Is it safe to use a second-hand laptop after reinstalling Ubuntu on it
I bought a laptop from somebody. The laptop had Ubuntu 14 on it; I erased the entire disk and installed Ubuntu 16 on it. I definitely don't want the previous owner to have access to my data or keystrokes. Does the re-installation guarantee my security? If not, what should I be looking for?
Short Answer
YES
Long Answer
YES, but...
A laptop with Ubuntu 14.04 installed by the previous owner is on average safer than one with Windows installed on it. Windows was well known for having "worms", "viruses" and "Trojans". These days Windows is better but the historical events are still at the back of most people's minds. This history naturally affects the thinking of many (but not all) new users to Linux / Ubuntu as well. I think it's important to point out how much less likely viruses are.
There are some Linux binary programs that can capture your keystrokes. A previous owner could have such a program installed and another program to transmit your recorded keystrokes to an Internet address. The fact you erased the hard drive and installed Ubuntu 16.04 should have eradicated it.
Things to remember:
- As I mentioned in comments below your question, unless an ex-spouse or the NSA sold you the used laptop you shouldn't worry all that much.
- If an owner set up the machine to spy on you and you purchased the machine then that means the machine is your property. Any data collected by the previous owner makes them guilty of willful trespass. Also the police could consider charging them with the intent to commit fraud, blackmail or theft (via on-line banking). Most people would not take this risk.
General points about keyloggers:
- Employers can legally use them to spy on employees because the employers own the computers
- High school principals have been known to spy on students in bedrooms by remotely activating webcams on the school's laptop the student is using.
- Libraries who charge say $12 for a yearly library card probably could not use keyloggers but recently my city library made library cards free so I guess they probably could legally do it.
- If you live in a shared home or other people have access to your computer at work you may want to install your own keylogger on your own computer to see if others are accessing it when you are away.
In the comment section of your question, myself and others were guilty of hijacking your question with talk about BIOS and ROM chip reprogramming. That is extremely unlikely unless you are the owner of a bitcoin exchange that the US Federal Reserve or US Treasury was keen to eradicate. However that would also mean you wouldn't be buying a used computer in the first place.
In a comment @JörgWMittag writes that you should always ask "What is your threat model?" In other words: Who is the opponent and what info do you want to keep from them? What is it worth to them?
If you are afraid of a Government-level opponent, and they think you are worth the effort, nothing is safe. You can do whatever you want, it will not be safe.
However, if you are just an average person worrying about other average people, reinstalling the OS should be more than enough.
One worry is that even if you make the software safe, the hardware or firmware might be compromised. However, this would be expensive for the attacker and therefore highly improbable.
Do you know the seller? If they are just some random person on eBay, they are not going to care enough about you to do anything.
You might worry a bit if you know the seller AND they have a grudge against you AND they are good with computer hardware.
If you have more specific questions they should probably go on Security SE.
Pretty much yes, but…
Unfortunately, unsupervised direct physical access to a computer pretty much voids all security since, theoretically, an attacker with physical access can do anything they want with the machine including tampering with it to compromise all software running on it in the future. This is very hard to detect. However, it's similarly hard to pull off in the first place and thus takes a very dedicated attacker. Even for those it would be far simpler to try other attack vectors first.
Conclusion: You're safe unless you somehow attracted the attention of a very dedicated and resourceful attacker.
Disclaimer: I'm going to offer a different viewpoint to this question
Q: Is it safe to use a second-hand laptop after reinstalling Ubuntu on it?
A: NO
Simply re-installing will not make it "safe" in a general sense, and not make it "safe" if you suspect you are the victim of an attack by your seller.
A couple points on this:
- Trust
Any "foreign" hardware you use and/or bring into your home network from an "untrusted" source is a risk and should not be trusted by default. However, who do you trust? Well that depends, largely on how much of a target you are and how paranoid you are...
It's difficult to make generalizations here and say big hardware vendors are safe to buy from, because the past has shown they actually aren't. See some random highlights here:
- Spyware on Lenovo with additional software
- HP uses Synaptics Touchpad drivers with keylogger
- IBM ships Software to customers on malware infected USB sticks
Although these news items I found with quick googlefu are Windows-focused, it is a common misconception that Linux is safe(er) from viruses/trojans. Also, they can all be attributed, to some degree at least, to negligence rather than deliberate attacks.
Even more to the point, we mostly don't know what is lurking in proprietary firmware and drivers that have not been peer reviewed (and even peer-reviewed software can sometimes be the source of myth and mistrust).
To quote a study from 2015:
With the system firmware, a much more privileged software layer exists in modern computer systems though that has recently become the target in sophisticated computer attacks more often. Compromise strategies used by high profile rootkits are almost completely invisible to standard forensic procedures and can only be detected with special soft- or hardware mechanisms.
So, with a specific and targeted attack in mind, it is even plausible - though very unlikely since there are easier methods - that the firmware on your notebook, or the BIOS or even the very hardware itself has been manipulated (say with a microcontroller/keylogger soldered onto the mainboard, etc).
In conclusion to this point:
You cannot trust ANY hardware - unless you have carefully vetted it, from top to bottom, from hardware over firmware to drivers.
But who does that, right? Well, that brings us to the next point.
- Risk and Exposure
How likely is it that you are a target?
Well, this is something that you can only determine for yourself and there isn't a point-for-point guide out there (that I could find), but here are some pointers for exposure:
- How much is there to steal from you: Besides the obvious social security number (for Americans) and credit cards/banking (for everyone else) - maybe you are rich or came into some money recently (inheritance, bonus payments, alt-coins, etc) or you own a business?
- Are you exposed at your job: Maybe you handle confidential files, or are active in a political function, or you work at the DMV or maybe you work for Evil Corp or it's otherwise gainful to attack you/spy on you because of your job (government, military, science, etc)
- Are you exposed by proxy: Maybe it's not you that is rich, but some extended family or maybe you don't have a business but your spouse has, etc
- Enemies: Maybe there are people out to get you, that have a grudge from business deals, former employers or employees, etc. Maybe you are currently in divorce proceedings or fighting about custody of your children, etc

and risk, which mainly boils down to
- Shady sources: Are you buying a laptop out of a trunk of a car from some guy you just met minutes ago for pennies on the dollar? From darknet exchanges? From new sellers on eBay or sellers that seem to have used bots for feedback?
- Patching: You live by the motto "Never touch a running system" and are unlikely to patch your software and operating system.
So should you start paying people to look into closed source firmware, stracing everything, etc and removing built-in microphones from your laptop?
No, because there is also
- Cost, likeness and discovery of an attack
Unless you are a very high profile target of a very rich, maybe even government, group, your attackers will go the way of least resistance and where you are vulnerable the most.
Because highly specialized zero-day exploit-toolkits cost money, and specialized attacks on firmware even more. Physically manipulating/bugging your hardware risks exposure - and these people generally don't want to get caught.
The past shows us that it is far more likely that someone will simply try to steal your laptop to gain valuable data, rather than plant an infected one.
Or exploit a known security vulnerability that you left unpatched because you did not update your OS and apps to the latest version or because there currently isn't a (good) patch out there at the moment. Hacking into your WiFi or maybe even LAN might also be more feasible.
It is also far easier to try and get your login credentials for banking etc either via phishing or social engineering than manipulating your notebook.
There have been recent reports that people try and clone a SIM card, by simply going to your mobile provider and claiming to be you - not being challenged by the personnel - and subsequently using this to intercept TAN messages from your bank to empty your accounts. (Though for the life of me I can't find anything regarding this on Google at the moment)
- Conclusion
Taking off my tinfoil hat, let me point you to this good Ubuntu Wiki entry on basic principles of security for users.