The Most Secure, Modern Computer Might Be A Mac

March 25, 2026 by Bryan Cockfield 13 Comments

The Linux world is currently seeing an explosion in new users, thanks in large part to Microsoft turning its Windows operating system into the most intrusive piece of spyware in modern computing. For those who value privacy and security, Linux has long been the safe haven where there’s reasonable certainty that the operating system itself isn’t harvesting user data or otherwise snooping where it shouldn’t be. Yet even after solving the OS problem, a deeper issue remains: the hardware itself. Since around 2008, virtually every Intel and AMD processor has included coprocessors running closed-source code known as the Intel Management Engine (IME) or AMD Platform Security Processor (PSP).

These components operate entirely outside the user’s and operating system’s control. They are given privileged access to memory, storage, and networking and can retain that access even when the CPU is not running, creating systemic vulnerabilities that cannot be fully mitigated by software alone. One practical approach to minimizing exposure to opaque management subsystems like the IME or PSP is to use platforms that do not use x86 hardware in the first place. Perhaps surprisingly, the ARM-based Apple M1 and M2 computers offer a compelling option, providing a more constrained and clearly defined trust model for Linux users who prioritize privacy and security.

Before getting into why Apple Silicon can be appealing for those with this concern, we first need to address the elephant in the room: Apple’s proprietary, closed-source operating system. Luckily, the Asahi Linux project has done most of the heavy lifting for those with certain Apple Silicon machines who want to go more open-source. In fact, Asahi is one of the easiest Linux installs to perform today even when compared to beginner-friendly distributions like Mint or Fedora, provided you are using fully supported M1 or M2 machines rather than attempting an install on newer, less-supported models. The installer runs as a script within macOS, eliminating the need to image a USB stick. Once the script is executed, the user simply follows the prompts, restarts the computer, and boots into the new Linux environment. Privacy-conscious users may also want to take a few optional steps, such as verifying the Asahi checksum and encrypting the installation with LUKS but these steps are not too challenging for experienced users.

Black Boxes

Changing the operating system on modern computers is the easy part, though. The hard part is determining exactly how much trust should be placed in the underlying hardware and firmware of any given system, and then deciding what to do to make improvements. This is where Apple Silicon starts to make a compelling case compared to modern x86 machines. Rather than consolidating a wide range of low-level functionality into a highly privileged black box like the IME or PSP, Apple splits these responsibilities more narrowly, with components like the Secure Enclave focusing on specific security functions instead of being given broad system access.

Like many modern systems, Apple computers include a dedicated security coprocessor alongside the main CPU, known as the Secure Enclave Processor (SEP). It runs a minimal, hardened operating system called sepOS and is isolated from the rest of the system. Its primary roles include securely storing encryption keys, handling sensitive authentication data, and performing cryptographic operations. This separation helps ensure that even if the main operating system is compromised, secrets managed by the SEP remain protected.

The Chain of Trust

To boot an Apple Silicon computer, a “chain of trust” is followed in a series of steps, each of which verifies the previous step. This is outlined in more detail in Apple’s documentation, but starts with an immutable boot ROM embedded in the system-on-chip during manufacturing. It first verifies early boot stages, including the low-level bootloader and iBoot, which in turn authenticate and verify the operating system kernel and system image before completing the boot process. If any of these verification steps fail, the system halts booting to prevent unauthorized or compromised code from executing.

Perhaps obvious at this point is that Apple doesn’t sign Asahi Linux images. But rather than allowing unrestricted execution like many PCs, or fully locking down the device like a smartphone, Apple’s approach takes a middle way. They rely on another critical piece of “security hardware” required to authorize that third-party OS: a human user. The Asahi Linux documentation discusses this in depth, but Apple’s secure boot system allows the owner of the computer to explicitly authorize additional operating systems by creating a custom boot policy within the user-approved trust chain. In practice, this means that the integrity of the boot process is still enforced, but the user ultimately decides what is trusted. If a boot component is modified outside of this trust chain, the system will refuse to execute it. In contrast to this system, where secure boot is enforced by default and only relaxed through explicit user action, x86 systems can treat these protections as optional. A motivated x86 user can achieve a comparable level of security, but they must assemble and maintain it themselves, as well as figure it out in the first place.

Reducing the Attack Surface

The limited scope of Apple’s Secure Enclave gives it a much smaller attack surface compared to something like the Intel Management Engine. As mentioned before, the IME combines a wider range of functionality, including features designed for low-level remote system management. This broader scope increases its complexity and, by extension, its attack surface which has led to several high-profile vulnerabilities. Apple’s Secure Enclave, by contrast, is designed with a much narrower focus. That’s not to say it’s a perfect, invulnerable system since it’s also a closed-source black box, but its limited responsibilities inherently reduce that attack surface.

It’s also worth mentioning that there are a few other options for those who insist on x86 hardware or who refuse to trust Apple even in the most minimal amount, but who still consider the IME and its equivalents as unacceptable security risks. Some hardware manufacturers like NovaCustom and even Dell have given users the option of disabling the IME (although this doesn’t remove it entirely), and some eight and ninth generation Intel machines can have their management engines partially disabled by the user as well. In fact these are the computers that my own servers are based on for this reason alone. Going even further, it is possible to get a 2018-era Thinkpad to run the open-source libreboot firmware. However, libreboot installations can become extremely cumbersome, and even then you’ll be left with a computer that lacks the performance-per-watt and GPU capabilities of even the lowest-tier M1 machines. In my opinion, this compromise of placing a kernel of trust in Apple is the lesser evil for most people in most situations, at least until libreboot is able to support more modern machines and/or until the libreboot installation process is able to be streamlined.

I’ll also note here that Apple is far from a perfect company. Their walled garden approach is inherently anti-consumer, and they’ve rightly taken some criticism for inflating hardware costs, deliberately making their computers difficult to repair, enforcing arbitrary divisions between different classes of products to encourage users to buy more devices, and maintaining a monopolistic and increasingly toxic app store.

But buying an M1 or M2 machine on the used market won’t directly give Apple any money, and beyond running the Asahi installer script doesn’t require interacting with any Apple software or their ecosystem in any way, beyond the initial installation. I’ve argued in the past that older Apple computers make excellent Linux machines for these reasons as well, and since the M1 and M2 machines eliminate the IME risk of these older computers they’re an even better proposition, even without considering the massive performance gains possible.

Ultimately, though, the best choice of hardware depends on one’s threat model and priorities. If the goal is to minimize exposure to IME/PSP-level risks while retaining semi-modern performance, an M1/M2 Mac with Asahi Linux is one of the best options available today. But if fully open hardware is non-negotiable, you’ll need to accept older or less powerful machines… for now.

AirTag Has Hole Behind The Battery? It’s Likely Been Silenced

February 17, 2026 by Donald Papp 34 Comments

Apple AirTags have speakers in them, and the speaker is not entirely under the owner’s control. [Shahram] shows how the speaker of an AirTag can be disabled while keeping the device watertight. Because AirTags are not intended to be opened or tampered with, doing so boils down to making a hole in just the right place, as the video demonstrates.

By making a hole in just the right place, the speaker can be disabled while leaving water resistance intact.

How does putting a hole in the enclosure not compromise water resistance? By ensuring the hole is made in an area that is already “inside” the seal. In an AirTag, that seal is integrated into the battery compartment.

Behind the battery, the enclosure has a small area of thinner plastic that sits right above the PCB, and in particular, right above the soldered wire of the speaker. Since this area is “inside” the watertight seal, a hole can be made here without affecting water resistance.

Disabling the speaker consists of melting through that thin plastic with a soldering iron then desoldering the (tiny) wire and using some solder wick to clean up. It’s not the prettiest operation, but there are no components nor any particularly heat-sensitive bits in that spot. The modification has no effect on water resistance, and isn’t even visible unless the battery is removed.

In the video below, [Shahram] uses a second generation AirTag to demonstrate the mod, then shows that the AirTag still works normally while now being permanently silenced.

Continue reading “AirTag Has Hole Behind The Battery? It’s Likely Been Silenced” →

Making A Functional Control Panel Of The Chernobyl RBMK Reactor

February 11, 2026 by Maya Posch 16 Comments

Control panels of a pre-digitalization nuclear plant look quite daunting, with countless dials, buttons and switches that all make perfect sense to a trained operator, but seem as random as those of the original Enterprise bridge in Star Trek to the average person. This makes the reconstruction of part of the RBMK reactor control by the [Chornobyl Family] on YouTube a fun way to get comfortable with one of the most important elements of this type of reactor’s controls.

The section that is built here pertains to the control rods of the RBMK’s reactor, its automatic regulations and emergency systems like AZ-5 and BAZ. The goal is not just to have a shiny display piece that you can put on the wall, but to make it function just like the real control panel, and to use it for demonstrations of the underlying control systems. The creators spent a lot of time talking with operators of the Chornobyl Nuclear Plant – which operated until the early 2000s – to make the experience as accurate as possible.

Although no real RBMK reactor is being controlled by the panel, its ESP32-powered logic make it work like the real deal, and even uses a dot-matrix printer to provide logging of commands. Not only is this a pretty cool simulator, it’s also just the first element of what will be a larger recreation of an RBMK control room, with more videos in this series to follow.

Also covered in this video are the changes made after the Chernobyl Nuclear Plant’s #4 accident, which served to make RBMKs significantly safer, albeit at the cost of more complexity on the control panel.

Continue reading “Making A Functional Control Panel Of The Chernobyl RBMK Reactor” →

The function generator circuit on a breadboard

555-Based Square-Wave And Triangle-Wave Function Generator Build For Beginners

February 7, 2026 by John Elliot V 8 Comments

Over on YouTube [Andrew Neal] has a Function Generator Build for Beginners.

As beginner videos go this one is fairly comprehensive. [Andrew] shows us how to build a square-wave generator on a breadboard using a 555 timer, explaining how its internal flip-flop is controlled by added resistance and capacitance to become a relaxation oscillator. He shows how to couple a potentiometer to vary the frequency.

He then adds an integrator built from a TL082 dual op amp to convert the circuit to a triangle-wave generator, using its second op amp to build a binary inverter. He notes that a binary inverter is usually implemented with a comparator, but he uses the op amp because it was spare and could be put to good use. Again, potentiometers are added for frequency control, in this case a 1 MΩ pot for coarse control and a 10 kΩ pot for fine control. He ends with a challenge to the viewer: how can this circuit be modified to be a sine-wave generator? Sound off in the comments if you have some ideas!

If you’re interested to know more about function generators check out A Function Generator From The Past and Budget Brilliance: DHO800 Function Generator.

Continue reading “555-Based Square-Wave And Triangle-Wave Function Generator Build For Beginners” →

Welding Nuts Inside Metal Tubes, Painlessly

February 6, 2026 by Donald Papp 37 Comments

[Jer Schmidt] needed a way to put a lot of M8 bolts into a piece of square steel tubing, but just drilling and tapping threads into the thin steel wouldn’t be strong enough. So he figured out a way to reliably weld nuts to the inside of the tube, and his technique works even if the tube is long and the inside isn’t accessible.

Two smaller holes on either side. Weld through the holes. A little grinding results in a smooth top surface.

Essentially, one drills a hole for the bolt, plus two smaller holes on either side. Then one welds the nut to the tubing through those small holes, in a sort of plug weld. A little grinding is all it takes to smooth out the surface, and one is left with a strong threaded hole in a thin-walled tube, using little more than hardware store fasteners.

The technique doesn’t require access to the inside of the tube for the welding part, although getting the nut back there in the first place does require a simple helper tool the nut can slot into. [Jer] makes one with some scrap wood and a table saw, just to show it doesn’t need to be anything fancy.

Another way to put a threaded hole into thin material is to use a rivnut, or rivet nut (sometimes also used to put durable threads into 3D prints) but welding a plain old nut to the inside was far more aligned with what [Jer] needed, and doesn’t rely on any specialty parts or tools.

[Jer]’s upcoming project requires a lot of bolts all the way down long tubing, which is what got him into all of this. Watch it in action in the video below, because [Jer] has definitely worked out the kinks, and he steps through a lot of tips and tricks to make the process painless.

Thanks [paulvdh] for the tip!

Continue reading “Welding Nuts Inside Metal Tubes, Painlessly” →

Gimmick Sunglasses Become Easy Custom Helmet Visor

February 5, 2026 by Donald Papp 6 Comments

[GizmoThrill] shows off a design for an absolutely gorgeous, high-fidelity replica of the main character’s helmet from the video game Satisfactory. But the best part is the technique used to create the visor: just design around a cheap set of full-face “sunglasses” to completely avoid having to mold your own custom faceplate.

One of the most challenging parts of any custom helmet build is how to make a high-quality visor or faceplate. Most folks heat up a sheet of plastic and form it carefully around a mold, but [GizmoThrill] approached the problem from the other direction. After spotting a full-face sun visor online, they decided to design the helmet around the readily-accessible visor instead of the other way around.

The first thing to do with the visor is cover it with painter’s tape and 3D scan it. Once that’s done, the 3D model of the visor allows the rest of the helmet to be designed around it. In the case of the Satisfactory helmet, the design of the visor is a perfect match for the game’s helmet, but one could easily be designing their own custom headgear with this technique.

With the helmet 3D printed, [GizmoThrill] heads to the bandsaw to cut away any excess from the visor, and secure it in place. That’s all there is to it! Sure, you don’t have full control over the visor’s actual shape, but it sure beats the tons and tons of sanding involved otherwise.

There’s a video tour of the whole process that shows off a number of other design features we really like. For example, metal mesh in the cheek areas and in front of the mouth means a fan can circulate air easily, so the one doesn’t fog up the inside of the visor with one’s very first breath. The mesh itself is concealed with some greebles mounted on top. You can see all those details up close in the video, embedded just below.

The helmet design is thanks to [Punished Props] and we’ve seen their work before. This trick for turning affordable and somewhat gimmicky sunglasses into something truly time-saving is definitely worth keeping in mind.

Continue reading “Gimmick Sunglasses Become Easy Custom Helmet Visor” →

Balancing A Turbine Rotor To 1 Milligram With A DIY Dynamic Balancer

January 25, 2026 by Maya Posch 19 Comments

Although jet engines are theoretically quite simple devices, in reality they tread a fine line between working as intended and vaporizing into a cloud of lethal shrapnel. The main reason for this is the high rotational speed of the rotors, with any imbalance due to poor manufacturing or damage leading to undesirable outcomes. It’s for this reason that [AlfMart CNC Garage] on YouTube decided to spend some quality time building a balancer for his DIY RC turbine project and making sure it can prevent such a disaster scenario.

In the previous part of the series the turbine disc was machined out of inconel alloy, as the part will be subjected to significant heat as well when operating. To make sure that the disc is perfectly balanced, a dynamic balancing machine is required. The design that was settled on after a few failed attempts uses an ADXL335 accelerometer and Hall sensor hooked up to an ESP32, which is said to measure imbalance down to ~1 mg at 4,000 RPM.

A big part of the dynamic balancing machine is the isolation of external vibrations using a bearing-supported free-floating structure. With that taken care of, this made measuring the vibrations caused by an imbalanced rotor much easier to distinguish. The ESP32 is here basically just to read out the sensors and output the waveforms to a connected PC via serial, with the real work being a slow and methodical data interpretation and balancing by hand.

Continue reading “Balancing A Turbine Rotor To 1 Milligram With A DIY Dynamic Balancer” →