Risk on secondhand equipment


heqa...@runbox.com

May 31, 2016, 10:39:45 AM
to qubes-users
Hi,

Do you see any problem with purchasing secondhand computers or laptops
on eBay?

Thank you

H.

Andrew David Wong

May 31, 2016, 10:54:42 AM
to heqa...@runbox.com, qubes-users
You can find a brief discussion about the pros and cons of buying a
used computer for Qubes in this issue:

https://github.com/QubesOS/qubes-issues/issues/1771

Basically, it depends on your threat model (e.g., how likely you are
to be specifically targeted by an adversary, how much money and effort
your adversary would be willing to expend to tamper with your hardware
before you come into possession of it, and so on).

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

raah...@gmail.com

Jun 3, 2016, 2:12:57 AM
to qubes-users, heqa...@runbox.com

Or it could just be a computer being sold unknowingly with an infection. Or someone could be selling an infected computer to spy on a random person for fun. I guess there are a lot of possibilities. I would say it's safer to buy new and not refurbished, but there is no guarantee even a retail store is always being honest about that.

mstv...@gmail.com

Apr 27, 2018, 7:18:37 AM
to qubes-users

The link refers basically to laptops. I was wondering if there are issues with second-hand desktop parts for the last couple of generations.

Is a second-hand CPU safe?
CPU vulnerabilities seem to be corrected with microcode updates applied to the motherboard BIOS or the OS, and not directly to the CPU. That makes me think that there is no firmware to speak of within a CPU; at least not one that can be changed.
On the other hand (if I understand correctly) modern CPUs include integrated controllers for peripherals, RAM, graphics etc. (Let alone AI modules or whatever, and the “plasticity” those imply.) Does that mean that the CPUs themselves run their own firmware or software of any kind? And more importantly can a CPU be infected in a permanent or contagious manner?
“in a permanent manner”: remains infected when installed on another motherboard?
“in a contagious manner”: the malware propagates to the next motherboard the CPU is installed on?

CPUs also contain eDRAM. Which leads me to my next question.

Is second-hand RAM safe?
If the DIMM itself has a controller or firmware (other than the IMC in the CPU), then it might be infected too. Is that correct?
A second reason for concern is the issue of data remanence, a property that allows “removing a computer's memory modules, cooling them to prolong data remanence, then transferring them to a different computer to be read out,” according to the Dynamic_random-access_memory article on Wikipedia. Admittedly the phenomenon refers to “data retention of seconds to minutes at room temperature and "a full week without refresh when cooled with liquid nitrogen,"” according to the Data_remanence article. The aforementioned articles address the matter from the perspective of forensics rather than security. But am I right to assume that it would allow file-less malware infections?

P.S.: I don’t have a particular threat model in mind. My questions are strictly hardware related. I realize the problems of an official endorsement and I understand that nobody can predict future vulnerabilities or exploits.

brenda...@gmail.com

Apr 27, 2018, 7:48:27 AM
to qubes-users
On Friday, April 27, 2018 at 7:18:37 AM UTC-4, mstv...@gmail.com wrote:
> Is a second-hand CPU safe?
> Is second-hand RAM safe?

Are second-hand keyboards safe? Second-hand mouses? Second-hand SSDs? Second-hand optical-drives? Second-hand power-management chips? Second-hand displays?

Is any component safe if it was out of your sight for more than 30 minutes?

There's no winning in this thought experiment. cf "On trusting trust."

--

But yeah, CPUs: from what I understand, Intel microcode updates are not persistent across power cycles. This is why, though an OS can push updates for the current session, it is "more permanent" to deploy the microcode updates in the BIOS/firmware (esp. in a multi-boot system or in a system where the OS lags in microcode update support).

Anyway, when you get your used machine, reflash the BIOS using the manufacturer's most recent release or reflash it with coreboot if that's your thing. Same with any devices that have firmware update support (SSDs, etc.).

Also fun side note: many contemporary SED/HW-FDE SSDs will not allow firmware updates if a) the updates aren't signed by the manufacturer's keys and/or b) the drive is security configured (ATA password, TCG OPAL), even though unlocked. a) is good (or as good as the manufacturer is about securing their signing keys anyway); b) means you have to temporarily de-configure security before updating the firmware (less good... but I like the trade-off of knowing the drive will reject firmware updates unless I go out of my way to perform a security operation that is unusual).

B
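
The distinction drawn in the reply above between microcode pushed by the OS for the current session and microcode deployed in the BIOS can be checked on a used machine after reflashing. The following is an added example, not part of the original thread: it assumes a bare-metal Linux system, the function names are hypothetical, the sample inputs are constructed, and the kernel log wording (`Updated early from:`) is an assumption modelled on recent Linux kernels.

```python
import re

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO = "processor\t: 0\nmicrocode\t: 0xf4\nprocessor\t: 1\nmicrocode\t: 0xf4\n"
SAMPLE_DMESG = (
    "[    0.000000] microcode: Current revision: 0x000000f4\n"
    "[    0.000000] microcode: Updated early from: 0x000000e2\n"
)

def running_revisions(cpuinfo_text):
    """Microcode revisions reported across all logical CPUs (/proc/cpuinfo)."""
    found = re.findall(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", cpuinfo_text, re.M)
    return {int(rev, 16) for rev in found}

def firmware_revision(dmesg_text):
    """Revision the firmware left in place before the OS loader replaced it.

    Assumption: the kernel logs 'microcode: Updated early from: 0x...' when it
    applied an update at boot; returns None when no such line is present.
    """
    m = re.search(r"microcode: Updated early from:\s*(0x[0-9a-fA-F]+)", dmesg_text)
    return int(m.group(1), 16) if m else None

def assess(cpuinfo_text, dmesg_text):
    """Classify where the running microcode came from."""
    revs = running_revisions(cpuinfo_text)
    fw = firmware_revision(dmesg_text)
    if not revs:
        status = "unknown"            # no microcode field in the input
    elif len(revs) > 1:
        status = "mixed"              # cores disagree: investigate
    elif fw is not None and fw < min(revs):
        status = "os-loaded"          # lost on another OS; BIOS image is older
    else:
        status = "no-os-update-seen"  # no boot-time OS update found in this log
    return {"status": status, "running": sorted(revs), "firmware": fw}

if __name__ == "__main__":
    print(assess(SAMPLE_CPUINFO, SAMPLE_DMESG))
```

On a real machine, pass in the contents of `/proc/cpuinfo` and the kernel log. An `os-loaded` result means the installed BIOS still carries the older revision, which is the situation the reply suggests addressing by flashing the manufacturer's most recent release.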
