For example, Signal is a great app to use for private communication but if you use Signal on Windows OS then how private is the communication really? Typical Windows users aren’t good at security and Windows users also have a high amount of malware which can spy on the conversations. It was just an example for privacy starts with the hardware.
I have read a lot of people in privacy communities recommend buying older thinkpads and basically anything that Heads supports. The problem is not that they are old, the problem is they are second hand. You don’t know what the previous owner have been doing on the laptop and who might have had access to it. Remember, Windows users are typically not good at security and malware spreads commonly in Windows.
If a malware flashes a ROM then you buy their laptop and erase the hdd or ssd or buy a new hdd/ssd, then you flash coreboot to the computer. After all this the malware can still remain in the firmware and you would never know unless the malware makes itself obviously known by a ransom attack or stealing all your crypto or something.
There is nothing you can do to prevent this risk other than avoiding used computers.
Then there’s the entirely other debate if it’s even worth it for security & privacy to buy an old brick that is supported by Heads. And I’m not experienced enough on that topic yet although I’m learning about it and getting closer to being able to come to my own conclusion with the help of all the experts who have written about it.
These old bricks don’t get microcode updates for the CPU which means you will be vulnerable to many Spectre and Meltdown attacks. QubesOS can mitigate it to some degree such as by disabling hyperthreading, but QubesOS can’t mitigate it completely, only microcode updates can and these old bricks don’t receive them.
But the main point I wanted to make in this topic is about risk with used second hand laptops. Because of that I think it probably is best to buy a new unused laptop. Off the shelf for cash is best but maybe not depending on which country you live in. fed upgrade factories are a thing and some countries have it happening more than others. In that case maybe it’s better to order a laptop from one of those laptop vendors who ship it with tamper proof container, although it will be very expensive with taxes/customs but worth it.
I have respect for what you’re saying and I would like to think you’re right. I don’t have the experience myself to know, I just listen to what experts like you are saying. But I have also read other experts say worrying things like this (https://www.srlabs.de/blog-post/usb-peripherals-turn):
What do you think about that?
That is part of the unavoidable risk. There are some entities we can’t avoid having to place some trust in. But I think the risk is higher buying second hand instead of from a reputable brand and off the shelf. And the previous owner was also at risk of such a mitm attack from the vendor.
If you have a password with 100+ entity then practically I don’t think we need to worry about bruteforce attack, or am I wrong about that? But you are still making a good point about there being many attack surfaces to defend against, it’s not only about where you buy it from.
malware living on the bios rom could possibly live through an internal bios flash (normal “update firmware” thing in the bios or things like ivyrain) if it somehow manages to manipulate that process.
however, it is always overwritten by an external bios flash (using a raspberry pi or something using flashrom), because then you’re directly communicating with the flash chip. (if you suspect that the flash chip has been replaced with a malicious one you’re probably a bit schizo)
one thing is though is that the flash on the embedded controller is left untouched in most operations like this, so it could possibly harbor malware, but the only thing that could possibly do is make your laptop unusable or die randomly. It can’t really affect the software running on it i’d think. What you’d want to do if you’re really schizo and suspect your EC is infected is to externally flash lenovo firmware and use something like this to update the EC before externally flashing Heads.
the chain of trust for your installer USB would be something you can’t really avoid though, just use the most trustworthy computer you have
I hope you are right, it would really make it easier if it’s just an external boot rom flash that is needed. I mean I know that feds can plant chips in the silicon and you wouldn’t find it if they had covert physical access and there’s no glitter nail polish to protect the screws, but in this case they are not the adversary, in this case it’s just random cyber criminals who are the adversary when you buy a second hand laptop.
That article I linked to seems to suggest the malware can persist by hiding in any usb peripheral even camera. I think bluetooth is usb as well if i am not mixing it up with something else but i remember reading bluetooth is actually using usb bus. But anyway you mentioned only the boot rom and EC, you didn’t mention other peripherals so that’s why I’m replying and asking what you know about it. Do you think that linked article is mostly FUD and a bit incorrect when it says a malware can hide in the hardwired webcam or other USB components inside the computer?
It depends on the model of the computer. I have personally librebooted a t440p thinkpad and although perhaps a usb controller can be reprogrammed. Id fine that highly unlikely, i had to buy a specific programmer, then realized the kind people on the libre boot form recommended a raspberry pi to program the ROM chips on the thinkpad. I then had to deconstruct the thinkpad to get acess to the 2 chips on the motherboard housing 2 firmwares. For the BIOs, i believe that it is highly unprobable for a usb port to re-program a usb HID device like a keyboard, mouse or camera. There a specific chips that are ESP programmers they are designed in a very particular way and exclusively are for programing and reading. Most chips are read only chips on USB devices for long jevity. And technically you can reprogram them, however you need an ESP programmer to connect to them and flash. And lets say theoretically you reprogram them with malware, it would be extremely hard to guess the manufacture of the usb controller chip as well as the layout of what pin does what. It was very complex to program an bios chip and certain models of computers have multible chip for certain things like firmware blobs. I think the artical is highly theoretical and never showed any real exploits being used in the wild. Im not an electronics engineer or anything but from what i know about playing with libre boot and arduinos it sounds unrealistic like 1995s hackers/watch dogs to reprogram usb bus’s with a built in usb bus.
i mean there’s a possibility of malware hiding in usb peripherals since they have flash, and for thinkpads I think the camera, touchpad, smartcard reader are usually usb. If they hypothetically acted as usb mice/keyboards/network adapters/display devices, they could possibly infect your system ig