Lennart: Linux Comes Up Short Around Disk Encryption, Authenticated Boot Security

  • DrYak
    replied
    Originally posted by StarterX4
    My data is safer on a LUKS partition with Arch Linux than on Android, where I have no control over the OS, and the root is like something "illegal".
    The problems that Lennart is pointing out:

    - Your setup is secure, because you spent time tuning your Arch Linux setup. Competitors just come out of the box with their solution, no setup required (even if objectively their solution is rather crappy: "Trust us! We swear that we'll protect your data! (Except if we search for kiddie porn)").

    - Your setup is still vulnerable to something weird happening before it gets decrypted: You think it's your booting Linux that asks for a password to unlock your LUKS, but actually it's a keylogger (or a trojan that will inject a backdoor into the running system once LUKS has been unlocked).
    There is a complete chain of trust that could be leveraged to make sure that the thing that asks you to unlock LUKS is actually your perfectly tuned secure setup, and not something that pretends to be while stealing your data. Such a chain of trust relies on other things besides encryption, such as SecureBoot and TPM. But most Linux distros don't leverage them, so you don't have any guarantee about what happened between the moment you pushed the on button and the moment you got the LUKS prompt (or inserted your USB key).

    Though I disagree with his final assessment about the closed platforms "doing it better":
    Yes, indeed they make better use of these advanced features. But in my little experience they seem to only make use of this to make sure you don't get full admin access to your own (pocket) computer that you bought with your own money. And don't make much effort into making sure that an attacker would have no access to your data. And are usually bad at all these outcomes.
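
A toy model of the measured-boot chain of trust the post above refers to, added here as an example and not part of the thread or of any distribution's code: each boot stage is hashed into a TPM-style PCR, and the disk key is released only when the PCR equals the value recorded at enrollment. `ToySealedKey`, the stage names and the byte strings are constructed stand-ins; a real TPM enforces the policy in hardware.

```python
import hashlib
import hmac


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(stages) -> bytes:
    """Fold every (name, image) stage into one PCR, in boot order."""
    pcr = bytes(32)  # a PCR starts as all zeroes after reset
    for _name, image in stages:
        pcr = extend(pcr, image)
    return pcr


class ToySealedKey:
    """Software stand-in for a TPM-sealed blob bound to one PCR value."""
    def __init__(self, secret: bytes, enrolled_pcr: bytes):
        self._secret = secret
        self._policy = enrolled_pcr

    def unseal(self, current_pcr: bytes):
        # Release the secret only if this boot measured exactly as enrolled.
        if hmac.compare_digest(current_pcr, self._policy):
            return self._secret
        return None


# Constructed sample data: the byte strings stand in for real boot images.
GOOD_CHAIN = [
    ("firmware", b"firmware image A"),
    ("bootloader", b"bootloader image A"),
    ("kernel", b"kernel image A"),
    ("initrd", b"initrd image A (draws the LUKS prompt)"),
]
# Same chain, but the stage that draws the unlock prompt has been replaced.
TAMPERED_CHAIN = GOOD_CHAIN[:3] + [("initrd", b"initrd image B (modified)")]


def boot_and_unseal(sealed: ToySealedKey, stages):
    return sealed.unseal(measure_boot(stages))


if __name__ == "__main__":
    sealed = ToySealedKey(b"disk-key", measure_boot(GOOD_CHAIN))
    print("untouched boot:", boot_and_unseal(sealed, GOOD_CHAIN))
    print("tampered boot: ", boot_and_unseal(sealed, TAMPERED_CHAIN))
```

Because every measurement is folded into the previous PCR value, changing or reordering any earlier stage changes the final value, so the key is withheld before a modified prompt could ever unlock the volume.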


  • Alliancemd
    replied
    Originally posted by tildearrow
    So, is Lennart saying my data is safer in the hands of corporations that spy on users? I totally disagree.
    It's always the most uninformed arguing against the experts of the industry...
    Yes, it's less safe on Linux, in case of a hacked device or somebody that has or had physical access to your device.


  • bob l'eponge
    replied
    Originally posted by sophisticles

    How exactly do you install a keylogger on an encrypted drive?
    If you have hardware access:
    Step 1: Open the chassis
    Step 2: Unplug the keyboard
    Step 3: Plug the keylogger on the keyboard ribbon
    Step 4: Plug the keyboard's ribbon on the keylogger female connector
    Step 5: Close the chassis

    If you don't have hardware access:
    Step 1: Spill some liquid on your keyboard *accidentally* when you are at a Starbucks, whatever
    Step 2: Monitor your mailbox for Amazon delivery
    Step 3: Swap the keyboard part you've ordered with one that already contains the keylogger

    If you are using a Yubikey or some other stuff:
    Step 1: Wait until you're sleeping and/or distracted (never underestimate the dumbness of paranoid people)
    Step 2: Unlock your computer with your Yubikey that's obviously close to the computer because... well, it's more convenient this way.
    Step 3: Install a software keylogger (even easier)

    If the attacker does not care to be stealthy:
    Step 1: Buy a $5 hammer at hardware store and a $5 hood
    Step 2: Hit your chick until you tell the password or give the key



  • jacob
    replied
    Originally posted by mangeek
    As a former enterprise Endpoint Admin and now an ITSec person, I'm not sure there is a way for me to run Linux and meet my own organization's industry-standard security policies. Is there a way for me to easily enroll a Linux desktop or server into a system that escrows a break-glass key for the full-disk encryption?
    I don't know if it's possible, honestly I never looked. What is certain though is that "industry-standard enterprise security" and actual security are not only two totally different things, they are often mutually exclusive.


  • ddriver
    replied
    Originally posted by tildearrow

    Wait a moment, was that sarcasm? Dang! I just can't tell whether it is.
    Now that is a serious concern right there.


    OK, so let me put it down really condensed:

    The problem with trusting big tech is that big tech only protects you in the capacity of its property.

    Big tech doesn't protect you from itself, cuz that's how it makes its money.

    So thank god for them regulators, pristine creatures of utmost morals, tasked with keeping the industry in line and in check. Good guys that proudly obstruct the industry from having committed a single unethical thing in like...


    37 microseconds.
    Last edited by ddriver; 23 September 2021, 11:39 PM.


  • tildearrow
    replied
    Originally posted by ddriver
    Ummmm.... it appears I failed to be sarcastic enough...
    Wait a moment, was that sarcasm? Dang! I just can't tell whether it is.


  • ddriver
    replied
    Ummmm.... it appears I failed to be sarcastic enough...


  • tildearrow
    replied
    Originally posted by ddriver
    One way you can tell windows is not spyware is you just install a brand new copy, then put on a firewall that asks for permission explicitly for every connection.
    Because these connections bypass the firewall on the device. If you put the firewall/network capture system (e.g. iptables, dnsmasq or Wireshark) on the router (outside the device) then you'll see a ton of Microsoft-related connections.

    Originally posted by ddriver
    Now just browse around your computer. Do not open a web browser, do not open any 3rd party apps. Just fool around windows stuff.

    Just count how many connections to how many hosts windows' various components will request out of the box.

    Now start blocking that access, and observe what effect that has on your experience.

    Somehow, and amazingly so, windows works much worse when it is denied internet access than if the system simply has no internet access.

    I am sure windows is becoming increasingly more riddled with this stuff entirely for the benefit of its users who also really don't know what's best for them, without the slightest bit of exploitative intent behind it.

    In conclusion, you should and MUST trust big tech absolutely and unconditionally as a form of a higher and impeccable authority, just like you must trust your priest in the concessionary booth if you don't wanna go to hell.
    Privacy comes at a cost, and that cost is losing these features that I usually don't need (like OneDrive, Microsoft account, weather/news, etc.).
    If the device does not have an Internet connection then of course Windows 10 would be unable to activate its telemetry features.


  • ddriver
    replied
    One way you can tell windows is not spyware is you just install a brand new copy, then put on a firewall that asks for permission explicitly for every connection.

    Now just browse around your computer. Do not open a web browser, do not open any 3rd party apps. Just fool around windows stuff.

    Just count how many connections to how many hosts windows' various components will request out of the box.

    Now start blocking that access, and observe what effect that has on your experience.

    Somehow, and amazingly so, windows works much worse when it is denied internet access than if the system simply has no internet access.

    I am sure windows is becoming increasingly more riddled with this stuff entirely for the benefit of its users who also really don't know what's best for them, without the slightest bit of exploitative intent behind it.

    In conclusion, you should and MUST trust big tech absolutely and unconditionally as a form of a higher and impeccable authority to keep your data safe, just like you must trust your priest in the confession booth to keep your soul safe from hell.
    Last edited by ddriver; 23 September 2021, 10:48 PM.


  • tildearrow
    replied
    Originally posted by sophisticles

    Great, so you googled and came up with an answer.

    Do you know who controls the DNS server?

    Explain to me how the above is used to spy on you and why you think that your devices are sending countless DNS requests all the time.
    I did not. Why do you assume I did? I don't even use Google (go read my post history from one or two years ago because I once even mentioned that Google is evil).

    Let me clarify. I did not mean to say "DNS is used to spy on me". I meant to say "Windows 10 makes a lot of connections to Microsoft servers upon connecting to a network". Excuse me if I was not clear.
    Last edited by tildearrow; 23 September 2021, 10:53 PM.
