Does it matter at all, in any scenario? Can they be seen in any way? Through a compromise for example?
If it could matter in some scenario, are there things not to do? I could imagine personal information or a connection between your VMs (for example naming them “1”, “2”, “3”…)
Qubes is trying to hide the VM names from any adversaries. The names are not shown in encrypted backup files (until decrypted) or when you transfer files and text between VMs. It should be pretty safe to name the qubes as is convenient to you.
Well, probably not exactly. Some things had to be taken into consideration, though
Unless you take steps to alter it, your network qube will send hostname
if you use DHCP.
sys-net may be enough to identify a Qubes machine.
You can change hostname or stop sending the hostname - both covered
recently in the forum and in the docs
This is probably the only identifier that will leak, although unless you
take steps, it is possible to recover hostname from a web browser.
If, by “compromise” you mean someone getting remote access to one of
your qubes, then they will be able to see many details of your system,
including the hostname.
Whether any of this matters is up to you.
What are you guarding against? What is your concern?
If your concern is that someone will know you use Qubes, then rename
sys-net to typical windows hostname. You could change all the usual
names to use typical windows hostnames, but since an attacker will be
able to identify a Qubes qube, the effort probably is not worth while.
If you do make changes to your names, this will make you unique - not
an issue unless you are traced, in which case those names may be
catastrophic.
I mean - if your activities have been traced to specific hostnames, and
the authorities access your computer, then they may be able to build a
case by looking to your Qubes history. (This will apply even if you
use disposables.)
I have not considered the case where you use personal identifiers as
your qube names, or where you use misdirection in your naming.
Feel free to use unman-mail, unman-personal, unman-browser etc.
lol,
i do, name the qube whatever i want and leave sys-* as default, the problem when you change sys-* vm, you should change every policy too.
If you do make changes to your names, this will make you unique
Do you only mean sys-net or all qube names? If you mean all names, how would changing them make me more unique than not changing them? Because I need to find a unique name when creating them any way. (unless you only mean sys-net or other pre-installed VMs).
What are you guarding against? What is your concern?
Firstly, hurting my anonymity through personal information (stupid example would be “(my real name)'s VM”) and secondly, someone who traces me finding out that my identities (VMs) are the same person because their names are “1”, “2”, “3” for example.
You have not yet made it clear what is your concern.
There are (at least) two distinct questions about anonymity, as you
suggest.
One is where a breach of anonymity will allow you to be traced.
One is where a breach of anonymity, if examined, will allow you to be
identified as the author of certain acts.
Using Tor, or Whonix, or Qubes, in itself, may be sufficient to allow
you to be traced.
This will depend on what is your concern.
If you use the default names (personal,work,untrusted,dispXXXX) then
your system will appear the same as any other Qubes user.
This has some downsides - e.g. an attacker might be able to game qrexec
calls because they will know the identity of some other qubes.
But it means that if examined your system will not be immediately
identifiable.
Let us say you work in an institution where there is a naming convention
This is not clear, and these are different things.
Your first example is not stupid - I have seen people use such schemes.
unman’s VM seems a very sensible choice to me.
If you are concerned about this breach, then do not use names with any
identifying characteristics, or use generic names, or names that
identify others. See above.
In the second case, using generic names will provide you with some cover
against correlation identification. If you use dread-1, dread-2,
dread-3, pirate-1, pirate-2, and the tracer has seen activity from
pirate-3, then you are toast. If you use qube-1, qube-2, qube-3… then
you have some defence, since it’s likely that other users will have
that scheme. If you only use default names (including dispXXX) then your
defence will be stronger still.
For most people using the default names will be the best thing to do.
I never presume to speak for the Qubes team.Makes sense! In what case could someone find out my VMs’ names tho?
I’m not sure, but once I tried to create a VM and my configurations went wrong. Then I deleted it and created another one with the same name and it was not even booting. So I deleted this one too and created another one with another name and it worked.
Reconnaissance, guesswork, and targeted attacks.
How would you do it? Think about ways and take steps to mitigate the
problem.
For example -
Network traffic may contain clues.
If they can gain access to one qube, this may provide useful information
on the naming schemes, even in disposables.
QubesIncoming may provide data.
If you have customised a disposable template, then there may be evidence
available in the disposable.