secure hardware after purchase but before qubes installation

James Miller

Sep 1, 2017, 10:46:04 AM
to qubes-users
For those that run Qubes on an off-the-shelf computer, did you go through any special steps to ensure the hardware was clean after you purchased, but before you installed Qubes? I'm about to buy new hardware for my installation and I'm thinking of all the places in the purchase chain where a laptop could be compromised. Does anyone have advice on how to not become the one in a million person to get a laptop with compromised hardware? For example:
Do I need to replace any parts just in case?
Do I need to buy in person or directly from the manufacturer online?

cooloutac

Sep 7, 2017, 9:27:35 AM
to qubes-users

I would literally get it off the shelf somewhere. Examine the box to make sure it's not used before buying. That's what I do.

I hate buying stuff from Amazon or Newegg, cause half the time it's used, opened in shipment. UPS is very corrupt. Some of them are also crazy and play soccer with your packages.

One way to determine if it's fresh and clean when buying some parts, is they come with stickers. GPU, CPU, mobo, and memory sticks always come with manufacturers' stickers to put on the case. If the sticker is not in there, it's used.

For example I just ordered some more G.Skill RAM. The original RAM I bought from Microcenter had the sticker. The same exact RAM I got from Newegg didn't. Now I don't think RAM has firmware to be compromised? Who knows. Also it's a lifetime warranty so I wasn't too upset. But these are things to look for.


cooloutac

Sep 7, 2017, 9:29:09 AM
to qubes-users

Every single manufacturer I've ever bought puts a sticker in the box. So if you buy something and didn't get one, it's used, period, no matter what you are telling yourself.

cooloutac

Sep 7, 2017, 9:32:06 AM
to qubes-users

Only time I never get a sticker when buying from Microcenter is if the item is on clearance.

cooloutac

Sep 7, 2017, 9:40:11 AM
to qubes-users
I just realized most people buy laptops. In that case I don't know what you can do except cross your fingers.

If super paranoid I'm not even sure you can trust an OEM laptop. Maybe get one of those FSF-approved laptops? Very expensive though, and you'd have to trust the shipping.

pixel fairy

Sep 7, 2017, 2:40:15 PM
to qubes-users
sun microsystems, now part of oracle, used capsules with beads and adhesive to detect rough handling in shipment. have not seen anyone else adopt that.

purism was looking into this as well. tamper proof tape is easily defeated. i suggested glittery nail polish and a signed photograph on a login page and sent in email to the buyer.

your best bet is show up in person. don't even think about lenovo unless its 2013 or before and you trust its previous owner. they already shipped too much malware, even in bios, out of the factory.

Tai...@gmx.com

Sep 7, 2017, 11:00:14 PM
to pixel fairy, qubes-users
On 09/07/2017 02:40 PM, pixel fairy wrote:

> sun microsystems, now part of oracle, used capsules with beads and adhesive to detect rough handling in shipment. have not seen anyone else adopt that.
>
> purism was looking into this as well. tamper proof tape is easily defeated. i suggested glittery nail polish and a signed photograph on a login page and sent in email to the buyer.

As always I would like to remind people that purism isn't worth the
money, their laptops are simply quanta rebrands with a few slight
improvements that one can do themselves for much less money - their
relentless pursuit of the latest intel hardware means they will never be
free.

> your best bet is show up in person. don't even think about lenovo unless its 2013 or before and you trust its previous owner. they already shipped too much malware, even in bios, out of the factory.
>
I would suggest a Lenovo G505s, it is owner controlled (no ME/PSP or
code signing) and mostly open source with coreboot (the blobs can be
open-sourced as there is no code signing anti-features) - and it
supports Qubes 4.0.

Reflash the firmware and you would be fine, other than that I highly
doubt anyone on this list is even remotely on the radar of an
organization that would have both the technical abilities and the
authority to subvert a letter carrier - one needs a warrant to
intercept USPS first class, priority and express mail and they take their
jobs more seriously (whereas it is much easier to bribe FedEx Home's
"independent contractors" aka the gig economy scam)

Why do you guys use qubes anyways? (feel free to message me off list) I
can't understand why everyone is so paranoid - I only use it for the
personal security pride as an IT person I would feel silly if I had poor
security and got hacked despite having nothing worth stealing.

cooloutac

Sep 8, 2017, 9:40:23 AM
to qubes-users

you suggest a lenovo? lol I wouldn't touch them as far as I can spit.

cooloutac

Sep 8, 2017, 9:50:21 AM
to qubes-users

I think you are wrong about UPS. Do you not remember the police arresting like 100 drivers for distributing drugs years ago? Right in my area of NYC. You never watch the videos of UPS guys playing soccer and throwing around people's packages? lmao

Neither UPS nor FedEx even ring your doorbell anymore, they drop the package on your step, run away and sign for it themselves.... It's become a super corrupt industry.

I'm sure the police are ripping open my packages half the time without any warrant, or who knows who else. Certainly seems that way. When half my packages come opened up and complaining does nothing. Just like they record cellphones nowadays without a warrant. In MASS!

Another guy whose answer to security is telling yourself you are not a target. Threat models or trivialities to bypass protections are lame excuses to avoid any security precautions if easily feasible. I wouldn't trust you at all.

cooloutac

Sep 8, 2017, 10:01:44 AM
to qubes-users
On Friday, September 8, 2017 at 9:40:23 AM UTC-4, cooloutac wrote:

If you have to get a laptop anything would be better than a Lenovo. Go into the store with a live Qubes USB stick, and make sure it supports IOMMU first and foremost. Has TPM, usually the business enterprise models too.
Refer to the HCL list, don't worry about them saying unknown for SLAT. Every Core i3, i5 and i7 supports SLAT as far as I know. Not sure about AMD.
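
The in-store check described in the post above (hardware virtualization, SLAT, IOMMU, TPM), as an added example that is not part of the original thread. It assumes a generic Linux live USB booted directly on the hardware (not under a hypervisor, where these CPU flags may be hidden); the optional `ROOT` argument is a hypothetical parameter so the function can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: report the hardware features Qubes depends on,
# read from /proc and /sys of a Linux live system.

# has_flag FLAG CPUINFO_FILE -> exit 0 if FLAG is listed on the first "flags" line
has_flag() {
    grep -m1 '^flags' "$2" 2>/dev/null | tr ' \t' '\n\n' | grep -qx "$1"
}

# nonempty_dir DIR -> exit 0 if DIR exists and has at least one entry
nonempty_dir() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# hw_check [ROOT] -> prints one summary line; ROOT (hypothetical) defaults to /
hw_check() {
    root="${1:-}"
    cpuinfo="$root/proc/cpuinfo"
    virt=no; slat=no; iommu=no; tpm=no

    # Hardware virtualization: vmx (Intel VT-x) or svm (AMD-V)
    if has_flag vmx "$cpuinfo" || has_flag svm "$cpuinfo"; then virt=yes; fi

    # SLAT: ept (Intel) or npt (AMD)
    if has_flag ept "$cpuinfo" || has_flag npt "$cpuinfo"; then slat=yes; fi

    # IOMMU in use: the kernel registers each unit (e.g. dmar0) here
    if nonempty_dir "$root/sys/class/iommu"; then iommu=yes; fi

    # TPM: a detected chip appears as tpm0
    if nonempty_dir "$root/sys/class/tpm"; then tpm=yes; fi

    echo "virt=$virt slat=$slat iommu=$iommu tpm=$tpm"
}

hw_check "${1:-}"
```

`iommu=no` only means no IOMMU is active under the running kernel; it can still be present but switched off in firmware setup or on the kernel command line, so check those before ruling a machine out.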

cooloutac

Sep 8, 2017, 10:10:01 AM
to qubes-users
On Thursday, September 7, 2017 at 11:00:14 PM UTC-4, Tai...@gmx.com wrote:

I like how you say no one on this list is on the radar of an organization that would subvert mail, which is a hell of a lot easier than subverting your BIOS imo, yet you suggest everyone to use coreboot 'cause it's so much more secure....

cooloutac

Sep 8, 2017, 10:11:25 AM
to qubes-users

Why do we use Qubes? Better question is why are you even posting here? I wonder if you are just looking for victims.

Sven Semmler

Sep 8, 2017, 10:27:25 AM
to qubes...@googlegroups.com
On 09/07/2017 10:00 PM, Tai...@gmx.com wrote:
>
> Why do you guys use qubes anyways? (feel free to message me off
> list) I can't understand why everyone is so paranoid

1) Qubes is an excellent networking lab / playground to learn about
InfoSec.

2) Having all important / personal data in offline qubes separated
from any online activities is simple & effective.

3) The same reason I encrypt files and emails ... so that if I ever
really need it, me starting to use it is not a data point that gives
me away.

I love technology and see its benefit to society, however when I look
around and see all those Facebook addicts littering their livable
space with always-on IoT devices (cameras, microphone and all kinds of
other sensors) and uploading everything to cloud storage I cannot help
but wonder what the future will bring.

Also: https://twitter.com/rootkovska/status/891949524830257154

/Sven