App Bloatware Removal in W10 & W11

@Sky-Knight

Edge cases. And I know for what you're studying that requires knowing about the edgiest of edge cases in depth.

But, in the real world that most users, business, home, or otherwise live in, the things I'm discussing (and you are, too) are not security threats in any meaningful sense. That matters.

Accurate risk assessment looks at the big picture, and that includes focusing on what is even kinda-sorta reasonably probable in a given situation rather than what is remotely possible, but very, very highly unlikely.

Just like I out and out refuse to worry about being hit by a meteorite every time I get out of bed, I refuse to worry about whether I use Segoe UI versus some other font for my desktop icons. It makes zero sense to do either.
 
@Sky-Knight

Edge cases. And I know for what you're studying that requires knowing about the edgiest of edge cases in depth.

But, in the real world that most users, business, home, or otherwise live in, the things I'm discussing (and you are, too) are not security threats in any meaningful sense. That matters.

Accurate risk assessment looks at the big picture, and that includes focusing on what is even kinda-sorta reasonably probable in a given situation rather than what is remotely possible, but very, very highly unlikely.

Just like I out and out refuse to worry about being hit by a meteorite every time I get out of bed, I refuse to worry about whether I use Segoe UI versus some other font for my desktop icons. It makes zero sense to do either.
I'm not studying this... I'm DOING it.

And the font change you mention is an indicator of compromise.

So yeah, the answer is "it depends". But in the case of the font, not so much because it's different, but more so because of when it changed, and what changed it.
 
But in the case of the font, not so much because it's different, but more so because of when it changed, and what changed it.

And what part of, "Changed by me," is unclear?

For the love of heaven, I've been abundantly clear that the changes I've described have ALL been end-user initiated. Stuff that "just happens out of the blue" is a huge red flag, but that's not what I was talking about. To wit:
----
Message #15:

anything that Windows' own UI allows you to tweak

Message #18:

but my (or anyone's) choice of things like themes, desktop icon fonts, etc., do not constitute any reduction in security.

Message #21:

whether I use Segoe UI versus
----

You love to wander down paths that are clearly not the marked ones upon which others are walking.
 
And what part of, "Changed by me," is unclear?

For the love of heaven, I've been abundantly clear that the changes I've described have ALL been end-user initiated. Stuff that "just happens out of the blue" is a huge red flag, but that's not what I was talking about. To wit:
----
Message #15:

anything that Windows' own UI allows you to tweak

Message #18:

but my (or anyone's) choice of things like themes, desktop icon fonts, etc., do not constitute any reduction in security.

Message #21:

whether I use Segoe UI versus
----

You love to wander down paths that are clearly not the marked ones upon which others are walking.

And you seem to be incapable of understanding what it means when this isn't the case, and being able to prove that it was.

It's one of those things that means absolutely nothing, until it means absolutely everything. Yes, this level of inane crap is what we look at to track down system breaches. Which is also how you fight malware in 2023. Nuke and pave gets you back online certainly, but it doesn't stop it from happening again!
 
And you seem to be incapable of understanding what it means when this isn't the case, and being able to prove that it was.

Project much?

I suggest you re-read message
.
To wit: Stuff that "just happens out of the blue" is a huge red flag, but that's not what I was talking about.

You don't get to cherry pick.
 
but my (or anyone's) choice of things like themes, desktop icon fonts, etc., do not constitute any reduction in security.
Wait. What?
This is like saying that if you paint your front door it reduces the strength of the lock fastening it shut!
Or hanging a canary cage from a hook in the ceiling reduces the structural integrity of the house!
 
I can certainly understand the desire to get rid of apps that incessantly popup when the end user doesn't use them at all (I'm looking at you Skype & Teams). I also personally uninstall any stupid game I come across helpfully installed by the latest feature update. Barring that, I'm with the rest of the 'leave it alone' crowd.
 
This is like saying that if you paint your front door it reduces the strength of the lock fastening it shut!
Or hanging a canary cage from a hook in the ceiling reduces the structural integrity of the house!

No, it's not. I suggest you re-read what you quoted. It says the exact opposite.

The color of the paint on the door (analog: choice of theme) has nothing to do with the strength of the lock. The lock's still as strong as ever (security undiminished)
Hanging a canary cage (analog: changing the desktop icon, or window frame fonts) does not reduce the structural integrity of the house (at least if you're using a hook appropriately sized, not one that's too huge).

User chosen options (that is customization) for the UI that is directly supported in that UI's settings does not change security in any meaningful way.

Note: User Chosen. Any sudden and unexpected changes, of any kind, on a computer are red flags that require immediate investigation. User initiated changes don't fall into that category.

Not every blessed thing is tied to security. And muddling what is and what is not helps no one. That's why the blanket statement that customization always compromises security is just plain wrong. In fact, most customization is completely innocuous if it's user initiated.
 
This thread reminds me of the name of one of those tools, pc decrapifier. Never used it.
We only sell business grade computers, of course sometimes come across consumer grade ones, and business class models tend to come with far less bloatware/trial ware installed. If we see trials of some AV product, we'll yank that. I don't see much else on there to pull. Recent exception being, Windows 11 now comes with that "Team Chat"...the lightweight version. I uninstall that, else it sits in the systray for users and will confuse them with full 365 Teams.

On "currently used" computers I do any work on, every time I remote into a client's computer to do something, I always...always...fire up APPWIZ.CPL and look at what's installed. And remove stuff like web players (flash, shockwave, java, quicktime, silverlight), any browser search bars like bing (don't run into google search bar much anymore but older rigs I might). On clients not on AzureAD yet I'll uninstall old versions of Office and make sure on latest. On clients moved to logging into AzureAD I have an InTune policy that yanks any prior versions of Office and paves with latest. (I'm finally catching up on my InTune management notes here...fun thread....lots of peeps here who participate in the 365 realm should join the thread). https://www.technibble.com/forums/t...ions-mem-intune-configuration-profiles.88297/

There are also more modern scripts you can find in reddit and github 'n various places, to "de crapify" computers. However, these days, with modern multi core CPUs and M.2/NVME drives...it's pretty darn fast to nuke 'n pave with a fresh install of winders and then lay on the manufacturers maint tool (Smell Commandless Update, Lenogo disadVantage, HP <huge poop> disAssist :D )...to update drivers 'n BIOS.
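
Added example, not part of the post above and not the poster's own script: a read-only PowerShell pass over the same data APPWIZ.CPL lists, flagging the legacy web players and toolbars the post names. The pattern list, the function name and the CSV file name are assumptions made for illustration; nothing is uninstalled.

```powershell
# Registry locations that back the "Programs and Features" (APPWIZ.CPL) list:
# 64-bit machine-wide, 32-bit machine-wide, and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name patterns (assumed, based on the products named in the post).
# Adjust to your own removal policy.
$legacyPatterns = @(
    'Adobe Flash',
    'Shockwave',
    '^Java\b',        # matches "Java 8 Update ...", "Java(TM) ...", not "JavaScript ..."
    'QuickTime',
    'Silverlight',
    'Toolbar'
)

# Hypothetical helper: returns one object per installed program.
function Get-InstalledProgram {
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            # Skip entries with no display name and hidden system components,
            # which APPWIZ.CPL does not show either.
            Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
    }
}

$installed = Get-InstalledProgram | Sort-Object DisplayName -Unique

# Keep only programs whose name matches at least one legacy pattern.
$flagged = $installed | Where-Object {
    $name = $_.DisplayName
    $legacyPatterns | Where-Object { $name -match $_ }
}

if ($flagged) {
    Write-Output "Legacy software to review on ${env:COMPUTERNAME}:"
    $flagged | Format-Table -AutoSize
} else {
    Write-Output "No legacy web players or toolbars found on ${env:COMPUTERNAME}."
}

# Save the full inventory so the next visit can be compared against this one.
$installed | Export-Csv -Path ".\installed-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Comparing the saved CSV between visits with `Compare-Object` shows what was added or removed since the last check.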
 
No, it's not. I suggest you re-read what you quoted. It says the exact opposite.

The color of the paint on the door (analog: choice of theme) has nothing to do with the strength of the lock. The lock's still as strong as ever (security undiminished)
Hanging a canary cage (analog: changing the desktop icon, or window frame fonts) does not reduce the structural integrity of the house (at least if you're using a hook appropriately sized, not one that's too huge).

User chosen options (that is customization) for the UI that is directly supported in that UI's settings does not change security in any meaningful way.

Note: User Chosen. Any sudden and unexpected changes, of any kind, on a computer are red flags that require immediate investigation. User initiated changes don't fall into that category.

Not every blessed thing is tied to security. And muddling what is and what is not helps no one. That's why the blanket statement that customization always compromises security is just plain wrong. In fact, most customization is completely innocuous if it's user initiated.
I am agreeing with you Brian. I'm disagreeing with the original statement.
Customizing an OS's interface has nothing to do with security.
 
I am agreeing with you Brian. I'm disagreeing with the original statement.

While we are in vehement agreement, the way you quoted what I said, immediately followed by a, "Wait. What?," is far more characteristic of expressing vehement disagreement. That's what threw me. What followed that seemed to me to be a restatement of my position (and was just that), and that was confusing, too after the initial, "Wait. What?."

We are clearly both on the same page on this.
 
So when I say reduction in security, do not constrain yourself to the limitations of what most consider cybersecurity, or information security. I'm talking about security as a raw, wide open concept that encompasses physical, interactive, virtual, network, and anything else you can think of that goes before the word. In this sense it's more akin to the concepts of risk and change and how these factors mold the human behavior around themselves.

In other words, a definition so broad as to be meaningless. When everything is security, nothing is security. This definition is so all encompassing that no one can know where the boundaries lie, and that is the death of security. You need to know what it is you're protecting, and why, to figure out the appropriate how. And that how varies, a very, very great deal, depending on the what and why.

And that's been the biggest flaw in your overall thinking since I arrived here. You always believe that "more is better" and conflate what's necessary for a situation with what might be (or might not be) ideal, but unattainable in practice.
 
"However, some IoT customers may prefer a more security-focused balance for their Windows IoT devices, one that reduces their attack surface to the absolute minimum, and may therefore wish to fully disable all services that are not needed in their specific environments."

I know it's for W10 & W11 IoT, but same principles apply to Home / Pro, if you see fit.
( https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize-your-device/services )
 
In other words, a definition so broad as to be meaningless. When everything is security, nothing is security. This definition is so all encompassing that no one can know where the boundaries lie, and that is the death of security. You need to know what it is you're protecting, and why, to figure out the appropriate how. And that how varies, a very, very great deal, depending on the what and why.

And that's been the biggest flaw in your overall thinking since I arrived here. You always believe that "more is better" and conflate what's necessary for a situation with what might be (or might not be) ideal, but unattainable in practice.

Now you're getting there! And it's not that it's so broad that it's meaningless, it's that the threat landscape has evolved to a point where we just don't know what we need to respond to any given threat.

And you're right for the average home user, this is insanity. The value of the asset being defended isn't sufficient to justify this level of response. That however doesn't mean the definitions I'm using are overly broad, nor that this process lacks value.

The only point I'm trying to make is that yes, user customizations of the OS are part of that user's infosec reality. Because that's just how nuts things have gotten. This is not paint on a front door, unless the front door can run arbitrary code.
 
@Sky-Knight

[T]here are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know.
~ Donald Rumsfeld, then United States Secretary of Defense

All you can deal with, realistically, is "known knowns," and, to the extent possible, mitigating the "known unknowns." You just can't, ever, mitigate "unknown unknowns" because they are completely and utterly unknown at the point in time where analysis and planning is being undertaken. Hence the reason that risk analysis and security planning is cyclic in nature. Revisitation over time is always necessary.

The first two "known" classes are difficult enough to deal with, and even within those classes, there are "probable," "kinda-sorta likely," and "remotely possible, but highly unlikely," subclasses. Focus should always be on the "probable" and "kinda-sorta likely" subclasses when doing an accurate risk assessment and security plan. The remotely possible cannot be ignored, entirely, but it has to be accepted that it's foolhardy to try to defend against the most remotely possible and highly unlikely. The cost-benefit ratio just isn't there.

That's what accurate risk analysis and security planning is really all about, as it emphasizes defending against that which is recognized as most likely to occur as well as at least in the realm of may be likely to occur. It never focuses excessive resources on the remotely possible, but highly unlikely. And that's why I will never be able to accept your approach or definitions, they give far too much weight to the remotely possible but highly unlikely. And unless you're defending an asset or assets that are of insanely high value, that approach just isn't valid or useful. We're right back to:

In the computer security field, we often say that one doesn't need Fort Knox to safeguard a broken bicycle.
~ Glenn Glazer, M.S. ’07 UCLA Security & Cryptography,
April 25, 2019, in Message on Groups.io Beta Group

And if you care to review where that was said, and why, it's in direct response to those who are insisting on spending inordinate resources in defending against the remotely possible but not at all probable.
 
@britechguy It's literally my job to address unknown unknowns.

No, they don't go away but managing them is the core of any mature cybersecurity program. Rumsfeld in this case is an objective idiot, and if I get my military family in on this conversation they'll have even more choice words to use to describe the man. Quoting him does you zero favors, not if you're actually objective.

Everything else you're saying is accurate however. The first step to securing anything is an inventory. You can't secure what you don't know you have. Then once you have a list of things to protect, you then move on to an inventory of potential risks. And so on and so forth. A critical aspect of all of this is keeping an eye on the cost. Because as you've said many times, it doesn't make any sense to secure a bicycle with Fort Knox.

It's far less tech than it is documentation. And the process is never ending, ever evolving, and mercifully heavily automated.

And the SMB / SOHO / Home User group, all need this protection. They need to understand their risks so they can make appropriate decisions. We cannot make these decisions for them. Otherwise how do they know when in their business cycle it makes more sense to do something they haven't done yet?
 
Quoting him does you zero favors, not if you're actually objective.

Actually, it does. I have no love of Donald Rumsfeld, nor of Richard Nixon, but that Rumsfeld quote is widely acknowledged as having great depth and distilling the biggest picture to its essence. It triggered multiple discussions in the ivory towers of academia (with a good synopsis on this wikipedia page: https://en.wikipedia.org/wiki/There_are_unknown_unknowns) but one of the best observations (quote from previously noted wikipedia page) is that there is a 4th category, too: "Psychoanalytic philosopher Slavoj Žižek says that beyond these three categories there is a fourth, the unknown known, that which one intentionally refuses to acknowledge that one knows."

Richard Nixon, also no role model, was prescient in many more ways than one when he observed:
Always remember others may hate you but those who hate you don't win unless you hate them. And then you destroy yourself.

One judges the value of ideas on those ideas themselves, not on the person who uttered them. Even the most facile or loathsome individual may have a moment or moments of great insight.
 
@britechguy I don't disagree, but good luck convincing too many people we should be stealing economics ideas from Nazi Germany.

Which is quite sad because the Weimar Republic was an economic wonder, and we really should be trying to emulate it. Far too few realize the power of that economy that enabled the Nazis to do what they did, and that one is how they got started!

But Rumsfeld? I'll give him the stopped clock being right twice a day treatment on that specific statement but after all the blood on his hands? The willful stupidity? He's very much a victim of the unknown known, much of his own making.
 