Silk Road forums

Discussion => Security => Topic started by: AnonymousAddict on January 04, 2013, 06:18 am

Title: Laptop Teq question! Need real teqs advice!
Post by: AnonymousAddict on January 04, 2013, 06:18 am
OK, I've got an HP ProBook 4430. It was given to me when I got into college. I'm a computer science major, and honestly I find I learn more from the other teachings of the net and computers than through school.

One of my questions is, when I turn it on, it says 'Property of _____' and has their logo etc. Well, I've since left that college and gone on to a new one. The computer is mine, but I wanna know how the hell do I get all their logos and shit off, just like the one that as soon as you turn it on says 'Property of so and so'.

2nd, I'd like to turn off the 'Lowjack', I guess would be the correct term. I've met other students that say after leaving the school they somehow have access to it and just shut it down to where you can't use it, which I'm sure a new HD would fix, but I've read there are ways to get around it, just not full instructions.

And last, I'd like to beef this computer up with as much security as I can. I've downloaded TrueCrypt and downloaded it to my USB stick, and when I installed it I was fucked up, so I'm gonna have to go back and read it all over again, but it says my USB stick is mounted. I wanna do the option where there's an inner and outer system running, but when I went to do it, it needs a CD, so I'm going to buy blank discs tomorrow.

I'd like to put a whole different OS on here, such as Linux Ubuntu, but I'm not sure if that's right for me. So if someone could help me get my laptop fully secure I'd be grateful, and when I reload coins I will throw you a little money. I've got a couple of nice USB sticks: one is a Kingston but only 4 GB, then another is 8 GB.

So with that said, help is needed. Thanks SR fam... I'm 'bout to go look into Liberte and Tails now.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: SelfSovereignty on January 04, 2013, 06:29 am
I've never really done much with encryption, but I'm sure astor or Nightcrawler can help you out there.  As for the bootup logo, that should be an option in your BIOS settings.  If it isn't in the BIOS settings, then it's at the operating system level and you'll have to look up how Microsoft partners get a bitmap to display at system load.  I read about it once ages ago; it's a key in the Windows registry that points to a properly formatted bitmap or something.  Shouldn't be too hard if what I read (and what I remember) is accurate.

As for the "lowjack," if there is one then it'll likely be a piece of software running underneath the OS (meaning Windows loads and can control that software -- if it loads *before* the OS though, you can't just kill the program through Process Explorer or something, it won't even be listed probably).  I have no experience with such software, so it's conceivable I'm wrong, but I don't see how it could possibly be a software solution and not show up as a running process in Windows (again unless it actually loads before the OS, which means you have to reinstall the OS to get rid of it).

If it's hardware... you're out of luck.  Hardware could be set up to be impossible to disable via software or a hard drive change.  But I'm not even sure anybody sells those things, or why someone would bother paying money just to make sure a laptop is useless unless they want it to be.

So go to Administration controls or whatever it is, and look through the list of services.  Now relax, a lot of them sound really scary and bad but unless you google one and know exactly why you don't need it, don't fuck with the settings.  Just find one that sounds like it's some kind of tracking software (if there is one, there may not be), and stop it.  Then set it to disabled.  Click okay.  Done :)

Edit: to be clear, if it's not a BIOS setting and it's still there after reinstallation of the OS -- then you'd need to be able to muck with the BIOS at a non-user level.  That I can't help you with, but you shouldn't go that far unless you *really* want it gone.  I suppose you could try clearing the BIOS settings entirely and hope the manufacturer's default settings don't include it... I doubt they would, come to think of it.  On desktops there's a couple of pins somewhere on the motherboard and if you put the jumper you'll find on them (it's a tiny little piece of plastic) in the special position bridging the right pins for a few seconds, the entire BIOS memory is cleared and restored to default.  But that means everything, not just some logo.  There's probably info for it if you search for your model.  It's usually used because someone forgets the BIOS password and can't boot their computer, if that helps you find it.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: astor on January 04, 2013, 07:14 am
TrueCrypt isn't hard to set up and they have extensive documentation on their web site. Take some time to read through it.

Quote
    I'd like to put a whole different OS on here, such as Linux Ubuntu, but I'm not sure if that's right for me.

If you're not sure if Linux is right for you, Ubuntu and Linux Mint have Live CDs. Pop them in your CD-ROM and boot them up. Play around and see if you like them. No installation required. They don't touch your hard drive. If you're ready to install, it's an icon on the desktop.

The nice thing about the latest versions of Ubuntu and Linux Mint (which is based on Ubuntu) is that full disk encryption is a one-click option during the install process, and they use LUKS, an encryption scheme for which the ElcomSoft software isn't designed to steal the keys from RAM -- although I'm sure that's coming.

If you want to get really advanced, you could apply the TRESOR kernel patch, which puts the encryption key in the CPU registers, preventing them from being stolen from a memory dump, cold boot attack, etc.

https://en.wikipedia.org/wiki/TRESOR

This guy has a nice tutorial on that

https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks

The main difference between Ubuntu and Linux Mint is the user interface. A lot of people dislike Ubuntu's latest UI, which is called Unity, so Linux Mint offers more traditional looking UIs. You can check out the screenshots on their web sites or Wikipedia.

Besides FDE with LUKS, some other advantages of Linux:

-- malware, while technically possible, is effectively nonexistent on desktop Linux
-- it's free, so if you fuck something up you can do a clean reinstall without worrying about licensing bullshit (remember to make backups)
-- it's free, so if you need to destroy your data, you can nuke the whole hard drive (more secure than individual file deletion) and reinstall
-- gpg comes with every distro by default
-- a lot of networking stuff is more advanced
-- scripting via the command line is fast and powerful

The major drawbacks:

-- very few professional games
-- few professional software packages on the level of Office and Photoshop
-- support for specific kinds of hardware can be dodgy, but that's gotten a lot better in recent years (running the Live CD gives you a chance to test your hardware)

If you want to use this laptop exclusively for secure drug stuff, Linux is a good option, but if you want it for general computing, gaming, professional stuff, stick with Windows.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: SelfSovereignty on January 04, 2013, 07:55 am
Quote
    If you want to get really advanced, you could apply the TRESOR kernel patch, which puts the encryption key in the CPU registers, preventing them from being stolen from a memory dump, cold boot attack, etc.

Just mentioning that if you have DDR3 RAM, which you probably do if the laptop isn't more than a year or two old, it's immune to cold boot attacks.  Though I haven't actually tested that or anything... as for Unity... yeah.  Fuck that.  I gave it a chance, and my verdict stands: fuck that.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: astor on January 04, 2013, 08:14 am
Good info on DDR3. Ironically, TRESOR only works well if your CPU supports AES-NI, which is also fairly recent.

Yeah, I don't like Unity either. Cinnamon is my favorite DE for Linux right now.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: kmfkewm on January 04, 2013, 10:46 am
Quote
    Quote
        If you want to get really advanced, you could apply the TRESOR kernel patch, which puts the encryption key in the CPU registers, preventing them from being stolen from a memory dump, cold boot attack, etc.

    Just mentioning that if you have DDR3 RAM, which you probably do if the laptop isn't more than a year or two old, it's immune to cold boot attacks.  Though I haven't actually tested that or anything... as for Unity... yeah.  Fuck that.  I gave it a chance, and my verdict stands: fuck that.

First time I heard this claim, although some googling shows that it has some support. I wonder if it continues to be immune if the attacker flash freezes the RAM. It seems the reason given for its immunity is because it clears its state in only a few seconds after power is cut, not giving an attacker enough time to transfer the RAM in a forensics laptop or even to reboot the system the RAM is in and load a live lightweight forensics OS. However if they gain access to the computer and it is booted up, I imagine they can still freeze the RAM to dramatically extend the amount of time they have to put it into a forensics laptop or reboot the targeted system into a forensics OS. Also I cannot find any actual studies or experts talking about DDR3 RAM and cold boot attacks, only random people on the internet making claims about it. Thus, I am skeptical about the truth of this until someone shows me a study or a recognized expert saying something on the matter.


Title: Re: Laptop Teq question! Need real teqs advice!
Post by: SelfSovereignty on January 04, 2013, 10:57 am
Quote
    Quote
        Quote
            If you want to get really advanced, you could apply the TRESOR kernel patch, which puts the encryption key in the CPU registers, preventing them from being stolen from a memory dump, cold boot attack, etc.

        Just mentioning that if you have DDR3 RAM, which you probably do if the laptop isn't more than a year or two old, it's immune to cold boot attacks.  Though I haven't actually tested that or anything... as for Unity... yeah.  Fuck that.  I gave it a chance, and my verdict stands: fuck that.

    First time I heard this claim, although some googling shows that it has some support. I wonder if it continues to be immune if the attacker flash freezes the RAM. It seems the reason given for its immunity is because it clears its state in only a few seconds after power is cut, not giving an attacker enough time to transfer the RAM in a forensics laptop or even to reboot the system the RAM is in and load a live lightweight forensics OS. However if they gain access to the computer and it is booted up, I imagine they can still freeze the RAM to dramatically extend the amount of time they have to put it into a forensics laptop or reboot the targeted system into a forensics OS. Also I cannot find any actual studies or experts talking about DDR3 RAM and cold boot attacks, only random people on the internet making claims about it. Thus, I am skeptical about the truth of this until someone shows me a study or a recognized expert saying something on the matter.

Er, that doesn't sound good.  Have I fallen prey to misinformation?  The first mention I heard of it was in the comments on Bruce Schneier's site, and nobody refuted it.  So I googled for like 20 seconds, decided it was decent info, and that was that.  Apologies if I've steered everybody wrong, but you now know precisely my basis for saying this and can decide for yourselves.

Edit: I use "google" loosely.  Please do not bother harassing whatever poor fools googled this stuff around the same time, you will not find me  :P
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: kmfkewm on January 04, 2013, 12:09 pm
It isn't that I think it is wrong, just that I would like to see a study done first. The basic theory makes sense though, DDR3 RAM is more volatile than DDR2 or DDR, so it loses its state faster after power is cut.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: sourman on January 04, 2013, 01:13 pm
^^That is indeed the theory behind those claims. Even DDR2 is volatile enough to clear in seconds, although flash freezing the memory sticks is supposed to preserve the information long enough for a data acquisition. Bottom line is either way, if LE gets to your machine before you can power down, any encryption keys contained within RAM are theirs for the taking. If you manage to power off the PC--even as they come in the door--then odds are your data is safe. Those 5-6 seconds (probably longer) until they clear the immediate area should be long enough. There is no hard, primary evidence to prove any of this, but from what I have heard, LE only attempts the cold boot attack when they have prior knowledge of your encryption. There is anecdotal evidence that they don't even try removing the RAM, rather they attempt to live acquire the contents on a running PC. It seems that with typical cases, if they find it powered down, there's not much they can do as of today. That will likely change though, so thank God for TRESOR and similar solutions.

I would remove the HDD from the laptop entirely and use liberte/tails for any kind of high exposure activity i.e. vending on SR. This laptop is now your nuclear football;  keep it next to you at all times, even if it's off. If LE knows about your setup, they will try to separate you from the PC before they kick your door in and tackle you. If they succeed, you're fucked. They can also sneak into your house and install a keylogger if they want you bad enough, so again, make sure it's a small laptop you can take with you practically everywhere.

For "basic" security and maximum convenience, I recommend a fully updated version of Windows 7 running on a TrueCrypt partition without the whole "hidden OS" feature. Only install the software you absolutely need, and make sure to keep it patched. A free antivirus package such as AntiVir and/or MalwareBytes helps as well. Avoid using any software licensed to you, as any update checking traffic containing your serial or other info can be used to find you. LE can also cripple some antimalware programs registered to you by having them send you a bogus update. I'd also create a TrueCrypt container (a regular file that can be mounted as a drive) and use it to store anything illegal or even questionable. When you're done working on anything "bad", dismount the container and run CCleaner to wipe any temporary files and free space. At this point, LE can raid you and break the encryption on your running laptop, but all they will find is a sanitized Windows installation and a suspiciously large file containing random data. If your passwords are long and secure, the investigation of your device stops there. Just make sure you use software designed for anonymity (like the TBB) any time you do anything suspicious. You don't want shitty software leaving all sorts of artifacts for LE to find, although for low level offenses like ordering pot, odds are they'll end up powering off your computer themselves and demand the password later.

Now as for the lo-jack thing, is it called Computrace by any chance? Try googling it if you aren't sure. If your laptop is a Dell, HP, or that other one that used to come in black-and-white "cow boxes", odds are that's it. Here's a page on removing it: http://www.freakyacres.com/remove_computrace_lojack.

EDIT: Using a Linux liveCD or tails/liberte would effectively disable computrace as it needs to load its modules onto a compatible OS such as Windows to function.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: astor on January 04, 2013, 01:54 pm
Quote
    There is anecdotal evidence that they don't even try removing the RAM, rather they attempt to live acquire the contents on a running PC. It seems that with typical cases, if they find it powered down, there's not much they can do as of today. That will likely change though, so thank God for TRESOR and similar solutions.

Which I forgot to list, but the biggest advantage of Linux is that it's open source. Try applying a kernel patch to Windows. :)
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: kmfkewm on January 04, 2013, 01:59 pm
Newer Intel processors have lowjack functionality built right into them :/.

Carrying your laptop with you everywhere you go is definitely great for security, but it does get to be a bit cumbersome. I did that for quite a while, but it is truly hard to keep it up. I believe that even if you carry your laptop with you everywhere, that if you are identified and they want you bad enough they will be able to get you. They might sneak into your home when you are gone and install pinhole cameras to spy on you typing your password in. Or they will install mini microphones and get your password by analyzing the amount of time between keystrokes, and the number of keystrokes you type before waiting for your OS to boot up the rest of the way. Or they will do some crazy TEMPEST style attack. Or they will just rush in and pwn your ass before you have time to power down. Carrying your laptop with you everywhere but only using it inside of your sound proofed tinfoil covered blanket fort loses its appeal at a surprisingly rapid rate. But it is more secure :).

IMO nobody should really rely on full disk encryption to keep them protected from a targeted attack. It can certainly save the day, but the cases where it saves the day tend to be when the attacker is street level LE, or feds who are not aware that you are using encryption in the first place. I know someone who was arrested for drug trafficking not related to the internet, he also was a member on several private drug forums and quite involved with the online scene. The police and DEA agents that raided him did confiscate his computers and try to look through them, but they just immediately powered them down and since they were encrypted couldn't get shit off of them later. They had no idea that he would have encrypted hard drives, and they just don't have the resources to do raids with a focus on computer forensics in every single case, on the off chance that someone they raid might be using computer security techniques to hide something interesting from them. In the literature on CP raids you can see much of the same theme, it is quite common for an encrypted hard drive to protect someone who has been raided on suspicion of downloading CP from some public P2P network or something, but it is also pretty frequent that the feds will do a cold boot attack or similar in order to defeat disk encryption when they do targeted operations against big time collectors / distributors who are part of targeted and known as sophisticated trading groups.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: sourman on January 04, 2013, 02:27 pm
Yeah, it's all about the scope of your threat. A typical SR vendor can work from a netbook or small laptop that they bring with them whenever it's reasonable. I mean, you're not literally going into the club or taking a bath handcuffed to a briefcase, but at the very least keep it on you as much as possible. I completely agree that if the feds really want you, they have the persistence and resources to either lock you up or force you into hiding. High profile targets like DPR or a first-tier supplier are going to have a radically different approach to OPSEC.

Those basic precautions I gave were for casual buyers and other low level users, while the ones above that were aimed towards vendors and anyone ordering weight. Neither are going to prevent a targeted attack from an opponent like the US feds, although the above approach does minimize risk assuming one is selling drugs part time and isn't some VIP.

The best advice I can give regarding FDE is to never tell anyone you're using it. Same goes for anything about your setup. Don't tell anyone more than they absolutely need to know, which is usually ZERO. It's one of the easiest ways to minimize those targeted attacks, although it certainly won't prevent them all.
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: Nightcrawler on January 05, 2013, 02:57 am
Quote
    OK, I've got an HP ProBook 4430. It was given to me when I got into college. I'm a computer science major, and honestly I find I learn more from the other teachings of the net and computers than through school.

    One of my questions is, when I turn it on, it says 'Property of _____' and has their logo etc. Well, I've since left that college and gone on to a new one. The computer is mine, but I wanna know how the hell do I get all their logos and shit off, just like the one that as soon as you turn it on says 'Property of so and so'.

You _may_ be able to disable the boot-up splash screen; some BIOSes have an option to disable the splash screen. If available, that is likely your only option to do so.

Because your laptop was supplied by your school, it's only reasonable to make the following assumptions:

- The laptops are purchased in bulk (probably in lots of several hundred to one thousand or more) by [deleted] College   
   for their students. Usually when an organization makes such large purchases, they can have machines built to order,
   with specific hardware, software, etc.
   
- Presumably the [deleted] splash screen was included in the BIOS as a part of the build process.

- It is highly likely that these machines came with Lojack pre-installed.

I was only vaguely familiar with Lojack, so I went to their website to gather some information on what it does, and how it works. Unfortunately for you, the Lojack people seem to have covered most of the bases.

- Lojack has entered into agreements with a wide array of hardware manufacturers to place code in their computers'
  BIOSes. HP is one of those manufacturers, and your model HP PROBOOK4430, is one of those with such a modified
  BIOS.
 
- Once activated, the code in the BIOS essentially re-installs the Lojack/Computrace Agent monitoring software when
   it detects one of the following situations:
 
  - The hard drive has been replaced; or
 
  - The hard drive has been re-formatted or the OS has been re-installed; or
 
  - The Lojack software has been removed.
 
The Lojack web page even specifies that flashing the BIOS will not remove the Lojack software, as it is located in a non-flashable area. According to Lojack's web page, the only way to remove/deactivate the software is to contact Lojack with your account information/password so the Lojack Agent software can be deactivated.

Quote
   If the Agent has been activated and you are an authorized user with the correct password,
   you can submit a request to have the Agent removed from your computer within your Customer
   Center account. 
   
I suspect you're not going to be able to do that. Let me explain:

The reason [deleted] College would have had the software installed was to serve as an asset-control tool. This software would allow the College to: 

- Lock the computer - the computer is essentially rendered unusable. The college could place specific messages on the
  lockout screen, such as "Your computer has been locked due to non-payment of tuition fees."

- Delete files on the computer - Files can be deleted, so that they are unrecoverable.

As part of an asset-control scheme, a student's laptop can be locked by the College if, for example, they fall behind on their tuition payments. You can see just how attractive such an option would be to them.

Furthermore, once a laptop is reported 'stolen' it can be:

- Tracked - Once a machine is reported 'stolen' Lojack describes the process as follows:

Quote
    If your computer is stolen, contact us. The next time your computer connects to the internet
    it will silently switch to theft mode with Agent contact increasing from once per day to every
    15 minutes. This increased contact will allow the Absolute Theft Recovery Team to forensically
    mine your computer using a variety of procedures including key captures, registry and file
    scanning, geolocation, and other investigative techniques to determine who has your computer
    and what they're doing with it.

    Most importantly, we will use our technology to pinpoint the physical location of your computer
    and work closely with local law enforcement to recover it.

Needless to say, for law-abiding people, these recovery procedures will not induce any alarm. For those travelling the Silk Road, however, these are an absolute nightmare scenario, as even when _not_ reported stolen, the software phones home with the user's IP address at least once every 24 hours. Remember, this will be your REAL IP address.

You may remember earlier that I said you need to have a username/password to be able to deactivate the Lojack software. For logistical reasons, it is highly unlikely that each laptop was supplied with its own account. Rather, it is far more likely that all machines issued by a particular campus are included on a single Lojack account. Therefore, the personnel at [deleted] responsible for asset control would only require a single username and password to be able to monitor the campuses' entire laptop inventory.

You can be absolutely certain that they're not going to give you that information, as a malicious person could lock or even wipe out the entire campus' inventory of laptops with that information.

What should have happened, when ownership of the laptop was transferred to you, was that the machine should have been removed from the school's asset database, and the machine removed from the school's Lojack account.
Whether this was done (or not) you will have to contact the school to find out.

Quote
    2nd, I'd like to turn off the 'Lowjack', I guess would be the correct term. I've met other students that say after leaving the school they somehow have access to it and just shut it down to where you can't use it, which I'm sure a new HD would fix, but I've read there are ways to get around it, just not full instructions.

A new hard drive will not solve your problem, if the Computrace Agent has been enabled in the BIOS. My understanding is that installing the Lojack software and setting up an account will activate this feature. The idea behind modifying the BIOS is so that hard drive wiping or replacement will not eliminate the Computrace Agent software, as it will be re-loaded from BIOS.  As long as the Agent is activated in the BIOS, and you're running Windows, you'll never be rid of it. The software developers claim that the Agent functionality is located in a non-flashable section of the BIOS, so even re-flashing your BIOS will not get rid of it.

Back in 2005-2006, there was a report published on Cryptome, which stated that the software could be defeated by locating the services involved, determining the IPs they were communicating with, and editing your hosts file to link these IP addresses to the loopback address.  (I can't say for certain whether this information is still valid, although I think it might be.)

Quote
What are you looking for? A program called RPCNETP.EXE. You could search the registry for it
and rename it, delete it entirely, stop the services by going to the Windows Control
Panel/Administrative Tools/Services and stop it from there. Use Sysinternal's Process Explorer,
Knoppix. I could count numerous ways to disable this product. As for the service Absolute offers,
I've logged in twice in six months because I was wondering who was sending me those annoying
alerts, and I wanted to see exactly what information was being passed over to Absolute's
databases.

Sysinternal Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Breaking Computrace's Lo Jack for Laptops J. Oquendo ... - Cryptome:  http://cryptome.org/lojack-hack.pdf

See also: Researchers find insecure BIOS 'rootkit' pre-loaded in laptops
http://www.zdnet.com/blog/security/researchers-find-insecure-bios-rootkit-pre-loaded-in-laptops/3828

See: http://helpdeskgeek.com/windows-7/windows-7-hosts-file/ for help on editing the Windows hosts file.

You can read an account here of how one user managed to modify his BIOS to remove computrace from it:
http://www.freakyacres.com/remove_computrace_lojack

WARNING: ATTEMPTING THESE PROCEDURES COULD RENDER YOUR MACHINE UNUSABLE.

Quote
    And last, I'd like to beef this computer up with as much security as I can. I've downloaded TrueCrypt and downloaded it to my USB stick, and when I installed it I was fucked up, so I'm gonna have to go back and read it all over again, but it says my USB stick is mounted. I wanna do the option where there's an inner and outer system running, but when I went to do it, it needs a CD, so I'm going to buy blank discs tomorrow.

    I'd like to put a whole different OS on here, such as Linux Ubuntu, but I'm not sure if that's right for me. So if someone could help me get my laptop fully secure I'd be grateful, and when I reload coins I will throw you a little money. I've got a couple of nice USB sticks: one is a Kingston but only 4 GB, then another is 8 GB.

    So with that said, help is needed. Thanks SR fam... I'm 'bout to go look into Liberte and Tails now.

If I were in your shoes, I wouldn't dual-boot; I'd install a KDE-based Linux distribution such as Mepis. Mepis is oriented towards Windows refugees, so you shouldn't find it too much of a learning curve.

LoJack depends on Windows -- if Linux is the primary OS, then the LoJack Agent won't know how to talk to it. You could always run Windows in a virtualbox instance, so you could effectively have both OSes running at the same time.
Linux can be set up to use the full-disk encryption package LUKS at the time of install. This means that the entire disk, with the exception of a small boot partition, is encrypted and unavailable without entering the passphrase to decrypt it.

See: http://distrowatch.com/table.php?distribution=mepis

NC
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: SelfSovereignty on January 05, 2013, 12:12 pm
Now *that* is how you exhaustively answer a question... :)
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: AnonymousAddict on January 06, 2013, 04:12 am
Thanks guys for all your tech support.

I have an 8 GB thumb drive, that's the biggest USB drive I have. Can someone point me to a site where I can download a Linux or one of those other OSes to download to the USB so I can dual boot it?
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: Nightcrawler on January 06, 2013, 04:24 am
Quote
    Thanks guys for all your tech support.

    I have an 8 GB thumb drive, that's the biggest USB drive I have. Can someone point me to a site where I can download a Linux or one of those other OSes to download to the USB so I can dual boot it?

For greater security, you would be better off burning the appropriate .iso image to a DVD, and booting from that. Remember that Windows keeps a log of all USB devices which have been connected to the machine; this would include any USB sticks that have alternate OSes on them.

Here are the download URLs:

32-bit
http://distro.ibiblio.org/mepis/released/SimplyMEPIS-1.5G_11.0.12_32.iso

MD5 hash of iso image
http://distro.ibiblio.org/mepis/released/SimplyMEPIS-1.5G_11.0.12_32.md5sum

64-bit
http://distro.ibiblio.org/mepis/released/SimplyMEPIS-1.5G_11.0.12_64.iso

MD5 hash of iso image
http://distro.ibiblio.org/mepis/released/SimplyMEPIS-1.5G_11.0.12_64.md5sum

NC
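
The USB connection log mentioned in the post above is a standard forensic artifact. As an added example (not part of the original thread), this Python code extracts USB mass-storage first-install records from text laid out like Windows 7's setupapi.dev.log; the sample lines, device names and serials are constructed, and the function and field names are hypothetical.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample in the layout of a Windows 7 setupapi.dev.log
# (assumed location: %windir%\inf\setupapi.dev.log). Devices and serials are made up.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0014780D8CE5B9A1&0]
>>>  Section start 2013/01/04 06:18:41.512
     ump: Creating Install Process: DrvInst.exe 06:18:41.527
<<<  Section end 2013/01/04 06:18:43.104
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1f3c4&0&2]
>>>  Section start 2013/01/05 09:02:10.003
<<<  Section end 2013/01/05 09:02:11.220
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1b2c3d4e&0]
>>>  Section start 2013/01/06 04:30:15.250
<<<  Section end 2013/01/06 04:30:16.900
<<<  [Exit status: SUCCESS]
"""

# Any section header, e.g. ">>>  [Device Install (...) - <device path>]"
SECTION = re.compile(r"^>>>\s+\[")
# Section header for a USB mass-storage device: USBSTOR\<device id>\<instance id>
USBSTOR = re.compile(
    r"^>>>\s+\[Device Install \([^)]*\) - USBSTOR\\"
    r"(?P<dev>[^\\\]]+)\\(?P<inst>[^\]]+)\]\s*$"
)
# Device id: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE = re.compile(r"^[^&]+&Ven_(?P<ven>.*?)&Prod_(?P<prod>.*?)&Rev_(?P<rev>.*)$")
START = re.compile(
    r"^>>>\s+Section start (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})"
)


class UsbStorageInstall(NamedTuple):
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]   # None when Windows generated the instance id
    first_install: datetime  # local time of the driver install, per the log


def parse_usb_storage_installs(log_text: str) -> list:
    """Return one record per USBSTOR device-install section in log_text."""
    records, pending = [], None
    for line in log_text.splitlines():
        if SECTION.match(line):
            # A new section starts; remember it only if it is a storage device.
            pending = USBSTOR.match(line)
            continue
        start = START.match(line)
        if start and pending:
            dev = DEVICE.match(pending["dev"])
            inst = pending["inst"]
            # If the second character is '&', the device reported no serial
            # number and Windows made up the instance id itself.
            has_hw_serial = len(inst) > 1 and inst[1] != "&"
            records.append(UsbStorageInstall(
                vendor=dev["ven"] if dev else "",
                product=dev["prod"] if dev else "",
                revision=dev["rev"] if dev else "",
                instance_id=inst,
                serial=inst.rsplit("&", 1)[0] if has_hw_serial else None,
                first_install=datetime.strptime(start["ts"], "%Y/%m/%d %H:%M:%S.%f"),
            ))
            pending = None
    return records


if __name__ == "__main__":
    for rec in parse_usb_storage_installs(SAMPLE_LOG):
        print(rec.first_install.isoformat(), rec.vendor, rec.product,
              rec.serial or "(no hardware serial)")
```
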
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: astor on January 06, 2013, 04:50 am
Nightcrawler, I'm curious as to why you chose MEPIS. Why not Tails, which comes with all the security stuff by default, including features like scrambling RAM on shutdown?
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: tor12345 on January 06, 2013, 10:01 am
I have a few laptop questions that are not worth their own thread.

1. Do laptops have GPS or anything in them?

2. If you buy a Windows laptop can you delete the OS and install Tails?

2a. Can you remove the hard drive that came with the laptop and just run off a CD/USB?

3. Is there anything else that could/should be done when turning a normal laptop into a SR only device?
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: Nightcrawler on January 06, 2013, 10:13 am
Quote
    Nightcrawler, I'm curious as to why you chose MEPIS. Why not Tails, which comes with all the security stuff by default, including features like scrambling RAM on shutdown?

I was assuming that he wanted an OS he could install to the hard drive -- if that is the case, then Tails is not suitable. That said, there is absolutely nothing stopping him from installing Mepis, and still running Tails if he wished to do so. One advantage to using Mepis (or other Debian variant) is that you can use LUKS (or loop-AES) to encrypt the entire HD, with the exception of a small boot partition. Even that boot partition can be left empty for greater security and, if the hardware allows it, the boot partition can be located on a USB stick or microSD card.

NC
Title: Re: Laptop Teq question! Need real teqs advice!
Post by: Nightcrawler on January 06, 2013, 10:22 am
Quote
    I have a few laptop questions that are not worth their own thread.

    1. Do laptops have GPS or anything in them?

I've never heard of one with GPS installed; that is usually left to tablets and handheld devices. That said, one still has to watch out for wireless signal triangulation.

Quote
    2. If you buy a Windows laptop can you delete the OS and install Tails?

Unless I am mistaken, Tails is not installable. It must be run from a CD or USB/microSD device. Wiping Windows off the machine is not a bad idea at all.

Quote
    2a. Can you remove the hard drive that came with the laptop and just run off a CD/USB?

Yes. That is what Jacob Appelbaum has done with his Apple laptop. Seeing that the machine has no HD has literally given Customs and LE officers fits. Just make sure your laptop has as much RAM as it can handle -- it'll work better that way.

Quote
    3. Is there anything else that could/should be done when turning a normal laptop into a SR only device?

I think that about covers it. 

NC