TechLetters #182 CrowdStrike's major global IT outage ("WinNuke"). Web browser privacy, privacy PR&Comms is an art, and privacy-preserving technologies.
WinNuke was a tool that could remotely crash a Windows 95 system, but its impact was limited, especially compared to conditions in 2024. This is partly because computers are now more prevalent and deeply integrated into global economies and civilization as a whole. However, these systems are interconnected, making them susceptible to certain external software vulnerabilities. For example, CrowdStrike, which operates at a low-level layer of the operating system to monitor cybersecurity events, is susceptible. However, this privileged position comes with risks: any malfunction can impact the operating system as a whole, leading to instability. This can even result in an inability to start, as seen in the global outage on 19.07.24. Given its low likelihood, organizations often overlooked this risk in their typical risk-based approaches, deeming the cost of resilience unjustified. Furthermore, the use of software like CrowdStrike is mandated by regulations and insurance policies. Thus, any lessons to be learned must address multiple levels; however, there are no easy solutions.
Security
Global IT outage. This is an understatement. Plenty of industries affected, from transportation (like airlines), to finance, to health. It affected Windows systems with CrowdStrike cybersecurity software. Our civilisation depends on software. It depends on other software and systems, these in turn on others. Something goes wrong and the effect is global. Like a dominoe effect. It is all very fragile. Now we see only a small manifestation of this.
Technical details of why the IT ourage happened. "CrowdStrike has corrected the logic error by updating the content in Channel File 291. This is not related to null bytes contained within Channel File 291".
The issue is already being used by cybercriminals to attack businesses. Phishing emails posing as "help". Sounds as a reasonable risk since initially the mitigation advice was gated behind a user/password form, and in practice it was taken from Reddit users, then Twitter/X users. There's a lesson here.
Privacy
Privacy PR is a fragile craft and benefits from competent staff. Indeed, the introduction of Mozilla’s privacy-preserving advertisement attribution has been a PR disaster and a major failure. It is clear that in terms of communication and PR about privacy, Mozilla has scored a major failure, considering the user outcry, which includes misinformation and plain disinformation. It did not have to be this way When shipping new products, you better have competent people who understand both technology and the policy, legal, and communication landscape. Otherwise, you may be in for a surprise. Still, the reality is that Mozilla’s mechanism DOES NOT USE TRACKING (‘PPA does not involve sending information about your browsing activities to anyone’). This is despite what the media framing suggests. It isn’t clear why some media outlets call it tracking. The reasons could be a lack of insight/knowledge, clickbait fear-mongering, or some other reason. In the end, the deployment of this new Privacy-Preserving Attribution system is good for web privacy in general, including for the users of other web browsers. The alternative is having invasive tracking, not no tracking. Other forms of tracking, using other means, including those impossible to block, which is technically possible.”
Apple Safari introduces Private Browsing 2.0. It includes "Blocking network loads of CNAME-cloaked known trackers". The tweet below is the best research work, where we demonstrated and describing the scheme and the risks. This Safari feature is excellent. New fingerprinting protection approach. Modifying APIs to add noise. This likely may make the output of some web browser APIs non-deterministic. Privacy-wise, it will definitely introduce a big impact. Apple is also criticising a (the least exciting, though) part of Google's Privacy Sandbox, the Topics API. Apple is directing a big punch at (and huge criticism of) Google's Topics API. This part sounds as an opinion piece (publicistic entry). "imagine what advanced machine learning and artificial intelligence can deduce about you based on various combinations of interest signals. What patterns will emerge when data brokers and trackers can compare and contrast across large portions of the population?"
Interesting technical (sometimes relaxed) look at Protected Audience API. Aside from mine it is a best privacy audit so far, though I do not agree with all of its claims or assertions. “Showing ads causes information to leak”. “In a sense, Protected Audience is the product of the conjunction of competitive pressure on privacy and antitrust fears, so this is a natural conclusion.”
In case you feel it's worth it to forward this content further:
Subscribed
If you’d like to share: