Not so long ago, we advised the end user to patch everything as soon as possible, and depend on auto-patching as much as possible. The risk of their devices becoming hacked was much higher than the damage of software breaking, and big vendors worked on dependable patching.

Now the world has evolved to the point that patches shamelessly remove features or install adware. Even the big names are incompetent enough to cause damage on a regular basis. Meanwhile, the internet has learned to deal with botnets as a fact of life.

So, assuming you live in a country where identity theft isn't much of a problem, and assuming regular and working backups are implemented, I'm starting to wonder if it isn't time to review our best practices: don't allow anything on the internet unless it really should be there (get a good enough firewall), don't run as root or administrator unless you have to, but also disable automatic updates, and do manual updates once a patch has been out for 2 weeks and has proven not to cause more trouble than good.

So what's your opinion? How should a non-techy deal with today's landscape?

On every new Windows 11 box of mine, I spend around 4-5 hours setting it up in a way that prevents any phone-home or auto-update: group policies, deleting things, setting up fake domain controllers, etc.

A preposterous amount of time spent to make sure I don't end up with a "Bing Discover" feature that some product manager rammed into Edge, or have my settings reset because Microsoft reaaaaly wants my new tab page for ad revenue. Oh look, the latest Windows release has "Microsoft Rewards" in every frequently-viewed UX component; wonderful.

There's an army of CVE bros cargo-culting bullshit like "it doesn't work if it's not auto up to date", when the reality is the product doesn't work if the latest upgrade breaks my workflow or I have to stop what I'm doing and spend a bunch of time undoing whatever new "feature" got added for user-adverse but revenue-positive purposes. I don't think I've seen an update in the last 5 or so years that didn't try to turn a thing that I own into a grocery checkout aisle for other stuff that I should own.

My HP printer sits behind a NAT and a firewall and the firmware has been feature-complete since they built the stupid thing. The only thing you get with upgrades is operational risk; hedging imaginary "someone's gonna p0wn it" problems is the security equivalent of the $5 wrench XKCD.
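One way to apply the original poster's "wait two weeks" rule on the Windows 11 boxes described in the reply above, while still letting security patches arrive on their own instead of switching updates off entirely: a Windows Update for Business deferral policy. This is an added example, not code from either post; it assumes a Pro or Enterprise edition (Home ignores these policy values) and an elevated PowerShell session.

```powershell
# Added example: express the "patch is out for 2 weeks" rule as a deferral rather
# than a blanket auto-update kill switch, so a broken patch is usually pulled or
# re-released before this machine sees it, but the machine does not stay unpatched.
# Assumes Windows 10/11 Pro or Enterprise and an elevated session.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-UpdateDeferral {
    param(
        [ValidateRange(0, 30)]  [int] $QualityDays = 14,   # monthly security/quality patches
        [ValidateRange(0, 365)] [int] $FeatureDays = 365   # feature upgrades (the UI churn)
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Quality updates still install automatically, but only once they have been
    # public for $QualityDays days.
    Set-ItemProperty -Path $PolicyKey -Name 'DeferQualityUpdates' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'DeferQualityUpdatesPeriodInDays' -Value $QualityDays -Type DWord
    # Feature updates carry the new "features" the thread complains about; hold
    # them back for as long as the policy allows.
    Set-ItemProperty -Path $PolicyKey -Name 'DeferFeatureUpdates' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'DeferFeatureUpdatesPeriodInDays' -Value $FeatureDays -Type DWord
}

function Get-UpdateDeferral {
    # Read the policy back so it can be verified, e.g. from a login or audit script.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        QualityDeferred = [bool]$p.DeferQualityUpdates
        QualityDays     = $p.DeferQualityUpdatesPeriodInDays
        FeatureDeferred = [bool]$p.DeferFeatureUpdates
        FeatureDays     = $p.DeferFeatureUpdatesPeriodInDays
    }
}

Set-UpdateDeferral -QualityDays 14
Get-UpdateDeferral
```

The same values can be set through Group Policy under Windows Update for Business; writing the registry directly just makes the 14-day figure explicit and scriptable.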

Maybe you can contribute your work to this existing project that is really quite good. For your consideration: https://github.com/builtbybel/BloatyNosy