
Personally, I run a single Win10 desktop (all of my laptops are Linux-only) that I update roughly annually, by allocating an entire day for going through the updates one by one and getting rid of any Microsoft malware along the way. I am far more concerned about Microsoft's own malware than any ransomware floating around the Internet.

Of course, I've also had SMBv1 disabled for many years (there's no reason to retain support for it unless you need to support WinXP machines, in which case you have my condolences), the desktop sits on an isolated subnet with a very restrictive router and firewall in front of it and all telemetry, Cortana and other malware has been eviscerated via group policy and other settings, along with router-level blocking of telemetry and update servers.

I fully understand that my case is atypical and the average user isn't going to follow comparable precautions, so I don't actively recommend my approach to anyone else, but it works great for me. Apart from wasting about a day per year on maintenance, I'm as happy with the OS itself as I've ever been with any Windows version, and it fulfills my Windows development and occasional gaming needs just fine. Obviously, I'm much less happy with Microsoft as a company for forcing me to go through such lengths to make their OS into something I'm comfortable using.



Really? You're more concerned about the software being provided to you by Microsoft, who is at least presumably trying to keep you as a satisfied customer and provide a secure operating system, than you are for faceless hackers connected to the Internet whose whole objective is to either outright steal people's money, disrupt people's lives, or else subvert your computer in order to launch attacks on other users?


> Microsoft, who is at least presumably trying to keep you as a satisfied customer

You surely jest!

Individual users are not customers of Microsoft in any meaningful sense. Microsoft sells the OS mostly to companies who install it on machines so that the end user buys a computer with Windows already installed.

If MS wanted to keep me as a customer they would have provided a proper upgrade path for all the millions of lines of VB6 code that are out there and they would create an IDE that has a usable editor.


> who is at least presumably trying to keep you as a satisfied customer and provide a secure operating system

I seriously question that presumption. I think Microsoft is generally trying to satisfy enough of my needs to keep me in their ecosystem while extracting as much value as they possibly can (within legal, technical and business constraints) from collecting data on me, pushing ads, etc.

I'm certainly not saying Microsoft are "more malign" (by whatever moral standard) than hackers out to steal people's money, however, by virtue of using Windows, I automatically have a degree of exposure to Microsoft that can only be mitigated rather than eliminated altogether. My exposure to ransomware and other non-targeted attacks by non-state actors is vastly smaller, and much easier to mitigate.

I am under no illusions about my ability to withstand targeted attacks by more competent parties, but that isn't a particularly significant concern to me.


I'm not the OP, but I'm not particularly worried about "hackers" as my network is defended well enough against non-targeted attacks. Microsoft, on the other hand, betrayed my trust by forcing malware down the supposedly trusted update channel. That trust won't be regained in the foreseeable future. And come on, "secure operating system" lol? Sorry, couldn't help myself.


> You're more concerned about the software being provided to you by Microsoft ... than you are for faceless hackers connected to the Internet

Yes. And there is no /s on this comment.

We don't use much recent Microsoft software because we no longer trust it. They are going down a path we don't want to follow.

With the older OSes that we do still use, principally Windows 7, we are similarly sceptical about updates, and typically we only apply necessary security patches now.

[Edit: For whoever is downvoting a lot of the comments with this sort of sentiment, you might consider that objectively we have had far more downtime as a result of bad updates from Microsoft than as a result of malicious actions by hackers over recent years, and I doubt we're alone in that.]


> you might consider that objectively we have had far more downtime as a result of bad updates from Microsoft than as a result of malicious actions by hackers over recent years, and I doubt we're alone in that.

I haven't seen it put that way before. You're not alone.

One of the recent update cycles had some kind of interaction with the video drivers on several of my machines, resulting in monitors connected via DisplayPort intermittently failing to wake up following a screen blank. The current workaround is for users to reach around the back of their monitor, unplug and replug the power. I burned an entire day on that one, plus the continued frustration.

Knock on wood, but I can't remember the last time I had to scramble for a security incident or malware outbreak.


To add some additional perspective: many of us know how to add some basic level of security to our personal networks. Certainly not NSA-proof, but enough to avoid being owned by your average script-kiddie or wide-spectrum hacker.

So in reality we do have more concern about Microsoft's update channel, which has a trusted, straight-shot channel directly into the core of our system, than we do random Joe hacker who had to bypass our NAT, find a zero-day, etc.

From a security point of view, Windows update operates within the secure zone with root privileges. Of course that's more concerning if you don't trust it than an external hacker.


Are you aware of https://www.reddit.com/r/TronScript/ ? Sounds like it could save you a lot of time (and, if you do things that are not yet in Tron, you could help the community as well by adding those things).


I am, and I actively recommend it to anyone sufficiently well educated that they could (and would) go through the contents of the script manually and verify its contents. I don't do anything additional that could be automated in a general fashion, but my own scripts (partly based on Tron) include custom things specific to my setup - adjusting router/firewall settings, interacting with my automated backups, etc.


[flagged]


If you're going to insult people on HN, the least you could do is substantiate your reasoning so the post has at least some content.

And while I'm sure there are many definitions by which I could be called "incompetent" (as could you or anyone else), I'm especially intrigued to know how the rather isolated setup I described would present a danger to anyone.



