Can Qubes protect users from a backdoor that resides in BIOS firmware and device drivers?

I appreciate your response. One thing I’ve noticed is that many people seem to suggest buying a second hand laptop. I’m wondering, can you tell why this is seen as being more advantageous than buying one brand new/out of the box? I’m not an expert at this stuff but I’ve learned a lot over the past years. I never like to assume I have all the answers as I know there are plenty of people out there who know more than I do when it comes to all of this. Anyway… I say this only to say that I keep an open mind and ask questions not to challenge your knowledge but to understand. All input is appreciated.

My concern is that I’m quite confident my old Mac was also infected (at the time there was no way for me to prove it as there wasn’t a lot of information out there. This was around 2015/2016/2017) I ended up selling that Mac online and knowing what I know now about the BIOS backdoor access and the inability to remove it, I feel terrible that I sold it to someone else who could then get spied on and harassed as well. I’m not saying this definitely happened, but we have to consider all the possibilities because if this continues to get out of hand, the future looks grim. Then again, if everyone is spying on everyone, that would at least level the playing field :wink: (I’m half kidding of course, I try to keep this light or I’d lose my mind)

Thanks again for your suggestions, and for hearing me out.

If you are personally targeted, then it’s extremely hard to infect every single laptop you might buy. If a random used laptop is infected, then probably all laptops are infected. This would be interesting for some security experts, if you can prove it.

1 Like

I’ve actually done this on a few occasions. You are correct, it is extremely challenging to listen to feedback because this is such a personal and deeply invasive way of stalking that it makes it very difficult to show another person all of the ways it is happening. And with the advanced tech out there today, it is nearly impossible to prove or point to the person I believe is targeting me. Much like @newbie I have zero interest in revenge or getting anyone in trouble, I just want my private life to be my own and not on display for anyone else. We all deserve that basic right. As for seeking help, I have reached out to Amnesty International, AccessNow, CitizenLab and Avast. Thus far none have been able to help me because I’m not a high profile person. To quote directly from an email thread with AccessNow:

“…terribly sorry for the delay. We are a bit short-handed at the moment with all that’s going on around the world, I hope you understand. I understand the urgency of the request. However, Helpline support is limited to members of civil society groups & activists, media organizations, journalists & bloggers, and human rights defenders. There is a vetting process involved with all potential Helpline clients. That’s why we’re asking those questions: Do you belong to any organization or group? If available, can you cite website links that show your work in the civil society space and human rights movement?”

I am currently working on finding a therapist to help me work through the mental health challenges that all of this has brought on.

It is an incredibly challenging thing to hold two realities: a. one that I believe to be true based upon my research and experiences and b. the outside possibility that my brain is tricking me.

The second one is hard to even type as it goes against my own true experiences and research outcomes and yet, because thus far I have not been able to definitively prove it, I maintain both possibilities in an effort to show that I’m of sound mind and still able to be objective. Thanks to all of the wonderful people out there working hard and sharing information, we are closer now to a solution than ever before, so I am hopeful! Also Qubes may be part of the privacy answer to bring me peace of mind. :sweat_smile:

Again, many thanks for your advice and suggestions. I appreciate you. I’ve done enough babbling for one day, and need to go handle other responsibilities now. Thanks again.

Ok, I can see your logic. That makes sense.

I am not a competent person by any means. But what I can tell you for sure is that my life got much easier when I stopped using the words “if” and “why” and started using “when” and “how to” instead.
Reading your posts, I am almost sure those awful words brought you here.
Just try. You’ll see, I promise.

This might be coincidence in combination with a perception bias. To be frank I would consider THC abuse in the first place.

Very likely.

Could you give one or two examples? Sounds interesting.

There is no way for an attacker to evade wiresharked network traffic. Dig into that topic. For starters: https://www.howtogeek.com/107945/how-to-identify-network-abuse-with-wireshark/

What has been reported in this thread is consistent with gang-stalking FYI.

For users like @unman who have a rational skepticism to what is reported here, that people will be disbelieved is by design. Its absurdity does not change its reality.

I think for this to be a productive thread, if it is going to stay on this topic, it would be best for more technical individuals to provide the best guidance / framework for how someone would log and report potential breaches. Self-reporting specific instances of issues, whilst I am aware they are real, is not constructive.

From a Qubes POV I do think you have an opportunity to find some significant vulnerabilities that are actively being exploited by these actors and so I would not dismiss it from the team’s POV as worth no attention.

Heads + Qubes + fresh hardware, verified ISO, etc. are not able to stay secure over time; what the point of compromise in the stack is, I am not sure.

For the others in the thread, it is better to give up on trying to create an impenetrable setup and move on than to continue trying to outmaneuver them when you are at such a technical disadvantage. In the modern era privacy is somewhat of an illusion anyway.

1 Like

THANK YOU. I have not heard of this term gang stalking. To be able to put a name to it is so helpful. And you are completely correct, though healthy skepticism is warranted, the best help the tech savvy people can provide is to stick to the technically inclined topics: anything regarding how to protect privacy or remove malware from the root, I’m all ears.

To be clear, gang-stalking is a set of beliefs that have been shown to
be linked to persecutory delusions.

I have spent some time investigating a number of such claims, and there
was neither evidence of the claimed events, nor evidence of anything
that might potentially result in such events.
By contrast, I have worked cases where we were able to identify
hardware or software that had been used to exfiltrate data. In almost
all of those cases the bad actors had set out to avoid detection. In no
case did they deliberately flaunt their access. (Actually there was a
case where a husband made it clear that they knew exactly what the wife
did, both online and offline, but that is rather different.)

I do not say that there are no cases of gaslighting (in the proper
sense). I do not underestimate the dangers of a surveillance society.
I have suggested some simple tests that could help identify locations or
hardware that might be problematic.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

Having seen this thread for a while I would like to warn others about making remarks about your capabilities. I would not divulge any job/work/capabilities experiences you have. Be aware that nation-state actors are looking to gain any foothold they can with your personal details, your experiences and your access to this project. On another topic, I’m surprised this thread has lasted this long; technical details the OP has provided: none. Any logs? Has anyone looked at this OP’s past posts? I would suggest this topic be closed.

Yes I did? Is your nick another alias, or this is indeed your very strong reason to make your first post here?

To sum up this marvelous thread: @newbie has been stalked by only one retard, but @nico is being stalked by an entire gang of perverts. :rofl:

Seriously, what makes you two that interesting? Why should NSA employees have to do overtime for you?

And while we are at it I would like to advise against the use of drugs once more.

https://journals.sagepub.com/doi/10.1177/0020764018801690

THC side effects are commonly underrated.

First this terrible interruption of supply chains, now the sock puppets are becoming scarce. These are desperate times. :wink:

I agree that the thread should be closed, it has wandered off-topic and is unlikely to generate any further Qubes specific value.

2 Likes

imo, my thread is not under user support, or bug fix category, that requires closing,
but under discussion category, which is in my opinion, as a discussion,
it can pause or continue at any time,

i saw freedom-roadmap in purism website that inspires me,
which makes me think that we are all on the same path,
Qubes, Purism, Insurgo, Heads, Coreboot, AOSP, FOSS, etc
all are on the struggle to freedom, privacy, & security.

In my opinion, maybe in this struggle, at least, we need 5 types of activists:

  • security expert, to do research & development,
  • educator / influencer, to educate people,
  • law activist, to fight for data privacy & protection laws,
    & prevent any laws that are against human rights.
  • supportive user; ie use, feedback, donate, etc
  • whistleblower to blow up, ie Snowden, or maybe, newbie like me, to speak up,
  • etc

so maybe, although i can only speak up,
but at least, i can share information with other activists,
ie. for expert to develop solution, or for educator as reference,
or for user to be aware about how important the security is.

Besides, my adversary has provoked, a lot of people, to watch my privacy,
which means, maybe they can see too, I’m writing this thread,
therefore, maybe can help to promote Qubes.

Also, by helping solve problems,
maybe we can also improve the knowledge, information, & the solution itself.

I skimmed the content of this thread and wanted to clarify a couple of simple things, following some random risk assessment, the cost of exploits to target random users and the normal paranoia when someone feels targeted, sometimes losing common sense (not attacking anyone here).

  • The easiest attack to see remote content of screen is binoculars, where having chain of exploits to obtain persistence to dom0 and grasp screen content and exfiltrate would make a user really targeted.
  • random mouse movements are normally a consequence of a Bluetooth mouse battery dying; precise movement with point and clicks is a totally different story, and filming those would be an interesting proof of anything. Most of the time, that lack of proof raises cynicism, for a reason. There is no way someone could not film those in 2022. And when that happens, cutting the network and having the behavior stop at the same time could be considered proof.
  • Qubes should not be able to write to system BIOS nowadays. Simply because writing to BIOS requires IO access that Qubes doesn’t have from qubes (the qubes have really limited access to real hardware) and where dom0 being compromised would also need to have access to SPI IO (that would be iomem=relaxed at the very least) or physical access, which would be more probable otherwise again talking about chain of exploits to gain persistence.
  • People mix a lot of concepts, including open source firmware and absence of binary BLOBS. On that I will be really succinct here, but there is no such thing with recent hardware that is open source firmware without blobs AND compatible with Qubes OS. Qubes OS is compatible with x86, and x86 requires ME/CSME+FSP on the Intel side or AGESA+PSP on AMD, without talking of blobs on SSD drives and graphics cards. I hear you being positive about freedom-roadmap, but it is important to differentiate marketing speech from reality and this is difficult to digest. There is user-ownable hardware (kgpe-d16 being the only one I know that can boot Qubes OS without any binary blobs in firmware nor co-processor nor AGESA) where other open firmware enabled hardware is not supported by Qubes (Talos II is such a platform, but has yet no Xen support). There is the G505s, but without TPM nor enough SPI flash space available and, to be honest, that laptop is rare to get one’s hands on. Outside that there is older hardware with open source firmware (everything natively initialized, like the ThinkPad X200 and similar) but those don’t meet Qubes requirements (no hardware isolation: vt-d2). So the point here, at least to me, is to raise consciousness on the state of the actual hardware being produced and sold, so that people can be angry (and take action) about that and start to realize that without a clear stance and demands, that will not happen out of the blue and new hardware will be less and less user-ownable, controllable, repairable and most importantly, auditable.

So basically, there are multiple ways to deal with this. Some have been covered here and in so many other threads of this forum. I will reiterate some:

  • Your vault qube’s KeePassXC doesn’t have to show on screen the passphrases that were generated. You could generate them and copy paste them without any visual of them ever being displayed. That is if your only threat is binoculars/shoulder surfing/recording and replay.
  • You could move around, hide yourself from plain sights and see if the threat is still present. Confirm that it is linked to a physical place or if it is linked to network access.
  • You should get a machine that permits you to own it yourself, learn how to flash that hardware and then externally verify the state of your own firmware and externalize proof of persistence.
  • Fresh install Qubes. Enable dom0 root volume snapshot on shutdown. Even multiple ones to keep multiple states you will be able to compare against from a filesystem content level. And report about them, and the content of scripts/binaries that were deployed without your consent.
  • Tightly monitor network traffic externally. “PCAP or it never existed” is still a valid saying even today. Having network traffic, even encrypted, while having only your vault VM open should be a real concern (that requires a bit of analysis and is not so easy to accomplish, but should be more than enough to show proof, outside of NTP traffic and repository related traffic from dom0 getting available updates from its defined updatevm).

Other than that, the only other path is to believe.
Believe you were hacked but not being able to prove it.
Or believing that by buying a new laptop you will be safer, for which UEFI proprietary firmware is the worst mess that ever existed in my opinion, and will protect you from your threat model.

Nowadays, firmware security is shifting toward attesting integrity of non-auditable blobs. Not really into open sourcing them anymore. Some open source EC controllers as part of their freedom-roadmap. Some continue to claim unattainable goals keeping their old roadmaps. But no-one can neuter ME/CSME, open source FSP/AGESA but AMD/Intel themselves, and they won’t.
I find this alarming, but to answer your OP question: Qubes should help protect users from backdoors that reside in BIOS and device firmware, yes. Even if Qubes can protect users against themselves, if you pass along untrusted content between computers, and execute/read such content in trusted environments, there is always a risk that some passed content that exploited vulnerabilities in those trusted qubes can one day land where it shouldn’t. If you leave your computer unattended without having any security mechanisms in place to protect /boot and you are targeted, the lowest cost for an attacker is the evil-maid scenario. It is totally possible and quick to accomplish to replace /boot’s kernel, xen and initrd files, as easy as it is to modify the grub.cfg configuration to break the security defaults Qubes offers, and even have something there that would get persistence on first run to compromise dom0. That would be, to me, the easiest way to compromise a target’s system and bypass Qubes security mechanisms: compromise the Qubes boot process through physical access to unencrypted /boot content. Low cost, effective to gain persistence on the next successful boot, compromising even the qubes root volume (dom0) even after Qubes dom0 updates that would eventually remove tampered binaries, if those are not measured/verified prior to being executed.

2 Likes
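A way to act on two of the points above (comparing dom0 root volume snapshots at the filesystem content level, and checking that /boot’s kernel, xen, initrd and grub.cfg have not been swapped out), as an added example that is not from the thread or from the Qubes project: a POSIX shell script that builds a sha256 manifest of a directory tree and diffs two manifests. The trees it creates are constructed stand-ins for a baseline and a later copy; real use would point it at a mounted snapshot or at /boot and keep the baseline manifest off the machine.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): sha256 manifest of
# a directory tree, plus a diff of two manifests that reports what changed.
# Assumes file paths contain no whitespace (true for /boot and typical root
# snapshots) and that sha256sum from coreutils is available.

# Print "sha256  ./relative/path" for every regular file under $1, sorted.
# Run once against a known-good tree (or a root snapshot) and keep the output
# elsewhere; later runs are compared against that baseline.
tree_manifest() {
    ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# Compare baseline manifest $1 with current manifest $2.
# Prints one line per finding (ADDED/CHANGED/REMOVED path), sorted, and
# returns 0 only when the two manifests describe identical content.
manifest_diff() {
    findings=$( { sed 's/^/B /' "$1"; sed 's/^/N /' "$2"; } | awk '
        $1 == "B" { base[$3] = $2; next }
                  { cur[$3]  = $2 }
        END {
            for (p in cur) {
                if (!(p in base))           print "ADDED " p
                else if (base[p] != cur[p]) print "CHANGED " p
            }
            for (p in base) if (!(p in cur)) print "REMOVED " p
        }' | sort )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: a stand-in "baseline" /boot and a later copy in which
# grub.cfg was edited, an unexpected file appeared and the initrd is gone.
# Prints the temporary directory that holds both trees.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/base/grub"
    printf 'constructed kernel image\n'   > "$root/base/vmlinuz-5.10"
    printf 'constructed xen hypervisor\n' > "$root/base/xen.gz"
    printf 'constructed initrd\n'         > "$root/base/initrd.img"
    printf 'set timeout=5\n'              > "$root/base/grub/grub.cfg"
    cp -R "$root/base" "$root/new"
    printf 'set timeout=0\n'             >> "$root/new/grub/grub.cfg"
    printf 'constructed extra file\n'     > "$root/new/unexpected.sh"
    rm "$root/new/initrd.img"
    echo "$root"
}

# Walk-through: baseline the sample tree, then check the altered copy.
demo() {
    root=$(make_sample)
    tree_manifest "$root/base" > "$root/base.sha256"
    tree_manifest "$root/new"  > "$root/new.sha256"
    manifest_diff "$root/base.sha256" "$root/new.sha256"
    status=$?
    rm -rf "$root"
    return $status
}

demo || echo "manifest differs (exit status $?)"
```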

@Insurgo thanks so much for your advice & information

if new hardware becomes less & less user-ownable, controllable, repairable, & auditable,
then what will be the future for Insurgo, Purism, Coreboot, Heads ?
what a pity if all the hard work becomes useless.

i use my laptop alone in my room, facing windows,
other sides are wall and cupboard,
checked many times, & could not find any binocular devices.

how about supply chain attack ?
in your opinion, is it possible that, compromised supply chain,
is able to give us, compromised version of Heads & Qubes,
while we download them, from the correct source on the internet ?

But i had authenticated & verified, Heads & Qubes, before flashing / installing.
Although i read in Qubes documentation, saying that compromised device,
can give us correct authentication & verification, even if it is compromised.

if we have used Heads, can we be confident that,
there are no firmware backdoors anymore in the motherboard ?

last time i read in Coreboot mailing list,
saying that firmware can establish ad hoc connection,
with other firmware in other devices,
until it can find device with internet connection,
which is connected to other network,
then send data to internet via covert channel,
in your opinion, should i consider this vector since i have used Heads ?

I use network monitoring apps, such as net analyzer, network scanner, fing, etc,
to monitor modem, so i can see all devices currently connected,
then, when i disconnect my Heads Qubes laptop,
i can see that my device naturally disappears from the modem.

then i put all other devices inside signal blocking bag,
so now only my Heads Qubes Laptop & router modem,
then i disconnect laptop from wifi, & use vault VM, with no net VM,
to type several things,

but still they can see everything,
so i really cannot figure out where is the gap / backdoor,
do you have opinion, what can be the gap / backdoor ?

thanks a lot

@Brainhack @unman thanks a lot for your suggestion

if i understand it correctly, maybe, in short,
you suggest that I hide from supply chain attack / man in the middle attack ?

but in my opinion, we should be able, to find a way,
to protect ourselves, from supply chain attack, without hiding,

because, if we have to hide, from supply chain attack,
then how do Purism, Insurgo, & Qubes developers, etc, also their server / repository,
protect themselves from supply chain attack, in their development process ?
Assuming that everyone involved, in the development,
are working remotely, or maybe not at the same location,

in example,
Librem & Insurgo also need a supply chain, to download Qubes & Coreboot / Heads,
Qubes developers also need a supply chain, to download / deliver their work to the server / repository,

Maybe by using authentication & verification,
we can protect system from supply chain attack,

but i read in the Qubes documentation,
saying that the compromised devices,
also can give us correct authentication & verification,
regardless the fact that it has been compromised.

Also, many famous people (ie. artist & politician), who cannot hide,
since everyone involved in the supply chain, also know them, wherever they go,
how do they protect themselves from supply chain attack ?

before, i had tried to keep it simple, similar to what you suggested,
but then people naturally asked me, “how ”, “elaborate”, etc.
Therefore, since it has happened several times,
so now, i elaborate first, before being asked,

because, big possibility, that new computer,
will not be compatible yet, with coreboot / heads & qubes,
2 main solution for privacy & security,

also, the price of new computer is much higher,
& there is no guarantee, that it can survive from targeted attack.
So, i cannot waste, a lot of money, for something that is uncertain.

Besides, my income is not in a good shape,
because, i cannot allocate, all free time, energy, & focus,
on anything related to my job,
since, they have flooded me with problems & trouble,
for almost 5 years, since 2018,
& the digital privacy invasion itself, since 2020.

yes, does anyone know the name for this kind of attack ?

sometimes, i have the same assumption too,
but not sure how to describe it,
since maybe it cannot be categorized as,
side channel attack, covert channel attack, nor supply chain attack.

i know there is term “near field communication”,
but not sure, whether there are attacks using NFC,
also, maybe not all devices can do NFC.

i read too, that it is technically possible, for firmware, in one device,
to establish ad hoc connection, with firmware in other devices,
until it can find device, with internet connection,
then use it, to send data to internet, via covert channel.
So maybe, it is a combination,
between secret adhoc network & covert channel attack.

But, since i have used Heads,
then maybe we can eliminate this vector,
but, Heads still require ME,
also, there are other firmware in motherboard,

yes, correct. in my opinion, nobody has time for revenge.
both my adversary and i have wasted a lot of time, for not sure what reason.
rather i give them chance to fix mistakes, if they are okay, i just want:

  • give me back my privacy, to all of my electronic devices, which is basically my right, but definitely they have to tell me what backdoor they use to invade, so that i can apply solution. they can easily use any anonymous name & share in this thread for example.
  • stop stalking me either digitally or real life.
  • complete explanation what, when, how, who, why they do this to me
  • compensation for all the disadvantages they have caused me for almost these 5 years

but apparently they don’t want to, it looks like it will be very hard for them,
if they can give me the 1st one only, actually that is good enough already,
although the rest also make sense, in my opinion

@newbie why do you say this? Think this is on-topic but :confused: