European Union And OS level Backdoors

I don’t think it is technically possible to force a backdoor on Qubes OS users. At the very least, it is an open source project, that anyone can download sources, apply modifications and build themselves.
Anyway, we’ll fight back any request to backdoor Qubes with any means available to us. In case of all the options exhausted, we’d rather stop maintaining the project, than to ship backdoored product.

9 Likes

I don’t think it is technically possible to force a backdoor on Qubes
OS users. At the very least, it is an open source project, that
anyone can download sources, apply modifications and build
themselves.
Anyway, we’ll fight back any request to backdoor Qubes with any means
available to us. In case of all the options exhausted, we’d rather
stop maintaining the project, than to ship backdoored product.

That’s the spirit…

no one said it is a conspiracy theory. i just wondered why there
should be a backdoor in the device itself its simpler to have a
(law
forced) backdoor in programs.

anyway thanks for the information and as fsflover said, Amd,
Intel,Arm all of them have backdoors.

So to my knowledge only Intel’s ME has a remote management feature.
AMD’s PSP can be manipulated and exploited through arbitrary code,
but
not remotely; only if the attacker got you to load malicious code or
has physical access to your laptop/computer. If you have other
information please share it.

36C3 - Uncover, Understand, Own - Regaining Control Over Your AMD
CPU:
https://www.youtube.com/watch?v=bKH5nGLgi08

CCC’s collection of AMD processor analyses presentations:
https://www.youtube.com/c/mediacccde/search?query=AMD

So, yes I feal a better while using AMD processors.

I forgot the links to the code for those who want to check for
themselves:

2 Likes

I don’t want to worry you but since AMD provides DASH tools which are
“for secure out-of-band and remote management”, and which operate
“independent of the power state of the machine or the state of the OS”,
I’m not sure you should feel any better.

There’s a huge amount of nonsense talked about these features, and what
the motivation for them is. The primary market for processors/machines
remains business, and a huge push in IT management in business is for
remote out-of-band control. That’s it.
Not to say that i want those features on my machines, but there’s no
need to look for conspiracy when hard cash provides an answer.

1 Like

I don’t want to worry you but since AMD provides DASH tools which are
“for secure out-of-band and remote management”, and which operate
“independent of the power state of the machine or the state of the
OS”,
I’m not sure you should feel any better.

I heart about DASH, but to my knowledge there has to be client software
installed on the target machine. But I’m not so familiar with DASH, do
you have more info about it?

There’s a huge amount of nonsense talked about these features, and
what
the motivation for them is. The primary market for
processors/machines
remains business, and a huge push in IT management in business is for
remote out-of-band control. That’s it.

True enough, yes I know.

Not to say that i want those features on my machines, but there’s
no
need to look for conspiracy when hard cash provides an answer.

I know but that’s usually what one gets told when pointing such things
out…

Thank you

Yes but chances to meet people that think hardware backdoors are conspiracy in a Qubes OS forum is very rare. i guess :slight_smile:

Thank you and the Qubes OS Team for the hard work

1 Like

Thanks for replying here, Marek! I’m with you 100%.

Maybe the shared Qubes master key idea should be implemented:


It may not help against a judicially forced backdoor but it can help at other attempts to undermine Qubes OS.

Yes but chances to meet people that think hardware backdoors are conspiracy in a Qubes OS forum is very rare. i guess :slight_smile:

Would it help to set the development team to a charity to get a better law protection. Needless to say, that charity regulations and laws are country dependent?

I don’t know how centric the actual team is but decreasing the risk by distributing the dev. team around the globe and verify new lines of code only with consensus before release it?

I think that’s part of the idea behind the proposed new multisig scheme:

1 Like

@adw Where did any of this go? Specifically:

  1. Were the proposed E.U. regs scrapped?
  2. Has Qubes given up (or delayed) the multisig idea?

Nowhere yet, AFAIK.

Sorry, I have no idea.

Not any moreso than before. Our to-do list is years and years long. We’re understaffed, and urgent stuff often cuts in line, bumping less urgent stuff down. It’s not unusual for something like this to sit as a to-do item for a very long time. That doesn’t necessarily mean we have or haven’t decided to do it, delay it, or abandon it.

1 Like