Buying computers without interception/bugging

[Rered1958]

Any advice for how to buy computer equipment online, with reduced risk that a friendly NSA agent will intercept the shipment and implant a hardware bug in it?

I have not bought any computers since before the Snowden leaks disclosed this as a real threat. My remaining computers are slow, and literally falling apart. I need lots of new stuff.

I don't do anything illegal, much less of national security interest. However, I have a loud mouth with my opinions... I'm probably on some interesting lists; and I use lots of crypto/anonymity networks to keep my private stuff PRIVATE. I must have clean hardware.

Most hacker/geek sites either ignore this threat, or say "cross your fingers, good luck". Thought I should ask here. People here are more practical.

 

[neweraoffshore]

Ehhh. Go into a hardware store and buy the hardware directly there without using shipping‌ ?!

 

[happyjohn]

I totally agree with newera - go into the‍ store and buy what you need, pay with cash or bitcoins and even change your⁠ face look by using a fake mustache and sun glasses.

 

[void]

Let's assume you are right and they are capable and interested enough to monitor your‌ purchases and bug your hardware. Then there is no need to physically go to hardware‍ store - just use an intermediary who will buy it for you (easy to find⁠ random guy not connected with you at all).
Sounds creepy but I like your thinking⁤ btw...

 

[Martin Everson]

Yeah going into a good independent store and paying in cash is best. Don't fill‌ out any warranty nonsense that reveals your identity and then walk out.

However if I‍ owned a computer store and you came in with @happyjohn disguise I would call the⁠ police straight away smi(&%.

 

[Spinat]

If you go into any store like this I think they will call the police‌ right away 😀

 

[lavel]

It's total paranoia to think that anyone will prepare your computer parts with chip's and‌ stuff. I actually never thought about it.

 

[bancosantander]

It actually is‍ possible and they do it. It just depends on who you are.
Wearing a false⁠ beard or anything like this is not necessary. Just go to a store where nobody⁤ knows you and pay by cash. Do not leave any personal information.
If you are⁣ a person of interest they can prepare your computer at the airport too during the⁢ security check.

 

[JohnLocke]

So the same apply if you buy a new BMW and you are a person‌ of interest, hey will prepare the car with microphones and stuff like that 😉 I think‍ that's something you see in the movies but not really believe they are doing it⁠ unless you are really important and dangerous for the rest of the world.

But Hey,⁤ I'm only human and don't know better.

 

[bancosantander]

The wrong person⁣ just needs to say your name and they will place microphones in your car. For⁢ simple tax avoidance this will not happen. There has to be something more going on.︀ Then it usually will not happen at the store where you buy your car. They︁ will just open your car at night and place all the stuff.

About the Computer︂ story:
happens even you are not a terrorist or somebody really dangerous.

 

[Rered1958]

My apologies for the delayed response. Cloudflare locked me out of posting last month, and‌ it was awhile before I had time to mess around and figure out what/why/how.

I had written a long, substantive response to some of the practical ideas presented by @void, @happyjohn, @neweraoffshore, and others. But for now, I just want to see‍ if I can post one measly link...

@lavel, @Admin, et al., I do⁠ not even watch movies! Here is but one example of many articles written on the⁤ subject about six years ago, the source for the Verge story linked by @bancosantander (thanks!):

https://www.spiegel.de/internationa...ort-to-spy-on-global-networks-a-940969-3.html

An aside for those who are︈ fond of spooky speculation: I suspect that it was such reporting as this that got︉ Appelbaum forced out of the Tor Project based on facially incredible smear accusations, which also︊ resulted in a sudden mass replacement of the Tor Project's whole board of directors. Hmmm.︋ Appelbaum had access to a lot of leaked documents, and he spent about three years︌ doing reports like this. He would not shut up until they torched his career, and︍ so thoroughly destroyed his reputation that he essentially could never again show his face in︎ public.

Appelbaum also had an axe to grind against the mass-surveillance company known as Cloudflare.️ I hope this post goes through!

The following pic of TAO modifying an interdicted Cisco‌ router is via Ars Technica, from a leaked internal NSA document disclosed by Glenn Greenwald;‍ I will try to link to the article in a later post, but I want⁠ to avoid attempting too many links at once:

Thanks, all, for the interesting discussion.

 

[Sulu]

Allow me to enlighten you.

Buy a 3rd gen Intel CPU, or older, PC and‌ have the Intel ME (backdoor) neutralized by running open-source BIOS (coreboot).
You can do this‍ yourself, if you're techy, or buy ready-made systems which deliver to you a separately shipped⁠ hardware token (such as YubiKey) that will authenticate your PC hardware every time you boot⁤ it up. This works to validate the tamper-proofing upon arrival and also to keep validating⁣ your computer because someone may have had access to it and compromised the hardware.

Then of course don't install Windows on it...

Anything you do from here on should have⁢ you pretty safe as long as you know how to maintain a good level of︀ opsec.
Luckily you can educate yourself online regarding best practices in anonymity and security (yes,︁ these two are not equal).

Example product: X230 PrivacyBeast, with other producers offering similar solutions.︂

Pro tip: if you're juggling multiple tax/bank identities and whatnot, learn how to use Qubes︃ OS.
Thank me later.

 

[microw]

There is basically no way to order any hardware to your own name and be‌ sure that they haven't intercepted it (assuming you actually are important and they have reasons‍ to do this. It is not cheap and they will not just intercept packages of⁠ every person with 100k of undeclared income).
You need to buy hardware physically in a⁤ store with cash.

 

[Sulu]

If you want to be anonymous, Tails is a good solution to that and you⁠ can use any computer you like.

If you want security, use hardware that you trust⁤ is clean (no embedded backdoors in firmware) and use software that you trust (libre open-source⁣ OS and pretty much everything else).

But when you say you don't want the purchase⁢ of a computer to be linked to your identity, is a bit extreme... I mean,︀ you're not allowed to own a computer?? It's about what you do with it and︁ the traces you leave behind that mostly counts for anything. But then again, if you︂ don't want 'them' to know you even have a computer or digital activity - I︃ recommend Tails.

Else, educate yourself on how to maintain good security and privacy. Learn about︄ the best practices and start implementing them into your digital routine.

 

[microw]

That's the hard part. For a regular person this is next to impossible.‌ Not even experts can be sure if all parts of Intel ME are deactivated, if‍ all closed source firmware in the network cards or 100s of other chips in a⁠ modern PC are all clean. However, if there is no link between you and the⁤ physical computer (like your name or credit card is not linked to the serial number⁣ of the computer through buying it with a credit card in a store), then even⁢ if the hardware is not really trusted, it is still anonymous. There is no way︀ to connect you to that hardware (assuming you still keep up with opsec and keep︁ everything in Tails and/or encrypted, etc.)

 

[Sulu]

It is possible. You would have to settle for even older generation CPU, for example‌ in the lenovo lineup it is the ThinkPad X61. Complete removal of Intel ME is‍ possible here. The laptop itself is notorious for it's durability and smoooth keyboard.
And then,⁠ as stated before, the exact hardware configuration after the cleanup can be signed with a⁤ unique key private to you and then verified with a hardware token at each boot⁣ to warn you if there has been any alterations in the hardware/firmware. If you then⁢ also use reliable open-source OS and applications, you're already operating at high security.

The most︀ common attack vector is the individual user's incompetence at maintaining healthy opsec (poor password management,︁ poor security, etc.)

 

[cckuhqilfownnfctux]

the best︂ advice is never buy anything online. and you should not buy new hardware -︃ buying a second-hand computer with cash on the second-hand hardware market will do the trick.︄
and, as it was said already, you need to choose hardware thoroughly: like old motherboards︅ which still use BIOS instead of UEFI, old CPUs that allow Intel ME backdoor to︆ be removed, hard disks that were never accused of using backdoors in firmware, wi-fi cards︇ that can be used with open-source firmware, and so on.

 

[Sulu]

NitroPad X230 from Nitrokey is a pretty good option right now. It comes with a‌ hardware key which authenticates the laptop for any tampering in-transit and later during your use‍ (and absence) from the computer.
IMO it's the best you can get at this price⁠ range.

 

[Offshorespirit]

The hardware itself has backoors, example: intel

I know what there is kind of nonimous‌ hardware, but I cannot provide you a lot of information about it

 

[Sulu]

Yes and‌ therefore, see my previous posts.