Qubes OS could be honeypot?

Have you considered that Qubes may be a honeypot?

As a typical PC user I have to just take people's word for it that Qubes is secure, and all I really may be doing is telling the world that I have something to hide while gaining no added privacy.

I would assume government agents don't need Qubes, so who is it for? It seems as though most security people find an OS like Kali to be plenty secure. It sure is easier in Kali or Arch to know exactly what processes are running on your machine, and how they got there. Also, as far as I know, on Kali or Arch only one process can be hidden with a process hider. On Qubes there are endless terminals, so maybe endless programs could be hidden. I have no clue because I am not a computer scientist.

I am not the one to take advice from on technical matters, but I am elite when it comes to smelling BS and critical thinking, and this place certainly has a fishy smell.

After reading this it smells even worse, as providing Firefox with less security than many other browsers, along with no native tools to know if you are being surveilled, seems more consistent with a honeypot than with a reasonably secure OS.

But I am just an idiot, so take it for what it is worth, which could very well be nothing. But really, just ask yourself if any of this makes sense. When I trust the words of others it does, but when I think about my gut it says fishy fishy fishy.

One thing I do know is you would have to be nuts or a computer scientist to trust Qubes for anything other than political dissidence against an “enemy” of the United States and its “allies”. Even the encryption is a joke against an adversary with the ability to farm out decryption to every Windows machine on the planet, or more than likely use all the bitcoin mining machines as a network of encryption cracking processor units.

Either way it appears to be more about giving people protection from random criminals and a false sense of security than about actual security. Do we really think we have any idea what the US has? Do we really think we even have a clue what decryption algorithms the US government has? Sure, with what we know it sounds reasonably secure, but in case people have not noticed, it has been at least 20 years since the public has been aware of what the cutting edge of computing has been.

If you think DARPA can't make LUKS2 its B/tch you have not been paying attention. Well, sorry for the rant and I am sure it's tl;dr, but I am autistic and have a compulsion to speak my mind sometimes.

Sorry for wasting your time and good luck!

3 Likes

One could easily make the argument that it’s less than nothing, seeing how you make some wild claims about things you clearly don’t understand and provide no evidence to back up your claims.

4 Likes

After these, how could one expect others to believe?

If Qubes devs would say something like

We’re a bunch of autistic idiots, but our gut says we created a reasonably secure OS based on the security-by-isolation concept.

I would run away from it immediately.

1 Like

Well there is no such thing as less than nothing so…

Also this is the kind of comment one would have expected to receive on a forum for the Anom phone had they brought up honeypot potential. I made no accusations. I said to at most consider the possibility.

Also I did provide some evidence, the interpretation is left to the users.
It seems pretty obvious that a reasonably secure operating system with a security strategy of having VMs with extremely poor security, based on “take our word for it, they cannot get past the VM to dom0”, does not inspire much confidence.

Pattern recognition and an advanced ability to spot contradictions is a symptom of autism, in case you didn't know, and that makes no rational sense.

I can think of several other explanations, though, that I would believe more than Qubes being a honeypot. If I had to bet on it, I would bet the devs did not want to create the kiddy diddlers' OS of choice, so Qubes is probably not out of the box a fortress, so that clueless perverts cannot use it to get away with heinous crimes out of the box. It's just a guess, but it is another explanation that fits with what I know already.

Another point of evidence is that one would expect a reasonably secure OS to want to provide a somewhat secure default because just letting random hackers into even an untrusted qube provides opportunities for them to stumble upon ways to get into dom0.

Sure, you can't stop people from setting up a Qubes machine and trying to hack it, but you can stop random people from stumbling in the front door and lucking their way into a vulnerability.

I am sorry if I sound like I am casting shade but I can not help but think of every possible way I can imagine situations playing out and then noticing when reality and what I have been told do not jive.

Like I said, I am probably wrong, and when I said idiot I was referring to the actual origin of the word, as in a citizen and not a government official. But I can't help but see many conflicting paradoxes in the way Qubes is presented.

I like to look on the bright side, so I will continue to stick to my assumption that the inconsistencies are due to the devs not wanting to aid and abet kiddy diddlers.

But I am just following Qubes' advice and not trusting the infrastructure.

That in and of itself is rather suspicious. If you know anything about con artists, they often start out by heavily warning you not to be conned. It takes advantage of human nature: people will rarely suspect someone of doing something they warn you about. Liars will talk about hating liars, cheaters hate cheaters, etc. etc. It's like con man 101 stuff. Proof of nothing, but food for thought is all, and security begins by thinking about our actions, does it not?

No one forces you to use QubesOS. You can use Windows, macOS, or some other Linux of your choice if you don’t trust QubesOS or trust another OS more.

And you can prove your guess (wrong) by checking the source code yourself or paying someone you trust to do it.

But with your style of arguing I could also argue that Assange and Snowden get paid by the government to hide the real truth behind their whistleblow stories. :wink:

3 Likes

Nope, when it comes to technology, it makes sense to rely on facts grounded on the solid technical/scientific proofs like those listed above and I’m afraid that I don’t have anything to support the thesis of honeypot existence at this point.

Everyone respects your opinion and intuition, which is useful as it creates doubt; doubt drives the research and research improves people’s lives… But, from the technical perspective, we must recognize the effort that the Qubes dev team made in combining Xen with additional software as a brilliant and complex concept that provides a fully functional product which finds practical use in corporate environments, resolves real technical problems in production, and drastically improves productivity, and these are the facts. This solution, however, fails at those basic levels I’ve written about above.

My friends are using Qubes, I educate them to do so in their daily life and work, but it’s not fun to spend the afternoon hardening and patching the templates or commonly used software such as the web browser (manually). That’s why I’ve brought up this subject, and yes, I’ll share my findings/ideas with the dev team, hoping that someday we might have a standardized baseline checklist in place to help automate security profile configuration so that basic or advanced user needs could be met more easily.

You know what, this even goes beyond basic recommendations provided by the Protection Profile for General Purpose Operating Systems, so thank you for that!

Many thanks for this!

Amen! :slight_smile:

I’d still like to get an answer on a question:

When I use an empty single browser dispVM for the single purpose of accessing my online banking, from whom would I want to protect what in a crappy default Firefox browser?

that would change my perspective…

The more one lacks the understanding and capability to verify claims, the more one has to trust. This is not binary of course but a spectrum.

At the one extreme would be a virtualization expert with a deep understanding of x86 architecture and an extensive background in offensive security, like an ITL team member. Such a person can reach a high level of confidence in a setup without trusting others.

At the other extreme are users that have no technical background or understanding. They have no means to reach any level of confidence and must more or less solely rely on advice from others.

Of course one can reason about likelihoods, motivations, observed reality etc. … but in the end that’s all a weak substitute for knowing.

We are all somewhere on this spectrum, and I dare estimate > 90% of active members in this forum are a lot closer to the latter extreme (including myself).

Now, listening to opinions of anonymous posters in an open forum is probably not getting you anywhere. So your choices are:

a) investing time and effort to move “up” on the above spectrum
b) identifying a person that one trusts that is sufficiently advanced on said spectrum

12 Likes

From a general security perspective I actually appreciate this for the non-technical users who swim in deep waters and should not develop a false sense of certainty in the security of things you do not properly understand and cannot audit.

Where you are wasting time in here is that this dialogue cannot arrive anywhere productive, because you don’t have the technical ability to be convinced of its security through code review and explanation.

This is the same for myself, and so while it is worth contributing your warning for others like you to not stumble blindly towards a bright shining light like a moth to a flame without second thought, it’s completely irrational and unproductive to try and have this argument when you couldn’t possibly be convinced even if absolute technical proof was provided, because you cannot understand that.

Your point is more of a general mindset for small fish in the big dangerous ocean rather than anything Qubes specific, or anything that can have a Qubes answer other than affirming that Qubes isn’t bulletproof and if you can’t understand it you probably shouldn’t absolutely trust it.

3 Likes

I’d just like to remind everyone that Qubes OS is open-source software. You can audit the code yourself (or ask or hire someone else to do it for you), ensure it’s free of backdoors, then compile from source yourself. Not only do you not have to trust us, but we don’t want you to have to trust anyone, which is why we continue to work on making Qubes as transparent and trustless as possible, from the security of the Qubes Builder to our work on reproducible builds.

16 Likes

The moderation policies here are generous. I’m surprised how many pointless rants moderators put up with. In the past this included people encountering a bug or making user errors and immediately concluding Qubes was compromised or that they were being targeted by nation states.

But this can also be hugely distracting and a waste of time. noobTutorial admits they are writing out of some compulsion and that they are wasting people’s time, so maybe this sort of post doesn’t need to be on here?

And next time someone thinks that some auto-type feature in their browser is an active hacker who has nothing better to do than to “toy” with his target, maybe that also doesn’t need to be on here.

6 Likes

Stopped reading there.

3 Likes

Sounds like a slippery slope if you ask me, who gets to decide what is a waste of time?

2 Likes

Mods.

We like to keep an open forum, where moderation is kept to a minimum and only when people break things like the code of conduct or discussion guidelines.

Generally, if something isn’t breaking those, then we don't moderate.

I will echo @adw and say our ethos has always been to distrust infrastructure. Validate things for yourself. Make your own reproducible build and validate that all the hashes are right. The code is all open and there to be audited by anyone. That's how you can find out for sure, for yourself, with your own eyes/fingers and skills, that the answer to the subject of this forum post is “no, it is not”.

I will add: develop your own threat model. I think it's great people want to question things; challenging what you are told and making your own assessments is a positive thing. It’s completely fine to ask questions of the community. I think the line of “be a good community member” gets crossed very quickly if posts go from asking questions to making assertions without anything to back those assertions up.

$0.02.

S

10 Likes
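The post above tells readers to make their own reproducible build and validate the hashes. The script below is an added example of that check, written for this thread; it is not Qubes project code, not the Qubes Builder, and not anyone's post. It hashes every file in a locally built output tree, parses a SHA256SUMS-style manifest of the published artifacts, and reports which files match, which differ, and which are missing on either side. All file names, contents and digests are constructed for the demo; a real run would point `digest_tree` at the actual build directory and feed it the real manifest, and would verify the manifest's signature as a separate step before trusting it.

```python
"""Added example (not Qubes project code): verify that a local rebuild
reproduces a published set of artifacts by comparing SHA-256 digests."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_tree(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def parse_sha256sums(text: str) -> dict:
    """Parse 'digest  filename' lines in the format sha256sum writes and reads."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes binary-mode entries with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[name] = digest.lower()
    return manifest


def compare(local: dict, published: dict) -> dict:
    """Classify artifacts; 'mismatched' and 'missing_locally' are the findings."""
    return {
        "matching": sorted(k for k in local if published.get(k) == local[k]),
        "mismatched": sorted(k for k in local
                             if k in published and published[k] != local[k]),
        "missing_locally": sorted(set(published) - set(local)),
        "unexpected_locally": sorted(set(local) - set(published)),
    }


def reproducible(report: dict) -> bool:
    """A build reproduces the published set only if nothing differs or is absent."""
    return not report["mismatched"] and not report["missing_locally"]


def demo() -> dict:
    """Constructed scenario: one artifact reproduces, one differs, one is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp) / "build"
        (build / "iso").mkdir(parents=True)
        (build / "iso" / "image.iso").write_bytes(b"deterministic iso payload\n")
        (build / "iso" / "image.iso.asc").write_bytes(b"-----BEGIN PGP SIGNATURE-----\n")
        (build / "kernel.rpm").write_bytes(b"kernel built with timestamp 1700000000\n")
        local = digest_tree(build)

    # Constructed manifest: the iso matches, the kernel was built from a
    # different input (an embedded timestamp), and xen.rpm was never built locally.
    iso_digest = hashlib.sha256(b"deterministic iso payload\n").hexdigest()
    old_kernel = hashlib.sha256(b"kernel built with timestamp 1699999999\n").hexdigest()
    published = parse_sha256sums(
        f"{iso_digest}  iso/image.iso\n"
        f"{old_kernel}  kernel.rpm\n"
        f"{'0' * 64}  xen.rpm\n"
    )
    report = compare(local, published)
    report["reproducible"] = reproducible(report)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The embedded-timestamp mismatch in the demo is the classic way a build fails to reproduce: the bytes differ even though the source is identical, so a hash comparison alone tells you that something is non-deterministic but not whether it is malicious; that is where source review and a diff of the two artifacts take over.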

I agree, the trick to letting this die is NOT TO ENGAGE - unless of course there is something meaningful to contribute or ACTUAL EVIDENCE of this claim.

1 Like

It’s a relevant question, there are probably lots of people asking the same question, “How do I know Qubes isn’t a honeypot?”

The OP just took it one extra step, and claimed it to be fact with only their gut feeling as evidence.

Extraordinary claims should be supported with extraordinary evidence, you should be allowed to ask the question, but not claim something is fact without any evidence.

10 Likes

I am a bit disappointed by most of the answers in this thread so far. The question asked is reasonable.

The answer is complicated for sure. “No, it’s not!” is not likely to convince anyone. This could be a great conversation about how to assess risk, which things can be verified and which cannot, what the residual risks are and why there will always be some… etc.

Instead, the form in which the question was asked gets attacked and some are calling for the mods to do something about the thread. I feel as protective of the project as most of you, but that’s exactly why I think we are better off discussing and answering such a question than moderating it away.

12 Likes

I agree with Sven: it is a reasonable question, if somewhat unclear.

In what way could Qubes be a honeypot? Does the questioner mean that it could be used to identify users who have something to hide? I have seen similar things said of Tor.

It would not be difficult to identify users who downloaded Qubes, except that the iso is available from multiple sites, including the onion site. So that makes it more difficult to identify those who download. If Qubes were a honeypot in this sense, these options would not be available.

In the default install it is relatively simple to identify Qubes use by monitoring network traffic, just as it is relatively simple to identify Tor or Whonix users. Users who want to can take steps to avoid this to some extent. If Qubes were a honeypot in this sense, it would not be possible to do this.

In what other way could Qubes be a honeypot? Perhaps the question means that it could be used to give people the illusion of security, while covertly opening up their secrets to someone.

Is there a back door? Are there baked-in vulnerabilities? The code is open source - it is open to review by anyone. No one has yet found a back door. There have been security flaws: these have been identified (usually internally) and fixed with public announcements. Issues arising from use of Xen are analysed and fixed - often before fixes are available in other OSes. All of this is done in the open.

Is it not likely that there are security researchers poking at Qubes all the time? It would be a feather in anyone's cap to find fundamental flaws, or a back door.

It takes no effort to say this sort of thing. What takes effort is working on a project, identifying errors, and fixing them to make things better. Do not listen to people shouting in the forums without work behind them.

Of course, someone might at this very moment be typing up Ultra Secret memos originating from MKUltra, or pointing out that the Qubes icon shows that Qubes is linked to QAnon, or that the Qubes logo is obviously a pizza box from that pizza parlour, or some other stupidity.

And someone might equally be working hard on the source to identify flaws and attacks on Qubes. If they have any integrity they will report their findings to the security team, and help to make Qubes more secure.

If there were any sign that the dev team consistently made decisions that undermined the security of Qubes in use, then that should be easy to identify, and to call out. (There have been decisions that I think were wrong, but I accepted the reasoning behind them. Often there is a balance in Qubes between security and usability.)

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

14 Likes

The fact that the question has a theoretical validity is true. The delivery is another matter.

My comment above was really meant to express admiration for how much time and effort many of you here spend answering people who, at times, make wild allegations.

No need to censor anyone as such, but equally I don’t think mods should feel obligated to let through absolutely everything. I’ve spent enough time with the alternative crowd: people for whom you are a hero until there is the slightest disagreement, and then they turn you into an enemy or controlled opposition or a honeypot.

It’s not my time sacrificed, so I’m not criticising. Just saying. With some people you can’t win.