Our valued sponsor

Seeking Expert Advice for Securing My New Lenovo Laptop

Aren't snaps closed source and could essentially be doing anything? The whole practice of theirs to force snaps on everyone is already bad enough, they are going to only get worse

What would you say about this argument: Ubuntu Spyware: What to Do? - GNU Project - Free Software Foundation

You do now that both cloud-init and snapd may be disabled?

Snap is a package manager just like apt, zypper or dnf is. Every Linux distribution attempts to close it's own package management - Ubuntu as well and particularly because it's Debian derivative.
 
  • Like
Reactions: EliasIT
Anyway, I would set up two partitions, one with a decoy Windows install, 2nd one hidden with LUKS encrypted Linux and Windows in a virtual machine.

WWAN can be Airalo ordered with fake details/via VPN. Or if you are not going to travel, a local prepaid SIM card assuming registration isn't required.
 
You do now that both cloud-init and snapd may be disabled?
I've seen reports of people having snaps come back during their next update. And why bother with this game of removing malicious stuff when you can just go for Debian?

I would set up two partitions, one with a decoy Windows install
Could be a bit dangerous to have Windows and Linux on the same drive. Windows likes to mess with bootloaders
 
I've seen reports of people having snaps come back during their next update. And why bother with this game of removing malicious stuff when you can just go for Debian?

Khm, we operate a fleet of arround 100 physical machines acting as hypervisors running Ubuntu LTS with disabled/removed cloud-init and snapd. We didn't reported that those packages and services are re-enabled/re-installed for quite a long time.

There is a procedure when and how to remove cloud-init and snapd.

But, again, we removed snapd to ease the management - as we build and install packages - not because it's spyware - and it isn't.

Anyway, let's be focused on @EliasIT thread topic.
 
  • Like
Reactions: dany
Khm, we operate a fleet of arround 100 physical machines acting as hypervisors running Ubuntu LTS with disabled/removed cloud-init and snapd. We didn't reported that those packages and services are re-enabled/re-installed for quite a long time.

There is a procedure when and how to remove cloud-init and snapd.

But, again, we removed snapd to ease the management - as we build and install packages.

Anyway, let's be focused on @EliasIT thread topic.
What would be the reason to go for Ubuntu, though? For an average user? New Debian installers come with DE and hardware drivers configured, it's no longer a challenge to install. What benefits would you say Ubuntu would offer to topicstarter over Debian?
 
What would be the reason to go for Ubuntu, though? For an average user? New Debian installers come with DE and hardware drivers configured, it's no longer a challenge to install. What benefits would you say Ubuntu would offer to topicstarter over Debian?

Wrong man to ask ;) There isn't particular difference apart from comfort level. Both Ubuntu LTS and Debian with GNOME when properly configured is better choice then other distributions.

For server environment, Ubuntu LTS and RHEL/Oracle would be choice.

But, @EliasIT for unknown reasons prefers Microsoft Windows 11.
 
Always a fun one, but it all boils down to my favourite question: "What is your Threat Model?". Understanding your threat model is crucial. Are you protecting against casual thieves, determined hackers, or state-level actors? Each scenario requires different levels of protection. If your threat model includes interdiction by (possibly) a state actor, I would really hate to be in your shoes. If your threat model is to be reasonably safe with reasonable usability, then you got something to work with.

Also very logical that you do not want to bother with Linux, even though it can have some advantages if configured correctly. It can also easily be your downfall as it requires some technical knowledge to keep it secure.

As an enthusiast and professional I also have a Windows environment. The good news is that a standalone Windows environment is much easier to keep secure than a domain joined device, since your attack surface can be reduced to the bare minimum.

What I would do:

First things first, debloat windows 11. Microsoft has lost their mind with the amount of bullsh*t preinstalled. [1] For this you can use GitHub - Raphire/Win11Debloat: A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, remove Bing from Windows search as well as perform various other changes to declutter and improve your Windows experience. This script works for both Windows 10 and Windows 11.. There are a lot of other scripts, but this one did not break any useful system functionality for me.

I can recommend Defender EDR. If you already have an O365 license, then it might be included, otherwise the P2 license is also very affordable. It goes beyond a normal antivirus and will be more in line with your threat model. Might take a bit to understand the portal and all, but it will be a much safer experience than just installing a cheap (and "dumb") agent of another vendor. Crowdstrike Falcon is also nice, especially after their latest fiasco you might be able to get it for cheap too. ;-)

Also Defender EDR (MDE) keeps track of your vulnerabilities as well. Which will give you a nice overview and help you to prioritise updates. Personally, I only use biometrics when I am at home. This for ease of logging in, when I leave the house with my laptop, I make sure to disable biometric authentication. In addition to biometrics, consider using multi-factor authentication for critical accounts. This adds an extra layer of security beyond just your laptop's defenses.

Bitlocker is indeed included from the Pro edition, which will be more than sufficient. Talking from experience, if somebody steals your laptop and it is encrypted with Bitlocker and the BIOS is also configured properly. There is no worry, unless they use the aforementioned wrench method.

Also when you get your device, start thinking about hardening. If you combine it with MDE P1/P2, you will also get recommendations on how to apply hardening (ASR) rules. Otherwise I can advise you to take a look at: GitHub - HotCakeX/Harden-Windows-Security: Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md. Basically hardening helps you to reduce the potential ways an attacker could exploit your system or software on the system. For instance, one of the most common ones is blocking untrusted macros in Office documents. It will definitely have an impact on usability, but it will greatly improve your security posture as well.

I would apply these to the host OS, and use VMware Workstation Pro to virtualise another instance of Windows where you can run untrusted stuff. Windows sandbox is also fine, but VMware workstation is now free for personal use anyways.

Implement a regular backup strategy. Even with all these security measures, having a recent backup can save you from data loss due to theft, hardware failure, or ransomware.

Consider enabling proper auditing. Yeah, it's a double-edged sword, because it is like leaving breadcrumbs of your digital activities. Great for forensics if something goes sideways, but not so great if your laptop falls into the wrong hands. It's a trade-off between having a detailed record and potentially exposing more info if your device is compromised.

Again, if you are ever at the level that a nation state has decided that you are on their target list. You will get hit with much more than just a phishing mail, if you are at that point in life I can only recommend to hire someone with an intelligence background who is willing to prepare you for that battle. 99,99% of people will not have to deal with that stuff fortunately, and I have assumed you do not have enemies in Virginia or Moscow. :p

There are arguments to be made for the compromise on privacy, and they are valid, but considering the circumstances I think this would be sufficient. If you want to combine a high level of security with a high level of privacy, you will have to roll up your sleeves and start fighting the battle against Big Tech.

[1]
1726331729603.png
 
I'm not so worried about my close relationships, but a hypothetical situation could be that you're sitting in a restaurant, an Internet café, or in a business meeting and suddenly, for inexplicable reasons, leave the room for 5-10 minutes without thinking about the fact that your laptop is sitting on the table.
What about using an alarm lock?
 
  • Like
Reactions: EliasIT
First of all, for what purpose you procured the laptop - CAD/CAM, coding, building, storage etc?
It is my entire business I have there, if it is gone I'm gone you won't see me again. That is why I swear on Lenovo former IBM - haven't seen anything better so far.. and now it is too late I stick with the box.. it costs me 3500 CHF.

I assume that you procured ThinkPad Workstation 16" with AMD cpu and NVIDIA Quadro, or similar.
No, it is the latest with the Intel Ultra 9 CPU, bigger battery and better screen.

Have you decided to procure Lenovo product or you were advised? In both cases, you shouldn't procure from them.

Use DELL and HPE equipment if you're serious with your business.
see above for both questions, it is a little too late now :D I should have asked this question before I ordered.

What stranger - why hackers - whom others? Your sentences imply that you're HVT carrying confidential information. Hence, you're either a target of industrial espionage or a conventional one.

Why would you carry confidential information with yourself in any form fin4774"
see my answer above.
Why is a Microsoft Windows 11 a requirement for you - due to lck of knowledge of Linux or for because of assumed software support and lack of it on Linux?
yeah, because of knowledge, I have been working 30 years with windows PC's... it is simply too late for me to switch while I got used to Windows boxes.

For the first property, Linux with UEFI bootstrap and encrypted /boot volume would be required. As for the second one, a colocated 1U/2U servers with RAID 5/6 or 6+0 should be established for remote storage and backup purposes via rsync and your own VPN.
Ah, good point... But do you mean it's better to store it with a hosting company rather than using a local NAS or SAN solution in the office? Or would a combination of SAN/NAS and cloud-based backup work better? Which SAN or NAS manufacturer would you recommend in this case, and which specific model?

Considering that you're mobile, you should have a WWAN active as well as firewal - iptables with prerouting rules or nftables.
does it work on Windows 11 Pro ?

If you need assistance for set-up, send a DM and I will gladly help you - free of charge, I don't need a revenue from OCT - or delegate the task to our knowledgable technician.

But, you should really consider not to use Lenovo products.
Thank you so much for all your help and insights. For now, I’ll stick with Lenovo. I already have one, and it’s worked great for the past three years, so I think the new one will do fine if I follow some of the great advice from here.

Thank you very much for offering your help. I would like to pay for it if it becomes relevant. I personally advocate for paying for services one uses, so it would be strange if I didn’t pay for what I need... but very generous of you.

looks useful - is this something you use yourself ?
 
  • Like
Reactions: mraleph
For an end user, there isn't fundamental difference between Apple macOS, Microsoft Windows and Linux from usability perspective. From a security one, Apple is a paradise until you go mad, Microsoft is hell as it is and Linux is a hard place to be but quite livable.

Sorry for Lenovo and Microsoft Windows, my opinion still stands security wise.

Ah, good point... But do you mean it's better to store it with a hosting company rather than using a local NAS or SAN solution in the office? Or would a combination of SAN/NAS and cloud-based backup work better? Which SAN or NAS manufacturer would you recommend in this case, and which specific model?

I recommended that you do not store data on local storage but to have a WWAN (Wireless Wide Area Network) for syncing with storage server - not SAN/NAS but colocated chasis and RAID 6+0 (for utmost redundancy and spare drives, can utilize RAID 6 as well) with appropriate volume size. The backup server should be stored at different facility. For instance, a storage in LINX LON1 or Manchester and a backup one in AMS-IX or DE-CIX Frankfurt am Main. In that case, you would achieve resilience and survavibility - even if that Lenovo with Microsoft Windows is damaged, destroyed or stollen. And can simply buy DELL or HPE laptop after :cool: and install proper O/S fin4774"

I agree with you regarding paying for. Though, there are certain exemptions from that rule and culture as you certainly know.
 
I recommended that you do not store data on local storage but to have a WWAN (Wireless Wide Area Network) for syncing with storage server - not SAN/NAS but colocated chasis and RAID 6+0 (for utmost redundancy and spare drives, can utilize RAID 6 as well) with appropriate volume size. The backup server should be stored at different facility. For instance, a storage in LINX LON1 or Manchester and a backup one in AMS-IX or DE-CIX Frankfurt am Main. In that case, you would achieve resilience and survavibility - even if that Lenovo with Microsoft Windows is damaged, destroyed or stollen. And can simply buy DELL or HPE laptop after :cool: and install proper O/S fin4774"

I agree with you regarding paying for. Though, there are certain exemptions from that rule and culture as you certainly know.
And what software would you recommend server and client wise?
 
  • Like
Reactions: mraleph
And what software would you recommend server and client wise?

At server side, RHEL/Oracle or Ubuntu LTS for server O/S - with encrypted /boot volume and UEFI bootstrap - and rsync via ssh over internal VPN. Preference is Ubuntu LTS for terminal side.

I don't believe you - such a recklessness... cannot be true

That's a preference and a decision - to use Microsoft Windows - we must respect.
 
Last edited:
  • Like
Reactions: EliasIT
I recommended that you do not store data on local storage but to have a WWAN (Wireless Wide Area Network) for syncing with storage server - not SAN/NAS but colocated chasis and RAID 6+0 (for utmost redundancy and spare drives, can utilize RAID 6 as well) with appropriate volume size. The backup server should be stored at different facility. For instance, a storage in LINX LON1 or Manchester and a backup one in AMS-IX or DE-CIX Frankfurt am Main. In that case, you would achieve resilience and survavibility - even if that Lenovo with Microsoft Windows is damaged, destroyed or stollen. And can simply buy DELL or HPE laptop after :cool: and install proper O/S fin4774"
And do you have a suggestion to what hosting firms could help with this? I don't have a clue about how to set this up nor what I should order. I have a tech firm that can do much of it, but then you have another chain you need to trust and I don't trust anyone with my data.. I will remember your words with the DELL or HPe Laptop next time I'm out to buy.
 
  • Like
Reactions: dany
And what software would you recommend server and client wise?
version control systems used by developers are exceptionally efficient for management of all the data (not just source code), easy to use even for non-tech guys and come with lots of perks - however setup might be challenging for an average user

And do you have a suggestion to what hosting firms could help with this? I don't have a clue about how to set this up nor what I should order. I have a tech firm that can do much of it, but then you have another chain you need to trust and I don't trust anyone with my data.. I will remember your words with the DELL or HPe Laptop next time I'm out to buy.
if interested I can recommend (don't know the forum rules whether I'm allowed to) an exceptional and affordable dedicated server (and other services) provider in the UK... - whatever you do for living you need a solid server-side bedrock setup and stop relying on your "terminal" devices - no exceptions
 
Last edited:
And do you have a suggestion to what hosting firms could help with this? I don't have a clue about how to set this up nor what I should order. I have a tech firm that can do much of it, but then you have another chain you need to trust and I don't trust anyone with my data.. I will remember your words with the DELL or HPe Laptop next time I'm out to buy.

A cavet. For this set-up - IX - you would need to have an ASN and IPv4 scope or to establish some arrangement with third party providers. Engage directly with IX and use two 10G peering ports with optional fraction use at 1G - though it depends on your traffic volume. If that is a problem, you may go for a simple colocation.

For that, if there is a rationale and a budget, always establish contractual relationship with the DC owner. NorthDC in CH, DE and NL, Netwise in UK, Gigahost in Norway, Sabey in US and Serverius in NL may be a good choice. Procure either complete cabinet or a minimum lockable area - 1/2, 1/3 or 1/4 depending on the facility. Those companies have a perfect blend of network providers - Hurricane Electric, Lumen/L3, Arelion, NTT, Dutch IX etc.

Interxion/Digital Realty, Equinix, Iron Mountain and similar behemots are not recommended - apart from Equinix if you need their IX.

version control systems used by developers are exceptionally efficient for management of all the data (not just source code), easy to use even for non-tech guys and come with lots of pekrs - however setup might be challenging for an average user

For @EliasIT use case, version control system may prove to be optional, though one that he should consider. Rsync as cron job for end user is more appropriate.
 
Last edited:
Linux is a nice idea unless you're ready to invest lots of time to make it usable for desktop and struggle with every second peripheral
This hasnt been true for years, again something like linux mint will have 0 practical issues with all peripherals I can think of (except if they need special windows only drivers of course), but you can always dual boot for windows and use the windows install only for low risk activities.
 
  • Like
Reactions: mraleph