I talked to Customer Service at FedEx and they did not have any record of opening the box for any reason. Also sent Purism support an email and waiting to hear back.
Did it cross international borders? Customs perhaps?
No. Domestic via FedEx standard shipping
Was it delivered to you in your hands or left on your porch?
The FedEx tracking number specified “signature required” but the driver just set it on my porch. I have a security camera system that covers the entire area and I picked it up off the porch minutes after it was dropped. Nobody handled the package between the time the driver set it down and I picked it up.
I have linked to your thread (i.e. this thread) from the thread discussing how to improve tamper-detection in Purism’s shipping practices: Preventing shipment interception, providing hardware integrity verification .
I would advise you keep pestering FedEx and get purism involved. I reckon they would accept a return/replacement as once they check that it’s not tampered with it can be resold.
Hmm, sometimes, during the shipping process the tape can be opened from being moved around. (They aren’t too gentle with boxes.) Many times they re-tape it themselves. It could be that, and therefore nothing was messed with it. But who knows.
I can not call my self a librem owner (yet), but would be interesting if someone who recived a librem can tell if the notebook package it self not the shiping package is of that kind that tampering would be obvious. Because @2disbetter is right shiping damge happens often. If not i would return it.
Just a not so seriouse side note: If signature is requiered, do you realy recived a package?
Purism advised that I could reinstall Coreboot and O/S or return the item to them and they would do it for me.
2disbetter: The tape crossing perpendicular to the box seams was clearly cut with a knife, not accidentally ripped from rough handling.
ramnasko: The laptop itself was not in any additionally sealed package. It was in a plastic bag that was folded, not sealed on one end. The Qubes flash drive was in a very flimsy plastic film that one could easily open and close without leaving any evidence of opening. No tamper resistance inside the shipping box for any product.
I have pictures of each step of package opening.
I had the exact same thing happen to me with my new Librem. I too was advised to reinstall the OS and coreboot if I have concerns. There are other interdiction methods that this would not fix, however.
I am interested to know what you did to secure yours. My concern is hardware interdiction, which of course is difficult to detect, let alone overcome.
*One difference between our two situations is that the white Purism box had a round seal on it, which did not appear to have been removed and reapplied, tampered with, etc. The bad the machine was in had a similar seal on it, which also did not appear to have been tampered with. I know there are methods of circumventing this, though.
Has anyone received a shipment which upon close inspection hasn’t been tampered with? If they are repurposing cut open OEM boxes, they should let people know and they should do a better job resealing the packages. If they are shipping new boxes, then this is very concerning and needs to be addressed.
Yes I received an un-tampered box,
They don’t make them tamper evident, just a simple cardboard box.
Even Macbooks are more tamper evident, and I will always compare it
to them since Purism have the same (if not more expensive) specs and price.
Basically you are getting a “Coreboot ready, ME free” machine with a 3 years old
CPU with a plastic cheap feeling chassis at about the same price as a new top tier
machine. If not my broken keyboard on a Macbook running Debian, I would not
even consider it as a daily driver. Just for a throwaway Qubes secondary it may do
the job fine. You will rarely find a honest opinion here. If this one will be censored,
I will post a more in-depth one on more neutral communities.
The chassis is literally aluminum, so I’m not sure where you may have gotten a plastic chassis from, but it wasn’t Purism.
@AlexE the question is - which boxes HAVEN’T been opened during transit ? where was it opened the first time ? can you tell ? who did it ? why ? how many times ?
i can tell you that for tampering (if that IS the case) the motherboard is the target. so far i haven’t received ANY motherboards or graphics cards from any manufacturer that were unopened - sure they looked pristine and function “as-advertised-most-of-the-time” but i could never tell who/where did what exactly - all i did was guess it was customs practice to do so. the rest of the products i receive allways arrive untouched and in pristine condition it’s maybe just the most important components that receive any kind of special attention at all (if any).
i know for sure that when the time comes for me to receive a librem product i will not be able to receive it at my door so i will HAVE to go the customs office in person. Once there i will get the chance to see for myself if it has indeed been tampered with before customs or simply before i arrived there. If not they would probably ask me what’s inside anyway and depending on the level of suspicion the customs officer has at-the-moment i may have to conform to regulations and open up the package myself.
but from this to speculating attacks happening in transit for every user that reports it seems (to me) very far-fetched and over-the-top-tin-foil-hatty.
Holding both side by side on the same desk together with 4 more laptops.
Feel the a real aluminium and then try again. Sorry to break hearts here.
I’ve sent an email to Purism asking whether they send the laptops in new boxes or whether they receive the laptop bodies in taped OEM boxes which they cut open and then retape closed and reuse them to ship the laptops to customers. I’m still waiting for a reply from them.
Don’t be so paranoid.
If you were a target of an adversary capable and willing to do so, you would receive
a box that is wrapped better than what Purism ships.
Just compile your own Coreboot image on a trusted machine, flash it, completely wipe
the Debian PureOS they shipped it with and you are 99.9% safe to use it.
If you were a point of interest target (adversary slang), they either had you before,
or would have you no matter how your laptop was shipped.
Well I got a reply. Unfortunately it was in broken English from somebody that didn’t seem to understand what I was asking. I tried to clarify what I was asking, but I’ve not heard anything back for the past few days. I wish they would have replied before the end of the work week, but whatever; the wait continues.
This is interesting. I received my Purism laptop, and it had to come through customs, but my box was entirely sealed. The laptop, the Librem Key, and the QubesOS pen drive, all were in sealed bags. They were ‘vacuum’ sealed, with no way to open these without cutting them. I was super impressed with the way the device was shipped, and hope this context helps.