Windows Updates introduce telemetry features and I don't allow my gaming PC network access to Microsoft. In my mind, the risk of them collecting my personal information is greater than the possibility of a "major security hole" being exploited, and even if it were, the data is limited to something totally inconsequential. As an additional measure, I reinstall the OS several times per year, but only allow updates before I use the computer for the first time.
Windows 10 has had telemetry since its initial release. You don't avoid it just by not installing updates. If you're really so concerned about security and privacy, then why not just use Linux?
Reminds me of the pro-vaccine memes likening vaccines to seat belts. An incompatible, overly-simplified emotive analogy for both vaccines and windows updates. It's almost like you believe your world to be threatening and dangerous without Microsoft's software rules to keep you safe.
It is because there are decades of history of unpatched devices being used as vectors for ddos, entrypoints for horizontal movements inside secure networks etc.
If you pay attention to the Ukrainian conflict, you will see that the cyber-warfare is going strong (especially in the energy sector), and the internet is indeed a 'threatening' place. Just because you don't consider yourself an interesting target doesn't mean you won't be compromised.
Yes it's unfortunate that MS packages both bug fixes and 'features' in their update process. But as other comments have said, it is better, then, to migrate away from Windows to another OS which you can keep up to date.
There are many layers to a good defense, but for a regular consumer, simply keeping devices up to date is a low effort way of reducing attack surface area.
I wouldn't run any unpatched device with internet access, be it windows, linux, anything.
I recommend the book "This Is How They Tell Me the World Ends: The Cyberweapons" for a non-technical but interesting read about this topic.
> "I wouldn't run any unpatched device with internet access"
You wouldn't go Sunday driving without a helmet. Got it.
It's not a binary game, patched vs unpatched. Safe vs falling down a cliff. Otherwise every piece of software is in either an unpatched state, or discontinued. As soon as you patch software, it's now in an unpatched state relative to the next patch/product update which is a certain event.
If Grandma leaves her old Windows 95 PC exposed to the internet, we might use scary language like "cyber-warfare" and "internet is threatening" to help convince Grandma to upgrade. But the difference between a modern system patched only a few months ago or last year and "today" is only a bunch of unlikely exploitable edge cases, and a whole lot of product update gunk.
Typical patch notes: "possible code injection when unlikely event A happens at the same time as unlikely event B."
Things that bring regular consumers undone in the world of online mishaps, are manual blunders like having their email hacked, or believing the person on the phone who says they're from Microsoft. Patches don't help with the most common pain points.
Just because Microsoft wants "60 days" to be the most you can go without updating Windows, doesn't mean that 90 days or 180 or 360 days is some kind of industry-agreed threat to the internet. Being "unpatched" beyond the rigid rules you've subscribed to, is not a dilemma worth linking to books about cyberweapons.
> As soon as you patch software, it's now in an unpatched state relative to the next patch/product update which is a certain event.
Why do you bother taking showers? You're just going to start getting dirty again as soon as you get out.
> But the difference between a modern system patched only a few months ago or last year and "today" is only a bunch of unlikely exploitable edge cases, and a whole lot of product update gunk.
> Typical patch notes: "possible code injection when unlikely event A happens at the same time as unlikely event B.".
This isn't true. A lot of new vulnerabilities are easily exploitable.
Because our bodies accumulate and generate dirt over time which needs washing off. Software doesn't accumulate dirt or generate problems over time, so your analogy doesn't fit.
> This isn't true.
We are not playing "who knows the truth", we're having a discussion. What I said is not false. The vast majority of typical patch notes detail vulnerabilities which can happen only when certain variables align. "Easily exploitable" may be true, provided certain other unlikely conditions are met, such as the attacker already gaining access to your system in order to exploit said vulnerability. This is not a "seat belts" vs "no seat belts" risk. I maintain that the risk from not embracing whatever tech giant's update ideology is commanded, is overstated most of the time compared to other risks people face online.
You are focused too much on Microsoft and the individual user. The concepts are applicable to any device from any manufacturer. The book I linked is about the evolution and history of network spread malware such as bots. It discusses how security was always an afterthought during the start of the millennium, and how at a certain point basically every device was running some malware. Then collectively the industry and the government finally started to understand the nature of the beast and introduced security hardening best practices.
This is continuing today, and the increased knowledge sharing has industries working together to fight the problem. Even the US government has learned from e.g. google and started to move to 0-trust network architecture: https://www.whitehouse.gov/briefing-room/presidential-action...
Automatic updates are one of the biggest enablers of stopping automatic spreading of malware. The Mirai botnet for example had a large capacity knocked out thanks to Deutsche Telekom responding and force updating their network devices which were vulnerable attack vectors. Unfortunately there are a lot of devices out there which are out of support or have no updates available (i.e. internet of shit), which remain a constant problem.
Automatic updates are the industry standard, because the days a patched or unpatched device is a threat to the internet is 0. This doesn't mean patching is futile. It still greatly reduces the available attack surface, and also helps protect other devices.
You should also be aware that when a 0-day gets patched, it often happens silently. e.g. Linux will obfuscate its commit message, because if they say 'e.g. fix really bad 0 day', then immediately that 0-day becomes public knowledge and will be exploited even more before the patch is live and propagated to the systems. Same in release notes, so people don't diff the binary to discover what the attack vector was. Just because it's not loudly announced, doesn't make it not real.
So please do your minimum part to practice network hygiene if you want to participate. It is not a 'dilemma', it is polite behavior for a greater goal.
Please stop selling me Microsoft automatic updates. I'm not buying.
Doesn't mean I never update. It means I control the updates on my terms, not on those of commercially motivated, privacy-invading faceless tech giants with agendas far beyond the scope of network hygiene.
I use a cheap smartphone. It works fine but gets no more updates. According to your position in this debate, I should abandon that unhygienic phone, and pay the protection money for a fresh plastic box of rare earth metals, for the greater good.
I'm not sure why you're invested in replying to me about this topic. Most general PC users already have automatic updates on. You should be ecstatic about that.
Behavior modification and reinforcement tactics used by software vendors to get people to do things are real. Overstating the threat of security risks if people fail to update in a given time frame is one of the tactics used to get people to install, upgrade, buy, renew, etc.
I apply updates on some things without much delay, such as specific software I trust/respect. Other times I will never update, such as my e-bike where I modified the firmware for certain reasons which are my business. There are valid reasons why people delay or decline updates.
It's disappointing you believe embracing automatic updates is tied to ethical use of the internet. The implication of that idea is that update-urgency is never exploited by those pushing the updates. We're even seeing "updates for the sake of updates" coming through, as Apple will reportedly delist apps that haven't seen an update in a while.
Okay I'm done on this topic! Updates! Ugh... I turn them off and edit group policies etc to put a stop to the blatant turf-war on who gets to run the show in my house.
> I use a cheap smartphone. It works fine but gets no more updates. According to your position in this debate, I should abandon that unhygienic phone, and pay the protection money for a fresh plastic box of rare earth metals, for the greater good.
It's definitely not right that you have to do that, but the fact is that today, being secure means you do have to. In the ideal world, manufacturers would have to either provide security fixes for way longer, or open up their devices to the point that other people can do it for them.
> It's disappointing you believe embracing automatic updates is tied to ethical use of the internet. The implication of that idea, is that update-urgency is never exploited by those pushing the updates.
Do you consider it ethical for your computer to knowingly be part of a botnet? And of course Microsoft abuses automatic updates, but the solution to that isn't getting rid of automatic updates; it's getting rid of Microsoft (e.g., switching to Linux or something).
So scan your PC for malware. If none are found and your machine is running fine, you don't need to panic about updates until you're good and ready to install updates.
The problem with blind loyalty to Microsoft updates on their terms, is they can micro-tweak the compliance rules over time. One day you may find you can't use your own PC unless you sign in to Microsoft, upload photo ID, then enter the code they sent your phone. Don't worry, the data you provide Microsoft is shared only with trusted partners.