Question about Buying a used laptop

So I was looking at the qubes suggested laptop list and I can afford some of the nicer ones but used from eBay I was curious I’m new to security so is that a safe thing because couldn’t the previous owner put spyware, virus or something on the laptop maybe even something to save and keep track of what I do like keep track of passwords etc or do I sound crazy thanks sorry if it’s a dumb question

1 Like

I’d like to just say that I am by no means a security professional; I am just familiar with using Qubes OS and reading the documentation and researching security in general.
During the installation of Qubes OS, you can choose to delete all existing partitions on the destination disk, which would remove any malware on the disk. You could also choose to purchase a brand new SSD that hasn’t been touched before, but that shouldn’t be necessary for security. As far as malware existing in the firmware, that would be more advanced and difficult to deal with, but Qubes OS at least mitigates the risks there.

1 Like

What if the BIOS was tampered with— does the Qubes installer have a way to deal with that?

And for sake of argument, if you were the target of a nation-state, couldn’t they make a tampered-with used device appear to be installing Qubes— i.e. how far can the Qubes installer be trusted?

No

1 Like

Yes, that is possible, and that is a risk associated with buying used hardware. Qubes OS cannot do much to help you if the hardware you install it on was already compromised before you even downloaded the Qubes ISO.

However, it is worth noting that modern supply-chain attacks means that there is no guarantee that purchasing new (i.e., not used) hardware will be safe either. There have been reports of hardware tampering both at factories and en route to the user (see interdiction).

3 Likes

When Computer Security expert Bruce Schneier was going to receive the Snowden Documents he wanted to make sure he had a computer that would not rat out what he was doing.

He purchased a used computer, from a randomly chosen computer store (they used to exist), and removed the WiFI to create an air gapped computer.

After he read the documents, he deleted all the documents, as possession of the documents then might have - led to unfortunate circumstances.

Notice there are Qubes Certified Hardware at the bottom of the Qubes OS website; from Insurgo, and NitroKey. Which define all the ways they secure the computer to get it safely to you, and secure against firmware intrusion.

However, if a power group, like say a government is your adversary. You might have a problem which is more than can be fixed by just a really secure laptop. But you can make it difficult for even a power group to spy on you.

1 Like

The safest way to buy a laptop is from a private individual with cash. Random people selling their old laptop are much less likely to have the skills or want to compromise hardware than stores or professional second hand sellers.

1 Like

What about ebay? I think it is the best way to do this and then manualy install qubes.

If you trust ebay not to work with your attackers, it’s probably fine. And not to compromise things at scale.

Hi, my policy is to read second hand forums, and while I am traveling with my car, I pull over to a parking lot, read the forums, call the seller if they are in a range of 20km near me and then I call them and date for immediate buy at their house.
I pay cash and collect the computer.

Also I prefer 45nm core2duo, where the management engine (www.github.com/corna/me_cleaner) can be removed completely for security critical stuff.

Unfortunately Qubes needs 32nm Xeon or newer.
At AMD the opteron 32nm of revisions A,B - not C had no PSP (AMDs Management Engine).

So building on these Opterons is an option if you have cheap electricity and a good
air conditioner.

On the other hand running qubes on an old laptop is not so much fun, as older
CAD laptops only provide you with 4 real cores and 32GB max RAM.

So go for a used laptop based on Core2Duo or Core2Quad with 45nm,
and kill the Intel ME completely!
Be sure to remove the WWAN radio card before powering up the first time
at your place (intel computer trace, and “anti theft”).
Just pull (and discard) the WWAN card after purchase to be sure.

openbsd is nice for old computers…

2 Likes

That’s a good idea. But sadly is impossible to find specific configurations this way.

Thinking about it, that as much as we can get to a librebooted pc that is compatible with Qubes (Libreboot – ASUS KGPE-D16 server/workstation board with opteron 6200 and and Nvidia Gtx 780ti).

1 Like

Yes, KGPE-D16, I know :slight_smile:
6200 mind the revisions!
Also this would qualify as a rack-mounted laptop :slight_smile:

1 Like

2nd option:
Just head for a junk yard and try to bribe some clerk who works there to give you an old PC for your kids to learn 10 finger typing.

Nobody would insert N$A-hardware at a junk yard, maybe, you just dump the computer somewhere else, as you found a fishy solder joint, or you might collect 10 junk computers and install windows XP on n-1 of them and play quake on n-1 :slight_smile:

The core2duo computers were expensive those days and are sufficient for ssh and other stupid stuff.
I dont need much computing power, as the other end of the ssh connection has it.

1 Like

That’s probably the best way to get something electronic without someone knowing who you are.

Something that probably better to do with them then installing Windows XP, is to make a cluster, but I imagine that is cheaper to get some PI’s

AFAIK, there are no devices with Libreboot supporting Qubes (attempts: one, two). Moreover, these CPUs are vulnerable to Spectre and Meltdown, which break all Qubes security.

1 Like

Can you give a link to this? Does it apply to opteron 6200 series?

https://meltdownattack.com/

1 Like

Looks like AMD CPUs have not been affected. Making it possible to have a fully libre Qubes setup

In particular, we have verified Spectre on Intel, AMD, and ARM processors.

From here.

Also AMD CPUs are not fully libre: AMD Platform Security Processor - Wikipedia

I was reading the Wikipedia page. :slightly_frowning_face:

The exact model I’m talking about is listed on libreboot as recommended.

BTW, should this be split in a second topic?