Seeking Expert Advice for Securing My New Lenovo Laptop

I've happily used Linux Mint for many years. I recommend it for anyone who has some tech knowledge and is willing to learn. Buy a laptop with Linux Mint pre-installed. (I usually install Linux Mint on cheap refurbished laptops but that's not for beginners.) You could use it as a second computer and play with it until you are ready to make it your number one computer. Avoid dual booting because it adds complexity. Encrypting a whole disk adds complexity. You may wish to consider using a tool to protect only your key files on the hard drive. Anyway, you still don't want to risk loss or theft of your laptop. Even if your info is protected, replacing the laptop would be highly inconvenient and expensive.

Reality check: getting scanners to work with Linux was problematic and may still take extra effort though it is doable. That's why I also have at home an older Windows 10 desktop with scanner attached that I use occasionally for some purposes where Windows is easier. I use it less and less. It will be my last Windows computer. I will never upgrade to Windows 11 for reasons of both privacy and security.

My biggest step in minimizing reliance on Windows was selecting a personal financial software application for Linux to replace Quicken on Windows. I finally switched to GnuCash, which is acceptable for personal finance. GnuCash is a bit clunky for managing anything more than basic investments or basic small business. For OCT readers, GnuCash handles multiple currencies well, much better than Quicken.
 
There's a disk encryption system that's been around for a very long time, but it never gained the popularity of VeraCrypt, or TrueCrypt which came before, and that's because it's not free.

It's a professional solution; I find in life you tend to get what you pay for. You can 'tune' the hash algorithm, iterations and parameters if you want as well.

It does full volume encryption - which is full disk encryption in plain English.

Company : Jetico
Product : BestCrypt volume encryption and BestCrypt container encryption or 'Suite' which contains both of them plus a couple of others.

Not free, they've been around a very long time and they really know their stuff.
 
OPAL SED is nominally good. But their firmware may be a problem, as we detected traffic apparently related to a certain vendor on our internal network used for IPMI management. Luckily, we don't use them for production servers.
elaborate please, what vendors and exact models you use, what kind of traffic you saw, are you sure it was coming from HDDs and not from other peripherals?
and are you sure it was not an infected (or backdoored straight from the factory) IPMI itself?

if interested I can recommend (don't know the forum rules whether I'm allowed to) an exceptional and affordable dedicated server (and other services) provider in the UK
please share.

as somebody (probably @0xDEADBEEF) already warned in another thread, you're trusting the hardware manufacturer here when it comes to potential back doors implemented - this is something to consider and decide by yourself
and the worst part is that Lenovo has a long history of installing backdoors...

@EliasIT I did not read the thread thoroughly and possibly have missed it, but I did not see your threat model.
please describe what you want to defend from and we might give you some better advice.
 
It does full volume encryption - which is full disk encryption in plain English.
Is this somewhat linked to Fullbitencryption by Kryptochef?
 
P.S. I do confirm some of the posts above: biometric auth is bulls**t; Lenovo is utter crap, Dell and HP, despite also being crap, are a little bit less shitty than Lenovo; you should use the native Microsoft Defender plus install a firewall, a third-party firewall is much more important than a third-party antivirus;
and I will specifically quote this post as it gives the most correct information:
1. If someone has physical access to your computer and plans and wants to steal your data, they will. So best not to leave your computer unattended.
2. General rule of thumb is that Linux is best.
3. More secure almost always equals less comfort, so you have to understand the level of risk you’re in and decide what you want and who you want to protect yourself from: ISP, government etc. or thieves and hackers…

He also said that generally iPhone + Mac is much better than Android and Windows, and that it is enough for most people with basic privacy settings.
(except the 2nd one, Linux sucks in terms of security and malware protection but if we start to discuss that it really will be the longest topic in OCT history; the Mac OS will perfectly do the job for the majority of users and uses)

@EliasIT I did not read the thread thoroughly and possibly have missed it, but I did not see your threat model.
please describe what you want to defend from and we might give you some better advice.

I think I found it:
Protection against strangers, hackers and others that would use a 5 minute window to access the laptop while I'm away.

if they target you specifically and your laptop is turned on then you are fucked, no exceptions.
if they are just random thieves and might want to scan your drives for sweets before exchanging the laptop for drugs then full disk encryption will save you. but FFS do not save the encryption key in the TPM, use a password.
 
It's going really well with the newly purchased hardware and all the great advice from this thread. I teamed up with an IT specialist to handle much of what I couldn't manage or understand and turn it into reality.

At this point, my laptop is as secure as it can be, with local backups stored on a NAS solution, which then sends data to a backup server with RAID 5 at a hosting center.

The drives are encrypted with BitLocker, the laptop has been cleaned of everything Lenovo-related and other unnecessary stuff. It's super fast, and everything is running smoothly.

The help and advice shared here have been incredibly useful.
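
A check for two points made in the posts above (the drives are encrypted with BitLocker; the key should not be held in the TPM alone), as an added example that is not from any poster in this thread: it lists each BitLocker volume and flags one that unlocks from the TPM with no PIN or password. It assumes an elevated PowerShell session on a Windows edition that ships the BitLocker module; the function name and the finding labels are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: report how each BitLocker volume unlocks.

# Protector types that need a secret or a key device before the volume unlocks.
$PreBootAuth = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey'

# Hypothetical helper (not part of the BitLocker module): classify one volume.
function Get-ProtectorFinding {
    param(
        [string]   $ProtectionStatus,  # 'On' or 'Off'
        [string[]] $ProtectorTypes     # KeyProtectorType names on the volume
    )
    if ($ProtectionStatus -ne 'On') {
        return 'OFF: not encrypted, or protection suspended'
    }
    if ($ProtectorTypes -contains 'Tpm') {
        # A bare TPM protector releases the key at power-on with no user input.
        return 'TPM-ONLY: unlocks at boot without PIN or password'
    }
    if (@($ProtectorTypes | Where-Object { $_ -in $PreBootAuth }).Count -gt 0) {
        return 'OK: a PIN, password or startup key is required to unlock'
    }
    return 'REVIEW: no unlock protector recognised by this script'
}

Get-BitLockerVolume | ForEach-Object {
    # Collect the protector type names, e.g. 'Tpm', 'RecoveryPassword'.
    $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint = $_.MountPoint
        VolumeType = $_.VolumeType
        Method     = $_.EncryptionMethod
        Encrypted  = "$($_.EncryptionPercentage)%"
        Protectors = $types -join ', '
        Finding    = Get-ProtectorFinding -ProtectionStatus $_.ProtectionStatus `
                         -ProtectorTypes $types
    }
} | Format-Table -AutoSize -Wrap
```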
 
First things first, debloat Windows 11. Microsoft has lost their mind with the amount of bullsh*t preinstalled. [1] For this you can use GitHub - Raphire/Win11Debloat: A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, remove Bing from Windows search as well as perform various other changes to declutter and improve your Windows experience. This script works for both Windows 10 and Windows 11. There are a lot of other scripts, but this one did not break any useful system functionality for me.
this one is really good, thanks man.. it removes tons of stuff from my pc and made it even faster. It also removed skype but I can reinstall it :D

Thanks a ton........
 
I have just ordered the latest and largest laptop from Lenovo - it comes with fingerprint security and is also supposed to be able to scan your eyes before granting access to the valuable stuff on the PC.

It’s coming directly from China to me. I assume there are no authorities or anyone else who can tamper with the PC before I receive it. Therefore, one should be able to assume that this piece of hardware is untouched!

What would you do first? Windows 11 is a must for me, unfortunately, I’m not a techie and can’t install Linux or anything like that.

My plan is, of course, to set up a VeraCrypt-protected drive and activate both fingerprint and eye scan. Additionally, I’ll be using NOD32 for antivirus and firewall protection.

But I’m sure all of this can be completely torn apart by the tech gurus here at OCT - I’d greatly appreciate your input!
Just ensure it didn’t go via Israel and you are good to go
 