Qubes: Antivirus?

Amazing answer, very clear. Could any virus be sophisticated enough to endanger the vault, even if it’s not connected to the internet?
And secondly, how would you consider using several Tails USB sticks in comparison to several Qubes? To my knowledge, it is comparable security-wise.

yes

What would happen if you're using bad DNS and the website goes to a malicious one that looks exactly similar?

AFAIK, no

It depends on how you compare it.
Because you are comparing it like that, Tails is better.

Because the Qubes vault is not connected to the internet, it has no chance of getting a virus. That said, I guess there is a chance that someone could write a Qubes-aware supervirus that might get downloaded by, say, your personal VM and then exploit some unknown bug in Xen, the CPU, or something to jailbreak the Qube, download stuff from the vault, and phone home with that.
I have never heard of such a beast, and I have no idea if it’s even possible. Someone like the NSA might know a way, but I don’t worry about that because well-funded agencies like that have no interest in anything I’m doing. Even if they did stumble across my machine and decide to poke around, they wouldn’t find anything interesting.
Also, at that point, you’re not really looking at viruses or even script kiddies, but rather determined, manual, time-consuming, and expensive hacking attempts. You have to REALLY piss someone off to get that treatment. And as XKCD pointed out, by then, they’ll just torture you for the password anyway.

I’m not really familiar with Tails beyond a quick search, so don’t take this paragraph too seriously. I see both good and bad in Tails.
The good

  • The sticks are truly air-gapped from each other at all times.
  • When they’re off, THEY’RE OFF!

The bad

  • It’s slow to switch from one to another.
  • You can’t run several at once.
  • It’s difficult to transfer data between them.
  • One of the benefits mentioned for Qubes is that your network connection is managed by the NetVM, an AppVM with the network and/or WiFi card attached to it and no other jobs, and a separate AppVM with a firewall and NAT router. This means that your real AppVMs and even the Whonix gateway have two extra layers of separation from the Internet. The Qubes developers have seen exploits against network drivers, but in Qubes, that only lets you hack a virtual modem! I don’t think Tails has this.
  • It’s probably easier for someone to steal a USB stick than a laptop without getting noticed.
1 Like

If there are no persistent partitions, it's useless (unless they want your fingerprint).

True.

True. Though if you do have some persistent data, then that becomes a concern. Also, I wonder how easy it is to “borrow” a Tails device and perform an evil maid attack on it.

It's quite easy to do that if they've prepared a malicious file.

Does it make a difference if you allow those files to be readable by your computer by telling it how to understand those files (and thus allow any software running on your computer to understand the files too)? I think you just answered your own question.

Way too many to list unless you take into account:

  • WHAT you’re trying to protect them from
  • WHO is trying to get them
  • WHEN they could potentially get them from you
  • Unavoidable things that you need to do with those files
  • HOW someone could potentially get them while you’re doing those unavoidable things

You won’t be able to do anything meaningful until you determine these things, and we cannot do this for you.

Is there any electricity running through your USB stick? You’ll know the answer to your question based on this.

*sigh* Yeah, sure, why not… :woozy_face:

I really REALLY hope you are

Of course it’s possible, and there are people working on it. Hopefully they’re using it for good, not evil. There’s always an ethical dilemma for a person who discovers an exploit.

I see a lot of replies like “yes” or “no” in this thread. Actually, practically everything is explained in the documentation in more detail and often with external links. I cannot recommend it enough, although it’s not always an easy read.

For example: Aren’t antivirus programs and firewalls enough?

Not necessarily, but it’s much more secure than almost anything else.

See also: USB Security.

Note that Tails is much less convenient. Qubes-Whonix can run while you are doing other things with your computer, whereas you have to reboot to run Tails. On the other side, Tails does not leave any traces, whereas Qubes-Whonix can. See also: How does Qubes OS compare to using a “live CD” OS?.

2 Likes

AMD processors have PSP, which - unlike Intel ME - cannot be disabled and neutralized. The best security can be provided by an open-source BIOS, where you don’t need to trust anyone but to verify. Coreboot is the most popular one.

Can you elaborate, please? I saw on many websites that they said you can disable AMD PSP in the BIOS. However, I expect it will only disable “the part that, when disabled, won't create a noticeable difference”.

Thanks, makes sense. However:

What would happen if you're using bad DNS and the website goes to a malicious one that looks exactly similar?

Any way to exclude that? Would the link be exactly the same as well?

Because you are comparing it like that, Tails is better.

Security-wise? Why?

  • You can’t run several at once.

Right, but it isn’t recommended either to run several Qubes at once, so I see no difference here.

  • It’s difficult to transfer data between them.

You could just take another USB stick for that.

The rest makes sense, thanks!

All clear. I don’t understand the following answer, though:

Is there any electricity running through your USB stick? You’ll know the answer to your question based on this.

I’ve heard you need to install another BIOS to be able to disable it; is that right? Because mostly, it’s not available to be disabled by default.

Also, do you think it has any serious upsides disabling it? It might increase your fingerprint more than necessary (correct me if I’m wrong).

BIOS does not contribute to your (online) fingerprint. See here and here what does.

Proprietary software tells you that it is disabled. Do you trust that?

3 Likes

Proprietary software tells you that it is disabled. Do you trust that?

Well then, regarding what you said before, it can only have upsides, I guess.

Yes, completely the same, no difference at all even when using a “unicode inspector”, and that same link could go to the real website on a different computer.

What I'm comparing here is anti-forensics.

That's for AMD only, and you shouldn't trust that.

Who knows? Not me.

  • Computers run on electricity (at least, they do at the time of writing this post)
  • When you plug in a USB device, your computer is so generous that it will share this electricity with the USB device, powering it.
  • This electricity allows your computer to interact with the USB device.
  • Without electricity flowing through your USB stick, you can’t read/write anything on it.

Can anyone interact with files on a USB stick when the USB stick is in your pocket, not plugged in?
No… :expressionless:

I’m sure you understood this. You’ve probably just never had to think about it this way before…

I should think it would be easier and more secure to just create backups of your templates. That way, if anything goes wrong in any of your VMs, you just delete the compromised qube and spin up a clone.

AV isn’t even recommended for mainstream distros. As I understand it, one of the reasons Linux doesn’t make heavy use of AV is that all AV software, by necessity, requires root access to do its thing; which means if the AV is ever compromised, the malware has unrestricted root access as well. Thus the AV is an unnecessary point of failure, and the Linux philosophy is to deny root access to any and all installed applications by default.

That being said, you do you if that’s what you want to do. Under no circumstances, however, would I ever install AV on dom0. That’s a f***over waiting to happen.

If your PC itself is already infected, antivirus isn’t going to help you. You need a new computer (imx).

From the security side, correct.
But from the privacy side, where you place the backup also matters.

Not all AV does that.
But if the AV needs permission, it will have even more permission than root; it can prevent the root user from doing something.

How good are you with tech? Most of the time, you just need to reinstall that computer.