Portable usable PC setup while traveling as developer and creator

magikarp

@User2288 I saw you mentioning something similar with ZorinOS and Windows VMs. What's your opinion here? Thank you
@Relaks also you, using Windows 11 Enterprise, could you help me with a feedback/advice? Thank you again!

magikarp

@hachikojuan what about you using Qubes? Would you advise me to use it on a laptop? Which laptop? Can it be installed on a macbook pro? I don't think it would be enough, and gaming laptops aren't good for battery and they heat up. But I could forget about battery life.. Anyway. Thank you also
@Clueless looks you had similar doubts/issues? How did you end up using Windows 11 Pro and how did you debloat/disable telemetry on it? You could really help me with this, thanks

Clueless

magikarp
It came with my new laptop last year (which I already broke of course but it was the perfect excuse to finally buy a pixel tablet😅), so I thought I'd use it until I figured out what Linux Distro to use. But I just loved the new UI so much that I didn't really saw the point.
As for debloating, a really simple first step is in the installation process to set the region to "English world" so the MS Store apps don't install (like tiktok and the other crap).
For debloating I love to use Chris Titus' Winutil. With it you can set updates to "Security only" and deactivate telemetry, cortana, edge etc. as well as setting nonessential services to manual. It now also has OO-Shutup integrated. Sometimes the removal of edge doesn't work properly so you can use Revo Uninstaller to force its deinstallation.
Also, to make it faster (or make it feel snappier at least) the first thing I always do is deactivate animations and transparency, then go to the Advanced system settings and under Performance set Visual settings to Adjust to best performance. That's all I know, but I like how much faster Windows is or at least feels after these optimizations.
It is maybe frowned upon, but you could also use tiny11. But it is a custom ISO, so you have to trust the guy who develops it.

de0u

magikarp I'm not sure it's feasible to provide advice at this level of abstraction. What kind of software do you develop? What is meant by "enforce policies and manage apps"? Which policies, which "management", which apps?

magikarp Now: my threat model is preventing fingerprinting and tracking as much as possible by companies.

That may be too abstract to be an actionable threat model. What do you wish to conceal, from which companies? If you are using commercial video-editing software, and you pay a company for a license, they will likely know your name, which is a pretty good fingerprint.

I think it might be good to start with the Privacy Guides article on threat models, and write something down to use as a basis for tradeoffs.

There isn't really a "privacy recipe" that everybody can follow resulting in doubling one's "privacy score", because individual needs are too different.

magikarp

de0u
1) I develop SaaS. So websites or apps + the service that could be something running 24/7 but this would be another topic about hosting, I wouldn't host it on my daily driver obviously, and anyway these things can be easily "work stuff", things meant for the public, I don't care about it. No videogames for sure.

2) Which policies? Policies like the ones for browsers. Forcing browser settings. Can be done easily both with Chromium and Firefox based browsers as far as I know and doing. If anything available for the OS too, it wouldn't hurt (for example Windows Group Policies). But the fundamental thing for me is the browser policies and possibility of knowing which apps/processes are running on the pc. For example if I run a VM, the host OS can't know which apps are running inside the VM unless I also install something that monitors that on the VM and tells the host OS. If using VMs, I must be able to do that. I don't think QubesOS lets me do this. And anyway, no GPU no good.

3) Which apps? I will need to use the browser (Mullvad or Tor, I only use these two based on my use case, because they are the only browsers with good anti-fingerprinting). Then some IDE for developing, I guess. Some open source app/script for encryption, backups, sync. Video and image editing software, for example Photoshop and something to mount videos (basic stuff, I guess). Docker for something local. Maybe some small local AI. I don't care about video games because I don't play them and don't want to play them.
Messaging apps (Signal for example).
And.. I could need some other professional software I can't think of now. Some third party thing. Surely, something like Office for offline use, this is something I use as of now, mainly Microsoft Word without internet access.

4) What do I wish to conceal? I want to prevent an app or websites to know what I'm doing on other apps or websites.

5) The companies I want to conceal data from are any companies I didn't choose to give my data and just that selective data to. Big corporations like Google, Meta, Apple, Amazon, Microsoft, are the main threats for example. But also ads, more in general, and data brokers. I want to do share the minimum amount of data to the minimum amount of people without crazy usability inconveniences or daily fixing bugs/issues. For example I don't want Google to know that I've been on a site reading about some personal health issue or curiosity. That would happen just with google analytics on most websites if not using Mullvad or Tor. And if I login on Mullvad or Tor obviously they can know, but for example I can login on a website of a given domain, but that website cannot know I'm searching things on another websites because third-party cookies are blocked and I don't have unique fingerprint.
Anyway, device fingeprinting would be more difficult. On GrapheneOS I'm switching from only 2 profiles (owner and play services profile) to multiple profiles not running in background, and the Owner will use just open source apps or closed-source apps without Network permission. Then the multiple profiles will be useful for preventing IPC and querying all my installed apps, between certain groups of apps and compartimentalize more. I'm in the middle of doing this.
On desktop I don't know. AFAIK, this is only possible on Qubes, or if I use a VM for each app in general.

6) Obviously if I pay a company and give them my name they will know my name. They won't know my name if I use a virtual credit card just for that purchase and "Name Surname" as my name. And, anyway, I will obviously know that they know who I am and assume that. But, I don't want them to know at which time I go to the bathroom or search X or Y that isn't related to them. So, I miss your point.

7) I already read lots of things for months. I've got no problem on tradeoffs and already know what are my priorities and stated in the post above. For example I said that I care more about privacy, but above privacy I need usability for software developing and video/image editing, then the browser policies and the possibility of knowing which apps/processes are running on the OS, then privacy, then security.

I need an OS, a PC to choose, and then just move on with life and focus on work instead of privacy or security (I already spent lots of time on these topics and at a certain moment the returns exponentially decrease).

What I asked is feedback of practical use and experiences from people, and a double-check to know if I'm missing something. Having third party opinions. And, corrections, eventually.

magikarp

@TheGodfather @4nu4b do you know something about Windows 11 Enterprise? I saw you mentioning massgravel. Any feedback? Can Enterprise version be as private as linux distros?

magikarp

@Shendai which solution did you end up with?
@Foggy Can you help me please?
@Tuba What about VMs setup?

Shendai

magikarp If you're asking what I use personally, I dual boot on most of my computers.

1) Win10 Ameliorated edition for windows. It's not for the faint of heart as windows updates are not just disabled but gone, however so are most of the "guts" for telemetry and other microsoft nasties. You could install updates via powershell, but that would very likely re-install all the nasties that were removed, so I don't. Honestly hardening windows by disabling some services, not running Office, using a 3rd party firewall like Comodo, and being mindful of your downloads has avoided any problems for me, and that's going on 4 years or so of heavy usage in this config.

2) I choose one of several linux distros depending on the hardware. Void linux for old, especially 32-bit systems, like an ancient asus netbook I have from 2008. Nobara's been working well for a gaming laptop. Garuda or just default Arch for newer rigs that are more... expendable if something goes wrong. Strengthen certain default settings, enable firewall, change password for root account, basic security 101 stuff.

I don't use qubes or other truly security-first focused OS's, as I've found the usability compromises for me are greater than I will tolerate, though I have dabbled in a couple of them. Hope this helps. Remember the user is always the greatest point of failure for security on any system, and no OS can fully protect against that.

geovanni

magikarp

Your information about Qubes is wrong. You can attach a GPU to a VM.

Qubes is still incredibly hard.

Closed source operating systems may or may not have certain spyware. Since the closed source code is compiled before anyone reviews it, who knows what it does!

I hear Windows has a cool new feature in which they take pictures of everything you do and run it through their AI. Awesome bro! Totally secure!

@magikarp any closed source operating system has code that can't be reviewed. the code is readable by developers and then it's compiled into a form computers read. closed source means no one except the developers can read the code and you need to trust the developer and if the developer is a corporation or person, you also need to trust that they can't be pressured by bad actors to add malicious code

magikarp

geovanni I know that (closed source meaning), but telemetry can also be detected by looking at network traffic. Also, a VM without network connection does not have this privacy issue. In fact, in my post I talked about various options and was asking for feedback, I appreciate yours.

You are saying that QubesOS can have a GPU and that it can be used in an efficient manner to do video rendering/editing on laptop specs (with decent battery life). If it's true, then I'll go for it. Can you mention me some link thanks. Could you make an example of a laptop for doing that. Could you tell me your personal experience a bit. Thanks

My main goal is finding a goal, not to have maximum privacy only, but the best privacy I can have while being able to work and travel in a decent manner without spending too much time everyday on not important things.

mmmm

MacOS can be fairly private if you dont sign in, and you're mindful in your usage. Also, Safari without any modifications is an excellent browser for fingerprint protection. The method of blending in employed by both Tor and Mullvad is very similar with safari, partly due to it being designed with that in mind, but also apples insane control becomes a benefit as every user is restricted and therefore essentially the same. Also a lot more users in the pool compared to mullvad, and likely tor too. Also, its safari so its not like you can be tagged for using a 'privacy' browser, like with tor, if youre worried about that.

Obviously being closed source this post is more of an opinion than a fact, but certainly something to bear in mind.

In your list, Qubes is by far the best option for privacy. You can literally do what you like with the OS.

I use macOS, as I need to use adobe stuff for work. Its a desktop which I use an iPad to remote into when travelling, which I do a lot. This combo is a lot cheaper than a powerful macbook.
For my private life I use Qubes on a dell inspiron low level i3 something or other, but maxed on ram 32gb. Its absolutely fine and cost peanuts, really.

This means I need to carry this macbook air sized laptop plus an iPad around with me, but I get the best of both worlds.

The mac mini, the iPad, and the dell cost around 2.5k combined, which is substantially cheaper than the cost of an equally powerful macbook. Its infinitely more versatile, modular and compartmentalised.

magikarp

mmmm I actually was building a home PC to do that, but do you think I would be able to use the PC remotely in a decent way? Like, from Asia to Europe, how good would the latency be? How far did you tried to use that remote connection and which software did you use (I was thinking about Sunshine on remote PC and Moonlight on the client).

I actually seriously thought about having a home PC with Proxmox so that I can have multiple VMs as I like and have good consumer specs with also 2-gpu passthrough, and having just the smartphone with Moonlight + hdmi-out + keyboard/mouse to use that from remote.

But then latency "destroyed" my plans. But I didn't test it because I'm not travelling yet, I will be in a few months.

Would you think this setup is feasible? Can you tell me more about yours? Thank you VERY much.

@Clueless thanks, you are talking about Windows 11 Pro?

@taiyi A macbook wouldn't be enough powerful, right?

Qubes on a home PC while connecting remotely from a thin client like the Pixel 8 Pro with hdmi-out or just a raspberry or a tablet or something like that, @mmmm do you think it would be feasible? Latency is what scares me about this setup. I could have the PC at the house of one family member with a 2.5Gbps internet connection in Europe.

What scares me is the latency that I would encounter connecting from Asia. Even at speed of light, it would be high, I suppose. So asking you where you travelled is really important. Thanks again y'all

taiyi

For a laptop with a high performance CPU and at least 64G of RAM, installing QubesOS as a host and several Windows or Linux virtual machines is an option.

mmmm

taiyi my laptop has 32 GB, is an aging i3 and isn't powerful. I have 14 Linux Qubes and 2 windows 10 Qubes. It absolutely runs fine. High ram is a prerequisite, powerful CPU is a nice option. But its not useless on a lesser machine, far from it.

mmmm

magikarp I think it completely depends on the connection you have.

I have used this system using Jump Desktop between a Mac and an iPad. I have successfully edited whole 1000+ image photo shoots this way using lightroom classic on the Mac - from start to finish, multiple times. This is from one side of one European country to the other side of a neighbouring European country. Also from the UK to France. I haven't tested it any further afield. The latency allowed for some pretty precise work. In was every surprised with the results and continue to be amazed every time I use this system. YMMV obviously - probably will.

magikarp

mmmm So if I have a 2.5Gbps download and upload (more important than download for the device that sends the stream) in Paris for example, and I connect to it from a 50Mbps download in Bali, Indonesia, will I be able to work on remote desktop/Moonlight-Sunshine?
I think that, maybe, the distance between UK and France is much shorter than France-Indonesia, for example.
I wouldn't be scared to do this between two european countries. But here we're talking about different continents..

For example, let's say the distance from Paris to Ubud (Bali, Indonesia) is 12385 km on a straight line without calculating difference of altitude, just geographical straight line distance.
At speed of light (299792 km/s) it's 41ms of latency.
At SPEED OF LIGHT, in a ideal "direct" connection without anything else.

Obviously there are other things that add latency to that. For example:

the latency between my thin client and the router (Wifi) or LTE tower (mobile data)
the latency from router/LTE tower to ISP
the latency from ISP to the resource I'm asking for
eventually the latency of VPN if I don't use public IP for the PC who streams
probably the data traveling at a speed a bit slower than light
VS
just the latency from keyboard/mouse input to a laptop screen output (if just having a laptop). Internet would be used only for data and not for the "graphical interface".

London-Paris is just 342km on calcmaps website. Paris-Ubud (Bali) distance is 36 times longer.
What do you think?

magikarp

magikarp @GrapheneOS any advice?

mmmm

magikarp no idea. My distances are much shorter, and we're talking about different systems and different apps. Too many variables to know for sure. Sorry I can't be more helpful.

mmmm

Shendai Remember the user is always the greatest point of failure for security on any system, and no OS can fu

Hear, hear!