All good. 
Just be sure that dom0 is configured to block USB access (see the link above). I once et up a sys-usb VM manually and forgot to do that.
(again⌠for anyone wandering into this thread, donât do this if you use an external USB keyboard)
True⌠but iirc, it still exposes dom0 prior to login.
I have the internal bus with ribbon cables only in dom0, because I donât really have a choice (the motherboard doenât have a PS/2 interface). But all the external ports are in sys-net-usb.
My general stance on this is: A determined adversary with physical access to your device is GameOver⢠in most scenarios, via USB or some other interface. For example, TPM was shown to be bypassable with some ease, rendering AEM useless; not that AEM wouldâve kept them out since itâs for attestation, not gatekeeping. But you get my point.
The best you can do is erect as many obstacles as possible to make the window of opportunity smaller, but that works only if you assume they wonât outright steal your machine. Also donât forget that someone in a position to physically access your machine would likely be able to visit it multiple times, and you probably wonât give your machine a full inspection in between.
Basically, what applies to defending dom0 applies here: Securing the kingdom makes more sense than securing just the throne. Itâs best to keep the invaders outside the border/castle entirely, while you can still set some traps and alarms in the throne room as last resorts.
Especially enjoying @alzer89 and @necker 's inputs hereâgood to learn something new. There was a point in time when I agonized over hardware security and considered using USB locks or even putty, but it makes more sense to compartmentalize.
I thought built-in laptop keyboards and trackpads run on internal P/S2? This should be why they can be used before sys-USB starts.
I should probably call them âserial busesâ, because thatâs what they are (to be fair).
It depends on the device. Iâm sure thatâs the case with some laptops, but I can tell you right now that that is NOT the norm with Apple hardware (and a few Compaq models that seemed to add two RS232 ports on the same bus as the internal keyboard, trackpad, and ânippleâ joystick)
And Apple hardware⌠
You get more than the internal trackpad and keyboard in the same serial bus. They throw in the ports, the Bluetooth module, SD card reader, the webcam, and in some modesl, an IR sensor in the same bus, making USB passthrough very difficult.
I donât know this as a fact, but I wouldnât be surprised if any Apple hardware had the keyboard and trackpad on its own dedicated serial bus, with no other devices. (Iâd love someone to correct me on this, because if there is such a model, Iâm buying one!).
Well, I suppose in the GPD Win Max itâs a de facto PS/2. In any case, theyâre serial devices. They just happen to be on their own dedicated bus, separate from the USB ports, which is quite handy in making a usb qube. .
Not necessarily. This only appears to be the case if you instruct Qubes OS to remove them from dom0 at boot, and this doesnât appear to be the default (at least, not on my machines, anyway).
Most BIOSes wonât disable ports unless you tell them to. This appears to be the case with most bootloaders too.
Then youâre left with the LUKS password prompt in plymouth / systemd, which could potentially be told to disable all ports before entering the password, leaving only the serial bus with the internal keyboard and trackpad active⌠(you just have to hope that you donât have defective hardware!).
I meanâŚit could definitely be done, but youâd have to weigh it all up in a lot more detail than I just did 
I read this as âcanâtâ instead of âcanâ. Apologies, that was an oversight on my part (Fatigue from a mental day at workâŚ). But it still has some interesting content, so I will leave it up.
Apologies @zara, we appear to have saturated your thread 
Iâd be concerned about that too in this senseâŚ
This sounds like something similar to the CAPTCHA concept, which would be reliant on datasets to detect âbot-likeâ behaviour.
Very good point.
sudo chmod -R -x /*
(DISCLAIMER: Donât do this. This is extremely cruel, and your victim will never forgive youâŚ)
What concerns me is that youâre at the mercy of whomever programmed, set up and configured the detection device/software in question. And they might not necessarily possess or have encountered the same traits as you (or your attackers).
Honestly, it still comes down to knowing your machine inside and out; or at least as best you canâŚ
I have several cheap USB hubs that I use to turn one USB-A port into several. In my experience, those pieces of âdumbâ hardware appear to be OK (for my purposes, at least)âŚ
Keeping a machine in a safe or locked case is, in my opinion, infinitely better (and cheaper) than exposing the ports. This is why server cases often have keys.
But I do understand that not everyone can do this, particularly for portable machines.
At the end of the day, you have to make your own decision about what works best for you, and no solution will ever be 100%-effective (otherwise this discussion wouldnât exist) 
.
Alright, now Iâll be the one accused of nit picking 
Short answer: You
Actually, if youâre worried about the default randomness settings Iâm fairly certain you can adjust the bot detection algorithms. Some info here. But if I were going to pay $249.00 NZD + shipping, Iâd try to contact Robert, or as the FAQ suggests Globotron, before ordering.
Nit picking starting⌠Do you really mean âstopâ or do you still mean âdetectâ?
Assuming stop, âit blocks hidden hubs so a flash drive cannot also supply keystrokes, and it blocks devices re-enumerating as a keyboard after first enumerating as something else.â qubes-users
âThe ⌠device requires a power cycle before a device class change is permitted - i.e. the user has to unplug it from their computer.â qubes-users
Iâm started to suspect you might want to set up a development environment to tune the detection algorithm. Make sure you have a JTAG adapter if you go this route.
Me too. And I really like that it supposedly âlocks its flash memory on startup to avoid a badUSB device permanently compromising one side of the firewall.â qubes-issue #2518
Personally, I think âsecurity vs convenienceâ tradeoffs are usually made based on individual threat perceptions. I also think âdefense in depthâ can have unforeseen benefits (e.g. sometimes mitigating known unknowns and if youâre lucky even unknown unknowns). However, I do share your skepticism about detecting a malicious keyboardâs input as well as your concern about unsafe user behavior (i.e. removing the USB firewall out of frustration).
Isolated disposable VMs are indispensable to me, but I also have a lot of USB PCI controllers under the hood. 
So what does this have to do with a secure enough USB hub?
Iâm honestly not sure. My hope is that someone, someday may know exactly how to take aspects of the USB firewall concept and apply it to a âsecure enoughâ USB hub. Maybe @alzer89 can build one?
@Justin , even if I did build one, letâs be honest, nobody would trust it anyway, and we would be back to square one.
Would you be wanting Qubes OS to handle the firewall functions, or the USB hub?
Would there be any noticeable difference (apart from surge protection)?
That would be the much better option for something like a desktop, but you sadly donât have that luxury with a laptop.
Thought provoking question. Hmmm⌠Iâd like to get other peopleâs thoughts on this.
My first thought is to isolate or, at least, separate to the extent possible. I can also see good arguments for limiting the number of devices requiring trust (i.e. having a single RoT when possible), but as fiftyfourthparallelâs TPM example may demonstrate, that could be fragile. Thatâs especially true if it creates a false sense of security (nod to @necker). I hesitate to type this, but maybe both should be considered (incurring added costs and risks of complexity), or something else (something I canât currently imagine that someone reading this may contribute).
Just brainstorming here: Can vaguely envision an external hub capable of being independently verified (both hardware and firmware) against open source designs. Perhaps someday tie it into a tamper evident boot process where the hub firmware could be authenticated. Would we trust that more? Do you think any of that might force attackers to âup their gameâ in order to persist and/or avoid detection? Would it create more problems than it solves? Would any such a thing, were it possible, have any benefits for laptops with 1 or 2 USB controllers?
Note: This may be half-baked idea that might not actually be worth anything.
Since weâre just imagining at this point, why donât we try to consider all the input everyoneâs mentioned in here so far. USB port(s) with data lines disabled, and/or only enabled with a physical toggle switch. The ability to securely authorize devices via an admin key. Maybe we can draw some inspiration/insight from issue #2518. Secure firmware (I still need to research Ironkey and Kanguru). Maybe some ports on microcontrollers that are incapable of supporting both a flash drive and a keyboard at the same time (preventing stealthily hidden hubs inside our usb devices) and that prevent USB class changes after enumeration without power-cycling (wonder if this could inhibit @necker USB hardware password key). I like physical toggle switches and others like blinky lights. Both @zara and @slcoleman wisely mention risks and potential mitigations of the removable nature of USB. I have no idea how that could be incorporated but we certainly could try. Anything I missed or that you all think would help make a more secure USB hub?
Personal aside, I sometimes think of defenses like bank safes that are rated in terms of time. The real time it might take an expert safe cracker may only be known by those who have strong incentives not to tell others about their methods and capabilities. That doesnât stop safe companies from making educated time estimates, however the real âstate of affairsâ may be unknown until after a successful breach and sometimes not even then (e.g. espionage). Defenses that can buy time and, ideally, increase the likelihood of exposing an adversary may be worth considering. But enough of my ramblingâŚ
Edit: Removed personal notes and added half-baked idea note.
Huh? If you have been abrasive then feel free to abrade away. I have enjoyed your posts. My lack of replies is due entirely to my distractability.
I have a fun idea: Why not do a text simulation of hardware hacking? Right here? It might make obvious some holes in peopleâs reasoning.
Thereâs the party being hacked, who specifies his setup beforehand (realistic)
Thereâs the party doing the hacking, who can receive a few pieces of information about the setup to be hacked beforehand (reconnaissance). They specify what tools they bring to the field
And thereâs the Dungeon Game Master, whoâs basically the referee and decides what the chances of certain things happening are (i.e. what die/dice to use). For example, the hackee leaves his laptop unattended at the library to go to the loo; the hackers must quickly exfiltrate the contents of her hard drive. What are the chances the hackee suddenly returns? What are the chances of debilitating diahrrhea? (which of course the hacking team can arrange to increase the likelihood of). Since technical matters are decided this way, this person should be knowledgeable and must be able and willing to justify judgements (so not me)
Basically, think D&D, but somehow even more geekier. Note that this is a half-baked idea that might not actually be worth anything, but itâs better than sitting here navel gazing and gesticulating about unrealistic scenarios, when a truly valuable target would just have their laptop stolen and leisurely taken apart. Bank safes are immovable objects; laptops are not. (This post isnât me being snarky)
To be sure, but also to be relevant there needs to be two distinct classes of testing, hands on local & full on over the internet remote. Many people utilizing Qubes are counting on the security of it over the internet but are counting on it much less in person while others are quite the reverse (Iâm sure that people using it for both purposes & are not described by the previous will still benefit from this distinction).
Not to mention the question âjust how manageable is the anonymity of this OS from withoutâ as in âhow easy is it to determine precisely what OS you are using when you are detected externally just accessing some internet resourceâ (for the purposes of navigating to plan an attack - nmap etc).
What Iâm really worried about is the CIA or China placing additional chips on the pcb to collect data. Itâs my understanding that USB leaks data to adjacent ports. It seems reasonable that the board could be modified to collect data from every port when shipped, or before the hardware reaches the factory.
If you have links, Iâm curious. Thanks for starting this discussion.
Here you go. I guess they could break it, and replace the device. But, thatâs a whole level of security above from what I need. If youâre at that point you probably have built a secure room for storing your device.
The only worry is that it comes without tampering, and it would be nice if it had more ports.
If you use an external USB keyboard, it needs to be connected to dom0 or there wonât be anyway to type in dom0⌠so itâs not ideal to use external USB keyboards.
What I do to solve this is my laptop is connected to a KVM, and I use my USB keyboard and monitor for common daily tasks, and use the built in keyboard when I have to drop down to dom0.
even if I did build one, letâs be honest, nobody would trust it anyway, and we would be back to square one.
If you can build one that doesnât leak data to adjacent ports that would be good enough. Just ship it with a schematic, and follow Purisms model. But, donât pull a Purism and ship different boards to everyone.
Since weâre just imagining at this point, why donât we try to consider all the input everyoneâs mentioned in here so far.
Should have a large amount of ports (10 please) too. The devices need to be authorized, and some form of physical lock functionality to prevent any fuckery from in person attackers. Should be easy to open and verify all of the components. Or pictures get sent before sending the device out with a unique pattern, like Insurgo does.
Why not do a text simulation of hardware hacking?
Thereâs a janitor, in my building, who is a weird nerd. The anime type. He seems cool. But, also seems like someone who might break into my apartment to steal data, and quit his janitorial job as a result.
No that clearly wasnât snarky.
I edited my last post based on your feedback.
Hope you, or your game, can address Zaraâs janitor concern.
I think youâve completely misread what I wrote. The comment, like my previous one, wasnât directed specifically at you (though out of habit I pressed the reply button where I was pinged, without scrolling down to the threadâs reply button). This one though, is.
The âhalf-baked ideaâ referred to my D&D simulation of hardware hacking, which I genuinely think might shed some light on the difficulty (impossibility?) of physical/hardware security against a determined adversary, if the game is designed correctly; and might even be a good game in its own right. Sometimes roleplaying is a good way to gain insight. For example the Finnish, to combat disinformation (mainly from Russia), have a game where kids/users roleplay as the ones generating disinformation which has proven to be quite successful. I wish social media users were required to play this before being allowed online, but of course the platforms are against this so nothing of this sort would ever happen. But I digress.
Regarding the personal note you edited out: Some politeness is a good lubricant, but all things in moderation. I find that too much politeness --and also the expectation of itâ gums up discussions and also generates a lot of verbal cruft, making things more, much more, verbose than they need to be. This is especially true without tonal and other non-verbal cues. Those who want a reason to be nasty, will eventually find one. No matter what you do. I sincerely hope this piece of admittedly unsolicited advice will be of some use to you.
@zara Iâm not sure I understand what youâre trying to say with your janitor comment. Are you saying that you can somehow detect who might steal your computer and pre-emptively block access? Are you trying to play the game I suggested? Iâd appreciate it if someone explained this to me.