For example, Signal is a great app to use for private communication, but if you use Signal on Windows then how private is the communication really? Typical Windows users aren’t good at security and Windows users also have a high amount of malware which can spy on the conversations. It was just an example of how privacy starts with the hardware.
I have read a lot of people in privacy communities recommend buying older ThinkPads and basically anything that Heads supports. The problem is not that they are old, the problem is they are second hand. You don’t know what the previous owner has been doing on the laptop and who might have had access to it. Remember, Windows users are typically not good at security and malware spreads commonly in Windows.
If malware flashes a ROM, then you buy their laptop and erase the HDD or SSD or buy a new HDD/SSD, then you flash coreboot to the computer. After all this the malware can still remain in the firmware and you would never know unless the malware makes itself obviously known by a ransom attack or stealing all your crypto or something.
There is nothing you can do to prevent this risk other than avoiding used computers.
Then there’s the entirely other debate if it’s even worth it for security & privacy to buy an old brick that is supported by Heads. And I’m not experienced enough on that topic yet although I’m learning about it and getting closer to being able to come to my own conclusion with the help of all the experts who have written about it.
These old bricks don’t get microcode updates for the CPU which means you will be vulnerable to many Spectre and Meltdown attacks. QubesOS can mitigate it to some degree such as by disabling hyperthreading, but QubesOS can’t mitigate it completely, only microcode updates can and these old bricks don’t receive them.
But the main point I wanted to make in this topic is about risk with used second hand laptops. Because of that I think it probably is best to buy a new unused laptop. Off the shelf for cash is best, but maybe not depending on which country you live in. Fed upgrade factories are a thing and some countries have it happening more than others. In that case maybe it’s better to order a laptop from one of those laptop vendors who ship it in a tamper-proof container, although it will be very expensive with taxes/customs but worth it.
Might I suggest some therapy to help with what seems to be crippling paranoia?
first off chill out, Jason Bourne.
the threat mitigation is handled based on your threat model, not on a “defend all bases against anyone” approach. once you answer what your specific model is, then you can start building your defences. if your threat model is spouse looking through your shit, a password is more than adequate. if it’s the ~~border nazis~~ CBP, you go for encryption at rest. if it’s a toddler walking around the house smashing stuff, none of those will do you any good. there are people with complex threat models but I doubt they post on lemmy and they def don’t scour the classifieds for used Thinkpads. the idea that there are threat actors out there infecting random devices and then see what they catch is… def possible, but highly unlikely.
you’re perfectly safe using a 2nd hand enterprise-class laptop, like a Thinkpad, Elitebook, or Latitude, wiped clean. those are tough and resilient devices built for road warriors for everyday, heavy use. the good thing is, they get periodically swapped out for new models, so they can be had for cheap, and a huge majority of those haven’t seen a lick of any significant use.
those devices are worlds apart from the laptops you’re advocating buying (I assume you mean the consumer-class models) and definitely way cheaper, like a couple times over, while being infinitely expandable and serviceable with cheap, widely available and cross-generation compatible parts.
the final part is compartmentalisation and fungibility of devices. keep the minimum stuff you need on there, assume they will break, get lost or stolen, so encryption is mandatory, and have a tried and tested backup and restore procedure in place.
I’ve noted the product families specifically and what I wrote applies to them only, not every used device everywhere.
compartmentalisation and fungibility of devices
<insert thumbs-up emoji here>
What makes you think that new hardware coming from a manufacturer is more secure than second hand hardware?
There are numerous examples of hardware being compromised before it even got into its original packaging, let alone those intercepted during shipment.
In other words, at some point you need to realise that there are no guarantees in life.
If you’re paranoid, install a new drive, reflash/update the motherboard BIOS, clear the boot picture (a proof of concept rootkit storage vector was there), factory reset the motherboard, clean install an OS, install software from trusted sources only, don’t let any stranger use your PC without you watching, take extra steps to encrypt your drive, and finally securely limit privilege escalation to what you explicitly authorize. You’d be in the clear against 9999/10000 of attacks (I have no citation for this figure). You’d have to be super important, like a diplomat, tax chief, Microsoft IT director or small country royalty or something if you are to be targeted through an old ThinkPad.
(Tinfoil hat time)
Are you trying to evade info-stealing hackers, or the feds? From feds you’re somewhat out of luck: Intel ME and AMD PSP, in conspiracy-speak, are kinda like government backdoors, closed source, undocumented, with huge control over a processor. AMD example, Intel example. Apple hardware is no better, you had better hope they haven’t conveniently slipped up and left an arbitrary read/write endpoint in the software.
(Tinfoil hat off)
Assess your risk and threat level and take appropriate mitigation measures. The vast majority of exploited vulnerabilities will be through social engineering rather than software, and then software rather than hardware. The lowest hanging fruit is when there are open, easily accessible connections from the internet, software that can be exploited to freely escalate privilege, a user unwittingly leaking a secure credential, or physical access to a device by someone knowledgeable.
to be targeted through an old ThinkPad.
I’m not convinced that this needs targeting. At the same time, you can’t know if any of the former owners was an important person, or in the environment of one, just as you can’t know what shit they installed entirely carelessly.
Intel ME and AMD PSP, in conspiracy-speak are kinda like government backdoors, closed source, undocumented, with huge control over a processor.
In theory it’s possible that Intel ME is made to be spyware/backdoor for feds, but I don’t think it is, because if it was then why are there so many cyber criminals in the world who the feds can’t catch? There are lots of cyber criminals on the top wanted lists and feds want to catch them so badly. And that’s just the non-affiliated cyber criminals, then there are also nation sponsored hackers, for example North Korea has been in the spotlight recently for crypto hacks. And if Intel ME really was what we fear it could be in theory, then the USA’s enemies like Russia and China would be instantly defeated.
So even if it’s possible in theory, because it’s proprietary CPU firmware with its own OS and that’s scary, if it really was abused that way then wouldn’t the world be in a completely different situation?
Also, Intel wouldn’t need to have a backdoor in Intel ME. This source puts it well (https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/):
Intel and AMD do not need the co-processor to implement a backdoor - they can simply introduce CPU vulnerabilities like Spectre and Meltdown if they want to. If you do not trust a CPU vendor, the only mitigation is to not use said vendor.
So if you read that article, he says there’s no point in buying an old brick just to be able to disable Intel ME because of the above quote.
Hence I put that part of the comment with my tinfoil hat on, the world is out to get me specifically, trying to masquerade a well-publicized “security feature” as a backdoor to spy on whoever they please, when they could just as easily put unpublicized vulnerabilities elsewhere.
Yeah, if you can’t trust any of the CPU vendors, then you can’t trust desktop computers at all. Or you’d put a Faraday cage around your home or something to keep the internet out.
Also, cybercriminals simply can hide in countries where enforcement is lax to non-existent. Even if you break American or European rules, all American or European officers can do is their best to block them from their own countries’ services or tap the shoulder of the apparent source countries’ leaders, or in rare cases, dispatch a covert unit to intervene directly.
But the main point I wanted to make in this topic is about risk with used second hand laptops. Because of that I think it probably is best to buy a new unused laptop
Why would that be better? As far as I know, malware can and has been installed on brand new laptops. Ask Lenovo and Sony, if I remember well.
It sounds like you’re saying buying used second hand laptops can’t have malware from the manufacturers, only new laptops can but that is wrong.
If you buy second hand you still have that risk of malware from manufacturers and you also have the risk of malware received because of the previous owner’s bad opsec. So if you avoid second hand laptops then your risk is small, but with second hand it’s a bigger risk.
It sounds like you’re saying buying used second hand laptops can’t have malware from the manufacturers, only new laptops can but that is wrong.
Not at all, I’m just saying that you’re wrong in supposing it must be safer when purchased new. Nothing else.
These old bricks don’t get microcode updates for the CPU which means you will be vulnerable to many Spectre and Meltdown attacks. QubesOS can mitigate it to some degree such as by disabling hyperthreading, but QubesOS can’t mitigate it completely, only microcode updates can and these old bricks don’t receive them.
As far as I know, Linux is capable of loading its own, updated CPU microcode at boot time. I’m not sure if it’s being done by default, but this article probably means that it isn’t.
But the main thing is that the built-in microcode version is probably not that bad of a problem if you take care of it.
On https://osresearch.net/ it says the Linux kernel has some mitigations but it doesn’t protect entirely.
do you mean this part?
However, some of the vulnerabilities of this class cannot be effectively mitigated without updated CPU microcode.
(https://osresearch.net/Heads-threat-model/)
Linux can do microcode updates. I think what they meant is that the general mitigations (the retpolines and the page table isolation they mention near it) are what is not enough.
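The question the replies above keep circling (what the kernel can mitigate on its own versus what needs an updated microcode revision) can be answered from what the running kernel itself reports in sysfs. The script below is an added example, not code posted by anyone in this thread or by the Heads project. It reads the per-vulnerability status files and the cpuinfo microcode line; the real paths are /sys/devices/system/cpu/vulnerabilities and /proc/cpuinfo, but both are parameters so the same functions can be run against a constructed sample directory (build_sample_dir) that mimics a machine whose kernel mitigates Meltdown and Spectre v2 but reports MDS as still waiting on microcode. The function names are my own.

```shell
#!/bin/sh
# Added example (not from this thread): summarise the kernel's view of CPU
# vulnerability mitigations and report which entries still need microcode.
# Real paths: /sys/devices/system/cpu/vulnerabilities and /proc/cpuinfo;
# both are passed as parameters so the logic also runs against sample data.

# One line per vulnerability file: name, verdict, raw kernel status.
# Returns 1 if any entry still starts with "Vulnerable", else 0.
summarize_vulns() {
    vdir="$1"
    bad=0
    for f in "$vdir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*) verdict="ok" ;;
            Mitigation*)     verdict="mitigated" ;;
            Vulnerable*)     verdict="NEEDS ATTENTION"; bad=1 ;;
            *)               verdict="unknown" ;;
        esac
        printf '%-20s %-16s %s\n' "$name" "$verdict" "$status"
    done
    return $bad
}

# Names of entries where the kernel tried a mitigation but says the CPU
# lacks the microcode for it (status text contains "no microcode").
needs_microcode() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -qi 'no microcode' "$f"; then basename "$f"; fi
    done
}

# Microcode revision of the first CPU from a cpuinfo-style file. Compare it
# with what your distribution's intel-microcode / amd64-microcode package
# ships: if they differ, early microcode loading is not happening.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "$1"
}

# Constructed sample data (not captured from a real machine).
build_sample_dir() {
    d=$(mktemp -d)
    mkdir "$d/vulnerabilities"
    printf 'Mitigation: PTI\n' > "$d/vulnerabilities/meltdown"
    printf 'Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling\n' \
        > "$d/vulnerabilities/spectre_v2"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' \
        > "$d/vulnerabilities/mds"
    printf 'Not affected\n' > "$d/vulnerabilities/itlb_multihit"
    printf 'processor\t: 0\nmicrocode\t: 0x21\n' > "$d/cpuinfo"
    echo "$d"
}

# Live run when the real sysfs directory exists; harmless elsewhere.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    echo "microcode revision: $(microcode_revision /proc/cpuinfo)"
    summarize_vulns /sys/devices/system/cpu/vulnerabilities || \
        echo "microcode still needed for: $(needs_microcode /sys/devices/system/cpu/vulnerabilities)"
fi
```

On a machine like the ones discussed here, a status of the form "Vulnerable: ... no microcode" is the kernel telling you exactly what this sub-thread argues: retpolines and PTI are applied by the kernel, but the entries that depend on a newer microcode revision stay vulnerable until the distribution's microcode package (or a firmware update) supplies one the kernel can load.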
Ahh, very interesting! I think QubesOS only does mitigations, not microcode updates. So that’s a point for Linux in Linux vs QubesOS. I need to spend more time learning about these CPU vulnerabilities. One of the things I like about QubesOS is they do a lot of security stuff that many users don’t know about or understand. For example QubesOS doesn’t use the GPU in the Qubes because an attacker could get control of the GPU and see everything that the GPU renders, which means seeing the host (dom0) and all the Qubes.
I guess you can do that on Linux as well by disabling KVM passthrough of the GPU to the VMs.
And maybe disabling hyperthreading like QubesOS does isn’t necessary on Linux if the CPU microcode updates from the Linux kernel already solve that CPU vulnerability. Many things for me to look into regarding these CPU vulnerabilities.
QubesOS does make compartmentalizing much easier and smoother experience though.
“If a malware flashes a ROM then you buy their laptop and erase the hdd or ssd or buy a new hdd/ssd, then you flash coreboot to the computer. After all this the malware can still remain in the firmware and you would never know unless the malware makes itself obviously known by a ransom attack or stealing all your crypto or something.”
This is untrue. The previous owner could theoretically get a virus that, if it takes advantage of architecture exploits or zero-days, could install a malicious firmware blob within your BIOS. The odds of this are rather rare and it would rather have to be a widespread issue with the chipset, or a threat actor would need to know the exact firmware and model of your motherboard. Flashing a new BIOS or updating your BIOS clears the chip that stores your boot firmware.
Malware lives on storage; an SSD or hard drive can harbor malware as an infected OS. Some malware can live in RAM, but RAM is cleared on a power cycle. If you got a used laptop and you update the BIOS and reinstall your OS you’re fine; the OS should have proper sandboxing and separated permissions. The CPU being old in certain models can be mitigated with patches and BIOS updates. However newer also doesn’t mean more secure; certain AM4 CPUs had architectural flaws. At Pwn2Own a bunch of hackers used zero days to unlock heated seats on a Tesla without paying the stupid subscription because of the CPU flaw and RAM buffers.
And if you want to get tin foil hatty: how do you know you weren’t man-in-the-middled when you bought a laptop from a retailer? What if a bad actor installed or tampered with the new laptop you bought, and now it is less secure than a second hand laptop because Joe down the street doesn’t care what you do with the laptop as long as he gets paid? Or vice versa, how do you know Joe didn’t install malware on the PC so he can sell your information on the dark web??
And realistically there is a lot of attack surface for any device. Let’s say you have your laptop and somebody steals it. You’re using LUKS full disk encryption, right? Let’s say you did for this example; your headers for decryption are plaintext on boot, so a threat actor can use brute force to crack your disk. You can set up LUKS to have your headers on a separate disk that you take with you. It’s the equivalent of taking away a lock and a key, so all the threat actor is left with is a door. I can go on for hours about potential attack surfaces: TPM, secure boot, Intel Management Engine, ISPs, SSDs vs HDDs.
“Privacy and Security are a mindset not a tool, device or service”
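The detached-header setup described in the post above, as an added example that is not the poster’s own code. The cryptsetup options used (--header for luksFormat and open, luksDump) are real, but DEV, HEADER, NAME and the function names are placeholders and assumptions of mine. Formatting and opening need root and a real block device, so those steps only run when the script is invoked with an explicit argument; the default path builds two constructed files and shows the property the post is getting at: a disk whose header lives elsewhere carries no LUKS signature at all, so there are no key slots on it for anyone to brute-force offline.

```shell
#!/bin/sh
# Added example (not from this thread): LUKS2 with a detached header kept on a
# separate removable drive, so the disk left behind holds ciphertext only.
# DEV, HEADER and NAME are placeholders; replace them before any real use.
DEV="${DEV:-/dev/disk/by-id/REPLACE-ME-internal-disk}"
HEADER="${HEADER:-/mnt/usbstick/laptop.header}"
NAME="${NAME:-cryptroot}"

# Exit 0 when a file or device starts with the LUKS magic bytes "LUKS".
# A disk formatted with --header lacks this, which is what a thief would see.
looks_like_luks() {
    [ "$(head -c 4 "$1" 2>/dev/null)" = "LUKS" ]
}

# Format DEV with its header written to HEADER instead of onto the device.
# Needs root; prompts for the passphrase. Irreversible: wipes DEV.
format_detached() {
    cryptsetup luksFormat --type luks2 --header "$HEADER" "$DEV"
}

# Open the mapping. Without HEADER the key slots are simply not present,
# so the disk alone gives an attacker nothing to attack offline.
open_detached() {
    cryptsetup open --header "$HEADER" "$DEV" "$NAME"
}

# Keep a dated copy of the header somewhere safe: losing it loses the data.
# luksDump on the file is a sanity check that it still parses as a header.
backup_header() {
    cp "$HEADER" "$HEADER.bak-$(date +%Y%m%d)"
    cryptsetup luksDump "$HEADER" >/dev/null
}

# Constructed demo files (no real devices): a fake header that begins with
# the LUKS magic, and a payload image with no signature, like a detached
# header disk looks from the outside.
build_sample() {
    d=$(mktemp -d)
    printf 'LUKS\272\276' > "$d/header.img"     # "LUKS" followed by 0xBA 0xBE
    head -c 4096 /dev/zero > "$d/payload.img"   # stand-in for the ciphertext
    echo "$d"
}

case "${1:-}" in
    format) format_detached ;;
    open)   open_detached ;;
    backup) backup_header ;;
    *)
        s=$(build_sample)
        if looks_like_luks "$s/header.img" && ! looks_like_luks "$s/payload.img"; then
            echo "sample: header carries the LUKS signature, payload does not"
        fi
        rm -rf "$s"
        ;;
esac
```

Run it as `sh script.sh format`, then `sh script.sh open`, with DEV and HEADER exported to the real device and the header file on the drive you carry. The usual trade-off applies: the header is now the single thing that makes the data recoverable, so the backup step is not optional.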
I have respect for what you’re saying and I would like to think you’re right. I don’t have the experience myself to know, I just listen to what experts like you are saying. But I have also read other experts say worrying things like this (https://www.srlabs.de/blog-post/usb-peripherals-turn):
To make matters worse, cleanup after an incident is hard: Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.
Once infected, computers and their USB peripherals can never be trusted again.
What do you think about that?
And if you want to get tin foil hatty. How do you know you werent man in the middled when you bought a laptop from a retailer. What if a bad actor installed or tampered with the new laptop you bought. And now is less secure than a second hand laptop because joe down the street doesnt care what you do with the laptop as long as he gets paid.
That is part of the unavoidable risk. There are some entities we can’t avoid having to place some trust in. But I think the risk is higher buying second hand instead of from a reputable brand and off the shelf. And the previous owner was also at risk of such a mitm attack from the vendor.
Lets say you have your laptop and sombody steals it. Your using LUKS full disk encryption right? Lets say you did for this example, your headers for decryption are plaintext on boot. So a threat actor can use brutforce to crack your disk. You can setup LUKS to have your headers on a separate disk that you take with you. Its the equivalent of taking away a lock and a key. So all the threat actor is left with is a door.
If you have a password with 100+ bits of entropy then practically I don’t think we need to worry about brute force attacks, or am I wrong about that? But you are still making a good point about there being many attack surfaces to defend against, it’s not only about where you buy it from.
malware living on the BIOS ROM could possibly live through an internal BIOS flash (the normal “update firmware” thing in the BIOS or things like ivyrain) if it somehow manages to manipulate that process.
however, it is always overwritten by an external BIOS flash (using a Raspberry Pi or something using flashrom), because then you’re directly communicating with the flash chip. (if you suspect that the flash chip has been replaced with a malicious one you’re probably a bit schizo)
one thing though is that the flash on the embedded controller is left untouched in most operations like this, so it could possibly harbor malware, but the only thing that could possibly do is make your laptop unusable or die randomly. It can’t really affect the software running on it, I’d think. What you’d want to do if you’re really schizo and suspect your EC is infected is to externally flash Lenovo firmware and use something like this to update the EC before externally flashing Heads.
the chain of trust for your installer USB would be something you can’t really avoid though, just use the most trustworthy computer you have
I hope you are right, it would really make it easier if it’s just an external boot rom flash that is needed. I mean I know that feds can plant chips in the silicon and you wouldn’t find it if they had covert physical access and there’s no glitter nail polish to protect the screws, but in this case they are not the adversary, in this case it’s just random cyber criminals who are the adversary when you buy a second hand laptop.
That article I linked to seems to suggest the malware can persist by hiding in any USB peripheral, even the camera. I think Bluetooth is USB as well, if I am not mixing it up with something else, but I remember reading Bluetooth is actually using the USB bus. But anyway you mentioned only the boot ROM and EC, you didn’t mention other peripherals, so that’s why I’m replying and asking what you know about it. Do you think that linked article is mostly FUD and a bit incorrect when it says malware can hide in the hardwired webcam or other USB components inside the computer?
It depends on the model of the computer. I have personally librebooted a T440p ThinkPad and although perhaps a USB controller can be reprogrammed, I’d find that highly unlikely. I had to buy a specific programmer, then realized the kind people on the Libreboot forum recommended a Raspberry Pi to program the ROM chips on the ThinkPad. I then had to deconstruct the ThinkPad to get access to the 2 chips on the motherboard housing 2 firmwares. For the BIOS, I believe that it is highly improbable for a USB port to re-program a USB HID device like a keyboard, mouse or camera. There are specific chips that are ESP programmers; they are designed in a very particular way and exclusively are for programming and reading. Most chips are read-only chips on USB devices for longevity. And technically you can reprogram them, however you need an ESP programmer to connect to them and flash. And let’s say theoretically you reprogram them with malware, it would be extremely hard to guess the manufacturer of the USB controller chip as well as the layout of what pin does what. It was very complex to program a BIOS chip and certain models of computers have multiple chips for certain things like firmware blobs. I think the article is highly theoretical and never showed any real exploits being used in the wild. I’m not an electronics engineer or anything but from what I know about playing with Libreboot and Arduinos it sounds unrealistic, like 1995s hackers/Watch Dogs, to reprogram USB buses with a built-in USB bus.
I mean there’s a possibility of malware hiding in USB peripherals since they have flash, and for ThinkPads I think the camera, touchpad and smartcard reader are usually USB. If they hypothetically acted as USB mice/keyboards/network adapters/display devices, they could possibly infect your system ig
What is Heads? 'Cause if it’s this Heads either you’re kinda cooked or I’m missing something.
Oh, damn! Cool! Thanks for clarifying!
Can you reinstall firmware?
Yes, but can you trust that, if it’s compromised, it doesn’t also infect the new version, or just plain lie to you?