Using old PCs
May not be as stupid as it sounds. Rebuild it from a pressed disk with a standalone vetted and tested update pack on locked media then image it
onto a disk and lock it with a boot checksum once everything works correctly using the clock freeze mod to ensure that traps based on hitting a target
date can't run.
I have yet to see *any* malware that can defeat a mechanical switch and you can still buy 256MB SD cards which can be configured to boot
a reliable OS such as DSL or some variant of Ubuntu as a backup.
Incidentally watch out for the well known method of attacking a machine using the programmable chips in LCD panels and RAM, also network ID chip and
CPU microcode both in the motherboard controller and actual processor, also the USB ports can be configured with autorun turned off by default.
Mitigation: use chips known to be locked at the factory and read them using a few lines of debug code just to be sure.