Seeking Expert Advice for Securing My New Lenovo Laptop

Status
Not open for further replies.
I’m not as tech savvy as some of you here but I have a friend who is and I remember that he said a few things on that topic …

1. If someone has physical access to your computer and plans and wants to steal your data, they will. So best not to leave your computer unattended.
2. General rule of thumb is that Linux is best.
3. More secure almost always equals less comfort so you have to understand the level of risk you’re in and decide what you want and who you want to protect yourself from.. ISP, government etc or thieves and hackers…

He also said that generally iPhone + Mac is much better than android and windows, and that it is enough for most people with basic privacy settings..
 
You have to switch to Linux, and that Lenovo laptop has a hardware backdoor into it but at least it isn't American, the most you will get is have your crypto and ID stolen, but you won't go to jail.
 
I installed Mint 22 two weeks ago on an older Dell XPS 13 (btw one of the few laptops that officially supported linux - Ubuntu if I remember correctly) - Bluetooth devices like headphones or watch are one big pain in the a*s, same with wifi printer, sleep/hibernation support sucks, power management no way

with Proxmox or Vmware workstation (free for personal use now) one can achieve a lot and take the best from both Windows and Linux worlds - but it requires time (lots of time)

I'm repeatedly personally trying Linux on desktop for the last 20 years, it's still not ready and I'm no rookie (I'm managing tens of mostly debian servers) - mission impossible for a mediocre user

everything of value should be in the server-side infrastructure and one can freely use various disposable and valueless devices (putting aside the value of the given hardware of course)
 
topic already discussed many times
mac is def better option than win, for non state actors
win + applocker + standard acc is also OK (pretty much to prevent anything not approved from running, of course there could be exploit for it, who knows)

you were also told about bloatware, disabling macros...before i even added:
- changing DNS to DNS over HTTPS (browser option) and setting Google/CloudFlare as default DNS
- disable JS in browser, unless approved (to prevent popups from loading malicious web site)
- multiple VeraCrypt containers, just if one gets compromised, others are still encrypted (so do not auto mount them, or mount them all at the same time)

but for what you are after (by later post), i think your best bet is learning shortcut WIN + L
security on a machine with battery is uhhhh, well...if they take it, they will have it completely powered with all ram content unencrypted...they will have plenty of time to disassemble laptop while being powered (if possible), spray ram modules...
 
I agree, but to have a complete backup stored somewhere in an external hosting center may indeed help together with VeraCrypt.

What do you mean by "spray ram modules", why?

Can I also use Bulk Crap Uninstaller (BCUninstaller)? I just installed it from SourceForge on a test PC - it finds a lot and cleans it automatically. It is free and easy to use?
 
If someone skilled is targeting you you're pretty much doomed no matter what you do.

to protect against random attacks you can just use the least popular version of any OS, something that nobody builds viruses for.
 
I must admit that I’m learning a lot just by following this thread. I’ve been testing many of the mentioned methods and software/apps on a separate computer, and within just a few hours, it has already transformed the PC into a much faster and better machine. Thanks to everyone!
 
Is it a built-in function in Windows or how are you doing it?

very cool tool.
this replaces the used NOD32 by elias right?

is included in Windows 11 Pro if I read the details correctly?
 
most straightforward approach is using the technology via Bitlocker (which I would not personally recommend but it's an option)

way better is using sedutil tool which will allow you to install PBA (PreBootAuthentication) utility to shadow MBR partition of the drive - when the NVMe drive with OPAL support is powered on this tool boots and allows you to submit your passphrase to the drive controller which unlocks given range (see the setup documentation) and "makes the drive readable" until next power off

then a conventional OS is loaded from the "encrypted" drive without even knowing about it

the most basic setup (totally fine for vast majority of users) is pretty simple and basically about following the cookbook

it's worth noting that these drives are encrypted "by default" and you're just changing the current password it's encrypted with (simplified but true from user perspective) which makes this technology so flexible

nice perk is zero impact on CPU load as all is done by the drive itself

as somebody (probably @0xDEADBEEF) already warned in another thread you're trusting the hardware manufacturer here when it comes to potential back doors implemented - this is something to consider and decide by yourself
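
The "encrypted by default, you only change the password" point in the post above can be modelled in a few lines. This is an added example, not part of the original post and not sedutil or OPAL code: `ToySED`, the passphrases and the SHA-256 keystream that stands in for the drive's AES engine are all assumptions made for illustration.

```python
import hashlib, hmac, os

def _xor_stream(key, data):
    """Toy cipher (SHA-256 counter keystream) standing in for the drive's AES engine."""
    pad = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

class ToySED:
    """Hypothetical model of a self-encrypting drive; not sedutil or OPAL code."""
    def __init__(self, passphrase):
        self.flash = b""      # ciphertext as stored on the NAND
        self._mek = None      # media encryption key, held only while unlocked
        self._wrap(os.urandom(32), passphrase)

    def _kek(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def _wrap(self, mek, passphrase):
        self.salt = os.urandom(16)
        kek = self._kek(passphrase)
        self.wrapped_mek = _xor_stream(kek, mek)
        self.tag = hmac.new(kek, mek, "sha256").digest()

    def unlock(self, passphrase):
        kek = self._kek(passphrase)
        mek = _xor_stream(kek, self.wrapped_mek)
        ok = hmac.compare_digest(hmac.new(kek, mek, "sha256").digest(), self.tag)
        self._mek = mek if ok else None
        return ok

    def change_passphrase(self, old, new):
        if not self.unlock(old):
            return False
        self._wrap(self._mek, new)   # re-wrap the same key; flash is not rewritten
        return True

    def crypt(self, data):   # encrypt on write, decrypt on read (same op for this toy)
        if self._mek is None:
            raise PermissionError("drive is locked")
        return _xor_stream(self._mek, data)

def demo():
    d = ToySED("factory default")    # constructed passphrases and data
    d.unlock("factory default")
    d.flash = d.crypt(b"tax records")
    before = d.flash
    d.change_passphrase("factory default", "correct horse")
    return d.flash == before, d.unlock("factory default"), d.unlock("correct horse") and d.crypt(d.flash)
```

Because only the wrapped key changes, a passphrase change is instant regardless of drive size, and the strength of the whole scheme rests on how the controller generates and protects that media key.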
 
In the old days you could just do a formatting of the drive and start over, isn't that possible any longer on a laptop, the backdoors stay open ?
 
actually formatting of old IDE/SATA drives is about erasing the partition table or other data structures of the drives - that's why so many utilities implementing different strategies of overwriting the data exist(ed)

if you don't trust your hw manufacturers then DIY 🙂 or make sure you don't have to (possible with disk data by using Veracrypt paying with your CPU load and moving the trust to Veracrypt developers 🙂) or get back to pen&paper
 
The backdoors are not *on* but *in* the hard drive. In other words, they are on the chip that comes with it. They use weak encryption. They have some sort of maintenance port etc.

And overwriting data is another issue. HDDs are relatively easy in that sense as you can just write all blocks and cylinders. But SSDs have a chip which decides where it wants to store the data (or not). It can completely fool you like with the 512 GB flash drives from China for $2 which show that amount of space on Windows, but actually only have 2 MB capacity. You can write a whole movie there, but the data is simply being written nowhere and when you try to read it, the chip just spits out 0x00000000 or @0xDEADBEEF if you are lucky 🙂
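
A capacity check for the fake-flash case described in the post above, as an added example that is not part of the original post. It uses the same fill-then-verify idea as tools such as f3 and H2testw; `ToyFlash` is a constructed stand-in for a counterfeit controller, and the block counts are arbitrary.

```python
import hashlib

BLOCK = 4096

def pattern(index, seed=b"constructed-seed"):
    """Reproducible content that is different for every block number."""
    return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(BLOCK)

class ToyFlash:
    """Constructed stand-in for a drive whose controller advertises `advertised`
    blocks but only stores `real` of them."""
    def __init__(self, advertised, real, wrap=False):
        self.advertised, self.real, self.wrap = advertised, real, wrap
        self.cells = {}

    def _slot(self, i):
        if i < self.real:
            return i
        return i % self.real if self.wrap else None   # wrap around, or nowhere

    def write(self, i, data):
        slot = self._slot(i)
        if slot is not None:          # writes past the real capacity "succeed" silently
            self.cells[slot] = data

    def read(self, i):
        return self.cells.get(self._slot(i), bytes(BLOCK))   # zeros if never stored

def verified_bytes(dev):
    """Fill every advertised block, then read all of it back.
    Reading only after the full write pass is what catches wrap-around
    controllers: a write-then-read of each block in turn would pass on them."""
    for i in range(dev.advertised):
        dev.write(i, pattern(i))
    good = sum(dev.read(i) == pattern(i) for i in range(dev.advertised))
    return good * BLOCK
```

On a real device the read pass has to bypass the OS cache, otherwise it is checking RAM rather than the flash.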
 
ahhh so it is a weak point of the hardware and you would need to replace the hard drive to get rid of the back door?
 
You probably would have to switch the manufacturer. If one hard drive has a backdoor built-in from delivery, most of them will have it. We currently do not know what all devices have backdoors, but there have been many issues in the past from EUSSR to China and as a result, US no longer allows purchases of any Huawei devices.

You can check this one here:
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
We do not know if the backdoor was intended by Apple or not. But in any case, it shows you very well, that you simply cannot trust any hardware vendor that their devices are free from backdoors when delivered.
 
also you should consider disabling your usb/firewire/thunderbolt/lan... ports in bios, while being outside the safe environment
no matter the fact your autorun feature is disabled for usb drives, it can still quack like a duck
 