What if Microsoft just turned you off? Security pro counts the cost of dependency
- News link: https://www.theregister.co.uk/2025/06/26/cost_of_microsoft_dependency/
Czech developer and pen-tester Miloslav Homer has an interesting take on reducing an organization's exposure to security risks. In an article headlined "[1]Microsoft dependency has risks," he extends the now familiar arguments in favor of [2]improving digital sovereignty, and [3]reducing dependence on American cloud services.
The argument is quite long but closely reasoned. We recommend resisting the knee-jerk reaction of "don't be ridiculous" and closing the tab, but reading his article and giving it serious consideration. He backs up his argument with plentiful links and references, and it's gratifying to see several stories from The Register among them, including [4]one from the FOSS desk.
He discusses incidents such as Microsoft allegedly blocking the email account of International Criminal Court Chief Prosecutor Karim Khan, one of several incidents that [6]caused widespread concern. The Windows maker has denied it was responsible for Khan's blocked account. Homer also considers the chances of US President Donald Trump getting a third term, as [7]Franklin Roosevelt did, the [8]lucrative US government contracts with software and services vendors, and such companies' apparent [9]nervousness about upsetting the volatile leader.
We like the way Homer presents his arguments, because it avoids some of the rather tired approaches of FOSS advocates. He assigns financial value to the risks, using the established measurement of [12]Return on Security Investment [PDF]. He uses the [13]Crowdstrike outage from last July as a comparison. For instance, what if a [14]US administration instructed Microsoft to refuse service to everyone in certain countries or even regions?
He tries to put some numbers on this, and they are worryingly large. He looks at [15]estimated corporate Microsoft 365 usage worldwide, and how [16]relatively few vendors offer pre-installed Linux systems. He considers the vast market share of Android on mobile devices compared to everything else, with the interesting comparison that there are [17]more mobile phone owners than toothbrush owners. However, every Android account is all but tied to at least one Google account – another almost unavoidable US dependency.
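Homer's costing method, Return on Security Investment as defined in the ENISA paper linked above, worked through as an added Python example (not code from the article or from Homer): ALE = SLE × ARO, and ROSI = (ALE × mitigation ratio − cost of control) / cost of control, applied to the "vendor refuses service" scenario. The organisation size, daily cost, occurrence rate and control costs are all constructed placeholders, as are the two controls compared.

```python
"""Return on Security Investment (ROSI), as defined in the ENISA paper linked
above, applied to the 'vendor refuses service' scenario. Added example; every
figure below is a constructed placeholder, not a number from Homer's article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss_expectancy: float     # cost of one occurrence (currency units)
    annual_rate_of_occurrence: float  # expected occurrences per year

    def annual_loss_expectancy(self) -> float:
        # ALE = SLE x ARO
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def rosi(scenario: Scenario, mitigation_ratio: float, solution_cost: float) -> float:
    """ROSI = (ALE x mitigation_ratio - solution_cost) / solution_cost.

    mitigation_ratio is the fraction of the ALE the control removes (0..1).
    A positive result means the control pays for itself within the year."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if solution_cost <= 0:
        raise ValueError("solution_cost must be positive")
    ale = scenario.annual_loss_expectancy()
    return (ale * mitigation_ratio - solution_cost) / solution_cost


# Constructed placeholder: a 1,000-seat organisation cut off from its hosted
# mail and documents for one working week (SLE = idle staff cost only).
CUTOFF = Scenario(
    name="cloud vendor refuses service for one week",
    single_loss_expectancy=1_000 * 5 * 400.0,  # 1,000 staff x 5 days x 400/day
    annual_rate_of_occurrence=0.05,            # once in twenty years (guess)
)


def compare_controls() -> dict:
    """ROSI of two hypothetical controls against the same scenario."""
    return {
        # Nightly export of mail and documents to locally held storage:
        # cheap, limits the damage, but does not give the service back.
        "offline export": rosi(CUTOFF, mitigation_ratio=0.6, solution_cost=40_000.0),
        # Warm standby on an independently run stack: costly, covers most of it.
        "warm standby": rosi(CUTOFF, mitigation_ratio=0.9, solution_cost=150_000.0),
    }
```

With these placeholder figures the cheap export control returns 0.5 (it pays for itself) while the warm standby returns -0.4; the point of the method is that the sign flips as soon as the occurrence rate or the outage length is revised upwards.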
There is a genuine need for people to ask questions like this. And, importantly, many of the decisions are made by people who are totally tech-illiterate – as many movers and shakers are these days – so it's also important to express the arguments in terms of numbers, and specifically, in terms of costs. Few IT directors or CEOs know what an OS is or how it matters, but they're all either former beancounters or guided by beancounters.
Another issue we rarely see addressed is the extreme reach of Microsoft in business computing. The problem is not just bigwigs who mostly don't know a hypervisor from an email server; the techies who advise them are also a problem. We have personally talked to senior decision-makers and company leaders who know nothing but Windows, who regard Macs as acceptable toys (because they can run MS Office and Outlook and Teams), but who have never used a Linux machine.
There's a common position that a commodity is only worth what you pay for it, and if you don't have to pay for it, then it's worthless. Many people apply this to software, too. If it's free, it must be worthless.
It's hard to get through to someone who is totally indifferent to software on technical grounds. When choices of vendors and suppliers are based on erroneous assumptions, challenging those false beliefs is hard.
(We've had a few abusive comments and emails from anti-vaxxers following [23]our coverage of Xlibre. They're wrong, but it's tricky to challenge the mindset of someone who doesn't believe in the basic concepts of truth, falsehood, or evidence.)
One way to define "information" is that it is data plus context. We all need contrast and context and comparisons to understand. Any technologist who only knows one company's technologies and offerings lacks necessary context. In fact, the more context the better. Looking around the IT world today, it would be easy to falsely conclude that Windows NT and various forms of Unix comprise everything there is to know about operating systems. That is [25]deeply and profoundly wrong. Nothing in computing is universal, not even binary; there have been working [26]trinary or ternary computers, and you can go and see a [27]working decimal computer at Bletchley Park.
Lots of important decision-makers believe that Microsoft is simply a given. It is not, but telling them that is not enough. It's like telling an anti-vaxxer that the Earth is an oblate spheroid and there are no such things as chemtrails. After all, some US legislators want to [28]ban chemtrails, so they must be real, right?
But if you can put a price on false beliefs, and then show that changing those beliefs could reduce risk in a quantifiable way, you can maybe change the minds of IT decision-makers, without needing to tell them that they're science deniers and the Earth isn't flat. ®
[1] https://blog.miloslavhomer.cz/p/microsoft-dependency-has-risks
[2] https://www.theregister.com/2023/02/09/open_source_policy_summit/
[3] https://www.theregister.com/2025/02/26/europe_has_second_thoughts_about/
[4] https://www.theregister.com/2025/06/13/danish_department_dump_microsoft/
[6] https://www.theregister.com/2025/06/03/aws_european_sovereign_cloud/
[7] https://www.bbc.co.uk/news/articles/cx20lwedn23o
[8] https://www.theregister.com/2022/12/08/joint_warfighting_cloud_capability_awarded/
[9] https://www.theregister.com/2025/01/03/tech_titans_hide_in_shadows/
[12] https://www.enisa.europa.eu/sites/default/files/publications/Return%20On%20Security%20Investment.pdf
[13] https://www.theregister.com/2024/07/19/life_interrupted_how_crowdstrikes_patch/
[14] https://www.theregister.com/2025/04/30/microsoft_getting_nervous_about_europes/
[15] https://www.onecloud.com.au/resources/how-many-businesses-use-microsoft-365-in-2024/
[16] https://linuxpreloaded.com/
[17] https://www.linkedin.com/pulse/really-more-mobile-phone-owners-than-toothbrush-jamie-turner/
[23] https://www.theregister.com/2025/06/10/xlibre_new_xorg_fork/
[25] https://www.theregister.com/2023/12/25/the_war_of_the_workstations/
[26] https://mason.gmu.edu/~drine/History-of-Ternary-Computers.htm
[27] https://www.tnmoc.org/witch
[28] https://phys.org/news/2025-05-florida-bill-chemtrails-geoengineering.html
It wouldn't necessarily be Microsoft making the "turn you off" decision
Here in the US Trump is trying to bully and blackmail corporations, universities, law firms, etc. Hopefully democracy and the rule of law will stand, but if he's allowed to do that by either the courts or the fact that CEOs see it as a good strategy to keep their head down and not speak up, he and future presidents could arbitrarily command Microsoft (or any other US corporation) to disable services for any country, organization or individual for whatever reason he has or no reason at all.
That's a HUGE risk. Maybe there would be more CEOs willing to stand up to the orange toddler if other countries make it known that if the US goes down this road that they will abandon US technology wholesale to de-risk their countries and citizens. People in the EU etc. should take corporate silence as compliance, and announce policy accordingly.
> We've had a few abusive comments and emails from anti-vaxxers following our coverage of Xlibre
I'd hoped most of them would have died from something eminently preventable by now - the phrase "unsanitised telephone handset" springs to mind. But if you can get a Flame of the Week out of one of them, I'd be very happy to laugh at them if that would make you feel any better.
Unfortunately that will require getting below herd immunity levels which will cause the deaths of innocents who can't get vaccinated, and it is more likely the children of anti-vaxxers will die than the anti-vaxxers themselves almost all of whom were vaccinated in childhood.
This seems to be starting to happen in parts of the US, sadly. And will only get worse with anti-vaxxers in charge of national public health policy.
We need more options
and I don't see viable alternatives.
I have brought up that we are WAAYYYY too dependent on MS. One serious attack/misconfiguration on them and we are out potentially millions.
Now with everything in the cloud... Cue: Rolling Stones - It's Just A Shot Away
An awful lot of people have their heads in the sand
They think because it hasn't happened it's not going to happen. Just a few months ago Canada thought it was best buddies with the USA. Not any more. Trump is already coercing Canada; he could easily cause them more trouble and the effects would be instantaneous. It's one thing to deal with tariffs, which take time to take effect. It's another if you can't get into your email and documents at all. Local backup? I bet a huge number of people don't do it.
I don't think the prospect of building a non-USA software infrastructure is hopeless. That is defeatist. Start by doing it piece at a time. Declare it a national emergency (even a Europe-wide emergency), and then start doing something about it.
Agreements and 'guarantees' with MS don't mean anything when Trump knocks on their door.
I have 2 words for you
Potato famine.
Well if you want to be scientific about it : Monoculture and the dangers of depending on it.
Take Windows 10... a simple job to re-install it... we've all done Windows re-installs: use the CD/DVD/USB and let it run rampant over whatever was installed before. But Windows 10... I WANT THE INTERNET it screams with all the tact of a 3-year-old toddler in the sweets (candy) section of a supermarket... then refuses to do anything more (unless you know the magic commands, which cause another reboot before you can create a local account). Of course a non-techie person would cheerfully sign up for all the 'cloud' services m$ offers without a thought, as do many many many businesses.
But once they've got your data, what happens if you can't get access to it? Whether by design ("Give us $5/month per user or you'll never see your data again"), for political reasons, or because the service they advertise as 365 comes in at more like 350... and we know which day it will fail.
Stir in just how many people use m$/Office and a Crowdstrike-scale cockup could destroy western civilisation.
So what do we do about it... well, unless forced to by governments, everyone will still buy m$/Office because everyone else uses it, plus no one is going to buy a rival office suite because m$ have made the bar to entry in that market so high that only they can supply the software/OS we need.
So unless governments wake up to the danger of relying on basically one supplier for our entire desktop computing needs, we will always face the danger of potato famine.
Choosing risk
While the premise of this article is spot-on, and the necessity of confronting IT monoculture is beyond question for serious professionals, I submit that every business, by the very mathematical nature of business itself, simply operates to minimise risk and maximize profit. Successful ones anyway. Choosing a known OS, with known personnel and capital budget requirements, simply reduces the chance of systems failure. And in the event of a failure of IT services, recovery and repair is likewise understood well enough to model and price, thus creating a large motive to stay with the herd. If there is ever going to be a departure from M$ monoculture, we will need some type of government mandate in order to overcome the above described risk profile bias. I have for years hoped that this would transpire. However, despite a few European and authoritarian government initiatives, most nations with free-market economies are shying away from such heavy-handed tactics. Should they be bolder and do this? Yes, probably. Will they? I guess it really depends on how bad the monopoly gets. And it's pretty bad right now.