Best laptop to build for Security?

Hello g, what's the best laptop to build for a Security paranoiac?


chinkpad

What is your threat model?

i like my sister

Post pics

Any model with chipset before p965

Come again? I'm a newfag to cyber security, but want to learn.

Newer thinkpad with OPAL 2.0 and a TPM.

libreboot thinkpad

Full disk encryption and encrypted zswap with sleep states disabled and xautolock set to a 5 min timeout with TTYs disabled unless you pass a kernel parameter.

Sign your kernel and enable secure boot as well as the BIOS level full disk encryption with password (OPAL 2.0 is basically unbreakable)

Full paranoia mode.

libreboot has literally no support for any advanced security features you fucking dipshit

libreboot thinkpad

One that you keep locked in a high security safe that is bolted to the concrete slab foundation in a well secured facility.

Are you actually Japanese, or just a LARPing weeb?

>Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.
If your threat model is you don't want your sister to find the naked photos you took of her with a hidden camera in the bathroom, then it's probably fine to just have a password protected account on your Windows 10 PC and give the folder with the incriminating photos an innocuous name like "school projects". On the other hand, if you are trying to hide something from the NSA, then obviously it will take something substantially more secure than that.

Any. USB boot kali with nuke and luks. If you're serious you wouldn't want your main os anywhere around your shady shit

>implying the only weak point is with computer turned off
>no mention of network security
>implying such a system is unbreakable when anyone can get your luks key from memory
the absolute state of a weeb tripfag

fsf.org/resources/hw/systems

>he doesn't take out his RAM and crush it with his bare hands when he is done

the absolute state my dudes

Well, something you should know is that with a lot of computers you try to secure, there comes a point when your efforts will lead you to a solution that isn't perfect but is still good enough. Hardening your security is like putting a bullet proof vest on. Some kinds of ammunition will punch through it, but it's vastly better than having just a shirt on. Cyber security is all about making it extremely difficult for an attacker to defeat your security, but there's no way to make your systems unhackable unless you pull the plug on all of them, so start with that in mind.

So let's begin with securing laptops. I chose the ThinkPad X230 as my main laptop for a multitude of reasons. It's cheap, it's durable, it's easy to service, and there are alternative software and firmware options available. Low level firmware should be your primary concern when considering hardware. The X230 has great Coreboot support and most models of these laptops are being developed for still. My model (Core i5 3320M version) has a fully reverse engineered embedded controller, which means that this critical piece of the chipset has free and open source replacement firmware available in Coreboot, which is a great start.

cont.

Always choose a Coreboot machine with a fully reverse engineered EC. There are many different payloads for Coreboot, but I advise noobs to stick to GRUB, as it will be the easiest payload solution with the most documentation and support, and will easily boot any Linux distro. Also integrated into many modern Intel chipsets is a hardware hypervisor called the Intel Management Engine. It's a small ARC or x86 processor that runs its own operating system at ring -3 in the system, and you can't shut it off. However, you can neutralize the IME by stripping its firmware. Depending on the ME core hardware revision, all or a vast majority of the firmware is stored on the same kind of EEPROM as the BIOS/EFI firmware, if not the same flash chip. Having one flash chip will make this easier but isn't necessary. The BIOS/EFI from the manufacturer can be totally replaced by Coreboot, but if the IME firmware is removed, the PC won't boot or will shut off after 30 minutes, rendering it unusable until the IME firmware is restored. To give flexibility to OEMs and businesses (who use the IME for remote management), Intel has made the firmware highly modular to give them some choices. There are modules like AMT (active management technology), the kernel, and others for drivers and APIs and stuff, but they aren't important beyond being a security risk, which is why you strip them out. The only required modules are the FPT and the BUP. The FPT (firmware partition table) just points to the modules for the IME to execute, and is totally harmless. It's just a map.

cont.

The BUP is proprietary Intel code that needs to be left to prevent boot loops and startup issues. The BUP doesn't phone home or do anything malicious from what I've observed, and it's too small to contain any surprises on its own. It just does extremely basic power management and low level CPU hardware init before handing off to the BIOS. Even though the IME is still running, the flash chip isn't even readable from the OS or BIOS level in the X230. There are IME drivers for Windows and Linux, but the IME can't even process updates without a kernel module. So basically it just runs and does absolutely nothing, and there's no chance of it being able to reinstall its firmware. You'd have to use an external flasher for all of this, and so would a potential attacker.

Beyond the low level stuff, just install a Linux distro like Fedora or Debian and keep it up to date. The low level stuff is the biggest hurdle to overcome when trying to secure your machines, especially with the management engine botnet bullshit.
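Added example, not part of the original posts: a small Python check that reads the FPT of an ME region dump and reports which partitions still carry data, so a stripped image can be verified before it is flashed back with an external programmer. The header layout ("$FPT" at 0x10, entry count at 0x14, 32-byte entries from 0x30) is assumed to be the one me_cleaner reads, the default allow-list of `FTPR` assumes the BUP module lives inside that partition, and the sample images are constructed, not real dumps.

```python
import struct

# Layout as read by me_cleaner (an assumption of this example):
# "$FPT" at 0x10, uint32 entry count at 0x14, 32-byte entries from 0x30.
MARKER_OFF, COUNT_OFF, ENTRIES_OFF = 0x10, 0x14, 0x30
ENTRY = struct.Struct("<4s4sII12xI")  # name, owner, offset, length, flags

def parse_fpt(region: bytes):
    """Return [(name, offset, length)] for every entry in the FPT."""
    if region[MARKER_OFF:MARKER_OFF + 4] != b"$FPT":
        raise ValueError("no $FPT marker at 0x10; not an ME region dump")
    (count,) = struct.unpack_from("<I", region, COUNT_OFF)
    if count > 64 or ENTRIES_OFF + count * ENTRY.size > len(region):
        raise ValueError("implausible or truncated partition table")
    parts = []
    for i in range(count):
        name, _owner, off, length, _flags = ENTRY.unpack_from(
            region, ENTRIES_OFF + i * ENTRY.size)
        parts.append((name.rstrip(b"\x00").decode("ascii", "replace"), off, length))
    return parts

def unexpected_partitions(region: bytes, allowed=("FTPR",)):
    """Names of partitions that still carry data but are not in `allowed`."""
    leftovers = []
    for name, off, length in parse_fpt(region):
        # Entries with no length or a null/all-ones offset hold no data.
        has_data = length > 0 and off not in (0, 0xFFFFFFFF)
        if has_data and name not in allowed:
            leftovers.append(name)
    return leftovers

def build_sample(names):
    """Constructed test image (not a real firmware dump)."""
    head = bytearray(ENTRIES_OFF)
    head[MARKER_OFF:MARKER_OFF + 4] = b"$FPT"
    struct.pack_into("<I", head, COUNT_OFF, len(names))
    entries = b"".join(
        ENTRY.pack(n, b"\x00" * 4, 0x1000 * (i + 1), 0x1000, 0)
        for i, n in enumerate(names))
    return bytes(head) + entries + bytes(0x1000 * (len(names) + 1))

if __name__ == "__main__":
    stock = build_sample([b"FTPR", b"NFTP", b"MDMV"])
    stripped = build_sample([b"FTPR"])
    print("stock leftovers:   ", unexpected_partitions(stock))
    print("stripped leftovers:", unexpected_partitions(stripped))
```

An empty list for the stripped dump means the table no longer points at anything beyond the allowed partition; it says nothing about what is inside that partition.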

TianoCore is bretty good.

>Always choose a Coreboot machine with a fully reverse engineered EC.

And right there you're shit out of luck unless you want increasingly ancient thinkpads and a handful of early intel macs.

Libreboot supports full-disk encryption, signed kernels, and everything else you mentioned. Do research before you spout nonsense.

Oh and enjoy your botnet.

I've used it and it wasn't that great, but I just hate EFIs in general. I don't think they're all that useful for home users (like myself) and just provide a larger attack surface. I personally use SeaBIOS and keep GRUB/Windows Loader on my hard disks. SeaBIOS is set to boot to the main disk with Fedora and GRUB, and then GRUB is able to detect the Windows 7 Loader on the second disk. It's a pretty simple setup and works well for me.

2012 is only 6 years ago. My X230 is just as good as a lot of the modern laptops out right now. The only meaningful improvements have been better power management and slightly higher clock speeds. A lot of young adults in my age range don't really appreciate how capable modern computers are, and instead chase after numbers and graphs. If you want to do super intensive stuff on a laptop, just use a desktop.

Libreboot doesn't have support for secure key storage via TPM or hardware accelerated crypto via OPAL 2.0.

Also it very very likely won't run on any hardware that even has these features.

>expend all your effort removing low level IME botnet
>install Fedora or Debian with systemd botnet
Good goy

Ah, you're right. These features are only available on hardware-backdoored systems. My mistake.

>systemd botnet
Use a distro without it then. The whole point of alternative software and firmware is that you have a choice. I actually find a lot of the features provided by systemd to be useful, and I just changed a bunch of settings in my free time to make it less shitty (because Poettering hates sane defaults).

>muh TPM
I'll never understand this nonsense. If you're using Windows, there's no point in encrypting it because it's an untrusted system. BitLocker also works just fine with the key stored on a flash drive plugged in at boot. If you're using the TPM for something else that's business related (like for programs you run), then use the hardware provided by your employer. This isn't rocket science, tripfaggots.

And that's the problem with systemd: it's subsuming many other core components while becoming a de facto standard, leaving the user with ever less choice.

A TPM is only like 30 bucks, why not get one?

What about AMD Ryzen?

A bullet to the fucking brain.

damn the edge

Old thinkpad with coreboot/libreboot or librem laptops if you want something more modern.

I did that and then reincarnated as a g newfag.

But you also have the choice to not use systemd. Void Linux for example is a perfectly good systemd-free distro with a nice package manager.

For what purpose? You can encrypt your partitions with LUKS in Linux and it works well enough. I don't see a point in using a TPM unless you're using BitLocker in Windows and you want your keys stored onboard in a secure fashion. But again, using Windows is stupid if you care about security. I've also heard that a lot of Intel based business machines also do some kind of TPM emulation through other trusted hardware like the IME, but that's also insecure. So aside from enterprise software that requires a TPM, what's the point? What the fuck does a competent and security conscious home user do with a TPM? If you're using it for work, again, you should be using the hardware your employer provides. If something goes wrong, they'll often try to blame it on you. Using only their hardware in a responsible manner protects you from this kind of backlash, whether or not a fuckup is your fault.

Explain yourself right now.

It has a PSP (Platform Security Processor) which is an ARM TrustZone implementation. I don't know a whole lot about it but I've heard you can't disable it. Recently I've heard some conflicting information that you can disable it on certain boards and chips or something, and a bunch of r*ddit fags were petitioning AMD to open source the firmware. I haven't researched it because I don't own AMD hardware new enough to have a PSP (all of mine is pre-2010). I'm by no means an Intel fanboy but I am somewhat cornered into the brand because it's the evil I know and can manage, as opposed to the one I don't know. I have no other viable x86 options right now, and so I just use Intel machines with modified firmware, and a bunch of RISC machines (Talos II is almost here). Sadly there aren't any RISC laptops out there that would be better than my X230.

>librem laptops
Please don't recommend those here, unless you're dealing with an absolute tech illiterate that can't flash Coreboot/ME_cleaner and install Linux themselves. They are overpriced chinkshit and they incorporate hardware that runs on non-free drivers. I personally don't give a hot shit about non-free graphics drivers and the likes under Linux, but I won't pay out the ass for a "free as in freedom" system that has them when I can make a more free system with an old ThinkPad and an SPI flasher for less than $300. Fuck Librem. Where is their Linux meme phone with the modem switch? I paid good shekels to back that trash.

Holy shit user, thank you! Great things for a newfag to cyber security like me to consider. You're a gentleman and a scholar.

You are most welcome. Go forth and strip your firmware.

I just wish there were more posters like you on this board, brainletposter-senpai. So based.

Thanks user, that means a lot to me.

Do you have any friends in real life?

Newfag detected

Only one and he's tech illiterate.

Well I like you as well and appreciate the effort you put into this thread. However I just want to reiterate that while it's true that one can choose a distribution that doesn't come with systemd, the fact that every major distribution has adopted it, along with the fact that many major pieces of free software like GNOME now have systemd as a dependency, means that systemd is becoming a de facto standard so in the long term there really won't be a viable and well-supported choice apart from GNU/systemd/Linux.

Then we move away from GNU/Linux, or we fork it and make it into something else. This has been done with other UNIX-like systems in the past, and we'll do it again.

Based

Currently I work in a Datacenter as a break/fix Technician for Microsoft Azure. It's a great job in the Silicon Valley. What should I be working on within the next 1-2 years in order to transition into a full time career in Cyber Security? Thanks in advance to all of you knowledgeable here in Sup Forums.

Get some level of security certificate and maybe do some pro-bono security testing.

bump

Install tails, qubes os or subgraph os then use a VPN bought with bitcoin and route all traffic through a hardware firewall

Also a bios password on a thinkpad and full disk encryption is fine for the average person

x230 with rms pic without IME, librememeboot with trisquel and run everything in virtual machine or firejail

I recommend firejail, it is so easy, so you can run shitty half spying software like steam or spotify securely.

get the most common laptop in your area and any harvested data from you will be diluted from other million more laptops

>Implying physical security is better than network security

Please don't take this tripfag seriously, he has already displayed the signs of severe mental retardation.

so much this.
All these tripfags are the same, they try edgy pseudo professional comment, get proven of their retardation once again and disappear. Disk encryption is useful, you can go further and care about the firmware too like the brainlet-user argued, but for most cases network security is the first concern. You could have your server stored in a secure datacenter, connect with your laptop to access the data, no need for encryption, then you deploy a shitty security layer server and/or client and you're fucked anyway.

Can I get a hardware firewall that's just a firewall and not a router? I have my servers plugged into an unmanaged switch