How can we be sure the vendor isnt backdooring the hardware somehow. Arent we inherently transferring trust from a manufacturer like Dell to a smaller niche company that attracts privacy and security cautious users?
For that matter, the Qubes website might get hacked or the domain is altered or something. Maybe Qubes is the honeypot. Only you can decide where your trust model ends. I personally don’t think laptop brand names are much safer when it comes to targeted supply chain attacks; if you’re being targeted, oh well.
i guess i didnt make my point clear enough… if i was a state sponsored hacker, id definetly go after a privacy/security focused vendor which less than 0.1% of the population has even heard of. there are much higher chances id backdoor someone who really has something to hide - someone who goes to lengths of getting a novacustom with qubes. There are too many devices being shipped by dell, lenovo etc to back door each one and surveil each one so chances the hacker would get a high value target is very very low Wouldnt you agree?
its almost like tradeoffs between privacy and anonymity… different threat models i get…but still worrysome.
fair. But is it possible to offer transparency on a higher level than just OS, open source BIOS/UEFI etc? Is there a way to verify authenticity of the hardware itself? CPU, RAM, SSD, Network adapters etc?
This aint up to novacustom. This would be up to you to verify.
Certain companies advertise whatever-certified to grain trust. However if you dont trust a statement you have to get a 3rd-party involved to verify and actually run an audit. Sure you can do the basics, which requires advanced skills though. Anyway you have to get engineers and another bunch of people usually. This would be enterprise-pro level. very expensive.
Yet you are given tools by a vendor like novacustom. source is open. you can flash stuff on your own. Oh wait. i should use that quote thing
another set of expert would be required to check hardware parts as you wouldnt trust components.
though i dont think this is the attack surface. your example is refering to upper class hacking
Well if i was a state sponsored hacker I’d probably been given a target or group of targets. What makes a target though. I will pick your example.
…is hiding yet kind of exposed even if using a hidden identity hence anonymous. Being anonymous doesnt equal security. Quite popular examples of people out there who were anonymous yet had to face hacking, without any identity exposed. Prosecutors try to expose identity.
Back to hacking. I would think that state sponsored hackers try to gain access (hacking) and/or exfiltrate data. Enter networks, saturate networks, hijack mailboxes, use masterkeys and so on. I am no hacker though. So I am just guessing of course.
Unless you cant audit a vendor (any vendor) you have to focus on basics. Qubes-OS follows the campaign of - dont trust the infrastructure - which is a great approach to raise awareness of security. It doesnt mean you shouldnt worry about YOUR infrastructure though - hopefully. Would you recognize strange traffic going on? Your own network infrastructure should be like that “dont trust” → dont trust a client.
Anyway I think novacustom is advertising quite well, also providing open source components, even joining this forum. That’s rare!
Final comment which goes to @solene
Awesome review of a laptop. You did even test several operating systems and added quite useful information. Also details like level of noise. I think almost every kind of user will find valuable information. Makes me want to take a look at that vendor. Thanks a lot. As I will be looking for certified hardware with regard to Qubes-OS eventually. They do offer nice configs like high amount of RAM bundles. Also more recent hardware compared to other vendors (I am still comparing though). Keep it up please.
Thanks! I’m using a laptop daily so I know what matters to users in real life, I wanted to cover everything one could ask before spending a lot of money on it. I also added some precisions after being asked for them after publication.
Hey @solene, would you mind running fwupdmgr security again after setting the HAP bit (disables Intel ME) in the BIOS? I want to see how the results change if the HAP bit is set.
The command works in Qubes OS now so no need to use a live fedora USB stick.
(Make sure to disable the HAP bit after you’re done if you want to keep the ME enabled)
I wrote a small update for the review to share feelings 1 year later. Basically, I’m really happy of it, except the screen which is the lacking part for me, but as I wrote in the update, I’m highly sensitive to high refresh rate so this may not be annoying for everyone.
I’m curious to know how other NV41 users feel about the screen.
I’ll try to find some time to check it, I did not see your post sorry.
