Our valued sponsor

Seeking Expert Advice for Securing My New Lenovo Laptop

EliasIT

Corporate Services
Mentor Group Lifetime
Dec 10, 2010
1,430
811
113
I have just ordered the latest and largest laptop from Lenovo - it comes with fingerprint security and is also supposed to be able to scan your eyes before granting access to the valuable stuff on the PC.

It’s coming directly from China to me. I assume there are no authorities or anyone else who can tamper with the PC before I receive it. Therefore, one should be able to assume that this piece of hardware is untouched!

What would you do first? Windows 11 is a must for me, unfortunately, I’m not a techie and can’t install Linux or anything like that.

My plan is, of course, to set up a VeraCrypt-protected drive and activate both fingerprint and eye scan. Additionally, I’ll be using NOD32 for antivirus and firewall protection.

But I’m sure all of this can be completely torn apart by the tech gurus here at OCT - I’d greatly appreciate your input!
 
secure it against what?

why using protected drive(i guess that is a container) with VeraCrypt? do full disk encryption.
password protect your bios(different password than the one for vera).

antivirus any would work, even windows defender.
i recommend doing random internet browsing in vitual machine, or windows sandbox.
consider installing comodo firewall.

that's about it that you can do.

you can also ask @0xDEADBEEF and @mraleph
 
you can also ask @0xDEADBEEF and @mraleph
yeah I was already on the way to tag them to the thread, thanks :)

Protection against strangers, hackers and others that would use a 5 minute window to access the laptop while I'm away.
 
I have just ordered the latest and largest laptop from Lenovo - it comes with fingerprint security and is also supposed to be able to scan your eyes before granting access to the valuable stuff on the PC.

It’s coming directly from China to me. I assume there are no authorities or anyone else who can tamper with the PC before I receive it. Therefore, one should be able to assume that this piece of hardware is untouched!

What would you do first? Windows 11 is a must for me, unfortunately, I’m not a techie and can’t install Linux or anything like that.

My plan is, of course, to set up a VeraCrypt-protected drive and activate both fingerprint and eye scan. Additionally, I’ll be using NOD32 for antivirus and firewall protection.

But I’m sure all of this can be completely torn apart by the tech gurus here at OCT - I’d greatly appreciate your input!
Maybe you could look into Linux mint, it's a linux distro that is made for beginners (really easy to work with and if you don't want to you basically never have to use the terminal).
Just don't use biometric encryption (at least as a standalone option, it is great when combined with a strong password) in my opinion.
For an antivirus I personally used bitdefender when on Windows but havent used one since switching back to Linux, I do have a basic firewall setup but I don't tend to download odd executables anyways.
Veracrypt is nice but as someone else already said full disk encryption is even better. Just ensure to backup your files properly because once when I setup full disk encryption on Manjaro it corrupted everything stupi#21
 
It’s the easiest thing in the world to take your fingerprint. Probably you will soon disable eye scan.
But what kind of people do you surround yourself with if you are scared of leaving your laptop alone for 5 minutes? And if you are, why don’t you just take it with you to the restroom? Or put it inside a safe like Securikey Eurovault 035 Freestanding | esafes
 
Last edited:
this thread has a potential to be one of the longest in history of OCT
just my two cents, not looking for a flame war ;)

- you don't need antivirus (quite the opposite)
- for performance reasons use HDD level encryption (your NVMe drive will support OPAL standard most likely), if you're paranoid or have a solid reason use Veracrypt instead or (better) on top (for special partition with hyper sensitive stuff or file-based container)
- Linux is a nice idea unless you're ready to invest lots of time to make it usable for desktop and struggle with every second peripheral
- make sure your laptop is always ready to be stolen or broken without you losing any data or worries that somebody can read it
- forget fingerprint and biometrics, it's a weak spot
 
this thread has a potential to be one of the longest in history of OCT
just my two cents, not looking for a flame war ;)
We once had a similar thread:

- you don't need antivirus (quite the opposite)
100% agree. Use your hand instead. Maybe use Windows Defender, just in case. But I defintely would not recommending any additional software as they have a good track record to be full of vulnerabilities.

- for performance reasons use HDD level encryption (your NVMe drive will support OPAL standard most likely), if you're paranoid or have a solid reason use Veracrypt instead or (better) on top (for special partition with hyper sensitive stuff or file-based container)
- Linux is a nice idea unless you're ready to invest lots of time to make it usable for desktop and struggle with every second peripheral
- make sure your laptop is always ready to be stolen or broken without you losing any data or worries that somebody can read it
I think you can use Bitlocker with hardware OPAL encryption as suggested, it is built-in:
Of course, you can also use Veracrypt, it will be a bit slower but helps paranoids to sleep faster.

What do you guys recommend in terms of backup solution to not lose the data when the device is stolen? CrashPlan with a proper encryption key?

- forget fingerprint and biometrics, it's a weak spot
Please only use a password. Otherwise, the police will just drug you and then hold your finger onto the sensor.
 
  • Like
Reactions: jafo
Please only use a password. Otherwise, the police will just drug you and then hold your finger onto the sensor.
If we're in a situation where law enforcement is drugging you, why would they stop there? What are the rules and limits of this hypothetical scenario?

1726317720779.webp


If they want whatever is on your laptop badly enough to drug you, whipping out a $5 wrench or a phonebook (doesn't leave marks as easily) doesn't seem farfetched.

For @EliasIT, I think the best advice so far is from @void. Also make sure to keep your stuff updated, so you're not left vulnerable to some well known exploit that's already been patched.

Privacy isn't security but the two are closely related enough that you might want to take a look at Home Is it perfect? No. Is it a good start? Yes. Is it good enough for the majority of all people to improve their privacy and security? Also yes.
 
  • Like
Reactions: ilke
But what kind of people do you surround yourself with if you are scared of leaving your laptop alone for 5 minutes?
I'm not so worried about my close relationships, but a hypothetical situation could be that you're sitting in a restaurant, an Internet café, or in a business meeting and suddenly, for inexplicable reasons, leave the room for 5-10 minutes without thinking about the fact that your laptop is sitting on the table.
- you don't need antivirus (quite the opposite)
Why you say that, please elaborate, there are tons of virusesout there?
It's a bit impractical to run around with and would also look strange if you pulled a portable safe out of your bag.

- forget fingerprint and biometrics, it's a weak spot
But if you use it together with a good password, I assume it makes sense to use it, or why would it be a weak point?
If they want whatever is on your laptop badly enough to drug you, whipping out a $5 wrench or a phonebook (doesn't leave marks as easily) doesn't seem farfetched.
I am faster than that rof/%

What do you guys recommend in terms of backup solution to not lose the data when the device is stolen? CrashPlan with a proper encryption key?
That is a really good question, which is also the next thing I was going to ask about.


With Windows 11 Pro, BitLocker comes as I understand it, and it can encrypt your entire hard drive and make it so that you cannot access the data without a password, is that correct?

As an additional security measure, and with hidden partitions, VeraCrypt comes in for the extremely sensitive information that might be on the computer, is that understood correctly?
 
  • Like
Reactions: mraleph
- forget fingerprint and biometrics, it's a weak spot
But if you use it together with a good password, I assume it makes sense to use it, or why would it be a weak point?

I would not recommend it. The biometrics can be used to unlock your stuff while you sleep, sit around or are drugged. A password is safe and you can "forget" it.
 
I did a double take when you mentioned antivirus... Avast... Like antiviruses are the spyware. Why wouldn't they be?

And it's a Lenovo laptop. So I assume you'd want to use Windows? Another spyware. Use Linux. Nothing is needed to make it "usable", it already is. Better Debian, rather than Mint. Mint is based on Ubuntu which has become spyware as well. Don't install shiny themes or plugins - those are not checked by distro maintainers, are a HUGE security hole.


Finger scanner, eye scanner - wow. Isn't it common sense to assume that finger and eye data is just being mined and resold, especially if you're on Windows? And even with Linux, not everything is open source, lots of hardware driver stuff is closed source.

Why you say that, please elaborate, there are tons of virusesout there?
If you're on Linux, you'd install most software from the distrubution's repository using terminal. That software has been tested and checked by maintainers before being added to the repository.

So you'd only get a virus if you'd try to install third-party software, which you can just avoid doing.
 
  • Like
Reactions: cryptofriendly
Is Cisco exporting their routers from China to Switzerland? the article is 10 years old.

@elcontestador , @call2vn hmmm, what part in the intial post did you not understand when I made clear the laptop need to run on Windows 11 - NO LINUX ?

I would not recommend it. The biometrics can be used to unlock your stuff while you sleep, sit around or are drugged. A password is safe and you can "forget" it.
ahhh very good point, I didn't think about it that waythu&¤#
 
Not interested for religious war :rolleyes:

The problem is in a model - school of thought - perspective, whatever.

First of all, for what purpose you procured the laptop - CAD/CAM, coding, building, storage etc?

I have just ordered the latest and largest laptop from Lenovo - it comes with fingerprint security and is also supposed to be able to scan your eyes before granting access to the valuable stuff on the PC.

IBM and Lenovo design and quality control is as different as Earth and Mars are.

I assume that you procured ThinkPad Workstation 16" with AMD cpu and NVIDIA Quadro, or similar.

Have you decided to procure Lenovo product or you were advised? In both cases, you shouldn't procure from them.

Use DELL and HPE equipment if you're serious with your business.

It’s coming directly from China to me. I assume there are no authorities or anyone else who can tamper with the PC before I receive it. Therefore, one should be able to assume that this piece of hardware is untouched!

That logic doesn't count that hardware is compromised by manufacturer itsef.

Without defined threat model - identified actors and their capabilities primarily - assuming that there is a threat array - I may only say that if that laptop is coming to you or affiliated person, it may be tampered during transport and customs procedure.

Protection against strangers, hackers and others that would use a 5 minute window to access the laptop while I'm away.

What stranger - why hackers - whom others? Your sentences imply that you're HVT carrying confidential information. Hence, you're either a target of industrial espionage or a conventional one.

Why would you carry confidential information with yourself in any form fin4774"

What would you do first? Windows 11 is a must for me, unfortunately, I’m not a techie and can’t install Linux or anything like that.

Why is a Microsoft Windows 11 a requirement for you - due to lck of knowledge of Linux or for because of assumed software support and lack of it on Linux?

My plan is, of course, to set up a VeraCrypt-protected drive and activate both fingerprint and eye scan. Additionally, I’ll be using NOD32 for antivirus and firewall protection.

If you will carry protected information with yourself on a laptop's storage, then it's against OPSEC and CI/INFOSEC.

But, in this business, adaptability is a key. If you are going to expose yourself to a risk, then that laptop should have at least two properties

XML:
That it can't boot without high assurance encryption keys

XML:
An encrypted remote storage and backup exist

For the first property, Linux with UEFI bootstrap and encrypted /boot volume would be required. As for the second one, a colocated 1U/2U servers with RAID 5/6 or 6+0 should be established for remote storage and backup purposes via rsync and your own VPN.

Biometric authentication may be used as comfort measure but with expiry period - up to 30 minutes - after which strong authentication methods must be used.

Whatever Linux distribution is used, it's essentially the same. For GUI, GNOME should be used. And not, Ubuntu isn't a spyware ns2 For Microsoft Windows software, an isolated VM instance may be used with GPU pass-through.

- for performance reasons use HDD level encryption (your NVMe drive will support OPAL standard most likely), if you're paranoid or have a solid reason use Veracrypt instead or (better) on top (for special partition with hyper sensitive stuff or file-based container)

OPAL SED is nominaly good. But, their firmware may be a problem as we detected on our internal network used for IPMI management a traffic apparently related to certain vendor. As a lucky moment, we don't use them for production servers.

Considering that you're mobile, you should have a WWAN active as well as firewal - iptables with prerouting rules or nftables.

AV should be used only if you have an exchanges with external parties thru mail or mobile storage.

Apple and Microsoft products should not be used for any serious matters.

If you need assistance for set-up, send a DM and I will gladly help you - free of charge, I don't need a revenue from OCT - or delegate the task to our knowledgable technician.

But, you should really consider not to use Lenovo products.
 
Is Cisco exporting their routers from China to Switzerland? the article is 10 years old.

Without defined threat model - identified actors and their capabilities primarily - assuming that there is a threat array - I may only say that if that laptop is coming to you or affiliated person, it may be tampered during transport and customs procedure.
And that was exactly my point earlier.