I’ve been doing a lot of traveling recently. Besides my regular work, I also meet up with friends and inevitably am asked to help them with their computers. Keep in mind, I normally don’t do hands-on computer tuning or even deworming. But just as a brain surgeon knows how to set a broken leg, anyone involved in deep computer security knows how to tune preferences and apply patches. In addition, I find it fascinating to see how non-techies use their computers.
Person #1: Self-Inflicted Wounds
The first person I assisted was someone who I swore long ago to never assist. Why? Because things always go wrong on his computer. He seems to get a new computer virus every few months. He frequently responds to spam messages, and he can’t stop clicking on popup ads. The problem is blame: if you touched his computer recently, then the next problem is your fault — even if it isn’t your fault.
Although I repeatedly stated that I’d never touch his computer, I did take pity on his non-technical wife. Her job was to provide tech support since none of his friends want to assist him. While I didn’t touch the computer, I did talk her through how to make sure the latest patches were applied and how to turn off Microsoft’s “personalized” recommendations and ads. These led to two problems.
First, I have no problem with him having his own political beliefs. The guy has always leaned far right. However, Microsoft’s ads and customized recommendations clearly noticed this and were driving him much further to the right. At his wife’s request, I showed her how to turn off the customized recommendations in the start menu, in the bottom search bar, in the browser, etc. Immediately his wife noticed that the computer was running much faster.
Second, we used Microsoft Windows 11 to “Check for Updates”. Oddly, it was just hanging and not returning anything. After digging through logs, we noticed that he had installed MalwareBytes Antivirus. Twenty years ago, MalwareBytes was a good-enough AV system. However, today it lacks many of the advanced protection features found in other AV systems. (In my opinion, you’re better off using the default Windows Defender on Windows 11 than using MalwareBytes. Or better yet, switch to Norton or Sophos.) Moreover, Google found over 4 million results for “malwarebytes blocking windows update“. It turns out, this is a known problem. We turned off MalwareBytes and immediately saw a long list of necessary and critical OS patches. It took nearly an hour and three reboots to bring the system up to the current patch level. (I don’t think the computer had been patched in years.)
Let me say this very clearly: If your antivirus is blocking critical OS updates, then it’s not helping you.
With MalwareBytes disabled, the default Windows Defender AV system kicked on. We did a deep scan and everything was clean.
Finally, we looked at the startup applications. He had Spotify running. It started at boot and always ran, playing some political propaganda stream. According to his wife, he usually had the speakers turned off because he couldn’t figure out how to stop Spotify. I talked her through how to switch it from “always run” to “manual” (starts when needed). Again, the computer seemed much faster.
When I left there, everything was working well. His wife was pleased. And even the computer’s owner said that it was much faster. He also noticed that some of the “clutter” (ads and recommendations) were happily gone.
This happiness lasted about 2 weeks. Then he called up furious that he had a virus and he blamed me. What we were able to piece together:
Windows hit a Patch Tuesday and wanted him to reboot. He didn’t want to reboot, so he (very non-technical) tried to back out the patch. (Oh no…)
In doing so, he somehow also turned off Windows Defender.
Then he wanted to open an attachment from one of his far-right emails. “This program is from an unknown source, do you trust it?” YES! “This wants to access the hard drive, let it?” YES! “This wants to access your contact list, let it?” YES! “This needs to access the network, let it?” YES! He didn’t know what all of the prompts were, so he just kept clicking YES, YES, YES until it installed.
That’s right, he did all of the necessary steps for installing malware: he avoided security patches, he disabled his antivirus, and he approved every permission prompt.
Honestly, some people just can’t be helped. Since I’m not able to drop everything and drive a few hundred miles to help him, I suggested that he take the computer to Best Buy’s Geek Squad since, if they can’t fix the OS, then they can probably help him buy a new computer. (To reiterate: I’m never touching his computer again, even if his family begs me to help. No matter what you do to deter malware, a determined user can always find a way to self-infect.)
Person #2: Technical Enough
One of the people I visited isn’t a techie, but is very computer literate. (And having hung around me, this person knows enough about computer security to have developed some very good habits.) Again, I started with applying system patches. (Good news: The OS was up to date!) However, the web browsers (Firefox and Chrome) were behind by a couple of updates.
It turns out, having browsers update often isn’t always a good thing. Users get burnt out after too many updates. And frankly, I can see why. If it isn’t the OS, Chrome, or Firefox wanting an update, then it’s Adobe, Word, or something else. On Windows, there isn’t a centralized update method; every application manages its own updates. As a result, there’s always something that wants to be updated. You can easily spend more time doing updates than doing actual work.
Adding to this problem is a lack of convenience. Most programs check for updates when they first start up and then want to install any updates. However, we start the program because we want to start work. Some updates may take minutes or require a system reboot. We don’t want to wait for an update to complete before writing or drawing or looking something up. This is a big reason why updates are often skipped. As Person #2 remarked to me, “Why can’t it ask me to apply updates when I’m done?”
Windows 10 and 11 are getting better at the convenience issue. They often try to reboot after work hours. (I occasionally enter my office and notice that the Windows computer rebooted itself overnight.) However, Windows displays an annoying popup that asks if you want to “Reboot now or later?” I’m working now — why are you bothering me with a popup?
While Windows tries to be convenient, other programs are not as considerate. On Linux, I’ve had web browsers crash on me because ‘snap’ did an update and I didn’t restart the browser fast enough. (If Chromium on Linux tells you to restart the browser, then it’s best to drop everything and restart immediately.)
Person #3: Remote Support
I and one other person often provide remote support for one of my non-technical friends. We have a small Linux box sitting inside their firewall. Either of us can use secure shell (ssh) to log into it and then tunnel VNC to the user’s desktop. This is a simple way to provide “remote hands” support.
For this user, I often respond to inquiries for simple tasks. The most common request is “I forgot how to attach a file to an email.” The tiny paperclip icon is too small for their bad eyes to see and it isn’t intuitive for this person. (This is a usability failure, not a user-education issue.) Another request is about directories: “Where did it save the file?” With browsers, downloads go into the download directory, but a “save” from the scanner or word processor goes into whatever directory was last accessed. On Windows, the “last accessed” directory is usually a bad default. It doesn’t take much effort to remotely log in and point out the attachment button or help them navigate to the folder containing their document.
Using my remote access, I’ve already disabled all of the personalized ads and recommendations. (This user doesn’t do anything with Xbox games. Why does Windows require Xbox to be enabled?) However, as a remote user, I never noticed something that was really obvious the first time I sat at the keyboard: the computer was slow. When accessing it over the network, I just assumed that any delays were due to the network. Nope — it was really the computer. The hard drive was constantly grinding.
While visiting in person, I went over the system settings and startup applications. As far as I could tell, Adobe, the AV, and some other apps were looking for updates. Two of the processes were causing an update loop: one checks for updates and the other thinks something changed. Then the second process checks for whatever changed and the first process thinks it needs to check the system again. This was a loop due to battling update systems.
I changed the Adobe and Chrome “check for updates” background programs from automatic to manual. This broke the loop. (Both still check for updates when you run each program. But they no longer check for updates all the time in the background.) Suddenly the computer was significantly faster and the grinding on the hard drive stopped.
While people in the computer security field usually don’t have these problems, I saw at least one problem on every single non-technical user’s system: constant updates, series of prompts, and software that — even with constant update checks — was not being updated. In my opinion, this isn’t a user-problem. The bad default settings and constant update checks were design decisions that result in usability issues.
Because of these issues, the software was teaching users the wrong things:
Too many updates? Users learn to not update right now, often delaying updates for weeks or longer. Worse: Some applications can block updates. (Poof! The problem of too many updates has stopped! Of course, this makes you infinitely less secure.) And at least one user decided to forcefully back out an essential update.
In my opinion, the correct solution would be for Windows to provide a central update scheduler rather than requiring every application to manage updates independently. Even if it checks daily, at least it isn’t constantly checking. (Of course, standardizing this would require a significant development effort, as well as a specification like an IETF RFC or something from ISO.)
Too many prompts? This trains users to always select “yes”. Perhaps it would be better to have one prompt that lists all of the required permissions: “This application requires hard drive access, access to your contact list, and network access.” This is what Android and iOS do. If developers don’t declare permission up front, then they don’t get the permissions. Some permission combinations could even trigger a warning, such as “These access privileges are commonly requested by computer viruses. Are you sure you want to install it?” Or maybe alternate yes/no responses to break the “yes, yes, yes” pattern. A really smart system could force a sandbox until after the program is used a few times in order to establish an access pattern.
In any case, prompt after prompt after prompt, where “yes” means “enable it”, is just a fast way to train users how to install malware.
Having built-in ads and “personalized recommendations” as a feature in the operating system may be a good way for Microsoft to generate revenue, but it leads to insecurity. Users can’t distinguish between spam/malware and an OS “feature”. At best, users get annoyed and figure out how to turn it off. At worst, they end up installing malware because they can’t tell the difference between an OS-provided ad and a virus ad.
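To make the "too many prompts" suggestion concrete, here is an added sketch (not code from any real operating system) of a single up-front prompt built from declared permissions, with a warning for a risky combination and no runtime prompts for anything undeclared. The permission names, the risk rule, and the function and class names are all hypothetical.

```python
# Added illustration; permission names and the risk rule are assumptions.
LABELS = {  # order here is the order used in the prompt text
    "disk": "hard drive access",
    "contacts": "access to your contact list",
    "network": "network access",
}

# Constructed rule: reading private data plus a way to send it elsewhere.
RISKY_COMBOS = [frozenset({"contacts", "network"})]

WARNING = ("These access privileges are commonly requested by computer "
           "viruses. Are you sure you want to install it?")


def join_labels(perms):
    """Render the declared permissions as one readable phrase."""
    names = [LABELS[p] for p in sorted(perms, key=list(LABELS).index)]
    if not names:
        return "no special access"
    if len(names) <= 2:
        return " and ".join(names)
    return ", ".join(names[:-1]) + ", and " + names[-1]


def install_prompt(declared):
    """Build the one and only prompt the user sees, at install time."""
    declared = set(declared)
    unknown = declared - set(LABELS)
    if unknown:
        # Refuse manifests that ask for something the OS cannot explain.
        raise ValueError(f"undeclared permission type: {sorted(unknown)}")
    lines = [f"This application requires {join_labels(declared)}."]
    if any(combo <= declared for combo in RISKY_COMBOS):
        lines.append(WARNING)
    else:
        lines.append("Install? [y/N]")  # default answer is "no"
    return "\n".join(lines)


class InstalledApp:
    """Runtime view: only permissions declared and approved are granted."""

    def __init__(self, declared, approved):
        self.granted = frozenset(declared) if approved else frozenset()

    def request(self, perm):
        # No second prompt: an undeclared permission is simply denied.
        return perm in self.granted
```

Because nothing is asked at run time, there is no stream of dialogs for the user to learn to click through.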
However, there’s one more issue that keeps going around in my head. It takes power and bandwidth to constantly check for updates. Each time I turned things off, the computers became noticeably faster. Extra computational power may result in only a few cents per week of electrical power, but that really adds up when you consider that there are millions of computers all doing these same scans, update checks, and hard drive grinding. I have to wonder how much this extra power, excess bandwidth use, and increased costs for power consumption (both by home computers and the backbone providers) could be reduced if every computer just checked for updates periodically and didn’t deal with constant real-time personalized ads. Besides reducing user frustration, it could save money, reduce power needs, and have a real impact on the environment.