Advanced Plus Security Stenographers' Surface Go Tablet Security Config 2022

Last updated
Nov 20, 2022
How it's used?
On-device encryption
Log-in security
    • Basic account password (insecure)
Security updates
Allow security updates and latest features
Network firewall
Real-time security
SELinux set to enforced.
Custom IP Tables
Proton VPN
Firewall security
About custom security
Custom IP Tables
Periodic malware scanners
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Microsoft Edge, 1Password extension, DuckDuckGo.
Password manager
1Password installed in Podman container separate from the rest of the system.
Maintenance tools
OS is maintenance free.
File and Photo backup
Nextcloud instance in public cloud (Ubuntu, E2E Encryption & encryption at rest) > server at home (Open Suse MicroOS).
Server at home has 4 bash scripts on cron jobs
1. Rsync over SSH the files for each user in Nextcloud
2. Copy them to a backup folder
3. Delete all entries older than 7 days.
4. Encrypt and upload to S3 storage in the cloud
Server at home is on isolated VLAN / automatic updates
System recovery
Fedora Silverblue is an immutable operating system. By design it cannot be rendered in a broken state by anything related to software. However, in the event that it is compromised by malware or a bad actor:
- Wipe the SSD
- Reinstall Silverblue
- Run setup script that installs all my programs
- Log in to Nextcloud
Risk factors
    • Browsing to popular websites
    • Opening email attachments
    • Logging into my bank account
    • Coding and development
What I'm looking for?

Looking for medium feedback.


Level 2
Thread author
Nov 11, 2022
I am running Fedora Silverblue 37 on my Surface Go tablet. Fedora Silverblue is an immutable operating system, meaning that it cannot end up in an unrecoverable state due to software.

To achieve this Fedora Silverblue mounts the system as read only, you only have write access to a handful of folders like /var/home/%username%/. This means you cannot install software the traditional way. Instead you are meant to use Flatpaks, which can have their permissions managed by the program Flatseal. For those programs that are only available as .rpm files, you have two options. Either layer the RPM on top of the system by installing it with rpm-ostree, or install it in a toolbox (which is just a Podman container with access to devices and /var/home/ on the host.) Obviously the latter is the preferred method.

Fedora Silverblue's system files are stored in snapshots with rpm-ostree providing a method similar to git (but for system files.) When you update the system it creates a new system snapshot, applies the updates to that, then when you reboot it boots into that new snapshot. It then leaves the last few for you to roll back to in case something goes sideways.

Managing permissions of programs with Flatseal is critical to privacy. For example, I have Microsoft Edge installed but it only has access to my downloads folder. The read only file system and SELinux in enforced mode also provide some resiliency against most malware. This isn't my primary device, my main computer is running Qubes OS.

For my files I host a Nextcloud server (Ubuntu, public cloud provider) with E2E encryption and encryption at rest. Those get backed up to an isolated virtual machine in my home running Open Suse MicroOS. That server then encrypts and uploads the files to S3 storage in the cloud.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.