BearOfaTime

@BearOfaTime@lemm.ee

BearOfaTime ,

It won't.

All the crap from MS only affects ignorant home users. (I say that with no criticism - home users often lack significant expertise in this stuff).

Corporate has an IT team dedicated to image building, based on requirements gathering, which is well documented and well tested before it's deployed to even a small test group (usually us fellow IT geeks get to be Guinea pigs first).

Once it's been certified, then they'll deploy to a second, larger group, test and verify.

Wash, rinse, repeat.

Plus they'll probably start with new hires and anyone with a machine that is falling off lease/aging out. This gives them a little room, in that new hires don't have any local data (no one should have much in the first place), and people with aging machines can hold onto the old machine for a couple weeks as a fallback, just in case.

I've seen it several times, been part of deployment and upgrade teams.

Additionally, they deploy policies to redirect any MS network services to their own internally hosted services - Windows is designed to do this, there are specific policies for everything, such as Windows Update services, even the MS App Store. Because no company wants machines pulling random crap from outside the company (they probably even block the access at the network level - I would).

BearOfaTime ,

Get Win10 LTSC. It gets updates 2x/year, has very minimal bloat.

Then get O&O Shutup to reduce bloat even more.

And you can permanently license it using Microsoft's own scripts.

Scripts on GitHub.

BearOfaTime ,

Nice, thanks for the alternative!

I like the option for scripting it.

BearOfaTime ,

No idea.

I've never cared about such things for home systems - I never use MS support, and I think updates are over emphasized for stability and security, as that ignores the other layers that are required.

If a system runs, does what I need it to do, I'm uninterested in making changes that run the risk of causing issues (for example, I have containers for things like Syncthing that don't get auto updates - I need to know that it works the same all the time, as it keeps mobile devices syncing their data to home, which gets backed up). I check updates 2x/year, and manually update if I feel it's useful (sometimes updates aren't available for all systems, which can break things).

All my systems are properly secured, behind multiple layers of security (physical firewall, isolated vlans, VPN, with encryption enabled wherever it's available, etc), I run in limited user accounts, my admin accounts aren't obvious, with proper complex passwords, everything is encrypted, properly replicated and backed up.

My next phase is adding 2FA even for my home servers.

BearOfaTime ,

"mystery malware"

The article clarifies the name of the malware.

Clickbait BS. Why are you being disingenuous?

BearOfaTime ,

Or having non existent security

BearOfaTime ,

Which is exactly what I see all the time.

BearOfaTime , (edited )

Drywall isn't a concern. Mounting to actual studs is what matters.

But I'd still put up plywood first, since drywall can compress where something's mounted.

BearOfaTime ,

I'm currently migrating all sorts of stuff to Proxmox.

Nice thing is, VM's and containers are easily copied with systems off, even did a P-to-V of an ancient Win7 machine and am reusing that hardware for Proxmox, and will run the VM in Proxmox until I get everything cleaned up and restructured.

Proxmox is a beast.

BearOfaTime ,

How would you compare Proxmox to Kubernetes?

I'm currently running a hypervisor lab to test stuff for friends in the SMB IT space to find a replacement for VMWare. At the moment, Proxmox has the best cost/flexibility/ease of learning, but if Kubernetes is more mature, has better support, that would be a great argument for it.

BearOfaTime ,

Yea, the lab is to test for a VMware replacement, so I'll start tinkering with Kubernetes along with Proxmox and a couple others.

BearOfaTime ,

Tailscale is Wireguard (or I should say it uses Wireguard, just provides automation around client config).

BearOfaTime ,

And there simply aren't enough mechanics now, hasn't been for at least 40 years that I know of.

BearOfaTime ,

I completely disagree with recommending exposing a port to someone who's asking this very question about the relative risks.

If they lack the expertise to understand the risk differences, then they very much lack the expertise to securely expose a port.

BearOfaTime , (edited )

By learning before you take on the risk.

It's not like this isn't well documented.

If OP is asking this question, he's nowhere near knowledgeable enough to take on this risk.

Hell, I've been Cisco certified as an instructor since 1998 and I wouldn't expose a port. Fuck that.

I could open a port today, and within minutes I'll be getting hammered with port scans.

I did this about 10 years ago as a demonstration, and was immediately getting thousands of scans per second, eventually causing performance issues on the consumer-grade router.

BearOfaTime ,

And that's a different animal (moving the goalposts, which is an excellent idea, but OP didn't even think of doing this).

OP asked about exposing a local port, which is a Bad Idea 99.9% of the time, especially for someone asking why it's a risk.

Using a VPS with reverse proxy is an excellent approach to adding a layer between the real resource and the public internet.

Is it safe to open a forgejo git ssh port in my router?

Hello all! Yesterday I started hosting forgejo, and in order to clone repos outside my home network through ssh://, I seem to need to open a port for it in my router. Is that safe to do? I can't use a vpn because I am sharing this with a friend. Here's a sample docker compose file:...

BearOfaTime , (edited )

Tailscale has the Funnel feature which doesn't require your friends use the client.

BearOfaTime , (edited )

I run the IoT version of 10 on everything - laptop, desktop, VM's, etc, it's great because it only does updates 2x/year, no feature updates by default.

Licensing is handled by the scripts from Microsoft. If you're a large enough business, it would be worth the cost of the Enterprise licensing just in reduced support issues.

Basically, it's Windows without the bloat, which seems like a good thing. I can use whatever apps I want for photo viewer, etc, and no garbage on the system.

BearOfaTime ,

Thanks for the Veracrypt reminder. Adding that to my stuff to set up and document list.

Sometimes Bitlocker really pisses me off.

BearOfaTime ,

What about home users?

I run Win10 LTSC as default for desktops, VM's, laptops. It's great - 2x/year security updates, nothing else.

No bloat, no BS.

An Important Hypothetical - What Android Apps Do You Install?? (sh.itjust.works)

You're twelve years old on Thanksgiving at six thirty in the morning. You'll be leaving for Grandma's in about a half hour, and she lives a three hour drive away, going in one direction. You have nothing to prepare yourself on this journey, other than a tablet running Android Eleven. Beware, the speaker is broken and there is...

BearOfaTime ,

Guess someone's gonna be countin' telephone poles along the way!

(Like I did when I forgot to bring a book or a travel game.)

BearOfaTime ,

Ooh, I like it! Especially as a fellow two-wheeler!

Google Search’s “udm=14” trick lets you kill AI search for good | Ars Technica (arstechnica.com)

Tack "&udm=14" on to the end of a normal search, and you'll be booted into the clean 10 blue links interface. While Google might not let you set this as a default, if you have a way to automatically edit the Google search URL, you can create your own defaults.

BearOfaTime ,

Imagine using a custom, bloated mess that most vendors put on devices, with garbage that runs in the background that can't be disabled or removed without breaking something.

BearOfaTime ,

Many SMBs will walk away at next server refresh.

VMware is walking dead.

We're currently testing Nutanix and Proxmox for smaller clients.

Proxmox support is similar (~65%) in cost to VMware licensing, but it's not likely to pull this sudden increase BS. Plus its capabilities are significant for SMB.

BearOfaTime ,

Nutanix is another one.

BearOfaTime ,

Paid support is a requirement for business. Trying to avoid that is penny-wise, pound-foolish.

When shit goes tits-up, you really need the support resources right now.

Win-win in my book.

BearOfaTime ,

Except this is a top customer with tens of thousands of VM's, walking away.

BearOfaTime ,

Bingo.

Where does the next gen of admins come from, if they've been using Proxmox, etc, to learn on?

All my peers started with VMware years ago because they could get ESXi for free and run it on test boxes, then have the experience to deploy in client sites.

BearOfaTime ,

You're not wrong!

I think Broadcom overplayed it on this one, as this example shows.

Or, they're playing a game we can't figure out. A 20,000 VM client is in the "large customers we want to keep" category.

BearOfaTime ,

Oh, that was surely an accidental oversight, right?

BearOfaTime ,

No.

Just don't stick your head inside when it's on. Pretty simple, just like a fucking oven. Imagine that!

BearOfaTime ,

It probably would lower the temp because the on-board cpu would no longer be doing the RAID controlling.

All that work would be offloaded to the system CPU and whatever software you use to control the RAID setup (TrueNAS, Proxmox, UnRAID, etc).

Of course this would mean backing up all the data on those drives (which you're already doing, right) and rebuilding the array with the software you choose.

BearOfaTime ,

Every circumstance is different, but undoubtedly the RAID cpu temp will drop since it's not doing anything.

Also, it seems the direction today for self hosters is software RAID, which I can get behind because I've had RAID cards die, and when they can't be replaced, you're out of luck.

BearOfaTime ,

Because the patent office is never wrong?

Hahahahahaha

BearOfaTime ,

I wouldn't mind a fold like the S4 Fold (which never made production) (or whatever it was about 2015).

I'd rather it be two phones joined in the middle like that with a minimal/no bezel there, rather than a folding screen.

BearOfaTime ,

Can you install apps on your work machine?

I've used Ditto as a clipboard manager on Windows for going on 20 years. Unbeatable.

You can manage clips in it extensively, it's scriptable, hot keys, groups, etc.

It's also in the MS App Store

Edit: Just noticed you want something shareable, like a web page. Does your company not have a wiki?

BearOfaTime ,

Well that's unfortunate.

Maybe Ditto will clear the security team. Hell, they might love it and be grateful to learn about it.

I'd think being in the MS store would help a little.

Try it on your personal machine, I can't live without it, and everyone I've shown it to says "why isn't this part of windows"?

BearOfaTime ,

Oh, that stuff is out there somewhere... in a database

New Orleans Loses Bid to Tax Music Streaming Service (natlawreview.com)

The New Orleans Collector of Revenue (“Collector”) failed in its attempts to subject music streaming services to the City’s sales tax. In Apple, Inc. v. Collector of Revenue of the City of New Orleans et. al., Docket No. L01283 (May 2, 2024), the Louisiana Board of Tax Appeals, Local Tax Division, analyzed the...

BearOfaTime ,

Right? Like every little municipality could do this?

BearOfaTime ,

Have you heard of capital letters and punctuation?

That's too hard to read.

BearOfaTime , (edited )

Not even close.

Though it's really impressive how much it's improved over the years.

I keep having to say this, as much as I like Linux for certain things, as a desktop it's still no competition to Windows, even with this awful shit going on.

As some background - I had my first UNIX class in about 1990. I wrote my first Fortran program on a Sperry Rand Univac (punched cards) in about 1985. Cobol was immediately after Fortran (wish I'd stuck with Cobol).

I run a Mint laptop. Power management is a joke. Configured as best as possible, walked in the other day and it was dead - as in battery at zero, won't even boot. Windows would never do this, unless you went out of your way to config power management to kill the battery (even then, to really kill it you have to boot to BIOS and let it sit, Windows will not let a battery get to zero).

There's no way even possible via the GUI to config power management for things like low/critical battery conditions/actions.

There are many reasons why Linux doesn't compete with Windows on the desktop - this is just one glaring one.

Now let's look at Office. Open an Excel spreadsheet with tables in any app other than excel. Tables are something that's just a given in excel, takes 10 seconds to setup, and you get automatic sorting and filtering, with near-zero effort. No, I'm not setting up a DB in an open-source competitor to Access. That's just too much effort for simple sorting and filtering tasks, and isn't realistically shareable with other people.

Now there's that print monitor that's on by default, and can only be shut up by using a command line. Wtf? In the 21st century?

Networking... Yea, samba works, but how do you clear creds you used one time to connect to a share, even though you didn't say "save creds"? Oh, yea, command line again or go download an app to clear them for you. Smh.

Someone else said it better than me:

Every time I've installed Linux as my main OS (many, many times since I was younger), it gets to an eventual point where every single thing I want to do requires googling around to figure out problems. While it's gotten much better, I always ended up reinstalling Windows or using my work Mac. Like one day I turn it on and the monitor doesn't look right. So I installed twenty things, run some arbitrary collection of commands, and it works.... only it doesn't save my preferences.

So then I need to dig into .bashrc or .bash_profile (is bashrc even running? Hey let me investigate that first for 45 minutes) and get the command to run automatically.. but that doesn't work, so now I can't boot.. so I have to research (on my phone now, since the machine deathscreens me once the OS tries to load) how to fix that... then I am writing config lines for my specific monitor so it can access the native resolution... wait, does the config delimit by spaces, or by tabs?? anyway, it's been four hours, it's 3:00am and I'm like Bryan Cranston in that clip from Malcolm in the Middle where he has a car engine up in the air all because he tried to change a lightbulb.

And then I get a new monitor, and it happens all damn over again. Oh shit, I got a new mouse too, and the drivers aren't supported - great! I finally made it to Friday night and now that I have 12 minutes away from my insane 16 month old, I can't wait to search for some drivers so I can get the cursor acceleration disabled. Or enabled. Or configured? What was I even trying to do again? What led me to this?

I just can't do it anymore. People who understand it more than I will downvote and call me an idiot, but you can all kiss my ass because I refuse to do the computing equivalent of building a radio out of coconuts on a deserted island of ancient Linux forum posts because I want to have Spotify open on startup EVERY time and not just one time. I have tried to get into Linux as a main dev environment since 1997 and I've loved/liked/loathed it, in that order, every single time.

I respect the shit out of the many people who are far, far smarter than me who a) built this stuff, and 2) spend their free time making Windows/Mac stuff work on a Linux environment, but the part of me who liked to experiment with Linux has been shot and killed and left to rot in a ditch along the interstate.

Now I love Linux for my services: Proxmox, UnRAID, TrueNAS, containers for Syncthing, PiHole, Owncloud/NextCloud, CasaOS/Yuno, etc, etc. I even run a few Windows VM's on Linux (Proxmox) because that's better than running Linux VM's of a Windows server.

Linux is brilliant for this stuff. Just not brilliant for a desktop, let alone in a business environment.

Linux doesn't even use a common shell (which is a good thing in its own way), and that's a massive barrier for users.

If it were 40 years ago, maybe Linux would've had a chance to beat MS, even then it would've required settling on a single GUI (which is arguably half of why Windows became a standard, the other half being a common API), a common build (so the same tools/utilities are always available), and a commitment to put usability for the inexperienced user first.

These are what MS did in the 1980's to make Windows attractive to the 3 groups who contend with desktops: developers, business management, end users.

All this without considering the systems management requirements of even an SMB with perhaps a dozen users (let alone an enterprise with tens of thousands).

BearOfaTime ,

I've never had a Windows pc get slow after 6 months... Unless I've beat the snot out of it as I just don't care. But I'm an Admin, user boxes don't usually have such an issue. I have a 10 year old Windows 7 box that's as fast as it was 10 years ago.

But... If you install/uninstall a lot of stuff, over time that can cause issues (because Uninstallers are notoriously lazily compiled - I say this as an app packager of 20+ years.)

I used to say Windows Reg cleaners are snake oil, but on some systems it can really help with the uninstall issue - lots of crap, especially stuff related to context menus, can really slow it down. The only one I've ever recommended is Crap Cleaner - I've seen it revive a test machine that had gotten slow from a billion installs/uninstalls, testing lots of iffy software, etc.

BearOfaTime ,

Disable auto updates.

Damn auto updates being on by default is a terrible design choice.

BearOfaTime ,

Yep, I find booting from off is as fast (and maybe faster) than coming out of hibernation these days. It's definitely more fluid.

My SMB IT friends disable hibernation when they deploy laptops. Users don't reboot enough as it is, hibernation can be problematic, and wastes hard drive space (at least 16 gig, because they don't spec any less)

Is Privacy Worth It? (blog.thenewoil.org)

When I announced I would be closing my communities earlier this year, a curious thing happened: a surprising number of regulars replied with some variation of “I think this is my exit.” While some were specifically talking about Matrix, claiming that mine was the only room they were really active in and therefore they saw no...

BearOfaTime ,

Yes, please link your guide.

This is a major barrier to helping others.

I've run rooted since 2010 because it's my device, there's things I want to do, and now run Lineage/DivestOS or Graphene. But I can't recommend that to friends/family, of course.

I've tried to improve a non-rooted phone, but damn if it isn't a real PITA.

BearOfaTime ,

Excellent - thanks!
