Hardware brands which you trust to run Qubes

What about internal SSDs?
(I’m also in the market to upgrade the internal SSD)

be aware of wear leveling and firmware attack

Can you substantiate these two attacks? For example, giving some links to their examples?

The Hitchhiker’s Guide to Online Anonymity | The Hitchhiker’s Guide to Online Anonymity.
i don’t clearly have one for firmware attack

Ah, yeah. I already read that doc. Now I remember the wear leveling, TRIM, discussion in it.

I don’t trust hardware. My choice to use certain hardware often has more to do with where and how I get it than the specific manufacturer.

So I suppose I am more concerned with supply chain attacks and various forms of interdiction than unscrupulous manufacturers per se. I am more concerned about some pimple-faced Geek Squad tech messing with my bootloader or an unscrupulous Amazon worker swapping out the Ledger device or router I purchased than I am about the manufacturer designing backdoors into the equipment.

My preference is to walk in and buy a piece of equipment off the shelf instead of ordering it online. The more random the better. And if ordering it online is the only option, I will look for opportunities to have it ordered from a third party with very few ties to me - mostly just to increase the randomness of the purchase.

The only exceptions are companies who take significant precautions against tampering in transit and/or hardware that is highly configurable (ex. routers with detailed schematics available online that allow me to visually inspect the hardware and install opensource firmware etc.

But at the end of the day, I don’t trust any of it. I just use it. It’s a reluctant, conflicted marriage of sorts.

Hello everyone, a very interesting and enlightening thread, I am probably way out of my league here but I like to try and contribute, so if my comments are too noob please just ignore them

I think that most of the people in here fall into the same category as myself, being just average users that value privacy and don’t like the thought of being spied on.
It seems clear that one may never be able to fully trust hardware or software for total security, so I would think that maybe more important than trying to find the perfect impenetrable hardware/software solution, would be the practices one is using when online and connecting to the internet, not drawing attention to yourself or giving away personal data.

Also most of us these days have more than one computer at home, I have thought for some time that the best security for protecting data is simply having no personal information on your online computer at all.
By this I mean having one computer that connects to the internet for all purposes, with no files or personal information of any kind on it.
On another computer all of your files and data are stored and this computer does not connect to the internet, even the ‘three letter organizations’ cannot hack into a computer that does not connect to the internet.

I personally love Qubes and don’t fully trust any hardware, and will continue to use it as my OS for online use, I store all of my flies and data on a separate computer that I do not (or at least very rarely - for updates) connect to the internet.

there still problem, they can draw quite accurately some of your personal info using your online activity

remember human mistake and malware (similar to stuxnet)

that can be a point for failure, but there no workaround for this

Be careful not to assume too much. There are at least a dozen ways that data can be snooped on and exfiltrated from computers with no network connection. The screen emits radio signals that can be reconstructed at long distances. Data can leak into the ground line and be read on power lines. Your computer emits ultra high frequency sounds when typing certain keys which can be listened in on from a distance using a variety of methods, from lasers to more conventional bugs. It’s possible to manipulate display brightness and fan speed to interpolate certain kinds of data. It’s even possible to turn RAM into a freaking WIFI transmitter. So, generally speaking, radio waves, light, sound and electrical current can all be used to compromise a device at a distance. Old school PS/2 connectors can leak keystroke data into the ground pin and right through your power lines. So even “safe” alternatives to USB aren’t 100% safe.

And before you think that it would take a three letter agency to implement those exploits, keep in mind that we are in the age of Blackwater and pay-for-hire goons who gain access to all kinds of fun toys. [Bad] contractors. Like the guys who remodeled your bathroom with that fancy laser cutter. Except these guys have lasers that can turn your house windows or light bulbs into microphone membranes. The only difference is the guy who fixed your bathroom likely still has his sense of morality and ethics intact.

example here

umm, please edit your post

I just did that.

@necker, Shite, I didn’t know a fraction of that stuff, somewhat depressing but good to know. Thanks for sharing guys.

Oh [bad], I didn’t realize that writing [bad] was against the rules. Won’t happen again! (Thanks for fixing it @fsflover )

That is exactly the threat model that I am concerned about, and I’m sure many other users: Even if you are not breaking the law, you do not want your privacy violated by government agencies.

Your answer seems defeatist. Can you at least speculate on how they would violate your system, let’s say assuming they have to this remotely (e.g. they can’t pysically touch you because you are out of the country)? Would you at least be able to tell if your system has been compromised?

Nice.

I think of it more as realistic. If I’d be in a position to fear for my life, I’d obsess over this topic 24 hours a day and would probably not use any computers (for longer than 5 minutes or at the same location twice).

But thankfully I am not.

[quote=“ubersecure”]
Can you at least speculate on how they would violate your system, let’s say assuming they have to this remotely (e.g. they can’t physically touch you because you are out of the country)?

[quote]

Are you in a 5-Eyes country? … or a “friendly” / allied country? They openly admit sharing. Are you in a target country (China, Russia, Iran, Syria …)? Well they spy on you and our guys spy on them.

There is no absolute security and definitely no absolute privacy. All you can do is make it more difficult, but if you are interesting enough …

More importantly, being around this community for a while and having gone down this path in search of total privacy myself for several years I think there is a pretty big danger of mental illness at the end of it all.

There are no absolutes. Know your thread model and formulate a reasonable answer and then accept the residual risk and live your life.

That entirely depends on your skill level and the time / effort you put into detection. But again, consider who you think you are up against.

Actually, no, there is no way to know if your system is (not) compromised. See also: Compromise recovery in Qubes OS | Qubes OS.

Every defeatist person would say that

However, I agree that

And this is why I am simply trying to make “their” work harder, nothing more.

Through the speculative CPU vulnerabilities, they could get any password of yours via javascript on random websites. Through Intel ME they (maybe) could own your system, too.

However, this is an off-topic here and we should not continue this discussion in this thread.

Pretty off topic right now, to the OP, I would say I don’t trust any hardware, but that’s the point of the OS. Of the available hardware to date the most worthy of in terms of a sense of more trustworthy than others is the Purism Librem line.

As for the most recent conversations derailing this thread, understanding how you can be attacked is important. Anything you do that interacts with something that interacts with the internet needs to be a disposable VM. The reason I say this is because AppVMs give the opportunity for persistence and time to find a way to pivot to other VMs. There is a lack of visibility in processes running in each VM however it’s the same case for every other OS anyways. What people are asking for is non-standard and usually requires system-specific customization.

One of the major downsides to Qubes is that even if you isolate every process that interacts with the internet, let’s say your browser, and I get you to visit a page that exploits a vulnerability in your browser that allows me to execute code on your machine. That means I can easily establish persistence unless you are monitoring the filesystem of each VM. I say it is a downside, however literally every operating system is this way, we only care now because we’re looking to harden our systems. Right?

With that said, I believe Sven or Unman use Tripwire to monitor for file changes like that, that may be a good option. I haven’t had any experience with Tripwire, but as a FIM it should be a good option for those who aren’t isolating every process that interacts with the internet to its own VM.

Because of that, I’m trying to think of the best way to manage ram and application isolation using disposable VMs. Some things have to be a balance of usability and disposability, like how am I supposed to add bookmarks in a browser without updating a template with the bookmarks? Well, one way is to just export your bookmarks and move them over to your template. Not the most ideal, but if we were going for convenience we would be running a non-Qubes OS. Protip in the response below, also protip, use a disposable VM for your browser and any apps like signal, session, discord, matrix and just log in when you need to use them, that way you don’t provide a persistent home directory for an adversary to live in.

As for the talks about nation-state adversaries, 99.999999% of people the government couldn’t care less about, APTs don’t care about them either, so unless you’re some high value target or of interest to a certain leader with a pension for dismembering dissidents and you happen to be one of those dissidents just as an example case, then a realistic threat model does not include Nation-State adversaries or APT groups. You aren’t hiding from someone when they don’t care to look for you in the first place. The people who do need that kind of security aren’t posting on this forum, they’re working with people who can help them set up and manage their system. Feel free to RP all you want, you aren’t helping any dissidents by your computer running Qubes. Qubes does not provide privacy, it provides security. There is a difference between privacy, security, and anonymity and Qubes as an operating system only provides security. Anonymity is not as simple as running whonix, privacy isn’t as simple as using Torbrowser. If your priority is privacy, your threat model is primarily the advertising industry, not the NSA.

If you’re in the US and the NSA is interested in you, they would just have the FBI raid your house like Harold Martin. Pro-tip: they have no reason to because mass surveillance doesn’t mean you are more than a speck of dirt to the NSA.

Now you say you want to help others, then use Torbrowser for everything, except for torrenting, because the more traffic that is processed on the network the more others can blend in. The more fingerprints that are identical to the Torbrowser, the more you and others can hide but that’s only one aspect of privacy and anonymity and there are a plethora of other ways you’re identifiable.

Pattern recognition for example is used to identify people based on how they write and type. You’ve got patterns in online activity, connections going at certain times or higher bandwidth usage at times which helps identify you. But beyond all of that, if this Rowhammer fingerprinting technique is employed then you need to be using something that defends against it and I don’t know if a Qubes VM would matter because it’s all about your memory modules.

If you’re concerned about privacy it goes beyond what you do on your computer, your electronic transactions, even cash transactions could be traced at least to an ATM and from there camera footage of when serialized bills were withdrawn, cash back at a store? Even better they have more cameras and witnesses as well. How about the police surveillance in your area? How many cameras are watching your vehicle as you traverse the area? Do you wear IR reflective glasses to obscure your face from IR cameras used at night? Do you use clothes and masks to throw off facial recognition systems? Do you know if you’re connected to a Stingray with your cellphone?

If you want anonymity strong enough to hide from the NSA, you need to be using a yagi antenna and using wifi from a network you cracked a mile away and a system where there is no record of you or anyone you know buying it using public wifi in a place far outside of where you normally operate, using a spoofed mac address so logs can’t be obtained from the coffee shop you used the wifi provided no cameras caught you driving with their automated license plate readers so you’re going to have to steal a car and hope it has enough gas to get there and back before the owner notices, then assuming you’ve made it back never access anything ever related to your actual identity on that machine ever again. Have a separate system to pay your bills and watch netflix on or something while you do other stuff using the mile-away wifi you are connected to with that yagi antenna. All traffic must be routed through Tor on that machine. You still can’t use cash, so you use local monero and conduct in-person transactions to your cold wallet, and then you still need to get groceries so you pay a homeless person to go shop for you and give him some food and some extra cash. You realize your cellphone was not in a faraday bag and was giving away your position when you stole that car and drove to the next town over to set up Qubes so your opsec is ruined and now you have to start over. Now you have to break your lease and move to another state because the police were tipped off about a car being stolen because the person you stole the car from had a ring doorbell and if you happened to cross state lines in that car the FBI is involved. This entire time your cellphone has been paid under your name rather than being paid for in timecards that homeless dude could’ve gotten you and all of your activity on the phone and contacts you spoke with anyways ruined your opsec. No more friends, you can’t call or text, only telegram, session, and Tox. You’ve got a job that knows where you live unless you live out of your car then you just gave em whatever address you could maybe a family member’s permanent address so you still file taxes so the IRS doesn’t target you. At this point you give up, cash out your 401k and buy some land and start a homestead with a side business of selling organic produce and beekeeping, giving up the internet and all technology beyond what you use to listen to music/watch netflix and talk with family and automate with. You realize nothing is different from when you started and this has all been a complete waste of time and you should’ve just chilled tf out or maybe you should have just spoofed the mac address and never stole that car in the first place. This entire time the NSA couldn’t have cared less because they’re too busy looking at members of Byzantine Candor and trying to pull off Stuxnet 2.0.

I hope by now, if you’re even reading this far, you realize while a fun thought experiment, it is by no means practical and for that reason you need to consider what you don’t care the world knows and what you do care the world knows. Sometimes, the best thing for anonymity is to blend in with the rest of the crowd rather than stand out. If you don’t stand out, they have no reason to question your behavior and appearance. One of the things that determines how long information is classified is how long does the information need to be protected, until it becomes irrelevant whether or not your adversaries know. So for each bit of information you seek to hide, look at it that way. Change your threat model to the advertising industry, the NSA doesn’t give a fsck about you.

FBI and local authorities however may…

fbi-handler970×618 299 KB

There is a split-browser that keeps your bookmarks, and will send one you click on to a disposable VM…and also accepts new bookmarks from the disposable VM: