undefined | Better HN

0 pointsvel0city1y ago0 comments

Right, so adding the NOS is making a third party addon that changes the behavior of the product outside the original designs of the product.

And installing a third-party kernel module (driver) is...a third party addon that changes the behavior of the product outside of the original designs of the product?

Honda didn't build the engine with NOS in mind. Microsoft didn't build the NT kernel for CrowdStrike. It is a third-party modification to the system the user chose to add on after taking delivery of the product that ultimately changes the behaviors of the system.

Arguing like Microsoft is liable for CrowdStrike's bad software is like arguing Honda is responsible for that NOS kit.

If I write a buggy kernel module that instantly kernel panics my Linux system, is Linus Torvalds responsible? Or am I responsible for the software I wrote?

0 comments

hpen1y ago

The analogy falls apart because Microsoft's platform is meant to integrate with third party software, that's a feature of the system. If the "feature" can take down the system it's a fault of the system.

If you zoom out, Microsoft has a system, a feature allowed on that system, signed by a cert, etc, can take down 8.5million devices of your system, that is a fault of your system.

A counter example of how to architect the thing? MacOS, Linux.

vel0cityOP1y ago

Kernel panics happen on MacOS and Linux as well. I don't get why you seem to think they're immune to buggy kernel modules.

https://access.redhat.com/solutions/7068083

https://lists.debian.org/debian-kernel/2024/04/msg00202.html

https://forums.rockylinux.org/t/crowdstrike-freezing-rockyli...

Anyone can make a program that can crash MacOS or Linux especially when you convince the user to install it with very high permissions. It is really not too difficult. Heck, Linux comes with the ability to really mess up your system out of the box. Give it a try:

  sudo rm -rf --no-preserve-root /

Gee, why would they possibly ship such malware on their system, something that could break the whole thing just hanging around. Would the distro developers be responsible for the damage caused if you decided to run that command?

If you zoom out, Linux has a system, a feature allowed on that system, signed by a cert, etc, can take down any Linux machine, that is a fault of your system.

> Microsoft's platform is meant to integrate with third party software

Sure, but Microsoft offers no warranty to any of the third-party software. Just like Honda offers no warranty to third party modifications made to your car. Which yes, its normal and fine to use non-OE equipment on your car, but if you swap OE equipment with non-OE equipment they're no longer going to warranty that equipment. It is not like every component of your car is welded together.

Going back to your original comment here, CrowdStrike was not in any way a supplier of parts to Microsoft. This is why Microsoft shouldn't be held responsible in the same way auto makers are liable for the parts by their suppliers. And even then, often with the way auto parts suppliers' contracts are written the final liability just might lay on the parts suppliers! It is not like Honda went under with the Takata airbag recall. Takata was negligent and didn't build to the standards and requirements as their contracts required.

Microsoft isn't going to warranty Chrome having a security issue with their JS sandbox or Photoshop corrupting a file. Neither is Apple if it happens on MacOS.

j / k navigate · click thread line to collapse