So I was looking at the qubes suggested laptop list and I can afford some of the nicer ones but used from eBay I was curious I’m new to security so is that a safe thing because couldn’t the previous owner put spyware, virus or something on the laptop maybe even something to save and keep track of what I do like keep track of passwords etc or do I sound crazy thanks sorry if it’s a dumb question
I’d like to just say that I am by no means a security professional; I am just familiar with using Qubes OS and reading the documentation and researching security in general.
During the installation of Qubes OS, you can choose to delete all existing partitions on the destination disk, which would remove any malware on the disk. You could also choose to purchase a brand new SSD that hasn’t been touched before, but that shouldn’t be necessary for security. As far as malware existing in the firmware, that would be more advanced and difficult to deal with, but Qubes OS at least mitigates the risks there.
What if the BIOS was tampered with— does the Qubes installer have a way to deal with that?
And for sake of argument, if you were the target of a nation-state, couldn’t they make a tampered-with used device appear to be installing Qubes— i.e. how far can the Qubes installer be trusted?
Yes, that is possible, and that is a risk associated with buying used hardware. Qubes OS cannot do much to help you if the hardware you install it on was already compromised before you even downloaded the Qubes ISO.
However, it is worth noting that modern supply-chain attacks means that there is no guarantee that purchasing new (i.e., not used) hardware will be safe either. There have been reports of hardware tampering both at factories and en route to the user (see interdiction).
When Computer Security expert Bruce Schneier was going to receive the Snowden Documents he wanted to make sure he had a computer that would not rat out what he was doing.
He purchased a used computer, from a randomly chosen computer store (they used to exist), and removed the WiFI to create an air gapped computer.
After he read the documents, he deleted all the documents, as possession of the documents then might have - led to unfortunate circumstances.
Notice there are Qubes Certified Hardware at the bottom of the Qubes OS website; from Insurgo, and NitroKey. Which define all the ways they secure the computer to get it safely to you, and secure against firmware intrusion.
However, if a power group, like say a government is your adversary. You might have a problem which is more than can be fixed by just a really secure laptop. But you can make it difficult for even a power group to spy on you.
The safest way to buy a laptop is from a private individual with cash. Random people selling their old laptop are much less likely to have the skills or want to compromise hardware than stores or professional second hand sellers.