Qubes OS could be honeypot?

Sometimes the “appeal to authority” can be valid. Provided, of course, that the authority being appealed to is of the sort who can readily defend what he’s saying.

I have enormous respect for certain people because I know they can back up what they say. In some cases I know a little bit about their subject matter, so I have a limited basis for judgment.

No one can know everything, though I’ve certainly tried. The next best thing is to know of a number of people who do know their areas well, and who show it by being able to back up what they say with evidence. (If they can’t do that, they’re just parroting something else, which may or may not be good information.)

Again I will bold the cliff’s notes bite and leave the TL:DR autistic over explanation in standard text.

**This is such a strange comment to me. What exactly do you mean. What “solid technical/scientific proofs” do you speak of?

I will take a look at it thanks. I was poking around and my initial assessment is that probably few people in the world would even know what they were looking for.
I will look around though and do some basic stuff like search for Ip addresses and whatnot.
Also isn’t the thing about back doors that they don’t look like doors? If people could find them they would just be regular doors and not ready and waiting when someone is willing to pay for them.
That is how they work right? you only get to use them for a little while until they get out and then you patch them and close them forever. Then you call Mr Gates and he shows you the next one?

This post was forked from a comment in a thread started by someone else, I am not the one that decided it needed to be here and I wouldn’t have started a thread with an ill thought out rant. The person that put it here probably though it would be a worthwhile discussion though.
The Qubes team has stated many times that I have seen that Qubes is not only for computer scientists. Those folks tend to rely on their gut feelings so censoring questions would be seen by many as a coverup.
The over thinker in me does look back and think that my comment is a pretty good one to highlight if your going for the appearance of transparency while making the idea look like the ramblings of a crazy person not to be associated with.

Would you like to explain why? **Is it crazy to think that maybe nyx would be included in the packages of a tor dispVM? After all this is not supposed to only be for the Linux elite. **
You can not see how someone could wonder how both those things can be simultaneously true?
obviously there are many explanations and I layed out a few others in my second comment on the thread this thread was forked off of.

I completely agree and its good to know there are others out there that like when people think for themselves.
One thing I will note is that nobody that I have seen here has yet to say that they trust qubes because made their own reproducible build and validated their hashes.
I will admit that I gave up on validating my qubes install. I was only able to verify the checksum. I was unable to find any outside sources of the keys and gave up after a few hours of looking for a picture of someone with the qubes key on a tee shirt like I read to do.
I dont break the law so I gave up. Unfortunately it looks like things like choosing what goes in or out of your body will be illegal before long so I am planning for the day when I will be a criminal.
I mean I am a libertarian so my live free or die tee shirt could already be illegal, It surly warrants a spot on the DOJs biggest threats to democracy list it would seem.

I did not make any claims or use my gut feeling as evidence. My gut feelings would be the jury evaluating evidence more like.
If you can show me where I said qubes is or is not anything I would stand corrected.
I asked a question and made a few subjective statements I found suspicious aka fishy smelling and that was it.

This guy gets it. God I miss when this was how most people think.
Man you kids should have seen life before cellphones put the internet into everyone’s hand. The internet use to be suck a cool and fun place back when you needed actual knowledge to be able to use it.

But yes discussion is the best way to expose what is and is not a dumb idea. So far all I have really heard in the anti honeypot camp is that you can learn how to spot backdoors and find them if you like because the code is open.
I have not read a word from anyone that says they have inspected the code and found it to be on the up and up.
As of now Qubes is the winner by a mile against Windows and MacOS though as I know them for a fact to be working with the government any chance they get. The fact that qubes honeypot status is even debatable should be viewed as a huge win other than using Qubes takes away your ability to fit in with the heard on Windows or Mac.

I would like to suggest maybe another topic or whatever its called like general Discussion and user support for a section called something like source code evaluation. It could help and give people a reason to participate if they can get clout and such by posting. Just a thought.

With the Anom phone, which was absolutely a honeypot, it did not matter how you got the phone. Paying a random stranger to order it for you would provide you with zero anonymity or security. They owned your telemetry data.
The point was that the governments around the world could see and hear everything you did with it, watch you thru the cameras.
Not knowing when and how we downloaded qubes means nothing, if it phones home the Mac address of my router they know exactly where I am and who pays my isp or gives them the name and address on the bank card that ordered my motherboard.
You see this is the kind of thing that would would actually make me worry about qubes.
I am sorry if you really believe this but this is the exact kind of thing I would expect to here from a honeypot. Just convincing enough to fool a clueless person but such an obvious bad assessment.

Again none of this would matter if qubes was a honeypot. You are not going to outsmart a nation state typically. Short of going thru every line of code before boot and then capturing it during updates and inspecting that it there is really no way to know if you are beat or not.
At least not for a regular person. I guess you could sniff the packets going in and out of the PC and check them all out but that doesnt sound doable for a typical person.

Yes and you can read all about the acts of congress and yet people still dont believe the government passed indefinite detention and made propaganda legal within the united states by modifying the Smith/Mundt act because most people refuse to read anything but a magazine.

I made the suggestion up above and I will make it again. Even if this is a honeypot and you want to catch more flies I suggest a Source code discussion topic like general discussion and user support.

This would go a great way in inspiring confidence. People could coordinate and maybe form teams to divide the code and go thru it. Maybe there is a place for this already but if so a link to it would be appreciated.
If people are going thru thousands of lines of code it would be easy to miss something or bury it at the end and hope the investigator falls asleep before they get too it.
I mean how many lines of clean code would you go thru before you give up and decided it was all good? I dont know but a game theorist does and they would be on the staff should qubes be a honeypot.

**Word on the street is their are millions of dollars in reward money should someone find ways into qubes. If so dont be surprized if people dont offer them up for free for patching lol. **
I would bet my life that if qubes has not been opened up for the US government already there are teams of people working for money printer go brrrrrr money working on finding them.

Again this is very naive thinking and very governmentesk to throw around conspiracy loons to try to discredit the discussion by lunatic proxy. Not that you are doing that but is seems like it is a possibility.

If qubes was a honeypot who do you think would control the forum? Have you seen how censorship works these days? For all I know I am talking to bots and my account has been flagged to be invisible to the real people on the forum. So no lack if threads about it proves nothing.

I could show you how it works, maybe I will make a video and upload it but here is how it works. When I go on you tube I have been put on a list that only lets me talk to bots or people that already agree with me. I know this for a fact because I can go on the exact same video on a friends account or on a random tails account and I can not see any of the comments that are not the official government narrative.
So saying if qubes was a honeypot you would be able to tell from reading the forum is just nonsensical. Im sorry and I mean no offense but damn.

But thank you for at least trying to address the issue with logic and reason even if I believe it is very flawed. The simple fact that you resorted to reason and logic is enough for me to respect the hell out of you. Provided your just not a government agent doing a bad job and being paid way to much for it hahahaha.
but seriously I salute you!

I agree the delivery does seem crazy but again ill state that I did not create this thread, that would be insane. This was a comment on another post that was written on a whim and later forked out here for general discussion by a mod. I assume they thought it could lead to good discussion and it appears they were right.

Also to repeat I made no claims here, I simply asked someone if they had considered it in a reply to their comment.

I feel your pain and know the feeling. It seems “agree to disagree” is not an option for most people these days.

I take pride in my ability to change my mind when I receive new information though so I am not the type you cant win with. I appear that way to some but it is because I have thought deeply about every belief I hold so I am not so easy to sway. Its easy to change someones mind with one conversation when they have only ever had two thoughts about something.

Oh I understand that but that may come across to most as well as it does when your parents tell you you will understand when you grow up.
Also I would be surprised if any member of the qubes team has went thru every single line of code in every single update and utility. I very well could be wrong and I hope I am but I could see it as a possibility.

Maybe if I knew enough I would know an easy way to check the code but that would probably only help me to be confident that the qubes devs are not trying to hack my bank accounts. There are probably not many here including the devs that could go thru the code and be sure a team of government super geniuses did not hid some extremely elegant never before seen hack in there somewhere.

I guess what I am missing is a sense of who the devs are. It would be easier to trust people if I had a clue who they were or what they stood for and that is something I would need to learn over time. First I need to get my qubes working before I can look into the philosophical beliefs of the devs unfortunately.

Again I would understand this viewpoint had I made this thread but with the context that this was a reply to someone else in their thread asking why qubes Firefox failed a basic security test I would hope I still wouldn’t come across as bad faith.
I think maybe if we learn nothing else from this we should learn that is should be made obvious to people when a thread is forked to its own thread because I do not appropriate the hate coming my way for something I did not do. It would be deserved if I had made this thread but I simply commented on someone else’s post and now I am catching the flames. Also learn to read people, reading comprehension is a good skill to have and it is very clear in what I wrote that I was not making any accusations. I simply asked if the person considered it.
Also nowhere in any of this do I claim that qubes is a honeypot.

@anon11917472 I wish you could have made your point without peppering it with unrelated issues that are totally off-topic here but might invite others to share their opinions about these topics. In that case we will have to moderate your post and the replies to keep the conversation on-topic.

This has nothing to do with agreeing or disagreeing with your opinions, or freedom of speech or any such thing. We simply want to keep discussion in this forum limited to the topic of the forum.

If I understand correctly, the line of thought you’re suggesting is something like this:

“If there’s a backdoor in the code, then it will be hidden. It may be so well-hidden that no one finds it before it causes harm. If a backdoor can still exist and cause harm in open-source code, then code being open-source is of limited value.”

To which my question is: Relative to what alternative?

You can either use open-source software, where you have a chance of finding anything bad, or you can use closed-source software, where you have no chance at all.

You can make laws against putting backdoors in software, try to catch offenders, and punish the ones you manage to catch. You can try to persuade people that it’s wrong with moral and political arguments. None of these methods is perfect, and they’re not mutually exclusive. Are you suggesting that since there is no perfect method, we might as well not bother with the decent-but-imperfect ones available to us?

That’s because Qubes builds aren’t fully reproducible yet (see #816). You can read about the latest progress here and here.

Others have already provided a lot of other good considerations. For example, @unman’s reply is a lot broader than just the code being open-source.

Why don’t you do something about it, then? If you don’t have the skills to read the code yourself, start contacting people who do and try to persuade them to audit the code, even just a small part. Many hands make light work. If you have financial resources, hire companies or individuals to audit (parts of) the code. Spend time making content (e.g., videos, podcasts, articles) that provides value to security experts and engages them so that you have a platform for encouraging them to get interested in the project and look at the code. Go on other forums, subreddits, and social media platforms to engage with people about Qubes. Help spread the word. Do something about it.

@unman is simply going through several possible ways in which Qubes could be a honeypot and discussing each one. Neither he nor anyone else has suggested that the fact that Qubes ISOs can be downloaded anonymously is the main or only piece of evidence that it’s not a honeypot. He is not “fooling” anyone. He’s giving a frank assessment of several possibilities. His assessment is also not a bad one, since it is true that an entity who wanted to track downloads would not allow downloads over Tor and VPNs from multiple independent mirrors and via torrents. Your argument here seems to be based on a basic misunderstanding of the way in which @unman’s post is written rather than any substantive disagreement.

In that case, it sounds like your only viable option is to use an OS from an organization has enough resources to compete against the US government, right? I’m guessing only Microsoft, Apple, and Google would stand a chance (and maybe not even them).

Well, I’m not a bot (AFAIK), and I’m replying to you, so there’s that, at least. If you think the forum is being controlled by nefarious entities, why not take your concerns to another platform that isn’t under their control?

Just to clarify, you’re saying that since you don’t see any comments that disagree with “the official government narrative,” this is proof that such comments exists but are being intentionally hidden from you? Have you considered that maybe instead no one else made any such comments?

How would it get into the code in the first place?

I’m a bit surprised by this line of thought, given your earlier remarks. If you’ll indulge me for a moment, I’d like to reflect (what I perceive to be) your own thought process back to you regarding this specific topic: Even if we provided a detailed bio of each Qubes dev, how would you know it wasn’t just made up? Even if the Qubes devs recorded videos or did livestreams where they answered personal questions, how would you know it wasn’t all staged? Even if you went to a conference and met the Qubes devs in person and shook their hands, how would you know they weren’t just paid actors?

At the end of the day, all that really matters is the code that runs on your machine, and all that really guarantees it is the fact that it was signed by certain cryptographic keys that have a sufficiently long history of signing things that consistently turned out to be trustworthy. Joanna used to have a saying: “We are the PGP keys” (in reference to herself and the team in their capacity as Qubes devs). So, while the devs are real people, and their beliefs absolutely do matter, there is also a sense in which, from your perspective as an end user strictly evaluating your own threat model, they are basically synonymous with their signing keys.

That’s fair. I’ll add a notice to the top post indicating that it was forked from the other thread.

I am not making any suggestions or accusations. Also windows, MacOS are without a doubt full of backdoors. The fact that we are even debating QubesOS puts it far far above mainstream Operating systems. If I was to make a suggestion it would be for people to learn all they can, or find someone they trust, on security and censorship evasion ASAP.

Good to know. So that means that when Plexus said this

He was incorrect and this is not a way to find out myself. I did not even know what that even means but it sounded awfully convincing.

I am considering doing something, I mad a suggestion for a source code audit section of the forum and I would participate if one is created. Also there seems to be a misunderstanding here, I did not make a thread asking the world if they have considered that Qubes could be a honeypot.
Someone else made a thread asking why Qubes default Firefox failed almost every area of a basic browser security test. I commented and asked them if they had considered that Qubes could be a honeypot.
I had not given it much thought before because I do not care really because I am not using Qubes for security, I am using it to keep organized in the information war that is going on.
I would be interested in helping out with source code auditing if their was a topic for it like General discussion or user support.
It is just strange that people keep saying the code is open go audit it but not a single person has said they have audited it.

This would actually be evidence to me that Qubes is not a honeypot. If it was I would expect many bots to step in to say "I have audited the code and all was well.
The code being available for audit and people not bothering to do so would jive more with a reality where the project was on the up and up.

I don’t know how to audit code but I am good with logic and organization so maybe I could be useful by congregating the code and keeping track of who has audited what and what has been vouched for by multiple people as well as organizing audit of updates and such. An audit would be useless after all if pieces were missed or only audited by one person.

We will have to agree to disagree on this one, I stated my reasoning above but I will give a brief summery here.
What I am saying is everything he said is irrelevant because it is a false correlation. My example was logically sound. It would make no difference how you obtain your Qubes ISO if it was a honeypot just like it made no difference how you obtained an Anom cellphone. The governments were not tracking the people who bought Anom phones they were tracking the activity that was done on them and the telemetry from the devices. They would not need to know who is using an Anom phone or qubes, they would get plenty of info by having total access to what it was being used for. With the Anom phone they did not arrest people that bought them for legal activities they arrested the people that bought them and used them for illegal activities.

That might be the only viable option for criminals but I am happy with using Qubes. Qubes provides me with what I need honeypot or not. And again I made no claims that qubes is a honeypot, I simply asked one person that was complaining about the default Qubes Firefox if they had considered that qubes may be a honeypot. My personal opinion is that it probably is not. I explicitly explained my opinion in my second response on the original thread this comment was forked from.

I dont think the Qubes forum is run by nefarious entities. I said if it was the lack of posts about Qubes being a government OS would not prove anything because they would obviously be deleted if any were posted. Therefore the lack of said posts is proof of nothing.

Sorry and no that is not what I was trying to say. I was not talking about the qubes forum there I was speaking to how censorship works in general as proof that lack of posts on the forum would be proof of nothing.

It appears that the people in power have realized that people get angry when they are censored so they have moved on to a more elegant and sophisticated form of censorship.
It appears that they are using peoples data to determine who believes what and then letting them talk to each other so they dont notice they are being censored from anyone that does not already agree with them.

As evidence I look towards youtube. On youtube when I am on my personal account I can look at a video, a story about a football player dying on the field for example and every other comment is asking if he was vaccinated against Covid or claiming the vaccine killed him.
If I jump on youtube without an account for example in a fresh DispVM or at the library I can look at the exact same video on the exact same youtube channel and not a single comment will mention the Covid Vaccine.
So with that in mind I would assume that if qubes was a government honeypot they would have a similar system.
For example if an account mentions the word honeypot they are flagged and kicked over to a system where their posts are only visible by agents so they do not know they are being censored.

I just said this was possible on the qubes forum so lack of posts was not proof of anything. I do not believe this is how qubes works because I am on Qubes thru tor and I could see this post before I log in. Could it still be the case sure but it is at least not obvious if it was.

This makes sense if you understand that I do not believe Qubes is a honeypot. It would be more likely that one of the devs would be an agent that would insert code written by a team of government programmers into the code and the other legit devs would not have the ability to notice.
If a team of programmers was making a backdoor for Qubes it would probably take advantage of a security flaw that was unknown to the public therefore unknown to the legit devs. Maybe something like making it difficult to install Qubes without a swap partition because the government has access to the bridge between memory and swap. I am just making this up but its just an example of how devs could miss an exploit if they have no knowledge of what hardware systems are compromised ect ect.

I wouldn’t “know” anything but I would have a sense of their motivations and goals. I am sure many have attended those and do have that sense and it influences their outlook.
But like Socrates there are very few things in this world that I know to be absolutely true. Kurt Godel incompleteness theorem and Wittgenstein’s beetle in a box thought experiments helped me avoid a false sense of certainty about most things.
I know I exist. I can thank Kant for that. I think therefore I am it the common quote but what he really said was that to doubt that I am thinking is still thinking so I doubt therefor I am is a better axiom.

My heroes in life are people like Chelsea Manning, Daniel Hail, Julian Assange, Edward Snowden and anyone else willing to tell the truth or do the right thing at great expense to themselves. People like the creators of the Pirate bay as well. So having a sense of who the devs are would go a long way and it is my fault I do not have one which is why I would never accuse Qubes of being a honeypot. I dont think it is and I think I made that pretty clear. If I was a dev though and I had not been approached by a man in a black suit offering me millions of dollars to slip a piece of code into Qubes I would be seriously thinking about the reason being because someone has already slipped that piece in.
I dont know the technical details and maybe this is not possible but it seems like a reasonable worry. In many places, England for example it is illegal not to give the government access to your PC and passwords so they would probably have issue with Qubes if they really had no way of getting in. I guess they can get in if they have physical access to the system so there is that but it is still something I would ponder.

I understand this but have also read several places that Qubes is not only for people that have the technical chops to evaluate source code. To them including me the main factor will be judging the situation on perceived priorities of the developers. This is what I have based my assessment on and will continue to be the case until I learn to assess the source code which will likely be never because I will never be the able to outsmart a team of the best minds in the world should they be the ones given the task of infiltrating Qubes.

For example it the founders of the pirate bay were involved in qubes development I would know that people I can trust to sacrifice for the little guy are involved. I assume the Qubes devs fit into this category as well which is why I dont believe Qubes is a honeypot. I do think it is something people should consider though especially if they are discussing results of a security analysis.

Thanks you very much. I believe it was important context that means the difference between me appearing to be a lunatic and me appearing to have critical thinking skills and a helpful attitude.

In closing I will just try to be very clear.

I greatly appreciate what the devs are doing with Qubes and consider them to be doing the world a great service ate great personal expense.

I did not claim that qubes was a honeypot at any time, I simply asked someone that was asking about weak default Firefox security if they had considered the potential that Qubes was a honeypot.

My personal belief is that the Qubes devs are genuine but that many governments and people would be extremely motivated to get a way into Qubes systems so remaining ever vigilant is a necessity
I believe others have mentioned this quite a bit and is extremely obvious given the lengths many have gone to to ensure that no human can can have any anonymity, privacy or communicate a thought to another human without them knowing about it and scrutinizing it.

I also believe it would be a good idea to have a Qubes forum section like general discussion and user support for something like source code auditing where people could coordinate and discuss things. People could coordinate efforts to break the task of auditing bulk lines of code into smaller pieces, as you and I said many hands makes lite work.
It could be discouraging people not to bother because it is such a large task but could promote people to take it on if there was a way to organize the efforts so that peoples efforts were not overlapping potentially missing the one piece of code that is compromised.
It is a huge task and could be seen as a waste of time if one expected to not gain any piece of mind at the end anyway. inspecting the code would be meaningless if you did not keep up with new updates and such. In an update something could come in, do its dirty work and delete its self before people got around to auditing it I would assume. I could be wrong obviously because I do not know how that stuff works.

Another thing I would suggest is that maybe Qubes could have some built in features for monitoring security or a guide section of how to set something up for oneself. This stuff is pretty easy to do on Arch linux but on Qubes I don’t even know where to begin because it is hard to get a sense of what is doing what and what is done on a VM basis and what is done globally by dom0.
Thgs like a default of having Nyx setup to monitor tor traffic would save people collectively maybe thousands of human hours trying to figure out where to even put Nyx in a qubes system. This is just an example, I have not even tried yet because I am still working on understanding far more basic stuff than this but it was very simple to do on Arch. It was also easy to setup a system for knowing what and when something was trying to write to disk but with Qubes I dont know if I need to set up a system for every qube or just a system for dom0. Should Nyx be on my dom0, sys firewall, sys-net, sys-whonix, all things that are very complicated for the non technical users that Qubes is claimed to be for as well.

I dont know, these are just thought but I thank the Qubes devs and will be working on clearing this stuff up for the layman when I figure it out for myself

Thanks for all you do and please dont take my comments as casting shade, I am just trying to do what little I am qualified to do to help which is working thru some critical thinking from an autistic layman’s with a good memory and somewhat realistic worldviews perspective.

Also to beat a dead horse I never intended this discussion to make it out of a few comments on someone elses thread.

Honestly, I really hate this kind of conspiracy posts.

It seems as though most security people find an OS like Kali to be plenty secure.

Says who? Kali is merely a Debian installation with its own repository and loaded with offensive tools. It is all of the usual insecurities of Linux distributions, including lacking of app sandboxes and verified boot. Its defaults are also generally worse than your average Linux distro like Fedora due to it still using outdated and insecure technoligies like X11.

Also as far as I know on Kali or Arch only one process can be hidden with a process hider. On qubes their are endless terminals so maybe endless programs could be hidden.

Non-sense. There have been malware that hides its processes from usual tools like ps, yes. But what makes you think that only 1 process can be hidden??? What happens when your Linux installation (which generally has extremely poor security) gets malware? You are screwed.

In Qubes, the damage is limited to just the AppVM which got infected or the TemplateVMs which got infected and the AppVMs based on it, assuming that there is no VM breakout (which is much harder to carry out that simply infecting a Linux installation).

I am not the one to take advise on technical matters but I am elite when it comes to smelling BS and critical thinking and this place certainly has a fishy smell.

Conspiracy talking.

One thing I do know is you would have to be nuts or a computer scientist to trust qubes for anything other than political dissidence against an “enemy” of the United states and its “allies”.

Non-sense. One does not need to be nuts or a computer science to grasp the general design of Qubes OS. This is trivial stuff to understand.

Even the encryption is a joke against an adversary with the ability to farm out decryption to every windows machine on the planet or more than likely use all the bitcoin mining machines as a network of encryption cracking processor units.

More non-sense. There are issues with how Windows handle encryption by default (only doing TPM unlock instead of forcing pre-boot authentication and so on), but it is entirely configurable by the user.

If you think DARPA cant make Luks2 its B/tch you have not been paying attention.

More conspiracy talk. Unless you can make an actual technical argument, don’t make BS claims like this.

LUKS/dm-crypt does have some drawbacks, namely that the encryption key is loaded into memory instead of being held only in a Secure Element and so on. An honest discussion would focus on the actual technical weaknesses that we know of and attemps to fix them, rather than spewing out complete and utter non-sense like this. Also, you just claimed that Kali and Arch was “secure” above. Do you know what they use? LUKS.

I dont believe I made any real claims.

Yes you did. You make a bunch of claims that have no technical basis outside of just Qubes.

“Have you considered that Qubes may be a honeypot?” is a question.

Suggestive question to push a narrative.

**This is such a strange comment to me. What exactly do you mean. What “solid technical/scientific proofs” do you speak of?

Actual technical discussions. Not conspiracy. Unless you can actually prove that it is somehow a magical honeypot (through the source code, through reverse engineering, through just network monitoring, etc), just don’t make claims.

It is absolutely possible that something malicious slips through and have not been detected yet (this goes for any pieces of software, open source or otherwise), but you really should not be talking conspiracy unless you actually have found something.

Even the conspiracy about stuff like Windows is obnoxious.

I am not making any suggestions or accusations. Also windows, MacOS are without a doubt full of backdoors.

Conspiracy talk. Show me an actual backdoor. Shouldn’t be hard if know actually know that they have them.

That is how they work right? you only get to use them for a little while until they get out and then you patch them and close them forever. Then you call Mr Gates and he shows you the next one?

Please try to understand the difference between a vulnerability and an actual backdoor.

The over thinker in me does look back and think that my comment is a pretty good one to highlight if your going for the appearance of transparency while making the idea look like the ramblings of a crazy person not to be associated with.

Dude, you are talking conspiracy. There is nothing factual about what you said. What you are doing is not “overthinking”. What you are doing is purely just saying a bunch of stuff you do not have basic understanding of in an incoherent, rude, and extremely obnoxious manner.

Would you like to explain why? **Is it crazy to think that maybe nyx would be included in the packages of a tor dispVM? After all this is not supposed to only be for the Linux elite. **

The disposable VM comes from a disposable template. What packages being included in the disposable template is up to you to decide…

There are arguments to be made about removing unnecessary packages for attack surface reduction. But you are turning this into conspiracy talk right there.

One thing I will note is that nobody that I have seen here has yet to say that they trust qubes because made their own reproducible build and validated their hashes.

Doing that doesn’t mean anything unless you also verify the source code. And no one realistically verifies the source code for everything they use either.

The reason why people use Qubes is that the design of it is much, much better than your average Linux distribution and provides strong isolation for different groups of applications.

I dont break the law so I gave up. Unfortunately it looks like things like choosing what goes in or out of your body will be illegal before long so I am planning for the day when I will be a criminal.
I mean I am a libertarian so my live free or die tee shirt could already be illegal, It surly warrants a spot on the DOJs biggest threats to democracy list it would seem.

Conspiracy talk.

As of now Qubes is the winner by a mile against Windows and MacOS though as I know them for a fact to be working with the government any chance they get.

Conspiracy talk. Yes, Apple and Microsoft do work with the government, but that doesn’t mean they will do it at every chance they get or that they actually have a backdoor in theor operating systems.

Qubes is not always better than macOS or Windows either - it lacks things like verified boot, per app permission control, and so on. It being better at isolating groups of applications does not mean that it is better for all use cases or against all threats.

With the Anom phone, which was absolutely a honeypot

And some guy actually found the actual backdoor before the whole thing went down.

Not knowing when and how we downloaded qubes means nothing, if it phones home the Mac address of my router they know exactly where I am and who pays my isp or gives them the name and address on the bank card that ordered my motherboard.

What??? Mac address randomization is a thing. And how is the mac address of the network card even tied to your motherboard? What?

If you don’t want your ISP to know you are downloading Qubes, use a VPN or Tor.

You see this is the kind of thing that would would actually make me worry about qubes.
I am sorry if you really believe this but this is the exact kind of thing I would expect to here from a honeypot.

This has nothing to do with Qubes to begin with. This is basic opsec.

At least not for a regular person. I guess you could sniff the packets going in and out of the PC and check them all out but that doesnt sound doable for a typical person.

Perfectly doable for someone who’s got the time and energy for it. It’s not rocket science and is trivial to do.

**Word on the street is their are millions of dollars in reward money should someone find ways into qubes. If so dont be surprized if people dont offer them up for free for patching lol. **

If it was a honeypot why would the government pay people to find exploits for it?

Also to repeat I made no claims here

You made a bunch in your original post and you have just made a bunch more.

I take pride in my ability to change my mind when I receive new information though so I am not the type you cant win with.

You are talking conspiracy to mislead naive people.

There are probably not many here including the devs that could go thru the code and be sure a team of government super geniuses did not hid some extremely elegant never before seen hack in there somewhere.

You can say that about any piece of software, including Qubes’s upstream. Why make this whole thing about Qubes specifically?

Kali is merely a Debian testing installation with all the
insecurities that brings.

Ah yeah, I forgot about the fact that it is also Debian testing. This is even worse than Debian.

For the last few days, I have been following this thread about Qubes possibly being a honeypot. I think that this is a very valuable discussion, but so far I find it rather disturbing. There are many arguments for and against this proposition, but they are rather unstructured and so have no chance to come to a real conclusion.

What is needed, in my opinion, is a systematic approach to this question, and that needs to build a threat model, analyzing which threats are relevant and which are not. I will try to collect these arguments and structure them in the following paragraphs. Please excuse if it is a rather lengthy text, but Qubes is a complex system, and so the threat model is complex, too.

The first question is: Can / should we trust the ISO used to build Qubes?

This file is accompanied by a digest and a PGP signature, based lastly on the Qubes master signing key whom you have to trust as a security anchor. The fingerprint of this key is rather widely available, so there is some hope that you will get the real thing and not a fake one. Downloading the ISO file and checking it against its digest will assure you that you get the correct and unmodified file provided by the developers.

But is this really the system built from the correct sources?

Contrary to closed source software like windows, you have the possibility to dowload the sources, check them against their signature in github and build the ISO file yourself. This process is well documented and, according to cries for help in the forum, is used by a lot of Qubes users. So there is the possibility to have a Qubes installation media verifiably consistent with the sources.

But do you trust the developers to provide sources without backdoors?

This is rather a key question. As has been correctly pointed out in this thread, there exists the possibility that one or more developers might be forced or bribed to install a backdoor somewhere in the sources. If this were well hidden, most users will not be able to detect it. On the other hand, if not all developers were subverted - which is highly improbable due to their worldwide distribution - some of them will surely detect code that should not be there and start asking questions.

Here the canaries, which are published every three months or so, come into play. In these canaries, the Qubes team assures that the system is clean and not compromised and that no attempt has been made to force the introduction of unwanted code. While possibly one of the signers of these canaries might have compromised the system and be forced to state the opposite in the canary, it is highly improbable that all signers could be forced to sign such an untrue statement, just because they work in different countries and under different legislation. And since they are developers and understand the system, they would detect such a modification and reject signing a false statement - and not all of them can be forced to sign it anyway.

There is one more argument: Since Qubes is an Open Source project, the group of developers might, at any time, be joined by new developers, as has occurred several times in the past. Hiding a backdoor from these new members of the team will be impossible so thus even if a backdoor was installed at some time, it has no chance to stay undetected.

Could a third-party review detect backdoors in the source?

@anon11917472 rightly states that the openness of Open Source is of no additional value if no one inspects these sources. To get trust in these sources, audits have to be performed, analyzing the sources in depth and checking for potential security flaws. At least one such audit has been performed by the Freedom of the Press Foundation, for its SecureDrop workstation. The audit has shown some minor bugs, but no backdoors. It is, however, somewhat difficult to estimate the value of this audit, as its depth is, to my knowledge, not sufficiently documented. According to ISO/IEC 15408, an audit that would reveal backdoors in the sources should be done at level EAL5 or higher, but even at lower levels, backdoors might be found.

It would greatly enhance the confidence in the sources of Qubes if such an audit would be performed by one of the official certification bodies, and I think that it is a serious deficiency that, to my knowledge, this has not been done already. (For this, I have already contacted the BSI, the German government security agency, but they seem to have no one in charge of operating system security, and there is nobody available to finance such an audit!)

What implications of Qubes system Architecture are there?

Qubes heavily relies on compartmentalization and isolation of system components. This is somewhat ignored by the critique of @anon11917472, when they remark that an unhardened Firefox is used, which might pose some risk. I do that myself: For surfing, I just use the standard untrusted Fedora qube with the Firefox provided there. I have even added some extensions which may increase or decrease its security - I don’t know and I don’t care! This qube has no valuable data, just some files that were downloaded, could be downloaded again if needed, and will be thrown away after inspection. So, even if this qube were somehow compromised permanently, e.g. by inserting something bad into the Firefox profile, it does not matter at all. If necessary, I could throw the whole qube away and recreate it within minutes.

This situation would be different if an attacker could break out of this qube and attack other parts of Qubes, possibly even dom0. But this would require the attacker to find a loophole in Xen which could be used from one of the VMs. Such a loophole would not be a backdoor in Qubes itself, but an upstream fault in its supply chain. In order to get control over Xen, an attacker would have to cross the hardware ring protection provided by the processor and get from the maximum ring 1 allowed for VMs to ring 0 reserved for Xen, and this would be such a serious fault that it cannot stay undetected for a longer time. Such faults have existed for the whole lifetime of Qubes and they are a consequence of using Xen as its technical basis. But, if and when such a fault has been detected, it will normally be corrected within a few days and so has only a rather limited impact.

With this one exception, my permanent data are protected, as they are lying in a different qube, having no network access and no software like Firefox installed, and, just for enhanced security, being based on a different operating system (Debian instead of Fedora). All this except the last point holds true for dom0, which therefore cannot be compromised unless there is a serious flaw (or backdoor?) in Xen. But Xen, too, is Open Source and thus could (and should!) be subject to the same audits as Qubes.

For access to sensible websites, I use the Tor browser in a Whonix AppVM or, for higher-risk locations, from a dispVM based on Whonix. I assume that the Tor browser in its basic configuration, is more secure than the unhardened Firefox, and that any compromise of it, which would not only affect Qubes, but also Whonix and Tails, would be and has been quickly corrected.

What about the costs of an attack?

The arguments above, mainly the multi-party structure of the development team and the effect of compartmentalization, raise the needed effort and therefore the costs of a security compromise of Qubes considerably. So attackers working on the principle of getting most bang for their buck would surely give a wide berth to Qubes and instead attack systems like Windows or MacOS, where they have more targets, and success can be achieved without much effort. So, probably, you and I will have nothing to fear from such attackers, because we are simply not worth the effort.

But what about some possible high-profile users of Qubes? Such a user might be attacked with nearly limitless effort, for instance, if some three-letter agency decides to attack them. But such a user would - if they are serious - not use Qubes unprotected and without additional security measures. There would probably be firewalls, intrusion detection systems, and a decent network structure, and such a user could and probably would do source audits so that any backdoors in Qubes would be detected prior to its deployment. So even there is no need to use Qubes as a honeypot, as it would not work at all.

One should not overlook the fact that security is not only technical security but there are other ways to reach the goal of a security breach. Instead of spending a million dollars on subverting an IT system, the same result might be reached by paying a suitable user of this system a thousand dollars for the data to obtain.

Conclusion

Qubes is a highly but not absolutely secure system. Trying to use it, via some backdoors, as a honeypot would be extremely difficult and, from an economic view, might not make sense. Following this reason, Qubes is secure, and that is just what is claimed, to be a reasonably secure operating system. So, at least, I am glad to have it!

I expected that you would say something like this, but I’m afraid it’s simply not accurate. At the very least, by asking certain questions, you’re suggesting that some possibilities are more salient or worthy of consideration than others. Doing that isn’t necessarily a bad thing.

This is a security-oriented software project. We are in the realm of the technical – the domain of science and engineering. Whether something “sounds convincing” was never really a relevant criterion.

• Unman is saying that something can be used as a honeypot when the method by which it is distributed is used to spy on the users who obtain it.

• You are saying that something can still be a honeypot even if the method by which it is distributed is not used to spy on the users who obtain it.

• You are both correct, because not all honeypots are the same. In some honeypots, the method of distribution is used for spying. In others, it is not.

• Unman is saying “X is true.” You are saying, “No, Y is true!” But actually, X and Y are both true. They are just statements about different things, even though they sound similar on the surface. You think you are disagreeing with unman, but actually you are not.

Small correction: Descartes, not Kant.

To be clear, authenticating the developers’ PGP signatures doesn’t require the ability to read code. We have a guide here.

I’ll leave it up to @deeplow and others to decide whether a new forum section would be a good idea.

There are already quite a few open issues for things like this. Many of them will probably require community dev contributions.

As for guides, the type you’re describing would probably need to be community doc contributions.

That already exists. Simply click on the Nyx shortcut in sys-whonix’s menu.

In that scenario, Qubes is unlikely to be the target’s weakest link anyway. The agency’s resources would likely be better spent on things like physical surveillance, obtaining surreptitious physical access to the target’s home, bribing/coercing associates, etc. than on trying to subvert a global software project with tens of thousands of (exceptionally paranoid) eyes on it undetected. Would an assassin rather attempt to subvert the supply chain at the automobile factory or instead sabotage the brakes on his target’s car?

It could be a backdoor similar to the dual elliptic curve deterministic random bit generator weakness, even with thousands of people looking at the code it could still take a really long time to discover the backdoor.

Yeah I don’t trust Qubes 100%. It doesn’t have to “be” a honeypot - if somebody high enough wants to they can fund 1 dude to join the project and sabotage it from the inside. Or they can assault the devs IRL and force them to push a malicious PR. Or (God forbid) snuff the poor guy out and take over his entire online persona, including his github or wherever they keep the sauces for this. “Hey guys it’s me Timmy your trusty Qubes OS maintainer” but it’s actually a talking piece of bacon.

With that said though, I consider my Qubes system my safest system other than one that’s fully airgapped and rigged to blow.

The ken Thompson hack is interesting in that is turns clean source code into hacked binary thru the compiler. Not sure what that means but it sound elegant and very clever and it seems to have impressed the best of the best.
Using invisible unicode symbols as variables looks like it could be used in C++ as well but I dont feel like looking into it further.
But from what I am finding something being opensource does not inspire any confidence in me except for in extremely basic stuff. Once you get into thousands of lines of code written in multiple languages it appears to be impossible for even a small team of professionals to be 100% certain they didn’t miss anything.
Again I dont think Qubes is a honeypot. After looking into it it seems like it would be much easier for state actors just to slip a backdoor into some upstream code and save themselves the effort of running the website for years.
Either way I will continue to use Qubes as it is the best option and stick to my life long policy of not committing crimes or doing banking or sensitive stuff on the PC.

https://wiki.c2.com/?TheKenThompsonHack

http://underhanded-c.org/

https://blog.cloudflare.com/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/

Also TommyTran if you are waiting for Microsoft to admit to backdooring Windows you might be waiting for a while. I would suggest you research the term “plausible deniability”.
Microsoft also holds the authentication key for Windows and can put anything they want in Windows at any time. What better backdoor can you want more than being the one pushing closed source updates at will. I mean think bud. No backdoor LOLZ.
But you can read the Snowden leaks to find more examples or actual backdoors, for example handing the NSA preEncryption access to all of Outlook.com

This should get you started. Also its funny because I learned about qubes from one of the guys Snowden leaked too.

I have spent the last few days looking into it and am now confident to say that Qubes is almost certainly not a Honeypot.

Why am I so sure of it?
Because it does not need to be and nothing would be gained if it was that couldn’t be had for much less work, effort and money.

Why am I not absolutely positive it is not?
Because the US government prints money at will and is always looking for a project for no other reason than that you have to spend money to be able embezzle money and procure kickbacks.
Plus their children are always looking for a do nothing government job that pays in the hundreds of thousands of dollars and I can see being a honeypot forum admin as that type of gig.

Now I would consider the probability of that to be somewhere in the vicinity of a 0.00000000000000000000000000001% chance so please dont take that as me making a claim or take offense if you are a moderator. It is just within the realm of possibility as I see it.

My real belief is that the devs and mods are doing what they can and should be respected by all freedom loving individuals. I solute you and would lay down my life for you if I ever had the chance as you are some of the most high quality individuals that exist these days.

They appear to be the kind of people that would exchange a walk on part in a war for a lead roll in a cage and if we ever meet in the place where there is no darkness they are welcome to my rations and my blanket and bedroll.

I will continue to use Qubes because it is a great tool for 99.9% of the people that use it and I respect the effort and intentions of the devs and frankly there does not appear to be any better alternatives.

I will continue to learn and look forward to one day being able to build my own Qubes from source and have the knowledge to make it as secure as possible from government agents that want to spend a fortune in tax payer money to read my shopping list.

Also if anyone knows where I can get a good used oscilloscope that can output to a video recording device I am in the market lolz.
I guess I need eight of them, one for each wire in my Ethernet cable haha.

It’s not the topic of this thread but you accidentally touched a bit on my core competence (in-vehicle networking / ECUs). In your example of the assassin it might not be so clear, but let me slightly rephrase your question to make you think of the involved risks and scale:

Would an intelligence gatherer attempt to remotely compromise the software running in a telematic systems to gain on-demand access to the hands free (and other) microphones build-in or rather send a person to plant a microphone which could be discovered (the person and/or the microphone)?

I fully agree with your point about the ‘weakest link’, but couldn’t resist to digress a bit.

Also don’t forget that every microphone is a speaker and every speaker is a microphone.
If someone is clever enough and if the hardware is capable of outgoing and incoming signals or you can manipulate the busses and whatnot to a speaker someone could use a device that does not even have a “microphone” to listen in on you. Sure the quality would not be great but it would be perfectly fine for vocal clarity. For example those crappy speakers built into motherboards for warning tones and whatnot.

Enmus, with all due respect. I have been reading this forum daily since it was launched, however, today I had to make an account to respond to your comment.

Please reconsider to delete your post I’m replying to. You quoting “I’m just an idiot” & “but I am autistic” to formulate an [unsound] ‘argument’ on why OP should be disregarded, while in line with your post history & assumed cognitive abilities due to those, is very counter productive.