Criminal cases involving Qubes systems in evidence?

Over the last fourteen years I’ve been working in the weird intersection of politics, intrusions, disinformation, journalism, whistleblowers, and the like. I did a couple of years working for a device forensics expert witness who got cases from the federal public defenders.

During that time there were several instances where Tor users got had due to the “network investigative technique” - an 0day in Firefox that was carefully guarded and it was functional for law enforcement last I knew. I read every indictment for stuff related to Anoynmous in the 2011 - 2012 time frame, in particular Jeremy Hammond’s paperwork got me to switch from wifi to ethernet cables and homeplug.

I would like to know if there are any U.S. criminal cases where a Qubes system was involved. I want to read detailed criminal complaints, search warrants, and so forth. The are legal as well as technical procedures that must be followed.

Installing and running Qubes, getting your hut bulldozed by feds and losing your gear, and being ready to defend yourself with little to no access to your systems are three increasingly difficult levels of the game. I keep track of my work in an organized fashion, I backup regularly, one copy goes to an attorney, the other goes to a really uncooperative jurisdiction … this is how things are, when one has filed a stream of well founded OIG complaints against a certain FBI field office that coddles right wing extremists.

Open posts are fine, neal at rauhauser dot net is a Protonmail account, and if sterner security measures than that are required before I get to hear about things, feel free to specify the method.


I’m sure we would all like to know this :stuck_out_tongue:

I’m sure there would be at least one instance of law enforcement somewhere in the world seizing a Qubes OS machine, but whether or not they were aware that it was running Qubes OS before they executed the seizure, or if they just happened to seize “all computers at the property” and came across a Qubes OS machine; is unknown…

I myself am not aware of any instance where that fact was publicised, or even tendered as evidence in a court ledger.

To be honest, I can’t see why it would be necessary or relevant to tender the actual operating system running on a machine where evidence was found. Courts generally wouldn’t need to know that information in order to get a conviction…

I have a feeling that’s why we don’t have this information readily available :slight_smile:

The most I have had happen to me is Qubes OS laptops taken away from me at international borders, and then returned to me, but I have never had any machines seized as part of a warrant or anything like that.

But then again, I don’t really get up to anything like that sort of thing in my daily life :smiley:

1 Like

I did a stint working for an expert witness and we got cases from the federal public defenders. There were a variety of them that involved Tor.

Qubes does seem to draw a more disciplined class of operator, the Tor cases were invariably CSAM (child sexual abuse material).

There are a LOT of details in search and seizure, knowing them is the difference between laughing at a prosecutor or being forced to take a plea deal over obstruction. If you’re at a U.S. border crossing you are in a gray zone, there are rights someone familiar with U.S. laws would just expect, which may not apply there.A procedure which is defensible within the U.S. may turn out to be problematic.

As an example, can you be made to give the decryption key for your drive? Last I knew biometrics were a bad move, unless employed in conjunction with some other measure. You generally can’t be made to give up something you know, but something that you are (fingerprint, retina, etc) is absolutely fair game.

I took a moment earlier to scan the front page of the Washington Post. All in all, I think things here are about to get ugly. Preparedness is a must.

1 Like

Based on my limited understanding of the Canada-US border, yes. Also related:


For what it’s worth, I found this affidavit:

It describes how a software engineer created a Natrual Language Processing (NLP) program that, presumably, NSA agents could put classified documents through, and it would auto-redact whatever the NSA wanted to withhold before tendering it as evidence in court.

Page 7 mentions “Whoonix Qubes”, but it clearly says that it’s a fictional example :stuck_out_tongue:

So, they are definitely aware of the existence of Qubes OS, and probably do allocate resources to researching zero-days.

But this goes back to my initial post of the relevance to a court case of the fact that a computer had Qubes OS installed.

To a court, CSAM found on a Windows computer surely would be the same as CSAM found in someone’s Qubes OS vault Qube. Therefore, I can’t see any reason why prosecutors would go out of their way to tell a court that an accused was “using Qubes OS”.

I don’t see how it would further their case…

Or am I wrong?


Results were Martin R. Peck ( claimed that he is the original author of the text that mentioned the EGOTISTICALSHALLOT NSA exploit and that it was a purely made up fictitious example of his own thinking.


It would give Qubes OS notoriety mixed with FUD, just like how the Tor Browser is perceived by the masses as associated with illegal activities, or how encryption is only used by criminals, etc.

A point to note, Qubes is essentially a Xen OS. So any exploit in Xen (and Linux as the main entry point from the VMs) give a pwned scenario.


Roark was a whistleblower, a Congressional staffer involved in NSA oversight, that has some connections to J.K. Wieb, William Binney, Ed Loomis, Thomas Drake.

Roark litigated for the return of her personal computer system, which was seized in the context of a classified leak investigation. She eventually got an admission that there was no active case against her, but the government does not believe she has a right to the return of the full system. The final order does indicate that she would be allowed to have all email that the NSA did not find to be related to classified material.

Peck has some capability in the area of natural language processing, but he would not pass a Daubert hearing, which is required to be recognized as an expert witness. His affidavit proposes that he will create NLP software that the NSA must use in place of the own existing expertise(!) when it comes to determining what is and is not classified among Roark’s documents.

So … as an aside in that absolute non-starter proposition, from a non-expert witness, on behalf of a pro se litigant, Peck mentions Qubes, but in an entirely hypothetical scenario.

If I were ask to contrive a longer string of “dots” that “connect” things I’d have to sit and think a bit. If this is the only known mention of Qubes in court filings, the system remains invisible.

What I would like to see are search warrant applications, detailed criminal complaints, and so forth, from the government’s perspective. Then for the interesting ones in that set I’d want to see what 4th Amendment issues the defense has raised.

Trying to state this in English … Qubes is a tool, like a giant pair of channel lock pliers. The interpretation of the tool is based on context - it’s a nonevent in a construction guy’s tool box, but it’s evidence of criminal intent if found in the back seat of a guy who’s already a convicted burglar. There are things Qubes can do that are simply prudent security measures, but I bet there are capabilities that would run afoul of Title 18 § 1512(c)(1).

(c)Whoever corruptly—

(1) alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object’s integrity or availability for use in an official proceeding; or

Qubes is really good in the avoiding seizure and protecting data after seizure. I have seen nothing related to defending after the fact in the context of the U.S. federal courts, which is what I am seeking.

1 Like

Not all Xen exploits affect Qubes: Xen security advisory (XSA) tracker | Qubes OS

1 Like

That is true, thanks for clarifying.

1 Like

In relation to seizures, and the subsequent forensic analysis. It is my understanding that disk encryption, not the OS is the key defense.

Opal I understand is likely compromised by the NSA in most if not all configurations and LUKS remains secure to anything short of a brute force attack, so high entropy passwords are key.

Is there some other way a Qubes vault protects data at rest in a seizure?

1 Like

Not as far as I am aware.

When I have things that truly can not be seen, they used to end up in Veracrypt, but I’ve staged using age, which is tiny and very slick once you figure out the slightly odd command line argument conventions.

The drive encryption itself is a fine start, but there’s no reason to have an all or nothing setup. And if you’re a total dick (I am), you whip up some containers full of screen shots from cat facts, and encrypt with with a passphrase made by concatenating the SHA256s from four or five words, but you pick one or two pairs of hex digits to swap. Easy for you to recall if you must, but awful for anyone wanting to brute force it. And if you do get compelled to open them … lol cat facts.


Actually, I was about to post a question on: “Nested Encryption.” Which sounds like what you are talking about.

The part that is really unknown to me is how the inner encrypted containers, (folders) might be revealed (passwords or otherwise, like software likes to sync data to somewhere else) because of something in the Qubes OS.

Although there is also third party software that, might give me up. Such as; Several years ago a update in Thunderbird included a feature where, while I was creating an email that was to use the Thunderbird feature of PGP encryption, for end to end encryption. Thunderbird tried to help by storing an draft of the email, with no encryption, somewhere Thunderbird developers had created. Yes, that problem was fixed a long long time ago. But it should be a warning that any third party software can suddenly be improved, and give out data/ text/information I intended to keep to myself.

1 Like

When I ask myself if I were a criminal, would I use Qubes? Probably not. I’d probably use some other method. Depending of how big shark I was, the range would be from not using computers and phones at all to amnesiac systems with encrypted cloud storages that couldn’t be related to me.

Since I’m not a criminal, this might sound naive though.

1 Like

I probably surprise you, but many criminals use Qubes. Even more use Tails. It depends not on what OS is more secure but on which one is easer to use. So that’s why Tails use more than Qubes. But as I understand “big sharks” most commonly use Qubes. But it depends more on how skilled that “shark” is. Qubes scared off many because of its apparent complexity.
And honestly, you guys think too much about the criminal world. In fact, it’s often more prosaic and yet it works. And you probably would have done a good job with cyber security if you tried to do something like this. Most people there are caught not because of any digital security holes, but because of mistakes made IRL. But it probably also depends on the country. It is funny, but it is possible that in the post-Soviet space, criminals try to be more skilled in cyber security, while the law enforcement agencies of those countries have a much smaller resource to fight criminals in the cyber space. I think big role here plays paranoia nurtured by the Soviet Union.

1 Like

That was indeed a problem with email. The age interface is simple and I keep things in my head, so as long as I don’t lose my mind it’s probably safe.

1 Like

Based on my experience, “disagreeing with wingnuts” is a crime in the U.S. :slight_smile:

If one is a big enough source of embarrassment there absolutely WILL be some sort of effort to criminalize something that you did. Look at what’s happening to Hunter Biden - a fool with a drug problem, but nobody else is being prosecuted for the sorts of things he did.

So … not everyone who worries about 4th Amendment issues and Qubes is a criminal, but we all need to proceed from a worst case estimate.


I imagine. But, I can’t see relation between disagreeing with wingnuts (no idea what it was, since English is not my first language) and securing my computer? Proofs of disagreeing? As I said, then I wouldn’t disagree from my computer, most probably. Actually, would never use the same computer to disagree twice.

Anyway, I would value was my disagreeing worth of my peace of mind (put here all basic human needs including security of my family).

1 Like