Hubert Servidor's security hacks

It’s nice to know I’m not the only one who does this!

Stating that it was being dismissed as invalid isn’t the whole story.

See the very professional reply from Marek (lead Qubes OS developer) [0].

Marek evaluated the claims, pointed out some solutions that were already available, assisted the OP with providing a more conceptual understanding of Qubes OS, talked about future roadmap, and most importantly, he encouraged the OP to participate and provided pointers towards contributing.

It’s easy to simmer this situation down to “did Qubes OS get hacked” but Marek showed the bigger picture is more important: if you want to hack Qubes, understand the concepts deeper, know where the project wants to head, and help get more people involved and contributing. Those factors definitely help achieving a hacked Qubes OS where the right people know about it and are able to do something about it before it becomes a risk.

I definitely want the OP to continue down the path of trying to hack Qubes or finding security vulnerabilities. It’s not always just about a VM escape (see [1], [2], [3], [4], [5]). With the right understanding and support from the Qubes team, it could be a matter of time before another QSB is released found by the OP. And we should all welcome that.


Sorry… can’t let this go without a response.

Of course it’s the whole story. Look at the following link.

Notice it is the same user who posted someone else’s video clips and the same user who offered no additional insight or explanation regarding the nature of the videos. It was the same individual who drew premature conclusions after very little discussion of the matter. That’s why the user was told by one of the Qubes devs:

“…this does not appear to be suitable for qubes-issues …If, after reading our issue tracking guidelines you believe we are mistaken, please leave a brief comment explaining why. We’ll be happy to take another look.”

Regarding the response from Marek that you quoted, it was a completely different interaction from a different user. You are defending the creator of this thread by citing someone else who was actually discussing vulnerabilities at length with the members of the Qubes team. There is a difference between offering no explanation about a random YouTube video and discussing real security concerns along with a published explanation of potential vulnerabilities in Qubes. The latter allowed Marek to clearly address the matter…

It’s easy to simmer this situation down to “did Qubes OS get hacked”

The issue here was not reduced to anything. The issue here was unclear from the beginning. Repeated requests were made for the OP to clarify the nature of the claims. He offered next to nothing in the way of actual discussion before posting a suggestion for a new Qubes hypervisor.

I definitely want the OP to continue down the path of trying to hack Qubes or finding security vulnerabilities.

The OP has demonstrated nothing and said nothing to suggest that he has ever stepped foot on that path. You are quoting an exchange between a security researcher and the lead developer of Qubes - neither of whom have anything to do with the OP.

“Sorry… can’t let this go without a response.”

Because the OP (me, you can name me, I assure you) was asking for info, not going to lecture you on the “vulnerabilities” described in the videos. I looked first if the guy “Hubert” was around but obviously not, hence I posted the link as alleged “security hacks”.

Of course it would have been way easier for everybody if “Hubert” created an account on GitHub/there to post his own finding instead of releasing cryptic videos on YouTube. But obviously you were, again, eager to jump to conclusions and pretend I was there to troll while ALL I was asking was “Interesting or not ?”

Where did I ask for or state anything else in my original comment?

ALL I was asking was “Interesting or not ?”

I didn’t say you were pretending to be someone else. I said you posted ambiguous content - and with no explanation from you or other members of this forum, began quoting unsupported claims that “dom0 wasn’t isolated at all” and making the suggestion to replace the Qubes hypervisor. That’s more than “asking [if it] was ‘Interesting or not ?’”

So perhaps now you can clarify:

You said “That explains a lot”. What exactly was the explanation and what are all the things it explains?

That if Xen is compromised/flawed, perhaps considering another hypervisor as an alternative might be a reasonable option, maybe ? Nothing more.

But since it has been considered a non issue, case closed, I guess ?

Anyway, feel free to comment on “Hubert” videos, I provided the link to the source material, it might lead to an interesting interaction. Or not. It depends.

This is very far from true and is covered by the FAQ.

Thanks for pointing that out. Instead of quoting XSA-212, I quoted XSA-211.