For an OS, I run Whonix and have it configured so the system wipes the memory and shuts down immediately if anything foreign is attached to or removed from USB.
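One way to build the shutdown-on-USB-hotplug behaviour described in this post, as an added example that is not the poster's own configuration: a udev RUN script that powers the machine off on any USB add or remove event whose vendor:product id is not on an allowlist. It assumes a systemd host and the hypothetical paths /usr/local/sbin/usb-guard.sh and /etc/udev/rules.d/99-usb-guard.rules; the memory wipe itself is left to the OS's own shutdown path.

```shell
#!/bin/sh
# Added example (not from the original post): udev-triggered USB guard.
# Assumed wiring: save as /usr/local/sbin/usb-guard.sh and add the rule
#   /etc/udev/rules.d/99-usb-guard.rules:
#   ACTION=="add|remove", SUBSYSTEM=="usb", ENV{USB_GUARD_DRY_RUN}="0", RUN+="/usr/local/sbin/usb-guard.sh"
# udev exports ACTION, ID_VENDOR_ID and ID_MODEL_ID to RUN programs.
# Memory wiping is not done here; this script only decides and halts.

# Devices allowed to come and go without a halt, as vendor:product hex ids.
# Constructed default: Linux root hubs only. Override via the environment.
USB_GUARD_ALLOWLIST="${USB_GUARD_ALLOWLIST:-1d6b:0001 1d6b:0002 1d6b:0003}"
# Dry run by default so that a stray invocation never powers off a machine;
# the udev rule above sets it to 0 for real deployments.
USB_GUARD_DRY_RUN="${USB_GUARD_DRY_RUN:-1}"

# usb_guard_decide ACTION VENDOR:PRODUCT -> prints "halt" or "ignore"
usb_guard_decide() {
  action=$1
  dev=$2
  case "$action" in
    add|remove) ;;               # only hotplug events matter
    *) echo ignore; return 0 ;;  # bind/unbind/change are not hotplug
  esac
  for ok in $USB_GUARD_ALLOWLIST; do
    [ "$dev" = "$ok" ] && { echo ignore; return 0; }
  done
  echo halt
}

# usb_guard_react ACTION VENDOR:PRODUCT
# Returns 0 when a halt was (or, in dry run, would be) issued, 1 otherwise.
usb_guard_react() {
  [ "$(usb_guard_decide "$1" "$2")" = halt ] || return 1
  command -v logger >/dev/null 2>&1 && logger -t usb-guard "USB $1 of $2: halting" || true
  if [ "$USB_GUARD_DRY_RUN" = 1 ]; then
    echo "usb-guard: would power off on USB $1 of $2"
    return 0
  fi
  sync
  systemctl --no-block poweroff   # assumption: systemd host
}

# Entry point when invoked by udev (ACTION is only set in that context).
if [ -n "${ACTION:-}" ]; then
  usb_guard_react "$ACTION" "${ID_VENDOR_ID:-0000}:${ID_MODEL_ID:-0000}"
fi
```

Note that a malicious device can still emit input between enumeration and the halt, which is why the allowlist should stay as short as possible.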
Since I don't use any eSATA or FireWire devices, if those ports exist I epoxy over them. There are too many ways to dump memory with direct DMA access.
If you were serious about a custom run of security-focused laptops, I think you would have a market for them. Dell and Lenovo just subcontract with manufacturers in China, and it wouldn't be too difficult to contact one, give them the specs and do a custom run of laptops. Consider putting actual hardware switches for both the Wifi and Bluetooth.
I would certainly buy one!
I would imagine, depending on how it is done, that the malicious USB device might get a few keystrokes in before the system is completely down.
On some ThinkPad models, there is a chip associated with the LAN management engine (AMT) that should be disabled as well. This isn't the Management Engine controller itself; it only has a power management role for AMT & WoL that cannot normally be disabled.
My ThinkPad has a physical switch for Wifi and Bluetooth, although apparently that is only window dressing and can be bypassed with a BIOS setting (and a configuration tool from Lenovo).
What do you think of having a hardware firewall processor for the Wifi and Ethernet interfaces on security-focused laptops?