The parent was simply explaining that lockdown is not intended for a person who buys computers from Craigslist in order to enforce security.
Your mitigation is not a mitigation against being singly targeted. There are so many attack vectors in a computer outside of the boot disk. The computers sold on Craigslist should not be considered secure, since there is no level of trust in the supply chain or the state of the hardware.
For ex: If you are being directly targeted, a nation-state can purchase the computers from your local Craigslist, rewrite their bios, and list them for you to purchase. Then flood Craigslist with 100 other compromised machines.
I was explaining why your use case of purchasing computers from craigslist
does not secure against nation-state targeted attacks. Now you are changing the conversation and saying there are other ways to attack. Of course there are many other attack vectors. I mentioned that, however the conversation was about the true level of security provided by your mitigation.
I'm not changing the conversation, I'm pointing out the simple, currently-used-against-dissident attacks that are not possible if there isn't a clear connection between dissident and device. It certainly provides pretty good protection compared to having an always connected device with a unique ID carried on you at all times. Security is oftentimes about making reasonable tradeoffs based on your risk levels.
And I think you may be overestimating even the resources and capabilities of nations.
Let's say you lived in Philadelphia. You could drive down to Baltimore or up to NYC in 90 minutes. Within that range, there are literally over 10,000 individuals selling 1 or more laptops on craigslist and other sites that I did a cursory search over. And that's not even counting all of the small mom and pop shops that are selling laptops, as well as the big box stores.
How should the adversary state figure out which of those people you're going to purchase from? Should they purchase literally every laptop in the region? Okay then...what about when people start selling more laptops they had in storage because the market is red hot?
What do they even do when they have the laptops? Do they have exploits for every BIOS for every type of laptop for the past 15 years? How do they sell the laptop to me? Do they have their agents sell them? Do they have hundreds of agents who are deep undercover in America, who could lure me in?
I just don't see "buy every laptop in a region, exploit it, and resell it, hope your target picks one up" as a viable strategy, even for the wealthiest of nations, assuming you need to do it discreetly.
Your mitigation is not a mitigation against being singly targeted. There are so many attack vectors in a computer outside of the boot disk. The computers sold on Craigslist should not be considered secure, since there is no level of trust in the supply chain or the state of the hardware.
For ex: If you are being directly targeted, a nation-state can purchase the computers from your local Craigslist, rewrite their bios, and list them for you to purchase. Then flood Craigslist with 100 other compromised machines.