Can Qubes protect user from backdoor, that resides in BIOS firmware and device driver?

just additional information from wiki

ME has full access to memory (without the owner-controlled CPU cores having any knowledge), and has full access to the TCP/IP stack and can send and receive network packets independently of the operating system, thus bypassing its firewall.

@sven Exploiting ME is not limited to nation states. Multiple exploits have been and are constantly discovered by various researchers. I know of 1 currently used in the wild atm.

@newbie, if you do not have iME neutralized simply use Nighthawk or something similar to check your system integrity. Also, if you are not involved in anything an APT group may consider problematic, then it’s unlikely you are being targeted. Who is this person posting social media post identical to your dairy in your VaultVM? Someone you know? Unlikely someone, who has the resources to compromise all your systems, would simply do it just to troll you.

I have been compromised several times using QubesOS, but i am also designated as an aggravated activist. Although, i always assume my daily systems are compromised, without system integrity checks i would feel a bit butt hurt.
Everyone who thinks high value targets can’t easily be compromised if they use QubesOS as their daily driver, needs to check themselves, before they wreck themselves.

Like how? Is it remote exploit? I’d like to have some evidence

How exactly?

2 Likes

The one used in the wild atm is a local exploit (not to be confused with physical) of the AMT, so unless you have not neutralized ME and have AMT enabled (Which you actively have to do), I would not worry about that one.
If you are simply just looking for evidence for various remote, local or physical ME vulnerabilities just look at Intel’s security center advisories for known vulnerabilities. There are several ME vulnerabilities made public every year.

As to how i have been compromised, it would be bad opsec to reveal, given that i am still ‘dancing with the devil’.

Oh come on. If you want, you can describe the attack vector without revealing yourself. At lest vaguely, to give us some idea.

If my systems get compromised, I promise to publish absolutely every bit of it.

2 Likes

While I can understand your point here, if there is genuine evidence of this I would urge you to raise a security issue.

2 Likes

But please do not send anything to the official Qubes Security Team unless you can demonstrate an actual security vulnerability in Qubes OS. That email address is intended for responsible disclosure by security researchers and anyone else who finds a legitimate security vulnerability. It is not for anyone who suspects they’ve been hacked.

1 Like

wild atm

what do you mean by wild atm ?

the accurate reason, why i’m being targeted ? i don’t know
since i think i could not answer, on behalf of my targeter.
i know assumption and opinion only, why they target me.

as for myself, i think the attack vector is NSA-tier.

i remember, one day i created new appVM + firefox + gmail + evernote
evernote is a simple cloud storage for notes.

because i forget my evernote password, so i need to reset, and get the temporary password from gmail.
i use a combination, of human readable words, to create no meaning sentence, for password.
then the targeter troll me, by posting my password, exactly the same, somewhere they sure I can see.

it happened 2 times, but the second time, i reset microsoft password, on my macbook.
Macbook + chrome + gmail + microsoft. Then they troll me the same way.

I read somewhere, that actually a website, can read password, we input, on another website, on next tab of our browser.

So, maybe the gap is also the next tab website.
Or also, since I have experienced NSA-tier backdoor many times, also I can assume it is NSA-tier.

My suggestion, the secure login, would be:

  • disable ME
  • vpn
  • always create new app VM, before login
  • always strong password + 2 factor authentication
  • don’t open another website at the same login VM

also, maybe another suggestion, i think that, most people, who decide to use Qubes, mostly are being targeted, or also stalking victim, since he is being targeted digitally, it means, the targeter also can see, whatever he posts in Qubes forum, so the targeter maybe dislike, and polluting the thread, but i worry, they also dislike and target the expert here. so if I can suggest, really we should focus on blocking the NSA-tier backdoor.

@Sven if not mistaken, your system is X230 + CoreBoot + Qubes ,
which is the same as Insurgo X230 privacy beast , isn’t it ?
so, can we consider yours as Insurgo ?

if you have disabled and neutralized ME,
then why did you say, a nation state still can spy on you ?

actually, it is a new term for me, “nation state”.
I search about nation state actor,
Nation state actor is a hacker, who works for government, and being tacitly supported by Government.
Is this what you mean by Nation State ?

Seriously?

How about installing surveillance equipment in your home? What OS does your phone run? What other internet connected devices are in your environment? Do you live in an apartment? Who are your neighbors?

Got any new friends recently? Do you ever get drunk? Do you always have eyes on your computer?

If a guy an the street pulls you in a corner and starts beating your stomach… how long until you tell him whatever he wants to know?

Basically: xkcd: Security

But also: xkcd: Authorization

2 Likes

If you’re just wondering about the term “nation state”:

In a more general sense, a nation state is simply a large, politically sovereign country or administrative territory.

In the context of cybersecurity, it basically means an adversary with big-government-level power and resources. Some people hold the view that if such an adversary is determined to get to you, there’s practically nothing you can do.

How about installing surveillance equipment in your home? What OS does your phone run? What other internet connected devices are in your environment? Do you live in an apartment? Who are your neighbors?

oh, you referred to other factors outside the laptop,
okay, i thought you still refer to the laptop.

it basically means an adversary with big-government-level power and resources.

i see, so nation state actor means, government support hacker and its resources.
in my case, I’m not sure what resources are being used.

but, even if it is nation state actor, IMHO,
it’s not something hard or difficult, for something like this to happen,
because logically, these resources must have many employees or inside persons,
maybe, someone with money & connection to inside can make it happen.

Some people hold the view that if such an adversary is determined to get to you, there’s practically nothing you can do.

I refer to one of the Snowden’s interview, he said that, surveillance is about power.

so, if someone illegally access our property, disclosing and spreading our personal information, and put us under surveillance, then IMHO, the intention is to have power and control over us.

Some more, if they use the disclosed personal information, to troll and bully us, also the intention is the same, which is to have power and control over us. I search, bully is also about power.

So, even if nothing we can do, but when someone put us, in this kind of situation and condition, then IMHO, we still have to find a way to do something, because this is not how we treat human being, and not the right thing in humanity.

Let me share, my personal understanding, about the “reason”, why I am being targeted.

I remember, that my adversary, sent and send me many hidden messages,
that if I didn’t perceive it wrongly, actually they are trying to justify,
that their digital privacy invasion, is merely just a prank.

What is my pure intention, with this post ?

  • for everyone to learn, & to have a correct mindset, whether digital privacy invasion = prank ?
  • for anyone, to not be fooled, if your adversary, trying to use prank, as justification.
  • for anyone with capacity & resources, to not accept “prank”, as a reason, to invade someone’s privacy & security.
  • for anyone and me to give opinion.

What is NOT my intention, with this post ?

  • to attack / revenge / argue with my adversary, if they read this post
  • therefore I will never mention any name, so no body will be disadvantaged.
  • so please kindly, don’t focus on the word “adversary”, but on the word “prank” & “digital privacy invasion”.

Can we consider, digital privacy invasion, as just a prank ?

Even if it is a prank, it doesn’t mean that all prank, are valid / legal / acceptable / tolerable.
Some prank are invalid / illegal / unacceptable / intolerable.

Especially in my case, it doesn’t happen once, or twice only, but it has happened everyday, for more than 1.5 years,
and it has consumed my free time, for more than 1 year, to struggle with everything related to privacy and security.

Imagine, someone illegally access my Laptop & smartphone, then stalking and watching everything I do,
also accessing my mic and cam, to listen and watch all my activity,
then they use the disclosed information, to troll and bully me, to manipulate and fool me, to roast me,
and to purposely misunderstood and frame me, then flood me with offensive and intrusive sarcasm,
also doxing, and gas-lighting, then unethically communicate, also unethically interfering my business, and so on,

and they don’t do it alone, but secretly inviting more and more people to do the same thing,

and it doesn’t happen once, or twice only, or 1 day, or 2 days only,
but it has already happened for almost everyday, for around more than 1.5 years.

And I have suffer many disadvantages,
time, energy, money, emotional, mental, psychology, life, privacy, security, social life, and so on,

Then they just simply, consider it as, just a prank.

In my opinion, how come continuous illegal access, and information disclosure,
followed by many evil and unacceptable action, as described above,
to this level, and to this length of time, and still happening,
can be simply understood as a prank.

What worrying me more is,
in case my adversary, is really a nation-state actor,
or maybe inside person, of important government resources,
then how come, they can be easily manipulated, by trivial reason, such as prank.

If trivial reason, such as prank, can be used, as a valid acceptable reason, to access someone’s backdoor, then does it mean, we can simply, just random choose any reason, to access someone’s backdoor, i.e. surprise, concern, suspect, insecure lover, curious friend, die-hard fan, etc, in that case, what will happen to the future of humanity.

I wish that, technology can get better, not only in performance,
but also in protecting our privacy and security.

Now, let me share, my opinion about, the difference between, spying and guarding,
in case the adversary, is using guarding, as an excuse, to justify spying.

Another reason, why they target me,
which I try to understand, from their many secret hidden message,
is because, they want to be my guard, or to guard me.

I don’t know, what make them think, that they have a right, to be my guard.
Some more, accessing backdoor illegally.

In my opinion, we can guard, what belong to the public.
That’s also limited, only if we are part of the public.

But, we cannot enter someone’s private property illegally,
and then secretly guarding everything inside.
Some more, illegally accessing all the backdoor, of all of his electronic devices.

That’s hard thing to understand, other than excuse, to justify spying only.

Now then, what are the differences, between spying and guarding …

Who own the property ?

  • In guarding, the property belong to the subject, the property owner.
  • In spying, the property does not belong to the subject (the spy or the adversary).

How does someone guarding something, that does not belong to him ?

How does someone guarding something, by invading their privacy, and violating their right ?

What is the responsibility ?

  • In guarding, to secure the property from adversary.
  • In spying, to disclose information from the property, then reporting to the adversary.

How does someone guarding something, if he is the adversary ?

How does someone guarding something, by disclosing information to the adversary ?

Who delegates responsibility ? And to who ?

  • In guarding, property owner delegates responsibility to the guard.
  • In spying, adversary delegates to the spy.

Who is the threat ?

  • In guarding, property are secured from any threat model by adversary.
  • In spying, adversary are the threat.

How does someone guarding something, when he is the threat ?

Who reports to who ?

  • In guarding, The guard reports to the property owner.
  • In spying, The spy reports to the adversary.

How it is called guarding, if the report doesn’t go to the property owner ?

What is the motive or intention ?

  • In guarding, the motive is security.
  • In spying, the motive is to disclose information, and to find the security gap within the property.

So, actually, there are big differences, between spying and guarding.

The only true privacy is in your mind (upon certain axioms, that is).

If you want to store state secrets on your devices I suggest you do it in a manner that only you can decode.

Has this helped>? @newbie

P.S: I store state secrets in Google Keep.

hmm, it looks like, you missed my point,
because, my last 2 posts, are not about, asking for help, or wailing about privacy.
since, i have known the answer.
but I don’t mind either, if anyone has suggestions.

my point, is more about sharing experience,
because, rather than my experience become forgotten history,
i think, it would be better, to share it with people,
so that everybody can learn.

because, in my last 2 posts,
although we know that, they are merely just excuses,
but in fact, these excuses, have managed to manipulate many people,
so i think that, also cannot underestimate.

hmm, but since you mention about privacy, so let me share my opinion,
in my opinion, privacy and security are closely related,
because i think that, the purpose of security, is to protect privacy,
because, if security does not protect privacy, then what else it want to protect ?
and what i mean by privacy here are, i.e. laptop data, password, email, etc

1 Like