Measures that can be taken when hackers persistently target QubesOS

Since I was spotted by one of the programming experts on Twitter, my PC’s behavior has been monitored and I have been getting Tweet hints about what I have been doing on my PC. Tails and QubesOS, but when I retweet or do anything on Twitter, the tweets imply death. I also get tweets hinting at my death when I comment on anonymous forums, etc., within 10 minutes of the time I make the comment.

However, if I am taking notes or working in the QubesOS vault (not connected to the internet), there was no response. I find it hard to believe that just being connected to the Internet and surfing the web can plant a Trojan inside Fedora/debian of QubesOS, but after seeing that guy’s well-timed tweets dozens of times, perhaps there is a technology that can infect just browsing the web. I don’t think it’s possible to plant a Trojan horse in QubesOS Fedora/debian. This has been going on for nearly a decade. I try not to worry about it, but sometimes I worry that I am being monitored and I go to look.

I would like to take more security measures in QubesOS to counter this. What can I do? I even set up a VPN on PFSense so that all communications go through it, but this has also been breached, so I have not yet set it up on the Qubes side. Should I use a VPN? Is there any other way to get secure internet access? They are very good at what they do.

I know this may sound paranoid, but they usually tweet peaceful content, but only when I write online, etc., they tweet death related tweets. Every time it goes on, such as that person retweeting an article with an image of someone choking on himself.

1 Like

If you aren’t handling any kind of sensitive materials online like journalistic sources etc. I would just reasonably secure your system and accept that as a technically unsophisticated actor, you cannot construct a Fort Knox digital black box that is impenetrable to sufficiently motivated and capable adversaries.

Stop checking his twitter & just accept it whilst taking reasonable measures to attain security that are within your ability.

Not the answer you want but that’s the reality if your description is accurate.

I would also add that it isn’t really targeting Qubes OS as such, because Qubes is really the architecture of virtualization via the hypervisor.

A debian box can get owned just like any other debian box, you can just delete & remake it. If that process is compromised then Qubes was impacted.


Not a doctor. This sounds like paranoid psychosis. I hope you face down “the guy” and I wish you well!



I know this whole monitoring situation has really freaked OP out. I get why you feel that way. But try not to let it overwhelm you. No system is foolproof, especially against skilled hackers. As long as you’re not dealing with really sensitive stuff, just focus on keeping your setup reasonably secure. Don’t drive yourself crazy worrying about malicious tweets or reading into every little thing online. It’s unhealthy to be constantly paranoid about surveillance. Do what you can security-wise, but don’t let fear run your life. Accept that some monitoring may happen in this digital world we live in. The anxiety will pass with time. You’re not alone in this struggle. Hit me up if you ever need to vent. But don’t let it consume you mentally. Stay strong and keep living your best life.

The bastards win if you crawl into a corner terrified.

I’ve dealt with similar issues before. It sucks but you’ll get through it.


Thank you. I had been groping around for security measures, thinking I just couldn’t compete, but you’re right. I just didn’t like the fact that even things I wanted to keep secret were being watched, and I didn’t like the fact that people were hinting at it on Twitter as if it were a diary, so I went to check on it.

When I used to use Windows 11, I would only connect to the Internet and browse the web, and about 3 days later, they would insinuate what I was doing (such as the time I was masturbating! sorry.). I am Japanese, but the conversion of Japanese words became strange and the first thing that came to my mind was a conversion that reminded me of death.


I think debian is similar to that, and like Windows, they can at least break through the untrusted cube running through sys-net in a few days and plant a Trojan horse. I was exchanging Twitter DMs about the IME conversion, and they “somehow coincidentally” mentioned the IME on their Twitter within 20 minutes of each other, and I follow an account that can separate tweets by 5 minute increments, so I can easily see what time it was tweeted/retweeted.

However, it’s best not to worry about it. Best, but I will say that I don’t want my private life to be invaded, my internet monitored, and made like a pet to be kept.

Thank you. Yes, as long as the timing is right, and if the timing is not right every time, I can deal with it being my imagination, but I think the best bet would be to not go to their Twitter feed. The Man is very strong and I can’t handle him, so it’s enough for me to at least get my personal rights back on the internet and within my computer.

If they get scared and run to the corner, the bastards win. Chihuahua and they sometimes say that. I am now in contact with ethical hackers to give them a reward to teach me what i don’t know about security and technical material. Gradually, i have to increase my defenses. I am very encouraged, thank you so much.

More likely your router is compromised.

Besides staying off social Media. which some folks do not want to do.

Back up hard drives. I suggest cloning, and at least three copies. Locate your private data, back it up separately, especially logins and passwords. Make some notes of how you have your Qubes set up. Re-program router, immediately take it offline.

Find a nuke drive program let it run through your drive. Myself, I have to look up how to Over write a new boot sector securely, Very Carefully. Get a fresh copy of Qubes. install. Begin the process of changing all the passwords with logins. meaning all the rest of the passwords you use as well.

If you have the money, make sure you have a quality Router, set up with encryption (choose a good password, that you should write down, and store in a secure place).

Review your own OpSec procedures. Making a list of do this in this and such an order, and never do this.

At least never do these things at the same time.

A Number of different websites can offer advice, or services. Generally, email is not very secure. Look at the services like
(I have no affiliation)

there are jerks, in real life as well.

Enjoy your research.


1 Like

Using a VPN set up in Qubes sounds like your best bet if you think your own router or some device downstream might be compromised. If it’s not a device downstream then it may be a compromised browser, plugin, or other app in some particular VM. Test other VMs to see if there is a similar response for the same sites. Take copious notes in case the police later need to be called in.

As a quick test you can install whonix from the community templates repository (qvm-templates-gui) and then access something they normally do know about. If they do not respond as usual then they do not see into your whonix VPN traffic, and if they do respond then change your password immediately on that site with a very strong password. If they do not see your whonix traffic then install a paid/reputable VPN service using Qubes networking VM’s to hide all your normal network traffic.

If the VPN works then your router might be compromised and you should either update its firmware or buy a newer router that has been currently patched and is currently supported with all new security patches. There are many routers out there that have big gaping security holes in them and will never be safe to use. I go with Open Source supported routers because they will continue to be supported and patched for the foreseeable future, unlike many of the COTS products out there with just a 2-3 year support model. If they sit on the shelf for two years then you really only get one year of security patch support. How stupid is that?

As for Twitter, this appears to be a toxic environment for you right now. If you don’t need to use it for your job I would suggest not using it at all, because that communication channel is what makes all this psychologically interesting for your adversary. Your “job” right now is to make his life as f’ing boring as possible. When he finds you uninteresting he will just move on. So unless you are going to learn how to track him down (OSINT) to deliver him on a silver platter to your local police then dropping Twitter is your best option. When he can no longer threaten you directly he will just go away.

Feel free to contact me off line if you need some ideas on monitoring your system and figuring out what is really going on. I hate bullies, and it appears you have one.


Given the regularity and frequency of outbreaks like that, I am afraid patching the kernel to implement Dho-Nha curves for cryptographic integrity control was a mistake… (it is hidden on the compiler level so don’t bother to search)

1 Like

Can you please elaborate on what the implications of this change are?

So Qubes updated its kernel to implement new cryptography for integrity control and this has left some kind of broader vulnerability that you believe may explain the increased reporting of some of these less explicable compromises?

Sorry what you wrote went over my head. is a key part of the modern software security picture.


Qubes is generally quite secure.
Possibly your hardware may be compromised. Did anyone have (possible) access to your device or did you have any issues with the device before installing Qubes?
If yes, you might want to think about switching your device.

As others have mentioned your router might be compromised. Do you have the same issues when you use the same access point or is it persistent regardless of where you access the web?
An option might be a privacy focused / secure VPN. You could also try to switch to Whonix as it is pretty much anonymous, but as you mentioned you are facing the same problems when using Tails, it might not just be someone monitoring your web traffic.
However what you should keep in mind: Are the anonymous forums (and your twitter account) you mentioned connected to your e-mail or possibly phone number or other personal accounts for verification? Is or was there any possibility that those accounts might have been compromised by phishing? For example you logged in without VPN or channeling your traffic through TOR network. In case you logged in via an insecure connection someone might have your login credentials and possibly monitor what you are doing by monitoring accounts that may have been compromised. Usually changing your password would be sufficient, if not using already, try 2FA - ideally hardware keys (personally I like Yubikeys - I don’t have any affiliation to it, you can choose what you think is best).
2FA via mail or phone number CAN be compromised depending on the skills of your adversaries…
Another thing that comes into my mind is that your installation might be compromised. Verify the downloaded ISO with the PGP keys and re-verify the installation medium after flashing (You can find all instructions for this on the Qubes website)
Usually when people worry, there are valid reasons for this. The problems you described seem like someone really might have interests in stalking / observing / harming you for whatever reason.
Keep in mind USB sticks can be compromised as well as computer hardware (in some cases the only solution is to exchange the hardware)
Secure way would be burning the ISO to a CD, check the hashes after. You can also check the hashes of the CD on multiple devices in case you worry one might be compromised. Easy option for this would be using public computers (internet cafes or libraries) but any would be fine. If all tests are consistent on different, not connected devices, there’s not much to worry. CDs are usually read only, can’t be modified only things could be added, if there is free space. However if you check the hashes you don’t really have to worry much. There are some USB sticks that have a hardware switch (then they are read only) but they are a bit more expensive and in my opinion not necessary unless you need it on a regular basis. (USB sticks can have compromised firmware, plugging it into an infected device can compromise the USB as well. Also anything written to an USB could possibly be modified)
If your computer doesnt have a CD drive you could consider buying an external one (they dont cost much) or you could create your installer medium at a publicly accessible computer (computer cafe or library etc.) KEEP IN MIND: Installer media created on untrusted devices should be verified on at least another device.
As mentioned before, if you think your hardware MIGHT be compromised you might want to think about exchanging it. Buying new is usually the safest, but buying second hand is an option to circumvent the targeted attacks that you described (If you sell your device and buy the same second hand you will not spend much more, possibly less)
Another thing that comes into my mind is people that have access to your device(s) might modify, access or possibly alter or implement data in any malicious way (basically anything that you arent aware of or that you dont want). This could be your partner (if any), friends, family, employees, employer, a maid, … ANYONE that could have access to the device sometimes, one time can be enough)
If this might be the case you may want to consider generally locking your device(s) or having a surveillance camera or …)

This are the possible things that come into my mind after reading your post. Some may have a little chance to apply to your situation, you can evaluate for yourself what you think might be possible and where possible security risks are.

Few members have already mentioned, and I agree on this, try staying away from toxic things.
Regardless of whether your systems are secured or not. Psychological warfare / attacks that you described are a terrible thing and will only mess you up and compromise your ability to think clearly. Stay away from it. If Twitter isn’t important you may want to consider staying away; otherwise just block mentioned accounts and any other possible upcoming accounts that you consider linked to this situation or malicious in any other way.

I have noticed some situations where people had very limited access to information but played their cards well. By this I mean maybe they dont exactly see what you are doing on your device, possibly someone around you saw that you logged into Twitter, hidden camera etc. This could be but it also MIGHT NOT BE AT ALL the case in your situation. You mentioned they posted related things, so Im not sure how detailed it is about what you are doing ON your computer or if they just make assumptions based on information they gathered otherwise e.g. just making a post 10min. after you made a post and posting something that makes you worry.

Using disposables for accounts that can be linked to you (also anonymous ones with the same username or your e-mail, phone number…) MAY lower the risk on being infected by malware. At least in such case it would be disposed of once you close the qube which lowers your risk. You may also want to think about making sys-net disposable, however there arent many cases where this would be required. Unless you handle very sensitive information or have a job that is in any other way sensible its usually not necessary…

Stalker-ware MIGHT compromise your camera and microphone. This usually happens only in very specifically targeted cases. This is something to keep in mind. But Qubes OS is usually limiting this as well…

I hope this helps a bit, if you have any questions feel free to ask me or message me directly. Wishing you all the best and hope you can improve the situation you described.

Im not an IT professional, above mentioned reflects my best knowledge of the topic / or an advice related to the topic. This is in no way a legal advice or to be seen as legal consultation of any kind. Im not liable in any way for completeness / correctness of above mentioned. Advice is given by best knowledge as of the time of writing

1 Like
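The ISO and installation-medium check recommended in the reply above, as an added example that is not part of the original post and is not the Qubes project's own tooling. It assumes a digest file with `<hex hash> *<file name>` lines whose PGP signature has already been checked as the Qubes website describes; the function names and the sample files are hypothetical and constructed for the demo.

```shell
#!/bin/sh
# Added example: compare an ISO against its digest file, then re-read the
# written medium. A USB stick is larger than the ISO, so hashing the whole
# device never matches; only the first size(ISO) bytes are compared.

# sha256_of_file FILE -> prints the hex SHA-256 of FILE
sha256_of_file() { sha256sum "$1" | cut -d' ' -f1; }

# expected_sha256 DIGESTS NAME -> prints the 64-hex-digit entry listed for NAME.
# Digest files usually carry several hash types per file; shorter or longer
# entries (MD5, SHA-1, SHA-512) are skipped. Exit status 1 if none is found.
expected_sha256() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }
        f == name && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ {
            print tolower($1); found = 1; exit
        }
        END { exit !found }' "$1"
}

# verify_iso ISO DIGESTS -> 0 on match, 1 on mismatch, 2 if no entry exists
verify_iso() {
    vi_want=$(expected_sha256 "$2" "$(basename "$1")") || {
        echo "no SHA-256 entry for $1 in $2" >&2
        return 2
    }
    [ "$(sha256_of_file "$1")" = "$vi_want" ]
}

# verify_medium ISO DEVICE -> 0 if the first size(ISO) bytes of DEVICE hash
# to the same value as ISO. A device shorter than the ISO fails as well.
verify_medium() {
    vm_size=$(wc -c < "$1" | tr -d ' ') || return 2
    vm_dev=$(head -c "$vm_size" "$2" | sha256sum | cut -d' ' -f1)
    [ "$vm_dev" = "$(sha256_of_file "$1")" ]
}

# demo: runs the checks on constructed files (not a real Qubes ISO).
demo() {
    d=$(mktemp -d) || return 1
    i=0
    while [ "$i" -lt 200 ]; do
        printf 'constructed-sample-block-%03d\n' "$i"
        i=$((i + 1))
    done > "$d/sample.iso"
    printf '%s *sample.iso\n' "$(sha256_of_file "$d/sample.iso")" \
        > "$d/sample.iso.DIGESTS"
    # "stick.img" stands in for /dev/sdX: the image followed by unused space.
    { cat "$d/sample.iso"; head -c 4096 /dev/zero; } > "$d/stick.img"
    # Same layout, but the first byte of the image has been altered.
    { printf 'X'; tail -c +2 "$d/sample.iso"; head -c 4096 /dev/zero; } \
        > "$d/tampered.img"
    verify_iso "$d/sample.iso" "$d/sample.iso.DIGESTS" && echo "ISO matches digest file"
    verify_medium "$d/sample.iso" "$d/stick.img" && echo "medium matches ISO"
    verify_medium "$d/sample.iso" "$d/tampered.img" || echo "tampered medium rejected"
    rm -rf "$d"
}

case "$#" in
    0) demo ;;
    3) verify_iso "$1" "$2" && verify_medium "$1" "$3" && echo "OK" ;;
    *) echo "usage: $0 ISO DIGESTS DEVICE" >&2 ;;
esac
```

Running the same readback on a second, unrelated machine is what catches a compromised writing host, since a tampered host can lie about what it wrote.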

Thank you, I will try to make a list of OPSEC’s, I didn’t know there was a service like librem, I will sign up and use it. This is the kind of information I lack and it is very helpful. I am grateful.

Thanks. I used to use Windows 11 and PFSense, and I registered Cyberghost in PFSense so that all device communication was through VPN. After that I was just watching Youtube, browsing flea market sites, and reading security related articles, but after about 3 days I started seeing their response.

I don’t think there was any vulnerability in PFSense, and since I am using SoftbankAir, it is supposed to be a private IP address distribution system (although I haven’t checked it with port scans, etc.), so even if I enter the IP address directly, it should not reach the router. So, I don’t know how the attack was established.

I will also try using whonix VPN. At least they don’t know what i am doing in vault (if they did, it would mean that the dom was taken), so I feel very safe there. Thanks, I appreciate it.

@Nakaya_kita look into tempest hazard.

1 Like

Thanks. When it comes to hardware, I have suspected that the BIOS could be infected, but I had asked an ethical hacker for a fee, and he advised me that it requires a signature to infect the BIOS, which is a very high hurdle. The devices are my old Asrock B450 Pro4 loaded with Ryzen 7 3800X, 16GB x2 32GB x2 memory, and one NvmeSSD , two SSDs connected to it that I used in Windows I don’t think I can use PCIe based cards and have removed all of these(I only have the graphics card connected.). If there is a hardware possibility, as you say, a USB memory stick (it doesn’t have a read-only switch) and the two SSDs connected to it come to mind.

The router is a SoftbankAir Terminal 4, and I’m online with a direct connection, not through PFSense, although when I was using Windows and an HP 8200 elite SFF together temporarily, I had a port-based VLAN with a D-Link hub, I think it was because the password was still admin, and when I connected two days later and checked, the port-based VLAN setting had been removed and disabled I think I will try using another service for VPN as well. As for the router, I will consider a wired-only product that is a bit more expensive, as I believe wireless LANs will eventually be breached (using WPA2).

The anonymous forum is a website called 5ch where it can be used without personal information. I’ve been posting on the appropriate forums to ask light security-related questions or to see if they can find what we’re up to on OSINT. I don’t think it’s OSINT, but when I posted on a place called Yahoo Chiebukuro on GrapheneOS, there was a bit of a delay. It was responding, so I think they are using them together. I don’t know why, but when I posted on English-speaking sites, the number of times they responded was less than usual, although I don’t keep a record of it. However, I have confirmed that when I was using a personal WordPress service called Avator, there were many connection attempts with that ID, even though I changed the login ID (Avator itself has its own login ID). (There may be a mechanism in Avator itself that can know the login ID)

It is also possible that the iso file you downloaded has been modified… If the PC is already infected, the DNS settings may have been partially modified to download a modified iso. I will check if it is the correct iso file by the method you taught me.

I also have about 10 USB sticks, and the firmware on all of them may have been rewritten during the time I was using Windows. You might want to buy a new one and make it dedicated to QubesOS.

I don’t believe that anyone I know or friends have done anything bad to my PC, but it is possible that an attacker has planted malware behind my friend’s smart phone to steal the audio and message app logs when making a call. In this case, I have to allow it because it is difficult to tell my friend… However, my house is in the countryside and the locks are very vulnerable. So there is a possibility that they broke in at a time when the family was definitely not home and planted a hidden camera in the room. However, I saw this when I redecorated the room and did not see any marks that looked like they had been doctored. Maybe I was an amateur and couldn’t tell the difference.

QubesOS does not use a camera and microphone, but I also read something about the speaker acting as a microphone. Perhaps that is unlikely to happen because dom limits the speaker and microphone.

Thanks for discussing this with me. If you don’t mind, I’d be glad to hear your questions.

First, I am wondering if the firmware on the SSD has been tampered with and malware is getting an automatic installation foothold.

Also, when I first start up QubesOS, the whonix Tor wizard starts up, but when I press Next, it does not proceed (I waited about 10 minutes), is it because SoftbankAir is still a private IP address system that I cannot connect? Thanks a lot. Sorry for the long sentence.

Thanks. I knew about Tempest before and at that stage I avoided using D-sub and switched everything to HDMI or DP connections. But still they were reacting to what I was doing. I am thinking that they should not be able to read the image from the HDMI cable.

I’m not a doctor, but I am a recovering schizophrenic. When you say “they were reacting to what I was doing” it reminds me of times when I was really ill. I thought people were glitching out my computer when I was playing certain youtube videos. Fortunately I was open to treatment and it has helped me greatly in managing my illness.

Now I don’t know you. Maybe you really are being hacked. With Security and Privacy being a big issue this day and age a sane person can easily be convinced they are being spied on.

This sounds like it’s a problem for you though. I hope in addition to seeking technical advice to improve your security you seek professional help to assess your mental health.

There are two things that can happen if you seek mental help. Professionals can verify you are of sound mind or you end up getting the help you need. Either case can lead to a better situation for you

Best of luck to you.


Most things I will mention have a super low chance to happen. Im just listing it so you can think for yourself where security breaches MAY be. Also keep in mind that security is just as strong as its weakest link… Usually having everything reasonably secured will be enough. IF there are certain risk factors, e.g. someone having physical access to your device, you MAY want to consider increasing your security measures for those particular factors

If the hardware is infected you should replace it. Even if you just think there might be a possibility. You don’t need to buy new devices. Second hand would be sufficient to defend against targeted attacks against your person. I would also replace all SSDs, external disks, USBs etc. If you take this step, do it all at the same time to avoid reinfecting the new system... To save any important data you may consider scanning all files (delete anything suspicious) possibly upload them to an online storage. Re-download from the new device. To make sure I would re-check all files. (Malware could also be hidden within Metadata, consider wiping it etc.) Some security experts try to avoid moving data from TERRIBLY INFECTED devices, as malware COULD basically be hidden anywhere. Don’t be paranoid about it, but it’s good to keep in mind.

WPA2 isn’t secure anymore. WPA3 would be advised. Your router MIGHT have been infected. IF someone had access to your Windows, they could have accessed the router. As you mentioned the Admin password hasn’t been changed. Anyone who was connected to your router could have modified anything. WPA2 can be hacked without bigger issues, so anyone could have gained access to your router.
Consider reinstalling the firmware OR better exchanging the device.
Use WPA3 or wired (wired is usually more secure as any signal COULD be read / intercepted or modified) Encryption usually prevents this. E.g. VPN use (openVPN or Wireguard are an option)
Anyways as mentioned above chances are very low. Dont worry to much and dont fall into paranoia… The mind can be difficult. You have some valid reasons and then things might get exaggerated and you notice things that may not be connected in any way…

Regarding your posts: Is there anything mentioned in these posts or are they very specific in a way that someone might be able to connect them directly to you? Possibly they have an alert for new posts and check if they think it might be a post of yours… Might make sense as you said posting in other forums isn’t noticed or only with delay.

Did you EVER have any issues with stalkers or maybe ex-partners that don’t want to stop talking with you OR maybe dislike you in a way that they might want to harm you? Possibly your adversary is someone who speaks your language (and that you MIGHT even know) hence less reaction for anything related to English language?

Resumé: From what you said the highest chance is your router and/or hardware might be infected.
Replace hardware and router, (secure with WPA3 and set a STRONG admin password). Check your installation before you install it on your new device. You can find instructions on the Qubes website.
Be careful how and which data you move to your new device (you can check some articles on this topic online)
Dont connect ANY possibly infected devices to your new system. There is a chance that your new system gets compromised. Keep in mind mobile devices like your phone could be infected as well and you might want to replace it. (second hand is usually enough to stop targeted attacks and you dont have to spend too much money - consider wiping every device that you are selling, I would overwrite data 35 + times. -takes a very long time usually- If the devices is / was encrypted, usually resetting is enough as no one can make use of encrypted data depending on the encryption type you used. Wiping doesnt do any harm though. Many phones are encrypted by default nowadays e.g. iPhones)

Use a VPN that you trust, preferably at all times. Keep your Endpoints protected. Don’t leave your devices where they could be accessed by other people.
Always keep your devices updated and patched. Some people prefer updating only via wired connection, possibly with secure VPN depending on where you are.

I had noticed some situations with malicious AND/OR modified certificates. Could lead your devices connecting to wrong/malicious servers… In some cases this could even affect updates, however this is RARELY the case.

Camera and microphone arent usually affected when using Qubes, unless dom0 gets compromised. Usually wont be a problem but good to keep in mind what COULD possibly happen.

Does Whonix not connect to TOR or is there a problem with the sdwdate?
Are you using bridges? IF not you might consider using them to hide that you are connecting to TOR, AND more importantly circumvent any possible blocks of such connection.

I hope I could help you a bit by writing down the things that come into my mind and are POSSIBLE in such situations. Please dont forget that the chances for most of it are super low and occur in almost no real-life scenario. In some cases I have added my opinion; keep in mind Im no IT professional and also that the point of view on certain topics may differ from person to person.
It’s always good to re-check, and for topics that seem important for your use case to deep study or at least reading a few articles about it.
The more you know, the better you can control the situation and in case things go unfortunate the better you will be prepared to handle any unfavorable or unexpected situations…

** Im not an IT professional, above mentioned reflects my best knowledge of the topic / or an advice related to the topic. This is in no way a legal advice or to be seen as legal consultation of any kind. Im not liable in any way for completeness / correctness of above mentioned. Advice is given by best knowledge as of the time of writing **

1 Like