Our valued sponsor

Buying computers without interception/bugging

Rered1958

New member
Oct 17, 2019
4
7
3
Visit site
Any advice for how to buy computer equipment online, with reduced risk that a friendly NSA agent will intercept the shipment and implant a hardware bug in it?

I have not bought any computers since before the Snowden leaks disclosed this as a real threat. My remaining computers are slow, and literally falling apart. I need lots of new stuff.

I don't do anything illegal, much less of national security interest. However, I have a loud mouth with my opinions... I'm probably on some interesting lists; and I use lots of crypto/anonymity networks to keep my private stuff PRIVATE. I must have clean hardware.

Most hacker/geek sites either ignore this threat, or say "cross your fingers, good luck". Thought I should ask here. People here are more practical.
 
  • Like
Reactions: JohnLocke and lavel
Ehhh. Go into a hardware store and buy the hardware directly there without using shipping ?!
I totally agree with newera - go into the store and buy what you need, pay with cash or bitcoins and even change your face look by using a fake mustache and sun glasses.

fake-mustache.jpg
 
Let's assume you are right and they are capable and interested enough to monitor your purchases and bug your hardware. Then there is no need to physically go to hardware store - just use an intermediary who will buy it for you (easy to find random guy not connected with you at all).
Sounds creepy but I like your thinking btw...
 
Yeah going into a good independent store and paying in cash is best. Don't fill out any warranty nonsense that reveals your identity and then walk out.

However if I owned a computer store and you came in with @happyjohn disguise I would call the police straight away smi(&%.
 
If you go into any store like this I think they will call the police right away :D
 
It's total paranoia to think that anyone will prepare your computer parts with chip's and stuff. I actually never thought about it.

It actually is possible and they do it. It just depends on who you are.
Wearing a false beard or anything like this is not necessary. Just go to a store where nobody knows you and pay by cash. Do not leave any personal information.
If you are a person of interest they can prepare your computer at the airport too during the security check.
 
So the same apply if you buy a new BMW and you are a person of interest, hey will prepare the car with microphones and stuff like that ;) I think that's something you see in the movies but not really believe they are doing it unless you are really important and dangerous for the rest of the world.

But Hey, I'm only human and don't know better.
 
So the same apply if you buy a new BMW and you are a person of interest, hey will prepare the car with microphones and stuff like that ;) I think that's something you see in the movies but not really believe they are doing it unless you are really important and dangerous for the rest of the world.

But Hey, I'm only human and don't know better.

The wrong person just needs to say your name and they will place microphones in your car. For simple tax avoidance this will not happen. There has to be something more going on. Then it usually will not happen at the store where you buy your car. They will just open your car at night and place all the stuff.

About the Computer story:
happens even you are not a terrorist or somebody really dangerous.
 
My apologies for the delayed response. Cloudflare locked me out of posting last month, and it was awhile before I had time to mess around and figure out what/why/how.

I had written a long, substantive response to some of the practical ideas presented by @void, @happyjohn, @neweraoffshore, and others. But for now, I just want to see if I can post one measly link...

@lavel, @Admin, et al., I do not even watch movies! Here is but one example of many articles written on the subject about six years ago, the source for the Verge story linked by @bancosantander (thanks!):


Der Spiegel said:
[December 29, 2013]

Take, for example, when they intercept shipping deliveries. If a target person, agency or company orders a new computer or related accessories, for example, TAO [NSA's Tailored Access Operations] can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called "load stations," agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.

These minor disruptions in the parcel shipping business rank among the "most productive operations" conducted by the NSA hackers, one top secret document relates in enthusiastic terms. This method, the presentation continues, allows TAO to obtain access to networks "around the world."

[...]

REPORTED BY JACOB APPELBAUM, LAURA POITRAS, MARCEL ROSENBACH, CHRISTIAN STÖCKER, JÖRG SCHINDLER AND HOLGER STARK

An aside for those who are fond of spooky speculation: I suspect that it was such reporting as this that got Appelbaum forced out of the Tor Project based on facially incredible smear accusations, which also resulted in a sudden mass replacement of the Tor Project's whole board of directors. Hmmm. Appelbaum had access to a lot of leaked documents, and he spent about three years doing reports like this. He would not shut up until they torched his career, and so thoroughly destroyed his reputation that he essentially could never again show his face in public.

Appelbaum also had an axe to grind against the mass-surveillance company known as Cloudflare. I hope this post goes through!

The following pic of TAO modifying an interdicted Cisco router is via Ars Technica, from a leaked internal NSA document disclosed by Glenn Greenwald; I will try to link to the article in a later post, but I want to avoid attempting too many links at once:

nsa-pwn-cisco-640x373.jpg


Thanks, all, for the interesting discussion.
 
Allow me to enlighten you.

Buy a 3rd gen Intel CPU, or older, PC and have the Intel ME (backdoor) neutralized by running open-source BIOS (coreboot).
You can do this yourself, if you're techy, or buy ready-made systems which deliver to you a separately shipped hardware token (such as YubiKey) that will authenticate your PC hardware every time you boot it up. This works to validate the tamper-proofing upon arrival and also to keep validating your computer because someone may have had access to it and compromised the hardware.

Then of course don't install Windows on it...

Anything you do from here on should have you pretty safe as long as you know how to maintain a good level of opsec.
Luckily you can educate yourself online regarding best practices in anonymity and security (yes, these two are not equal).

Example product: X230 PrivacyBeast, with other producers offering similar solutions.

Pro tip: if you're juggling multiple tax/bank identities and whatnot, learn how to use Qubes OS.
Thank me later.
 
  • Like
Reactions: cckuhqilfownnfctux
There is basically no way to order any hardware to your own name and be sure that they haven't intercepted it (assuming you actually are important and they have reasons to do this. It is not cheap and they will not just intercept packages of every person with 100k of undeclared income).
You need to buy hardware physically in a store with cash.
 
There is basically no way to order any hardware to your own name [...]
You need to buy hardware physically in a store with cash.

If you want to be anonymous, Tails is a good solution to that and you can use any computer you like.

If you want security, use hardware that you trust is clean (no embedded backdoors in firmware) and use software that you trust (libre open-source OS and pretty much everything else).

But when you say you don't want the purchase of a computer to be linked to your identity, is a bit extreme... I mean, you're not allowed to own a computer?? It's about what you do with it and the traces you leave behind that mostly counts for anything. But then again, if you don't want 'them' to know you even have a computer or digital activity - I recommend Tails.

Else, educate yourself on how to maintain good security and privacy. Learn about the best practices and start implementing them into your digital routine.
 
use hardware that you trust is clean (no embedded backdoors in firmware)
That's the hard part. For a regular person this is next to impossible. Not even experts can be sure if all parts of Intel ME are deactivated, if all closed source firmware in the network cards or 100s of other chips in a modern PC are all clean. However, if there is no link between you and the physical computer (like your name or credit card is not linked to the serial number of the computer through buying it with a credit card in a store), then even if the hardware is not really trusted, it is still anonymous. There is no way to connect you to that hardware (assuming you still keep up with opsec and keep everything in Tails and/or encrypted, etc.)
 
It is possible. You would have to settle for even older generation CPU, for example in the lenovo lineup it is the ThinkPad X61. Complete removal of Intel ME is possible here. The laptop itself is notorious for it's durability and smoooth keyboard.
And then, as stated before, the exact hardware configuration after the cleanup can be signed with a unique key private to you and then verified with a hardware token at each boot to warn you if there has been any alterations in the hardware/firmware. If you then also use reliable open-source OS and applications, you're already operating at high security.

The most common attack vector is the individual user's incompetence at maintaining healthy opsec (poor password management, poor security, etc.)
 
  • Like
Reactions: cckuhqilfownnfctux
Any advice for how to buy computer equipment online, with reduced risk that a friendly NSA agent will intercept the shipment and implant a hardware bug in it?

I have not bought any computers since before the Snowden leaks disclosed this as a real threat. My remaining computers are slow, and literally falling apart. I need lots of new stuff.

I don't do anything illegal, much less of national security interest. However, I have a loud mouth with my opinions... I'm probably on some interesting lists; and I use lots of crypto/anonymity networks to keep my private stuff PRIVATE. I must have clean hardware.

Most hacker/geek sites either ignore this threat, or say "cross your fingers, good luck". Thought I should ask here. People here are more practical.

the best advice is never buy anything online. and you should not buy new hardware - buying a second-hand computer with cash on the second-hand hardware market will do the trick.
and, as it was said already, you need to choose hardware thoroughly: like old motherboards which still use BIOS instead of UEFI, old CPUs that allow Intel ME backdoor to be removed, hard disks that were never accused of using backdoors in firmware, wi-fi cards that can be used with open-source firmware, and so on.
 
NitroPad X230 from Nitrokey is a pretty good option right now. It comes with a hardware key which authenticates the laptop for any tampering in-transit and later during your use (and absence) from the computer.
IMO it's the best you can get at this price range.
 

Latest Threads