

Ask HN: Achieving high security and privacy by daily re-imaging of your system - computator

I'd like to have my system re-imaged every single day (for
example, automatically every night, or whenever I shut it
down, or just before I travel with it).

Why do I want to do this? Because it cleans up the system
and instantly gets rid of all malware, junk, and hidden
data. By hidden data I mean temp files, URLs, snapshots, and
buffers written out by browsers, editors, media players, etc.

If you start searching for hidden data, you'll find that
there is plenty of private information that is not found by
"cleaning" programs like CCleaner.

I'm focusing on Windows here but my question can apply to
Mac and Linux as well.

How to achieve it? I've thought of 4 ways:

(1) Carefully create a complete system (OS and applications)
on a virgin disk and then run it as a read-only disk. I'm
not sure that Windows can be set up like this since it
needs to write to the registry and other places.

(2) Carefully create a complete system on a virgin disk
and image that disk over to your "working" disk whenever
you want to refresh your working system. The working disk
is writable, so Windows will be OK.

(3) Write a script that first wipes your disk and
re-installs, one by one, the OS and all your applications
from a trusted source (like a DVD or a read-only external
drive) by running the actual install programs, and then
applies all your settings (i.e., options, preferences,
defaults).

I already maintain a readme file that documents the settings
I use in every app I install, and it is not a huge list in
my case. In some apps, settings can be applied only through
the GUI so this could be a hassle to set up.

(4) Create a VM that has the OS, applications, and settings
that you like, and start a fresh instance of this VM whenever
you feel the need.

In all of these cases, I'm assuming that the user maintains
a clean separation between his data and the apps/OS. In my
case, all my data lives on a separate volume. (Even data
can be untrustworthy--like JPEG images that cause buffer
overflow exploits and macros in Word documents--but let's
leave that issue aside for this question.)

I see pros and cons with each of the methods above.

What are your thoughts?

Which way would give good security and privacy, but not
entail a huge hassle?

Is there a commercial or free product that already does this?
======
bhousel
Option #4 has been working very well for me over the past year. I'm a huge fan
of VMware now.

VMware also lets you take snapshots of your VMs, so that if anything goes
wrong, you can revert to an older version.

------
charlesmarshall
How about a more random one... use version control on the disk and do a clean
checkout on boot. Big overhead to store the repo and probably not too fast to
check out, but on the plus side you can include specific files as time goes
on, so the next service pack can be added to your repo when it comes out
without having to make an entire new image.

