
This reinforces my policy of buying laptops with the cheapest drive offered and replacing the drive with an SSD before the first boot. I run Linux anyway, so booting Windows has no value for me.


I recently did this exact thing -- bought a Lenovo laptop with a 5400 RPM disk drive, and immediately popped it out and replaced it with a Crucial MX100 SSD. Installed Linux, it works great :)


You also have to reflash all firmware with known-trusted versions using a known-trusted reflasher to be safe.

... and replace the CPU with one that is known not to have backdoors. You'll have to craft it from silicon yourself, though, because there aren't any available for sale anymore.


This is what it looks like when people don't recognize that security is a spectrum.


Can't you just write all 0's to the drive or just reformat it? Genuine question here, why would you need to physically replace the drive to ensure security when you can write to the whole thing?


Would have to re-write/re-flash the firmware as well.


What is it that the firmware can achieve? Is the firmware capable of hijacking data, communicating with the NIC and transmitting data? Or is it somehow injecting harmful code? I feel like I'm missing something here.


Ripped from yesterday's headlines ...

  ... rewrote the hard-drive firmware of infected computers—a
  never-before-seen engineering marvel that worked on 12 drive
  categories from manufacturers including Western Digital, Maxtor,
  Samsung, IBM, Micron, Toshiba, and Seagate.

  The malicious firmware created a secret storage vault that survived
  military-grade disk wiping and reformatting, making sensitive
  data stolen from victims available even after reformatting the
  drive and reinstalling the operating system. The firmware also
  provided programming interfaces that other code in Equation
  Group's sprawling malware library could access. Once a hard drive
  was compromised, the infection was impossible to detect or remove.
http://arstechnica.com/security/2015/02/how-omnipotent-hacke...


That appears to be the act of a nation-state though. I don't really sweat those, because I'm pretty sure if the NSA really wants in to my machine, I can't stop them.


They don't want in to just your machine though, they want a backdoor into everyone's machine, by default, without cause.


I'm not saying it is acceptable or that it doesn't matter. Just that, when it comes to my own personal computer, it isn't worth worrying about.

I have a lot of friends who haven't figured out the whole security-as-a-spectrum thing, and they spend a lot of time giving themselves grey hairs over adversaries that 1) they can't beat, 2) aren't worth beating, and 3) don't care about them anyway.


Brilliant demonstration from a few years ago of what's possible with a hard drive firmware hack. You're basically completely fucked.

http://spritesmods.com/?art=hddhack&page=1


Thanks, exactly the kind of information I was trying to elicit.



The drive firmware can change the bits going to/from the drive, no?

For example, it could binary-patch (either at write time or read time) your kernel image on disk to communicate with the NIC, etc...


> with the cheapest drive offered and replacing the drive with an SSD

I expect the "cheapest drive" is not an SSD.


hence "replacing the drive with an SSD"


I don't understand the downvotes. The gp probably asked why not just zero-out the bytes. Sure, there's the firmware modification issue. But what I was responding to is why replace. This is the easiest option.


Post says "buy the laptop with the cheapest drive; then replace that cheapest drive with an SSD".

You said "the cheapest drive is not an SSD".

The point is to minimise the money spent on the drive supplied with the machine because you're not going to use that drive, you're going to throw it away.


Or a Mac. Apple will do something like this when hell freezes over.



