Europe is living under Microsoft’s digital killswitch (thenextweb.com)
322 points by andmarios on May 12, 2017 | 175 comments

Although it's not said explicitly in the article, there's an interpretation of the subject that is both literal and true.

Microsoft distributes constant opaque silent updates to all modern Windows systems. With Windows 10, some editions cannot even postpone installing those updates for long. An update deliberately bricking Windows computers, targeted to all of Europe, a country, an organization, or an individual's home. That is, quite literally, a digital killswitch.

Of course Microsoft the company wouldn't do such a thing as long as it's following its own interests. But, being a non-EU entity, it could conceivably be forced by US authorities. Or, of course, the secure distribution channel could be hacked. It's far more likely that an attacker would distribute an update that merely backdoors all systems; but if done as an act of war (or terrorism), bricking is a somewhat plausible goal.

As the article correctly notes, the same problem affects most other software; it's just that Microsoft Windows is both so widely used and so infrastructure-critical (you can't replace it with a different OS and keep running your native Windows applications). OSX and iOS have minority market shares and you can buy competing products. Android phones and Linux distributions don't have a single update channel for all of them. Non-operating-system software generally isn't installed on most computers and has alternatives for most of its users. Windows is in a pretty unique position.

You're right! It's rarely about who creates the backdoor/update channel/law but about who can leverage and abuse it (hacker, next president, etc).

We are slowly starting to realize how big these issues are. I hope.

Ahem, the next president?

That ties into the overall point of the comment that the person using the backdoor may not be the one who created/mandated it, i.e. one president that people trust mandates a backdoor but never uses it improperly, but the next president after them is more unscrupulous and uses that backdoor for nefarious purposes, effectively piggy-backing on the trust of the previous president.

The point is that it might not be appropriate to give someone the keys to the castle even if you trust them completely not to abuse that power, because people don't last forever in a position and that power will eventually pass to a successor who may be less trustworthy.

This is an important approach to this problem. If you attack a hypothetical future leader, everyone can picture someone that might be worse, whether or not they like the current leader. It's a good way to avoid being dismissed over partisan concerns.

Same reason why you would never trust any country to be a nuclear power, no matter how trustworthy it seems to be.

Especially one which has used nuclear weapons against civilians in the past.

Oh, wait, never mind ...

The problem is that once a country is a nuclear power, taking the nukes from them is kinda hard. Even when you simply don't trust them.

This seems to be a pretty big blind spot for our two-party system here. Every president I can remember has set precedent by using some rule/loophole in the powers granted to the Executive Branch and then their party gets bent out of shape when the next president uses that same technique to do something they don't like.

Doing the 'right thing' the wrong way just conditions the American public toward accepting an autocracy. While particularly bad for one party, it's not great for either of them, and certainly not for the citizenry.

Honestly, when the big bad comes around, any loophole will be used, the eternal classic being a state of emergency.

If everyone abuses these loopholes anyway, then maybe there's a chance that they'll be closed in time. One can dream, right?

I laughed out loud reading this. This is a great, very clear explanation (though I think you may be responding to a joke). Can I get you to write my comments from now on? :)

Current president isn't intelligent enough to pull the political maneuvers to pull this one off -- even his base would be up in arms. You can't say "bigly cyber" and click your heels three times and get back doors.

Also in the case of hostilities, there's no way you could block this channel (OS updates) on a large enough scale, fast enough. This vector would be utilized in advance.

> Android phones and Linux distributions don't have a single update channel for all of them

This is pretty much saying that, because an OS is open source, that means anyone can put it on almost anything and sell it, so the fact that the original developer can't control all possible distributions of the software means that said software is untenable.

In practice, that is not how it works. You don't approach broad deployments of Android or, say, RHEL while getting supplied by a half dozen different OEMs. You pick one and stick to it. In much the same way Windows shops work - you normally either go with just Dell or just HP.

Hell, you can't lump Linux and Android in the same boat either. Vendors never guarantee perpetual phone OS updates on Android, because they always abandon their devices. The exception might be Google, maybe, with one of their device series from the last 5 years since the Nexus 4 which did get dropped, but you might be able to get a perpetual update contract with them for an extended support period. I have no idea.

But for something at Government scale, adopting Android is actually really trivial. At least it used to be - you could have just approached Cyanogen to support all devices with a guaranteed support period. Now I'm not sure if there is a corporate entity to barter with backing Lineage, but the same principle applies. There are ways around Android's horrible update model.

For desktop Linux, though, it's no competition. You will always be going to one vendor, using that one vendor, and getting consistent updates from that singular vendor. Be it Dell or Red Hat or Canonical or whomever you plan to contract with. They aren't going to be throwing Gentoo randomly on a couple of your thousand Ubuntu boxes, and if you want they will certainly preconfigure the images to point the update servers to your own self hosted ones to control updates if you really want to.

True, but there's still a difference: One organization will homogeneously use a single distributor/vendor/update channel within itself, sure. But different organizations might use different vendors, or even different sections of an organization if they're bureaucratically separated enough (e.g. not sharing budgets and IT staff).

If you're running Windows, you're getting it from Microsoft, end of story.

> If you're running Windows, you're getting it from Microsoft, end of story.

You talk as if nobody ever bootlegged Windows.

In the context of a large government agency that wants support and ongoing updates, yeah. Nobody bootlegs Windows.

That can change, once you've assumed that Microsoft can't legally deal with them.

So... the reason it's so trivial to locate Windows and Office, and the reason why KMSPico et al. exist... is so that the latest version of Windows - and updates - actually propagate, er, fully.

Presumably so that Microsoft doesn't get bad press, and maybe due to (shady but arguable) legal implications.

Oh wow.

This isn't really true. I know that both Google and Amazon (and likely others) have their own versions of desktop Ubuntu, and, importantly, all software comes from their own PPAs (including OS / kernel updates).

In terms of the "kill switch" threat, this pretty much removes it.

Additionally, desktop Linux systems are similar and open enough that it wouldn't be a big deal to move to Debian / others if Canonical went up in smoke or were compromised. It certainly wouldn't cost end users file compatibility.

> The exception might be Google, maybe, with one of their device series from the last 5 years since the Nexus 4 which did get dropped, but you might be able to get a perpetual update contract with them for an extended support period

Eh, Nexus 5x was The Phone for a while, released September 2015. EOL was announced in October 2016, software updates last until September 2017.

So it's still allegedly supported, but Android 7 update caused bootloops on a bunch of phones and Google determined it was a "hardware issue". Maybe it was, but I feel like Linux/Windows would work around this kind of issue, rather than shrugging and asking you to talk to the manufacturer.

Yeah, you need a Heavy Enterprise style vendor.

In virtually all Linux distros you can switch software repositories or delay or block updates altogether. And if they go the Linux route they can always choose a distro maintained inside the EU.

It's interesting because some cities publicly documented their switch to Linux, then came back to MS things (for some reasons). But in the end having open source, untied software is of political importance if you want to avoid being tied.

Munich never switched back, which is probably the city you are talking about, but Microsoft has been throwing millions of dollars into both defamatory propaganda against the city and attempts to either elect officials to force them back to Windows or to buy off key officials to make it happen.

It is extremely crooked when you read the narrative as it's unfolded over the last decade. Microsoft is extraordinarily aggressive in maintaining its monopoly in the public sector.

Yea I remember reading about this in Linux Format magazine (yea I pick up a copy occasionally when at the bookstore...great read on all things Linux, and FOSS) a few years ago. It is crazy how far Microsoft will go if the stories are true. If Munich wants to use LibreOffice, then let them, or maybe make an OS that doesn't require an almost unfathomable amount of resources.

I remember articles but nothing by Microsoft. Maybe influenced by MS though. There were a few other cities too IIRC.

ps: hooray for liberal private business right :)

I'll bet you that would be the year of 'linux on the desktop' at last.

Disclaimer: Employee, not on Windows.

> With Windows 10, some editions cannot even postpone installing those updates for long.

Not saying that users will necessarily find the place to do it, or understand the implications of this action, but anyone can permanently postpone installing the updates by disabling the service.


I think you were referring to the "defer updates" feature which is only available in Enterprise (and maybe Pro, I'm not sure about that one.)

As a home user, I would prefer to be able to select which updates I want to download/install, and when. I don't want to blanket disable all updates, because of course I do want security updates as soon as possible, but I want to be able to block specific updates for however long I want, potentially forever (in Windows 7, the "Hide Update" functionality does this nicely).

I make it a habit on my Windows 7 system to read each and every update's KB entry and determine if I want it. I wish I could do this with Windows 10.

In short, I don't think disabling the update service in Windows 10 is even remotely an ideal solution to this problem.

You can't do it anymore on Windows 7, because they switched to the consolidated patch model of 10. Now, the possibilities you have are mainly a linear security only channel, and a linear security+stability(+eventually features) channel.

This is why I'm in the process of switching to Linux as my daily driver and for service hosts. Putting all sorts of shit in the urgent security patch category was the final step. If you can't trust a security patch you can't trust Microsoft at all.

I wish I could remember the exact things they pushed but I have a feeling they were windows 10 related.

Can't edit but I found a new example when looking to see if I could be vulnerable to WannaCry.

In the May 9th 'Security Rollup'; "Updated Internet Explorer 11’s New Tab Page with an integrated newsfeed." [0]

I cannot disentangle this update from the other ACTUAL security updates.

[0] https://support.microsoft.com/en-us/help/4019264/windows-7-u...

Right, I forgot. Well, at least with Windows 7, you can choose to install only security rollups, whereas with 10, AFAIK, you have to take it all or nothing.

Yes, I was referring to the "defer updates" feature. The Pro edition has a limited feature - you can defer updates a little while - if you're in a managed domain, you can defer for longer but not forever.

However, if you make a practice of not installing any security updates at all, you create a bunch of other not easily solved problems for yourself.

Your interpretation may be true, but it's certainly not literal, since they literally state their interpretation (in bullet points, for clarity) and that ain't it.

(most of the Windows deployment under consideration would be enterprise edition, and they don't take updates automatically)

File under: garden variety EU chest beating.

> Microsoft Windows is both so widely used and so infrastructure-critical (you can't replace it with a different OS and keep running your native Windows applications)

If the US declared war on part or all of Europe, and caused Microsoft to send updates bricking legitimate Windows installs within that region, the victims could still use pirated Windows to run their native Windows applications. I doubt there would be any legal repercussions.

If MS, for whatever reason, bricked an entire country during wartime, the war would likely be over before most folks could figure out Bittorrent.

It would take a huge amount of time, effort and money to reinstall and reconfigure, say, 80% of all computers in a country that happen to be running Windows 7 or newer. To recover all the data from backups (assuming the backup servers weren't running Windows as well). To replace any literally bricked hardware.

Meanwhile, many very critical systems that happen to be implemented on Windows would shut down for weeks or months. Look at the current ransomware attack on the NHS. Now imagine taking down all health services, ISP services, maybe electricity or gas or water companies, supermarkets, distribution and shipping management, police and government records...

Yes, these things usually have non-Windows components on big iron or Linux servers. But if you take out all the Windows clients, and however many Windows servers do exist, then the system as a whole cannot function.

This could be a part of a (cyber)war effort. Instead of, or before, sending in the army to attack, you cripple the enemy's economy and civil infrastructure. You even have a chance of maintaining plausible deniability if you attack the MS update distribution channel, or serve them a sufficiently secret order that doesn't get leaked.

Then again, if US declared war on Europe, they'd just brick the hardware (which is what bricking usually means), or take out key parts of the backbone, then it doesn't really matter what the capabilities of individual users are.

When the problem is "we need to be able to run our existing native Windows applications", this matters. No matter what Microsoft does, a country can't be prevented from running their own native Windows applications on their own machines. They have all the necessary software and expertise locally. One strike is not a victory.

> the victims could still use pirated Windows to run their native Windows applications. I doubt there would be any legal repercussions.

When... a month after? Too late. Damage's done. War's over.

That is an unusually optimistic view of what it takes to win a war.

Maybe, but I doubt the next major war will involve tens of millions of soldiers occupying and then rebuilding a country, ala WWII.

Because today it's easier to destroy a country completely without boots on the ground, so people won't have to occupy it and won't bother to rebuild it?

IMHO, major wars will only happen somewhere in Asia... between China, Russia, India and Pakistan (all nuclear powers). They all have border issues, are relatively large countries, and China and India have potential to be local superpowers. China will need Lebensraum and move into Siberia and that might start it all. USA will probably seek to sell arms to both sides and stay out of it :).

Although it's not much of a hurdle (as MS provide the hurdle too) don't modern large scale MS-based IT systems still rely on a local controller to push updates? This used to be the case with domain controllers a few years ago.

They can if they want to. It's called WSUS - Windows Server Update Services. But all it amounts to is a glorified local mirror and central point for pushing updates. You still don't know what individual updates do, still can't cherrypick individual fixes out of monthly rollups, still can't install some update without installing their prerequisite updates. And, like you pointed out, you can't fully trust the WSUS software, which also talks to Microsoft to update itself.

WSUS might delay or stop an attacker who takes over the MS distribution channel from publishing an update telling all target computers to shut themselves down right now. But a smarter attacker will distribute a time bomb as part of a legitimate update, that people will install for legitimate reasons, and that will be triggered after enough computers have installed it. The trigger may not even come via the Windows Update channel.

And to quote, "there's another theory that states that this has already happened."

Windows users should be blocking all Microsoft spyware with a DNS blackhole, except for when they occasionally want to pull in an update. I would share mine, but it's only running on a micro instance...

Selectively pulling updates doesn't seem feasible. Consider that:

* Microsoft does not disclose what (most) updates do and it's not feasible to reverse engineer all of them to check.

* Multiple updates, including critical security patches, are published as a single monthly rollup and cannot be (easily) separated from one another.

* The Windows 10 Update client doesn't officially support cherrypicking some updates and delaying others indefinitely; if you let it connect to the (real) Microsoft update server it will try to install all available updates.

* You're not downloading individual per-update executables and checking their hashes; you're running a program (the Windows Update client) that, once it trusts the server it connects to, uncritically runs any code the server sends to it.

Now consider all of that when the adversary controls not just individual update contents but the whole update server or delivery channel...

You can also use a separate computer to manually install Windows updates:


Granted, the DNS blackhole is more about blocking the spyware than isolating single updates.

I wasn't aware of the MS Update Catalog. It's nice to know that it's an option. This does allow installing single updates without using the Microsoft Update client.

It's not a long-term solution, though: 1. You need to know the KB article ID of the update you're looking for. And again, the individual update descriptions or KB articles frequently just say "something was fixed" but not what. 2. Some updates will probably fail to install because previous updates to the same component weren't installed. Conversely, updates that just give you the latest version of a file or application might auto-install the older updates you wanted to skip.

In any event, even if you successfully skip most updates, the main outcome will be that your system will be that much less secure and easier to take over using published vulns even without a backdoor...

I think you're saying you intentionally use an unpatched OS with known actively exploited and patchable vulnerabilities, you do so in situations where the machine is connected to the public internet, and you think the thing you should be worried about is Microsoft attacking your machine via Windows Update.

I don't think you need to worry about the number of people wanting to replicate your configuration exceeding the load your micro instance can handle.

> you do so in situations where the machine is connected to the public internet

Where'd you get that from? My "micro instance" is clearly not on my Windows machine. My Windows box is behind a pretty over-the-top firewall (which isn't even necessary on a private network for the exploits that are public). Not every vulnerability makes you remotely vulnerable behind your NAT, and I wish more of the people obsessed with update-hygiene understood that.

Is my solution good for a corporate network? Obviously not, because you can't control the attack surface.

I rarely hear about black hole dns, and I often wonder why it's not more prevalent? Does anyone have insight into the pros and cons involved?

You need to be slightly technical to set one up and make sure your devices use it, and if you use a VPN that intercepts DNS like mine does, you need to host it on a publicly addressable IP.

Personally, I'm glad more people don't use it or I'm sure Microsoft would resort to hard-coded IP's and other methods, which require a very configurable router to block (like OpenWRT).

pf can block by IP address, so you could just set up an OpenBSD router. Again, technical, but if it ever DID become necessary, I can't think of a good way for MS to address that.

There are lots of ways. Think of it from an anti-malware perspective: how can the botnet agent on my PC, which has OS-level privileges, discover and communicate with the daily command-and-control server, if each day the network admin blocks the previous day's CnC server IP address?

Any network communications that the OS is allowed (or that a Microsoft program or driver that the OS trusts is allowed) can be used to carry extra data about which IPs to talk to in order to exfiltrate "telemetry" or download updates. DNS and WHOIS queries (where MS can publish arbitrary queryable records), peer to peer DHT-like networks (ditto), Tor (designed not to let your router/firewall know who the OS is talking to), the list is endless.

I'd assumed win10 was already doing some of this. My one VM that runs it is still not getting network access. Doesn't need it, and I don't trust it. But good to know, thanks.

depends who you're trying to thwart

TV downloading updates? it'll probably work

trying to stop MS from spying on you? they have engineered parts of the stack to avoid things like firewall and hosts file blocks, so presumably they have an IP hardcoded in case you block all their hostnames at the DNS level

This is a poorly written article. Under the heading "What's the problem":

> IT systems of European governments mostly run on Microsoft software and OS [...] that means that almost all of the data of European citizens — tax information, health records, etc. — along with security related data, are in proprietary file format...

> The problem with the proprietary file format is that Microsoft’s software is made to be incompatible with open source, which effectively forces all communicating departments within a government to use the company’s products, in order to ensure compatibility of files and ease of communication.

The operating system that runs on a system has no bearing on how the data for various applications is stored. As far as I know, Microsoft isn't providing the applications that store "tax information, health records, etc.", unless the governments are using Excel and Word to keep all that information rather than a database.

Even so, if they are using Excel/Word, the Office Open XML file formats are ISO/IEC standards, not proprietary.

There may be some problem of vendor lock-in here, but this article seems to have no idea what the real problem is.

> This is a poorly written article.

This article seems to originate from the Netherlands, drumming up anti Microsoft rhetoric that was very prevalent a few years ago here.

It is important to understand with these types of articles, that Microsoft and their local partner companies (disclosure: such as the one I work for) have competitors who stand to benefit from stories like these. Other companies (like IBM, Oracle working with local ISV's and service companies) want to sell their, also proprietary, but non-Microsoft based solutions. They promote independence from Microsoft as a feature of their software, and have budget to hire PR firms and run a lobby too, just like Microsoft.

But their solutions often come with a worse type of vendor lock-in. The Oracle type. In the Netherlands, most public backend administrative software is not based on Microsoft technology, and it is completely closed, unable to integrate with (Microsoft based) front end systems or web api's.

The article states that Microsoft makes 2 billion in the EU public sector, I don't know if that is true, but in the Netherlands spending on Microsoft software is somewhere around 1-2% of total public IT spending, and I'd say they provide relatively good value for that.

> unable to integrate with (Microsoft based) front end systems or web api's.

It's not 1992 - Oracle databases can integrate with all sorts of web APIs and front end systems. You may not like how it's done or how much it costs, but it's a little over the top to claim that it can't be done.

"You may not like how it's done or how much it costs, but it's a little over the top to claim that it can't be done."

It can't be done in a business if the vendor decides it costs too much or will be done in a way unsupported for good reasons. Whereas, with FOSS, they might pay someone to fix that or someone might do it themselves. The arbitrary costs and limitations the proprietary vendors can force on locked-in users is an important risk of their model for users.

> Oracle databases can integrate with all sorts of web APIs and front end systems

Of course, however the problem is not a technical one. IT suppliers simply use their ownership of the software and support/maintenance contracts as leverage to claim a stake in any project connecting to 'their' software, and make their customers pay through the nose for anything they want.

> The problem is lack of control over vital parts of state operations, leaving European countries at the mercy of a foreign company and government.

This is a very valid point.

> This doesn’t only weaken Europe’s ability to stop the US snooping around, it also leaves security flaws for anyone with the know-how to exploit.


I agree that it is not a very precise technical article. But the main issues hold true.

Disagree entirely - for me it hits the nail on the head immediately. And what a timely article given the impact on the NHS today. Are we seeing NSA tools used in the wild? The EU handed Microsoft its biggest fine and still we have this unacceptable state of affairs where we have secret code running public utilities and services, especially of a foreign/extra-judicial entity. Unfortunately getting out of that lock in is going to be tricky.

You think that if an entire government was running a specific *nix operating system that the NSA couldn't develop an exploit to gain access to the OS?

Android phones run Linux and get hacked to get root access. Routers, IoT devices, and lots of other hardware run Linux variants and get hacked all the time.

This idea that people hold that if only we didn't run Windows we'd all be more secure is silly and naive.

i.e. http://freedom-to-tinker.com/2013/10/09/the-linux-backdoor-a...

There's been multiple attempts. Linus has even been directly asked to put backdoors in Linux.

There is even a contest to make code look normal, but do something malicious https://en.wikipedia.org/wiki/Underhanded_C_Contest

I'm sure the NSA is very good at that.

NSA would find lots of exploits. Many black hats would, too. The key difference I see from high-assurance security is that there will be a diverse array of protections developed that might stop anywhere from some to all attacks. There's a pile of them out there in CompSci, private sector, and so on for Linux, FreeBSD, and Android. Tiny portion of that R&D goes to Windows kernel or privileged userland. Microsoft Research even builds great tools Microsoft themselves won't even use in the general case even though they applied some of them.

To put this into perspective, there's CPU modifications that can make a Linux or FreeBSD system mostly safe and secure against known classes of attack instantly just at the compiler and CPU level with a certain performance hit. Anyone wanting improved security could then use Linux with those CPU's probably buying some extra chips, too, to cover performance loss. You don't have that option with Windows.




It would certainly be harder, since they don't have the political option of compelling Microsoft to add a backdoor.

You're implying that coercing major companies is easier than a few hours researching vulnerabilities?

I think you are grossly understating the difficulty of penetrating actual defenses.

Once a vulnerability is used it is likely to be patched. A group that cannot be coerced to do something for you will close vulnerabilities as it learns of them because they are liabilities.

Also, moving away from Microsoft will likely lead to the end of software monoculture. You need to research those vulnerabilities for each target. Oh, and it would be much more than a few hours of research.

Gah, this brings me back to the glory days of slashdot.

The software monoculture exists because of USERS. The vast majority of users don't want to have to learn three different OS, look+feel, GUI rules, etc. They just want the goddamn excel file that the CPA sent over that they need for their accounts receivable report to OPEN. Trying to convince governments to go to FOSS doesn't work well because the users slip back to things so that they can do their job the way they know how.

See, e.g. the city government of Munich, which after a decade of trying never got above about 60% of their users to switch to Linux, and is considering abandoning the effort.

For people outside the United States, switching away from Microsoft really is a matter of national security (It kind of is inside the US too, but that is a different argument). If leaders of a nation allow their civil servants to be so lazy that they damage national security they deserve whatever results they get.

Using new software today isn't like it was in the 90s, the OS is much less important. UIs can be delivered by web and all the user friendly UIs (all mobile OSes, and no desktop OSes) are all similar enough that many users can't tell the difference. If this is the barrier to someone's national security...

> The operating system that runs on a system has no bearing on how the data for various applications is stored

It's not impossible for a motivated user to go against every UI (dark) pattern to keep work on an open format, but it's so unlikely as to be irrelevant.

While the file formats may be open, it's widely known that MS keep enough secret sauce in Office so that an MS Excel nightmare won't open correctly in LibreOffice. Being able to decompress and parse the contents of the file (the open part) is not the same as humans being able to interactively retrieve information from it.

The user's intuition is to blame LibreOffice, but as technologists we should recognize that if you won't ship a working reference implementation for effective use of your 'open standard', then it's just malicious marketing.

I do see an issue with storing your nation's critical data in an OS with security backdoors enforced by a foreign country.

I heard that China got a special treatment from MS on that, Windows 10 without the spyware...

I suspect this article is referring to legacy systems written with Microsoft software, that communicate with a server through binary applications that only work on Windows.

It is getting harder to remember, but only 10 years ago, having Microsoft as the only supported platform was easily justifiable in most organizations. Even if your software was customer facing!

Yeah, it's click-bait. There are also lots of non Microsoft systems in use in Europe. It's just as complex of an environment as anywhere else in the world.

This was an article for Microsoft haters to upvote each other for saying the same thing they have been saying for years.

"[T]ax information, health records, etc." would likely be stored in SQL Server databases.

It looks like SQL Server import and export file formats are defined, but I am not aware that the native format is standardized.

> Even so, if they are using Excel/Word, the Office Open XML file formats are ISO/IEC standards, not proprietary.

You aren't serious about that, are you?

I have used Linux as my primary desktop system for over ten years. Usability really sucks. I'm not talking about a new UX model, systemd vs sysv, or wayland vs xorg. I'm talking about not needing to know about unix-isms to run a desktop operating system. Gnome and KDE are okay-ish now.

Honestly the best desktop system for linux I've seen is Deepin https://www.deepin.org/en/ , which is produced by a Chinese based group and marketed mainly at Chinese audiences.

It installs updates on reboot, which removes many corner cases for desktop users. It has a nice dedicated admin panel that feels like a single interface rather than 20 different panels glued together. It focuses on efficient desktop use rather than some new hotness UI concept which Unity and Gnome3 both got infatuated with. The desktop interface is fast and gets out of your way, but providing useful quick tools to open, close, and switch apps.

Why do I think governments haven't used more open source? Because we care more about systemd vs sysv than a single good consistent UI. Because we think writing desktop components in javascript and python will give good (enough) performance that won't feel sluggish; hint, they won't. Because coders (often) care more about how their code looks, using the slow interpreted language they know, or "getting the job done" (as they define it), than they do about concrete performance evaluation, benchmarking, and end user use cases and long term person off the street testing.

Sorry, that was kinda a rant. But seriously, check out the deepin desktop. New users can be really productive in it quickly and maintain it themselves.

I use OS X, Windows 10 and Gnome 3 pretty much every day. They're all okay. I like Gnome best, and Windows least. But they all do the job, and they're way more similar than they are different. In contrast, 10 to 15 years ago, the user experience was wildly different on each of them.

But it's moot anyway. Browser apps will continue to displace desktop apps, and they don't really care which operating system you're running. European governments would be well served to somehow supply their administrations (as well as the general public) with a first-class alternative to Google Docs. Extra requirements: self-hostable, (even more) extensible.

So, Collabora Online[1]

[1] https://www.collaboraoffice.com/code/

Also, Open Xchange https://www.open-xchange.com/

This is true for me and my personal family.

This is not true for many (most?) large governments. Again, my main point is that developers often miss what users actually need and care about.

Many people in administration don't need much more from their office suite than regular users. Many others do, though, I agree -- hence the extensible part. Either make the extensions by dedicated government IT staff or pay someone to do it; open-source either way, obviously, because it's absurd to use public funds to commission proprietary software.

Personally, I prefer to install my updates manually, when I see fit and am glad that there are still systems that allow me to do so.

The biggest issue with "desktop environments" is that they try to emulate windows.

The problem with that is that there are not only a series of widgets, but also separate programs/libraries made to do what was designed to be done from a shell.

For example, in the file manager, you can right-click a file, and decide what program it opens with. That might mean the file manager has emulated some sort of registry. Alternatively, to better integrate with the system, it might be using xdg-open.

The goal should not be to make a closely integrated system, but a loosely coupled set of consistent, simple programs that let the user control specific aspects of the OS.

KDE and GNOME have improved a lot in this respect, but they still seem to have the wrong goals.

There are very complex websites programmed in javascript that are not sluggish.

So why is it then impossible to use that on the desktop?

I would say, this is actually the way to go. Because there are MANY good UI-Designers now, because of the web. And they know Web technologies. If there will be an easy way, to integrate that into the desktop (native apps in general), then there will be better and more consistent UIs over time, that "newbs" can use.

But deepin looks interesting.

edit: and quite ironically, deepin is based on Webkit and HTML5 ... (or used to be until recently, don't know for sure yet, why does deepin not even have an English Wiki page?)

edit2: but the deeper I look into it, the more it looks flawed unfortunately


That info is old. They rewrote it. Look at GitHub, not quora.

This is a chicken egg problem, where distros claim they want more users, but when they get users complaining about usability problems, users either get ignored, get ridiculed, or are told it works by design they should adapt.

So until there are just enough of a certain kind of user who can adapt, but still complain and insist on software becoming more usable, things can change.

And face it, both macOS and Windows have had persistent crappy UI/Ux of their own, it's just not as such a critical mass that people say f it, I'm going back to pencil and paper (which when it comes to proprietary voting systems, we should sooner be on pencil and paper).

You're missing the point. It isn't about "bad" UX, but consistent UX that omits implementation details. With the exception of Win8, both osx and windows have huge consistency points.

> Because we care more about systemd vs sysv than a single good consistent UI.

I always thought the whole systemd thing was a clown car joke. Nobody actually cared, right? Anyone that mattered?

It isn't fair to say that because KDE and Gnome exist that Linux is screwed forever. They are entirely two different stacks, and their competition breeds innovation and progress. You can't have "do whatever you want with the code" software and not see the emergence of competing ideas. Both projects also date back to the mid 90s, so they are so old with so many millions of LOC under them you don't throw that away. Especially when doing so basically tells hundreds of free software developers to - in many cases - use something they hate - either GObject C or Qt respectively. Both are not pleasant to work in, and while both have their own abstractions (GTK has its Python bindings and Javascript design thing and Qt has QML) you always end up dropping into the base toolkit for something. They exist because competing technologies exist, and you should evaluate them independently as much as you would evaluate Windows or OSX.

> Because we think writing desktop components in javascript and python will give good (enough) performance that won't feel sluggish; hint, they won't.

The vast majority of enterprise software is being written in one of the following nowadays:

* Java. Ugly as fuck, can be slow when written poorly (and it will be written poorly). Huge clunky codebase, giant memory footprint.
* React / Electron / Just a webapp. Super slow, super clunky, super painful to write because you break the browser metaphor in a dozen ways trying to make it work. It is putting plane wings on a VW Beetle and hoping you get somewhere in one piece.
* Mobile apps, ignoring the desktop, and pissing everyone off in the process. Some businesses I know have tried putting their Android APK business app they use on ipads in the field in ARC on Chrome for the Desktop to get their office staff using it, it's insane.

None of these are good. It is all shit. All the native APIs are colossal shit. Cocoa is awful, Objective C is awful. C# is... ok. But it's awful. UWP is horrifyingly bad with some mutant C++ dialect and the promise of eternal lock-in.

Compared to everything else, GTK and Qt are the best development environments for user software by far. I personally might significantly prefer the modern QML style Qt programming over GTK3, but they are still leagues beyond the usability of any other platform, and that is without even considering that they are cross platform.

That is about the worst criticism of the Linux desktop ecosystem, because that is also the best thing the ecosystem has produced, two really good toolkits. GTK not so much for stability, but just using it is much less painful than any first class alternative.

If we can get something to Qt's standards and API coverage written in, say, Rust, that would be the golden miracle. But PyQT right now isn't that bad. It is pretty bad, having to put C++ metaphors in Python, but it's only as bad as GObject metaphors in Python, and way better than anything on .net or the awful NDK on Android.

The Gnome desktop (at least on Fedora) also delays updates until shutdown/reboot time. But points taken on Javascript and Python. From what I'm seeing in Gnome Builder updates though, they're really interested in getting to a point where Rust can be used for writing Gnome apps.

Not on Ubuntu with Gnome flashback. I get an update popup at least any other day with the new versions of some packages or security updates. Reboots are for switching to new versions of the kernel. I confess I sometimes postpone reboots for even a couple of months. I suspend my laptop and I have too many open applications (desktop or background) to be willing to close and restart all of them. If it's really like that, no Fedora for me.

Most distros have this no bundled libraries rule, so either the stale version can still be used after an update, or if it's yanked out from under running processes, they can crash. Hence rebooting. macOS and Windows have mandatory reboots for anything system related too, so this is not out of the ordinary.

Right now, if you use flatpak based applications on Fedora, they get updated without reboots. And that's the way forward, including for the desktop environment itself eventually.

Imo the thing with the public sector, is that it is so large that it probably could fund both an OS and a productivity suite easily and that would be a net gain, both from a freedom perspective and for the economy at large.

I am all for entrepreneurship and I do think that companies and competition create progress. But when one company reaches the level of Microsoft, where every year we learn how many billions Bill Gates' bank account increased —I do know that he helps with his money but still, his bank account does increase—, it just takes money off the market. Hoarding is bad.

> it just takes money off the market. Hoarding is bad.

Like anyone with significant wealth, Bill Gates's wealth is mostly in non-cash investments, whereby the capital is used for enterprise.

A more sensible argument might be that Microsoft is successful because of anti-competitive practises / exploiting a monopoly, rather than adding value.

Even if it was hoarded as cash, this shouldn't matter. Less meal tickets floating around means that each ticket gets more food. If Bill Gates is using the money for consuming resources (say making a huge building), this affects the economy as there is an opportunity cost (the consumed resources could have been used elsewhere). One exception is monetary crises where hoarding has a negative impact, but that's not the usual situation.

There is a strong case for redistribution of wealth on its own terms and social good.

Bill Gates no longer owns a significant amount of Microsoft stock. Ballmer was the largest shareholder the last time I looked.

Gates isn't hoarding anything, and in any case, all his wealth is going to charity.

Bill Gates owns a very significant amount of Microsoft stock.

Since when is $11.3 billion held by one person in one company, not a lot? It's one of the largest single positions held by any person on the planet in a given company. That position is so large, by itself it would nearly qualify a person into the top 100 richest list globally.

Top Microsoft mutual fund position: Vanguard Total Stock Market Index Fund, 155 million shares.

Bill Gates: 167 million shares.

He'd be the seventh largest institutional holder in Microsoft - a $528 billion company.

It depends how you define significant. Gates has been selling stock and has reduced his shareholding from at least 45% to around 2.5%. While $11.3bn would be a lot for most people, I imagine things look different when you're worth $86bn to $90bn ;-)

Incidentally, Yahoo Finance reckons The Vanguard Group owns 525,395,707 Microsoft shares. The Vanguard Total Stock Market Index Fund is just one of its funds.

YF doesn't mention Ballmer so presumably he sold off his 333 million shares without it making news. It's a while since I looked....


Bill Gates's money isn't sitting in couches, it is invested back in the economy. And given the fact that his total wealth is constantly increasing despite giving away billions, shows it is invested quite efficiently.

You could have simply omitted the second paragraph and your argument would actually be more forceful. I agree overall with what you say.

I don't think the problem is with how fast Bill Gates' money is increasing or whether the money is being hoarded. "Hoarding is bad" - some folks say this is a somewhat dubious economic proposition because in theory hoarding reduces the overall cash supply with fewer currency units chasing the same number of goods and services. This is actually really good for savers until the hoarding exceeds a certain threshold where it starts interfering with the velocity of money and all that good stuff. (and frankly, the US GDP is something like 18 trillion, the M2 money supply is apparently 10 trillion, and Bill Gates, despite his enormous pile of money, does not even have 1% of it. I don't think he would make much of a dent even if he hoarded every single penny).

The real problem is the propagation of unchecked power. Be it governments. Be it corporations. Be it dictators or whatever. At least, in theory, well designed governments already include checks and balances. Even the most corrupt banana republic is rarely beholden to the power of such a small group of people like we have in the top tech companies. I mean, how the fuck does Microsoft have the temerity to sneakily upgrade OSes even if people don't want to? Why is there no lawsuit against them of any significance? (And I am sure you can find equally bad examples of abuses of power from all the tech giants).

And while we were all told that competition is supposed to cause the checks and balances and will prevent power from accumulating in any one business - it is probably time to ask if that actually holds true in the technology sector, especially at the bleeding edge? It is probably time to legislate the dismantling of these tech giants.

Thank you for your elaborate response. The point I wanted to pass, is that spending 2 billion euros per year for FOSS, paying developers and various-sized companies in EU, would make much more difference to our continent than giving this money to a single company for proprietary software.

Not only this wealth would be better distributed, but also FOSS would be widely accepted and a sought after career path. Additionally, in my experience at least, FOSS leads to better professionals. My limited sample, says that a junior developer that can read the source of the library he uses, grows to be a better senior developer than the one that can't.

I can't imagine an operating system that I'd be less likely to want to use than one developed entirely by the public sector.

[disclaimer, MS employee here]

Question: If governments could inspect and audit MS source code, would the concerns brought up in the article be addressed?

This is a clarifying question, not a loaded one. To avoid any surprises: governments, including the EU can and do audit MS source code (public source, for example: https://forums.anandtech.com/threads/microsoft-lets-eu-gover...)

The code review opportunities are a joke. The only chance to review a mere million lines of code thoroughly is to throw a million eyes on it and open communication about findings.

The way those are done now, they are Valium for politicians and a cash cow for those doing the "audits".

>a million eyes on it and open communication about findings

That's what the Chinese government does internally. Ba-dum-tssh.

There's also the issue of the data. It should always be accessible in a format that anyone is free to inter-operate with (E.G. no patent restrictions), and preferably in one or more protocols/apis/formats that fulfill this criteria.

Critically it must be possible to utilize the data without proprietary products. Government records need to stand the test of time. Just like we can read ink on paper today, in the future preserved records need to remain readable. Libre formats ensure that there is a known, implementable solution. However they also make it more likely that someone will already have that solution.

[disclaimer, read the article]

No. The problem is not the existing code, but the potential for forced updates with new code.

The thing people in technology forget is that the most expensive resource in government is the people who work there. Every person in my IT department is top of their game, every one of them has been continually honing their skill sets and are following their interests.

This has put us ahead of a lot of other municipalities and a lot of private companies. We've had to send ADFS and Azure consultants back because our crew was better, as an example.

Those people live and breathe Microsoft. Those people are the reason we didn't have to renew our server room, when we decided to go own-cloud in a major hosting center instead, and they are the reason we'll soon be able to move our cloud from rental to Azure.

Sure we could have used other technologies for it, but it would cost an unimaginable amount of money to replace the entire IT-workforce. I'm certain we could retrain our current staff, but a lot of them wouldn't want to, because the truth is, if they wanted to be working with non-Microsoft technologies then they would have been snatched up by our "competition" already.

I think open source should play an important role in government, and I think that role should increase steadily going forward, but I also think people and reason should come before an ideology.

With 370 different IT-systems of various magnitude we already have some that run on Linux. JBOSS and Wildfly are big in government, but out of our entire system portfolio only a fraction of the systems even have non-Microsoft alternatives. Other systems are on 8 year contracts, making it impossible to swap them out overnight even if we wanted to. Which we don't because we would need to replace every system, and get every employee on board with open source alternatives in order to save the insignificant Microsoft licensing fees which make up less than 1% of our IT budget.

Sure, Europe is bound to Microsoft and that can be problematic. What if Trump truly goes apeshit for instance? Then we would be royally fucked. The truth is that there is no viable alternative that won't be ridiculously expensive and take up to 50 years to fully implement.

With everything heading for the cloud it might not even make sense. The only cloud options for a huge part of the European public sector are labeled with Google, Amazon or Azure - and none of them would make the legislative challenges or licenses any less of an issue. At least with Microsoft, we have a company who has been really open to quickly and efficiently meeting European demands.

> take up to 50 years to fully implement

It didn't take you 50 years to get here, why would it take 50 years to get somewhere? You also have the benefit of knowing what a successful system looks like, so you can avoid many pitfalls from the first attempt.

We buy systems we have no clue how work. Like the system we use for telemedicine, or the system we use for electronic locks in elderly care.

It's not that we don't want to know how they work. The political administration has simply decided upon a decentralized strategy in which any one can buy anything because there is a belief and trust in localized knowledge.

As a central unit we don't support android because it's impossible to keep safe enough to meet EU law. This, however, doesn't mean that the system to handle electronic locks we bought last year doesn't run on android. It also doesn't integrate with our data warehouse, meaning that 800 user profiles have to be maintained manually but hey.

I have 250 examples like that, but the point is that it's complicated and that there are no easy black and white solutions.

Maybe it hadn't taken exactly 50 years to get where we are now, but it's certainly taken 25. We couldn't just unravel it over night, even if we wanted to.

> We buy systems we have no clue how work.

Well that doesn't seem like a good starting point for any but the smallest ventures. National governments have a special interest in safety and security. Fixing this, even in a piecemeal way is surely a step in the right direction.

The attitude of your post and the higher GP post sounds more like people lamenting some natural disaster that can never change. Instead you could be looking at a system built by people and maintained by people and on some level understood by people and choose to make it better.

I'm pragmatic. We've been actively trying to change things for the past many years. Thanks to new EU security directive we're getting there.

Progress is slow though, and it's not like we couldn't do better if the politicians wanted it.

That's the thing about public administration though, citizens genuinely don't care about IT, and bottom up management simply doesn't produce fast changes in organizational culture.

> Sure we could have used other technologies for it, but it would cost an unimaginable amount of money to replace the entire IT-workforce.

It's worth doing it, to get rid of the sick MS lock-in. Breaking the catch 22 needs to start from somewhere.

Our tech guys are absolute wizards, most with a fair business understanding. Replacing just one of them is around $500000 with no guarantees that we could find someone suitable.

We're a medium sized municipality in Scandinavia sitting next to the largest one in the country, meaning that getting good tech staff is already extremely hard with the popular technologies.

The staff who work here now do so because of benefits or ideals, not the pay, where we will never be able to compete. On top of that it's taken more than 25 years and five different middle managers to build the right kind of culture.

I'm sorry, but why would we ever want to break that? And why on earth would we do it to possibly break free from the Microsoft lock-in 25 years from now, when Microsoft licenses are less than 1% of our IT spending?

And that's just the tech perspective. We'd also have to reschool 7000 employees on everyday software considering how integrated the office365 platform is here. And where is the open source alternative to 365?

(I'm sorry for the wall of text if you were being sarcastic)

> We'd also have to reschool 7000 employees on everyday software considering how integrated the office365 platform is here.

I'm confused: did you educate them in using office365, or even in using Office 2007 (which was a big change)? I.e. were there courses they all attended? Or did you just update them and they had to learn? Similar with the OS, did they go on Windows 8 and Windows 8.1 and Windows 10 courses or did they just get the update?

I agree that FLOSS lacks a great office suite alternative. I totally disagree with the concept that if there were, your users would need to be re-schooled.

Yes we reschooled people from 2007 to modern office.

You can't imagine how many man hours teaching one drive for business cost us.

We did a comparison of open office and google docs vs ms office when we did our business case of course. Open office lost by around 1400% with some employees never learning it.

We don't just use office365 though, we use addons. Like automatically sending electronic mail through APIs that integrate with the national platform while using a custom template and journalizing into our record system.

Hell, we've built two Word add-ins ourselves allowing citizens to digitally sign documents with their public identification.

> Yes we reschooled people from 2007 to modern office.

As in actual classes? How did this work? This sounds like an epic waste of money and everyone's time.

> We did a comparison of open office and google docs vs ms office when we did our business case of course. Open office lost by around 1400% with some employees never learning it.

Yeah we've all done reports like this. They are usually an epic waste of time as usually everyone knows the answer they want before they start... I'm surprised that you managed to get results that were that favorable for the desired answer though - openoffice.org and the more recent Libre Office kept a similar UI to MS office 2003.

> We don't just use office365 though, we use addons. Like automatically sending electronic mail through APIs that integrate with the national platform while using a custom template and journalizing into our record system.

Sounds like 10-30 LOC each if you ran on FOSS systems (although obviously it is hard to tell without knowing what your exact requirements were) - I'm sure office365 saves you time/money in other ways though.

> Hell, we've built two Word add-ins ourselves allowing citizens to digitally sign documents with their public identification.

Did you build libreoffice extensions as well? Or do you expect citizens to subscribe to your software choices? I don't mind what you do for internal software but forcing everyone to use the same software as you is a bad use of tax money.

Every citizen who doesn't opt out of it, is a digitized citizen.

That means they have a two-factor identity and a secured electronic mailbox hosted by us in the cloud.

So what our addons do is it allows a caseworker to send a document as a PDF directly to a citizen, who can then follow a link to our document signing server and sign it online. They don't need any kind of software to do so, because everything is supplied by us.

If they don't have a computer they can use one at a library or at our town hall. (Which run Ubuntu by the way)

I get that you think we wanted office to win in our business case. That's not true, we simply show the political level the facts and they act accordingly.

I thought there are actually quite a lot of Linux developers in Scandinavia, though I have no idea about sysadmins. I agree that finding good specialists is always hard.

I'm not sarcastic. For the government organization, it can be just a matter of principle.

All the development we do ourselves is on .Net core, Java or Python so as far as development goes we're pretty much all open source. We even share a few systems with other municipalities through our official github.

When we buy systems open source isn't as important to us as ownership, but it's still relatively important.

Operations is a different story though. As mentioned we use Jboss, and we run it on CentOS. We tried hiring a sysadmin to run our Linux farm, but we've yet to find someone qualified.

So all our Linux servers are supported remotely by a consultant company.

You're correct of course. If the political will is there we could change it. It would be a nearly impossible task, requiring us to rebuild our entire infrastructure from scratch, retraining or replacing 50 staff members and reschooling 7000 as well as rebuilding around 200 systems, of which 50 are major and would have a replacement cost exceeding our entire yearly budget each.

If the government decided to take the country down that road, it would be a different and much more manageable story, and they kind of have. Open source is a priority in the official strategy of digitization, at least in Denmark.

But it'll take a looong time to implement, and we won't be starting with Microsoft because no one really wants to replace Microsoft with uncertainty.

"Lock-in", i.e. (economic) transaction costs, aren't exclusive to Microsoft. For every system or solution or whatever that anyone adopts there is some non-negligible cost to switch to something else.

Migrations costs and lock-in are orthogonal concepts.

Migration costs are just the costs of switching from one solution/product to another.

Lock-in is when you are in some form dependent on a monopoly.

Insofar as lock-in causes high migration costs, that is mostly because it forces you to migrate in the first place, unless you want to stay dependent on the monopoly. If you are using some software, say, and it's lacking a feature that you need, in a lock-in situation, you have to either buy that feature at the price the copyright owner of that software asks, or you have to switch to different software (which in turn is expensive because your data is, presumably, stored in some proprietary format and the company that knows how to read it is not keen to help you with migrating it to a different software). If you were using free software instead, or proprietary software that you yourself hold the copyright to, the migration would be cheaper because you would have the code to help you with migrating away from it--but more importantly, you probably won't have to migrate at all, because you can just hire any competent software development company from the market to implement your features, and if one company is overcharging you, chances are, you'll find one that is not.

I don't think people come always before ideology. Imagine a medieval king saying "But we have all these great torturers, we heavily invested into them, they are the best of their kind and they bring great results. We can't stop torture now."

I tried to migrate to Ubuntu in 2011 and gave up because I was missing apps like Evernote or Visio. - I moved away from MS products in 2015, replaced my Thinkpad + Windows 7 with a Mac, replaced MS Visio with Omnigraffle, abandoned Visual Basic and migrated to web Apps (Django mainly). The only MS product I use is MS Office (via a subscription) on my Mac.

This article made me think: Do I really need MS Office? Occasionally I use Word for 1 to 10 page documents. Then there is MS Excel. I used to use it to do data analysis with it, used Pivot Tables extensively. But now I mostly use it for simple tables. Finally there's PowerPoint. I have created many businesses plans with it. (I used MS Access as well, to create quick line of business solutions, but I'm trying to do this in Python + Django now.)

Now I'm considering trying to move away from MS Office as well. Because actually all that keeps me using it is a vague feeling that I might miss something if I don't. Or others expecting me to send them Office documents (instead of Libre Office) - Germany is MS Office land.

Another German here. I have abandoned MS Office in favor of OpenOffice/LibreOffice years ago and when I have to send documents I just send .pdf's but if I REALLY had to send .doc, .xls etc. LibreOffice can im- and export those formats too.

There is lots of truth in this. I've been saying all of this for years and am trying to raise awareness whenever I get the opportunity, while not trying to be pushy (that just doesn't work, people need to want to). Two highlights of the article:

> European children are educated in Microsoft Office, which is given to schools and universities for free, which some call the “crack model” — getting people hooked for free and then start charging them.

God this is so true. Every year emails go out "you can get office for free via $ourSchoolName!" What do you mean indoctrination and free advertisement? I wanted to reply to all with a message in a similar tone (about libreoffice being free and not a trial) but never found a good phrasing that would do anything beyond provoke a backlash (also when discussing it with like-minded friends).

> Security risk

All eggs (not just "all your eggs", no, all eggs) in one basket is a terrible idea for obvious reasons.

I'm not overly sympathetic, governments should be doing more to support open source software. Public money should be used to make public software. The idea of using public money to support proprietary software and formats really bugs me. If you want to do this for your own personal or business reasons, fine. But public resources should be used to make existing public owned (effectively we all own free open source software) software better.

Government systems simply should not be running proprietary software.

Government systems should be running whatever makes the most sense given all of the relevant tradeoffs. It's really unclear why an arbitrary reasonable person would entirely exclude proprietary software from consideration.

I agree with you, but... There is a HUGE problem with this statement.

90% of the devices that are bought require Windows. Every single microscope, ID reader, card reader, access system, detection system, defence devices, advanced cameras, radars, etc. provide drivers and/or software that, as far as I know, are only for Windows.

Even if they make a plan to move from Windows, it will take years; in this time, every acquisition will be made for Windows. A common use for these devices/PCs is more than 5 years. Heck, I've seen tools that are used even after 15 years because they worked and there was no money/desire to replace them.

Of course you can negotiate, or request support for other operating systems, but that means extra money, training, etc. Even in the current state it's hard to get good IT people, programmers, sysadmins, etc. It will be harder to get Linux admins. Also it will take years to teach people to use another OS.

And to end: have you seen custom software made for governments? 50% just slap a program that requires x version of .NET, some C++ redistributable and requires to run only as admin or only XP, 40% just slap a Java abomination or applet and call it a day, 9% make a nice piece of software but just like everyone else after they deliver the software they forget about the support or patch 1-2 things and they are gone. ALL OF THIS is happening mainly because the state doesn't have trained people and they don't know what to ask from devs & because they don't give a shi*t about the money they spend.

I've often thought that the British government should have an in-house team of developers to work on services for local authorities and public facing institutions.

It seems every time a contractor gets involved the tax-payer gets a good fucking, think of all the accrued billable hours taken up by redundant layers of manglement pontificating, the endless reworks and finally the extortionate support contract to keep the end product limping along.

Specialized devices like microscopes or military devices/radars should be handled under the "flimsy IoT devices" category. You won't be allowed to put them among common workstations in most managed Windows environments either, they're liable to get stuck on ancient OS versions etc.

Normal accessories like card readers work fine under Linux.

Could you explain your opinion?

I would much rather see governments embrace and contribute to Open Source software available to all, they could even pay 3rd parties to maintain and service.

Some have tried and have gone back to Windows[1]

[1] https://yro.slashdot.org/story/17/02/11/1930217/the-city-of-...

But there are some hints that the decision to "go back" might have been politically motivated. Like relocating the Microsoft central in Germany to Munich ...

But on the other hand, there were many flaws in the system, which many in the OSS community did not want to acknowledge, because it is easier to shift the blame to evil conspiring Microsoft than to admit that Linux and LibreOffice are not perfect. Which is really, really stupid, because how can it be technically as good and polished as Microsoft products, given there is so much more money behind them. And even though the Linux kernel might be now even better than Microsoft - that is not at all the case for Desktop, Drivers, Stability, Programs, etc.

Here's some previous discussion on that topic: https://news.ycombinator.com/item?id=13642820

Yes, but also others have tried and have not gone back (yet?) like GendBuntu[1]. Munich was about 15,000 computers [2], GendBuntu is 70,000.

[1] https://en.wikipedia.org/wiki/GendBuntu

[2] http://www.zdnet.com/article/linuxs-munich-crisis-crunch-vot...

This just shows how stupid the guys who contract for (EU) government IT are, and their political masters who are supposed to be directing them. Any software that is not built from the ground up to be secure is unlikely to be; it is not something that can be bolted on. Various versions of Windows needed to be heavily hacked to meet even the most basic DoD-CETCS (RedBook) standard back in the 1990s. And I doubt it is any better now. That some public services dumped Microsoft years ago suggests this lock-in problem is almost as old as commercial computing.

I cannot believe they are stupid. On the contrary they are clever enough to side with MS.

When this news circulated around one month ago in Portugal it was put in more harsh terms as somewhat a form of digital colonialism.

I watched Munich trying to change to Linux, they even created a LiMux, a special distribution.

In my opinion, the biggest problem was UI and design. LiMux and all its programs just look like something that has been thought up in the 90s. No modern UI, no sleek design.

In addition, the interoperability is horrible. It's just not fun to work with something like that, not when you come home to an iPad or a Windows 10 machine.

If there was any chance to roll out something other than Microsoft (or Apple, for that matter), government bodies must invest into the UI. If people have to fight with the OS and its applications every step of the way, it will never be accepted.

For other industries, roles may be reversed.

For example, another headline could be: the US is living under ASML's digital killswitch

Time to ditch Windows for Linux.

Large organizations like Microsoft, Oracle, and the like because they have support numbers to call when things go wrong. Oracle is the top offender; I dislike integrating with their products, but it's hard to get decision makers in IT to look elsewhere. No one's lost a job buying Oracle, as the saying goes.

I'm not familiar with Linux support. Not sure what Red Hat has going on for desktop support.

> Not sure what Red Hat has going on for desktop support.

If you are a reasonably large government body with a budget, I am pretty sure that Red Hat will provide desktop support if you pay them.

Moreover, it is likely that desktop support will become more and more trivial as administrative applications will probably move towards web apps as well.

The best time for that was roughly a decade ago, but yes; the second best time is always 'now'.

I remember this being discussed a decade ago. The irony was that in most cases it was abandoned because migrating cost more than the annual IT budget. And since no politician ever plans a decade ahead, here we are.

Still, there are successful migrations:


All good things come to an end:

"February 2017 - Politicians discuss proposals to replace the Linux-based OS used across the council with a Windows 10-based client.[42]"

Hopefully, it's far from the end. The fight continues [unfortunately only in German]:


In short, there are no technical problems whatsoever. It's just strong lobbying...

If I were a country that was not allied with the US, or otherwise feared potential power plays by the US against my nation, I would not use any closed source software originating from the US.

Same applies to China, to Russia, and any other nation with a well funded cybersecurity division.

A nation could order a software producer under their jurisdiction to write an automatic updater pushing malware to collect:

National secrets


Access to critical systems

And who knows what else if we are being creative. We use our computers for everything. Closed source software, especially with automatic updates, is a systemic risk and it's going to bite a lot of people really badly if a cyber-competent nation ever decides to initiate WW3.

Amusing that this article is going out as Europe is being hammered by ransomware on unpatched Windows computers.

If the US wanted to take out all EU computers, presumably they'd use an airburst nuke, and target all the electronics, not just the Windows boxes. Of course, if things got that bad, presumably the "logical" course of action would be to scour the continent, rather than let a pissed off high skilled population live to join Putin.

War is not about killing your enemy and breaking his things. That is the job of warriors, but not how you win a war.

It would immensely benefit the US in a war with Europe to silently snoop on all those systems and act like we couldn't. Use the information to perform lower cost higher gain military operations.

Killing the populace en masse makes nothing but enemies, but leveraging information can make you friends. Imagine if the US used its massive infiltration to find people sympathetic to its cause and gave them guns and bombs with Russian labeling. Those people do most of the damage in the country and we swoop in with targeted precision bombing and cost effective troop deployments to arrest huge amounts of heads of states and legislatures. We could defeat Europe in a year and at least some portions of Europeans would thank us. Then we move on to the part the US sucks at, occupying.

Micro "It's not like we can just flip a switch" soft

(Though I guess it requires a broader umbrella of 'MS dickery with networks' as the Xbone debacle was you being forced to be online at MS' behest, and this is sort of the opposite)

And most countries on Earth are living under Monsanto's food killswitch.

I always wonder why the European countries don't work together to build their own software. Or at least a single country, looking at Germany, where each city seems to brew its own stuff.

Well, regarding today's massive ransomware attack based on a Microsoft security flaw, it's a little bit ironic.

Hm, what operating systems are used by governments outside of Europe? Doesn't everybody have to rely on Windows?

Is there any possibility that China has a hardware backdoor in our iPhones? (and whatever other devices they make?)

I went through all the comments here and maybe it's a dumb question - but I'd assumed that the situation described applies to all/most governments? Is the situation vastly different e.g. in the U.S.?


We've banned these accounts that you created just to violate the guidelines with.

Did you really create an account just to say that?

I think there is a bigger problem - using Microsoft Office means that an organisation is stuck in 1990's ways of working. The web should replace these tools that were developed for personal computers that came with floppy disk drives instead of ethernet connections.

Companies 'stuck' on old-fashioned Microsoft Office also have to present information to customers and internal stakeholders, so they hire a 'web department' that then becomes the new typing pool. Instead of dictated or hand-written things that get typed up on 'Wordperfect' (MS Office killed the typing pool for good), we now have Word documents or Excel spreadsheets that some 'web person' has to then copy onto some CMS or other system powered by a SQL database.

I did open a 'legacy spreadsheet' today so I appreciate that there is still some life in having data that way, however I cannot remember the last time I had a use case for a wordprocessor, Microsoft or otherwise.

I also know Microsoft do 'sharepoint' and a few other web things but not many 'real' websites have gone for the Redmond solution, 10% according to the survey I just Googled:


Although 10% isn't quite into Windows Phone territory of pointlessness, I can't imagine setting out today with a new project and instantly thinking 'Microsoft'.

I think the Microsoft problem will cure itself much like how the old typing pool died - people get old, they retire, new people come along and learn how to do stuff with the new tools, the more efficient processes and the demands of the time.

I honestly can't imagine using any other tools to do my job than office. As a student I tried the Google suite/docs and years of usage has me relieved that I could leave them behind. Thinking back the only thing I remember about them is the instances of them not working or not working correctly. Printing was a mess. Left/right clicking to open more complex interfaces would often interfere with native browser/system functionality.

There are no true alternatives in my opinion. Everything else just does not cut it. Websites are slow and more often than not come with all kinds of garbage. Such as advertisements and the latest and greatest font or version of whatever.js (that developers insist must not get cached because they use continuous integration! (note '&t=' parameters when GETting a script)).

No please, PLEASE, let me keep my efficient clean familiar office applications. They are everything I need, I think it's great not much has changed about the basics since they were introduced. I love the fact that I can sit down behind office 2016 and office 2000 and be just as productive when working with simple documents. I love the fact that my dad, whom I often support with computer related stuff, did not even notice the update from word 2003 to 2010.

I am surprised to hear that you say that the difference between office 2000 and 2016 is not so big.

I find that sharing files between them is huge pain and that the UI is totally different.

Have you considered LibreOffice? It is at least as fast as MS Office, but can work with files from any version of MS Office or other programs. It also doesn't cost money, which you didn't mention, but is a concern for most people.

As for letting "your software", as the article made clear it is not yours. You keep them at the pleasure of Microsoft. If they ship an update that breaks them you are screwed. If they decide that your version of Office is too old for your new version of Windows they can ship an update that breaks it and they are financially incentivized to do so.

I think you vastly underestimate the number of business critical processes in huge international companies that use Microsoft Excel.

I work with a lot of these 'business critical processes' done in Excel. Too often that information is squirrelled away on some 'business critical spreadsheet' and not shared properly in the organisation.

There was also a time when typing pools were totally essential, we don't defend typing pools and insist on having them now though.

I'm not saying it's ideal, just that it won't go away.

Excel gives a lot of 'compute power' to non-developers. Nothing else is as good and flexible for so called 'end users'.

As kpil points out, Excel enables end users to develop their own solutions. What kind of business critical processes are you finding, Theodores?