Ask HN: How do you trust that your personal machine is not compromised?
"Compromised" meaning that malware hasn't been installed or that it's not being accessed by malicious third parties. This could be at the BIOS, firmware, OS, app or any other other level.
468 comments
[ 4.9 ms ] story [ 329 ms ] threadIf you assume every device you use is compromised, how can you possibly use any encryption?
On a similar note services and networks should be treated as compromised as well, meaning you must use encryption, authentication and in general make sure to limit attack surface.
And all of that boils down that you should make sure you should not rely on services, users, etc. don't for example access personal information they are not supposed to access.
After all the problem with things like Ransomware is exactly that this isn't assumed.
At some point you just have to admit there's limits to privacy and work with them. You paper journal could be stolen and read / rewritten too, yaknow? It's not a new problem, its just in a new context.
So either my personal machine is not compromised, or they think the amount of crypto in the wallets is too low.
Jokes on them though, cause I am moving my crypto to a hardware wallet eventually
If the U.S. has backdoors on every PC, they're not going to bother draining the wallets of "small fish"; they need to keep these things secret so they can go after terrorists
I think this guy had gotten my phone number from my HN profile and he thought I might be able to help him. He thought his android phone was infected by malware and he knew who did it. I told him the people who repair cell phones at the mall could do a system reset on his phone…. Unless he was dealing with state-level actors in which case it might be an advanced persistent threat and it might be permanent.
My even shorter (and incomplete) summary of the document would be: configure your router and firewall; remove default passwords and crapware from your devices; use a lock screen; don't run as root; use a password manager and decent passwords; enable 2FA everywhere you can; enable anti-malware if your OS has it built it; don't run software from untrusted sources; patch regularly.
There are also other controls that you can choose to impose on yourself. For example, I require full-disk encryption, and I will only use mobile devices which get regular updates. Would be interested in hearing other things that HN'ers do to limit risk.
And do you always check for keylogger thumbdrives and such?
I haven't used a use usb stick in +10 years.
This was a corporate requirement where I used to work, unofficially reinforced by the local jokers who would rotate the screen and / or send prank messages if you didn't.
My colleagues edited my .bashrc to echo "lock your screen next time"
(Kidding obviously, at least for the latter).
I think at first the colleague might assume it's a bug in the terminal not someone had replaced the command with an alias
or just alias them to echo, so that it prints out the file name, not even the file content
Same here. The all time favorite is sending a resignation notice to the person's manager (the manager usually gets a fair warning first and plays along with it).
Or a message that says "I love you very much"
Check for keylogger thumbdrives: I use a laptop so it would be immediately obvious. But now that you say it I haven't checked the charger USB-outlet on the back of my cabled keyboard.
[1]: it has happened I have failed. Once a year or something.
[2]: I sometimes try to allow myself to go downstairs in my own house to fetch a cup coffe without locking when I am alone, but I find it so stressful in practice I always lock it. I don't need to know but it is a good habit. I'm otherwise normal :-)
For example IT enforces that your screen becomes locked after 15 minutes of inactivity and also ties in your local computer 's user login password to your SSO login to access everything. It's a contradiction around password best practices. If you force people to input their password multiple times a day then naturally people will gravitate towards easier to type passwords.
If the idea is "but what if you go AFK in a public place and forget to lock your screen?!?", that's not a valid reason. If you were working in a coffee shop and went to use the restroom for 4 minutes or turned your back for 2 minutes then your machine could be compromised (or even worse stolen). It's extremely reckless to leave your gear unattended in a public place.
It can really break morale to input your password and MFA half a dozen times a day, especially when you're alone in a locked apartment where the laptop hasn't left that location in a year.
Then they don't type most of the time and the length of 'memorable passwords' (like correct-horse4BATTERY!staple) isn't a problem.
> For example IT enforces that your screen becomes locked after 15 minutes of inactivity
If your OS is MS-Win, try playing an audio file when you don't want the auto-lock to go off. Provided IT's "checkbox security" parameters [1] did not include turning this off, MS-Win does not timeout lock the system if an audio file is playing, which makes playback of an audio file a way to prevent the timeout auto-lock from happening. Note that this won't help with any 'presence' indicators that go "idle" or "away" with no activity for some time.
If this works, then you can create an audio file of 'silence' with sox to use to play back when you don't want the auto-lock to trigger:
Creates a ten minute long wav of 'silence'. If you want it smaller, compress the wav with lame into an mp3 or fdkaac into an aac file. Then launch playback of the silence file, and set windows media player to "loop" when it reaches the end of the file.[1] Much corporate/govt. IT "security" is "checkbox security". It is the equivalent of IT having a "compliance form" with a long list of "configured settings" with check-boxes next to each, and so long as they can go down the form and "check all the boxes" they deem their setup "secure". Whether it is actually secure is not important, just that it "checks all the boxes" on the "compliance form".
This puts you into a grey area though no? You could make a case this is willingly trying to circumvent security protocols which could be grounds for being fired.
I dealt with this as a policy issue recently. Controls like aggressive screen lockouts are one of the few options available to allow some categories of workers to work outside of a company controlled premises.
The argument that you live alone etc is irrelevant as I have no idea (and don’t want to know) whether that’s true. I can tell you that people have done shockingly dumb things with remote work and the company has to try to control risk as best it can.
What does the policy really protect against?
If it's being locked out after 15 minutes of inactivity because of roommates or kids it doesn't protect you against anything in the grand scheme of things. For example if I leave my office for lunch and you step in 10 minutes later then you have a solid 40-50 minutes to do whatever damage you plan to do while I'm gone.
The only time it makes a difference is if it locks really fast, such as 30 seconds but then using the computer naturally would be ridiculous because you couldn't stop touching the keyboard or mouse without being locked out.
Also, what if your room mate planted cameras in your office that let them see exactly what keys you're pressing on what screens without ever compromising the machine itself? Now everything is compromised and they have full reign to do whatever they intend to do.
> The argument that you live alone etc is irrelevant as I have no idea (and don’t want to know) whether that’s true
This is the real problem. Everyone gets treated like an equal criminal when in reality none of the measures taken really do anything to provide the security they were designed to do. It reminds me a lot of "for the children" but applied to corporations for "compliance reasons".
I'd be more ok with the precautions if they worked.
Re: the “treat people like a criminal” take. A common approach organizations are taking is employee surveillance. I don’t want to know that your girlfriend has a conviction or that your kid sits next to you with sensitive data in your screen, etc. And I don’t want to force you into an office.
There’s a difference between “security” and risk management. If the discussion was pure security with low/no risk tolerance, you’d be working on a locked down terminal server in an office.
If you're on windows, there's a powertoy[1] called "Awake" that can keep your screen on indefinitely despite IT rules. I liberally use this on machines I'm remotely connected to because there's 0 reason why a remote session should lock if I'm active on the computer looking at a different window.
[1] https://learn.microsoft.com/en-us/windows/powertoys/
Ah, no mention of water proofing computer to protect against robotic dog innocently spilling moring coffee/tea on computer.
On Windows, Win-L to lock.
When home, I always have to lock or my cat would typeeeeeeeeawww
Mostly the same basics as you. The document you linked is a good starting point.
I'd add extensive use of virtualisation and sandboxing. I run less and less software as native, installed applications on any device I use personally or professionally. Instead it tends to run inside things like VMs or Docker containers or cloud-hosted platforms now.
My basic policy is to try and make every device and installed application expendable/replaceable in case anything breaks or gets compromised and then focus on the data. I apply the principle of least privilege for access to any sensitive data, try to keep all important data in standardised formats and avoid lock-in effects as much as reasonably possible, and keep good back-ups under my own control with the ability to redeploy/restore anything quickly and as automatically as possible.
I generally use a device as an access mechanism; a configured window into the data. This configuration is the only thing lost when a device is lost. No data, no function, no service. Configure the replacement device and continue as you were.
Virtualisation and Docker-isation makes backups and restores almost enjoyable.
If, however, there's a backdoor I don't know about, then I'm pwned.
Given the most common network activity is web browsing, it seems like enabling protections in the browser is becoming mandatory for the security-conscious.
For me this amounts to enabling NoScript and uBlock[edit: [0]] plugins in Firefox, desktop and mobile versions, and disabling or locking down various "features".
An additional step I take is to use several browser profiles for different purposes (mail, banking, shopping, default, to name four) so that Firefox always asks me to pick a profile on startup. As well as reducing the possibility of XSS, this lets me relax the settings for some profiles where I restrict myself to a small number of trusted sites. (This may well be overkill!)
0: uBlock Origin, that is, as per instructive commment below[1]
1: https://news.ycombinator.com/item?id=34389942
I also made an app and extensions to help me use multiple browsers, one per site. (Browsr Router)
0: https://www.simpleanalytics.com/en/blog/google-changed-googl...
You're solution is more bullet proof. For similar reasons I am hoping to add better profile support to Browser Routr.
> or me this amounts to enabling NoScript and uBlock
Hard to see how installing third-party extensions that can view and change data for every site makes the browser more protected.
It's about who/what you trust.
What I am looking for is an easy way to run something like a LiveCD OS in a VM for browsing. The problem is that I have never found a decent LiveCD that has Firefox with all of the mandatory extensions (uBlock Origin, etc...). I guess I could customize my own LiveCD, but last I looked into it, doing so seemed complex and too time consuming to figure out.
Posting this in the hopes of being steered towards a simple solution or to inspire someone to create one.
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-...
Here's a 5m solution whose starting point might be acceptable:
- install Nix
- Follow first two steps at https://nixos.wiki/wiki/Creating_a_NixOS_live_CD to generate iso
1. Install Nix in a VM or on a clean HD
2. Customize Firefox to my liking
3. follow the two steps you highlight
4. Load my created iso in a VM
Right?
You should be safe to avoid this unless your threat model includes a trusting trust type exploit on Nix generating the ISO.
Also, just realized it'll be a little more complex because you'll want to use home-manager to install Firefox plugins and do about:config configuration.
Here are some examples of that in various contexts:
https://github.com/search?q=language%3Anix+programs.firefox+...
Since Ubiquity started fown the cloud-first path I’ve switched to Mikrotik. While they do seem to have regular CVEs (which is good, I think?), they also don’t seem to have a public bug bounty program.
I was thinking about getting a Ubiquity router because it has good support for setting up wired VLANs without needing to go down the path of finding a solid OpenWrt router.
Is it really true that you can't access the router's dashboard and configure things without associating an online account to your router?
I was in the market for more hardware and I had to decide whether to increase my investment in Ubiquity or make a change, and I chose the latter.
The day after I set my UDM Pro up as non-cloud, it corrupted the login somehow and I had to factory reset it and redo all settings (as it hadn't been running long enough to run any automatic backups first). I capitulated and just set it up again as a cloud login to avoid having the same fiasco at some random point in the future again.
I immediately regretted going with the UDM to save (quite) a few bucks over a OPNsense/pfSense appliance to fit my requirement of handling a full 10G of WAN.
I will admit having the app to monitor usage remotely is a somewhat neat trick. I find the firewall configuration in GUI obtuse enough to be next to unusable.
As someone who bit the bullet and sold all their UniFi gear on eBay and switched to OPNsense and Ruckus, I'll tell you that it's been absolutely worth it.
That might be true for their UniFi line, but EdgeMAX devices work fine without an online account. EdgeRouters run a fork of Vyatta, with configuration files and command line operations that are fairly easy to work with. They also have a web UI for common configurations, though I have little experience with it.
A bit of warning: EdgeMAX support has been declining in recent years. Security updates are still published, but bugs don't seem to be addressed as quickly or consistently as they were in the past, and some forum users have expressed doubts about what kind of support will exist in the future. That said, my equipment is still doing fine.
I think OpenWRT has been ported to at least one Ubiquiti router, so that might be a good fallback if EdgeOS support ever ends. I wonder if anyone here has tried it.
* Windows
* storing data on other people's computers (cloud apps)
(Yes, they're all safe under the right circumstances. But the right circumstances are far from universal.)
And loosing access to important stuff can be worse than other people seeing the stuff - anything behind a google (etc) account can be lost in a moment, due their mechanised decision making and inability to meaningfully contact humans.
If you can't always easily contact a helpful and authorised human, the continuing existence of your stuff is a gamble. And no, setting off a twitter storm and hoping that the company will be embarrassed into restoring your data is not a suitable contact method!
We have a pretty standard setup at work: screen times out after 15 minutes, and co-workers teach you pretty fast to lock your machine.
At home, where I use a MacBook Air, I work in a physically unstable situation...in a rocking chair, on my lap. Whenever I stand up, I close the machine, which locks it immediately. If not, I risk the machine sliding to the floor.
* Software: Canonical, Google, Microsoft, Valve, Oracle, Dropbox. I install software from their official repos and keep it up to date. Anything 3rd-party/unofficial/experimental/GitHub goes in a VM.
* Hardware: I built my main PC from mainstream commodity components. I have no way of knowing if there are secret backdoors but I consider it unlikely.
I use a password manager, I enable 2FA, I turn off things I don't use, and generally have a low-risk hygienic approach to computing.
I’m also privileged enough to not be a “person of interest” so don’t feel the need to take any extraordinary precautions.
Yes, I’m aware of VM escapes. Yes, I’ve read Reflections on Trusting Trust. I choose to trust regardless because life’s too short for paranoia. As Frank Drebin said:
“You take a chance getting up in the morning, crossing the street, or sticking your face in a fan.”
https://www.techrepublic.com/article/is-the-intel-management...
There is hardware that doesn't contain those at least, but it doesn't break power records.
(This is not an argument for mass surveillance, it's just a practical assessment of the risk).
* Software: Google, Microsoft"
I trust that Google and Microsoft won't hack into my bank account and steal money, even though they could, but otherwise I assume they collect anything they want and can.
So now I disable automatic sample submission via group policy but Microsoft definitely can and will access files that they really have no business accessing.
The only option we are left with is to operate under the assumption that, indeed, our machines are permanently compromised.
- clean reinstall every month, just pick a new flavor of Linux to try out. (also helps ensure I have proper backups and scripts for setting up environment)
- Dev work I usually do in docker containers, easy to set up/nuke environments.
- Open source router with open source bios (apu2), firewall on it, usually reinstall once in a while.
- Spin up VMs via scripts for anything else. (games - windows VM with passthrough GPU for example)
- automatic updates everywhere.
this is not sustainable. you do this once and then pray nothing breaks!
If something breaks or I get bored, nuke the active one and start clone, update it and make another backup, then reinstall games again.
On the other hand, gpu pass-through breaks once in a while and is annoying to fix.
would be annoying to initiate and wait for all the windows updates, drivers and game installations every time
also runs the risk of reusing the hwid (which e.g. Epic and Ubisoft are cottoning on to and permabanning)
gpu passthrough is a menstrual headache hence the set, forget, pray attitude
Only half kidding, unfortunately.
FWIW, I try to segregate my machines for different categories of behaviour - this laptop is for work, this one is for photos and personal documents, this one is for porn, this one is if I want to try something. But even still my trust in e. G. software vlan on my router and access controls on my NAS etc are limited in this day and age.
I feel today it's not about striving for zero risk (for 99.99 of people) , but picking the ratio of overhead and risk you're ok with. And backups. (bonus question - how to make backups safe in age of encrypting ransom ware).
It doesn't wake on LAN and there should be no way of knowing it exists outside of checking DHCP static addresses reservations - and now that I mention it, maybe I should remove it from there too.
This minimises the size of the window, and network-snoopable information, required to compromise this set of backups.
The trick is to make sure nothing has access to the backup storage, which is obviously easier said than done.
I don't think it would help against situations where your primary system is being encrypted for a while, and thus your backups eventually get overwritten with bad stuff.
I do have a set of hard drives I exchange with my friend as "off site" backup. Neither my cloud service nor NAS keep copies/snapshots of previous versions of files; and I have too much stuff to create BlueRay let alone DVD one-off backups :0/
I use rsync's --link-dest to get Time Machine-like backups so they can't be overwritten through the backup system itself. I don't take the "shut it down" precautions with this system the other person does, though I do have a separate in-place one that's strictly manual (as in I have to physically plug it in to update).
I wouldn't often go a full week without checking some file or other, so I think I'd know pretty swiftly if I got infected with an encrypting ransomware virus - hopefully quickly enough to minimise damage.
I also do off-site backups on occasion, so I could roll back to the last full set of off-site backups - so long as I remember where/when the most recent one is.
My main adversary I'm protecting against is hardware failure, however. I think I run a pretty tight ship in restricting access to data that I'd rather not lose.
Maybe some hubris payback will come visit one day though...
Firstly, as fbdab103 said:
This right here is the key to backups: triage your data to understand what is truly important.
Know your data, know how often it changes, know its level of importance to you, know what duration of loss you're willing to incur (or are likely to incur based on hardware cost limitations).
Hardware:
Software: Configuration:I have a central store of documents on the Primary NAS, protected by username / password access. Each family member has their own directory.
Mobiles backup photos and videos to a temporary / throw away location on the Primary NAS via a Syncthing docker instance hosted on one of the VMs. This destination is then backed up (twice?) daily using a couple of rsync scripts to separate photos and videos into a permanent location on the Primary NAS.
The secondary NAS has a daily wake up and backup of these 'home directories', photos and videos to both its internal and external storage.
Each VM is hosted on the Proxmox server's internal storage (I used to have all the VM disks hosted on the NAS and connected to Proxmox via ISCSI, but the centralisation to the NAS became an issue when the NAS was lost - see New Learnings 1[0]).
Each Proxmox Server has a weekly scheduled backup of all the VMs to both the Primary and Secondary NAS's, and at least 4 historic backups, in addition to the current, are kept, which Proxmox is configured to manage.
(This is actually against what I said earlier about the Secondary NAS only 'fetching' backups - that's how it used to do it, but this went against the 'purity' of having a direct backup raher than a copy of a backup, which is its own interesting topic: a direct backup is more trustworthy than a copy of a backup because there's less opportunity for data corruption, so the theory goes).
The primary NAS has a weekly backup of these VM backups from its internal storage to external storage.
The secondary NAS has a weekly wake up and backup of these VM backups from its internal storage to external storage.
The secondary NAS also has a weekly wake up and backup of other media stored on the primary NAS, which gets copied to both internal and external storage.
The external storage of either or both of the NAS's can be disconnected and stored elsewhere if I go on holiday, then retrieved and reconnected upon return.
In addition, I do ad-hoc backups to older HDDs and SSDs of different tiers of data, where Family Photos and Videos are probably the most import sentimentally, and financial / household-management documents are the most important practically. These get spread amongst friends and family and are poorly documented (which I need to improve, lest they find said 'spare' hard drive or USB and decide to use it for something far less important).
(I have also recently setup backups for docker instance configuration data, but they're a bit redundant given that these are encapsulated by the VM backups, but it helps me sleep easier to have them backed up separately - these are a weekly script, similarly copied weekly from Primary to Secondary NAS internal and external storage)
[0]: New learnings 1: In mi...
This right here is the key to backups: triage your data to understand what is truly important. I roughly put things into three buckets
- Priority 1 - potentially disastrous if lost. Financials, taxes, legal documents, and password vaults. The nice thing about most of these documents is that they are immutable and likely append-only (eg you only have one set of 2020 taxes). For most people, this amount of data should be well under 1GB and require only sporadic backups. Which means you can purchase a bolus of $10 thumb drives, encrypt the collection, and leave them everywhere. Mail an annual copy to mom, leave one in your bag, at the office -wherever.
- Priority 2 - anything you created which does not fall into Priority 1. Home pictures, videos, your 1000 half-baked programming projects, etc. Potentially a much larger collection for which a real backup system becomes necessary.
- Priority 3 - everything else which is theoretically replaceable. The archive of music you "acquired", backups of youtube videos, personally ripped DVD collection, etc
This is actually a solved problem, with many solutions. In a nutshell, you need a system that has enough space to make many enough copies without overwriting the ones that are too fresh. It also must not be controllable by the host that you backup but this is kind of obvious.
Versioned, offsite backups. For instance, if you have a database in an AWS account:
* Give the backup process write only (I.e. no delete permissions) to a GCP account.
* Create the backup in AWS and timestamp it
* Copy the backup to GCP using the above permissions.
* If you want to be more secure, copy the backup to a USBHDD (daily/weekly) and unplug it.
I've looked into this before, and it is just not that easy. "Write" is delete, for most cloud storage systems, for the practical purposes of trying to keep a backup safe. (I.e., you might not be able to delete a blob in some bucket, but if you can write to it, you can just overwrite it with 0s.)
"WORM" (write-once read-many) tends to be the term to search / gets the right documentation from most providers. In GCP's case, it appears to be "set up a retention policy", and that's similar to my experience with other providers. These bring their own set of problems.
That said, encrypting ransomware isn't going to magically determine where your backups are, and for most orgs, having the backup at all (and having it tested) is the priority, not the whole WORM thing.
(Orgs, IMO, also tend to get really uppity about having "database" backups, where "database" == {MySQL, Postgres, etc.}. But then there will be an S3 bucket that also has a bunch of data in it, and that never gets backed up, and nobody even questions that. And half the time it seems impractical to back up, too, due to a mix of cost and S3's design.)
It doesn't matter how many files your computer has and how many millions of lines of code it runs. There is a concept of Trusted Computing Base (TCB), which is the part of the code that you have to trust.
In Qubes OS it's only about a hundred thousand lines, and doesn't include any browser. The key is security through isolation.
You run your browser and network in virtual machines and assume that they are compromised. You keep your sensitive files in an offline VM.
From there, take appropriate actions. For the vast, vast majority of us, that means using good passwords, updating software, and not running weird things from the internet.
If you’re worried about 0 click RCE in Chrome/Windows/iOS, you either should be getting better advice from folks outside of HN, or are being unrealistic about who is coming after you.
For the former, I don’t assume anything especially since I’m not an American citizen. I still believe with some certainty that my iPhone is safe from the government but not 100%
For the rest, I run a pretty esoteric setup (compiled-from-source custom configured linux kernel with no binary blobs; all software compiled from source, with no exceptions; aggressive, burdonsome-to-me privilege separation; chroots and VMs for various degrees of potential threat; etc). I have no illusions that it is perfectly safe. What I am comfortable with is that, in order to compromise me, you would have to know a lot about what I run and how I run it. I believe that I would have to be nearly individually targeted to extract any useful data from my machine, and that I am not nearly a valuable enough target for anyone to do so. I think you would have to be a state-level actor or someone with similar capabilities to compromise me, and none of them would care enough.
My security paranoia stems from extremely sensitive work I did as a lawyer long ago, but I am now so used to it that I carry on as a scientist, even though my current work is not nearly so sensitive (if at all). I give up a lot of convenience and some functionality to operate this way, so it is not for everyone. I am not an adversary to anyone, so outside state actors surely don't care about me. And my own government can just get a warrant and knock on my door, so they don't care about me either.
Embedded device firmware besides the bios is probably my main vulnerability, but if you're successfully getting at me through my hard drives or mouse, then I was surely an incidental rather than actual target.
If nobody actually audits the source, and the closed-source binary has had other types of testing done on it, it's likely that the closed source binary will be more secure.
To answer your questions, oh hell no; definitely I do not audit source code myself. Though I have rarely. I do it this way, and it is different enough for me, because someone could audit the source in theory. If someone did audit and found a security problem, then I could check to see if my source was also compromised. If I install binaries, then I might not ever be able to know if my binary was compromised. Maybe someday if reproducible builds are guaranteed to be bit-perfect, then I would use binaries from reputable sources, but that would only happen in the case where third parties are compiling from source and affirming the reproduction. In that case, why not just compile it myself?
Developers who publish compromised source are going to get burned. Developers who publish compromised binaries are going to say, "omg we must have been compromised by someone else." Obviously it is possible for third-parties to compromise source, but I'll go with what I see as the lesser threat.
If the cost of compiling was high, then that might make a difference. For me, the cost is negligible, which makes it a no-brainer for me.
Are there guides you found helpful?
If you’re worried about the impact to your broader organization (which is what most of the sophisticated threats tend to target), you should think about risk mitigation through the Swiss Cheese defense model. Each system is inevitably going to have holes, but layering them on top of one another will incrementally improve your coverage.
For instance:
- Your team should be trained about phishing attacks. But inevitably some will get through, so…
- You should implement 2FA in case a password is compromised. But a threat actor may be able to capture a 2FA-passed SSO session token, so…
- Production access should be limited to a small number of individuals. But even they might get compromised, so…
- You should programmatically rotate credentials to make old leaked credentials useless. But a newer one might be captured, so…
- Data should be sufficiently encrypted at rest and in transit, and…
- Your team should have an incident management system and culture in place to quickly respond to customer reported incidents and escalate it to the right level and…
- Audit logs should be tracked to understand the blast radius in case of compromise - and so forth
When you look at incidents like CircleCI and LastPass, a good security organization will understand that there was more than just one point of failure and should talk in detail about how they are shoring up each level.
Personally, I assume the hardware is already compromised and plan for recovery accordingly, starting with the worse case scenario. Then, I ask myself "If this thing isn't compromised yet, how can I help it stay so?", starting probably with the network access, through firmware, all the way to the browser.
OS/app level: occasional AV scans, though I don't trust clamav as much as I trust Windows antivirus.
I should really properly set up secure boot on my desktop to make rootkits harder to install, but Linux and secure boot are just too much of a kludge.
https://www.infotechnotes.com/2021/07/microsoft-windows-core...
But random malicious code in user space? Well, I really just hope for the best :)
So I trust that regular caution and OS security reduces the risk to an acceptable level but mostly I don’t fear anyone reading or destroying my data because I have backups and it’s not sensitive. Sure it would be scary from an integrity perspective, but not in any other sense. Even constant access to my machine and everything I do wouldn’t be a big risk.
So if I’m affected by a ransom Trojan (most likely scenario), I’m happy to just wipe my machine.