I need to place my bet on a new pentesting laptop that will get me further into the 21st century. This article discusses some of my considerations when faced with this decision. All prices listed are from early August 2016. www.securitystreak.com About the Author is a vendor-neutral consultant. Who performs professional audits, and risk assessments. He designs secure networks and engineers resilient high assurance systems in the Cloud. Andrew Douma penetration tests, You can connect with him on LinkedIn , GoodReads , and Twitter . More stories by Andrew Evaluating QubesOS as a Penetration Testing Platform | Finding the right exploit code | Antivirus in 2017: Why? Which? How? | Penetration Testers’ Guide to Windows 10 Privacy & Security | Full Disk Encryption with VeraCrypt | On the Shoulders of #InfoSec Giants: ‘Hacker to Security Pro’ | Securing an Android Phone or Tablet Brand choice Amongst my peers, : Apple, Dell, HP and IBM/Lenovo. I also reviewed all major “Linux laptop” resellers but found they are all based on one of these brands. there are four favorite brands These last eight years, as my base operating system. But my current souped-up MacBook Pro (MBP) model seems on track for its planned obsolescence. I have been using OS X/MacOS The Dell XPS line has gotten some traction in the Linux community. However , I would argue it failed to run anything glitch free that wasn’t the latest version of . But what a beautiful design… having owned the XPS 13 (9343) for over a year Ubuntu as any customized model that fits my needs has an almost . I’ve never enjoyed their plastic-fantastic form-factor either. My mom keeps buying them, perhaps that factors in. HP will not be making the cut Apple-like price tag and wager my money on another Thinkpad. The first great laptop I owned was an X40. The perfect 12.1" hacker laptop which ran Fedora Core Linux and is still in working order until this day. I will be returning to my roots IBM ThinkPad Memory & Storage As security professionals, we run many virtualized operating systems (guest VMs). This gobbles up RAM, CPU cores and hard disk space. Virtualization has made our work safer and far more efficient, it is here to stay. Whichever model I end up with I will upgrade to 32GB of Random Access Memory (RAM) ($0.27/GB) and preferably a SATA III Internal Solid State Drive (SSD) (~$0.35/GB). Capability to upgrade to 64GB of RAM in the future would be “nice”. When possible, I buy waterproof and shockproof electronics. I am a huge fan of the durable Adata HD720 product line ($0.065/GB) for secure project archival and system backups. It is the only external Hard Drive brand I’ve owned of which the drives outlasted other brands, generation upon generation. Chipsets Strong support for virtualization is an absolute need. I frequently work with VMWare Fusion/Workstation/ESXi, as well as Xen, and KVM. It is also the future of computing. Hardware supported security would be superb. Taking a page out of : the Qubes 4 suggested hardware Intel® Virtualization Technology (VT-x) Intel® Virtualization Technology for Directed I/O (VT-d) Intel® Extended Page Table (EPT = ) SLAT Intel® Trusted Platform Module (TPM) At the time of writing, . 113 Intel CPUs match my criteria Threat Model State-sponsored cyber attacks are not my immediate concern. I’m well aware of the internet war that is playing out between friend and foe alike. I know all things I do are being captured and stored indefinitely. (1) (2) That said, . China + Superfish + Lenovo Service Engine + Lenovo Customer Feedback Program. If I were considering Windows as my base operating system, you would not have made the cut. Lenovo, please don’t let us down (again) I also enjoy reading comebacks for : terrible arguments “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say”― Edward Snowden However, I am much more concerned with my professional responsibility towards my clients and keeping my sanity. I’ve come across (intentional?) backdoors left behind and malware introduced by other testers. Security professionals never pirate right? Do you analyze malware on the same machine you store client results? Every vendor solution that can effectively keep up with Endpoint Intrusion Prevention, Detection, and Remediation, relies heavily on virtualization to do so. “Just because you’re paranoid doesn’t mean they aren’t after you.”― Joseph Heller I am opting not to concern myself with , and for that matter Intel vPro. This is a penetration testing laptop, not an “off-the-grid” laptop. The overly paranoid can sink their bitcoins into or look into impractical paranoia surrounding Intel ME/FSP CrowdSupply campaigns like ORWL disabling Intel ME. I also choose to rely on the security features provided by IBM’s BIOS. Installing an open-source like isn’t an option for newer ThinkPad models. Basic Input Output System (BIOS) Coreboot Graphics To achieve the greatest compatibility, . In most cases, we offload all password cracking to . No single laptop GPU could ever compete with that. I will opt for an Intel GPU cloud-based Linux GPU instances Obscure Linux and BSD distributes may react poorly to HiDPI screen resolutions. That said, screen real estate is king, and I cannot drag my external monitor with me to engagements. Base Operating System (Dom0) I plan to install Red Hat Fedora Linux, or in this case, the expected at the end of this year. Currently, Qubes 3 is a Fedora 23/ based system, but of . With the upcoming release, they will move to hardware-enforced memory virtualization (Intel EPT). Qubes 4 “distribution” Xen PV kind different For backups and project archiving, I am a huge fan of the ($0.065/GB). The only brand I have owned during my lifetime of which the drives did not suddenly fail. durable Adata HD720 product line Using Linux as my everyday desktop does not make me that enthusiastic. I love working with Red Hat Enterprise Linux (RHEL) / CentOS when engineering cloud-based environments. However, I abandoned Fedora 10 for OS X as weekly updates would break something essential. Qubes-OS is a young distribution. There has been criticism over the prioritization of desktop bugs and over KVM. At the end of the day, it is their project; they are calling the shots. choosing Xen My primary aim is to challenge myself to further improve my security posture and routines. is an often overlooked factor in managing IT risk. I have traced several incidents to malware brought into the network by third party penetration testers. Usable security It will not hurt that I know the Red Hat distributions inside and out. The odds of success increase through my familiarity with preventing and detecting intrusions. I can only hope I do not lose time to debugging and reporting issues on a weekly basis. Qubes appears well-documented. Should it for any reason not work out as planned I am likely to install a BSD based operating system and run KVM — but that’s a story for another day. Virtual Guest Machines (DomU) Qubes allows you to spin up persistent and disposable VMs based on , , and . Fedora Debian Whonix It is reportedly easy to create templates for pentesting distributions and . Installing a cloud-oriented pentesting distribution such as or is an option. BlackArch (Arch) Kali (Debian) BackBox (Ubuntu) Parrot (Debian) With the release of Qubes 4, I expect better support for Windows and BSD. I will look into documenting the template creation for . Alpine Linux ThinkPad Models Only the T- and P-series support 32GB of RAM. Though I might end up paying to have the SSD drive installed by the manufacturer, I am not paying $400 for a RAM upgrade to 32GB. The P-series has absorbed the old W-series line and support up to 64GB of RAM and a 1TB SSD. But every model sports a NVIDIA GPU which guarantees issues due to its proprietary drivers. Which leaves us with the . T560, T460, T460p, and the T460s Linux compatibility with HiDPI varies from application to application (Qt vs GTK). For some models, there no longer is a choice. Please do your research into FHD (1920x1080) and WQHD (2560x1440) resolutions. For several CPU upgrades other components, such as the NVIDIA GPU, are mandated. I did opt for Windows Pro, backlit keyboard, fingerprint, and smart card reader, and the large capacity battery (when available). Using the I managed an extra $75 in savings above the normal internet discount. RetailMeNot SAV30THINKPAD coupon, Note that only the T460s supports a 1TB PCIe-NVMe SSD; the others tap out at 512GB. 32GB DDR4–2133 currently costs about €130 or $120 whereas the older DDR3L-1600 costs €360 or $330. ( Tweakers.net , NewEgg, Amazon) only the T560 has hardware supported security through dTPM; all other systems have the Simulated Software TPM. ( Note: upon receiving my model it does have Software TPM&Hardware dTPM) all systems have Intel based Wireless radio cards (preferable addition when auditing WiFi/RF networks and not dealing with Broadcom-required binary blobs) IBM ThinkPad T560 @ $955 http:/shop.lenovo.com/us/en/laptops/thinkpad/t-series/t560/ ThinkPad T560 misaligned keyboard, credit IBM.com Specs: _Keyboard: Backlit Keyboard with Number Pad — EnglishPointing Device: UltraNav (TrackPoint and TouchPad) with Fingerprint ReaderTPM Setting: Software TPM EnabledCamera: 720p HD CameraHard Drive: 128 GB Solid State Drive, SATA3System Expansion Slots: Smart Card ReaderFront Battery: ThinkPad Battery 3 cell Li-Polymer (44Whr) FrontRear Battery: 6 Cell Li-Ion Battery 72WH Cylindrical RearPower Cord: 45W AC Adapter — US(2pin)Wireless: Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 vProIntegrated Mobile Broadband: Integrated Mobile Broadband upgradableLanguage Pack: Publication — EnglishWarranty: 1 Year Depot or Carry-in_ Processor: Intel Core i7–6600U Processor (4MB Cache, up to 3.40GHz)Operating System: Windows 10 Pro 64Operating System Language: Windows 10 Pro 64 EnglishDisplay Panel: 15.6" FHD IPS (1920x1080) ,No Touch,WWANMemory: 4GB PC3–12800 DDR3L 1600MHz SODIMMGraphics: Intel HD Graphics 520 Security Chip: Software TPM & Hardware dTPM - Terrible keyboard!!!+ i7 processor+ 15.6" screen+ FHD resolution- up to 32GB DDR3L RAM (expensive stuff!)~ max 512GB SATA3 SSD+ Hardware dTPM Pros and cons: IBM ThinkPad T460p @ $915 http://shop.lenovo.com/us/en/laptops/thinkpad/t-series/t460p/ Specs: Processor: MBOperating System: Windows 10 Pro 64Operating System Language: Windows 10 Pro 64 EnglishDisplay: Graphics: Memory: 4GB SODIMMCamera: 720p HD CameraKeyboard: Keyboard Backlit — EnglishPointing Device: UltraNav (TrackPoint and TouchPad) with Fingerprint ReaderSecurity Chip: Software TPM EnabledFirst Hard Drive: 128 GB Solid State Drive, SATA3System Expansion Slots: Smart Card ReaderBattery: ThinkPad Battery 6 cell Li-Ion (72Wh) Cyl HC RearPower Cord: 90W AC Adapter (2pin) — USWireless: Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 vProIntegrated Mobile Broadband: Integrated Mobile Broadband upgradableDisplay Panel: T460p WQHD IPS AG WW PAINTLanguage Pack: Publication — EnglishWarranty: 1 Year Depot or Carry-in Intel Core i5–6440HQ 14.0 WQHD(2560 x 1440) IPS Non-Touch (only option) Intel HD Graphics 530 DDR4–2133 - i5 processor (i7 forces NVIDIA)~ 14" screen- WQHD screen (FHD currently unavailable)+ up to 32GB DDR4 RAM~ max 512GB SATA SSD+ Hardware dTPM (even if not listed in product description) Pros and cons: IBM ThinkPad T460 @ $1061 http://shop.lenovo.com/us/en/laptops/thinkpad/t-series/t460/ Specs: Processor: Processor (4MB Cache, up to 3.40GHz)Operating System: Windows 10 Pro 64Operating System Language: Windows 10 Pro 64 EnglishDisplay: ,No Touch,No WiGig,WWAN,WLANGraphics: Memory: 4GB PC3–12800 SODIMMCamera: 720p HD CameraKeyboard: Keyboard Backlit — EnglishPointing Device: UltraNav (TrackPoint and TouchPad) with Fingerprint ReaderSecurity Chip: Hard Drive: 128GB Solid State Drive, SATA3System Expansion Slots: Smart Card ReaderFront Battery: ThinkPad Battery 3 cell Li-Ion (23.2Whr) FrontRear Battery: ThinkPad Battery 6 cell Li-Ion (72Wh) Cyl HC RearPower Cord: 45W AC Adapter — US(2pin)Wireless: Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 vProIntegrated Mobile Broadband: Integrated Mobile Broadband upgradableLanguage Pack: Publication — EnglishWarranty: 1 Year Depot or Carry-in Intel Core i7–6600U 14.0" FHD IPS (1920 x 1080) Intel HD Graphics 520 DDR3L SDRAM 1600MHz Software TPM Enabled + i7 processor~ 14" screen+ FHD screen- up to 32GB DDR3L RAM (expensive stuff!)~ max 512GB SATA SSD+ Hardware dTPM (even if not listed in product description) Pros and cons: IBM ThinkPad T460s @ $983 https://shop.lenovo.com/us/en/laptops/thinkpad/t-series/t460s/ Specs: Offering Model: Transactional ModelProcessor: Processor (4MB Cache, up to 3.40GHz)Operating System: Windows 10 Pro 64Operating System Language: Windows 10 Pro 64 EnglishDisplay: IPS Non-TouchGraphics: Memory: 4GB 4GB OnboardCamera: 720p HD Camera with MICKeyboard: Keyboard — EnglishPointing Device: UltraNav (TrackPoint and TouchPad) with Fingerprint ReaderSecurity Chip: Hard Drive: 128 GB Solid State Drive, SATA3System Expansion Slots: Smart Card ReaderFront Battery: 3 Cell Li-Ion Battery 23.5WH FrontRear Battery: 3 Cell Li-Ion Battery 26WH Rear Power Cord: 45W AC Adapter — US(2pin)Wireless: Intel Dual Band Wireless-AC(2x2) 8260, Bluetooth Version 4.1 vProWWAN Selection: WWANIntegrated Mobile Broadband: Integrated Mobile Broadband upgradableDisplay Panel: 14.0" FHD IPS 250nit (1920 x 1080),No Touch,720p HD Camera,Mic,WWAN,No WiGig,WLANLanguage Pack: Publication — EnglishWarranty: 1 Year Depot or Carry-in Intel Core i7–6600U 14.0 FHD(1920x1080) Intel HD Graphics 520 DDR4–2133 Software TPM Enabled (no upgrade available) + i7 processor~ 14" screen+ FHD screen+ DDR4 RAM- only up to 20GB :(+ max 1TB PCIe-NVMe SSD ($500 upgrade)- no large capacity battery+ Hardware dTPM (even if not listed in product description) Pros and cons: Decision If I would choose today, it would be the T460p. $812 on checkout with the stock HD and coupon. Upgrading it myself to a will run me $220, $70 cheaper than Lenovo’s upgrade. Assuming I spend $120 on the , I will own a laptop capable of running my digital toolkit, for $1152. 512GB SATA SSD 32GB of RAM ThinkPad T460 award-winning keyboard, credit IBM.com Compare that to the $3200 I would need to shell out for a 15" Macbook Pro that maxes out at 16GB of RAM! Buying a ThinkPad doesn’t always grant immediate gratification. Most modifications to the configuration trigger a 3–5 week delivery time. September 2016 update To conclude this article I will share with you, my final decision and remaining thoughts: I ordered the T460p when it came back on the weekly sale, apparently the only time the coupon works. I opted for the 14.0 FHD IPS Non-Touch Display and with additional warranty and taxes paid $866.48. Warning: do not get a model with “ Windows Signature Edition ”. I grabbed the for $119.99 and the for $422.66. Pushing my total amount wagered to $1409.13. G.SKILL Ripjaws Series 32GB (F4–2133C15D-32GRS) SAMSUNG 850 PRO 2.5" 1TB SSD (MZ-7KE1T0BW) It was easy to opt for Samsung as they build the entire SSD themselves, it was harder to decide between their EVO and PRO line. I did end up going over my budget for that component; to guarantee sufficient disk space, I/O performance, and longevity. If you are willing to spend $2500 or more, I recommend taking a closer look at the HP Zbook. This model is currently listed three times on Furthermore, they allow customers to have an Intel GPU, opt out of vPro, Windows licenses, having a webcam or even a hard-drive! NotebookCheck’s “Top 10 Workstation Laptops”. Continue reading my follow-up article: evaluating Qubes OS as a penetration testing platform. Do you have any advice? Corrections or additions? Please do not hesitate to reply! Feel free to share your experiences, advice, and questions in private or through the comments section. Click the ♡ to recommend this article.