29 July 2024

A Convincing Argument

The invaluable Maureen Tkacik does a deep dive into the CrowdStrike disaster and comes to an interesting conclusion: it was a failure of antitrust enforcement that led to the shutdown of hundreds of thousands of computers for days.

Specifically, it appears that CrowdStrike and other software vendors colluded to shut out third-party security testing firms that found exploits in their software.

So, monopolistic and oligopolistic behavior doesn't just harm consumers, it harms the national defense:

………

More notably, CrowdStrike had just been accused in court of orchestrating a conspiracy linked to the DNC cyber attack, though it didn’t involve any murders. According to the plaintiff, an independent cybersecurity software testing service called NSS Labs, the hack had exposed the incompetence of CrowdStrike, which the DNC had hired to stop the breach in May 2016 but which “missed a spot” that enabled hackers to hang out undetected in the servers for another five months afterward.

According to the lawsuit, in a pique of damage control, CrowdStrike allegedly colluded with some competing software developers and a nonprofit standards organization whose leadership they controlled to blackball a group of independent third-party software testing outfits that specialized in testing and identifying defects in so-called “endpoint protection” software, a variety of cybersecurity software CrowdStrike pioneered. The complaint says that, through the nonprofit Anti-Malware Testing Standards Organization (AMTSO), the companies had promulgated a bogus new set of narrow parameters by which third-party testing shops were allowed to test their products—essentially, a Mutual Enshittification Pact—and promised to boycott and/or sue any third-party testing shops that lobbied for more expansive or rigorous testing standards.

I will add an aside here: the anti-circumvention sections of the DMCA actually make testing the software in a way that is not approved by the vendor a crime.

Yet another bad consequence of listening to the copyright maximalists.

By all appearances, the scheme worked: By the end of 2020, the testing shop that brought the case had shut down, CrowdStrike was a $50 billion company—and nightmarishly disruptive ransomware attacks had become a near-daily occurrence.

“The fact is that there is very little empirical evidence that any endpoint detection software does anything approaching what the marketing claims that it does, much less prevent any of the catastrophic security breaches” that have become so increasingly commonplace, says an attorney and cybersecurity consultant who tweets under the moniker Brian in Pittsburgh and asked the Prospect not to use his full name for professional reasons. “Some large companies hire consultants to test-drive software packages against one another, but the results of those sorts of tests are almost never made public.”

The result, he says, is an information vacuum that, combined with the software industry’s historical exemption from product liability laws and “enormous investor pressure to generate constant earnings growth,” inevitably resulted in the corrupted software update that canceled and delayed thousands of flights, surgeries, and electronic transactions last Friday.

………

But if the conspiracy NSS Labs described in its complaint holds even a kernel of truth, it sheds a lot of light on how CrowdStrike emerged in less than a decade as a company big and powerful enough to mint two multibillionaires and bring the world to its knees, despite a flagship product that almost no one understands, which demonstrably failed at its highest-profile assignment, and whose recent flub suggests practices so sloppy they call to mind much older, more corrupted enterprises like Boeing, or Abbott’s contaminated baby formula factory. Two cybersecurity experts told the Prospect that their industry was even worse. “This industry is pervaded by an incredible degree of secrecy and rot,” says Brian in Pittsburgh, “and that will persist until we create a neutral, adequately funded body … to investigate these disruptions.”

………

CrowdStrike had retained NSS in April 2016—the month before the DNC hired CrowdStrike—to submit the Falcon modules to a battery of private tests to determine their vulnerabilities. The results of those tests aren’t known, but one can probably extrapolate from what happened in 2017 after NSS informed CrowdStrike that its public group testing division—which claimed to aspire to become the Consumer Reports of security software, and was strictly forbidden from sharing software or data with its private testing division—had independently purchased some Falcon modules and submitted them to a battery of standardized tests alongside some competing products, the results of which it planned on releasing at the annual RSA security conference.

CrowdStrike immediately sued NSS, demanding a temporary restraining order to enjoin the lab from releasing the results. The company claimed that the test amounted to a theft of trade secrets, and that a public release would result in “irreparable harm” to its business. A federal judge disagreed and dismissed the TRO the day before the conference was scheduled to begin.

But CrowdStrike had another trick up its sleeve, according to the antitrust complaint NSS would file the following year. At a trade organization conference in Poland the year of the DNC hack, an amended version of the complaint claims, CrowdStrike co-founder Dimitri Alperovitch hosted a meeting with fellow security software vendors “with the express intent, purpose and effect of obtaining agreement among the competitors to refuse to do business with companies [that] attempt to perform public tests of their products using testing methodologies other than those agreed to by the EPP Vendor Conspirators.”

Together, the companies formulated a new set of rules the testing agencies were required to follow if they wanted to test their software, including a minimum advance notice of five business days before tests commenced, a requirement that testing agencies allow software vendors to do certain tests over before the results were publicized so long as they insisted the malfunction was “anomalous,” and strict parameters on what kind of tests they were allowed to administer. CrowdStrike and its allies further agreed to “refuse to deal with any cybersecurity testing service that did not adhere” to their new “standards.” As a Symantec executive argued in an email to fellow AMTSO members urging them to vote in favor of the new standards, “If you want the money Symantec will pay for those tests, you will have to follow the standards. If a tester doesn’t like that, too bad. We will find one of their competitors who will.”
I would note that the behavior that CrowdStrike and other vendors engaged in is a crime.  It's not just a crime, it's a, "If you are convicted, go to jail," crime, or at least it was until some point around the mid 1970s.

We need to start doing this again.
