dewme

It’s exactly as large as it needs to be. 

michelb76 said:

The worldwide outage of Windows PCs was because of companies blindly automatically updating software and disregarding security and safety to save some bucks.

Placing your trust in other people’s hands has always involved risk. It’s also unavoidable because individuals and organizations don’t have the expertise, experience, or knowledge of every problem domain in play to take on all of the responsibilities themselves. People die on the operating table due to medical mistakes and unforeseen circumstances but I’d still rather place my trust in the hands of a trained and experienced doctor and hospital instead of trying to perform surgery on myself in the basement or attending medical school to gain the knowledge I’d need to perform medical procedures on myself. 

For a lot of companies any form of IT management and security protection is totally foreign to their primary domain of concern. Should they know better than to defer responsibility to companies like CrowdStrike or Microsoft? Should all companies have an internal team of IT specialists? There is no easy answer, especially when creating a sufficiently competent internal capability at a level that CrowdStrike or Microsoft, however imperfect, can deliver at a cost that’s spread across many other customers.

At the same time companies can’t simply throw up their hands and hoist their surrender flag when it comes to IT because IT is everywhere, it’s unavoidable, and cannot be ignored if you want your company to survive. Over the past couple/few decades many companies have come around to having C-level executives like CIOs and CISOs who own corporate level responsibility for ensuring their company’s IT and security posture is sufficient to protect the company and its stakeholders. Everyone in these positions, and their staff, need to stay on top of what’s going on in the IT sector and be aware of existing, evolving, and potential threats to their business. That’s their job. They also need to have a very clear understanding and plans in place to deal with security breaches and down time, including damage control, workarounds, and recovery. These are not trivial roles just to obtain premium parking spots and financial incentives. When a senior executive hires an outside firm to protect their company’s best interests it does not absolve them from ultimate responsibility any more than the CEO would be forgiven for a disastrous business deal that tanked the company.

Sometimes bad stuff happens and you just have to deal with the consequences. Hopefully you’ll avoid having the same or similar things happening again.

This is an “interesting” response by Microsoft. They are basically saying if they were allowed to follow Apple’s “walled garden” approach and sandbox all non-Microsoft code running at any level then this would not have happened. I think this is a bit disingenuous considering Microsoft’s major claim to fame was their ability to support everyone and anyone’s hardware and software, unlike Apple. 

PetrolDave said:

BlueLightning said:

Surprised something like this would get past testing (assuming testing was done).  

Most testing now is done by the developers themselves not by a independent test team, so the same wrong assumptions are made which leads to problems like this. Long gone are the days of a “Chinese Wall” approach…

Yes, developers are running a greater number of tests but the tests they run are at finer granularity than the system tests that are run by the test team. If you don't have an independent test team to create and execute system level tests and create regression tests to gauge the relative stability of the software as it's being built - you are basically screwed. Imagine the person who is responsible for the braking system in an automobile having final sign-off on whether the entire vehicle is ready to deliver to customers. Having every individual contributor assert that their piece is "good-to-go" doesn't answer the question of whether the system is tested to a level that provides a quantitative measure and determination that the software system is ready to ship. You have to do system testing.

On the Microsoft side of this thread, I don't know why so many folks are pouncing on Microsoft for this particular issue. Microsoft provides a vehicle for helping other software vendors deploy their software, but Microsoft only has so much visibility into what these other vendors are putting out there. I do believe that Microsoft should be doing a series of tests to ensure that the update package does not destabilize the target system after installation. But if the destabilization occurs only after the misbehaving application is executed or loaded on the target system there is only so much Microsoft or Apple can do. I cannot imagine that either Microsoft or Apple fires up every application, service, extension, library, etc., that is part of the update package to ensure nothing is compromised. 

I've worked very closely with Microsoft over 25+ years as a partner and have friends that work at Microsoft. I've worked on joint projects and industry initiatives with Microsoft. Based on my personal experience the quality of their program managers, developers, engineers, architects, vertical application specialists, etc., is nothing short of outstanding. At one point in the early 2000's they started hoovering up some of the most respected and influential developers and architects in the software development community at large. They are not lacking in talent in any way. Microsoft has a wealth of talent, but it all comes down to how they use that talent.

If I had to point a finger at Microsoft's achilles heel I would say that it's the massive scope, size, and volume of their code base and the need to drag along a huge anchor of legacy functionality and support for decades. Then there's the massive third party hardware and software community. If Microsoft only had their own software, their own hardware, far less legacy baggage, and an ecosystem that Microsoft is in total control of, they would be sitting pretty. Of course what we call "legacy baggage" has a huge impact of mass numbers of real people and businesses and Microsoft is not going to abandon them. They'd love to transition them to their latest and greatest stuff but that's a huge effort that will take time. I think that when they finally came around to focusing on security and then stability, as evidenced by Windows 10, they were able to glue together some major pieces of what once was a flimsy house of cards.

I have a tremendous respect for what Microsoft has been able to accomplish given the size and scope of what they've taken on. It's hard for me to directly compare Apple and Microsoft because I believe the two companies are on vastly different missions and each one is doing what they are best equipped to do. There's a good reason why they both keep themselves near the very top of the mountain when it comes to market capitalization. Trying to force a zero-sum-game comparison between these two companies is rather silly in my opinion. They are both crushing it regardless of who happens to be on top on one day or another.