Saw Arkenfox's about-config settings: arkenfox.github.io/gui and recalled Ghack's and other's recommended settings. Have edited them by hand but many/most edits don't survive upgades. Using node.js would help.

The local computer shop only works with Windows, no coreboot help there. Found some mobos sold with libreboot and the Amibios site has an option for open source firmware. Hafta check first but either might be a way to go. The mobo/cpu are 8 yrs old and although they work great, your timing is appropriate.

Thanks, zapper.

novacustom or nitrokey

B: system76

or C: a computer with libreboot or coreboot that has me disabled.

Arkenfox disables a lot of garbage. Including that telemetry pocket crap for starters.

nmap -v -A  scanme.nmap.org
nmap -v -sS -p1-9000 -iL > /home/glenn/build/logs/ip/ip.txt (edit, added redirection > to file)

and for local net info...
netstat -r
netstat -i

and amongst that script I also have,
lynis audit system -Q --pentest

@aluma, I haven't seen that response from shields-up since I stopped using M$win

One Day At A Time.

You're welcome, Glenn. WinXP days, with Netscape, Winamp, Zonealarm and stopping by grc to read and learn. Ever use BlackViper's site to configure services?

Haven't seen it here but I'll keep an eye out. Did you find that from grc's All Ports test, another site's test or local?

That's good news. Hard to tell initially... sometimes it's easy and sometimes it's anything but.

You might try LibRedirect when at FB. It's a FF addon that redirects the connection to youtube and most social sites through privacy friendly frontends.

I used to use LibRedirect to watch/download youtube videos with youtube and googlevideo disabled in NoScript. Since youtube began splitting audio from video I had to download them separately. Used ffmpeg to join the m4a and mp4 but it became tedious. Started using sites like youtube4kdownloader_com and 9convert_com/en404 to download a video with audio.

Thanks for starting this thread, Glenn.

The iucode leak was discovered and a free fix is available, but I didn't wanna mess with replacing bios code. Same reason I haven't done the coreboot. Got a good repair shop in a local retailer and I'll ask the next time I'm there.

Intel's me expanded into more modules, same for the expanding aes* security modules. Seems more of their stuff is added to each new kernel version... the difference between Beowolf and Ceres kernels in CPU use and ram is noticable.

Agree with you about security. Wifi isn't a problem 'cause I use a wired connection, and only turn on the router's wifi when family or friends are here.

Used eMatrix for a while with PaleMoon and liked it. Got Icecat installed but haven't used it much. Hadn't heard of arkenfox but looked into Ghack's user.js. Do you know if it's as effective as claimed?

Hyperbola seems a fine OS. Tried installing in VBox and after much effort, realized I was using instructions of a different version than I was trying to install. One of those duh moments. I'll give it another go soon.

Thanks zapper.

The ath9k wifi card is if you don't want to depend on non-free software blobs in particular.

me too, and I agree.

I keep finding some ports open, like telnet and LP...

I used zonealarm with winxp and it seemed secure enough to stop all but serious targeted attacks (which I had no evidence of, or effects)

I think FB is still doing that. Any of my actual friends have denied trying to contact me via those methods.

I'll have a read of the schneier post very soon. I find this topic very interesting, to say the least.

I must say, I am not a gold digger and I don't have anything to steal, or hide for that matter but it's annoying when the pc crashes.

But please keep in mind that since I reseated the nvme ssd I haven't had any crashes.

So, as educational as this experience has been it seems more and more that this was my mistake,
poor eyesight when I installed and started using the nvme drive.

Thank you for the info.... I am in the process of weening myself off FB and google apps, including email and chat.

Interesting, didnt 'know that intel ucode did that. Although there is a better option still, use a more libre bios, such as coreboot and have intel me disabled. You need to buy from an OEM though who would disable it for you though.

Otherwise, you are on your own regarding intel me.

Securing a computer requires three things to my knowledge:

Using as few blobs as possible, wifi included preferably meaning ath9k or similar

Coreboot + disabled me or similar

A distro that doesn't have blobs installed and refusing proprietary software that does remote dialing which means basically most of it.

Technically, emulators do use proprietary software, but they don't escape their sandboxes much if at all.

I currently use iceweasel-uxp + ematrix, httpsalways, httpsinquirer, modifyhttpresponse (blocks some useragentsniffers!) a custom ublock origin legacy, getemall, greasemonkey fork and other minor stuff.  icedove-uxp and no other addons which means no google accounts!

Using a firefox equivalent, with arkenfox config and privacy badger, ublock origin and some script blocker is wise too though if you don't use the above.

The rest? Idk...

I still been using Hyperbola. They were struggling with some issue, but I think they are getting back on track now.

Devuan however, I have on my other SSD for disk cloning.

Having two SSDs on a computer can be wise sometimes.

securing my system from being hacked

Great thread. Got me curious so I looked up 'hacked bios' and in the list of alternate searches was 'hacked bios download.' A number of sites have tools (for good or ill) to hack/edit most any bios.

Among many similar, null-byte.wonderhowto_com had these articles:

Found a 2015 'BIOS Hacking' article at Schneier:

https://www.schneier.com/blog/archives/ … cking.html

I've tested ports at grc_com going back to WinXP days. Good site for learning although it's mainly for Windows. A recent test on Common Ports with NoScript set to 'Trusted' for grc:

Did a test at youtube. Ran macchanger and restarted the router for a new IP, and found youtube's 'suggestions' were the same videos I'd watched the day before, despite watching a completely unrelated video. Next day, after macchanger and router, I booted TinyCore from a USB. Although watching a video unrelated to those I'd previously watched, youtube's 'suggestions' were what I'd watched both previous days.

Seems youtube's had my MAC address, stats and profile for as long as I've had this hardware. Google's everywhere and can likely identify public facing hardware no matter what security is used. I assume the other major and social networks can do the same.

While talking with neighbors when Facebook first became a hot site, I mentioned to one I wasn't interested in joining Facebook. When she said she'd never emailed me about joining I rechecked her email. Facebook was stealing members' contact lists and sending invites to contacts in the member's name. Dunno if they still do it but I've stayed away from social networks since then. When I vounteered I suggested members change their Facebook's registered email to another email with no contacts, and not use FB's in-house mail.

Got two versions of Devuan, each on a SSD, and keep personal stuff and backups on two parked HDDs. FF is for general and Waterfox for email, with NoScript, PrivactBadger, a few 'about' page tweaks and no stored passwds. I try to keep apps/services/firmware which listen to a minimum, or block when possible. Eg: iucode-tool firmware is not installed as a tiny OS inside Intel CPUs uses it to 'phone home.' Also keep ~50 default modules blacklisted.

Guess it's a balance between security and what's comfortable to maintain. It's feeling like I'm doing something yet knowing nothing I do can prevent a seriously targeted attack.

Appreciate all the tips and ideas.

Oh,...my bad, I didn't mean to leave out the kernel... like "madaiden's" page.

I am talking about the entire system, motherboard controls, booting and the OS.

Only Devuan for security (keeping things out), the other os's are for test-driving and ideas.

He doesn't really make it clear that he is talking about the kernel and also, windows security features of being locked down are largely meaningless due to being proprietary and it having backdoors.

Linux can be hardened if you know how, however. firejail is one way. I don't understand the criticisms about firejail either. Besides, windows executables are marked as executable once downloaded. The same is not true for linux. Which is why windows gets malware easily... so yeah...

This pic is my "GamesBox", everyday computing. I have 4 distros installed, and 2 of them are basically unused. Debian Bookworm, Kali (rolling release), Ubunto-Studio & Devuan Daedalus-Plasma.

this pic was after I re-assembled and checked if it would still work :-) All my fingers were crossed, static is a real danger...
GamesBox, Fractal Case

Cheers