Yes, of course. I planned on doing that anyway. The numbers above were the result of a few preliminary runs. I will run that script and the manual testing soon.
2 Likes
well i mean idk bout that… at the end of the day we’re speaking of a Chinese company beholden to the ccp
a company without the best of histories and one that spesifically targets hardware to companies!
i mean forget about the spyware and bloatware you’re getting with lenovo
even if you clean everything up there’s still the risk of hardware backdoors
and a massive risk
MASSIVE risk…
let me just ping you… commented about this
Any company is beholden to their government (or governments where their hardware components are assembled) - what matters is whether their hardware was actually tampered with. AFAIK Lenovo only modified some of their software for their company profit interest, not for their government’s interest, and it’s wiped in the coreboot flashing process.
Anyway, thinkpads are very popular, and older thinkpads have attracted the interest of modders and firmware developers. There are many eyes on the hardware. Schematics are available for the older thinkpads (google “wistron x230 schematic”). So it is nearly open hardware that has been subject to a lot of scrutiny.
3 Likes
At the moment I don’t know of any “massive risk” with Lenovo laptops, especially the older ones.
I’ve read about “superfish” and the so called “service engine” and of course especially the former has been a huge mistake but efforts to gather information are hardly exclusive to Lenovo.
I also agree with what @airelemental has written.
1 Like
While I do not dispute what you say, I would caution against thinking this has anything special to do with China or its ruling party. The same logic applies to Intel, AMD, Google, Microsoft, and many others, all of whom are U.S. or U.S.-based companies with long histories of collaborating with the United States government, sometimes willingly. They also all reside within the NSA’s backyard, for whom we do not really have a threat model because “they are somewhere between a usual state level attacker and Cthulhu”. Perhaps China’s 3PLA/4PLA is at a similar adversarial level, but the NSA likely remains chief among them in the pantheon.
I agree that Lenovo has a problematic history and its relationship with China is worrisome, though this should not be any different from a U.S. company unless your threat model for some reason includes the Chinese government and its APTs but not the U.S. or its—in which case, you are probably the U.S. government.
Currently, it is primarily the U.S. government that has prohibited Lenovo from use among its operatives for nationalistic reasons. If you agree with that assessment and include Chinese companies in your threat model, despite the lack of evidence that Lenovo has been used as a hardware attack vector outside of U.S. agencies (assuming even that is true), then you probably should view U.S. companies with similar concern. And when it comes to an eldritch abomination like the NSA, not even the anti-tampering and anti-interdiction services of NitroPad and Purism may be enough.
Regards,
John
P. S. To clarify, I am not saying to trust Lenovo; I am only saying to distrust it as much as you distrust any hardware tied to the U.S. and feasibly within its government’s reach. The current state of hardware trust and security is deeply depressing and unlikely to improve in any large amount (unless you count Google’s open hardware ventures to be an improvement), and this is only compounded by the adversarial nature of nearly all corporations and nation-states.
4 Likes
well no let me put it this way… first of all a (at least in theory) reasonably transparent democratic government with rule of law and limitation of power is very very very different then a dictatorship that could force any company to do whatever and send anyone to prison/have killed with a symbolic judge who’s aligned with the party arbitrary enforcment of the law no jury transparency etc
very very different… in the us sure the government can force companies to do a lot (but then often that won’t hold in court might be useful in a few situations like stopping of terrorism but you get the point)
also whistelblowers journalists and so on get some protection under the law unlike in well china where the authorities will kill you’re family to control you even if you’re for ample overseas and i can go on and on about the difference
china’s also very corrupt lacks supervision and so on
while getting anything from any goverment isn’t ideal china has been known before to compromise hardware and u know it’s horrible that so much of our manufactoring is there (taiwan is great don’t get me wrong that’s where i’d suggest you get you’re computer parts but it’s not without it’s issues)
the real issue is that you can never know… now ok with older parts for sure
they don’t after all at the end of the day compromise everything the issue is that there’s allways that risk
unless you’re willing to inspect everything to the teeth
1 Like
oh and i clarified my argument against china
but let me also add on top of that, that yes indeed you should always worry about all governments and…
but personally while i’m not happy with the idea that the nsa would hae my data i can live with it (it’s not ideal and the goverment should not have that right/power!) many would not want this but still it is much better to have you’re data in the hands of a goverment with the rule of law
not one where if you’re “lawyer” does too good of a job he gets charged and prosecuted arbitrarily
a nation so corrupt where people w’d happely sell you’re data for a couple of bucks (and i don’t just mean credit card information i mean if you care about privacy you can have some blackmail able material on you’re system)
and yes i know this is all farfetched and unluckily anyway
but again a low or a high level bureaucrat accessing my information from the us is much less concerning then a high level “trustworthy” official from china
We may need to agree to disagree here, @rjo74618, because I honestly struggled to tell whether you were describing China or the United States in your replies above due to their mutual culpability in such behavior; and I consider neither to be transparent, democratic, governed by the rule of law, or limiting toward their own power. We apparently have radically different assessments of the U.S. government, it activities, its threat level, and the credibility of its claimed rationale for them. Here is not the place to discuss that however, since that strays too far from the topic.
We can both agree that the Chinese government is one of the most dangerous threat actors globally and any electronics produced under its auspices may pose a general threat to everyone, especially those purchased by companies and decommissioned for resale (such as is the usual stock of used Thinkpads). We can also both agree that Lenovo does not have an encouraging record, especially if the U.S. government’s allegations of it being a vector for supply-chain attacks are true, and that Lenovo’s products should not be apportioned any additional trust just because they make (or made, years ago) products with certain desirable qualities. Lastly, we can agree that any hardware produced in countries with powerful nation-state threat actors and governments with a record of mass surveillance and gross violations of basic human rights should be immediately suspect, especially for anything critical, and preferably avoided or at least assessed with a much stronger degree of scrutiny.
Regards,
John
2 Likes
This discussion is entertaining, but it probably belongs to its own thread (just like Discussion on Purism). @deeplow do you agree?
You are of course entitled to your opinion, but consider some official democracy rankings and the like designed by scientists, which clearly show the difference between China and USA and explain it.
I disagee. If the discussion is around choosing the hardware to trust (just like for Purism), then it should belong to the general forum topics. Otherwise Purism discussion also ought to be moved to All around Qubes, like any future discussion of any company. In the latter case the current thread will look unfinished and shallow to me…
I’m always charmed by the way that people advocate for the US.
In terms of global geopolitics I doubt there is a cigarette paper between
the US/UK/Israel and other democratic states, and the bogeymen of China
and Russia. In terms of attacks on privacy and security the US has
a long and inglorious record.
To try to pull back to the issue in hand, there’s very little that can
be concluded from an alleged targetted attack. The fact that the CIA
tried to kill Castro with poisoned cigars tells you nothing about the
safety of buying a cigar off the shelf.
In another thread, I think, someone said “It’s turtles all the way
down” - but it isn’t. Turtles all the way down is a reductio of such
arguments. Most people are very bad at assessing risk, and responding to
it.
Which is more likely? The CCP has inserted backdoor chips in to every
lenovo laptop and is gathering data on a global scale from every lenovo
user, or the CIA has targetted the small production line of a laptop avowedly
aimed at “privacy” - i.e those it considers will have something to hide.
We really need to start teaching people about security and risk in a
sensible way.
6 Likes
I do not wish to stray any further from the topic, so all I will say further on this subthread is that I do not consider such rankings to measure much of anything and that I fundamentally object to the abuse of the term “democracy” in mainstream political discourse, whose common definition has not resembled anything close to actual democracy for at least a couple centuries. While there are some differences between the United States and China, including regarding their relationship to “democracy”, little understanding of that can be gained through hegemonic narratives generated by actors with strong material and ideological interests in weaponizing concepts such as democracy for the purpose of perception management.
Understanding this helps place issues like hardware trust and brand credibility in a more comprehensive context, since the usual assumptions we may be making about the criteria by which we judge these things may themselves be products of social control, and so inadvertently result in conclusions against our interests and for those of our adversaries. This is why such considerations are relevant to topics such as trustworthy hardware brands, though I admit that they may still be off-topic due to the generalizing effects it has on the discussion.
If anyone would like to discuss the off-topic political dimensions of this, you are free to message me in private and I will respond when I have time, or we can start an #all-around-qubes thread if it is not deemed too off-topic for even it. I only pray this message itself is not taken as a continuation of any off-topic tangents here; it is meant to conclude them and assert their general relevance in assessing trust and risk in subjects such as hardware security.
Respectfully,
John
With that said, I wish I had more to contribute to this thread, but I am personally very pessimistic about the state of hardware security, as I said above, and I do not have high opinions of any hardware vendor, whether Purism or Lenovo or others. Those for which I have no particular concern, if only because I am not very familiar with them such as Raptor Computing Systems, I still have general concerns such as those related to the above. So, my unhelpful and unsatisfactory answer is “None”.
I would love to explain and defend which hardware vendor I can trust to secure Qubes OS and respect my privacy and freedom, but I do not have one and I doubt one exists. I am critical of thinking in terms of brand trustworthiness, as well, since brands tend to tell us nothing about the merits of the company and only the perceptions they have manufactured. Trust is something earned and very few companies have done anything to warrant any trust at all, at least when it comes to security and especially hardware security.
I do think favorably toward older Lenovo Thinkpads due to some of the qualities I appreciate in them, such as their repairability and ease of (dis)assembly and powerful computing relative to their competition; and I do admire the apparent efforts that companies like Purism make toward transparency and securing the supply chain and delivery; but I would not go so far as to say I trust those products or their vendors, especially not as brands. Would I prefer them over other options? Probably, but not necessarily for reasons related to hardware security, even though their hardware is more open and verifiable than most.
Nonetheless, I intend to be installing Qubes OS on a Thinkpad and a part of me wants a Librem 14 (but will never buy it due to cost), and I would consider Dell Latitudes as an alternative to Thinkpads. I suppose the best I can say on these matters is that there are some vendors and products I can distrust less (and mainly because I am more able to implement means of distrusting them more, like corebooting 
), even though I cannot say I really trust any of them.
When it comes to hardware security, however, often what is more important is how and where you acquire a particular piece of hardware and not who produced it. For example:
- I am more willing to trust a new laptop I buy physically in-store from off a shelf than I can buying from an online vendor.
- I trust a used Thinkpad or Latitude bought second-hand from an end-consumer buyer more than I would one decommissioned from a government office or major corporation.
- I would trust a computer bought online directly from the manufacturer more than I would one bought on Amazon.
- And I can probably trust a company that provides anti-interdiction and anti-tampering services such as Purism or NitroKey more than I can trust one that does not, despite being a much likelier target for surveillance, interdiction, and tampering.
As I said before in the Lenovo trustworthiness thread, I extend “distrusting the infrastructure” to the endpoints and that includes the hardware, so I am more concerned with securing myself against the hardware on the assumption that it is untrustworthy and compromised (without any alternative) than with whether I can trust it at all. One can still want verifiable hardware security and a vendor one can trust, as I do, but the absence of that should not spell the end of one’s approach to hardware security (not that anyone is saying otherwise). So for me, I am less interested in brands and vendors, which I can trust only as far as I can throw them, and more interested in what they offer and how I can get it. Maybe that is implied in the topic question, but to me this is an important difference. Just some food for thought.
Regards,
John
1 Like
Sub-discussion continuing in China vs USA in trustworthiness (category only available to long-time forum members)
It was moved as the discussion at and was getting too off-topic (and the public forum section is only for Qubes-related). Feel free to continue discussing here “Hardware brands which you trust to run Qubes”.
I think the question is not Qubes related at all, as Qubes can’t save you from bad/corrupted/compromised hardware…
An unfortunately there is no real (usable) open-sourced hardware out there - and probably newer will. So we have to make a compromise when selecting a harwdare. Moreover turst is not something measurable, and it is very much subjective.
So for me it is about tho choose the best available option in the time I buy a new hardware. But this always will be limited to you budget, and the market in your area.
I’m personally not trusting any of the vendors, but accepting the risk involved using their product.
2 Likes
Strongly agree. Nothing in this thread was Qubes specific and when you remove the “to run Qubes” form the subject line it is essentially the same as https://forum.qubes-os.org/t/how-can-we-ever-trust-our-hardware-supply-chain-attack/2846?u=sven
@deeplow I see you already split but in addition I think we should close down this thread or even move it in it’s entirety maybe?
I do love this thread and would like to see it continue, but not in this category.
How is this the same? Those are totally different threat models. In the supply chain attack, the company may be secure, while its suppliers are compromised. Here we discuss whether to trust companies themselves.
This is why I called it “brands which you trust”. It does not matter whether you trust the brands whose supply chain is compromised.
1 Like
Fine. In any case this entire thread belongs into “all around qubes” and if I could move it I would. My point is that there is absoultely nothing Qubes specific about this thread and it’s the kind of thing we created “all around qubes” for.
Edit: I just realized that this thread did start in “all around qubes” and then was moved here by @deeplow following your suggestion. Although I disagree I do not mean to challenge that move. Let’s have it here.
1 Like