Huawei usb modem does not connect

I disagree.

Two things:

  1. Either you have the Chinese backdoor, or the American one, so choose your poison/least adversarial option. However I see fewer people complaining about Cisco. (Obviously OpenWRT is the best option if one can live with additional external hardware.)
  2. Everything entering your sys-net should be considered “in enemy hands” anyways. Right after that comes the insecure network, so it is not to be trusted. Either you have taken precautions like using Tor/VPN/whatever or not. Qubes gives you the tools to take those precautions with an astonishing level of security, so especially when having untrusted hardware components like network interfaces Qubes gets very useful.

Agree to disagree. If I weren’t Chinese, I’d always use Chinese backdoor. Their motives against foreign ordinary people are without a doubt less adversarial, and even if they wouldn’t, I’d be less reachable to them.

The mobile broadband modem is much more dangerous than something like an ethernet/wifi adapter. You can place a hardware firewall between the ethernet/wifi adapter and the internet and filter potential malicious traffic, but you can’t restrict the mobile broadband modem traffic.
Also the mobile broadband modem can track your geopositioning based on nearest base stations and report it over the internet unrestricted, as there is unknown proprietary firmware in the modem with broad capabilities because it has Linux inside.

1 Like

Why this?

Sure, getting geolocated by the carrier, but that is a trade one has to agree on when using cellular services. That is why I am not using them. Compromised or not.

A rogue sys-net with wifi capabilities can geolocate you much more accurately than a rogue broadband adapter.

Having a malicious sys-net pretty much sucks, but is not fatal (depending on goals, threat model and so on).

I thought about placing another firewall between my Qubes and the outside to only allow traffic to my guards.

But I am not sure that this would help anything regarding data extraction: I cannot reasonably inspect Tor packets, and if my sys-net wanted to extract something, this would be the way: going over Tor with the same guard as me. So even if I use the most restrictive firewall, data extraction is ridiculously easy, as it would be over broadband.

Other than that, it cannot modify packets or read them with either wifi, ethernet or broadband.

I see some technical differences between wifi vs broadband of course, but the capabilities that an adversary would gain are very comparable imo. Or is there something I am not seeing?

You can protect yourself from malicious devices/software in sys-net (ethernet/wifi adapter firmware or software) - you can have a hardware firewall (for example some SBC - Raspberry or something) and you can install a VPN server there and block all traffic except this local firewall traffic. Then you will have a VPN client in sys-vpn connected to sys-net that will connect to this hardware firewall and block all malicious traffic from sys-net and only allow sys-vpn traffic. This way you can protect yourself from being compromised by sys-net.
And even if sys-net can geolocate you - it has no way to send this info anywhere and no way to store this info as well if you use disposable sys-net.
But this won’t work with modems.

2 Likes
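
The hardware-firewall arrangement described in the post above, sketched as an nftables ruleset for the SBC. This is an added example, not part of the original thread; the interface names `lan0`, `wan0`, `wg0`, the choice of WireGuard as the VPN, and UDP port 51820 are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: ruleset for the hardware firewall (SBC) between Qubes and the uplink.
# Assumed names (not from the thread):
#   lan0 = port facing the Qubes machine (sys-net), statically addressed
#   wan0 = uplink, wg0 = VPN server interface, UDP 51820 = VPN listen port
flush ruleset

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # From the Qubes side, only the VPN port on the firewall is reachable.
        iifname "lan0" udp dport 51820 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only traffic that arrived inside the tunnel (from sys-vpn) goes out.
        iifname "wg0" oifname "wan0" accept
        # Anything sys-net sends outside the tunnel shows up on lan0:
        # drop it, and keep a counter so the attempts are visible.
        iifname "lan0" counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Tunnel clients leave with the firewall's uplink address.
        oifname "wan0" masquerade
    }
}
```

A non-zero counter on the `lan0` drop rule (`nft list ruleset`) means something in sys-net tried to reach the network outside the VPN tunnel.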

Thanks for elaborating, I have not thought about that, you are right. That is an interesting approach.

Also, of course in this way you need to believe that your SBC is not compromised. But it’s much harder to compromise it compared to your Qubes. You visit different malicious websites, download and run different and possibly malicious software in Qubes - but not in your hardware firewall.
So you even can protect your real IP from getting exposed right away if your Qubes is compromised and get a layer of protection from hardware firewall. You can connect wifi to this hardware firewall to hide your geolocation. You can add another VPN to this hardware firewall to hide your IP from whole Qubes. Qubes won’t be able to see your broadband connection and will only see your exit VPN IP.

Off topic:
We should never accept products from China, Russia, Iran, North Korea or any other authoritarian, oppressive states even if you have nothing to do with these countries. It’s not like choosing between US and UK. Besides ethical issues, products from these countries are more privacy invasive.
Example: Before Apple’s CSAM detection, China already tried to detect and delete pictures and videos that mock Xi on LOCAL STORAGE.
If we really have to choose between them, I’d choose the system (claiming) monitoring CSAM and terrorism rather than the one monitoring and censoring political and religious activities.

Thank you for participating. To everyone who helped) I found a solution. That’s how it works. I bought myself a router with OpenWrt firmware, put it on a vpn router. Now I insert my modem into the router. And everything is connected. Not directly, but as a Wi-Fi. I need to use the modem anyway. Since you need Internet for a laptop. Because I’m on the road. Wired internet is limited to my room. Thanks again for the help)

1 Like

Generally I agree. I really dislike oppressive regimes like everybody else, maybe even more. It is very risky to place trust in this hardware.

But: US and UK three letters have massively more resources and their attacks on infrastructure and factory backdoors are (more or less) well known.

I sincerely think that this is not only a problem with oppressive regimes, but with unregulated, unsupervised power concentrations in general.

Not sure what backdoor I would like to choose. But a company saying “We scan your content to make sure you are not a child abuser” sounds more outrageous to me than a gov trying to oppress people from talking about Tiananmen Square.

The latter is more dangerous for society, but more or less expected. The first one is a direct accusation of me, so I take that more personally. Also that sounds pretty much like me having to prove my innocence before being allowed to do stuff on my device instead of a judge having to prove me guilty.

What I observe is that with the four horsemen of the infocalypse every surveillance is legitimated and is abused in any case I know eventually, so I won’t comply with (my devices) spying on me for any reason whatsoever, as I am a law abiding citizen that simply wants to protect his human rights.

If you want to proceed with such a discussion, I highly recommend another topic…

Edit: @Krakin great to hear you solved your issue 🙂

2 Likes

Glad you are on OpenWrt!

I agree. Both are damn evil. It’s a hard choice. I have my side using journalism against oppressive regimes.
Luckily we still have OpenWrt.

This might be slightly OT but I’m posting it just because you’ve mentioned it… I’ve been using this setup pretty much since I started using Qubes, without an issue: sys-whonix > sys-corridor > sys-firewall > sys-net