>The importance of keeping apps and OSes up to date and avoiding suspicious websites still stands. Unfortunately, neither of those things would have helped the victims hacked by this unknown group.
Disabling Javascript would have helped. You can even use tools like uMatrix to set exceptions per site so you're not exposing yourself to every single site on the internet by default. Though you won't see online news sites suggest this since their revenue is so tied to Javascript being enabled.
The reason why general computing sites don't recommend it is because users won't be happy when they can't sign into their bank or use other websites they wish to use.
The average user doesn't know anything about how sites are constructed. Telling them to use uMatrix is non sensical.
Though that's not to say there's good advice on these kinds of sites.
I've seen a "Windows 10 tips" list from a very popular site telling users that "they don't like being patronised about their own computer" and recommends turning off UAC (Essentially running their account as root)
Or even saying that updating your OS is frustrating so here's how to disable it.
Absolutely dangerous advice but that's the level of general computer sites.
I don't want forced updates when I am working. And many time I have encountered issues like computer not booting. After updates they prompts "Please install our cool new software called edge".
I want security update not the marketing update. So I make a compromise and disable update all together. Why not give linux style update where I can review each and every package.
The reason is that the product is Windows 10 as a whole.
Linux Distros are just bundles of software that make up the operating system.
So if your compromise is that you don't want new Windows 10 updates because they also bundle in new features rather than using an OS like linux, then it'd be your fault if you get hacked via an exploit that was patched in an update.
Then the obvious solution is to make them care. We penalise corporations for financial negligence and failing to take proper precautions and report correctly. We increasingly penalise them for violations of privacy and data protection rules, where similarly they are expected and required to provide adequate infrastructure to comply with the regulatory obligations. If failing to implement reasonable security practices and provide appropriate security updates to users with no strings attached started costing the hardware manufacturers and software developers and resellers the same kinds of penalty per violation as some of the financial or privacy regulations, we'd soon see those security updates universally available without forcing all the unwanted user-hostile changes at the same time.
There isn't law that mandates they split security updates from feature updates.
I'm suggesting that perhaps there should be.
In what other area of consumer protection law does a manufacturer or reseller get to provide a seriously defective product and then refuse to deal with the problem unless the buyer also accepts other changes that might make the product significantly different and possibly in their view significantly worse than the one they chose to buy?
The principle is important here. Your example about Paint 3D is cute, but in reality, there are plenty of other examples where user-hostile software changes have been pushed out after purchase, including those that disabled previously available functionality, reduced privacy, introduced advertising, or dramatically changed the look and feel of the product. People shouldn't be forced to accept these kinds of unwanted retrospective changes to the product they originally chose to buy just to maintain an adequate level of security.
The unpleasant answer is that if you give people linux style updates, every Windows 10 install becomes part of a botnet like the bad old days. No operating system I know of other than Linux actually gives you the option to do updates piecemeal and security is one of the main reasons why.
For the record I hate this, but history has shown that if you don't try your absolute hardest to get security updates installed onto users' machines, they're going to constantly get owned by malicious third parties. Chrome and Firefox aggressively auto-update for the same reason (if you try to manually install old Chrome for testing it'll obliterate itself on next launch!) The vast majority of users simply do not pay attention to security and will not make the right decisions if you offer them choices about updates and security, because they don't have enough knowledge or context to make the right choices.
Not in any real way for most people. It's only available to enterprise accounts, and from what I saw when I worked in IT, Microsoft strongly discourages it's use for normal user desktops.
Thank you for saying that. I'm one of first in 2005/2006 advocating JS rendering in the browser. JS in the browser has really gotten out of hand. I no longer advocate to do everything on the client/browser side. A web site should just work without JS.
Normal websites should absolutely, but actual webapps don't necessarily need to. Modern JS allows for very capable audio, video and 3d web applications inside the browser. The alternative if it wasn't for JS would be to build desktop apps, which would introduce a completely new set of problems and potential security risks.
For sure, audio, video do not need JS to function.
Yes you need JS for 3d webGL, but it also opened another can of worm that allows company to fingerprint GPU pretty much anyone who is not using Safari regardless if you are in incognito mode.
What most web developer don't realize browser was build to be a sandbox to protect you from the world wide web. Seems like the current trend is tear down that sandbox for usability and functions. Which is fine, then advertise that browser with JS enabled pretty much open you all that risk. It should be in the educational to the public as well as the first page of any browser that doesn't sandbox GPU finger printing.
This is true, and web browsers will need better user configuration to control such things, including fine controls to control what exactly a script does. The web developer console is a good start, but it doesn't even start to go far enough at all.
Most should work without JS (and also without CSS too, usually), yes.
Even in the few cases where it is needed, it should be designed to work OK without. I did see once where if JavaScript was disabled, it displayed a link to documentation instead; that is a good idea. (Unfortunately, the documentation didn't work without JavaScript enabled; they should fix that.) If it is accessing data, you can link to the documentation and/or to the data directly, in order to deal with it by yourself, with your own software, if the user wishes to do so. Sometimes the script is used to perform calculations, or automatically convert or render something; you can still add a <noscript> block to just mention what it is, links to source codes, or in some cases (e.g. automatic time zone conversion) just omit that part entirely will do. Simply writing "This page requires JavaScript enabled to work" is worthless; don't do that.
I use F-Droid's Fennec, which has addon-collections re-enabled. Bit of a hassle if you want something that's not yet included in an existing collection, but possible:
Disabling Javascript would have helped. You can even use tools like uMatrix to set exceptions per site so you're not exposing yourself to every single site on the internet by default. Though you won't see online news sites suggest this since their revenue is so tied to Javascript being enabled.