Hey all,
I’ve recently found the opportunity to buy a used Librem 14 at a good price. However, what are the security implications of buying it used? Are there any hardware complications or compromised issues I should be concerned about? Software? Re-installing the OS?
For reference, I plan to re-flash with Qubes OS anyways. I have a rather severe threat model, and this is of crucial importance to me. Please advise with any input.
Thank you in advance for your help!
Random user post here. My post is not the solution to your problem - only some thoughts. (Will be best to get true solution from others more knowledgeable.)
I have an un-severe threat model. I have been moving to Purism hardware for stuff, basically just wildly for fun. My sense of feeling is that data collection corporations have gone so far into building profit-oriented AI predictors that even some of their own people don’t fully understand, that I should try to resist even if there’s no reason. I’m just trying to resist on the moral/ethical basis that it feels like I should, and I managed to have the spare time to do so. You could contrast that, for example, with when I was a younger adult male and at some points in life would have a dual boot machine that ran Windows 90% of the time, but then would boot to Ubuntu for the remaining 10% of the time to then launch a VM of Windows inside of a VPN to watch pornographic things I was interested at that age, but that I didn’t want the world to know I was watching or something. I think a lot of people today conflate why I’ve been using Librem 5 as my phone – for example – with an indicator that I’m hiding some personal secret in modern times of a similar magnitude to stuff from those young years. To be honest, though, I feel like I’m not. I just don’t want to tell Google when I go to the store to buy a bread. I just don’t want to tell Google when I have a bowel movement or when I don’t.
So you can imagine my threat model is a bit silly – the hobbyist. Because of that, I bought a Librem 14 for fun to support the LIbrem 5 and Purism after reading some weird stuff about Purism having financial issues with Librem 5 refund requests or something. I just wanted to push money at their company. But actually I really like my Librem 14 and I use it a lot.
But I compromised my Librem 14 probably the most of anyone on these forums, by running Windows on it, because of a social situation where I felt pressured to run Windows. Details aside, afterwards I retreated to these forums asking if anyon knowledgeable knew how to “de-infect” the Librem 14 after running Windows.
The advice I received at the time was to use the BIOS flash utility for the Librem 14 to re-image the BIOS to remove any possible BIOS tampering from Windows. We can hope that Windows-based BIOS tampering specifically targeted to a Librem 14 is paranoid word salad and never happened, but the theory was that in that 0.1% chance if it did happen, hopefully I destroyed it by re-imaging the BIOS.
But the other thing I would suggest you to look up, which I am less knowledgeable about, would be the boot-tamper-proofing from PureBoot with the Librem Key. I did not buy the key for my device, and instead I use the lazy Coreboot/SeaBIOS, so it is very easy for me to run anything on my Librem 14 that I want, but if I run a bad program that writes over the boot sector of my hard drive with a malware, then I would never know and the malware may live forever behind the scenes, or something. You want to understand how this works: if the Librem 14 you buy from the other user is missing its Librem Key or if that tamper protection is already set up and you don’t have the access, that might be annoying. Ideally you would want your new QubesOS install to be the one configured with the user-secured boot tamper protection.
To be honest, as I get older and spend time with my Purism devices, I start to feel a little like the premise that Purism hardware is “the most secure” may be in some ways a disingenuous marketing thing. It seems to me a more correct way to think about it is that because Purism hardware is so geared torwards running free-software (“free as in freedom” → where we have the liberty to read/modify code) these are educational machines where the user is always empowered. So I can always learn about what my machine is doing. But when I learn, I have so many questions. And the answers to the questions are often miserable. Maybe I only feel that way because I never used Qubes, and because of all the stuff wrong with the GNOME(3) stack and its friends.
But I think we are facing an era in society where it is becoming exponentially more difficult to have a computer that only does what you want and not more.
The Intel ME is an interesting example. I guess Intel puts a linux software stack and a computer inside the computer, so that they have a government computer in the processor that can watch over the OS that you install yourself, or whatever. And since Purism is not a processor manufacturer, they’re using publicly available hacks (that originated in Russia, maybe, if I recall?) to try to break the government computer “ME” just enough that it stops working, whereas the computer processor for doing things you ask would still get the green-light from Intel to run. If I had all the money and all the people in the world on my side, surely this would be a patently absurd thing to do. I would obviously much rather a simple machine that has no “Mangement Engine,” no secret government processor inside the processor. And instead, I would have all the money and all of the people construct for me a computer that only does what I ask and not more.
I recall hearing that maybe some of these hardware components have fuses for whether the “one true settings” from Intel’s partners were changed or not, or something, and maybe there was criticism that the Purism configuration allows the user to burn the fuse and declare it’s the one true state as if they were Dell or HP or whoever, but if the Librem 14 passes into the wrong hands before it passes to you, maybe that guy in the middle could use the “open for the user” choice from Purism to sort of take it over and burn fuses into his own mode from which you can never escape. These are all really stupid things, and I’m not super familiar with them. They are in the category of things that I would chop out and annihilate from my machine, at least until I had an obvious way to view them and check them as a user that I routinely paid attention to. And yet, presumably, we have no means to eliminate them, hence why Purism as a dealer of Intel processors and not a processor manufacturer would likewise have no access to the ideal solution of doing it all in the best way to begin with.
Maybe someone else who knows more will answer in more detail about the Intel processor hardware and firmware controls, or provide the best and most relevant links. My Librem 14 fuses were probably all taken over by Windows, with the fuses burned into a mode to forever serve Bill Gates and Satya Nadella, so maybe they will delete this post before I even send it. Let’s hope not.
Yes it is.
You will need to describe your threat model’s capability if you want us to determine whether or not your questions are valid concerns against them.
Then I would be more inclined to prioritise security over money. Seriously.
While you haven’t gone into detail, the only security benefit I see for buying used is that it may remove some interdiction possibilities e.g. if you are outside the US and your main threat occurs either at the US border going out (US government) or at the border going in to your country (your own government) and the potential seller is already located in your country. But see more at (*) below.
It is true that you can always reinstall the operating system on the disk. However that ignores possible threats to the firmware and if the firmware is compromised then I am not sure that you can rely on either reinstalling the operating system or reflashing the firmware (in the worst case scenario).
You may be able to work around that by reflashing the firmware using external flashing hardware. However you will need expertise and equipment to do that - and to some extent that just pushes the problem elsewhere unless you already have that equipment (in the worst case scenario).
(*) In a sense, buying a computer “used” is the ultimate example of interdiction. You have no idea where it has been, who has had possession of it, what activities have occurred on it, … between the time that it was originally shipped by Purism and the time that it comes into your possession.
Under a severe threat model, interdiction matters. Just ask Hezbollah.
All that said, nobody here can assess your full situation better than you yourself can.