I have been hacked repeatedly!

Sadly, my last 3 attempts to use Qubes OS have ended: (1) All my VMs were either cloned a dozen times or destroyed. (2) I reinstalled Qubes OS from scratch and restricted myself to only a disposable VM running only Firefox. Then all of a sudden everything sporadically had its ability to access the internet stopped. A restart fixed this, but I concluded the safest thing to do was reinstall. (3) All ability for any VM to access the internet stopped. In fact it never started. I could not reach the internet while connected to the Wi-Fi. When I tried to restart the sys-net VM my screen filled with a notification saying something like, “Qubes Update unable to stop, error” (or something along those paraphrased lines). I tried to reinstall a (4)th time just to see if it would connect to the internet and during installing I found 4 backup partitions inside the dom0, inside the lvm, on advanced partitioning, present from the last install, that I never created. I found that because the automatic partitioning “configuration failed” after I clicked “Done”. Advanced partitioning failed as well. I had to install to an external USB SSD. Now shortly after bootup and login, the screen goes wacky then exits to the tty terminal from which I cannot escape except to restart. I noticed a dot error log in the home directory had an entry with something interacting with ssh secure keyring along with a bunch of dbus errors and something like “gpt”.xwindow.c “atom x” errors too. I do not know if that is relevant. And all files and folders in /var/log/… were completely empty, even though the files and folders were created by something, it was all barren.

I’ve switched to Qubes OS recently because no matter how hard I tried, my Windows (10 and 11) (and Linux [Ubuntu and Debian] and my Galaxy Z Fold3 5G [Android 13]) installations always get filled with logs of logins with elevated privileges, and processes and services (and daemons) with malicious code and control over my computer and smartphone. The input and output kept getting overrun with oodles of scripts, programs, and virtual devices.

What am I overlooking? Could my Intel ME be compromised? I can’t reinstall again as my two SSDs and USB SSD are somehow unable to be formatted by the installer USB and that is the only bootable USB I have. I am posting this via my smartphone.

I am running an Alienware Laptop M17, could there be a remote access subsystem placed by Dell? I’ve seen Dell environments, accessible from the boot menu, come with a full network stack. Could the SCSI subsystem be compromised and allowing remote connection? Could it be an “evil twin” wireless AP that can somehow connect to a subsystem or some pre-enabled Qubes OS remote connection protocol such as ssh or qrpcexec (or whatever it is called)? BTW that poses an unnecessary and extreme security risk. Qubes native dom0 remote connection implementation? What a perfect tool to easily and completely take over hard and fast, with little effort. It comes standard on every current release even though I’m sure less than 1% of any user would ever use it? Why?? Can’t there be a version of Qubes that does not come with such a powerful tool for hackers that is useless to me? Why isn’t Yubikey an option during installation and would it even protect Qubes from any and all possible remote connection attempts? How would I find and secure any possible subsystems and not allow any connection that isn’t solely me requesting https requests to websites? The firewall should have a “https and dnssec originating from known authoritative DNS servers connections only” feature preconfigured because the firewall seems to be useless to me unless I am missing something obvious.

Thank you for your time and I look forward to your insightful replies.

1 Like

¯\_(ツ)_/¯ Could be anything.

Sounds like trivial driver error.

Is it because you turned on sys-usb?

Seems like sys-net broke. A restart of that exact qube could have fixed that…

qubes-dom0 can be a lvm volume group’s name. It’s likely that the failed attempt to auto partition revealed the lvm layout from the previous install. Dom0 root, varlibqubes, swap, etc.

Auto partitioning can be tricky on some hardware. Just switch to another layout, like btrfs, and see if that helps with the install.

You are unnecessarily worrying about qubes os’s design. I would recommend you to read what qrexec is first, before subjectively suspecting it’s something that can be easily used by adversaries.

3 Likes

Are you dealing with an intelligence agency? Use a Raspberry Pi to avoid hardware level backdoors.

The EEPROM might allow persistent trojans FYI.

Beware of shopping online, they can sabotage the shipping process if they do not respect the law.

Nope.
If it’s not DNS then it is Intel ME (even in case of AMD!).

2 Likes

Thank you for your replies! :wave:

Sounds like trivial driver error.

It was my third install within 3 days and the first two never had any issues with internet. The first install made it 2 days without one hitch.

Is it because you turned on sys-usb?

When installing Qubes OS on an external USB (SSD), the auto partitioner does not install sys-usb and Qubes gives a warning on every startup and shutdown. The warning says something like this: USB has unfiltered access to dom0.

Seems like sys-net broke. A restart of that exact qube could have fixed that…

I too first tried shutting down sys-net and starting it again. When that didn’t work I tried a full system reboot and it did not fix the problem. If I had known my entire hard drive was put into some locked and hidden state I would have tried reinstalling all the templates (and domains) myself with the command line.

qubes-dom0 can be a lvm volume group’s name. It’s likely that the failed attempt to auto partition revealed the lvm layout from the previous install. Dom0 root, varlibqubes, swap, etc.

No, the installer clearly states that no changes are made to the disk until the install process has started. Also when you install on an already occupied disk, the installer stops you and gives you an option to delete any partitions you want with just a few clicks. After this I got an error that it could not update the disk’s configuration. So, I did what you thought and tried to manually partition it myself. I’ve self-partitioned quite a few Linux installs. Even if the only changes I made were to erase/delete that disk and install on my second hard drive. There were about 40 or fifty exact clones of every template, except each clone had a numbering system added to the end of their name, like what happens if someone restores from a backup without first renaming the older copies or deleting them first.

Auto partitioning can be tricky on some hardware. Just switch to another layout, like btrfs, and see if that helps with the install.

It won’t get past the initial deletion of the previous installation.

I don’t think that is true. Maybe I am misunderstanding, but there is no room left on the disk to fit the OS. The partition tool will not let you click Done unless there is enough space to install and I get an error from this process. If I can’t write over the old installation, I can’t write the new installation.

You are unnecessarily worrying about qubes os’s design. I would recommend you to read what qrexec is first, before subjectively suspecting it’s something that can be easily used by adversaries.

You are not seeing the whole picture. The fact is my Qubes OS installation got pwned 3 times in a row; within minutes of the first signs, I was finished with no hope of even a bit of forensic computing/science. Then again faster, then the third time it definitely happened within a few minutes like it was easy.
I AM WARNING EVERYONE QUBES HAS A CONFIRMED FIRST IN THE WILD HACK BY A FAST AND HIGHLY MASTERFUL HACKER. I CAN’T EVEN REINSTALL. AT LEAST THIS WASN’T POSSIBLE ON WINDOWS that’s right, I went there and it is true. IT IS NOW ALSO ON EVERYONE THAT READS THIS TO IMPRESS THAT DOM CAN/HAS BEEN VERY SUCCESSFULLY HACKED AND DOM ACTUALLY HELPED THEM. I SAW A REBOOT COMMAND LINE REFERRING TO STARTING REMOTE QUBES. I am no alarmist. I am trying to tell you this is not an isolated event with a new OS. I’ve been constantly reinstalling Windows, Linux, my Pi doesn’t stand 5 minutes and I had that thing working so well before I became targeted by some loser sadistic sociopath. But at least the combination of a well documented recovery environment, that even comes on the live boot disk too, and no ability to somehow lock the partitions from reformatting by its own installer and give these commands the ability to be completely hidden from within the OS environment. Qubes OS doesn’t even come with a GUI software that can undo these commands, and I don’t know how I am going to figure it out. The locked partitions aren’t even visible within the Qubes environment; I figure it is Linux, there has got to be a way. If it was Windows I would have had a special environment and the very powerful diskpart tool.

The major issue nobody is seeing is that WHEN someone gets hacked, Qubes has given them all the tools they could possibly dream of, developed to have full control over everything without even having to collect tons of data, try to dehash codes or install self-signed certificates somehow. No, just a few simple, easy to remember commands and their run-of-the-mill “look at everything”, and throw every bit of published and easily downloaded and very powerful tools that are all over the internet. Take Kali for example, Parrot OS, Mitre Att&ck, shodan, keeping up with newly published CVEs, wardriving, pineapples from the legal, successful, and popular business (evil twin, and they do sell to way more hackers than pentesters). They have a whole line of products designed to easily hack with no prior knowledge, skill or experience, thus making the time one has for any hope of protection from further damage a tiny window. Most businesses have active persistent threats on their network and the average time of detecting this is 3 - 6 months! A hacker only has to barely crack the machine and is presented with a plethora of powerful, simple to understand and use commands that, to someone new like me, make it very hard to kick them out after and even harder to figure out what they did and undo their damage. For example on journalctl, just a few minutes ago I found this suspicious entry:

Use a Raspberry Pi to avoid hardware level backdoors. … The EEPROM might allow persistent trojans FYI.

Are you saying my Raspberry Pi 3 B+ could somehow reflash my EEPROM and flush it clean? I don’t understand how a Raspberry Pi could do that. Like over the LAN? Because my Pi never lasts for more than 30 minutes before it has been hacked, so they might as well have used an axe. Remember the hacker is in my network and clearly has an automated yet sophisticated siege with a barrage of shock and awe.

Welcome to the forum.
I mean the following in the most respectful way possible but I think there are a few things you need to hear.

If you are concluding that you have been hacked because your internet stopped working you are jumping to conclusions.

Jumping from a few strange system behaviors to supposing someone is executing an intelME exploit is not productive or healthy.

I could dissect other technical details that you’ve posted here and why they don’t make sense, but I don’t want to detract from the above. If you are really concerned: please reach out to a psychiatrist and a managed security service provider to get the expert opinions.

3 Likes

Please post what have you got from the journal. Also, if you can, please post anything that you think is evidence that a pwn has happened.

If someone is really after you, are you experiencing substantial loss? Does your boss scream at you because you leaked the company’s secrets? Does your money get stolen?

These fancy tools are developed just for YOU, and users like you and me, to manage your own qubes. I would be surprised that an advanced adversary, which has the capability to penetrate Xen (which is deployed by many Tech Giants), will take such tools into account when it assesses the difficulties of hacking a qubes user.

Again, since it seems that you have no problem accessing the internet from your phone (that is much easier to hack than qubes), please provide evidence that you have been hacked. It’s hard for security experts that are working for qubes to help you out without more details from you.

1 Like

If you’re trying to install Qubes on an external drive, you can’t use a USB qube—the controller has to be attached to dom0, and so you’ll get that error every time you boot. The partitioning tool won’t give an option to create sys-usb either, since it detects it’s running from USB.

Are you dealing with an intelligence agency?

:crazy_face: Lmao this forum attracts the most delusional users sometimes I swear. Just look at the way OP types :clown_face:…

4 Likes

I assumed that was sarcasm, but maybe not?

Are you running a vanilla Qubes OS install or have you applied additional options like randomizing your MAC address and host name? In case of the latter I have observed with several home routers that after a while they refuse to provide a DHCP lease (too many clients). Restarting the router will fix that issue.

Other than that your post gives me the impression that you have consumed a lot of forum posts and/or YT videos about security and privacy but haven’t invested much energy in actually reading/learning the details. You use a lot of words and clearly have only a very basic (or no) understanding of what they mean. That’s OK, we are all starting at some point.

My recommendation:

  • use another computer to create a bootable GParted USB stick, or use the Windows installer if you must, to remove all partitions and completely wipe your hard drive.

  • reinstall Qubes OS with all the default options (don’t customize a thing!)

  • report back what works and what doesn’t so we can help you get a working environment

We should start considering the possibility that it’s not an attacker but you who is unwittingly doing something destructive. Also there might be known issues with your hardware. Have you checked the HCL? Are you comfortable disclosing what computer you are using?

4 Likes

Beware that intelligence agencies tend to do this. Make up forum posts claiming to be hacked and then act insane (like OP).

Judging how OP types, I’d suggest that we ignore this thread.

6 Likes

Of course they want to make sure as few people as possible doubt Qubes OS security model. He claims Windows had advantages over Qubes so we better use that instead.

AT LEAST THIS WASNT POSSIBLE ON WINDOWS that’s right, I went there and it is true.

But he’s absolutely correct. Windows DOES have advantages over Qubes.

If you’re the hacker.

3 Likes

Qubes can be hacked depending on your threat model. I’ve dealt with the best (aka worse) intelligence agencies out there.

I can confirm that they can get through a debian minimal firewall. I’m not sure if they were able to break out of the virtual machines however.

1 Like

What exactly do you mean by this?

Do you mean that an attacker can target qubeA in this setup:
qubeA->sys-firewall->sys-net
Or do you mean that qubeA in this set-up can be compromised as a result
of some user (or system) action?

Is this specific to a “debian minimal firewall”, or was that the only one you had experience of?

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

sys-net is the front facing qube that’s connected to the internet, followed by the firewall.

As for my case, they were able to hack me almost instantly, bypassing the firewall and placing spyware directly on the Whonix VM I was using.

Granted, the folks I’ve dealt with are responsible for handling extremism (eg: communism and government rebellion), so they probably had a warrant under my name that allows them to use zero days.

I’m not going to disclose any details as I’m tired of dealing with them on the internet and outside, but yes, if you are a direct threat to multiple nations, they will use all sorts of zero days against you.

Remember folks, not just INSIDE your computers. They will also be OUTSIDE your house.

If you get to the point where I am, then be very careful and use the best software possible.

I don’t believe they can hack everything, they do have their limits and they have served court orders in the past shutting down servers and computers they can’t hack.