Tuesday, August 10, 2021

IT FAQ

Q: Is it safe to surf the Internet using an administrative account on Windows?

A: No. Using a non-administrative account mitigates 92% of Microsoft vulnerabilities with a critical severity rating.

Microsoft really shot itself in the foot with Windows, as its initial administration, where users create logins, leads users to believe that only one login is necessary, when in fact there should be a minimum of two: one with administrative privileges that is only used to install software and fix system problems, and one without administrative privilege for general use. And its Windows 10 attempt to force users to use online Microsoft logins perpetuates the situation, as users should be encouraged to create a local administrative login as well as a regular login to surf the Internet (to create a local login on a new Windows 10 system, do not connect to the Internet).




Q: Does a safe way of doing online banking exist?

A: Bank via LiveCD/DVD or LiveUSB, running Linux instead of Windows in a temporary session, though UEFI SecureBoot will need to be temporarily disabled in BIOS. Some PCs with a CD/DVD drive boot from a CD/DVD by default; some require pressing a specific key as soon as the first boot screen is seen; some won't allow it until BIOS options are properly set; most require BIOS options to be set to boot from a USB flash drive. Read advice here from Ubuntu and Arch. Linux distributions Linux Mint (a fork of Ubuntu; read user's manual), Manjaro (an Arch fork; read help) and Linux Lite (an Ubuntu fork designed for Windows refugees; read help) are recommended.

If you have a PC running Windows XP, Vista, 7, or 8, a LiveCD/DVD or Live USB would be a much safer way to surf the Internet. Even better -- and faster -- would be to replace the HDD with an SSD, and install Linux on it.




Q: What is the best antivirus for Windows?

A: Read the findings of the top-two labs, AV-TEST and AV-Comparatives. Your author recommends Malwarebytes Pro (the paid product, not the freeware) combined with the default Windows Defender, Bitdefender, and F-Secure.

Simplifying things somewhat, traditional antivirus works by looking for specific strings in the suspect code. That approach works well most of the time, though new malware that has not been processed by antivirus companies yet -- called zero-days -- can slip through the cracks. Malwarebytes Pro works completely differently, essentially heuristically, which is why it is an outstanding partner for Windows Defender.

Some vendors offer a free version without all of the features contained in their paid product, as AV-Comparatives noted, with technical support and ransomware protection being some of the missing features. However, most vendors include toolbars or other unwanted add-ons.

There are options for a free, reliable second opinion. Malwarebytes offers a second-to-none scanner, but it starts a free trial of its paid product and requires installation (it converts to an on-demand scanner after the trial period ends, often pestering you to purchase it). F-Secure offers Online Scanner, as well as other free tools. Microsoft offers Safety Scanner, the antivirus engine in Windows Defender which does not require installation, Malicious Software Removal Tool, the same one offered each month via Windows Update which does not require installation, and Windows Defender Offline, which is used via CD or USB flash drive, running a temporary Windows instead of the installed one in order to remove rootkits. Norton Power Eraser is a powerful scanner and does not require installation. None of these free products should be used as the only antivirus, as they offer no real-time protection.

Some vendors offer removal tools for specific malware, though you've got to know which one is infecting your PC. Malwarebytes offers removal guides and Bleeping Computer offers removal guides.

Antivirus products can be difficult to completely remove. Bitdefender offers uninstallation tools for its paid and trial products, as well as uninstallation links for most other vendors. ESET offers instructions and an uninstaller tool. Malwarebytes offers its Clean Uninstall Tool. To complete the uninstallation, look in both "Program Files" and "Program Files (x86)" and remove all directories with the name of the antivirus vendor (expert users should also peruse ~/AppData and C:/Windows/Prefetch, with the name often being abbreviated in the latter, for example, for Bitdefender, there may be entries starting with "Bitdefender" or "BD"). If an entry remains in Control Panel -> Uninstall a program, use Revo Uninstaller.

If Malwarebytes Pro needs to be moved, even on the same PC after Windows reinstallation, deactivate the license first and then reactivate it on the new system. Otherwise you may need to contact customer support.

It's never a good idea to install tune-up utilities or toolbars. The most screwed-up PCs are often ones with these products.

Malwarebytes Blog, Bitdefender Blog / Labs, F-Secure online security tips and articles, ESET We Live Security, G Data Security Blog, Bleeping Computer News, Threatpost, Krebs on Security, CISA US-CERT, FBI Consumer Alerts, and NIST National Vulnerability Database offer security news.

CISA offers a list of free cybersecurity services and tools and the NSA offers Network Infrastructure Security Guidance, though much of both pertains to government agencies and business.




Q: I was told that some malware cannot be identified by antivirus software and therefore antivirus products are useless.

A: That malware is classified as zero-day, called that because on the day your PC sees it, your antivirus vendor has not yet seen a sample of it so it has not been able to include a defense for it in its product. Eventually the vendors will get around to rectifying that, but some PCs will become infected before then. Surfing without antivirus protection puts you at risk of malware which has already been identified by antivirus vendors.





Q: Does it really matter if I renew my antivirus product? Am I not protected 99+% via the already-downloaded signatures?

A: New malware is created every day. Having a lapsed subscription means that all new malware is a zero-day from your point of view. And many antivirus vendors have switched to a cloud scheme where some or all of the signatures of potential malware no longer reside on your PC. As soon as your subscription lapses, the cloud becomes unavailable to you.

By the way, if your antivirus product is sold in stores, for example, Norton, you can buy a copy on sale and use the activation code to renew, saving money over the regular price. You can use products intended for more users than you have.

One advantage of Windows 10 is that if an antivirus subscription is allowed to lapse, Windows Defender will be automatically enabled.





Q: How do I determine if an email is a phishing attempt?

A: Phishing, where grifters try to convince users to click on a questionable link, is responsible for the majority of cyber-breaches.

URLs all follow the same scheme. They start with either http:// or https://, with everything from those two slashes to the next slash or the end of the URL being the fully qualified domain name (FQDN). For example, a link might read, https://www.paypal.com/blah/, which is a valid link because www.paypal.com is an FQDN. Another example might read, http://www.paypal.paymenow.com/someconfusingtext/, which is a phishing URL because www.paypal.paymenow.com points to paymenow.com, not paypal.com. To further simplify things, only the two right-most parts of the FQDN are important for users, for example, www.amazon.com is routinely shortened to amazon.com, with amazon being the domain and .com being the top-level domain. Also note that paypal.com and paypal.net are completely different domain names. Domain names can be looked up via ARIN.

There are four other address formats: dotted-decimal (for example, 192.168.0.1), dotted-octal (for example, 0300.0250.0000.0001), hexadecimal (for example, 0xc0a80001; hexadecimal addresses always start with 0x), and integer (for example, 3232235521). Never click on hexadecimal or integer addresses and only click on dotted ones if you know the origin.

Before clicking on any link on Windows and Linux PCs, whether in email or on a web site, position the mouse cursor over it without clicking, which will cause the text of the actual URL to be displayed in the lower-left corner of the screen. Compare the displayed text to what you expect, and if the text is unexpected, do not click on it. That said, you can still be vulnerable to homoglyph attacks, where English characters are replaced by ones in other languages that look similar, so manually entering URLs is the safest approach.

If an email asks you to enable macros to open a Microsoft Office file, decline. Macros are disabled by default for good reasons.
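The URL checks described in this answer can be automated. The Python code below is an added example, not part of the original FAQ: it extracts the FQDN, names which of the address formats above the host uses, decodes numeric hosts to dotted-decimal, flags non-ASCII or punycode labels, and compares the two right-most labels with the domain you expected. The function names and the sample list are assumptions made for illustration, and the Cyrillic look-alike link is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def classify_host(host):
    """Name the address format of a URL host, using the FAQ's categories."""
    h = host.lower().rstrip(".")
    if re.fullmatch(r"0x[0-9a-f]+", h):
        return "hexadecimal"
    if re.fullmatch(r"[0-9]+", h):
        return "integer"
    parts = h.split(".")
    if len(parts) == 4 and all(re.fullmatch(r"[0-9]+", p) for p in parts):
        # A leading zero marks an octet as octal, e.g. 0300 is 192.
        if any(len(p) > 1 and p[0] == "0" for p in parts):
            return "dotted-octal"
        return "dotted-decimal"
    return "name"


def to_dotted_decimal(host):
    """Decode a numeric host to plain dotted-decimal; None if not decodable."""
    h = host.lower().rstrip(".")
    kind = classify_host(h)
    try:
        if kind == "hexadecimal":
            return str(ipaddress.IPv4Address(int(h, 16)))
        if kind == "integer":
            return str(ipaddress.IPv4Address(int(h)))
        if kind in ("dotted-octal", "dotted-decimal"):
            octets = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)
                      for p in h.split(".")]
            return str(ipaddress.IPv4Address(".".join(map(str, octets))))
    except ValueError:  # value out of range, or digits 8/9 in an octal octet
        return None
    return None


def registrable_domain(host):
    # The FAQ's simplification: only the two right-most labels matter.
    # Assumption carried over from the page; suffixes such as co.uk need
    # three labels and are not handled here.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(url, expected_domain):
    """Return a list of findings; an empty list means no check failed."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    host = parts.hostname or ""  # FQDN only: port and any user@ prefix removed
    kind = classify_host(host)
    if kind != "name":
        findings.append(f"host is a {kind} address ({to_dotted_decimal(host)})")
        return findings
    if not host.isascii():
        findings.append("host contains non-ASCII characters (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("host contains a punycode (xn--) label")
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        findings.append(f"link goes to {actual}, not {expected_domain}")
    return findings


# Sample links: the FAQ's own examples, plus one constructed look-alike that
# swaps the Latin "a" for the Cyrillic letter U+0430.
SAMPLES = [
    "https://www.paypal.com/blah/",
    "http://www.paypal.paymenow.com/someconfusingtext/",
    "http://192.168.0.1/",
    "http://0300.0250.0000.0001/",
    "http://0xc0a80001/",
    "http://3232235521/",
    "https://www.p\u0430ypal.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        shown = url.encode("ascii", "backslashreplace").decode()
        print(shown, "->", check_link(url, "paypal.com") or "no findings")
```
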




Q: My Windows PC was bitten by ransomware. Help!

A: Print screenshots -- press PrintScreen, start Paint, press ctrl-v, and print -- of all messages or take photos of the screens, because the ransomware may interfere with your research. Download Bitdefender's Ransomware Recognition Tool, which will "find which family and sub-version of ransomware has encrypted their data and then get the appropriate decryption tool, if it exists." Then shut down the PC until you have decided what to do. You might need a second PC for research, doing so at Stop Ransomware, No More Ransom Project, ID Ransomware, Malwarebytes, F-Secure, and NJCCIC. Decryption tools are available for some ransomware from No More Ransom Project, Bleeping Computer, Emsisoft, Kaspersky, ID Ransomware, and Trend Micro.

If you have backups, do not connect them to the infected system, as the ransomware will encrypt them.

You can pay the ransom, but only half of those who paid a ransom were able to recover their data. Some ransomware purveyors are incompetent and do not decrypt files after payment. Search on your particular ransomware before paying. And then you must remove the ransomware, because it will bite you again in the future. Malwarebytes would be your author's first choice for removing ransomware, but then again, wiping the drive and reinstalling Windows is the only way to guarantee that the ransomware is gone.

It won't help you now, but you need to start making backups so you won't be put in this situation again. A minimum of two HDDs and a docking station, or two USB flash drives, depending upon the amount of data, are needed. At the end of each day, copy your data from the system drive to the backup drive. You must not keep the backup drive running all day for three reasons. First, you are wasting electricity. Second, you are shortening the life of the drive. And third, ransomware will encrypt any data it sees on the PC, so your backup drive will be of no use (some ransomware specifically targets NAS and backup storage devices). The best tactic is to do a daily backup and a weekly one because you won't know when ransomware actually strikes (corporations generally do daily, weekly, and monthly backups). And you need to test your backups, because you wouldn't be the first one to discover that backups were faulty.
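One way to test a backup at the moment it is made, as an added example that is not part of the original FAQ: the Python code below copies a folder into a "daily" or "weekly" slot on the backup drive, records a SHA-256 hash of every source file, and re-reads the copy to confirm it matches before the previous backup in that slot is replaced. The function names, the slot folder layout, and the MANIFEST.sha256 file name are assumptions chosen for this example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # assumed file name for the hash list


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_backup(backup_dir):
    """Re-read every file in the backup and compare it with the manifest.

    Returns a list of (relative_path, problem) tuples; an empty list means
    every file recorded at backup time reads back unchanged.
    """
    backup_dir = Path(backup_dir)
    problems = []
    manifest = (backup_dir / MANIFEST_NAME).read_text(encoding="utf-8")
    for line in manifest.splitlines():
        if not line:
            continue
        expected, rel = line.split("  ", 1)
        copy = backup_dir / "data" / rel
        if not copy.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(copy) != expected:
            problems.append((rel, "content changed"))
    return problems


def make_backup(source, backup_root, slot):
    """Copy source into backup_root/<slot> ("daily" or "weekly").

    The copy is staged in <slot>.new and verified against hashes taken from
    the source; the previous backup in the slot is only replaced afterwards.
    """
    source = Path(source)
    final = Path(backup_root) / slot
    staging = Path(backup_root) / (slot + ".new")
    if staging.exists():
        shutil.rmtree(staging)
    shutil.copytree(source, staging / "data")
    files = sorted(p for p in source.rglob("*") if p.is_file())
    lines = [f"{sha256_of(p)}  {p.relative_to(source).as_posix()}" for p in files]
    (staging / MANIFEST_NAME).write_text("\n".join(lines) + "\n", encoding="utf-8")
    problems = verify_backup(staging)
    if problems:
        raise RuntimeError(f"backup copy does not match source: {problems}")
    if final.exists():
        shutil.rmtree(final)
    staging.rename(final)
    return final


if __name__ == "__main__":
    # Constructed demo data in a temporary folder standing in for the
    # system drive and the backup drive.
    tmp = Path(tempfile.mkdtemp())
    (tmp / "documents").mkdir()
    (tmp / "documents" / "letter.txt").write_text("constructed sample file")
    daily = make_backup(tmp / "documents", tmp / "backup_drive", "daily")
    print("daily backup verified:", verify_backup(daily) == [])
```

Running `verify_backup` again on an older slot before relying on it shows whether the drive still returns the data that was written.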

Be aware that over 90% of phishing emails contain ransomware.





Q: Is there any way to stop annoying ads, especially pop-ups, from appearing?

A: Enable the setting to block pop-ups (it's usually the default). Use Brave Search, Qwant, or DuckDuckGo instead of Google, Bing, Amazon, Yahoo, or other data-snarfers.

For the below, a fork is either an offspring of Firefox or Chromium (Google's open source browser; Chrome, a Chromium fork, is Google's data-snarfing cash cow), resulting in a browser with different features, behavior, and/or appearance. Edge, a Chromium fork, has its own add-ons. 

Alternative browsers include (for some, there is an option to install only for the installing user or all users, with the latter being the most useful):

 - Firefox (Mozilla's heir to Netscape Navigator; extensions in Firefox Add-ons; offers help and forum relevant for it and forks)

 - Firefox Nightly (bleeding edge release of Firefox, though rarely buggy; extensions in Firefox Add-ons)

 - Firefox ESR (extended support, so Firefox features are delayed, which can be good or bad depending upon one's point of view; extensions in Firefox Add-ons)

 - Vivaldi (Chromium fork; extensions in Chrome store; started by co-founder of Opera because he was dissatisfied with Opera's direction after purchase by Chinese company; very configurable; offers help and forum)

 - Brave (Chromium fork; extensions in Chrome store; phones home least data; unique ad scheme; offers help and forum)

 - Pale Moon (Firefox fork, but a divergence at v-28, with its own extensions; no telemetry, spyware, or data gathering; has trouble with some websites requiring login; use forum for help)

 - SeaMonkey (Internet suite with Firefox fork, email, newsgroups, with its own extensions; privacy fine-tuning; offers help / forum)

 - TOR browser (Firefox ESR fork masking IP addresses via a volunteer server network, with traffic running through three nodes, though that slows response; adding extensions or modifying settings allows for fingerprinting)

 - LibreWolf (privacy-focused Firefox fork with uBlock Origin installed; extensions in Firefox Add-ons; download Windows installer here; offers FAQ)

 - Otter (created by Opera refugees; uses QtWebEngine wrapper around Chromium so the intrusive "auxiliary services that talk to Google platforms are stripped out"; support for Chrome store extensions not scheduled to arrive until v-2.0; Opera shortcuts are relevant; use forum for help)

 - Opera (Chromium fork with its own extensions, but ones from Chrome store can be added after installing Install Chrome Extensions; its free VPN is only a proxy; cannot change Google search on Speed Dial; offers help)

VikingVPN offers a hardening guide for Firefox, with it being mostly relevant for forks.

The premier ad-blocker, uBlock Origin, is available for Edge, Firefox, Vivaldi / Brave, Pale Moon / SeaMonkey, and Opera. It doesn't store browsing data and is more efficient than most. Native ad-blockers are included in Vivaldi (select Settings -> Privacy), Brave (enable it in Shields), Otter (enable in Tools->Content Blocking), and Opera (enable it in Settings).

Disabling JavaScript will halt most ads, prevent scrolling interference, and neuter malware, though it'll cripple web sites requiring login:

 - Chromium, Edge, Brave, SeaMonkey, Otter, Opera, and Chrome have a setting to disable JavaScript.

 - uBlock Origin can block JavaScript globally via a single selection (Dashboard->Settings) or block it per site (click on the icon in the browser toolbar and click on </> at the bottom right of the popup).

 - To disable JavaScript in Firefox and forks: type "about:config" in the address field, press Enter, accept the warning about being careful, type "java" in the search field, and double-click on "javascript.enabled" (you want Value=false).

 - To disable JavaScript in Chromium and forks: type "chrome://settings/content/javascript" in the address field, press Enter, and click on "Allowed" to toggle the setting.

Installing an additional browser and configuring it for JavaScript-free operation is worth considering.

In its list of browser recommendations, the FBI recommends that you not store passwords in them. Browser settings allow users to specify if logins, passwords, and addresses should be stored.

For Firefox, media autoplay can be prevented: type "about:config" in the address field, press Enter, accept the warning about being careful, type "media" in the search field, and double-click on "media.autoplay.default" (set value=1), though this setting sometimes blocks video you want to see. For Firefox ESR and Pale Moon, search for "media.autoplay.enabled" and set Value=false.

Chromium does not offer a media autoplay setting, though there are extensions that promise to do it. Disabling media autoplay is essential when viewing websites such as Reuters and Daily Mail which inundate users with popup video.

Some websites do not work properly when an uncommon browser is used because they simply look for a famous browser name and give up if one is not found (many websites are only tested with Edge, Firefox, Safari, and Chrome). Vivaldi slips on a Chrome avatar for problematic websites and Otter allows changing the name via Preferences->Advanced->Network.

Browsers often allow for website and download validation, for example, Firefox's "Block dangerous and deceptive content," Vivaldi's "Google phishing and malware protection," and Opera's "Protect me from malicious sites," with Google Safe Browsing used to verify URLs, recording your browsing history in the process. With respect to downloads, Firefox admits it "asks Google’s Safe Browsing service if the software is safe by sending it some of the download’s metadata." Antivirus will perform that check, so it can be disabled. Browser extensions which would accomplish the same thing are offered by some antivirus vendors, for example, Bitdefender TrafficLight (for Firefox and Chrome), Emsisoft Browser Security (for Firefox, Edge, and Chrome), and Avira Browser Safety (for Firefox, Opera, and Chrome). Your author queried vendors as to whether Google Safe Browsing was used, but only Bitdefender, Emsisoft, and Avira responded, with their replies being, respectively: "TrafficLight uses the Bitdefender engines to determine if a URL is or isn't detected," "We do not use Google Safe Browsing," and "We're using our own protection mechanism to scan for malicious URLs."

Browsers offer options to check spelling and use prediction services to more quickly load webpages. However, Google is subcontracted to do all this, meaning that everything you type is sent to Google to be stored forever in order to completely monetize your actions. Google explains its data-snarfing policies in detail in its Google Chrome Privacy Whitepaper. If you use Chrome, at least use incognito mode (other browsers call it private browsing).

Only install extensions you need. Ones that use CSP injection to modify headers can interfere with other add-ons. A basic Chrome Extension can "steal passwords from an online banking website." Most sell your browsing history. Some are redundant, for example, if uBlock Origin is installed, Ghostery and Privacy Badger aren't necessary. Chrome Store extensions have a reputation for malware, with 85% having no listed privacy policy and 32% using third-party libraries containing known software vulnerabilities.

On a related note, an arbitrarily named concept called punycode could cause you to access a web site via a homograph attack. It's only an issue with Firefox and forks, but it allows a URL to include ASCII coding to display foreign language characters that look like the ones you want, but are actually quite different, for example, using Russian letters instead of English ones. To prevent this in Firefox and forks: type "about:config" in the address field, press Enter, accept the warning about being careful, type "network.IDN_show_punycode" in the search field, and double-click on that entry (you want Value=true).




Q: Is it okay to leave the settings of my router on the default ones?

A: No. Disable remote administration (disable RDP, port 3389, on the router and all PCs), UPnP (Universal Plug and Play), telnet (port 23), ftp (port 21), and WPS (Wi-Fi Protected Setup). Default passwords must be changed to something reasonably difficult to guess.

Firmware should be updated as soon as updates are available, as routers will not auto-update or inform you that updates are available. Obtain updates only at the vendor's web site. Another option is to install Linux-based firmware, e.g., DD-WRT or Tomato, if your router is supported (many aren't), or buy a router which already has it installed.

And on a related note, the FBI recommends that since the security of IoT devices (for example, baby cams and smart appliances) is pretty much a joke, default passwords must be changed immediately and they should be on a separate network from everything else.





Q: How do I choose a secure password?

A: The best passwords are long sequences of ordinary words, for example, "maryhadalittlelambandsomewhitewine," because attackers guess the most likely possibilities, and, mathematically, the length of the password is exponentially more important than the complexity of the character-set used. 20 digits is currently too long to brute-force attack in a reasonable amount of time, but given the increasing speed of computers, that number will increase over time. Substituting a word that does not belong in the sequence will increase security, for example, "maryhadalittlelambandcukoowhitewine."




Q: How can I hide my IP address from web sites?

A: There are a number of ways to do that, but they usually involve a cost in money or response time.

Determine the IP of your router. For Windows PCs, use the instructions found here. Most virtual private network (VPN) provider websites can display your IP address, for example, NordVPN and ProtonVPN, with a VPN being a network of servers designed to reroute Internet traffic to mask IP addresses via an encrypted tunnel (read explanations from Mullvad VPN, VikingVPN, and NordVPN).

Research the parent company of your VPN. Kape Technologies, which formerly was a malware vendor, has bought Private Internet Access VPN, CyberGhost VPN, ExpressVPN, and ZenMate VPN, as well as websites that ostensibly offer objective reviews of VPNs.

Tor browser can be used to hide IP addresses. Tor is a volunteer network of servers that reroute your Internet traffic through a few nodes, often in different countries. Response is slower than normal. Tor depends on exit nodes, where the final server decrypts your data and passes it back to the Internet. Exit nodes, which are often owned by the NSA, can be used to read traffic of unsuspecting users, so Tor browser shouldn't be used for banking.

VPNs are essential when using public Wi-Fi. Free ones are problematic because they sell your browsing data to advertisers or install malware to add your PC to a botnet (especially Chinese and Russian VPNs). Tom's Guide and PC Magazine have recommendations for Windows -- PC Magazine also has recommendations for Linux -- and AV-Test tested twelve of them. A VPN cannot keep you completely anonymous. Using a VPN with https websites, as you should, results in double encryption. VPN vendors offer different speeds, with the fastest option being best for watching video. The NSA's Selecting and Hardening Remote Access VPN Solutions is worth reading.

By the way, Microsoft email servers are confused by VPNs and require verification via your alternate email or phone. If you plan to use a VPN with Microsoft email, make sure your VPN provider offers servers in your city.




Q: There are some Windows updates available for my old PC hardware running Windows 7/8.1. Should I accept them?

A: Microsoft has released some strange updates for older hardware ever since Windows 10 was released, some of which break things. For Windows 8.1 and previous: start Windows Update, select the update in question but don't click on the checkbox, click on "More information" to the right, and read the description that appears in IE. If the description is generic and/or irrelevant, don't accept it. This assumes you set Windows Update policy to "Check for updates but let me choose whether to download and install them" and deselected the setting marked "Give me recommended updates the same way I receive important updates," as Microsoft can no longer be trusted.


To refuse future drivers in Windows 10, you need to do two things, though the second is not available with Home or S:

 - Open Control Panel. Click on "System and Security." Click on "System." Click on "Advanced system settings." Click on the "Hardware" tab. Click on "Device Installation Settings." Click on "No." Click on "OK."

 - Type Win-r (Win is the Windows key), which will display a pop-up to enter commands. Type "gpedit.msc" and click on "OK." Double-click on "Administrative Templates" under "Computer Configuration." Double-click on "Windows Components." Double-click on "Windows Update." Right-click on "Do not include drivers with Windows Update" and select "Edit." Click on the "Enabled" checkbox and click on "OK."




Q: How do I research an error message shown on my Windows PC?

A: Copy the error message exactly and note the time of the event. If your PC is still running, copy and paste it into a file and save it. If your error message is shown on a black, blue, or cyan screen -- called a Stop Error, Blue Screen of Death (BSOD), or blue screen -- copy the error message quickly, because it will only be displayed for a short time (for Windows 7 and previous, it will be the second or third line of text; for Windows 8/8.1/10, it will be found at the bottom-right of the text). Looking at Windows event logs (read Microsoft instructions and Bleeping Computer instructions) may give additional insight, especially if the error code flashed by too quickly to copy. Here's a Microsoft list of blue screen error messages. If you changed any hardware recently, that should be the first thing you investigate.

Search on the text of your error message at Microsoft Community to see if you can find a relevant answer. To debug BSODs, peruse Microsoft's Troubleshoot blue screen errors. Other BSOD forums are TenForums' BSOD forum and Bleeping Computer's BSOD forum.

You could do an Internet search on the exact text of your error message, but there are many web sites designed to attract you so they can make money on their ads or malware. To prevent this, use a browser which allows for JavaScript to be disabled (see the next section for details, though you may need to install a second browser). Look at several answers and see what the general consensus is, as most web sites contain nonsense or worse.




Q: My external drive displays errors. How do I fix it?

A: The problem with computers is that there are many variables. The drive could be on its way out. The external enclosure could be having problems. The cable could be problematic. And even the USB port could be failing, which could mean the PC's motherboard is toast.


HDDs usually fail with some notice, so making an immediate backup is the best policy. SSDs sometimes fail with some notice, but they can fail catastrophically. If making a backup is not possible, remove the drive from the enclosure and use it in another unit to retrieve the data, assuming the drive isn't the problem, of course.

Determine which hardware unit is defective via substitution. Use different equipment and see if the errors continue (this is why computer shops keep old parts). Ask your friends to see if they have a similar unit.

As for the USB port, assuming it's USB 3.0, use a USB 2.0 cable to convert 3.0 to 2.0 (StarTech USBEXTAA6IN USB 2.0 6" extension cable would be a good choice), as 3.0 is known for problems as parts age, but 2.0 is about as reliable as computer parts get.




Q: How can I make my PC faster?

A: You can upgrade memory, processor (for desktops), and/or system drive.

A minimum of 8 GB of memory is recommended for the average PC (any less and the PC might slow down due to paging). Choose the proper generation -- DDR, DDR2, DDR3, DDR4, and DDR5 -- as they are physically not interchangeable. Memory must be installed in matched sets in terms of both speed and latency. If a mixed bag of memory is present, the system will run at the slowest common denominator. Research both your motherboard and processor to learn what memory speeds both support, choosing the fastest common one (it's usually okay to choose a slightly faster one for reasons of price or availability, though the system will not run at that speed). Make sure you do not buy too much for your PC, as motherboards only support a certain quantity. Memory problems are common with no-name memory. The firms supplying around 95% of DRAM, the chips populating memory sticks, are Samsung, SK hynix, and Micron (Crucial is Micron's retail division), with most memory vendors buying DRAM from the big-three. Samsung and SK hynix do not sell in the US retail market, though used memory can be found at eBay and Amazon.

For processors, the answer is different depending upon whether the PC is a desktop or laptop. For the most part, new desktop processors are available for sale for a few years, with used ones being available after PC recyclers offer them after PCs die (avoid ones with blackened areas or smashed corners). Currently, most laptop processors are soldered onto the motherboard, making replacement problematic.

This paragraph only pertains to desktop processors. The processors a motherboard or OEM PC supports are included in the documentation for it, usually available online (Intel processors cannot be installed on AMD sockets and vice versa -- here are instructions for Intel processors and AMD processors -- but note that improper installation can destroy the motherboard). Moving from a one or two core processor to one that has four or more cores will certainly speed up your PC. Keep your old one as a spare, as you might need it. And before you swap processors, upgrade to the latest BIOS, because support for processors is added as they are released by the vendor (if support for a processor is not included in BIOS, the PC may not even boot).

However, the best bang for the buck is to upgrade from an HDD to an SSD. This will require either cloning the system drive or reinstalling the operating system on the new drive, though cloning often has the restriction that the new drive be at least as large as the old one. Better SSDs include instructions on cloning, with many vendors offering a free version of Acronis True Image, the usual method.

SSDs use NAND flash for non-volatile storage, as compared to spinning discs and read/write heads of HDDs. The companies which actually manufacture NAND are Samsung, Kioxia (née Toshiba; OCZ is a retail division), Micron Technology (Crucial is a retail division), Western Digital (SanDisk was an acquisition in 2016), SK hynix, and Intel, ranked from largest to smallest. Reviews from Tom's Hardware, Anandtech, and Storage Review are trustworthy.

For current consumer PCs, there are two SSD form factors: 2.5" SATA and M.2 NVMe (M.2 SATA SSDs, the immediate ancestor of M.2 NVMe SSDs, have different connectors). New PCs usually have an NVMe socket. NVMe SSDs run very hot, with laptops benefitting greatly from a stand where air can circulate.

There are two types of SSDs: consumer and enterprise. The latter are more expensive and often offer power protection, with capacitors being used to provide sufficient power for data to make its way to its destination after a power loss (sudden power loss has been known to brick SSDs). Enterprise SSDs consume more power and generate more heat than consumer SSDs and are therefore not acceptable for use in laptops, and are often problematic in external USB enclosures. Enterprise SSDs are often OEM, meaning that they employ the firmware of the OEM instead of the manufacturer (they will have the name of both the OEM and the manufacturer on the label).


For PCs that use Intel hardware, ones that use Sandy Bridge (2nd Generation Core) processors which first became available in 2011 remain competitive when upgraded with at least 8 GB of RAM and an SSD. For PCs that use AMD processors, look for ones that use Ryzen processors which first became available in 2017, with the same caveats about 8 GB of memory and SSDs.

SSDs should never be defragged. Windows often does not disable defragging, so manually verify it.

Be aware that vendors engineer PCs for the minimum requirements, especially Dell. New PCs arrive with a power supply unit (PSU) barely adequate for the hardware it contains, let alone any added hardware (and as PSUs age, their output decreases). When buying a replacement PSU, calculate the power requirement by adding up the worst-case power needs for all of the individual components, and then multiply by two at least (Seasonic offers a wattage calculator). PSUs are most efficient between 20% and 80% of the listed output. No-name PSUs often significantly inflate their advertised output.




Q: How can I secure-erase or wipe an SSD or USB flash drive?

A: Secure-erasing and wiping are two different, but related things. The former safely and efficiently eliminates only the files, while wiping sets each bit to 0 or 1. Over-provisioning, only applicable to SSDs, reserves some of the storage for use as a buffer (it's usually configurable via the vendor's management utility), while wear leveling, applicable to both SSDs and USB flash drives, ensures that the NAND is used evenly so that it ages in perfect harmony.

It is important to remember that wiping an SSD or USB flash drive reduces that drive's lifetime by its capacity. A full wipe, whether via diskpart, DBAN, shred, or dd, should only be done if you want to permanently eliminate data before disposing of the drive or if the drive has problems.

A vendor's management utility is required to secure-erase SSDs (secure-erase is not applicable for USB flash drives):

 - NAND manufacturers: Samsung Magician, SK hynix Drive Manager (download here), Micron Storage Executive, Crucial Storage Executive (Crucial is Micron's retail division, but utilities are not interchangeable), Western Digital SSD Dashboard, SanDisk SSD Dashboard (WD bought SanDisk in 2016), Kioxia (née Toshiba; OCZ is a retail division) SSD Utility, and Intel SSD Toolbox.

 - NAND buyers from the above manufacturers: Corsair SSD Toolbox, Kingston SSD Manager, ADATA SSD Toolbox, Team Group SSD Toolbox, Patriot Memory SSD Toolbox (click on any SSD and then "Toolbox"), and Silicon Power SSD Toolbox (secure-erase is only for industrial SSDs).

The best method of eliminating data from SSDs is secure-erase; the second-best method is to delete the partition(s) (note that partitions will be eliminated by secure-erasing) and quick-format (the second method is applicable for USB flash drives). Then leave the drives powered on in an external dock or PC for at least one day to allow TRIM / garbage collection to complete.

On Windows, Disk Management (right-click on My Computer / This PC, then select Disk Management) can usually, but not always, delete partitions (it has trouble with OEM partitions and those created via Linux).

The Windows tool diskpart can remove partitions and wipe HDDs, SSDs, and USB flash drives, except for partitions created under Linux. To start it, open a command prompt as administrator and enter "diskpart" without the quotation marks. Enter "list disk" to see all drives. Note the entries; you must determine which is which by the size and order (the last one inserted will be the last one listed). Using the proper one for 'X', enter "select disk X"; enter "list partition" to see all on that drive; enter "select partition X" to choose the partition; enter "delete partition" to remove it or enter "clean all" to wipe the drive (it will take a while, with no status indicator).

USB flash drives sometimes become recalcitrant given that they usually employ bargain-basement NAND and controllers. A full wipe is sometimes necessary. That said, it's usually sufficient to remove their partitions and quick-format. The Linux-only GNOME Disk Utility is an efficient method of doing that, albeit not securely (the utility also works for SSDs and HDDs): select the device on the left menu; click on the upper-right icon with three vertical dashes; from that menu, select "Format Disk" and follow the prompts until finished.

The Linux-only GParted (here's a tutorial) can usually delete partitions, but always verify that the device (GParted -> Devices) is set to the one you think it is, as it will allow you to delete partitions of the device your operating system is on.

DBAN, a freeware utility burned onto a CD-ROM or USB flash drive, will wipe HDDs, SSDs, and USB flash drives, whether created under Windows or Linux. A one-pass wipe is sufficient, with more passes only necessary to thwart the NSA. DBAN is recommended by Intel for recalcitrant SSDs, though it will shorten the lifespan of SSDs and USB flash drives by their capacity. If DBAN fails, the drive is most likely ready for recycling.

The Linux-only shred sets each bit of an SSD, HDD, or USB flash drive to random 0s and 1s. The following example will set each bit to a random 0/1 using one pass, with "/dev/sdx" being the drive to be wiped (use GParted to determine it): "shred -vn 1 /dev/sdx". Shred will remove any partition, Windows or Linux; running it for five seconds is sufficient.

The Linux-only dd can set each bit of an SSD, HDD, or USB flash drive to 0s, though that's not its usual purpose (copying ISO files is). The following example will set each bit to 0, with "/dev/sdx" being the drive to be wiped (use GParted to determine it): "dd if=/dev/zero of=/dev/sdx status=progress".
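An added example, not part of the original FAQ: a guard and a read-back check to wrap around the dd wipe above. It refuses a drive that still has a mounted filesystem or active swap and, after the wipe, counts any non-zero bytes left; the function names and the sample lsblk output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.

# in_use_mounts LSBLK_PAIRS
# LSBLK_PAIRS is the output of: lsblk -Po NAME,MOUNTPOINT /dev/sdx
# Prints "name mountpoint" for each node of the drive that is mounted or is
# active swap. lsblk lists partitions, LVM and LUKS children of the drive too.
in_use_mounts() {
    printf '%s\n' "$1" |
        sed -n 's/^NAME="\([^"]*\)" MOUNTPOINT="\([^"][^"]*\)"$/\1 \2/p'
}

# safe_to_wipe LSBLK_PAIRS: succeeds only when nothing on the drive is in use.
safe_to_wipe() {
    # No lsblk data at all (wrong device name, lsblk failed): refuse.
    printf '%s\n' "$1" | grep -q '^NAME="' || return 2
    [ -z "$(in_use_mounts "$1")" ]
}

# nonzero_bytes PATH: prints how many bytes of PATH are not 0x00.
nonzero_bytes() {
    [ -r "$1" ] || return 2
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# verify_zeroed PATH: succeeds only if PATH is readable and reads back all zeros.
verify_zeroed() {
    count=$(nonzero_bytes "$1") || return 2
    [ "$count" -eq 0 ]
}

# Constructed sample: the system disk, which must be refused.
SAMPLE_BUSY='NAME="sda" MOUNTPOINT=""
NAME="sda1" MOUNTPOINT="/boot/efi"
NAME="sda2" MOUNTPOINT="/"
NAME="sda3" MOUNTPOINT="[SWAP]"'

# Constructed sample: an unmounted USB flash drive, which may be wiped.
SAMPLE_IDLE='NAME="sdx" MOUNTPOINT=""
NAME="sdx1" MOUNTPOINT=""'

# On a real drive (sdx is the FAQ's placeholder), run as root:
#   safe_to_wipe "$(lsblk -Po NAME,MOUNTPOINT /dev/sdx)" || exit 1
#   dd if=/dev/zero of=/dev/sdx status=progress
#   verify_zeroed /dev/sdx && echo "read-back is all zeros"
```

A clean read-back covers only the addresses the drive exposes to the operating system; over-provisioned NAND is not visible to it.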

If you are curious about Linux data recovery, read the technical webpages from Arch Linux and Ubuntu.
