
Not so long ago, we advised the end user to patch everything as soon as possible, and depend on auto-patching as much as possible. The risk of their devices becoming hacked was much higher than the damage of software breaking, and big vendors worked on dependable patching.

Now the world evolved to the point that patches shamelessly remove features or install adware. Even the big names are incompetent enough to cause damage on a regular basis. Meanwhile, the internet learned to deal with botnets as a fact of living.

So, assuming you live in a country where identity theft isn't much of a problem, and assuming regular and working backups are implemented, I start to wonder if it isn't time to review our best practices: Don't allow anything on the internet unless it really should (get a good enough firewall), don't run as root or administrator unless you have to, but also disable automatic updates, and do manual updates when a patch is out for 2 weeks and has proven not to cause more trouble than good.

So what's your opinion? How should a non-techy deal with today's landscape?



On every new windows 11 box of mine, I spend around 4-5 hours setting it up in a way to prevent any phone-home or auto-update. Group policies, deleting things, setting up fake domain controllers etc.

Preposterous amount of time spent to make sure I don't end up with "bing discover" feature that some product manager rammed through into the Edge or reset my settings because microsoft reaaaaly wants my new tab page for ad revenue. Oh look latest windows release has "microsoft rewards" in every frequently-viewed UX component; wonderful.

There's an army of CVE bros cargo-culting bullshit like "it doesn't work if it's not auto up to date", when the reality is the product doesn't work if the latest upgrade breaks my workflow or I have to stop what I'm doing and spend a bunch of time undoing whatever new "feature" got added for user-adverse but revenue positive purposes. I don't think I've seen an update in the last 5 or so years that didn't try to turn a thing that I own into a grocery checkout aisle for other stuff that I should own.

My HP printer sits behind a NAT and a firewall and the firmware has been feature-complete since they built the stupid thing. The only thing you get with upgrades is operational risk; hedging imaginary "someone's gonna p0wn it" problems is the security equivalent of the $5 wrench XKCD.


All that work to keep your own property from being weaponized against you.

Richard Stallman’s positions on software seem less extreme every year.

Ask 1990s or 2000s me, and I’d say he was interesting but “out there”.

Now, I’m thinking he was just 30-40 years ahead of his time.


Same. r/StallmanWasRight

I see the big fight now is over AI. The talk is over AI ethics and safety … but can we honestly entrust that to Big Tech?


Of course not. The unfortunate reality is on average the larger something is the less it sees you as a person. Any large organization sees us all as walking billfolds. If they don’t see us as human, how can they keep AI ethical or safe?

The reality is they simply cannot, and won’t. While safety will (probably) be assured, because unsafe products bring lawsuits, unethical products that extort customers for money are apparently perfectly legal. We see this in pharmaceuticals, processed foods, and of course Big Tech.


That leaked Google paper on how open-source models will catch up and surpass AIs from Big Tech is interesting. According to that paper, being able to train huge models is not a sufficient moat.

But requiring licenses to construct or deploy AIs would be a sufficiently large moat.


If you are asking yourself this question seriously, I implore you (whoever is reading this) to explore the incentives the different players have in every decision that is made.


The fight over AI is the same fight as it was before - user control and freedom over the AI

I should have control over model updates, retraining, the training pipeline, the prompts... Everything. How ethical or safe the AI is is my problem. It's not a matter of trust, but that it gets changed out from under me, breaking my workflows, and not letting me fix problems with it that affect me.


Would we have had GPT, et al. by 2023 without FOSS?


Unlikely, but there are other ways to control who gets to align AIs. Requiring licenses to construct or train models would be one of them. Patents are another.


No, and we can't trust it to big government either. This is my belief and fear, the government will or has already implanted itself with open AI exactly like they did with Twitter. So now we will have the most powerful corporation in the world secretly controlled by the US government.

Is there a lesser of two evils here? I honestly don't know, but I don't think we will get a choice.


I just wish he didn’t partake in pedophilia apologia


Maybe you can contribute your work to this existing project that is really quite good. For your consideration: https://github.com/builtbybel/BloatyNosy


> On every new windows 11 box of mine, I spend around 4-5 hours setting it up in a way to prevent any phone-home or auto-update. Group policies, deleting things, setting up fake domain controllers etc.

Would that even work on an Apple device?


>Would that even work on an Apple device?

Yupp and it's way easier to do - launchctl list and blow away what you don't want without the bs of looking at registry, then group policy, then domain controller nonsense, then services, then start up items then...


You just have to hope that Apple doesn't do what it's already tried and allow its own apps to bypass the TCP/IP stack filtering and firewalling.

And then backpedal furiously and say that it was "a temporary measure while some apps were getting fixes and updates". Huh - not sure why TextEdit.app ever needed a kernel extension but maybe they're right, and it wasn't just a BS excuse.


Why would you want to do that on an apple device? The point of buying apple stuff is that apple has full control over it


Because I own it. And the idea of apple being in control sounded nice in the beginning but wore off after about a week.


Why would you ever connect a printer to the internet? Best case it should be available on LAN, and you can use a VPN if you need a wider network (ie. an office building).

You should more or less _never_ update your 'dumb' devices unless there is a specific feature/bugfix you need.


A printer on a LAN will often find a way out to the internet. Sure, you can firewall it if you think to do that. Another way to auto-update firmware is that the printer driver on your computer fetches the upgrade (your PC can certainly get to the internet) and then installs it on the printer.


It's hard to stop sometimes. The printer driver might auto-update via windows, so a next print job auto-uploads new firmware.


The latest HP models require always-on internet or they will refuse to print.


I’m trying to work out what you mean.

Is your lan not connected to the internet?


With proper equipment and setup, you can control what on your LAN can talk to the outside world (you can get way more granular than that as well).


For all in ones that have a scanner, it's used to support scan to email without involving a PC.


I gotta tell you, I would be more worried about giving these things live email credentials than I would be about them spontaneously bricking.


Well you would be dumb to give it anything but unique per-device credentials to a working SSL-enabled SMTP server.

For non-techy home or SOHO users, they're likely using smtp.gmail.com with their gmail creds though. Would not be unreasonable to dedicate a gmail account just for scan to email IMHO.


> For non-techy home or SOHO users, they're likely using smtp.gmail.com with their gmail creds though.

That's exactly what I'm worried about. Obviously there are ways to do it safely (and gmail actually I think might even force them), but I have very low expectations of a lot of the userbase (not a dig at them: the tech isn't exactly set up to make the easy thing safe).


I disable all auto updates on my mum's phones and my own as well - the pain of dealing with features being removed/moved/renamed, interfaces being redesigned and unexpected changes is far greater than the absolutely minuscule risk of being hacked. I hate with absolute passion how an "update" to my phone can change its entire interface to the point where I have to re-learn common usage patterns. Google apps especially are the worst at this. It should be exactly like the day I bought it, I used to think that OTA updates are the best thing ever - now I've grown to loathe them.


You think apps should never change their interface.. ever?


I think Google especially does it way too often. But I think to maybe make my argument more precise - I think it's fine if apps do iterative improvement of the interface. But what I see way too much of is "we've rolled out the new version of our interface, enjoy!" and they completely changed the theme, button positioning, names of functions, half of the old stuff is missing.....and that's just it, you have no recourse, no way to roll back other than installing dodgy APKs from somewhere. To give a simple example - TP-Link had a very well designed Kasa app for their smart devices, one day a new interface rolled out, breaking my presets, the interface is dog poop, some functionality is actually missing - I sent them a long email explaining all of this, they just said "thanks, we'll think about it" and nothing happened.

So yes, in that case I'd rather that this app literally never ever changed - there was nothing wrong with it, but of course some designer somewhere has to justify their continuous employment so they roll out these interface changes to basically have a job. I'm sick of it.


>assuming you live in a country where identity theft isn't much of a problem, and assuming regular and working backups are implemented

These are gigantic assumptions. I am not exaggerating when I say gigantic. Identity theft alone is hitting record highs in the EU in both percentage affected and money exploited.

The other problem is we tend to offer advice that is so vague it might as well be harmful. What does it mean for a patch to be proven to not cause more trouble? How does one prove a working backup? List goes on. We wind up giving so much of this nice sounding but useless advice that we confuse people. Even techies! You see it on HN all the time, bad/mediocre advice passed around and internalized, things regurgitated because it sounds good not because it's what will keep your data safe.

When advice is so horrible even techies wind up reverting to the most simplistic solution possible, that's a very clear sign we are doing a horrific job!


I'd like to hear more about what you know of EU identity theft. Specifically as I am from Belgium, my bank is protected with 2FA and my eID identity card should protect me from criminals creating contracts in my name. While probably not bulletproof, I can't really name recent common identity theft troubles. Most damage seems to happen by providing the android/apple/steam/... stores direct access to your bank account or identity, so AFAIK the main advice here is: don't.

Also: What is your alternative? I hate my own post above, but can't really think of anything better.


Without severe expansion of data privacy laws universally, most of my alternatives fall short. I can tell somebody to use 2FA and to be selective about their data, but what good does that do when companies are barely complying with GDPR as is? Our solutions are mostly to know bad things will happen and to have it affect as little as possible so you only have to change one password/account. Bleak. It's disappointing in a way, we could do so much better; substantially improved data privacy laws and mandatory e2e encryption would be great first steps, but they would enrage the very same corporations (like HP) that pull off this nonsensical garbage that puts us all at jeopardy. They keep pushing all these tracking services updates to those to restrict use and enforce sales, we can't handle this by just telling people to update less because eventually other companies will start adopting those policies if it results in increased ad revenue.

I also don't think your post is to be hated, it is not bad and is actually important in getting people on board with the idea of mass reinvention of digital services. We can't get there until we all accept that digital life currently is just far too invasive and we need better regulation before we can even start to work on personal advice. Such personal advice from Telekom[1] as an example, most of it sounds good but doesn't actually work in reality due to how weak our data privacy laws are.

[1] https://www.telekom.com/en/company/data-privacy-and-security...


I've always waited at least two weeks to a month before installing any windows update.

I've had two laptops bricked by faulty windows 10 updates in the past. I've gone through the whole gauntlet of people trying to gaslight me with statements such as "It is impossible for a windows update to brick your computer, or get stuck in an infinite updating loop."

I advise pretty much everyone I know to avoid updating important software automatically. Updates for critical software or hardware should only be done to a specific version that has been out for at least a month. Even then, always check multiple sources to ensure it won't introduce something unwieldy.

But of course, that gets a bit tedious for some people. So generally I only apply it to non-security updates, hoping and praying Microsoft hasn't screwed the pooch again with one of those. (Which has happened in the past.)


I never enable auto-update. It's just obviously a gaping vulnerability. It effectively delegates your security to a third party, so any vulnerability or incompetence in the third party becomes your vulnerability. You are effectively signing up to be a beta tester. No. Just, no.


My chrome instance complains about being not up to date because I rewrote the update daemon with a zero byte file that no one has write permissions to.

I did this after chrome’s auto update checker (not the actual update) pegged my cpu to 100% enough times that I rage deleted the updater. Then chrome kept rewriting it and undoing my settings to not update.

It’s a risk I run but chrome lost my trust.

Safari auto updates without ever causing me to notice.


> How should a non-techy deal with today's landscape?

Throw away any tool you do not know how to use. Get off the internet. Get off the computer. Revert 30 years (or more) of progress because we clearly went wrong somewhere.


> Don't allow anything on the internet unless it really should (get a good enough firewall)

Even that isn't enough, many a botnet has employed lateral movement inside a network.


>do manual updates when a patch is out for two weeks.

Manufacturers will simply ship dormant changes that wake up a month after deployed.


In some cases that'd be fine -- namely, if they used the extra time to extend the QA process. Of course we all know it wouldn't work that way.



