TLDR: Microsoft can at least link your Windows installation to all website domains you visit.
It's unclear what the mechanism is, but I'd wager their "telemetry" is constantly revealing your installation ID, your current IP, and domains that were recently resolved.
The article links to this page, which was shared on HN yesterday. [1]
I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.
"all" would be troubling indeed. I hope that someone can discover the mechanism, and whether it's depending on any settings like "Share browsing data with other Windows features" or any other settings.
You can also use the Windows Diagnostic Viewer to check the telemetry data being shipped to Microsoft. I'd be willing to bet that you could use Edge (with defaults) and see the URLs being sent to Microsoft but nothing would come from Brave, Firefox, Chrome etc.
To me this indicates that Microsoft has some sort of traffic analysis performed on endpoints, then linked to GDID. I'd guess this is part of Defender's real time protection or MAPS.
Fun fact, Microsoft Defender MAPS was previously named SpyNet.
The GDID identifier seems software in nature though. They could be more aggressive and tie it to the baseboard's serial number the way some games do. Then the hardware is tracked throughout its entire lifecycle, not just per instance of Windows install.
that's the idea behind SecureBoot and the TPM chip is to provide the GDID based on hardware fingerprint. Some games already do this as "anti-cheat" measurements (tracking you) and Microsoft has been doing it since Windows 7 days. It's just that the TPM now gives you that hardware authority.
I switched to linux a year ago and in that year had less problems than on Windows.
I had some minor problems after updates once or twice. On Windows i had to boot into restore mode multiple times due to Windows Update screwing something up.
The MS Store also constantly had trouble updating apps and games and i had to manage packages manually and uninstall and reinstall them so it would work again until the next update.
The times were Windows is easy to use and fire and forget are long gone. The decline in quality is noticeable.
Actual hackers don't need to run debloating tools each boot getting tired of all the adware and bundled crap eating GB's of storage.
Actual hackers would use Guix System and actually hack really cool stuff and, yes, Guix (the package manager) would be eating GB's because of reproducibility... but at least you could restore your system from Grub anytime.
My surprise level is at approximately... zero.
Next we will see some news, that MS was compelled to share that info with some three letters. - Oh wait, that is exactly what has already happened, according to the article.
MS is just like that person, who drives a dagger into your back.
My thoughts exactly. Weren't they just caught recently handing over bitlocker keys (that get uploaded to MS by default when you sign in with a microsoft account) to the feds?[1]
I was a big fan of Microsoft ten to fifteen years ago. I’ve since transitioned my whole family off Microsoft products now over to Linux, Apple, and proton.
I really thought their corporate culture would’ve changed after the late 90’s but I guess this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
Nope, but Debian does use systemd by default so it's there.
I'm running Arch Linux and /etc/machine-id is present.
There's also an optional /etc/machine-info file that could exist. It's not a part of systemd and won't be created by default. It's more of an informal way to have details about the system in 1 spot. It was more popular when provisioning bare metal servers but still has value in the cloud. You can have key / value pairs on who to contact, where it's located, what type of machine it is, etc..
I don't like the idea of a persistent id for my machine. Would there be any harm in rewriting the machine-id at every boot? Or just deleting it as part of the shutdown sequence?
Whatever you do there will always be uniquely identifiable information (if not an id, a fingerprint) on your machine.
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
When you go really hard with the privacy-enhancing tools, you can potentially just make yourself even more visible. When you're so far outside the normal way a user looks you're making yourself even more unique than if you had normal-ish looking identifiers.
It can take a lot of effort to make yourself truly just blend in and disappear.
I have the urge to grab a pitchfork, but I know better than to make assumptions about why that functionality was added. Time to do some homework I guess.
I went to check if Flatpak would protect against this but it seems although it's a wanted feature it's not so straightforward to implement: https://github.com/flatpak/flatpak/issues/4311
The utility of and presence of unique identifiers in software should be no surprise.
But if you are using TelemetryOS (i.e. you cannot fully switch off the chatter) and your daily Web browser doesn't offer privacy extensions, you are the product.
Not using Chrome is a better bet for privacy than not using systemd or D-Bus. If you sign into Chrome (which by default happens any time you sign into a Google product), your entire browsing history is logged on Google's servers, and tied to your email address, Android ID, and any other machine identifiers Chrome can read.
Anyone serious about privacy is using Firefox or Tor Browser, with various settings to harden it against tracking.
Other BSDs don’t have that, but have equivalent PCI tree identifiers. “hostid”, too, is found on many systems but is much less unique as it’s often a function of local network address.
In dbus, it seems the feature is intended for two processes to know they can access the same shmem and other system resources. I'm struggling to understand in which circumstances would that be useful.
Creating an excuse for creating a machine-id to associate with network traffic. Sometimes, it is enough to have a plausible enough sounding reason to write down on paper, but you have to look at what something actually is. Any red blooded hacker knows there's what a tool is meant to be used for, and then there's what it can be used for. Less is more.
I remember a long time ago intel tried introducing unique IDs for their processors. People got up in arms made a big stink and intel put its tail between its legs. Many years later, the industry through a thousand little cuts has that and more with merely a whimper because it’s not a single big boogey entity but it’s diluted across hundreds of thousands of developers who deployed a myriad ways to fingerprint their users…
Tangentially related to Device ID: Apple is significantly worse when it comes to machine identifiers; even with Autopilot enabled you can still install Linux on a Microsoft Surface device (or even Windows if you don't use a Microsoft Account). With MDM locks, Apple devices are literally bricks (especially since all ram and storage is soldered down and locked/paired to the secure enclave chip).
I would suggest staying away from Brave. I recently compiled the debloated Brave edition from source and was rather disappointed. Brave was slower on my machine than Firefox and Chromium according to Speedometer 3.1. The built-in adblocker does a worse job at cosmetic filtering than uBlock Origin on Firefox. On top of that, I had to build the browser from source because the only binaries I could find are Brave's own. Their builds aren't reproducible, and no Linux distro packages their own.
If you think I am being paranoid, you may also want to take a look at this:
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
> 27. Microsoft records also indicate: <...> a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
There was a time where the default assumption was functionality created tracking opportunities. Nowadays, it's more the opposite. Social media have always been on the forefront of monetizing data, but the same data in the hands of governments is used differently. My point is that the way you/we feel towards Facebook, the entire world is increasingly feeling about most, if not all, US tech.
I know people who won't use Israeli or Chinese-made tech for fears of sabotage. US tech is quickly making its brand in that market.
It's interesting how you think of US tech currently being in a process of becoming a tool of state surveillance and oppression that Russia and China have, while the following exists:
- Helped Cambridge Analytica (~2013) to interfere with the elections: https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal
- Bought Onavo (~2013) to spy on competition: https://en.wikipedia.org/wiki/Onavo
- Manufactured consent to enable genocides in Ethiopia, Myanmar, and Gaza.
3 entries in the list above did exactly that more than a decade ago.
My point is that the US tech is not in a process, they were at the frontier long before everyone else.
Why when Americans do something do we feel like we have to mention the Russians and the Chinese?
Maybe I'm just bad at PR, though. If we call this "Chinese" behavior, maybe it will appeal a particular demographic who would normally support it in order to protect them from "Black Crime."
> Also, can anybody tell how “Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes’ computer “accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,'” works?
That URL shows 16 blocked requests, it tries to load (at the very least) datadog and googletagmanager, I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.
What surprises me the most is that the guy was using a Windows installation to do all of this. But then again, you only hear about the dumbest criminals who get caught, so I guess it does make sense after all.
> I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.
But those companies would have no way of knowing the GDID. It's not sent in a header, I assume.
A non-Edge browser would give the OS the domain name from the HTTPS connection and the page title because that's what it sets the window title to. I think that would be enough to identify the URL in a lot of cases (i.e. the sign-up URL sets the title to "ngrok Sign Up".
Converting that ID to hex gives 18,000F,C8CB,93CC which rather looks like 32 bits of random data plus the prefix 0x18000f or possibly 40-48 bits of time in ms granularity from some epoch.
It was Microsoft Defender SmartScreen in Edge I believe. The visited domain is submitted to Microsoft to check it against known malware and phishing sites. And, as we're learning here, it is associated with the GDID (and Microsoft Account) which can be accessed via law enforcement requests.
This goes a long way to prove that Microsoft does NOT care about your privacy, even if the header of their cookie consent claims so. They absolutely do not care, and this should be said about every big-tech vendor, not matter how lame it seems to say so. It is long overdue that we all say what needs to be said: they do not care about your privacy, your independence, or your well being. They DO NOT CARE.
Since you did not understand the point at all: There are regulations in place to force sites to "ask" for permissions to use cookies and track you. The point is that the regulations completely fail to force the sites to not blatantly lie, and wrap the "consent" with "we care".
That's just pedantic, because you know it is not the reality they choose. Most sites don't want to not track you. So they pretend they care about your privacy, and then proceed to collect and share data on you anyways.
Yeah, but it's galling we accept these big obvious lies in our society. A legitimate government would impose appropriately stern consequences for misleading and false advertising.
The interesting part is not really the existence of a machine identifier. Almost every modern OS has some equivalent. The bigger question is the boundary: which components can access it, and when does a local identifier become a remote tracking identifier? A machine-id sitting on disk is very different from an OS vendor correlating it with network activity.
This is the part that isn't clear and is by far the most interesting. At what stage and what point did the GDID get correlated with a tool/web request. As is it almost sounds like Microsoft "telemetry" gathers everything and they did a bulk search for certain activity, pulling the GDID and correlating it with a user.
From reading the official criminal complaint [1] it looks like Microsoft literally logs all web requests along with the GDID and sends it over as "telemetry". It basically associates the URL, the client's IP, and the GDID together.
Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.
It's not unbelievable at all, and it is well-known. It's been publicized that Microsoft sends every URL you visit in Edge back to Microsoft servers, tied with all the IDs on the device:
Are you talking about this post https://news.ycombinator.com/item?id=48818984? I don't see anything in the complaint alluding to such, and the police seem to have gotten everything directly from Microsoft rather than from the VPN provider.
Clearly a bunch of defensive Microsoft employees are hitting these threads. The official complaint directly cites Microsoft as the source of these logs. They refer to Microsoft as the source of the records for web requests, app usage, and so on.
From the reading of the document, I really don't think that's it. They using phishing to get access to one company's servers, then used those servers to push software to other servers.
It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning.
But it has long been known that Microsoft actively collaborates with and provides user data to legal entities. It is more a matter of the general public not being aware of this, the kind of data collected, and to what extent will users continue to tolerate Microsoft's behavior.
Unlike the Microsoft equivalent (?), nothing prevents you from scrambling it or outright chmodding to 700 to protect it from prying eyes. I go further and bubblewrap software that I don't fully trust like Steam on my gaming machine. I simply don't expose /etc at all in most cases. The Linux security model is actually quite weak against potentially invasive software running in a main user account. For example /home is completely exposed.
Yeah, this is what's glaringly missing from the article.
Exactly how does Microsoft's device identifier get associated with the ngrok session (normally initiated via its closed-source CLI)?
I can't tell from the article whether Microsoft is doing something underhanded to inject its device identifiers into network traffic, or whether the ngrok client software (again, closed-source!) grabbed the device identifier… and might well do the same on any other OS, using /etc/machine-id on Linux for example.
Since ngrok uses a "freemium" model, it wouldn't surprise me at all if its clients send machine IDs to try to catch users trying to get around its free limits.
For what its worth, this has been swiriling around on socials and i saw someone noted that the guy had been busted for something at age 17, maybe he was on some list?
> Exactly how does Microsoft's device identifier get associated with the ngrok session
Apparently [0] it's based on a time correlation for visiting the signup page:
> Investigators obtained IP address records from ngrok and the VPN provider and then obtained records from Microsoft that matched the time when that ngrok account had been set up on a Windows machine through a specific GDID.
> "According to Microsoft records, on or about May 12, 2025, at 19:21 UTC – when, according to ngrok records, the ngrok account was created – the device with the GDID accessed, among other ngrok pages, 'https://dashboard.ngrok.com/signup,' the ngrok page to set up an ngrok account," the affidavit explains.
I assume this likely true for nearly all device manufactures. I assume all devices have some kind of unique ID that they use for tracking, whether they said so or not.
The (not so) interesting part is how inefficient it is. Marketing by ads on the internet has less than 0.5% hit or click rate, and even then it is mostly accidental clicks due to the over-saturation of ads. It's not a real economy. It is just simply not actually worth it.
And yet stupid amounts of money are spent collecting detailed dossiers on every person that touches the internet so that... I'm guessing someone's probably trying to sell mattresses or something... because that's always that weird last question in every marketing/advertising survey I've ever seen... do you plan on buying a mattress within the next six months?
I'm probably going to called a lunatic but I'm convinced this kind of telemetry is somehow linked to and behind the huge coordinated advertising push for VPNs in the last few years. More and more, the "invisible hand of the market" seems like literally the hands of a few very large conglomerations of power and capital that shape the economics of the entire market to effectively control it - they shape the gradient and make sure companies optimize loss. VPNs are either directly spyware that increases tracking capability, or are being offered now because they don't need your IP to track you anymore so they might as well make money off your fears while still tracking you. More broadly, I don't see much of a free market or democracy left anymore, now every government is doing a coordinated push to eliminate privacy as well.
Basically, Microsoft logs things from windows users, including and not limiting to, the machine GDID, IPs that come with the GDID, and when and what exact URLs accessed. So for windows users, privacy, an important part of information security, is totally destroyed by these logs enforced on windows.
And a simple solution to that problem is moving to linux. You save yourself a lot of time and energy for leaving the adversarial information security condition imposed by windows and microsoft.
P.S. You may consider debloating windows for a more information security friendly environment. However, that is nearly impossible, as long as you realize that windows is an OS composed of thousands of closed source softwares, and doing security audits on all of these will be costly.
153 comments
[ 3.1 ms ] story [ 86.5 ms ] threadIt's unclear what the mechanism is, but I'd wager their "telemetry" is constantly revealing your installation ID, your current IP, and domains that were recently resolved.
I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.
[1] https://github.com/SmtimesIWndr/gdid-reversal
Reminds me of Google Safebrowsing.
I imagine it's not too difficult to narrow down the potential suspects with how much data points you'd get from ISP, Windows telemetry, and whatever.
You can also use the Windows Diagnostic Viewer to check the telemetry data being shipped to Microsoft. I'd be willing to bet that you could use Edge (with defaults) and see the URLs being sent to Microsoft but nothing would come from Brave, Firefox, Chrome etc.
Fun fact, Microsoft Defender MAPS was previously named SpyNet.
https://en.wikipedia.org/wiki/Microsoft_Active_Protection_Se...
The GDID identifier seems software in nature though. They could be more aggressive and tie it to the baseboard's serial number the way some games do. Then the hardware is tracked throughout its entire lifecycle, not just per instance of Windows install.
hard drive and motherboard serials have been around far longer than TPMs. Not to mention TPMs are far cheaper to replace than hard drives.
I had some minor problems after updates once or twice. On Windows i had to boot into restore mode multiple times due to Windows Update screwing something up.
The MS Store also constantly had trouble updating apps and games and i had to manage packages manually and uninstall and reinstall them so it would work again until the next update.
The times were Windows is easy to use and fire and forget are long gone. The decline in quality is noticeable.
Actual hackers would use Guix System and actually hack really cool stuff and, yes, Guix (the package manager) would be eating GB's because of reproducibility... but at least you could restore your system from Grub anytime.
MS is just like that person, who drives a dagger into your back.
Windows is malware.
[1] https://www.forbes.com/sites/thomasbrewster/2026/01/22/micro...
I was a big fan of Microsoft ten to fifteen years ago. I’ve since transitioned my whole family off Microsoft products now over to Linux, Apple, and proton.
I really thought their corporate culture would’ve changed after the late 90’s but I guess this is a good lesson for founders. The culture you build into your company will likely outlast your tenure.
https://dbus.freedesktop.org/doc/dbus-uuidgen.1.html
I'm running Arch Linux and /etc/machine-id is present.
There's also an optional /etc/machine-info file that could exist. It's not a part of systemd and won't be created by default. It's more of an informal way to have details about the system in 1 spot. It was more popular when provisioning bare metal servers but still has value in the cloud. You can have key / value pairs on who to contact, where it's located, what type of machine it is, etc..
Double-check that this method actually works though.
Machine ID is used for things like dhcp leases, log rotation, etc. IPV6 addresses or transient MAC addresses are derived from it
If you want to escape that, you have to use dedicated privacy-enhancing tools / browsers, but even then, it's very likely that you can still be identified by motivated adversaries.
It doesn't mean you have to give up, but, if such id is necessary for technical reasons in systemd (I guess it is), I wouldn't worry too much.
It can take a lot of effort to make yourself truly just blend in and disappear.
https://askubuntu.com/questions/1498611/ubuntu-dhcp-client-u... (linked because depending on version, there are several different ways to make this change..)
I have the urge to grab a pitchfork, but I know better than to make assumptions about why that functionality was added. Time to do some homework I guess.
But if you are using TelemetryOS (i.e. you cannot fully switch off the chatter) and your daily Web browser doesn't offer privacy extensions, you are the product.
The number of things you need to try to keep track of merely _improve_ your privacy is maddening. The whole world seems to be against you.
And you should be running the browser inside firejail at all times.
It’s best to focus your efforts into rotating these IDs.
Anyone serious about privacy is using Firefox or Tor Browser, with various settings to harden it against tracking.
I’ve seen that it uses a different init system and doesn’t rely on either dbus or systemd
Other BSDs don’t have that, but have equivalent PCI tree identifiers. “hostid”, too, is found on many systems but is much less unique as it’s often a function of local network address.
If the privacy reasons are driving you, see if you can find fixes to these issues without getting rid of systemd.
Good founders already know this. Bad ones don't care.
I would suggest staying away from Brave. I recently compiled the debloated Brave edition from source and was rather disappointed. Brave was slower on my machine than Firefox and Chromium according to Speedometer 3.1. The built-in adblocker does a worse job at cosmetic filtering than uBlock Origin on Firefox. On top of that, I had to build the browser from source because the only binaries I could find are Brave's own. Their builds aren't reproducible, and no Linux distro packages their own.
If you think I am being paranoid, you may also want to take a look at this:
https://www.pcmag.com/news/brave-browser-caught-redirecting-...
>Send optional diagnostic data to improve Microsoft products [Includes how you use the browser, websites you visit, and enhanced error reporting. Determined by your Windows diagnostic data setting]
>Allow Microsoft to save your browsing activity including history, usage, favourites, web content, and other browsing data to personalise and improve Microsoft Edge and Microsoft services like ads, search, shopping, news, and Copilot [Includes your history, usage, favourites, web content and other browsing data]
> 27. Microsoft records also indicate: <...> a little more than three hours after the ngrok account was created, the user visited “[Company F].com” from the .168 proxy server.
I know people who won't use Israeli or Chinese-made tech for fears of sabotage. US tech is quickly making its brand in that market.
* PRISM (est. 2007) spied on US citizens with the help from AT&T, Microsoft, Google, Apple, and etc.: https://en.wikipedia.org/wiki/PRISM
* SpyFiles (various years, ~2011) US/EU surveillance software: https://wikileaks.org/spyfiles/
* Facebook (est. 2004):
* Palantir (est. 2003): https://en.wikipedia.org/wiki/PalantirYou can go all authoritarian fascist if that's what floats your boat, but at least don't backstab people who buy shit from you.
Can't you be repressive and professional?!
Maybe I'm just bad at PR, though. If we call this "Chinese" behavior, maybe it will appeal a particular demographic who would normally support it in order to protect them from "Black Crime."
You can mix it with other info to track a user, but it's not enough to de-anonymize someone on its own.
And of course they are.
it's the decimal representation of a 64 bit integer
That URL shows 16 blocked requests, it tries to load (at the very least) datadog and googletagmanager, I'm guessing the police simply reached out to all the analytics companies Ngrok ends up indirectly/directly sending data to, which ends up saving everything they get their hands on.
What surprises me the most is that the guy was using a Windows installation to do all of this. But then again, you only hear about the dumbest criminals who get caught, so I guess it does make sense after all.
But those companies would have no way of knowing the GDID. It's not sent in a header, I assume.
https://en.wikipedia.org/wiki/Parallel_construction
https://news.ycombinator.com/item?id=48811081
Or I suppose it's possible that it only sends the domain and not the full URL, but that's enough for the police to go to the hoster and demand logs containing the full URL for said IP.
1. https://www.justice.gov/usao-ndil/media/1450651/dl?inline
Nope. That would be unbelievable but also very well known. It was a Windows software licensing matter, see my post above.
https://www.itpro.com/security/privacy/355029/microsoft-edge...
> Microsoft sends every URL you visit in Edge back to Microsoft servers,
Not the same thing.
Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name.
It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning.
[1]: https://www.freedesktop.org/software/systemd/man/latest/mach...
Exactly how does Microsoft's device identifier get associated with the ngrok session (normally initiated via its closed-source CLI)?
I can't tell from the article whether Microsoft is doing something underhanded to inject its device identifiers into network traffic, or whether the ngrok client software (again, closed-source!) grabbed the device identifier… and might well do the same on any other OS, using /etc/machine-id on Linux for example.
Since ngrok uses a "freemium" model, it wouldn't surprise me at all if its clients send machine IDs to try to catch users trying to get around its free limits.
Does the Microsoft store imprint an identifier into the network traffic of all the binaries downloaded from it?
And if so, how?
All of ngrok's traffic is TLS encrypted which means that only the client software and the server/peer should be able to decrypt or modify it.
Thank you! This is not only good to know as an ngrok user myself, but it's also more informative than what's in the article.
Sounds like we can rule that out as the avenue of detection.
Asking for a friend.
Apparently [0] it's based on a time correlation for visiting the signup page:
> Investigators obtained IP address records from ngrok and the VPN provider and then obtained records from Microsoft that matched the time when that ngrok account had been set up on a Windows machine through a specific GDID.
> "According to Microsoft records, on or about May 12, 2025, at 19:21 UTC – when, according to ngrok records, the ngrok account was created – the device with the GDID accessed, among other ngrok pages, 'https://dashboard.ngrok.com/signup,' the ngrok page to set up an ngrok account," the affidavit explains.
[0] https://www.theregister.com/cyber-crime/2026/07/07/windows-i...
Basically, Microsoft logs things from windows users, including and not limiting to, the machine GDID, IPs that come with the GDID, and when and what exact URLs accessed. So for windows users, privacy, an important part of information security, is totally destroyed by these logs enforced on windows.
And a simple solution to that problem is moving to linux. You save yourself a lot of time and energy for leaving the adversarial information security condition imposed by windows and microsoft.
P.S. You may consider debloating windows for a more information security friendly environment. However, that is nearly impossible, as long as you realize that windows is an OS composed of thousands of closed source softwares, and doing security audits on all of these will be costly.