Dr. Sbaitso

Do you have a new/new-to-you/used Windows device that needs a fresh start? Here's the process I've refined for myself over the years to get the best, most usable device possible. Start with zero added crap like McAfee or manufacturer sales programs.

You'll need a couple of USB flash drives for this process. Grab one that's at least 16 GB (install media) and one that's at least 32 GB (data backup). If you're going to be doing this often, you can replace the install media flash drive with an IODD device. I've got one with a 1TB SSD with a bunch of Windows and Linux ISOs, a separate folder for drivers, and a little 1 GB FAT32 partition specifically for holding BIOS updates.

Step 0: BACK UP YOUR DATA. On a separate, external device like the 32 GB or larger flash drive. Copy your user profile(s) and set it aside. You can just copy C:\Users and get 99% of things you'll care about. Get one that's visually distinct, label it, and put it somewhere else so you don't overwrite it. Do this even if you have multiple drives in the system. Don't count on your ability to keep internal storage devices straight. You can skip this step if you're pulling the device straight out of the box.

Step 1: Prepare Media. This requires a working computer.

Microsoft provides clean (for Microsoft) Windows 11 ISOs directly on their website: https://www.microsoft.com/en-us/software-download/windows11 Download the ISO directly from Microsoft. Don't download the ISO from any third-party sites. You can also use the Microsoft “Create Windows 11 Installation Media” program which will automate a lot of the process.

With the Windows 11 ISO, you can use Rufus to create your Win11 install flash drive. Rufus can do some fun things like kill the Microsoft Account requirement.

MAKE SURE YOUR INSTALL USB DEVICE ISN'T YOUR BACKUPS USB DEVICE

You can also just dump multiple ISOs on your IODD. I keep older versions of Win11 install ISOs around specifically so I can just use the bypassnro trick to create a local account, but there will probably always be some option to get around the online account requirements.

Step 2: In addition to Windows, there are a couple of other things you want to grab.

Check to make sure you have the latest UEFI (AKA/FKA BIOS) version for your device. Get this from the vendor with their name on the box directly from their website. Download the version specific to your model/serial number.

Also grab the latest system/platform, graphics, and network/wifi drivers from the manufacturer's website. 90% of these “executables” will be zip files that you can extract and point Windows at the folders later.

Lastly, you want to grab other stuff you want to install immediately. For me, that's Privacy.Sexy, WinAeroTweaker, Vivaldi browser, a Copilot Killer Script and the latest releases of PowerShell, Windows Terminal, and PowerToys.

After you create your install USB, you can copy the BIOS update, drivers, and miscellaneous programs to it.

Step 3: Update UEFI/BIOS. Specifics are going to depend on your device and its process. Make sure you're on the most recent version, especially because of the Secure Boot certificate expirations.

Step 4: Boot Windows 11 Installer. Start fresh, blow away everything on the existing internal drive. The default manufacturer programs are almost never worth saving. The restore partitions are going to have old crap that will be replaced almost immediately when you start updating.

Modern devices won't have a Windows license sticker; the key is baked into the UEFI. Sometimes the Windows installer will pick up the right edition (home/pro/enterprise), sometimes you have to select it yourself. Either way, you can install Win11 without needing to provide a license key at this step. See also the MAS further down.

Step 5: Install drivers for devices Windows didn't handle during installation. The old Device Manager still exists. Right-click on the Start button/Windows logo, and select “Computer Management”. There you can see devices, including ones that don't have working drivers. Either run the executables you downloaded earlier, or right-click on the problem device and “Update Driver”, pointing it at the folders you unpacked.

Step 6: Kill the annoying semi-setup bullshit Windows pulls after updates. Settings app –> System –> Notifications –> Additional Settings –> Uncheck “Suggest ways to get the most out of Windows and finish setting up this device” and “Get tips and suggestions when using Windows”. These are the terrible interruptions Microsoft has started imposing after some updates that will do the absolute bullshit like tricking you into using Onedrive or switching your browser back to Edge. They're gross and terrible and if we had working antitrust enforcement they'd get another deserved crotch-kicking over it.

Step 7: Run the RemoveWindowsAI script. Kill it all, roll back to “classic” Paint/Notepad/Snipping Tool. Uninstall a bunch of MS garbage like Onedrive, Teams, the Office stub, and whatever else you don't need.

Step 8: Install PowerShell7/Terminal/PowerToys, configure to taste. You can install MS Office here too, if you need it. If you don't, we'll install LibreOffice later.

Step 9: Update Windows. Settings –> Windows Updates –> Check for Updates and Advanced Options –> Optional Updates. Just grab everything, get to the latest version. Check “Receive updates for other Microsoft products” too. This covers MS Office and PowerShell. This will take a while, and make sure the bullshit in step 6 didn't get re-enabled.

Step 10: Run the RemoveWindowsAI script again, because “no” isn't a term Microsoft understands.

Step 11: Install Vivaldi, set as default browser, configure as desired. For me that's a dark mode theme, crank the built-in ad-blocker to max, make Settings a tab instead of its own window, setting the search engines to DuckDuckGo, and install the extensions for 1Password, PrivacyBadger, and uBlock Origin.

Step 12: Install/run Privacy.Sexy and WinAeroTweaker.

Privacy.Sexy can break things, so I normally just use the “Standard” setting. I've had good luck with its revert options when it DID break things, but your mileage will vary.

WinAeroTweaker will restore some older Windows defaults to their better options. Once you find settings you like you can save and load those settings to a simple file.

Step 13: Verify Windows activation. Settings –> System –> About –> Product Key and Activation. The system has probably already activated itself in the background. If not, do it now. Or not. I'm not the software police. You can also use the MassGrave Activation Scripts, at your own risk.

USE AT YOUR OWN RISK: Massgrave.dev has published the “Microsoft Activation Scripts (MAS)” on MassGravel GitHub: https://github.com/massgravel/Microsoft-Activation-Scripts These can be used to activate Windows and Office through a couple different methods.

Step 14: Everything else. I've used Ninite for decades to bootstrap a bare computer into usability. Check the boxes, get an executable that will download and install the apps with the best defaults. Only criticism is the free version dumps a bunch of icons on your desktop.

My personal absolute minimum app list is this:

* Vivaldi
* Firefox
* WinDirStat
* 7-Zip
* VLC
* Notepad++

For utility, I'll add these:

* Paint.NET
* IrfanView
* LibreOffice
* FileZilla

You can keep the Ninite executable around and rerun it later to update existing installs. The EXE isn't locked to a specific machine, so if you're doing several machines you can just dump it on the install flash drive and run it directly.

Manufacturer utilities like Dell's SupportAssist can be okay, but you've got to keep a close eye on them to make sure they don't do something dumb like install McAfee for “free”.

Step 15: Restore your documents/pictures/music/miscellaneous backed-up data. Now's a good time to make sure you have a comprehensive and tested backup scheme for your data too.

Now you should have a usable, fast Windows 11 device with the minimum Microsoft bullshit hanging around.
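A post-build verification script for the procedure above, added here as an example (it is not part of the original post). Run it in an elevated PowerShell on the rebuilt machine. It assumes you supply the ISO path and the SHA-256 Microsoft publishes for that ISO, and the two registry value names behind the Step 6 switches are my assumption about what those Settings toggles write.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: one script to verify the rebuild
# steps above on the freshly installed machine. The ISO path and expected hash are
# placeholders, and the two registry value names behind the Step 6 toggles are my
# assumption about what those Settings switches write.
param(
    [string]$IsoPath        = 'D:\Win11.iso',                  # assumed location on the install USB
    [string]$ExpectedSha256 = '<SHA-256 from microsoft.com>'   # placeholder: paste Microsoft's published hash
)

$results = [ordered]@{}

# Step 1: the install media must match the hash Microsoft publishes alongside the ISO.
if (Test-Path -Path $IsoPath) {
    $actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
    $results['ISO hash matches Microsoft'] = ($actual -eq $ExpectedSha256.ToUpper())
}

# Step 3: firmware version (compare against the vendor's page) and Secure Boot state.
$bios = Get-CimInstance -ClassName Win32_BIOS
$results['Firmware version'] = "$($bios.Manufacturer) $($bios.SMBIOSBIOSVersion) ($($bios.ReleaseDate))"
try   { $results['Secure Boot enabled'] = Confirm-SecureBootUEFI }
catch { $results['Secure Boot enabled'] = 'unsupported on this platform' }

# Step 5: anything still sitting in Device Manager without a working driver.
$broken = Get-PnpDevice -PresentOnly -Status ERROR, UNKNOWN -ErrorAction SilentlyContinue
$results['Devices missing drivers'] = @($broken | ForEach-Object { $_.FriendlyName }) -join ', '

# Steps 6 and 9: the "finish setting up" and "tips" nags should still be off after updating.
# Value names are an assumption; 0 is what the unchecked toggle writes, and a missing
# value means the default (still on). These are per-user (HKCU) settings.
$scoobe = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement' `
                           -Name 'ScoobeSystemSettingEnabled' -ErrorAction SilentlyContinue
$tips   = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager' `
                           -Name 'SubscribedContent-338389Enabled' -ErrorAction SilentlyContinue
$results['Finish-setup nag off'] = ($scoobe.ScoobeSystemSettingEnabled -eq 0)
$results['Tips nag off']         = ($tips.'SubscribedContent-338389Enabled' -eq 0)

# Steps 4 and 13: is there a key baked into UEFI (OA3), and did Windows activate?
$oa3Key = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
$results['UEFI-embedded key present'] = -not [string]::IsNullOrEmpty($oa3Key)
$lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
           -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'"
$results['Windows activated'] = (@($lic.LicenseStatus) -contains 1)   # 1 = Licensed

$results
```

Rerun it after Step 9 (and after any later feature update) so a re-enabled Step 6 toggle or a rolled-back driver shows up as a False line rather than a surprise.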

#Windows #Microsoft #Laptop #PC #Security #Reinstall #Copilot #Malware #Dell #HP #Lenovo #ASUS #Acer

Why I won't buy Androids

I was talking about new phones with a friend a few days ago, and he asked about Android choices. I told him I won't buy any Androids, for a bunch of reasons. This is social media, I'm into my second boozy eggnog. I figure I'll share those reasons here too. Most of the reasons are around Google itself, and some are around how it's handled Android. Only one is because I'm a petty bitch with a collection of heirloom grudges.

First and foremost, Google is an advertising company with a search engine and a browser and a video hosting service and a mobile operating system all designed to keep your eyes and ears on their advertisements. For FY2022, 80% of Google's revenue came from advertising. Given the lengths I go to avoid ads everywhere else, putting a little ad machine in my pocket doesn't make much sense.

Aside: I go to extreme lengths to block ads. I have a very aggressive PiHole setup. My daily browsing is through Vivaldi (which has a built-in ad blocker) (But the new Direct Match stuff defaulting to On is pretty fuckin' shitty, Vivaldi) and also running an over-packed μBlock extension. Secondary browsing goes through Firefox with a similarly-configured μBlock. I also have a WireGuard VPN running on my iPhone so whenever I'm not on my own WiFi network I'm tunneling back in just to use my PiHole. Vivaldi on iPhone also has a built-in ad-blocker.

Besides the ad biz, I don't trust Google overall. It started with Google Reader, but Google is quick to drop the blade on the neck of any product/service/app that doesn't have a VP championing it. The other recognizable names include Google Wave, Google+, Google Fiber, and Google Stadia. What's going to be the 300th entry in the Google Graveyard? They're at 293 right now, so I expect we'll hit 300 by April 2024.

Zooming back out to the state of the internet today, I honestly think Google and Facebook are tied for doing the most damage to the internet and society at large. Their pervasive advertising is enough for me to stay far away from them. But their stains run far deeper. Google Search is now completely useless. Everything is a webpage now. I've lost count of the companies they've either acquired and killed or cloned and killed. They've built data profiles to rival Facebook. And Youtube will gleefully auto-play viewers into misogyny, conspiracy, and rightwing fascism.

On Android specifically, Google has been an exceptionally poor steward of the ecosystem. Flagship devices now get a few years of updates, but anything down-market may get a year of updates before being forgotten like the fifth child at an after-school activity. Google could enforce feature and security updates for a minimum period of time, but they've chosen not to. And it only reached even that shameful level fairly recently.

And they've been spreading this fast-fashion/ewaste-speedrun philosophy to the laptop formfactor too. They're goddamned laptops, not milk. I have an Alienware M11x R1. It's from 2010. It still runs Windows 10. Poorly. But it can still get OS and security updates 13 years after release. It's a functional print server for my old Brother laser printer that I bought in ~2007 that only has a USB-B interface.

Beyond the shameful state of Android updates, the Google app store is a fraudulent mess. It's been a problem for years and it's still a problem today. It's impacted millions of users at this point. If the Google Play store is going to be the premier source of Android apps, Google needs to get a lot better at protecting users from bad actors. For devices that contain so much of our lives, failures to protect against financial theft is unacceptable.

And Google themselves are part of the problem. We're overdue for Google's next chat app shakeup. I think. And that's just Google. The phone OEMs can replace it with their own uniquely crappy SMS/RCS/proprietary pile of crap. Going back to the problem of executive champions and vision, nowhere is that absence clearer than the absolute clusterfuck of Google chat apps.

Finally, I mentioned above that I'm a petty bitch. My family holds onto grudges like most folks hold onto fine tableware or farmland. Case in point: My grandfather got screwed over by a Shell gasoline station. He wrote to corporate to explain the situation, and found their answer... unsatisfactory. Nobody in my family has gone to a Shell station since.

My grandfather died over a decade before I was born.

But I have a very personal grudge against Google. They blamed me for something they broke, and have never to my knowledge apologized for it.

Many, many years ago I worked at a small firm. This was when Windows 7 was at its peak, and Windows XP was still very common/well-supported. We had a line-of-business app that was dependent on certain components of Internet Explorer. If you tried to access the web launcher from something other than IE, it would break in really unpleasant ways. Since some of the LOB usage was time-critical, when it broke it was a priority issue.

This was also the time Google started to spread Chrome like herpes. We weren't a big firm, and we didn't have great tools for controlling third-party applications and their updates at the time. Remember, this was almost 15 years ago. I've learned a lot since then, and the toolsets have improved a lot since then.

So folks would just push the button to update Adobe reader, next next next finish. The work we did was highly technical, and again: ~15 years ago, small business, most folks had local admin. We didn't have the tools to do a good job controlling these things. And updating an existing Adobe reader install would “helpfully” install Chrome and set it as the default browser. The LOB “app” was a shortcut on the All Users desktop that pointed to the webpage.

Google Chrome could not support the critical application. So I'd get a panicked phone call from a user because the critical LOB app was failing. I'd either walk over to their desk or RDC into their machine and uninstall Chrome. They'd go back to work, fill out the time-sensitive information, everyone was acceptably content.

Until they tried to click a link outside IE. Say, a link to something important in Outlook. Turns out, Google did a shit job coding the Chrome uninstaller, and left HTML file associations (what Windows uses under the hood to understand it needs to pass data to a browser) just... empty. And in Windows 7, that leads to a specific error message: “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” Hey guess who the System Administrator was. Guess who everyone thought was blocking something they needed to do for work?

Eventually I got the tooling and controls in place to prevent Google Chrome from installing itself where it shouldn't (part of the user profile), and finally blocked the garbage of early Chrome from my corporate domain. It wasn't technically a virus, but it sure acted like one. It sure caused a lot more headache than any actual malware. And I still carry a grudge for the shitass job Google did when spreading their little browser-glitter all over my matte black Thinkpads.

So now my phone is built by Apple. They have plenty of different problems, but Google products are absolutely disqualified.

I really wish Microsoft hadn't given up on Windows Mobile/Phone. A third player with real marketshare would be good for everyone. And comparing the ROG Ally to the Steamdeck highlights how weak Windows is on smaller devices and interfaces that aren't keyboard & mouse. Having an ARM-based processor base would have put Microsoft in a better place to really compete with Apple's M processors. Having an XBox Mobile/Handheld/Go would be amazing. #RIPWindowsPhone

So yea. I don't trust Google for many reasons. Android itself is a mess. And I'm petty as fuck. That means an iPhone is my only option.

Brief Thoughts on PKI and Certificates at Scale

This started as a reply to @davidseidl@mstdn.social and a thread about certificate expiration in a small organization (https://mstdn.social/@davidseidl/109638543580938963). He made some good points, but there's scaling issues for enterprises, as I outline and address below.

At the scale of a couple dozen certs, calendar alerts and individual/backup responsibility is okay. Once you get into hundreds and thousands of certs, you need to plan and automate as much as possible.

At enterprise scale, you're probably using certs for a number of tasks:

* User Authentication
* Device (server, service, container) Authentication
* Data encryption in transit
* Data encryption at rest

When you're working in an enterprise (1,000+ employees), maintaining the infrastructure necessary and helping developers understand how to accomplish their goals absolutely requires its own team. You're likely dealing with multiple certificate issuers (internal and external), along with ensuring all the moving parts of certificates (issuers, the certificate management tool (CMT), CRL/OCSP, and the servers/databases underpinning them) are working smoothly.

That also means thousands of certs on hundreds or thousands of devices, services, or containers. Unless you want your entire day to be consumed with manually updating certs (and maybe you like to do the boring stuff like that), automation is key.

A good Certificate Management Tool will do several things:

* Find what certs are already out there through scanning
* Manage certificate life-cycles
* New certificate provisioning/installation
* Renewing existing certificates
* Maintaining certificate history
* Centralized revocation in the event of a breach
* Report what you have in appropriate granularity
* Alert appropriate parties in cases where automation isn't yet available

Certificate Inventory: A CMT should be able to scan targets (through an IP range, an Active Directory OU, a list of URLs, et cetera) and find certificates that are either offered through various interfaces (like HTTPS) or stored on the device (like in the Windows CertMgr). The second option will require an account the scanner can use to authenticate to the device.

Certificate Life-Cycle Management: The bread and butter of installing, renewing, and revoking certificates. Maybe you want one cert for a service/application on a dozen servers. Maybe you don't want to have to manually deal with your public-facing .com cert every 60 days. Maybe you have a honeypot farm with a valid cert for $reasons that you want to be able to revoke with one button. That's the heavy lift a CMT provides. It can also maintain a history of previous certificates, so you have more pieces of the “when did this stop working” puzzle.

Reporting: Execs love pretty graphs, and some accountants love internal billing. Reporting from your CMT can make this literally automatic. Need to migrate from $OldCertIssuer to $NewCertIssuer, and Management wants some numbers on who's behind the curve? Security needs to audit all your externally-trusted certificates? Reporting!

Automation should be the target for the majority of your certificates' life, but sometimes automation just isn't available. Old line-of-business applications can be picky, and maybe you don't have the maturity yet for automation success. There are also some high-security edge cases where a manual process is required. Even if your CMT can't talk to the device (say because it's in a segregated network), the certs will still expire when the clock says they do. Or perhaps you have a third-party service that can't request certificates on their own. This is where monitoring and alerting can come into play. Monitoring and alerting on certificates before they expire can let you plan and communicate changes in a calm, orderly fashion instead of “oh gods the cert expired and we need to replace it five minutes ago!”.
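The two CMT jobs described above, inventory by scanning and alerting before expiry, as one small Python script. This is an added example, not code from the original post or from any particular CMT product; the targets, the alerting ladder and the sample certificate are constructed values, and the constructed sample is shaped like what the standard library's `getpeercert()` returns so the demo runs offline.

```python
# Added example, not code from the original post: a small scanner that does the
# "inventory by scanning" and "alert before expiry" jobs above for TLS endpoints.
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (7, 14, 30)  # assumed alerting ladder, most urgent first

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return host:port's leaf cert in getpeercert() shape. Verification stays on,
    so an untrusted or mismatched chain is reported as UNREACHABLE, not skipped."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_summary(cert: dict, now: datetime) -> dict:
    """Reduce a getpeercert() dict to the fields a CMT report needs."""
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    # notAfter arrives as 'Mar  1 00:00:00 2026 GMT'; ssl parses that form for us.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "cn": subject.get("commonName"),
        "issuer": issuer.get("commonName") or issuer.get("organizationName"),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "not_after": not_after.isoformat(),
        "days_left": (not_after - now).days,  # negative once expired
    }

def alert_level(days_left: int) -> str:
    """Map days to expiry onto the alerting ladder."""
    if days_left < 0:
        return "EXPIRED"
    for threshold in ALERT_DAYS:
        if days_left <= threshold:
            return f"WARN<={threshold}d"
    return "OK"

def scan(targets, now=None, fetch=fetch_peer_cert) -> list:
    """Inventory each (host, port) and attach an alert level. fetch is injectable
    so the logic can be exercised offline."""
    now = now or datetime.now(timezone.utc)
    report = []
    for host, port in targets:
        entry = {"target": f"{host}:{port}"}
        try:
            cert = fetch(host, port)
        except (OSError, ssl.SSLError) as exc:
            entry.update(level="UNREACHABLE", error=str(exc))
        else:
            entry.update(cert_summary(cert, now))
            entry["level"] = alert_level(entry["days_left"])
        report.append(entry)
    return report

# Constructed sample cert in getpeercert() shape so the demo runs offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.internal"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Internal CA"),)),
    "notAfter": "Mar  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "app.example.internal"), ("DNS", "app")),
}

def demo_report() -> list:
    """Scan one (faked) reachable target and one that refuses connections."""
    def fake_fetch(host, port):
        if host == "app.example.internal":
            return SAMPLE_CERT
        raise ConnectionRefusedError(f"{host}:{port} refused")
    now = datetime(2026, 2, 20, tzinfo=timezone.utc)  # 9 days before SAMPLE_CERT expires
    return scan([("app.example.internal", 443), ("dead.example.internal", 8443)],
                now=now, fetch=fake_fetch)
```

Call `demo_report()` for the offline sample, or `scan([("host", 443), ...])` against real endpoints; an UNREACHABLE row is itself a finding, since a segregated device still expires on schedule and needs the manual path described above.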

An end-state goal is essentially the same as a well-oiled CI/CD pipeline (and in fact interacting with your CMT could be part of that process). Review reports, alerts, and observability metrics. Let the computers handle the boring parts while your team handles the interesting choices of fitting use-cases and designing good, scaling solutions.

When you're using certificates for data-at-rest encryption, that data is only useful if you can decrypt it. We use our CMS to handle key escrow for our servers. There are specific additional security requirements around that, and we work with our internal security teams to ensure everything is handled properly.

Our CMS acts as a proxy/relay for most certificate use-cases in our environment. We've got a couple of distinct certificate authorities that do different things, but half the certs flow through our CMS. Sometimes that's “store and forward a CSR, return signed cert”, sometimes it's “Fill out a few fields, we'll take some default data, and handle everything behind the scenes”. The other half is just grabbing data from an Active Directory Microsoft Certificate Authority for reporting purposes.

Just because you're not ready for heavy automation doesn't mean you won't see value in a CMT/S. Step one of solving a problem is always identifying the problem. CMT/S will help with that too.

Good CMT/S will integrate with your existing toolsets. If you've got a smooth container deployment pipeline, ideally you can integrate your cert management with an API call or two to include standard, short-lived certs automatically.

The journey through automation (and away from waterfall development) is a long and winding road. How do you eat an elephant? One bite at a time. When you're looking to change and mature a culture, start with small wins. Build momentum. Get some easy-to-understand examples (especially within your own team) you can quickly (elevator-pitch style) demonstrate to others. Just as important is knowing when to say “This is a bigger challenge than anticipated, and we can leave it as a manual process for now.”

Layoff Advice From Experience

A ton of people have had a really bad time recently, with 200,000+ lay-offs over the past few months. I had a thread on birdsite last year with some good advice, so I thought I'd recap and generalize it here.

Things suck for a lot of folks. And they're going to suck for a little while.

I'm sorry.

Getting laid off a month before my 4th work anniversary felt almost exactly the same as finding out my long-term relationship was over because she was cheating on me. The same feelings of betrayal. The same sudden emptiness. The same massive, unplanned changes to life and routine.

Recognize that this is a sudden, drastic life change. Your routines are all destroyed. Your social circle may have just changed drastically. Don't be afraid to lean on your friends; they're there for you.

I don't know how long your runway is, but take some time to decompress. Whether that means tackling some projects you put off, or digging into your To-Be-Read pile, or binging on every season of Survivor is up to you.

Have some light conversations with contacts that you're in the market, but let the resume/application/interview prep wait a bit. It can wait, and will be better if your head is screwed on straight.

Interviewing is a specific skill-set, and you may benefit from waiting before jumping right to interviews. Again, this all depends on how long your runway is. Some limiting factors are immigration status, requiring health insurance, or immediate monetary needs. All this advice is subject to change based on your specific circumstances. Review the current articles, gather your great stories, and start editing your anecdotes.

Take the swag and put it away. Don't throw it out, just tuck it out of sight. Maybe you'll come to a place where it reminds you of the good times you had. Maybe you'll decide to ceremonially burn it in the woods (responsibly). But it can wait until your head stops spinning.

Sometimes you lose a political game you didn't even realize was happening. Sometimes someone three levels above you loses a political game THEY may not have realized was happening. Neither one is good, but putting the pieces together helped me.

The same truth about dating (there's no “one”, you make the relationship through work) applies to companies too. Your last team may have been something special, but you can make a great place and team with good people anywhere. You can make a new special. YOU can make a new special.

I thought I had found a place I was going to spend the next 30 years at and retire from. Between internal politics and the 2017 tax code change, that rug was pulled out from under me. Since then, I've had two great positions where I'm doing even better work. But the trust of just standing on a rug is gone. Now I'm always ready to jump.

Be okay with sitting in the weird quiet for a bit. Then dust yourself off and make a new special.