For example, Signal is a great app to use for private communication but if you use Signal on Windows OS then how private is the communication really? Typical Windows users aren’t good at security and Windows users also have a high amount of malware which can spy on the conversations. It was just an example for privacy starts with the hardware.
I have read a lot of people in privacy communities recommend buying older thinkpads and basically anything that Heads supports. The problem is not that they are old, the problem is they are second hand. You don’t know what the previous owner have been doing on the laptop and who might have had access to it. Remember, Windows users are typically not good at security and malware spreads commonly in Windows.
If a malware flashes a ROM then you buy their laptop and erase the hdd or ssd or buy a new hdd/ssd, then you flash coreboot to the computer. After all this the malware can still remain in the firmware and you would never know unless the malware makes itself obviously known by a ransom attack or stealing all your crypto or something.
There is nothing you can do to prevent this risk other than avoiding used computers.
Then there’s the entirely other debate if it’s even worth it for security & privacy to buy an old brick that is supported by Heads. And I’m not experienced enough on that topic yet although I’m learning about it and getting closer to being able to come to my own conclusion with the help of all the experts who have written about it.
These old bricks don’t get microcode updates for the CPU which means you will be vulnerable to many Spectre and Meltdown attacks. QubesOS can mitigate it to some degree such as by disabling hyperthreading, but QubesOS can’t mitigate it completely, only microcode updates can and these old bricks don’t receive them.
But the main point I wanted to make in this topic is about risk with used second hand laptops. Because of that I think it probably is best to buy a new unused laptop. Off the shelf for cash is best but maybe not depending on which country you live in. fed upgrade factories are a thing and some countries have it happening more than others. In that case maybe it’s better to order a laptop from one of those laptop vendors who ship it with tamper proof container, although it will be very expensive with taxes/customs but worth it.
If you’re paranoid, install a new drive, reflash/update the motherboard bios, clear the boot picture (a proof of concept rootkit storage vector was there), factory reset the motherboard, clean install an OS, install software from trusted sources only, don’t let any stranger use your PC without you watching, take extra steps to encrypt your drive, and finally securely limiting privelege escalation to what you explicitly authorize. You’d be in the clear against 9999/10000 of attacks (I have no citation for this figure). You’d have to be super important, like a diplomat, tax chief, Microsoft IT director or small country royalty or something if you are to be targeted through an old ThinkPad.
(Tinfoil hat time)
Are you trying to evade info-stealing hackers, or the feds? From feds you’re somewhat out of luck, Intel ME and AMD PSP, in conspiracy-speak are kinda like government backdoors, closed source, undocumented, with huge control over a processor. AMD example intel example. Apple hardware is no better, you had better hope they haven’t conveniently slipped up and left an arbitrary read write endpoint in the software.
(Tinfoil hat off)
Assess your risk and threat level and take appropriate mitigation measures. The vast majority of exploited vulnerabilities will be through social engineering rather than software, and then software rather than hardware. The lowest hanging fruit is when there are open, easily accessible connections from the internet, software that can be exploited to freely escalate privilege, a user unwittingly leaking a secure credential, or physical access to a device by someone knowledgeable.
I’m not convinced that this needs targeting. At the same time, you can’t know if any of the former owners was an important person, or in the environment of one, just as you can’t know what shit did they install entirely carelessly.
In theory it’s possible that intel me is made to be spyware/backdoor for feds but I don’t think it is because if it was then why are there so many cyber criminals in the world who the feds can’t catch? There are lots of cyber criminals on the top wanted lists and feds want to catch them so badly. And that’s just the non-affiliated cyber criminals, then there are also nation sponsored hackers for example north korea has been in spotlight recently for crypto hacks. And if intel me really was what we fear it could be in theory then usa’s enemies like russia and china would be instantly defeated.
So even if it’s possible in theory because it’s cpu proprietary firmware with its own OS and that’s scary but if it really was abused that way then wouldn’t the world be a completely different situation?
Also, intel wouldn’t need to have a backdoor in intel me. This source puts it well (https://deploy-preview-244--privsec-dev.netlify.app/posts/knowledge/laptop-hardware-security/):
So if you read that article, he says there’s no point in buying an old brick just to be able to disable intel me because of the above quote.
Hence I put that part of the comment with my tinfoil hat on, the world is out to get me specifically, trying to masquerade a well-publicized “security feature” as a backdoor to spy on whoever they please, when they could just as easily put unpublicized vulnerabilities elsewhere.
Yeah, if you can’t trust any of the CPU vendors, then you can’t trust desktop computers at all. Or you’d put a Faraday cage around your home or something to keep the internet out.
Also, cybercriminals simply can hide in countries where enforcement is lax to non-existent. Even if you break American or European rules, all American or European officers can do is their best to block them from their own countries’ services or tap the shoulder of the apparent source countries’ leaders, or in rare cases, dispatch a covert unit to intervene directly.