Ask HN: What's your checklist for when you hand your laptop in for repair?
49 points by graderjs on Oct 17, 2022 | 45 comments
For instance on Mac I think I should turn on disk encryption, sign out of iCloud, back up my application-specific configuration files, delete all my local copies of SSH keys, delete all my local copies of proprietary code.

I never thought of having a checklist for this before but I think it's useful and there's probably some sort of standard best practice.

I'm interested in what people's responses are for different platforms, and whether there is any sort of open source script that will handle this for you, like a "nuke script"... I mean, obviously the point is not to nuke it, you want to bring it back later, but... you want to handle the case where someone somehow has privileged access to everything: you want them to have as little surface area of anything valuable as possible.



First off, if you have work/proprietary code on the laptop you should be asking the company to fix it and follow their procedure.

Second, if we're talking about my laptop.. I use Linux and a fairly open hardware device so I simply order replacement parts online and fix it myself. I can't imagine sending my laptop away to get it fixed.

If I can't fix it.. I remove all working parts and toss in a supply box. I toss the device carcass in a pile in my garage in hopes of finding a use some day, and order a new laptop.


Thanks for answering the question by not answering the question!


Have you read the other answers here? It's absurd the levels you have to go through to repair a Mac these days. You can't even remove the drive, so you have to thoroughly wipe the disk? What if some aspect of repair is centered on the disk itself? Ugh yeah GP has it right. Start with a laptop you can _actually repair_ if you wanna repair a laptop.


Most laptops that compete with Macs have the same annoying limitations, barring SSD sometimes (Dell XPS, Microsoft Surface).

And even still, doesn't change my point in that OC's answer is irrelevant.


I think we just have different criteria for competition. Repairability and OS choice are my top two. Macs are pretty bad at both but great for other things.


Or use a desktop!


Well the company is my company so I have to do it


You'll never get all of the sensitive data off of it by deleting it piecemeal. There's just too much private data generated from normal usage.

You can get an impression of how much by searching for "forensic artifacts." Here's a taste: https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWI...

That's not even a complete list. For example, I think it's missing the QuickLook cache that contains thumbnails of all the things you've previewed recently.

So the checklist is simple:

1. Backup your drive.

2. If FileVault wasn't turned on, turn it on and wait for it to finish encrypting the disk.

3. Erase the disk and reinstall the operating system.

EDIT: Forgot that not everyone has FileVault turned on. Turn on FileVault, everyone!


I wanted to say "remove the hard disk" but with Macs that's not an option anymore, so if there's sensitive data on it I'd personally do a full backup and then wipe the disk using a factory reset before sending the device in. Who knows where it might end up? Even if the disk is encrypted there might be a way to decrypt it in the future (e.g. firmware issue, weak password etc.), so the only way to be sure is to completely purge all data. And selectively deleting stuff is a bad idea, even if the disk is encrypted the file system will usually not overwrite the files on deletion, i.e. if someone manages to bypass the full-disk encryption the files might still be recoverable (unless you use "shred" to overwrite them, which has its pitfalls as well if used on single files).


I think wiping the disk using factory reset isn’t going to wipe or overwrite the data though, especially on SSDs. If you try to overwrite files or sectors, that may not actually overwrite those specific sectors either. All unencrypted data may be available to read.

My guess is you’re out of luck if you don’t trust full disk encryption when it’s done right from the beginning of using the machine. Physical destruction isn’t cost effective when the machine is sent for repair.


Is it possible to securely wipe an SSD? Or better to encrypt whole drive, throw away the key, and maybe corrupt a few random bits?


There is a "Secure Erase" command in the ATA command set that pretty much does just this. Modern SSDs have firmware-level encryption with a hidden key only the firmware knows; Secure Erase simply obliterates and regenerates the key.


Yes, that’s certainly possible with the response that bitwize provided in a reply to your comment. But the GP doesn’t trust full disk encryption or the firmware. For such people, there is no way other than complete physical destruction.


Maybe I'm naive but shouldn't it be enough to encrypt your disk with FileVault? Of course assuming that you don't hand over your password to the technician. Also logging out of iCloud would remove the option to e.g. lock or wipe the device remotely.


After some searching around it seems that a second Admin account can definitely access the FileVault encrypted files of the first Admin account. AFAICT this is because FV is full disk encryption, and any user who can login when FV is on, must therefore necessarily be able to unencrypt the disk. User protections then depend on OS privileges, which don't stop an admin user.

This makes me think that: 1) using FV to secure your data, and then 2) setting up a second admin account on the mac for the repair people is not enough to protect any ssh keys / proprietary code / financial data on the first admin account from anyone who can access the second admin account.

FV is useful but I think you need to combine a dedicated encrypted partition, or encrypted folder (with another tool I guess that can do this) if you want to protect from a second admin account.


Never give your password to Apple. They make it sound like your machine will be wiped if you don't, but I always refuse and I’ve never lost data.

I back it up just in case. Never ever give your data away.


First item on my checklist is to buy a laptop that I can repair myself. Knock Clevos all you want but System76 includes detailed instructions on how to replace almost any part going back several generations. Plenty of other vendors like Framework and Starlabs also support self-repair.


If we're talking Macs being serviced directly with Apple I don't see how doing anything is necessary. Anything more than backing up your system (in case Apple needs to wipe it) is a waste of your own time.

Whatever Apple employee is performing service on your machine doesn't have the time or possibly even the ability to do much of anything with your system. Apple's going to be using automated diagnostic tools and has a general interest in getting your repair done as quickly as possible.

That Apple employee is being watched by cameras and monitoring tools while they do their job and they're not going to sacrifice their performance metrics or potentially get fired/prosecuted over a desire to rummage through your system. Put yourself in their shoes: if you were repairing 20 laptops per day as your job, how much would you care about fucking around on any of those particular systems? File this one under "the cashier doesn't care that you're buying condoms."

If Apple did something with your stuff it could be very detectable, and Apple is a massive lawsuit target. They have every motivation to be extremely careful about how they handle data. They also handle repairs for business customers.

If you've really got some sensitive data, you still don't need to be talking about nuke scripts and other time-wasting complexities. Skip all that and just do a local Time Machine backup, wipe the system, then send it in for repair. Then when you get it back you restore the whole thing as a single piece. But honestly I've never bothered with that.


If I trust my disk encryption:

1. Power off computer.

If I don’t trust my disk encryption:

1. Fix it myself or buy a new computer.


Back up all data, especially my various nix configuration files (`configuration.nix`, `home.nix`, `flake.nix`es, etc.).

Wipe the LUKS header (`cryptsetup erase <device> && wipefs -a <device>`).

Run the default NixOS setup.

When I get the machine back, reformat & re-install. Copy back the config, reboot to my working old system.

I've got an "erase your darlings" style setup, so everything outside /home and /persist gets erased every boot anyway, and I test my backups so "just wipe it and restore once it's back" is pretty low risk.


I usually remove the HDD if it isn't a problem related to it. Of course that has become more difficult as products got worse.

If that isn't possible, I usually make a backup and restore system to defaults. Easier for support to determine the issue if software is in any way involved.

I believe some manufacturers explicitly tell you that you cannot expect your data getting returned if you ship your device to them. You get it back in most cases, but not if you get the whole device replaced for example.


Reading all these comments like remove the HDD, it sounds like a good future solution may be to get myself an external drive (or even a cloud drive), and somehow set everything up so all my user data exists on that "partition" or drive or whatever. I wouldn't know where to begin to figure out how to do this on Mac, but I'm sure it's possible somehow. Then the main device is essentially a dumb terminal with the OS on it, and all the proprietary data / keys / config etc. is on an encrypted external drive.


This isn't really necessary. "Remove your HDD" is outdated advice.

Any modern SSD can/will leverage cryptographic erasure to render any data unreadable. [1]

Since OP is talking about Apple systems: on Mac computers with the T2 chip or newer (which includes all Apple Silicon Macs), full disk encryption is automatic even with FileVault turned off. [2]

Basically, when you erase a drive on a modern Mac, the encryption key is changed, so prior data is not recoverable in the same way that an unencrypted HDD will leave magnetic traces of readable previous data.

[1] https://www.dell.com/support/kbdoc/en-ca/000150908/data-remo...

[2] https://support.apple.com/guide/mac-help/encrypt-mac-data-wi...


If you encrypt your device like this, it is outdated in a way that you also need to make a copy of your TPM recovery key in case of a hardware failure or replacement. Your data will be lost otherwise. Same goes for MS Bitlocker. Support cannot migrate your data to a new device. If support can access the recovery key to do that, it will be able to access your data as well.

This can provide security but comes with new dangers. I would still recommend removing the HDD. If you encrypt this way, lose the recovery password and your device has a critical failure, your data is lost.


1. If you’re depending on a single local drive to safely house your data you don’t have to lose an encryption key to lose your data.

2. Apple and Microsoft both provide user-friendly cloud-based recovery options for FileVault and Bitlocker that leverage iCloud and Microsoft accounts, respectively.

2.5. “But what if you don’t want to trust/use cloud services?” See #1. You can’t depend on your single drive anyway. If you can be responsible for safeguarding backups you can be responsible for safeguarding encryption/recovery keys.

3. Organizations and probably most individuals rely on professionally managed storage solutions to house important data. Organizations don’t tell their employees to store important things on their local laptop, it’s Box/Dropbox/Drive/etc.

4. Considering how most computer users are on laptops, removing the drive is not a practical suggestion, even if the laptop has an easily removable drive. That type of knowledge and ability is beyond the vast majority of computer users.

That’s why, to me, the best way to operate is on a full disk encrypted device that’s treated as disposable. At any time it could be stolen, fall on the ground, stop working due to a power surge, get wet, etc. If your workflow involves device replacement causing lost data you’re already in a vulnerable position.


At that point we would be almost going full circle back to terminals and mainframes.

Then someone will figure out most users don't need much processing power (only emails, word, etc.) and back to centralized computing we go!


Personally I make an exact copy of the disk to another, reset any OS (Windows/Mac/Linux) and hand over the laptop for repairs.

When I get the laptop back, I restore the disk.

If you want to be more secure, in case you worry that someone might do a file recovery to grab data, just overwrite all the data with 0x00 using a program, and your data will be secure and unrecoverable unless someone will try really hard to sniff your data.


All my work goes in Documents on linux and windows and I just rsync those files that I don't keep in the cloud over to a backup drive. Most of them I could get by without. Everything else is on github or cloud drives. It's been a long time since I trusted a piece of hardware with irreplaceable files. If it's a personal computer, I just take the hard drive out. They will have spares they can put in. If I couldn't take the HD out I would at least wipe it. All my drives have an encryption layer at all times.


1. power off (if needed)

2. unscrew all screws

3. replace everything non-functional

4. screw all screws, use blue fixator

5. power on

6. notice that one of bus ribbons was forgotten or misplaced

7. redo steps 1-5

8. get a final result, power on


Disk encryption should always be turned on, and I don't think your other tactics are going to provide a meaningful increase in security if that's done (although I still think they're all a good belt-and-suspenders approach).

Our company uses VMs for everything sensitive now, so hopefully no one needs this checklist!


But if you create another admin account on the Mac, can't you just reset the encrypted account's password and decrypt with the new password? Maybe not, but it's probably pretty hard to enter your password in an Apple Store in a way that nobody can see...

Yeah, I use VMs for all my work (basically, or ssh into a VPS) but the keys to the VMs, the login sessions for emails, web browsing is all done on the laptop.

Do you mean that even all your work email / all your web browsing you do within a VM?

can you technically explain a little more how that works?


> it's probably pretty hard to enter your password in an apple store

Don't do that. There's a guest account for that. Unless you're debugging something very specific, you don't need your actual account available.


They asked me to sign in so they could create an 'apple' Administrator account on there to repair the display.


I always refuse and they seem to be upset but the repair has always been completed.

Apple should be ashamed of themselves.


You can always refuse. They have the right processes to deal with that. If they're being annoying there's always "I legally can't due to sensitive data stored on this laptop".


If you use an authenticator app on your phone for 2FA codes make sure you have backup codes for all your accounts.


this is a good reminder as well, but just wondering is this specifically related to some risk of getting a laptop repaired?


Not a risk for laptops. I just wanted to chime in since phones are commonly used for 2FA.

Apple completely replaced one of my older phones when I took it in for a battery replacement because a previous "unapproved" third party battery replacement had been made. I assumed a restore from iCloud backup would restore the 2FA app settings but that wasn't the case (I think Google Authenticator has actually implemented exports now though). There were a few accounts that I didn't have backup codes for but luckily I was able to reset the 2FA for those accounts using my identity since I had been through KYC for those accounts when I set them up.


oh definitely remove the hard disk. even if you delete files, pros can recover it.


This is generally going to be outdated advice for computers and phones that have SSDs leveraging built-in full disk encryption and cryptographic erasure.

Since OP brought up Apple products, that will include anyone using FileVault, and it even includes people not turning on FileVault on all Macs leveraging the T2 chip or Apple Silicon – Apple is forcing full-disk encryption even if you're not enabling FileVault.

For iOS devices this automatic full-disk encryption has been happening for many years now, implemented much earlier than Intel Mac systems gained the capability. I think the iPhone 4 was the first iPhone to get full-disk encryption, which on iOS has always been on by default and cannot be disabled.

If your Mac system is on this list or newer then it's already protecting your storage: https://en.wikipedia.org/wiki/Apple_T2#Products_that_include...


yes, what about using something like 'srm' (supposed to be a secure rm)? issue is MacBook Air cannot remove hard drive (cannot even open without voiding warranty i think).


>cannot even open without voiding warranty i think

Wasn't the whole 'you can't open it / warranty issue' thrown out somewhere (hard drives, for example)? EU or US?

/sorry, on mobile. Limited research for a few days.


The `srm` that used to ship with MacOS doesn't work with SSDs.

It worked by overwriting, renaming, and truncating the file before unlinking it.

On rotational HDs, the overwrites clobber the data in the same physical location on disk. On SSDs, the overwrites will typically appear in a new location on disk due to wear-leveling and block-sparing.

Your best bet is to turn on FileVault, wait for it to finish encrypting the drive, then wipe the whole disk in Recovery Mode.
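
The behaviour described in the comment above, together with the cryptographic erasure mentioned in the earlier Secure Erase comments, shown as a toy model added here (not part of the thread and not real drive firmware). `ToySSD`, its remapping policy and the XOR keystream are assumptions made for illustration; only the overwrite step of an `srm`-style tool is modelled.

```python
import hashlib
import os


class ToySSD:
    """Toy flash translation layer: logical blocks are remapped to fresh physical pages."""

    def __init__(self, pages=16):
        self.flash = [None] * pages   # raw physical pages, as a chip-level read would see them
        self.l2p = {}                 # logical block address -> physical page
        self.next_free = 0
        self.key = os.urandom(32)     # media key held only by the (hypothetical) controller

    def _xor(self, data, page):
        # Toy keystream (max 32 bytes per page); stands in for the drive's real cipher.
        stream = hashlib.sha256(self.key + bytes([page])).digest()
        return bytes(b ^ s for b, s in zip(data, stream))

    def write(self, lba, data):
        page = self.next_free         # wear-leveling: every write programs a new page
        self.next_free += 1
        self.flash[page] = self._xor(data, page)
        self.l2p[lba] = page          # the previous page is now stale, but not erased

    def read(self, lba):
        page = self.l2p[lba]
        return self._xor(self.flash[page], page)

    def raw_pages_decrypted(self):
        """Everything recoverable from physical flash with the current media key."""
        return [self._xor(c, p) for p, c in enumerate(self.flash) if c is not None]

    def crypto_erase(self):
        self.key = os.urandom(32)     # ciphertext stays in flash, its key is gone
        self.l2p.clear()


def srm_style_delete(ssd, lba, passes=3):
    """Overwrite one logical block in place several times, as an overwrite-based tool does."""
    size = len(ssd.read(lba))
    for _ in range(passes):
        ssd.write(lba, b"\x00" * size)


def demo():
    ssd = ToySSD()
    secret = b"-----BEGIN PRIVATE KEY-----"   # constructed sample data
    ssd.write(0, secret)
    srm_style_delete(ssd, 0)
    logical_view = ssd.read(0)                               # the OS sees only zeros
    stale_copy = secret in ssd.raw_pages_decrypted()         # original page still in flash
    ssd.crypto_erase()
    after_erase = secret in ssd.raw_pages_decrypted()        # unreadable without the old key
    return logical_view, stale_copy, after_erase


if __name__ == "__main__":
    print(demo())
```
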


Back it up and wipe it clean.




Vacuum the biscuit and cake crumbs out of the keyboard - might also solve that "repeating key" problem you've been having lately. (Source: worked for me!)



