Might I suggest some therapy to help with what seems to be crippling paranoia?

first off chill out, Jason Bourne.

the threat mitigation is handled based on your threat model, not on a “defend all bases against anyone” approach. once you answer what your specific model is, then you can start building your defences. if your threat model is spouse looking through your shit, a password is more than adequate. if it’s the border nazis CBP, you go for encryption at rest. if it’s a toddler walking around the house smashing stuff, none of those will do you any good.

there are people with complex threat models but I doubt they post on lemmy and they def don’t scour the classifieds for used Thinkpads. the idea that there are threat actors out there infecting random devices and then see what they catch is… def possible, but highly unlikely.

you’re perfectly safe using a 2nd hand enterprise-class laptop, like a Thinkpad, Elitebook, or Latitude, wiped clean. those are tough and resilient devices built for road warriors for everyday, heavy use. the good thing is, they get periodically swapped out for new models, so they can be had for cheap, and a huge majority of those haven’t seen a lick of any significant use.

those devices are worlds apart from the laptops you’re advocating buying (I assume you mean the consumer-class models) and definitely way cheaper, like a couple times over, while being infinitely expandable and serviceable with cheap, widely available and cross-generation compatible parts.

the final part is compartmentalisation and fungibility of devices. keep the minimum stuff you need on there, assume they will break, get lost or stolen, so encryption is mandatory, and have a tried and tested backup and restore procedure in place.

I’ve noted the product families specifically and what I wrote applies to them only, not every used device everywhere.

compartmentalisation and fungibility of devices

<insert thumbs-up emoji here>

These old bricks don’t get microcode updates for the CPU which means you will be vulnerable to many Spectre and Meltdown attacks. QubesOS can mitigate it to some degree such as by disabling hyperthreading, but QubesOS can’t mitigate it completely, only microcode updates can and these old bricks don’t receive them.

as I know linux is capable of loading its own, updated cpu microcode at boot time. I’m not sure if it’s being done by default, but this article probably means that it isn’t

but the main thing is that built-in microcode version is probably not that bad of a problem if you take care of it

@chappedafloat@lemmy.wtf (creator)

deleted by creator

do you mean this part?

However, some of the vulnerabilities of this class cannot be effectively mitigated without updated CPU microcode.

(https://osresearch.net/Heads-threat-model/)

linux can do microcode updates. I think what they wanted to mean is that the general mitigations (the retpolines and the page table isolation they mention near it) are what is not enough

@chappedafloat@lemmy.wtf (creator)

deleted by creator

I guess you can do that on Linux as well by disabling kvm passthrough of the GPU to the VMs.

I think it is disabled by default, and you would need to enable it for a specific VM. as I know, the GPU can rarely be shared to multiple VMs

I think QubesOS only does mitigations, not microupdates.

it may be possible to do it on Qubes too. I think the microcode updates are not OS-specific, but I’m not certain about this
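
The microcode question in the comments above can be checked on a running Linux system: the kernel reports per-vulnerability status under /sys/devices/system/cpu/vulnerabilities and the loaded microcode revision in /proc/cpuinfo. This is an added example, not part of any commenter's post; the function names and the sample status strings written by `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# classify DIR: one line per entry: <status> TAB <name> TAB <kernel text>
classify() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        line=
        read -r line < "$f" || true
        case "$line" in
            "Not affected"*) s=ok ;;
            Mitigation*)     s=mitigated ;;
            Vulnerable*)     s=VULNERABLE ;;
            *)               s=unknown ;;
        esac
        printf '%s\t%s\t%s\n' "$s" "${f##*/}" "$line"
    done
}

# count_vulnerable DIR: number of entries the kernel reports as Vulnerable
count_vulnerable() {
    classify "$1" | awk -F'\t' '$1 == "VULNERABLE" { n++ } END { print n + 0 }'
}

# needs_microcode DIR: entries whose status text says microcode is missing
needs_microcode() {
    classify "$1" | awk -F'\t' 'tolower($3) ~ /no microcode/ { print $2 }'
}

# microcode_rev FILE: revision from a cpuinfo-style file (x86 "microcode" line)
microcode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$1"
}

# make_sample DIR: constructed sample data for offline use (not real output)
make_sample() {
    mkdir -p "$1/vulnerabilities"
    echo 'Mitigation: PTI' > "$1/vulnerabilities/meltdown"
    echo 'Mitigation: Retpolines' > "$1/vulnerabilities/spectre_v2"
    echo 'Vulnerable: Clear CPU buffers attempted, no microcode' > "$1/vulnerabilities/mds"
    echo 'Not affected' > "$1/vulnerabilities/tsx_async_abort"
    printf 'processor\t: 0\nmicrocode\t: 0x21\n' > "$1/cpuinfo"
}

SYS=/sys/devices/system/cpu/vulnerabilities
if [ -d "$SYS" ]; then
    classify "$SYS"
    echo "microcode revision: $(microcode_rev /proc/cpuinfo)"
    echo "entries still vulnerable: $(count_vulnerable "$SYS")"
fi
```

An entry listed by `needs_microcode` is one the kernel itself says it cannot fully mitigate without a newer microcode revision.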

Rentlar

If you’re paranoid, install a new drive, reflash/update the motherboard BIOS, clear the boot picture (a proof of concept rootkit storage vector was there), factory reset the motherboard, clean install an OS, install software from trusted sources only, don’t let any stranger use your PC without you watching, take extra steps to encrypt your drive, and finally securely limit privilege escalation to what you explicitly authorize. You’d be in the clear against 9999/10000 of attacks (I have no citation for this figure). You’d have to be super important, like a diplomat, tax chief, Microsoft IT director or small country royalty or something if you are to be targeted through an old ThinkPad.

(Tinfoil hat time)

Are you trying to evade info-stealing hackers, or the feds? From feds you’re somewhat out of luck, Intel ME and AMD PSP, in conspiracy-speak are kinda like government backdoors, closed source, undocumented, with huge control over a processor. AMD example intel example. Apple hardware is no better, you had better hope they haven’t conveniently slipped up and left an arbitrary read write endpoint in the software.

(Tinfoil hat off)

Assess your risk and threat level and take appropriate mitigation measures. The vast majority of exploited vulnerabilities will be through social engineering rather than software, and then software rather than hardware. The lowest hanging fruit is when there are open, easily accessible connections from the internet, software that can be exploited to freely escalate privilege, a user unwittingly leaking a secure credential, or physical access to a device by someone knowledgeable.

to be targeted through an old ThinkPad.

I’m not convinced that this needs targeting. At the same time, you can’t know if any of the former owners was an important person, or in the environment of one, just as you can’t know what shit they installed entirely carelessly.

@chappedafloat@lemmy.wtf (creator)

deleted by creator

Rentlar

Hence I put that part of the comment with my tinfoil hat on, the world is out to get me specifically, trying to masquerade a well-publicized “security feature” as a backdoor to spy on whoever they please, when they could just as easily put unpublicized vulnerabilities elsewhere.

Yeah, if you can’t trust any of the CPU vendors, then you can’t trust desktop computers at all. Or you’d put a Faraday cage around your home or something to keep the internet out.

Also, cybercriminals simply can hide in countries where enforcement is lax to non-existent. Even if you break American or European rules, all American or European officers can do is their best to block them from their own countries’ services or tap the shoulder of the apparent source countries’ leaders, or in rare cases, dispatch a covert unit to intervene directly.

“If a malware flashes a ROM then you buy their laptop and erase the hdd or ssd or buy a new hdd/ssd, then you flash coreboot to the computer. After all this the malware can still remain in the firmware and you would never know unless the malware makes itself obviously known by a ransom attack or stealing all your crypto or something.”

This is untrue. The previous owner can theoretically get a virus that, if the virus takes advantage of architecture exploits or zero-days, could install a malicious firmware blob within your BIOS. The odds of this are rather rare, and it would rather have to be a widespread issue with the chipset, or a threat actor would need to know the exact firmware and model of your motherboard. Flashing a new BIOS or updating your BIOS clears the chip that stores your boot firmware.

Malware lives on storage; an SSD or hard drive can harbor malware as an infected OS. Some malware can live in RAM, but RAM is cleared on a power cycle. If you got a used laptop and you update the BIOS and reinstall your OS, you’re fine; the OS should have proper sandboxing and separated permissions. The CPU being old in certain models can be mitigated with patches and BIOS updates. However, newer also doesn’t mean more secure; certain AM4 CPUs had architectural flaws. At pwn-to-own, a bunch of hackers used zero days to unlock heated seats on a Tesla without paying the stupid subscription because of the CPU flaw and RAM buffers.

And if you want to get tin foil hatty: how do you know you weren’t man-in-the-middled when you bought a laptop from a retailer? What if a bad actor installed or tampered with the new laptop you bought, and now it is less secure than a second hand laptop, because Joe down the street doesn’t care what you do with the laptop as long as he gets paid? Or vice versa, how do you know Joe didn’t install malware on the PC so he can sell your information on the dark web?

And realistically there is a lot of attack surface for any device. Let’s say you have your laptop and somebody steals it. You’re using LUKS full disk encryption, right? Let’s say you did for this example; your headers for decryption are plaintext on boot. So a threat actor can use brute force to crack your disk. You can set up LUKS to have your headers on a separate disk that you take with you. It’s the equivalent of taking away a lock and a key. So all the threat actor is left with is a door. I can go on for hours about potential attack surfaces: TPM, secure boot, Intel Management Engine, ISPs, SSDs vs HDDs.

“Privacy and Security are a mindset not a tool, device or service”

@chappedafloat@lemmy.wtf (creator)

deleted by creator

malware living on the bios rom could possibly live through an internal bios flash (normal “update firmware” thing in the bios or things like ivyrain) if it somehow manages to manipulate that process.

however, it is always overwritten by an external bios flash (using a raspberry pi or something using flashrom), because then you’re directly communicating with the flash chip. (if you suspect that the flash chip has been replaced with a malicious one you’re probably a bit schizo)

one thing is though is that the flash on the embedded controller is left untouched in most operations like this, so it could possibly harbor malware, but the only thing that could possibly do is make your laptop unusable or die randomly. It can’t really affect the software running on it i’d think. What you’d want to do if you’re really schizo and suspect your EC is infected is to externally flash lenovo firmware and use something like this to update the EC before externally flashing Heads.

the chain of trust for your installer USB would be something you can’t really avoid though, just use the most trustworthy computer you have

@chappedafloat@lemmy.wtf (creator)

deleted by creator

It depends on the model of the computer. I have personally librebooted a T440p ThinkPad, and although perhaps a USB controller can be reprogrammed, I’d find that highly unlikely. I had to buy a specific programmer, then realized the kind people on the Libreboot forum recommended a Raspberry Pi to program the ROM chips on the ThinkPad. I then had to deconstruct the ThinkPad to get access to the 2 chips on the motherboard housing 2 firmwares. For the BIOS, I believe that it is highly improbable for a USB port to re-program a USB HID device like a keyboard, mouse or camera. There are specific chips that are ESP programmers; they are designed in a very particular way and are exclusively for programming and reading. Most chips on USB devices are read-only chips for longevity. And technically you can reprogram them, however you need an ESP programmer to connect to them and flash. And let’s say theoretically you reprogram them with malware: it would be extremely hard to guess the manufacturer of the USB controller chip as well as the layout of what pin does what. It was very complex to program a BIOS chip, and certain models of computers have multiple chips for certain things like firmware blobs. I think the article is highly theoretical and never showed any real exploits being used in the wild. I’m not an electronics engineer or anything, but from what I know about playing with Libreboot and Arduinos, it sounds unrealistic, like 1995’s Hackers/Watch Dogs, to reprogram USB buses with a built-in USB bus.

i mean there’s a possibility of malware hiding in usb peripherals since they have flash, and for thinkpads I think the camera, touchpad, smartcard reader are usually usb. If they hypothetically acted as usb mice/keyboards/network adapters/display devices, they could possibly infect your system ig

What makes you think that new hardware coming from a manufacturer is more secure than second hand hardware?

There’s numerous examples of hardware being compromised before it even got into its original packaging, let alone those intercepted during shipment.

In other words, at some point you need to realise that there are no guarantees in life.

Can you reinstall firmware?

Yes, but can you trust that, if it’s compromised, it doesn’t also infect the new version, or just plain lie to you?

Hellfire103

What is Heads? 'Cause if it’s this Heads either you’re kinda cooked or I’m missing something.

@chappedafloat@lemmy.wtf (creator)

deleted by creator

Hellfire103

Oh, damn! Cool! Thanks for clarifying!

Libb

But the main point I wanted to make in this topic is about risk with used second hand laptops. Because of that I think it probably is best to buy a new unused laptop

Why would that be better? As far as I know, malware can be and has been installed on brand new laptops. Ask Lenovo and Sony, if I remember well.

@chappedafloat@lemmy.wtf (creator)

deleted by creator

Libb

It sounds like you’re saying buying used second hand laptops can’t have malware from the manufacturers, only new laptops can but that is wrong.

Not at all, I’m just saying that you’re wrong in supposing it must be safer when purchased new. Nothing else.
