
[return to "The FBI Director Puts Tape Over His Webcam"]
1. rdl+D3 2016-04-09 04:06:46
>>molecu+(OP)
I care about audio so much more than video, and text/keys/etc captured from the machine even more. As long as my screen and keyboard are out of the frame of the camera, I don't really care about it getting RATed. At worst, you'll see me naked, or making angry/etc. faces at someone on IRC or email. While embarrassing, it would be less bad than most of what you could accomplish by stealing actual information.

OTOH, carrying around a microphone connected to the Internet which can be remotely enabled at any time without leaving any real trace (battery use/network use is the only real sign, although even that could be covered up to a great degree -- there is probably a way to do either low-fidelity or infrequent audio pickup, maybe keyed on location and charger state, and on-device pre-processing) -- people do this all the time. Mostly because there's no real alternative to carrying a smartphone yet.

Plus, of course, there's the fact that no modern desktop OS is particularly secure -- either you give up auto-updates and likely fall to bugs, or use auto-updates and are at risk to your OS vendor or anyone who can compel him. So sensors attached to it, as well as stuff processed on it, are also at risk. You can somewhat mitigate this through a large combination of other protections, but it's almost impossible for a single user single machine to solve that problem.

I'd love a custom run of Dell Chromebook 13 or Lenovo Thinkpad 13 Chrome Edition with no built-in mic/camera, and an EPROM vs. EEPROM, and some special case features. Would be willing to commit to buy 10k units at ~$800/unit retail in 8-16GB x 32GB config.

2. deftne+WH 2016-04-09 17:47:31
>>rdl+D3
I typically buy older Lenovo laptops that I can put LibreBoot on, an open-source BIOS replacement. Then I open it up and disconnect the speakers, microphone, and camera. When I close the laptop back up, I usually place tamper-resistant seals over several locations.

For an OS, I run Whonix and have it configured so the system wipes the memory and shuts down immediately if anything foreign is attached or removed from USB.

Since I don't use any eSata or Firewire devices, if those ports exist I epoxy over them. There are too many ways to dump memory with direct DMA access.

If you were serious about a custom run of security-focused laptops, I think you would have a market for them. Dell and Lenovo just subcontract with manufacturers in China and it wouldn't be too difficult to contact one and give them the specs and do a custom run of laptops. Consider putting actual hardware switches for both the Wifi and Bluetooth.

I would certainly buy one!
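
The USB trigger described in the comment above (react when anything foreign is attached or anything is removed), sketched as an added Python example; it is not the commenter's configuration or code from any tool named in the thread. It assumes Linux sysfs at `/sys/bus/usb/devices`; the device IDs are constructed, and `on_trigger` is a hypothetical hook standing in for the wipe-and-shutdown action.

```python
import os
from typing import Callable, FrozenSet, Iterable, Optional, Set, Tuple

Device = Tuple[str, str]  # (sysfs port name, "vendor:product:serial")

def _attr(path: str, field: str) -> str:
    try:
        with open(os.path.join(path, field)) as fh:
            return fh.read().strip()
    except OSError:
        return ""  # interface nodes and some devices lack this attribute


def read_usb_devices(root: str = "/sys/bus/usb/devices") -> FrozenSet[Device]:
    """Snapshot the USB devices that Linux sysfs currently exposes."""
    found: Set[Device] = set()
    for port in os.listdir(root):
        path = os.path.join(root, port)
        vendor, product = _attr(path, "idVendor"), _attr(path, "idProduct")
        if vendor and product:
            found.add((port, f"{vendor}:{product}:{_attr(path, 'serial')}"))
    return frozenset(found)


class UsbWatchdog:
    def __init__(self, baseline: Iterable[Device], allowlist: Iterable[str],
                 on_trigger: Callable[[str], None]) -> None:
        self.known = set(baseline)            # devices present when armed
        self.allowlist = frozenset(allowlist)  # IDs that may be plugged in later
        self.on_trigger = on_trigger           # hypothetical: wipe memory, power off

    def check(self, current: FrozenSet[Device]) -> Optional[str]:
        removed = self.known - current
        foreign = {d for d in current - self.known if d[1] not in self.allowlist}
        if removed or foreign:
            reason = f"removed={sorted(removed)} foreign={sorted(foreign)}"
            self.on_trigger(reason)
            return reason
        self.known = set(current)  # adopt allowed additions; unplugging them trips later
        return None


if __name__ == "__main__":
    # Constructed snapshots, not captured from a real machine.
    hub, key = ("usb1", "aaaa:0001:ROOT"), ("1-2", "bbbb:0002:TOKEN1")
    dog = UsbWatchdog({hub}, {key[1]}, lambda why: print("TRIGGER", why))
    print(dog.check(frozenset({hub, key})))  # allowed attach: None
    print(dog.check(frozenset({hub})))       # removal trips the hook
```

Vendor, product and serial strings are reported by the device itself and can be cloned, so the allowlist here is a convenience for known peripherals, not authentication of them.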

3. neurot+2O 2016-04-09 18:59:40
>>deftne+WH
A friend does something similar with his ThinkPad laptops for certain applications. He disconnects/removes the microphone, camera, bluetooth module and re-flashes the BIOS with a custom version.

On some ThinkPad models, there is a chip associated with the LAN management engine (AMT) that should be disabled as well. This isn't the Management Engine controller itself; it only has a power management role for AMT & WoL that cannot normally be disabled.

My ThinkPad has a physical switch for Wifi and Bluetooth, although apparently that is only window dressing and can be bypassed with a BIOS setting (& configuration tool from Lenovo).

What do you think of having a hardware firewall processor for the Wifi and Ethernet interfaces on security focused laptops?
