Last week’s whole mess with CrowdStrike is fascinating to me, in part because it not only points at the way technology can screw up, but also at the obvious fix (albeit a somewhat painful one).

The problem: Applications are working too close to the kernel, raising the potential of an unprecedented safety risk or kernel panic.

Working close to the kernel is the bread and butter of peripheral manufacturers, who need their devices to more deeply support the operating system. (It’s also a fundamental technique used in the Hackintosh community, which builds kernel extensions, or kexts, to add support for hardware the Mac itself did not inherently support.)

It’s only in recent years that OS makers have realized that letting vendors work so close to the bone was a potential recipe for disaster. Apple in particular has put in a lot of work to replace kernel extension frameworks with stuff that works a bit closer to user space. (Remember the drama a couple years ago when Dropbox was slow to properly support Apple Silicon? This is a big reason why Dropbox was caught with its pants down.)

While simplifying greatly, CrowdStrike’s Falcon Sensor software was built as a security tool that works at the kernel level, in part to mitigate the memory-hog reputation of earlier security tools. (Founder George Kurtz was reportedly inspired after seeing a man on a flight struggle with a slow-loading McAfee app; he worked as an exec for McAfee at the time.) CrowdStrike instead aims for maximum visibility by being as close to the kernel as possible.

After the whole mess with CrowdStrike blew up a week ago, Microsoft emphasized it wasn’t their fault, ultimately blaming two things: CrowdStrike, for its poor handling of updates, and the European Union, which created the opening for security vendors to work so close to the kernel.

Essentially, Microsoft’s argument is that it can’t lock down its kernel like Apple did because of a 2009 EU agreement that required Microsoft to maintain an API that other security vendors can use. In other words, in Microsoft’s telling, Crowdstrike exists because the EU created this rule.

At the Linux level, where you can generally do what you want with specific applications, the CrowdStrike thing has also come up. (As I noted on Mastodon last week, the optics look way worse for Microsoft, to the point where it may not even matter that this is a multi-platform problem. But hey, Linux is probably getting a BSoD of its own, so that might change.)

If the CrowdStrike mess leads to changes in our operating systems, kernels may become harder to pop, for reasons good and bad. (Christian Wiediger/Unsplash)

There are risks and frustrations created by pushing things that traditionally worked at the kernel level into user space, to be clear. In recent years, Apple has created a lot of busywork for users by requiring them to turn on permissions for literally every single thing that an extension does. It means reloading the tool more than once, just to get the app to work. Recently, when I log into my M1 MacBook Air, I occasionally have the permissions I’ve approved for my many apps disappear, only to return after an additional reboot. That wouldn’t happen if those extensions were working at the kernel level!

I think we’re going to see vendors harden their systems even further than they already were, and it’s already starting to show up in the Android space. Recently, Samsung began blocking sideloading of apps on its smartphones by default, making it part of a feature called Auto Blocker, which blocks numerous things that people have taken for granted, including the ability to do updates over USB. It has combined these functions with some security features, and requires you to turn those security features off to use sideloading.

“The Auto Blocker feature automatically blocks files downloaded from sources other than authorized stores, such as Galaxy Store or Play Store. If the app is determined to be safe, temporarily disable this feature and try again,” the company says in its FAQ.

We’ve already seen some knock-on effects from Samsung’s move. Epic Games, which has been working around App Stores wherever it can, announced Fortnite was leaving the Samsung Store in protest of this move, which obviously affects its app. (Side note: Hey Epic, can you please bring back Infinity Blade for those of us who don’t care about Fortnite? That was my favorite mobile game of all time, and I’ve been missing it for years. And no, it shouldn’t be the job of amateur developers to fix. It’s your IP. Thanks.)

To some degree, this debate over sideloading taps into the same well as CrowdStrike working so close to the kernel—essentially, platform developers want to rein in the software-makers that work too close to the bone, in part because the security issues reflect on them, not the developers. For most people, it will likely be the right move to lock these sorts of features down. But I can understand why software developers will be miffed that their drivers and extensions will offer a degraded experience in the long run.

But it may be the cost we’ll have to pay to ensure that our airports don’t randomly blue-screen-of-death on us one day.