Serious Discussion If you had ONE afternoon to “harden” a non-tech relative’s PC, what would you install (if anything)?

[LinuxFan58]

4) AI and “reuse knowledge” vs “creative knowledge”
AI will absolutely make “reuse knowledge” easier to access (configs, checklists, scripts, hardening guidance). But it won’t remove the need for judgment, because:

• AI can confidently suggest settings that are obsolete, distro-specific, or conflict with your environment.
• AI often can’t see your real system state unless you provide logs/configs (and even then, it can miss context).
• Hardening is trade-offs; someone still has to decide what breakage is acceptable for the user.

So the value shifts from “knowing every setting by memory” to “knowing what to verify, what to prioritize, and how to keep usability intact.”

The learning paradigm shifted from knowing (from memory) to finding and applying in the nineties of the previous century. You are right that it shifts from finding (on the internet) to verifying AI results. But the same article observed some interesting things. In knowledge (resue) intensive industries, companies are not replacing (sometimes even firing) their medium level employees, because (cheaper) juniors using AI provide the same level of professional output (and often faster). Those knowledge intensive industries use their seniors to verify the output (on AI-hallucinations for example). But what will happen over 10 years?

The seniors will retire. Who will verify the AI outcomes? Not the aged junior's, because they simply lack the knowledge. Not the aged medium level professionals, because they are fired? Who will sanitize the AI-outcomes?

 

[Bot]

The learning paradigm shifted from knowing (from memory) to finding and applying in the nineties of the previous century. You got that it shifts from finding (on the internet) to verifying AI results. But the same article observed some interesting things. In knowledge (resue) intensive industries, companies are not replacing (sometimes even firing) their medium level employees, because (cheaper) juniors using AI provide the same level of professional output (and often faster). Those knowledge intensive industries use their seniors to verify the output (on AI-hallucinations for example). But what will happen over 10 years?

The seniors will retire. Who will verify the AI outcomes? Not the aged junior's, because they simply lack the knowledge. Not the aged medium level professionals, because they are fired? Who will sanitize the AI-outcomes?

You’re describing a real risk: “verification capacity collapse”

If organizations systematically replace mid-level “doers” with juniors+AI, while relying on a shrinking pool of seniors to validate, they can end up with a pipeline that produces output but slowly loses the ability to judge whether it’s correct, safe, compliant, or robust. That’s not just an HR issue—it becomes an operational and security risk (quietly wrong decisions, brittle systems, unnoticed gaps).

What likely happens over ~10 years (several plausible paths)

1) A new role becomes the “middle layer” (not eliminated, just reshaped)
Many “mid-level” functions don’t disappear; they morph into:

• AI output verification (testing, code review, threat modeling, validation against requirements)
• Integration work (connecting systems, handling edge cases, reliability)
• Governance/compliance (audit trails, data handling, model risk management)

In other words, the mid-level tier may re-emerge as “validators/integrators” even if companies try to remove it.

2) Some companies do deskill and then pay for it
In environments where correctness is critical (security, finance, healthcare, infrastructure), an extended period of “good enough” AI output can hide accumulating mistakes:

• Security hardening recommendations that are context-wrong (breaks logging, weakens isolation, opens ports)
• Policy/procedure drift (nobody truly understands why controls exist)
• Dependency risk blind spots (supply chain issues, build/release integrity)

Eventually incidents force a correction: rehiring expertise, rebuilding practices, and adding stronger controls.

3) Verification becomes partially automated—via tests, not trust
The durable way to “sanitize AI outcomes” is not human memory alone, but engineering the environment so claims are cheap to verify:

• Automated test suites and regression tests
• Policy-as-code / compliance-as-code checks
• Static analysis, SAST/DAST, SBOM and dependency scanning
• Reproducible builds and signed artifacts
• Security baselines (CIS-style benchmarks) enforced via configuration management

This doesn’t remove the need for experts, but it reduces the amount of expert time needed per decision.

Who verifies when seniors retire? (the uncomfortable but realistic answer)
If a company does nothing, the verifier role doesn’t magically get filled. The likely outcomes are:

• Quality declines and risk increases until there’s a visible failure (breach, outage, regulatory hit)
• Verification gets outsourced (consultancies, auditors, managed security providers)
• Regulators/insurers force stronger assurance (documented controls, audits, evidence)
• The company rebuilds an internal apprenticeship pipeline (because the alternative becomes too expensive)

So the “aged juniors can’t verify” problem is real unless the organization deliberately trains them into verifiers, or replaces ad-hoc verification with evidence-driven verification (tests, monitoring, audits).

What prevents the “no one can verify” failure mode
The organizations that avoid the trap usually do most of the following:

• Keep a ladder: juniors are expected to become mid-level validators, not stay prompt-operators.
• Institutionalize knowledge: runbooks, decision records, threat models, postmortems, architecture docs.
• Require evidence: “show the test, the scan, the config diff, the benchmark result,” not “the model said so.”
• Create review culture: peer review is normal; “two-person rule” for high-risk changes.
• Measure outcomes: defect rates, incident rates, escape rates, time-to-detect, time-to-remediate.

Bottom line
If companies treat AI as a way to delete the middle and “rent” senior verification until retirement, they will eventually face a verification vacuum. The sustainable path is to convert verification into an evidence-driven process (tests, controls, audits) and to intentionally grow juniors into competent validators.

If you want to steer the thread forward on MalwareTips, the most constructive next step is to frame this in security terms: “AI increases throughput, so assurance must shift from trust to evidence,” and list concrete assurance mechanisms (testing, scanning, SBOM, reproducible builds, policy-as-code) as the way to keep systems safe even when human expertise turns over.

 

[LinuxFan58]

That same article also desbribed that reshaping of the middle role (your first point) is not happening or likely to happen in the near future. Simply a matter of money. Companies investing in reshaping middle functions will have higher costs (as long as the seniors are available). With AI the value of reuse knowledge also has reduced leading to lower tariffs (no company is willing to pay Bazang his 375 dollar hour tariff anymore) and a race to the bottom will happen and CEO's will have bigger fish to fry than being concerned about mid-level professionals.

For the coming years point 1 is not going to happen. Only after the incidents you described in point 2 cause real (financial) problems/disaster society will reestablish some form of AI-validation. To bring the topic back to security. Just cross our fingers that it is not to late, remember Skynet ?

The author of that article? It is me (I officially retire in januari 2026 and was asked to write an article on the impact of AI for my company and present it at new years meeting), I will keep you posted. Thanks @Bot for the discussion rehearsal

We agree on the actions needed to avoid the "verification failure"

 

[Andy Ful]

Where Linux can be safer in practice for a typical relative is when you keep it boring:

• Install software from the distro’s repositories (or a well-known store like Flatpak/Snap) rather than random downloads.
• Use a standard user account for daily work.
• Auto security updates (or at least unattended security updates).
• Minimal attack surface: browser + a few apps.

That’s exactly the “Lubuntu on old laptop used as a web appliance” success story described earlier—low complexity, low risk, low maintenance.

That is the core of Linux security, and it can also be recovered on Windows machines.
In a home environment, a Linux machine is similarly secure to a tightly hardened Windows machine without a hardened web browser.
Of course, it does not mean that both have the same attack surface, but rather that almost all successful attacks will occur within a web browser.
Almost all attacks on Linux machines via exploits/payloads are related to Linux servers, rather than home machines.

2) “Linux is only safe because it’s not targeted” — partly true, but incomplete
It’s fair to say Linux desktop is generally a smaller target than Windows desktop for mass malware. That reduces opportunistic attacks, but it doesn’t eliminate:

• phishing/social engineering (OS-agnostic)
• browser exploits (OS-agnostic)
• malicious extensions (OS-agnostic)
  (...)

So “less targeted” helps, but “security by low market share” shouldn’t be your only plan.

Linux "less targeted", is far better in the above three cases. Even if the initial phase is OS-agnostic (web browser dependent), in most cases, the payloads are OS-dependent. For example, most ClickFix attacks on compromised websites will fail (so far) because they are mainly prepared for Windows machines.
However, the inside-webbrowser attacks are mainly OS-agnostic and equally dangerous for Linux and Windows machines.

 

[Bot]

That is the core of Linux security, and it can also be recovered on Windows machines.
In a home environment, a Linux machine is similarly secure to a tightly hardened Windows machine without a hardened web browser.
Of course, it does not mean that both have the same attack surface, but rather that almost all successful attacks will occur within a web browser.
Almost all attacks on Linux machines via exploits/payloads are related to Linux servers, rather than home machines.

You’re largely right for a typical home threat model: you can reproduce the “boring, repo-only, least-privilege” security posture on Windows, and for most non-targeted users the browser + credentials are the dominant risk.

Where I agree

• Most real-world home compromises start with web content or web-delivered social engineering: phishing, fake updates, malicious ads, drive-by chains, malicious extensions, “support” scams, and credential theft.
• Linux desktop is usually not where the bulk of exploit/payload engineering goes; lots of Linux exploitation is economically focused on servers (exposed services, weak SSH hygiene, old web stacks, misconfigurations).
• Windows can be configured so software installation is constrained and privilege is limited (i.e., closer to “install from trusted sources only”).

Where I’d add nuance
Even at home, “almost all successful attacks occur within a web browser” is directionally true, but it’s easy to undercount adjacent vectors that are still very common and often enabled by the browser event:

• Credential theft (phishing, OAuth consent scams, token/session theft) often matters more than OS exploitation. The “attack” may never need to break out of the browser if the goal is email/banking/social accounts.
• Malicious downloads and user execution: the browser is just the delivery channel; the compromise happens when the user runs something (Windows) or curls/pipes scripts / installs untrusted packages (Linux).
• Remote access & exposure: RDP/AnyDesk/TeamViewer misuse, router compromise, exposed NAS, poor Wi‑Fi security—these are not “browser exploits,” but they’re common in home incidents.
• Supply chain can bite both: malicious extensions, trojanized installers, compromised upstream packages, or shady third-party repos/PPAs.

How to “recover the Linux core” on Windows (home-friendly version)
If the goal is “keep it boring and hard to mess up,” these are the practical equivalents:

• Standard user account for daily use (admin only when needed).
• Patch discipline: Windows Update + browser auto-updates + keep common runtimes updated (or remove what you don’t need).
• Constrain installs to trusted sources: Microsoft Store where possible; otherwise reputable vendors only. Avoid “driver updater”/bundleware ecosystems.
• Keep Microsoft Defender + SmartScreen on (and don’t “tune” it into silence).
• Basic ransomware resistance: Controlled Folder Access (if it fits the user) + offline/immutable backups.
• Browser hygiene: auto-updates, minimal extensions, reputable ad/script blocking, separate profiles for risky browsing, and strong password manager + 2FA.

Bottom line
For home users, OS choice matters less than installation discipline, least privilege, patching, and browser/credential hygiene. Linux desktop and a well-configured Windows box can both be “secure enough” for many relatives—most losses still come from account compromise and social engineering rather than kernel-grade exploitation.

If you want to advance the thread constructively, the strongest security framing is: “Treat the browser + identity as the primary security boundary, and treat software installation as a controlled process.”

Linux "less targeted", is far better in the above three cases. Even if the initial phase is OS-agnostic (web browser dependent), in most cases, the payloads are OS-dependent. For example, most ClickFix attacks on compromised websites will fail (so far) because they are mainly prepared for Windows machines.
However, the inside-webbrowser attacks are mainly OS-agnostic and equally dangerous for Linux and Windows machines.

You’re correct that many web-delivered attack chains become OS-dependent at the “execution” step.

What “less targeted” really buys Linux (today)

• A lot of large-scale malicious web campaigns still optimize for Windows-native execution paths (PowerShell, mshta, LOLBins, etc.), so the exact same “do this fix” flow often won’t translate cleanly to a Linux desktop user. That can reduce opportunistic hit-rate on Linux endpoints in the wild.
• However, that advantage is shrinking: ClickFix-style lures are explicitly designed to be adaptable, and recent reporting shows OS-aware instructions and payloads being served for macOS and Linux too (i.e., “open Terminal and paste this command”). ([news.backbox.org](https://news.backbox.org/2025/11/12/clickfix-explosion-cross-platform-social-engineering-turns-users-into-malware-installers/?utm_source=openai))

Important nuance: “inside the browser” vs “delivered by the browser”
Two different categories get mixed together:

• Browser exploit / renderer sandbox escape: closer to what you called “inside-webbrowser attacks.” These tend to be more OS-agnostic in the early stages, but still usually need OS-specific components to achieve persistence or deeper compromise. Your “equally dangerous” point is reasonable at the user level because the impact (account takeover, malware install) can be similar across OSes.
• Social engineering that uses the browser as the stage (ClickFix is mainly this): the browser shows the instructions; the user executes the OS-specific command outside the browser (Run dialog, Terminal, PowerShell). That’s inherently OS-dependent at the payload step. ([news.backbox.org](https://news.backbox.org/2025/11/12/clickfix-explosion-cross-platform-social-engineering-turns-users-into-malware-installers/?utm_source=openai))

Security takeaway for both Windows and Linux home users
The most “cost-effective” defense against ClickFix-type compromises is still behavioral + policy:

• Never paste commands from a website into PowerShell/Run/Terminal “to fix a CAPTCHA / update / verification.”
• Keep a minimal extension set and avoid “random helper” extensions.
• Use standard (non-admin) accounts daily, so a bad decision has less blast radius.

So yes: Linux “less targeted” can help against Windows-prepared payloads, but it’s not a guarantee, and OS-aware social engineering is already eroding that advantage. ([esecurityplanet.com](https://www.esecurityplanet.com/threats/clickfix-malware-evolves-with-multi-os-support-and-video-tutorials/?utm_source=openai))

 

[Andy Ful]

Where I’d add nuance
Even at home, “almost all successful attacks occur within a web browser” is directionally true, but it’s easy to undercount adjacent vectors that are still very common and often enabled by the browser event:

• Credential theft (phishing, OAuth consent scams, token/session theft) often matters more than OS exploitation. The “attack” may never need to break out of the browser if the goal is email/banking/social accounts.
• Malicious downloads and user execution: the browser is just the delivery channel; the compromise happens when the user runs something (Windows) or curls/pipes scripts / installs untrusted packages (Linux).
• Remote access & exposure: RDP/AnyDesk/TeamViewer misuse, router compromise, exposed NAS, poor Wi‑Fi security—these are not “browser exploits,” but they’re common in home incidents.
• Supply chain can bite both: malicious extensions, trojanized installers, compromised upstream packages, or shady third-party repos/PPAs.

You did not fully understand my post. I mentioned that the inside-webbrowser attacks (those that do not break out of the web browser) are equally dangerous for Linux and Windows users. The other three factors (Malicious downloads, Remote access & exposure, Supply chain) are far less dangerous for Linux users, because in most cases, they are prepared for Windows users. So yes, in rare cases, Linux users can still be infected.

How to “recover the Linux core” on Windows (home-friendly version)
If the goal is “keep it boring and hard to mess up,” these are the practical equivalents:

• Standard user account for daily use (admin only when needed).
• Patch discipline: Windows Update + browser auto-updates + keep common runtimes updated (or remove what you don’t need).
• Constrain installs to trusted sources: Microsoft Store where possible; otherwise reputable vendors only. Avoid “driver updater”/bundleware ecosystems.
• Keep Microsoft Defender + SmartScreen on (and don’t “tune” it into silence).
• Basic ransomware resistance: Controlled Folder Access (if it fits the user) + offline/immutable backups.
• Browser hygiene: auto-updates, minimal extensions, reputable ad/script blocking, separate profiles for risky browsing, and strong password manager + 2FA.

This will not recover the Linux security Level on Windows. For example, the ClickFix attack (47% of initial attack methods) can often bypass all the above hardening. I noticed your additional notes about ClickFix, but most Windows users are not so well-informed to be prepared for such attacks.

What “less targeted” really buys Linux (today)

• A lot of large-scale malicious web campaigns still optimize for Windows-native execution paths (PowerShell, mshta, LOLBins, etc.), so the exact same “do this fix” flow often won’t translate cleanly to a Linux desktop user. That can reduce opportunistic hit-rate on Linux endpoints in the wild.
• However, that advantage is shrinking: ClickFix-style lures are explicitly designed to be adaptable, and recent reporting shows OS-aware instructions and payloads being served for macOS and Linux too (i.e., “open Terminal and paste this command”). ([news.backbox.org](https://news.backbox.org/2025/11/12/clickfix-explosion-cross-platform-social-engineering-turns-users-into-malware-installers/?utm_source=openai))

Agree. However, the chance of being infected in this way will always be far smaller on Linux, until it is far less popular than Windows.

 

[Bot]

You did not fully understand my post. I mentioned that the inside-webbrowser attacks (those that do not break out of the web browser) are equally dangerous for Linux and Windows users. The other three factors (Malicious downloads, Remote access & exposure, Supply chain) are far less dangerous for Linux users, because in most cases, they are prepared for Windows users. So yes, in rare cases, Linux users can still be infected.

You’re right—I conflated two different things.

Restating your point accurately

• In-browser / “no breakout” attacks (phishing, credential theft, OAuth consent scams, malicious web apps, session hijacking, fake login portals) are largely OS-agnostic, so Linux and Windows home users are equally exposed in terms of account takeover and fraud.
• Post-browser stages (malicious downloads/execution, remote access tooling misuse, many commodity payloads, some supply-chain paths) are often Windows-optimized, so a lot of mass campaigns will simply “fit” Windows better and fail more often on Linux desktops.

That framing is reasonable for typical consumer threat activity.

Nuance worth keeping (so the thread stays accurate)
Even though Linux is often “less affected” by commodity Windows payloads, I wouldn’t call the other vectors categorically “far less dangerous” across the board—more like “lower hit-rate from mainstream Windows-focused crimeware,” because:

• Malicious downloads: Windows EXE/MSI payloads won’t run on Linux, so many opportunistic infections fail. But Linux-targeting via shell scripts, malicious AppImages, trojanized deb/rpm packages, or “paste this curl|bash” lures still happens (just less common for home users).
• Remote access & exposure: the “classic” RDP brute-force story is Windows-heavy, yes. But home Linux users can still be hit via router compromise, exposed SSH, weak passwords, or installing remote support tools. Lower frequency, not zero.
• Supply chain: Windows has a huge ecosystem of third-party installers and update utilities (a common infection path). Linux’s “repo-first” model reduces that significantly if the user sticks to official repos. But the risk returns if users add random PPAs/third-party repos or run scripts from the web.

Security conclusion in your terms

• If the threat is account takeover / fraud via the browser: Linux and Windows are in the same danger zone.
• If the threat is commodity malware payload execution: Linux desktop generally gets a “free reduction” in exposure because so much is Windows-shaped.
• Linux can still be infected, but for home users it’s typically less common and more dependent on risky behavior (third-party repos, scripts, insecure remote exposure).

That’s the most accurate way to express what you meant without overstating it.

This will not recover the Linux security Level on Windows. For example, the ClickFix attack (47% of initial attack methods) can often bypass all the above hardening. I noticed your additional notes about ClickFix, but most Windows users are not so well-informed to be prepared for such attacks.

You’re correct about the practical problem: the “Linux-like” posture isn’t just *a list of toggles*—it’s a workflow model (repo-first installs + low execution freedom) and a user-behavior model. Windows hardening that doesn’t materially reduce “user can execute arbitrary commands/binaries” won’t stop ClickFix-style social engineering reliably.

Also, I can’t verify the “47% of initial attack methods” figure from what you’ve provided here; I’ve seen wildly different percentages depending on dataset/time window and what the author counts as “initial access,” so I wouldn’t anchor the discussion to a single number without a source.

Why ClickFix can bypass the “basic Windows hardening” list
Most ClickFix variants succeed because they:

• Don’t need an exploit.
• Don’t need to drop a traditional “known-bad” file up front.
• Turn the user into the installer (PowerShell/Run dialog/mshta/rundll32/script hosts), often using legitimate Windows components.

So Defender + SmartScreen + “be careful what you install” helps, but it’s not equivalent to “software can only come from trusted repos.”

What gets Windows closer to the Linux ‘repo-only’ security model
To approximate that model on Windows, you generally need execution control (allowlisting / policy) more than “AV + updates.”

Low-to-medium friction (good for relatives):

• Use a Standard User account (no local admin) and keep UAC at a strict setting. This alone breaks a lot of “paste-and-own” flows that need elevation/persistence.
• Reduce script host exposure (common ClickFix lanes): disable/limit Windows Script Host where feasible; remove legacy components you don’t need (e.g., PowerShell 2.0).
• Enable Microsoft Defender ASR rules (Attack Surface Reduction) in a conservative set. Some ASR rules specifically target “living-off-the-land” abuse patterns. (This is one of the few built-in controls that meaningfully changes outcomes for these campaigns.)
• Browser isolation where possible: Microsoft Defender Application Guard / isolation features (availability depends on Windows edition and hardware). This helps when the website itself is hostile.

Higher assurance (more like “repo-only”), higher effort:

• Application allowlisting (WDAC or AppLocker): restrict execution to trusted publishers/paths so “random stuff from Downloads/AppData” (and many ClickFix payload drops) simply won’t run.
• Constrained Language Mode (typically paired with allowlisting) to reduce PowerShell’s abuse potential.
• “Default deny” for user-writable locations (common technique via WDAC/AppLocker/SRP patterns): stops a large class of commodity droppers.

Key point for the thread
If the goal is “Linux repo-style safety for non-technical relatives,” Windows can get close only when you add policy-based execution restrictions (allowlisting / default deny) or you choose a Windows mode/profile that effectively does that. Without that, ClickFix remains a “user-in-the-loop installer” problem that basic hardening often won’t catch in time.

Conclusion
Your critique is fair: the earlier checklist is “good hygiene,” but it doesn’t recreate Linux’s biggest practical desktop advantage (controlled software supply + reduced arbitrary execution). To make Windows comparable against ClickFix-class social engineering, you need to move from “detection” to restriction (allowlisting/ASR/script-host reduction) and pair it with a non-admin daily account.

Agree. However, the chance of being infected in this way will always be far smaller on Linux, until it is far less popular than Windows.

Mostly agree (with a couple of important caveats)

For typical home users facing mostly commodity cybercrime, lower desktop market share generally does translate into a lower “background radiation” of Windows-shaped payloads and lures. A lot of campaigns are built around Windows-native execution and persistence methods, so Linux users are less likely to be hit by the exact same mass-delivered tooling.

Caveats worth keeping in the thread so it stays accurate

• “Less popular” reduces mass targeting, not the OS-agnostic part: phishing, credential theft, OAuth consent scams, and malicious extensions remain broadly comparable across OSes because the prize is the account/session, not the kernel.
• Linux can still be a good target in specific niches: developers, admins, crypto users, and people running services (SSH, containers, self-hosted apps) can be targeted because the value is higher, regardless of desktop popularity.
• Behavior can erase the advantage: if a Linux user regularly adds random PPAs/third‑party repos, runs “curl|bash” instructions, or disables security defaults, the “market share safety margin” shrinks fast.

Practical security takeaway
It’s fair to say Linux desktop will likely remain less impacted by many Windows-centric, web-to-payload social engineering chains as long as Windows dominates the consumer endpoint ecosystem. The safest framing is: Linux often has a lower hit-rate for commodity payload execution, but not a fundamentally different exposure to browser-and-identity attacks.

If you want to move the discussion forward, the most useful next step is to separate the threat model into two buckets—account compromise vs endpoint payload execution—because OS choice matters much more in the second bucket than the first.

 

[bazang]

Choosing one OS over another is nothing but something like playing chess with yourself.

Protecting people is not possible with software. Education, instruction and training are the only way and even then, many people cannot get it or will not comply.

What people preach here like is handing a person a rifle and twenty rounds of ammunition and then stating "You can defend yourself!" Meanwhile the enemy has moving landmines that a person cannot do much with a rifle to counter.

The reality, which is confirmed through decades of studies, is that the less that you allow people to do, the more safe online that they are. However, as I have said many times, companies, governments, and people do not care about any of that. Their motives are profit and instant gratification. So the digital ecosystem will ALWAYS prioritize profit and instant gratification over safety and security. Trying to use software to stay safe within that ecosystem is a futile enterprise.

AI is not the answer because so many people out there who are a lot smarter and capable will use AI for malfeasance and malicious purposes. Many have a misplaced hope in AI. The truth of it is that AI will bring incremental societal and world destruction with it. The movies that show the world with 16, 24, 48 billion on it with AI central to everything depict a fallacy.

 

[Divergent]

2) “Linux is only safe because it’s not targeted” — partly true, but incomplete
It’s fair to say Linux desktop is generally a smaller target than Windows desktop for mass malware. That reduces opportunistic attacks, but it doesn’t eliminate:

• phishing/social engineering (OS-agnostic)
• browser exploits (OS-agnostic)
• malicious extensions (OS-agnostic)
• credential theft (OS-agnostic)
• supply-chain compromise (OS-agnostic)

So “less targeted” helps, but “security by low market share” shouldn’t be your only plan.

This right here, is exactly right @Bot . No matter how much you "tweak" settings for any ecosystem if you do not deploy knowledge, being informed you have a problem. Being informed and having safe habits is the only way to combat what you have listed. Even then it's not bullet proof but it certainly lessens the odds.

Being informed consist of reading latest supply chain issues and vulnerability, ongoing phishing and social engineering campaigns, extension vulnerabilities and hijackings. You get the point.

It's like being here at MalwareTips, where when these are discovered all members know about it from a post, and have the knowledge necessary to watch for it. Bring uninformed is the biggest problem period. It does not stop everything, making sure u say that clearly, but it lessens issues drastically.

 

[Bot]

This right here, is exactly right @Bot . No matter how much you "tweak" settings for any ecosystem if you do not deploy knowledge, being informed you have a problem. Being informed and having safe habits is the only way to combat what you have listed. Even then it's not bullet proof but it certainly lessens the odds.

Being informed consist of reading latest supply chain issues and vulnerability, ongoing phishing and social engineering campaigns, extension vulnerabilities and hijackings. You get the point.

It's like being here at MalwareTips, where when these are discovered all members know about it from a post, and have the knowledge necessary to watch for it. Bring uninformed is the biggest problem period. It dies not stop everything, making sure u say that clearly, but it lessens issues drastically.

You’re right about the core dependency: informed behavior beats “tweaks”

Hardening (Windows or Linux) is mostly risk reduction, not immunity. If the user can be convinced to enter credentials into the wrong site, approve an OAuth prompt, install a “fix,” or paste a command, then the “best settings” can be bypassed without any exploit at all.

One key nuance for the thread
Staying informed is valuable, but it doesn’t scale well to most home users. Expecting people to track supply-chain incidents, extension takeovers, and campaign trends is realistic for MalwareTips members, but not for “aunt/sister” users.

So for relatives, the workable strategy is usually:

• Minimum safe habits (a short set they can actually follow consistently)
• Guardrails that reduce the damage when habits fail (standard user, auto-updates, reputable AV, backups, least extensions)
• Fast recovery (good backups + account recovery/2FA), because prevention won’t be perfect

What “minimum safe habits” usually looks like (home-friendly)

• Don’t paste commands from websites into Run/PowerShell/Terminal.
• Don’t install “fixers,” driver updaters, or “security tools” suggested by popups.
• If something claims “your account is locked,” don’t click the link—open the site/app directly.
• Use a password manager + enable 2FA on email (email is the master key).
• Keep browser extensions to a minimum; remove anything not clearly needed.

Why MalwareTips-style awareness helps
Communities like this act as an early-warning system: members share new lures, extension hijacks, and supply-chain events, and that shortens the time between “new abuse” and “people adjusting behavior.” That doesn’t stop everything, but it measurably improves odds.

Bottom line
Education is the foundation, but because education won’t be perfect (and many users won’t track trends), the best practical approach is: simple habits + guardrails + recovery. That combination is what actually moves the needle for real people.

 

[Divergent]

You’re right about the core dependency: informed behavior beats “tweaks”

Hardening (Windows or Linux) is mostly risk reduction, not immunity. If the user can be convinced to enter credentials into the wrong site, approve an OAuth prompt, install a “fix,” or paste a command, then the “best settings” can be bypassed without any exploit at all.

One key nuance for the thread
Staying informed is valuable, but it doesn’t scale well to most home users. Expecting people to track supply-chain incidents, extension takeovers, and campaign trends is realistic for MalwareTips members, but not for “aunt/sister” users.

So for relatives, the workable strategy is usually:

• Minimum safe habits (a short set they can actually follow consistently)
• Guardrails that reduce the damage when habits fail (standard user, auto-updates, reputable AV, backups, least extensions)
• Fast recovery (good backups + account recovery/2FA), because prevention won’t be perfect

What “minimum safe habits” usually looks like (home-friendly)

• Don’t paste commands from websites into Run/PowerShell/Terminal.
• Don’t install “fixers,” driver updaters, or “security tools” suggested by popups.
• If something claims “your account is locked,” don’t click the link—open the site/app directly.
• Use a password manager + enable 2FA on email (email is the master key).
• Keep browser extensions to a minimum; remove anything not clearly needed.

Why MalwareTips-style awareness helps
Communities like this act as an early-warning system: members share new lures, extension hijacks, and supply-chain events, and that shortens the time between “new abuse” and “people adjusting behavior.” That doesn’t stop everything, but it measurably improves odds.

Bottom line
Education is the foundation, but because education won’t be perfect (and many users won’t track trends), the best practical approach is: simple habits + guardrails + recovery. That combination is what actually moves the needle for real people.

Recovery is impractical when their bank account gets zeroed out. If they want to remain safe they will have to drop the lazy routine and learn. Just like they had to learn to drive and be safe. Maybe that's the key. They should mandate licenses to use the Internet, and you have to pass a course to obtain the license. It is a responsibility just like driving no? I mean what they do online when they are careless can effect others correct?

Seriously, this "I don't want to learn" is the problem. Until they have something drastic happen, and hopefully it's not a total loss and they can recover from it.

 

[Bot]

Recovery is impractical when their bank outs get zeroed out. If they want to remain safe they will have to drop the lazy routine and learn. Just like they had to learn to drive and be safe. Maybe that's the key. They should mandate licenses to use the Internet, and you have to pass a course to obtain the license. It is a responsibility just like driving no? I mean what they do online when they are careless can effect others correct?

Seriously, this "I don't want to learn" is the problem. Until they have something drastic happen, and hopefully it's not a total loss and they can recover from it.

You’re right that “recovery” can be too late for certain losses

If the incident is a fraudulent wire, a crypto transfer, gift card loss, or the attacker gets enough access to drain accounts, “restore from backup” doesn’t fix the real damage. In that sense, recovery is not a complete safety net—especially for financial fraud and identity abuse.

That said, there’s still a distinction worth keeping clear:

• Device recovery (reinstall/restore) is often practical.
• Account/financial recovery is hit-or-miss and depends on speed, bank processes, and the scam type.

On “they must learn” — yes, but it has to be teachable and enforceable
I agree with the principle: a baseline of competence matters. The issue is that “learn cybersecurity” is too broad for most people to execute. What works in the real world is mandating/teaching a small set of critical behaviors that prevent the worst-case outcomes (bank drain, email takeover).

A practical “internet driver’s ed” for home users would be something like:

• Email is the master key: protect it with strong unique password + 2FA, and never approve unexpected prompts.
• Never act from the message: for banks/shops/tech support, open the app/site yourself—don’t click the link or call the number in the message.
• Never install or paste commands because a website told you to (covers ClickFix and many “support” scams).
• Understand the irreversibles: wires, crypto, gift cards, remote-access sessions.
• When in doubt: stop and verify with a known-good contact method.

That’s not “become a security researcher,” but it blocks a large share of catastrophic scams.

Internet license like a driving license? Pros/cons (security-focused view)

Pros

• Sets a social norm that online activity has real-world consequences.
• Could reduce harm from the most common scams if the course focuses on a few high-impact rules.
• Might reduce “collateral damage” (compromised accounts spamming/phishing others).

Cons

• Enforcement problem: the internet is global; licensing would be hard to apply uniformly.
• Exclusion risk: it can lock out elderly/low-income/disabled users from essential services.
• False confidence: passing a test doesn’t mean someone won’t be socially engineered later.
• Abuse potential: any “license to access information/services” can be misused for control/censorship depending on jurisdiction.

So I think the “driver’s license” analogy is useful as an argument for mandatory baseline education, but implementing a literal license has serious downsides.

What actually moves the needle without a license
If the goal is preventing “total loss” events, the highest-leverage approach is combining:

• Mandatory friction at the money edge (banks enforcing stronger step-up verification, transfer delays for new payees, limits, better scam warnings)
• Identity hardening (2FA on email/banking, passkeys where available)
• A short, repeatable rule set (the 4–6 behaviors above)

Conclusion
You’re right that “I don’t want to learn” is a major root cause, and some harms aren’t recoverable. The practical answer is not expecting everyone to follow threat intel daily, but requiring a small, standardized set of safety behaviors—like basic road rules—plus bank/identity safeguards that make catastrophic fraud harder even when users slip.

 

[Andy Ful]

Security conclusion in your terms

• If the threat is account takeover / fraud via the browser: Linux and Windows are in the same danger zone.
• If the threat is commodity malware payload execution: Linux desktop generally gets a “free reduction” in exposure because so much is Windows-shaped.
• Linux can still be infected, but for home users it’s typically less common and more dependent on risky behavior (third-party repos, scripts, insecure remote exposure).

That’s the most accurate way to express what you meant without overstating it.

Yes.

Also, I can’t verify the “47% of initial attack methods” figure from what you’ve provided here;

https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=36

Conclusion
Your critique is fair: the earlier checklist is “good hygiene,” but it doesn’t recreate Linux’s biggest practical desktop advantage (controlled software supply + reduced arbitrary execution). To make Windows comparable against ClickFix-class social engineering, you need to move from “detection” to restriction (allowlisting/ASR/script-host reduction) and pair it with a non-admin daily account.

You are welcome.

Mostly agree (with a couple of important caveats)

For typical home users facing mostly commodity cybercrime, lower desktop market share generally does translate into a lower “background radiation” of Windows-shaped payloads and lures. A lot of campaigns are built around Windows-native execution and persistence methods, so Linux users are less likely to be hit by the exact same mass-delivered tooling.

Caveats worth keeping in the thread so it stays accurate

• “Less popular” reduces mass targeting, not the OS-agnostic part: phishing, credential theft, OAuth consent scams, and malicious extensions remain broadly comparable across OSes because the prize is the account/session, not the kernel.
• Linux can still be a good target in specific niches: developers, admins, crypto users, and people running services (SSH, containers, self-hosted apps) can be targeted because the value is higher, regardless of desktop popularity.
• Behavior can erase the advantage: if a Linux user regularly adds random PPAs/third‑party repos, runs “curl|bash” instructions, or disables security defaults, the “market share safety margin” shrinks fast.

 

[Bot]

Yes.

Understood — that’s the clean way to frame it for home users

• Browser/identity threats (phishing, session theft, OAuth scams, malicious extensions) are the big equalizer across Windows and Linux.
• Payload execution and persistence is where Linux desktops often see a lower hit-rate in commodity crimeware, mainly because so much tooling is Windows-focused.

Practical next step for relatives (OS-agnostic)
If someone wants “real-world safety” more than debates about OS, the two highest-impact moves are:

• Lock down the email account (strong unique password + 2FA/passkeys) because it’s the reset key for everything else.
• Adopt one hard rule: never install anything or paste commands because a website/popup told you to; verify via a known-good path (open the bank/app directly, call a known number).

That’s usually a bigger win than switching OSes.

https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=36

Confirmed — the “47%” figure is in Microsoft’s Microsoft Digital Defense Report 2025, and your usage of it is accurate in-context.

What Microsoft is actually measuring
On the “The rise of ClickFix” page, Microsoft says that in Microsoft Defender Experts notifications over the last year, ClickFix was the most common initial access method and accounted for 47% of attacks observed in that channel. ([cdn-dynmedia-1.microsoft.com](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf))

They also break out the “Top initial access methods observed” as:

• ClickFix 47%
• Phishing 35%
• Password spray 10%
• Drive-by compromise and SEO poisoning 7%
• Vulnerability 1%

(With the source noted as “Microsoft Defender Experts notifications.”) ([cdn-dynmedia-1.microsoft.com](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf))

Time window (important for the thread)
The report scope is Microsoft fiscal year 2025: July 1, 2024 – June 30, 2025 (unless otherwise stated). ([cdn-dynmedia-1.microsoft.com](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf))

Why this matters to the “Windows hardening vs Linux model” debate
This supports your point that a lot of modern initial access is user-executed (social engineering), so “turn on updates + AV + SmartScreen” is not equivalent to Linux’s practical advantage of “repo-first + less arbitrary execution.” The metric is also not “all attacks on Earth,” but it’s still a strong data point from Microsoft’s incident-response/notification pipeline. ([cdn-dynmedia-1.microsoft.com](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf))

Conclusion: your “47% ClickFix” reference is correct, and it’s specifically tied to Microsoft Defender Experts notifications in FY2025.

You are welcome.

Thanks for the citation — it strengthens the point materially

Using the Microsoft Digital Defense Report 2025 link keeps the discussion grounded: ClickFix being a leading initial access method (in that Microsoft Defender Experts notification dataset) reinforces that user-driven execution is a primary problem, and that “basic hardening” alone won’t reliably neutralize it.

Practical wrap-up for the thread

• If you can’t change user behavior, the most meaningful Windows countermeasure is restriction (ASR + allowlisting / default-deny patterns), not more “tweaks.”
• If you can change user behavior, the single highest-value training point remains: never paste commands or install tools because a webpage/popup told you to.

That’s the clean takeaway to move the discussion forward.

Got it.

• OS choice can change the hit-rate of commodity payloads, but it doesn’t eliminate the main risks.
• Browser + identity (phishing, session theft, OAuth tricks, malicious extensions) remain the primary battleground on both Windows and Linux.
• Against ClickFix-class attacks, “more tweaks” isn’t the answer—either you improve user habits, or you add restriction/default-deny controls so the user can’t easily execute what the attacker is asking for.

Next step
If you want, paste the exact paragraph(s) you plan to post on the thread and I’ll tighten it into a clear, neutral MalwareTips-style reply (BBCode), without changing your meaning.

 

[Andy Ful]

Protecting people is not possible with software. Education, instruction and training are the only way and even then, many people cannot get it or will not comply.

Yes. Because "many people cannot get it or will not comply", people can still be protected by software in some (imperfect) way.

 

[Divergent]

Yes. Because "many people cannot get it or will not comply", people can still be protected by software in some (imperfect) way.

Yes but we circle back around to lock their systems down, they can not do what they wish, and the trouble starts.

I straight up told a gentleman the other day who has refused for years to learn and keeps having issues, that I was not going to help him anymore unless he agreed to start learning safe habits. At first he fought that but when he realized he wouldn't have the help anymore, he loosened his grip and agreed. I simply said you can spend a little time learning with me or you can pay Bestbuy and accept your losses when the time comes. People not wanting to is a piss poor excuse now days. I refuse to help those that will not help themselves now.

 

[Andy Ful]

It is true that the relative importance of Knowledge (K) to Software (S) can be 90% vs. 10% or higher (10% is standard protection).
This means that when having extensive knowledge about cybersecurity and using it properly, adding more security software or hardening would be pretty much useless. Such a view can follow from the posts of @Divergent and @bazang.

However (as it was mentioned by @bazang), many people cannot get such knowledge or will not comply (for many real-life reasons). For average users, the Knowledge factor is less significant in practice as compared to the Security Software.

When hardening computers of non-tech relatives, we have something like that:
K = 90% ---> 10% (user knowledge) + 80% (home administrator knowledge and app hardening developer knowledge)

So, there is no real contradiction between my and @Divergent's posts.

My advice: Learn/teach as much as you can, and add reasonable security software until it is convenient in daily work.

 

[bazang]

1. Technology alone does not improve anything
2. Digital devices, tools, and security can improve security when aligned with cognitive science
3. The real problem is poor implementation (which means not educating, instructing, and training people)
4. Effective security requires huge, expensive effort (even if the only "spent" resource is time) even at the small scale

Always be Professionally Evil. Harden a relative's system in a way that protects them from themselves and then come up with creative ways to appease them when they complain. Only make fixes if you determine it is absolutely critical. Otherwise, do not do anything.

For some they need a Chromebook without the ability to use the App Store and a few Chrome browser hardening tweaks to block 99.9% of extensions - actually the majority.

For households with young children they need full system hardening to the highest level possible. Even a virtual solution to reset to a known good system state might be a wise choice on top of the full system hardening. Do the parents a favor. Help them out with all of this.

For those with teens and gamers - just run away.

For those who are professionals that use their devices for work - just run away.

For those with dinosaur hardware and no money, then Linux and browser hardening.

For the initiated and inclined, it is rather easy to work with them.

When it comes to mobile phones those are different beasts.

Always choose the lowest aggravation to yourself solution.

This is both professionally ethical and operationally correct given the reality of digital devices, OSes, software, and people.

Either that or "Just Say 'NO!'"

In most cases, the only winning move is not to play.

 

[Zero Knowledge]

These days I would just buy a MacBook Pro, iPad or ChromeBook for a friends or family member and install a adblocker. I wouldn't bother with Windows and Linux.

My advice: Learn/teach as much as you can, and add reasonable security software until it is convenient in daily work.

This is very true, also share your knowledge and help educate other people.

3. The real problem is poor implementation (which means not educating, instructing, and training people)

You nailed it with this statement. This has been the major problem with security software and technology poor implementation in every area.

Over the years there has been many great and very well designed pieces of software, security or hardening techniques but they have been too difficult to follow, use or learn.

We need to design and implement better education campaigns and software that makes a difference and actually inform and educate people with better security hygiene habits.

 

[Miravi]

These days I would just buy a MacBook Pro, iPad or ChromeBook for a friends or family member and install a adblocker. I wouldn't bother with Windows and Linux.



This is very true, also share your knowledge and help educate other people.

You nailed it with this statement. This has been the major problem with security software and technology poor implementation in every area.

Over the years there has been many great and very well designed pieces of software, security or hardening techniques but they have been too difficult to follow, use or learn.

We need to design and implement better education campaigns and software that makes a difference and actually inform and educate people with better security hygiene habits.

I agree that a "walled garden" like the devices you mention is probably the ideal solution for the majority of users with simple needs—browsing the web, document editing, printing, etc. You'll also have an OS perfectly tailored to the hardware.

The less room for error the better. Many people simply won't have the know-how to navigate the numerous pitfalls of Windows or a good Linux distro.