This weekend I spent half a day remediating an elderly relative's Win 11 home laptop. Totally overpowered and overpriced for her needs, it was recommended to her by BestBuy when her old machine was complaining it wasn't compatible with the new MS OS ro...

douglevin@infosec.exchange

This weekend I spent half a day remediating an elderly relative's Win 11 home laptop. Totally overpowered and overpriced for her needs, it was recommended to her by BestBuy when her old machine was complaining it wasn't compatible with the new MS OS rollout

Both her OS and primary email were compromised. The threat actor did not disable Defender but just excluded every important directory from scans. May have also punched a hole in her device firewall for all I could tell.

Only reason she even knew an issue had occured was due to issues with her email. She stopped receiving any emails and we reached out upon recieving what appeared to be a phish from her account. (No link to click in initial message, but an invitation to a longer urgent conversation.)

Turns out they just redirected her email to her outlook account email (which she didn't even know she had, but was generated as part of her Win 11 install). They created a new alias and added some other rules to auto-forward further comms. FWIW, the rogue device attached to her account was coming from a TX location - many states away from us.

No 2FA, no adblocker, no password manager, no understanding of firewalls, what makes a password stronger vs weaker, confused by messages about actions that were computer/browser/OS related.

But look. She's 80+. I only had a few hours to investigate and remediate. I can't change all that and expect her to manage it on her own.

How the f*ck is it possible that an average user can manage this stuff? Why is Win such a trash fire? Can't MSFT make a default config for non-technical home users that is locked down by default? She has literally ZERO chance against threat actors on the modern web.

We in tech have totally lost the plot...

I am NOT looking for advice (just use Linux or w/e). I am venting about shit UI, shit tech co's pushing the next new crap tech for no other reason than $, and the state of the modern web.

mttaggart@infosec.exchange

@douglevin I'm sorry both she and you had to go through that. You're absolutely right that the state of tech (Windows especially) is utterly inaccessible to many—especially the elderly. I've worked these incidents for a number of users, and it's not just the confusion, but the feeling of humiliation after being successfully targeted. We have to do better, both in design and support. It's shameful.

douglevin@infosec.exchange

@mttaggart Yes! She felt so bad and I said basically don't be: they are pros and you had NO CHANCE. Zero...

thatjpwing@mastodon.social

@douglevin @mttaggart I tell folks I help in similar situations the same thing. "Don't feel bad. The Internet was never designed for what it does today and bad folks have taken advantage of that. Let me know if you need any further help."

gunchleoc@mastodon.scot

@thatjpwing @douglevin @mttaggart Yep. Also adding new stuff to the user interface, constantly changing stuff around... the only thing you can do for dementia patients these days is downgrade to Windows 10 and hope they dont live past the end-of-life for the security patches