Ask HN: What's your checklist for when you hand your laptop in for repair?
For instance on Mac I think I should turn on disk encryption, sign out of iCloud, back up on my applications specific configuration files, delete all my local copies of SSH keys, delete all my local copies of proprietary code.
I never thought of having a checklist for this before but I think it's useful and there's probably some sort of standard best practice.
I'm interested in what are people's responses for different platforms and is there any sort of Open source script that will handle this for you like a "nuke script"... I mean obviously the point is not to Nuke it you want to bring it back later but.... you want to handle if someone somehow has privileged access to everything you want them to have his little surface area of anything valuable as possible.
49 comments
[ 3.1 ms ] story [ 76.1 ms ] threadIf that isn't possible, I usually make a backup and restore system to defaults. Easier for support to determine the issue if software is in any way involved.
I believe some manufacturers explicitly tell you that you cannot expect your data getting returned if you ship your device to them. You get it back in most cases, but not if you get the whole device replaced for example.
Then someone will figure out most users don't need much processing power (only emails, word, etc.) and back to centralized computing we go!
Any modern SSD can/will leverage cryptographic erasure to render any data unreadable. [1]
Since OP is talking about Apple systems, Mac computers with the T2 chip or newer (which includes all Apple Silicon Macs), full disk encryption is automatic even with FileVault turned off. [2]
Basically, when you erase a drive on a modern Mac, the encryption key is changed, so prior data is not recoverable in the same way that an unencrypted HDD will leave magnetic traces of readable previous data.
[1] https://www.dell.com/support/kbdoc/en-ca/000150908/data-remo...
[2] https://support.apple.com/guide/mac-help/encrypt-mac-data-wi...
This can provide security but comes with new dangers. I would still recommend removing the HDD. If you encrypt this way, lose the recovery password and your device has a critical failure, your data is lost.
2. Apple and Microsoft both provide user-friendly cloud-based recovery options for FileVault and Bitlocker that leverage iCloud and Microsoft accounts, respectively.
2.5. “But what if you don’t want to trust/use cloud services?” See #1. You can’t depend on your single drive anyway. If you can be responsible for safeguarding backups you can be responsible for safeguarding encryption/recovery keys.
3. Organizations and probably most individuals rely on professionally managed storage solutions to house important data. Organizations don’t tell their employees to store important things on their local laptop, it’s Box/Dropbox/Drive/etc.
4. Considering how most computer users are on laptops, removing the drive is not a practical suggestion, even if the laptop has an easily removable drive. That type of knowledge and ability is beyond the vast majority of computer users.
That’s why, to me, the best way to operate is on a full disk encrypted device that’s treated as disposable. At any time it could be stolen, fall on the ground, stop working due to a power surge, get wet, etc. If your workflow involves device replacement causing lost data you’re already in a vulnerable position.
Our company uses VMs for everything sensitive now, so hopefully no one needs this checklist!
yeah i use vms for all my work (basically, or ssh into a vps) but the keys to the vms, the login sessions for emails, web browsing is all done on the laptop.
do you mean that even all your work email / all your web browsing do you within a VM?
can you technically explain a little more how that works?
Don't do that. There's a guest account for that. Unless you're debugging something very specific, you don't need your actual account available.
Apple should be ashamed of themselves.
My guess is you’re out of luck if you don’t trust full disk encryption when it’s done right from the beginning of using the machine. Physical destruction isn’t cost effective when the machine is sent for repair.
1. Power off computer.
If I don’t trust my disk encryption:
1. Fix it myself or buy a new computer.
Apple completely replaced one of my older phones when I took it in for a battery replacement because a previous "unapproved" third party battery replacement had been made. I assumed a restore from iCloud backup would restore the 2FA app settings but that wasn't the case (I think Google Authenticator has actually implemented exports now though). There were a few accounts that I didn't have backup codes for but luckily I was able to reset the 2FA for those accounts using my identity since I had been through KYC for those accounts when I set them up.
Wasn't the whole 'you cant't open it/ warranty issue' thrown out somewhere (hard drives, for example)? EU or US?
/sorry, on mobile. Limited research for a few days.
It worked by overwriting, renaming, and truncating the file before unlinking it.
On rotational HDs, the overwrites clobber the data in the same physical location on disk. On SSDs, the overwrites will typically appear in a new location on disk due to wear-leveling and block-sparing.
Your best bet is to turn on FileVault, wait for it to finish encrypting the drive, then wipe the whole disk in Recovery Mode.
Since OP brought up Apple products, that will include anyone using FileVault, and it even includes people not turning on FileVault on all Macs leveraging the T2 chip or Apple Silicon – Apple is forcing full-disk encryption even if you're not enabling FileVault.
For iOS devices this automatic full-disk encryption has been happening for many years now, implemented much earlier than Intel Mac systems gained the capability. I think the iPhone 4 was the first iPhone to get full-disk encryption, which on iOS has always been on by default and cannot be disabled.
If your Mac system is on this list or newer then it's already protecting your storage: https://en.wikipedia.org/wiki/Apple_T2#Products_that_include...
2. unscrew all screws
3. replace everything non-functional
4. screw all screws, use blue fixator
5. power on
6. notice that one of bus ribbons was forgotten or misplaced
7. redo steps 1-5
8. get a final result, power on
This makes me think that: 1) using FV to secure your data, and then 2) setting up a second admin account on the mac for the repair people is not enough to protect any ssh keys / proprietary code / financial data on the first admin account from anyone who can access the second admin account.
FV is useful but I think you need to combine a dedicated encrypted partition, or encrypted folder (with another tool I guess that can do this) if you want to protect from a second admin account.
I back it up just in case. Never ever give your data away.
When I get the laptop back, I restore the disk.
If you want to be more secure, in case you worry that someone might do a file recovery to grab data, just overwrite all the data with 0x00 using a program. and your data will be secure and unrecoverable unless someone will try really hard to sniff your data.
Second, if we're talking about my laptop.. I use Linux and a fairly open hardware device so I simply order replacement parts online and fix it myself. I can't imagine sending my laptop away to get it fixed.
If I can't fix it.. I remove all working parts and toss in a supply box. I toss the device carcass in a pile in my garage in hopes of finding a use some day, and order a new laptop.
And even still, doesn't change my point in that OC'd answer is irrelevant.
Wipe the LUKS header (`cryptsetup erase <device> && wipefs -a <device>`).
Run the default NixOS setup.
When I get the machine back, reformat & re-install. Copy back the config, reboot to my working old system.
I've got an "erase your darlings" style setup, so everything outside /home and /persist gets erased every boot anyway, and I test my backups so "just wipe it and restore once it's back" is pretty low risk.
You can get an impression of how much by searching for "forensic artifacts." Here's a taste: https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWI...
That's not even a complete list. For example, I think it's missing the QuickLook cache that contains thumbnails of all the things you've previewed recently.
So the checklist is simple:
1. Backup your drive.
2. If FileVault wasn't turned on, turn it on and wait for it to finish encrypting the disk.
3. Erase the disk and reinstall the operating system.
EDIT: Forgot that not everyone has FileVault turned on. Turn on FileVault, everyone!
Whatever Apple employee is performing service on your machine doesn't have the time or possibly even the ability to do much of anything with your system. Apple's going to be using automated diagnostic tools and has a general interest in getting your repair done as quickly as possible.
That Apple employee is being watched by cameras and monitoring tools while they do their job and they're not going to sacrifice their performance metrics or potentially get fired/prosecuted over a desire to rummage through your system. Put yourself in their shoes: if you were repairing 20 laptops per day as your job, how much would you care about fucking around on any of those particular systems? File this one under "the cashier doesn't care that you're buying condoms."
If Apple did something with your stuff it could be very detectable, and Apple is a massive lawsuit target. They have every motivation to be extremely careful about how they handle data. They also handle repairs for business customers.
If you've really got some sensitive data, you still don't need to be talking about nuke scripts and other time-wasting complexities. Skip all that and just do a local Time Machine backup, wipe the system, then send it in for repair. Then when you get it back you restore the whole thing as a single piece. But honestly I've never bothered with that.