Windows 10 is no longer supported after October? Then what?

Windows 10 will no longer be supported after October. That means no more free updates, including crucial security patches. These are vital to keeping your computer safe from zero-day exploits and other cyberattacks. Just using antivirus software isn’t enough. If you are willing to pay an extra $30 per year until 2028, Microsoft will provide crucial security patches as part of its Extended Security Updates (ESU) program. The only exception to this is using Microsoft Windows 10 LTSC in its Enterprise or IoT editions, which will receive updates. The Enterprise edition will receive updates until January 9, 2029. The IoT version will receive updates until January 13, 2031. These LTSC editions are usually stripped-down, barebones versions of Windows used in enterprise or commercial computers that perform limited functions and would be too costly to upgrade to another version of Windows. The same goes for the IoT versions. For example, let’s say you run a Bitcoin ATM that runs on Windows 10. You don’t need a variety of features, you just need an operating system. This also reduces the attack surface. This would also be a good candidate for the IoT version. You aren’t using Microsoft Office on it or doing general web browsing, so if these programs are no longer supported with updates, it doesn’t matter to you. But you do want it to be secure against zero days and exploits because it needs to be connected to the web to monitor the changing price of Bitcoin.

For at least the next few years, most software is still going to support Windows 10 because over 62% of Windows users are using Windows 10. Of these, many of them are using older computers that don’t meet the hardware requirements to upgrade to Windows 11. Windows 11 requires your computer to have a sufficiently powerful processor and a TPM (Trusted Platform Module) in it for cryptographic security purposes. Computers are expensive, so many people will just continue using Windows 10 and keep their computers unpatched so long as they can run a web browser. In time, Chrome or Microsoft Edge won’t work, so they will either switch to Firefox ESR or get a new computer. In the meantime, they risk being hacked or even subjected to a ransomware attack because unpatched zero days will be discovered by hackers and possibly used to exploit their computers. Most people don’t like to learn new operating systems and fear not being able to use the programs they are used to, like Microsoft Office or Adobe products, so they will buy a new computer with Windows 11 on it. This is the path of least resistance, the default.

For those who are willing to push themselves a bit, there are better options. If I was committed to using Adobe products as a creative professional I would switch to Windows 10 LTSC IoT edition and continue using that for a few more years. That way I wouldn’t have to spend the money on a new computer. Not having regular updates to security vulnerabilities is not an option for me because I have a high threat model as a dissident who has been subjected to mercenary spyware and military-grade hacking attacks. I am also a political refugee. I still face regular phishing and hacking attempts, almost daily. I would never run something like Windows 7, for example, because it would be hacked almost immediately if I tried to use it as my daily driver. Maybe if the computer was air-gapped it would be okay, but otherwise, definitely not.

A security researcher found a hidden NSA backdoor in Microsoft Windows over twenty years ago. Things have only gotten worse since then. Windows 11 is the most privacy-invading version yet. Because Windows is closed-source, you cannot audit the code to verify there are no hidden backdoors. It isn’t open source like GNU/Linux distributions. This is also a security vulnerability, because zero-day exploits can be found and until they are reported to Microsoft, they won’t be patched. The GNU/Linux community discovers these vulnerabilities quickly and rapidly patches them. That is why Debian-based distros are so secure and stable. If you have no choice but to use Windows 11, there are steps you can take to somewhat mitigate the telemetry which is used to spy on you and report back to Microsoft. The easiest way to do this is to use an automated script like Win11debloat, which removes telemetry and privacy-hating apps from Windows 11 for you. The limitation is that future updates by Microsoft can and sometimes do reverse these changes, so you have to re-run the script every few months. Because you cannot see the source code, you don’t know if everything in telemetry has been entirely turned off, which isn’t very safe. For someone with a high-risk threat model like a dissident, journalist, or whistleblower, this is an unacceptable risk, so you shouldn’t be using Windows.

If you are installing Windows 11, never choose the option that requires you to be signed into your Microsoft account. If you do, you are opening the backdoor to everything you do on your computer to Microsoft, which is partnered with the NSA and CIA. Expect zero privacy if you do that. Windows 11 is going to assign you an advertising ID, which will be used to track you. You will want to disable that. Turn off location tracking as well. Turn off activity history and diagnostic data. It has been shown that the government used to use the data collected in “diagnostic data” which is uploaded to Microsoft to learn the vulnerabilities in your computer so you could be hacked more easily. Cortana and Windows Recall are privacy nightmares. They are there to collect data on you. Turn them off. You don’t need either one, particularly Recall. Turn off voice recognition, too. Turn off the global settings for your camera and microphone. If you don’t use these on a regular basis, consider putting black electrical tape over the webcam or get one of those mechanical sliders that covers the lens. You can buy a microphone blocker that fits into your microphone port and disables the microphone when you aren’t using it. Also, go into your BIOS settings and turn off the camera and internal microphone. Edward Snowden revealed how these can be turned on by the government without you knowing and used to spy on you. A transcript of your conversations is created and sent back to the government. Snowden discussed this in his book, “Permanent Record.”
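
A read-only way to check the settings listed above, and to re-check them after a Windows update may have reverted them, is sketched below in PowerShell. This is an added example, not part of the original post and not code from Win11debloat; the registry paths, value names and the `Test-PrivacySetting` helper are assumptions based on commonly documented locations, so confirm them on your own build.

```powershell
# Added example (not from the original post): read-only audit of the
# Windows 11 privacy settings listed above. Nothing is modified.
# ASSUMPTION: the registry paths, value names and wanted data below are the
# commonly documented ones; confirm them on your own Windows build.
$pol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$cons = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

$checks = @(
    @{ Setting = 'Advertising ID';      Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo'; Name = 'Enabled'; Want = 0 }
    @{ Setting = 'Location (global)';   Path = "$cons\location";      Name = 'Value'; Want = 'Deny' }
    @{ Setting = 'Camera (global)';     Path = "$cons\webcam";        Name = 'Value'; Want = 'Deny' }
    @{ Setting = 'Microphone (global)'; Path = "$cons\microphone";    Name = 'Value'; Want = 'Deny' }
    @{ Setting = 'Activity history';    Path = "$pol\System";         Name = 'PublishUserActivities'; Want = 0 }
    @{ Setting = 'Activity upload';     Path = "$pol\System";         Name = 'UploadUserActivities';  Want = 0 }
    # 0 is only honoured on Enterprise/Education; other editions treat it as 1.
    @{ Setting = 'Diagnostic data';     Path = "$pol\DataCollection"; Name = 'AllowTelemetry'; Want = 0 }
    @{ Setting = 'Cortana';             Path = "$pol\Windows Search"; Name = 'AllowCortana';   Want = 0 }
    @{ Setting = 'Recall snapshots';    Path = "$pol\WindowsAI";      Name = 'DisableAIDataAnalysis'; Want = 1 }
    @{ Setting = 'Online speech';       Path = 'HKCU:\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy'; Name = 'HasAccepted'; Want = 0 }
)

function Test-PrivacySetting {
    param([Parameter(Mandatory)][hashtable]$Check)
    $actual = $null
    try {
        $actual = Get-ItemPropertyValue -Path $Check.Path -Name $Check.Name -ErrorAction Stop
    } catch {
        # Key or value is missing: Windows then applies its own default,
        # which is reported as NOT SET rather than guessed at.
    }
    # Compare as strings so DWORD (0/1) and string ('Deny') data share one test.
    $state = if ($null -eq $actual) { 'NOT SET' } elseif ("$actual" -eq "$($Check.Want)") { 'OK' } else { 'DRIFTED' }
    [pscustomobject]@{
        Setting = $Check.Setting
        State   = $state
        Actual  = $actual
        Wanted  = $Check.Want
    }
}

$report = $checks | ForEach-Object { Test-PrivacySetting -Check $_ }
$report | Format-Table -AutoSize

# Anything not explicitly in the wanted state deserves a look.
$open = @($report | Where-Object { $_.State -ne 'OK' })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) setting(s) are unset or reverted; review them after each Windows update."
}
```

Run it from an ordinary PowerShell prompt; a setting shown as NOT SET means no explicit value exists and the Windows default applies.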

If you want to keep using your present computer and save money while gaining yourself additional freedom, privacy, and security, then switch to GNU/Linux. Or at least set up a dual boot of your system with both Windows and Linux. My suggestion would be to go all in with Linux, because then you can do full disk encryption of your hard drive, which protects you if your computer is physically stolen. You can switch to Ubuntu, Linux Mint, or Pop OS, which are easy to install, easy to use, and have wide community support. They are regularly updated to patch security vulnerabilities. And because so few people use GNU/Linux, the vast majority of malware and viruses are made to attack Windows computers, not GNU/Linux users. The design of these systems is also more locked down, so it is harder for malware and viruses to do serious harm to your system. You don’t have elevated privileges by default.

If you are using an older computer, something like Linux Mint XFCE is very lightweight and uses few computer resources. A computer that would either not be able to run Windows 11 or would run it very poorly would fly like a champ on Linux Mint XFCE, Lubuntu, or Zorin OS Lite. The boot time itself would be cut in half. The benefit of Linux Mint in all its iterations is that it has wide driver support, so if you install it on something like a Lenovo laptop, for example, the wireless card, the sound card, and all the components just work. You don’t even need to look for drivers. You don’t have to be a tech expert to use Linux Mint. Software is easily installed with a graphical manager. You just click and you are done. Linux distributions ten years ago were more difficult to manage because often there were driver problems. You would install one but the sound wouldn’t work, or the wireless card wouldn’t work. It was incredibly frustrating. Those days are long gone. If you are using a high-end NVIDIA card, for example, Pop OS supports these, which reduces headaches.

Gaming on Linux is possible now. Using Steam, WINE, Proton, and other emulators, you can play most games on Linux. Running older games on emulators is widely supported as well. While there are open source creative programs like GIMP to replace Adobe Photoshop, unfortunately it isn’t the same. This remains a limitation. I have never tried emulating Photoshop in Linux, so maybe that is a workaround. I don’t know. I personally have just gotten used to using GIMP, which for me is good enough. Your mileage may vary. Some people may decide to dual boot their computers, keeping Windows to use Adobe products but using Linux for their daily driving. You could keep an air-gapped version of Windows to use Photoshop if you had to; that way you wouldn’t have to worry about the lack of security updates. Or you could switch to Windows 10 LTSC as I previously mentioned. Combine this with a good antivirus program with a decent real-time scanner, such as Malwarebytes or Kaspersky (if you live outside the US, because the US has banned Kaspersky in America). Real-time scanners are important, as are firewalls, because you want to prevent the malware infection and not just react to it. Once your computer is infected it is largely too late. By then you may have already had your data compromised, and you should reformat the hard drive and reinstall your operating system because you can’t be entirely certain the virus has been eliminated by the antivirus software. In some instances where there may be a rootkit, you will need to reflash the firmware of your computer in addition to reformatting your hard drive and reinstalling Windows. If your email or your Google Drive account has been compromised, then you will also need to change all of your passwords. That’s a good time to also start using a password manager with a password generator. You want every account to have a strong password that is complex. Never reuse the same password for two different accounts.
With a password manager like Proton Pass you only have to remember one password. It also stores passkeys, which are excellent. These are highly secure and are not subject to phishing attacks. I highly recommend their use.

Some people may decide to switch to Apple after Windows 10 expires. “I have to get a new computer anyway, so why not?” they may think. Macs are less vulnerable to malware and viruses compared to Windows, which is good. The problem is that they aren’t better in terms of your privacy. Apple still collects a ton of information about you, and Apple does include a lot of telemetry. You are putting your trust in Apple, which you shouldn’t do. Computer security should be based on zero trust. You shouldn’t need to trust anyone outside of yourself to be secure with your data. It should be this way by design. Tim Cook doesn’t know you. He doesn’t care about you, nor should he be expected to. American corporations exist to make money. If they have to choose between protecting your privacy and continuing to operate, or for their executives to go to jail, you aren’t going to be priority number one. Apple’s source code is not open source, so you can’t audit it. You don’t know if there are backdoors. The default settings in Apple’s ecosystem are based on convenience, not privacy. You can do things to improve them and make them overall workable if you have to. For example, your Apple ID should always have two-factor authentication turned on. I wouldn’t use iCloud, but if you do, make sure you have Advanced Data Protection turned on, which turns on end-to-end encryption of your data. That means not even Apple can decrypt your data. The UK is trying to force Apple to end Advanced Data Protection so it can gain access to your data with a master decryption key. It seeks to do this not just for UK users but for users across the entire globe. This would mean the end of encryption, essentially, and the end of computer freedom. The US had these battles in the 90’s, and now Europe is having them.

One would think that in the battle between Android and iPhone users, Android would be the clear winner because it is open source, right? Unfortunately it isn’t that simple. It’s a bit more nuanced. How Android is implemented by the phone manufacturer makes a huge difference. A Pixel 9 phone with a secure chip in it running Graphene OS (a privacy-focused operating system) is miles ahead of a cheap Chinese Android phone running a poorly done version of Android. The iPhone has its limitations because it is closed source and by default is set for convenience, not security. But it has very solid hardware, and newer iPhones have a secure element chip in them that protects your encrypted data. They come encrypted by default and if you use a strong alphanumeric password, they are solid. Customs agents and the feds use Cellebrite machines which can read the data from all normal Android phones, even if password protected. Unless you are using Graphene OS, forget about it. Graphene OS devices in the BFU state (i.e., before the first unlock after a reboot) are highly resistant to Cellebrite’s tools. Most Android phones leak data, even when using a VPN, according to Mullvad. This year a critical vulnerability was discovered in many iPads and iPhones from the iPhone X onward that let an attacker bypass the USB protection mode and read a phone’s data. Apple released iOS 18.3 with a patch that corrected this. iPhones from the iPhone X onward (including the second- and third-generation iPhone SE) that are updated and fully patched, are encrypted, and use a strong alphanumeric password (not a four-digit PIN) cannot be read by Cellebrite machines. This is especially true if the phone is powered off. If you are approaching a border and expect customs to read your phone, power it off. You never want to hand them your phone with it powered on and unlocked, no matter what phone it is. For those who are security conscious, turn on the “erase after ten failed tries” mode.
One can never be too certain, though, considering the new exploit that was just patched. For those who are dissidents, whistleblowers and journalists, I would suggest you never cross a border with your phone containing important data like your sources, encryption or not. It’s just too risky. Don’t bring the phone with you.

The main risk to mobile users with a high threat model is mercenary spyware, not apps like Signal having their encryption cracked by quantum computers, which are still in their infancy. If the glowies want to read your messages they will do as they did to Tucker Carlson, who was using Signal to contact the Russians to make arrangements to interview Putin but had his phone hacked by the NSA, who then threatened him. They send the Pegasus mercenary spyware or a variant to your phone, infecting it. Then they use a keylogger, voice recorder, and other tools within the spyware to send this data back to them. They get your passwords this way. Or they infect the phones of your contacts if your phone is too hard to hack because you keep switching phones using burner phones. Apple has developed Lockdown Mode, which is designed to prevent Pegasus spyware and other mercenary spyware infections. So far it has worked well. There are currently no known instances of Lockdown Mode being defeated. Someone like Tucker Carlson would be well served in getting either a Graphene OS phone with a Pixel 8 or 9 or using a newer iPhone in Lockdown Mode. Both will resist being read by Cellebrite and mercenary spyware infections. One would need to ensure one’s regular contacts are using the same, otherwise it is all for nothing. Or have them also rotate burner phones.

So what should you do?

Unless you want to buy a new computer, and if you aren’t into Adobe products, consider switching to GNU/Linux. Linux Mint is a good start, as is Ubuntu or Pop OS. For those who are targeted, like journalists, whistleblowers, or dissidents, consider switching to Qubes OS. This is suggested by Edward Snowden. Qubes OS uses virtualization to compartmentalize programs, ensuring that infections of one program do not affect the others. For example, you can run a qube for banking separate from a qube for surfing the Internet. If Pegasus were to infect one qube it wouldn’t be able to infect the others. With other Linux distros everything is more connected, increasing the attack surface. Do note that you can do things like sandbox your browser in other distros, using Firejail. But the risk is still elevated compared to using Qubes. The limitation of Qubes is that you need a lot of RAM for it to run smoothly, at least 16 GB. Qubes is about security and preventing infections. If you are a whistleblower who has yet to draw the attention of the glowies, then your main concern is going to be anonymity. For that you should use Tails OS. It is stored on a USB drive. It bypasses your normal operating system to prevent any trace of who you are from being leaked. It connects to the Internet using Tor, which hides your IP address. The Tor Browser seeks to give you a generic browser fingerprint so you aren’t identified that way. You wouldn’t want to sign into your email or social media accounts, obviously, because this would deanonymize you. You would want to use Tails OS to get online, connect with Tor, and transmit your important information via a secured means, such as secured email with PGP encryption used by both parties or a secured messaging program like Briar or Signal. Or an onion-based data drop. If you signed up with Proton Mail or Tuta mail using Tor and used a disposable email address and not your real name to sign up, this would also work.
If you pay for these services, you would need to pay in cash or with Monero. Bitcoin purchased off an exchange that asks for KYC is traceable to you. KYC means sharing your ID with the company to comply with US Patriot Act requirements. If you are a whistleblower using Tails OS, transfer your vital data and then power down. Don’t check your email, sign into anything, or fuck around. Once you power down and remove the Tails OS USB, this activity is not logged on your normal computer because the hard drive is bypassed. Tails OS is not to be your daily driver for web surfing or general productivity. It won’t keep you anonymous for these purposes. That’s where Qubes OS comes in, because you use it like a normal desktop, and it also helps prevent you from being hacked by state actors.

If you have a moderate threat model and aren’t targeted, then something like Linux Mint, Ubuntu, Pop OS, or one of those is perfect. If you are into Adobe creative products, then consider either switching to Windows 10 LTSC and keeping your current computer, or dual booting it, air-gapping the older version of Windows 10 and running Linux as your daily driver for general web surfing. You could do this for gaming, too, although Linux is much improved for gaming compared to the past. Some people will just buy a new computer with Windows 11 on it and continue as they were. If so, at least make the effort to use scripts which reduce some of the telemetry and spying that Windows 11 does and sends back to the Microsoft mother ship, and indirectly to the NSA. Never install Windows 11 using your Microsoft account that identifies you.
