I’ve ordered a refurbished, “renewed” mini-PC from Amazon. I plan to wipe the drive and install my favorite distro.
What are recommended actions for ensuring no potential malware persists on the device? (I mean besides replacing each and every component with brand new parts, which I don’t intend to do.)
Does installing a new OS cover all bases?
Thanks for any input (excluding stuff like “Don’t buy a refurbished computer.”)
No, there could potentially be persistent malware in the storage controller or other firmware. If you’re paranoid, consider updating the firmware on storage devices, reflash BIOS, etc. Then there’s the topic of supply-chain interdiction, which may or may not be a concern depending on how large of a target you or the prior owner(s) have been.
And everything changes the second the device is connected to a network. As of 2010, it took an average of approximately 8 seconds for a computer to become compromised when connected to the internet. I haven’t worked in the realm of security in several years, so I’m confident that this figure has changed.
My perspective of computer security is akin to breaking into someone’s car. If I really want to break into a vehicle, I most likely could… but how many obstacles is the target making me jump through, and is the risk worth the prize at the end?
It is unclear whether this is “barebones” i.e. @amarok has to install a suitable drive (thereby avoiding this particular compromised firmware problem) or not. Even if not barebones, it is possible to replace the storage and on-sell the original storage - for the truly paranoid.
Edit: Adding:
As a general security comment, if you have a fully encrypted drive (that means boot and root, where applicable) then drive firmware compromise isn’t such a problem. I mean, sure, you can lose all your data if the firmware is malicious but your confidentiality need not be compromised.
I plan to use this as a streaming device mainly, if not exclusively, for my stored media, and also for at least one streaming service (via browser with as many privacy controls as possible, and routed through Pi-hole).
Actually, after I asked that, I had a look at the Dell web site and said web site explicitly notes (against the specific model there, which is slightly different from yours, apparently) that Linux is supported. Way to go, Dell!
I would think so. A visit to the Dell web site shows a critical update (September 2023) to the BIOS, which you might want anyway(!) and applying that update could have the effect of wiping out the hypothetically compromised existing BIOS.
The downside is you would probably need Windows in order to apply the update - or be in communication with Dell for how the update is installed from Linux.
Yes. In general, go to Dell Support: Drivers & Downloads and enter the service tag that’s on the Dell device. This helps remove some compatibility uncertainties.
I think Microsoft might now require creating an online account just to get into Windows 11, so I would probably have to go there anyway… with a one-time, expiring email address and fake name, of course. It may be that the firmware/BIOS can also be updated that way (if there are un-applied updates).
Unfortunately, I’ll either have to connect directly from my home IP (without VPN protection), or temporarily set up my VPN on the router prior to connecting.
What are recommended actions for ensuring no potential malware persists on the device? (I mean besides replacing each and every component with brand new parts, which I don’t intend to do.)
You should update the firmware.
There are really two situations … both of which are fixed if you reinstall the firmware.
It doesn’t have secured firmware (e.g. not Intel Boot Guard). There could be malware. You can simply reinstall the firmware from the manufacturer or coreboot.
It does have secured firmware (e.g. Intel Boot Guard). In that case you are safe from malware. But you might as well get the latest firmware from the manufacturer anyway.
After that a new install of whatever OS you want. Order matters.
Make sure that if there are “recovery partitions” that you wipe those and reformat the disk before you install the OS. Again, order matters.
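As an added example that is not from any post in this thread, the firmware-first, wipe-second order described above as a small POSIX shell script for Linux. It reads the installed BIOS identity from sysfs, compares the version against a string you copy from the vendor's support page, lists partitions that look like Windows or OEM recovery leftovers, and only wipes the disk when you explicitly confirm. The paths under /sys/class/dmi/id are standard Linux; wipefs, sgdisk and fwupdmgr are the usual util-linux, gdisk and fwupd tools. Whether a given Dell model is covered by fwupd/LVFS is an assumption, not something this thread establishes; the USB reflash from the F12 menu works regardless.

```shell
#!/bin/sh
# Added example, not from the thread: check firmware first, then wipe everything
# (recovery partitions included) before installing the new OS. Order matters.

# 1. Firmware identity from sysfs (no root needed). Compare bios_version with the
#    version listed on the vendor's support page for your service tag.
bios_info() {
    for f in sys_vendor product_name bios_vendor bios_version bios_date; do
        printf '%s=%s\n' "$f" "$(cat "/sys/class/dmi/id/$f" 2>/dev/null || echo unknown)"
    done
}

# Returns 0 when the installed version ($1) is older than the vendor's ($2).
# Uses GNU sort -V; vendor strings that are not dotted numbers need a manual check.
bios_is_older() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# 2. Read "NAME PARTLABEL FSTYPE" lines (lsblk output) on stdin and print the
#    names of partitions that look like Windows/OEM leftovers. Matching is on
#    the whole line, so an empty PARTLABEL does not shift the fields.
flag_leftover_partitions() {
    awk 'tolower($0) ~ /recovery|winre|microsoft|ntfs/ { print $1 }'
}

# 3. Destructive: drop filesystem signatures and both partition tables on the
#    whole disk, so no recovery partition survives into the new install.
#    Requires root and the literal word YES as the second argument.
wipe_disk() {
    disk="$1"; confirm="${2:-}"
    [ -b "$disk" ] || { echo "not a block device: $disk" >&2; return 1; }
    [ "$confirm" = "YES" ] || { echo "refusing to wipe $disk without YES" >&2; return 1; }
    wipefs --all "$disk" && sgdisk --zap-all "$disk"
}

# Usage: ./check.sh info | updates | leftovers /dev/sda | wipe /dev/sda YES
case "${1:-}" in
    info)      bios_info ;;
    # Only models published on LVFS show up here (assumption for any given Dell).
    updates)   fwupdmgr get-devices && fwupdmgr refresh && fwupdmgr get-updates ;;
    leftovers) lsblk -rno NAME,PARTLABEL,FSTYPE "$2" | flag_leftover_partitions ;;
    wipe)      wipe_disk "$2" "${3:-}" ;;
esac
```

Run `info` before and after the reflash to confirm the BIOS version and date actually moved; run `leftovers` on the target disk to see what the OEM image left behind, then `wipe` (as root, with YES) before starting the distro installer so it sees a blank disk rather than offering to keep the old partitions.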
Not might, absolutely. You must be connected to the Internet in order to create a Microsoft account during the Windows 11 setup just so you can use the device. They do not blacklist any ephemeral email addresses as far as I know.
I got one of those without-OS laptops for less than $99 on eBay, about 5 years old. Instead of a hard drive it has a half-TB SSD that I thought would make it faster, but it just acts about normal.
Perhaps they used one of those faulty half TB SSDs in the news a few months back?
Hmm. I feel the first thing the OP should do is a “threat assessment.” Decide what their risk is from?
Are you concerned with:
Surveillance Capitalism?
Someone stealing from you. (Not my problem. I am on Social Security, not enough money to steal. I have less than ten dollars left in my bank account now.) But my bank is really on top of where my money might go that they might have to replace, anyway.
Worry about the NSA watching me. I would feel so complimented. But that is the subject of my efforts to emulate what a journalist, or a good traveling business man should be doing.
This topic is often raised in several ways on the Qubes OS Forum: how to buy or modify a computer where one can trust the firmware. Qubes OS requires spending time learning some concepts. Not sure I would encourage OP to do something that has taken up too much of my time.
Purism is offering to sell a more complete solution of hardware and software to handle some of the possible firmware corruption, and software.
Perhaps look at Tails OS; Whonix has a website with a lot of documentation on security.
Hidden malware from criminals and/or nation-states… for whatever purpose, targeted at any user of the device
Qubes, Tails, or new (expensive) hardware from Purism is probably overkill for my purposes. This (inexpensive) machine is going to be strictly a media device, and won’t contain any other types of personal files. I don’t plan to access any financial or email accounts from this device, and I probably won’t even set up ssh on it. I’ll copy my stored media files to the drive by usb, and will use at least one movie streaming service.
It will be connected to my network and the internet, but if it’s at risk there, then so are all my other devices. I think I’ve adequately secured my network, however.
Thanks for the tip and the Dell link.
I suspected as much… yet another anti-consumer move. I’ll try to create the account and do the updates behind a VPN, then nuke Windows Spyware 11.
As @Privacy2 points out, you can do the BIOS update using Linux but you will have to read the instructions on the Dell web site carefully. That may be simpler and faster than fighting with Microsoft Spyware. I recommend making a backup copy of the existing disk with Windows on it (just in case!) and then nuking it as fast as possible.
Was able to bypass MS account requirement by not connecting to the internet and selecting “I don’t have an internet connection” during setup.
Dell, by default, offers the boot settings menu after startup, with no special key presses, and before even loading Windows. [EDIT: This was only because the system flagged the power adapter, which apparently was the wrong one, and underpowered, hence a warning screen that offered a link to the BIOS. The vendor is sending me a replacement.]
After Windows local setup, I connected through a shared connection with my laptop, behind a VPN, and downloaded all the available updates from Windows and Intel (just in case - what an ordeal!), and a Dell firmware update (which didn't actually install).
Downloaded the same BIOS version (EDIT: as above) update from Dell’s website to a USB drive, restarted, hit F12 and entered a menu that included BIOS reflash option, which I did with no problem in about 5 minutes. (EDIT: This upgraded my existing BIOS version.)
Changed boot order, then booted into Linux Mint USB drive, opted not to backup the Windows install, and proceeded to install Mint, erasing all previous data.
Booted into my Minty-fresh distro and started customizing.
P.S. This machine is very quiet, and a lot faster with GNU+Linux, of course.
P.P.S. I found W11 very unintuitive and annoying as hell, not to mention slow… at everything. I never want to see it again.