I guess I didn’t word that very well - I was not trying to say “believe me, no it’s not” - I was trying to convey it’s up to the user to verify for themselves everything and reach that conclusion themselves, and we work in an open fashion to make that verification pathway available.
I agree that the questions around what makes Qubes reasonably secure and testing the falsifiable hypothesis that Qubes is a honeypot are valuable. However, criticizing the format or intent of the asker is not inappropriate. The rhetorical style of the OP is, to my eyes, strictly there to stir the pot or troll the forum. As others have pointed out, the OP offered zero evidence or even a convincing thought exercise.
The fact that OP thinks that Kali is “plenty secure” is another red flag to me. Running Kali as a daily driver (the implication) is a mistake most experienced folks don’t make; if/when you get popped, then you’ve given your attacker all the tools they need to carry on from there.
My instinct is that OP was not acting in good faith. YMMV.
I find the OP’s thoughts valuable exactly because these are the thoughts of a non-technical person with insufficient knowledge. … as I expect most of the users that we say we target are (journalists, lawyers, activists etc).
So how are these persons supposed to judge the risk? Good arguments I heard so far:
- juicy target for security researchers (some of whom rely on Qubes OS themselves)
- endorsed by Freedom of the Press Foundation, Snowden
- based on XEN (much more widely used, smaller attack surface)
I agree that this thread has the potential to make “visitors distrust our favorite OS” … the antidote to that would be arguments as the above and more of the kind.
Speculating about the OP’s “good faith” and hiding the conversation makes us look weak. If you can’t justify or explain why you think the OP is wrong, then on what basis do you feel secure to use Qubes OS?
Again, before anyone questions my intentions… I sincerely hope there is plenty of evidence in the last 5+ years of posting. But to a degree this forum has become a huddle of regulars telling each other “the way”. Strong community is what we want, but it shouldn’t lead to intellectual laziness.
I think what we need is to distill more FAQs out of all the material here and then work together on good answers (maybe in megathreads). That way the next time someone comes and asks about honeypot or Hannah Montana Linux in dom0 or whatever we can simply point to that collection of good arguments.
When you’re in the jungle, you (are often forced to) behave like an animal. When you’re in a Hyde park, you (would be embarrassed not to) behave like a human being.
Well, Qubes made me think of it as a Hyde Park. It totally positively changed my computer habits, to the extent that for the first time in my life I wouldn’t mind saying that hated sentence: “I have nothing to hide”.
And I don’t. I did my best to protect my digital property and it is reachable only, and only, if Qubes is a honeypot, unlike when it was constantly on “help yourself” out there in the “jungle”.
I am going to bold the cliff notes version and leave the autistic over explanation in standard text. You are welcome lol.
Okay well let me first start out by saying I am not the OP as I understand the term. I did not make this thread, this was a response to someone else in a thread they created that was forked here.
I hope you can see how much of a difference there is between someone who makes these comments in response to someone asking why the default Firefox browser failed a basic security test and someone who would start a thread with these incoherent comments.
I would never in a million years start a thread about this subject, chances are the devs are great people doing the world a service and I would need actual proof before I would make an accusation. It did however seem like a reasonable response to someone else’s question.
Also if I was going to make a claim I would have put a lot more thought into it and used an actual argument structure.
It’s a relevant question, there are probably lots of people asking the same question, “How do I know Qubes isn’t a honeypot?”
The OP just took it one extra step, and claimed it to be fact with only their gut feeling as evidence.
Extraordinary claims should be supported with extraordinary evidence, you should be allowed to ask the question, but not claim something is fact without any evidence.
It’s on the accuser to lift the burden of proof, I don’t think it’s fair to say you need to prove them wrong, when they didn’t even try to prove they are right.
I don’t like when people use the “X is true, prove me wrong” argument, it’s extremely lazy and it doesn’t mean X is true.
One could easily make the argument that it’s less than nothing, seeing how you make some wild claims about things you clearly don’t understand and provide no evidence to back up your claims.
I don’t believe I made any real claims. I believe you may be emotionally invested which is known to cloud one’s judgment. The alternative is poor reading comprehension and I doubt that is the case.
A claim would be “Qubes is a honeypot.”.
“Have you considered that Qubes may be a honeypot?” is a question.
I also see that many did not read the second comment which I don’t blame them for, as within it I explicitly give an alternative view and claim that I am more inclined to believe that second explanation.
There is also the implied explanation in my statements that it all makes sense if you trust what you are being told.
After these, how the one could expect others to believe
I never expected others to believe, I wanted to provoke critical thinking and thought and it appears I succeeded though I admit far outside the scope of the original reply. I also wanted to write a bunch of run-on sentences and obviously I succeeded there as well.
No one forces you to use QubesOs. You can use Windows, macOS, or some other Linux of your choice if you don’t trust QubesOS or trust another OS more.
And you can prove your guess (wrong) by checking the source code yourself or paying someone you trust to do it.
I never said I was forced, obviously I am not. I was forced into some action as continuing to use Windows was not an option what with there being literal open discussions about whether or not me and my family should be “allowed” to buy food or sent to a concentration camp for refusing the BillGates MAGA jab.
The censorship is getting people killed en masse, the public is about a year behind with things those of us that make avoiding it an option have known. “how could we have known?” Well ask us because we have known from the beginning. Many of us knew exactly what was going to happen and it was extremely obvious. Yet another example of those darn emotions clouding people’s judgment.
Sure I’ll take a shot designed in twenty one days based on a genome emailed to us by the Chinese government… This is public information that was censored from sharing more than any laptop could ever dream of. But how could we have known right…
I chose to use Qubes because I have seen what happens to people that try to make apps that help avoid censorship and I plan to do exactly that. Digital lemon juice and the candle to make it visible…
So here I am, trying to cram a lifetime of cybersecurity and application developing into as short a time span as possible.
From what I understand I should be able to make a program that will encrypt text for use on social media relatively easily. The social media moderators should have a hard time justifying censoring speech that someone has to go out of their way to decrypt to read…
If people are so against using their own finger and the block function to do their own censoring I will make them have to go thru the effort to unblock/decrypt something to read it. I look forward to their mental gymnastics of why they still need to block it.
Also thru the clever use of emojis and other characters it will be possible to fit a lot more text into a small field as a bonus. The most frequently used words can all be converted to a single character and spaces can be cut out by clever use of capital letters or something along those lines to encrypt the space.
If anyone would like to make something like this please feel free to save me the effort and take all the credit.
I just want people to be able to speak because you can not think of things you have never heard spoken about or read about… God another rant, Glad I bolded the important bits so I don’t have to feel bad about wasting people’s time :D
Sometimes the “appeal to authority” can be valid. Provided, of course, that the authority being appealed to is of the sort who can readily defend what he’s saying.
I have enormous respect for certain people because I know they can back up what they say. In some cases I know a little bit about their subject matter, so I have a limited basis for judgment.
No one can know everything, though I’ve certainly tried. The next best thing is to know of a number of people who do know their areas well, and who show it by being able to back up what they say with evidence. (If they can’t do that, they’re just parroting something else, which may or may not be good information.)
Again I will bold the cliff’s notes bite and leave the TL:DR autistic over explanation in standard text.
**This is such a strange comment to me. What exactly do you mean. What “solid technical/scientific proofs” do you speak of?**
**Are you saying you went thru the source code or are you saying trust the science** and the qubes devs are the science? If so last I heard Anthony Fauci was the science and I am pretty sure he wants us all to use Windows…
I will take a look at it thanks. I was poking around and my initial assessment is that probably few people in the world would even know what they were looking for.
I will look around though and do some basic stuff like search for Ip addresses and whatnot.
Also isn’t the thing about back doors that they don’t look like doors? If people could find them they would just be regular doors and not ready and waiting when someone is willing to pay for them.
That is how they work right? you only get to use them for a little while until they get out and then you patch them and close them forever. Then you call Mr Gates and he shows you the next one?
Or you can kill two birds with one stone and pull a Shadow Brokers and burn hacking tools that are for mostly patched exploits by leaking them on twitter to help you blame the Russians for the leak that we all know was Seth Rich. Plus the added benefit of priming everyone for the Russia Russia Russia hoax.
I mean while we are at it have you considered that the Shadow Brokers were probably US government agents doing what they were ordered to do?
This post was forked from a comment in a thread started by someone else, I am not the one that decided it needed to be here and I wouldn’t have started a thread with an ill thought out rant. The person that put it here probably thought it would be a worthwhile discussion though. The Qubes team has stated many times that I have seen that Qubes is not only for computer scientists. Those folks tend to rely on their gut feelings so censoring questions would be seen by many as a coverup.
The over thinker in me does look back and think that my comment is a pretty good one to highlight if you’re going for the appearance of transparency while making the idea look like the ramblings of a crazy person not to be associated with.
Kind of like how the CIA funded the black panthers to make civil rights look like the desire of violent madmen.
Would you like to explain why? **Is it crazy to think that maybe nyx would be included in the packages of a tor dispVM? After all this is not supposed to only be for the Linux elite.** You can not see how someone could wonder how both those things can be simultaneously true?
Obviously there are many explanations and I laid out a few others in my second comment on the thread this thread was forked off of.
I completely agree and it’s good to know there are others out there that like when people think for themselves. One thing I will note is that nobody that I have seen here has yet to say that they trust qubes because they made their own reproducible build and validated their hashes.
I will admit that I gave up on validating my qubes install. I was only able to verify the checksum. I was unable to find any outside sources of the keys and gave up after a few hours of looking for a picture of someone with the qubes key on a tee shirt like I read to do.
I don’t break the law so I gave up. Unfortunately it looks like things like choosing what goes in or out of your body will be illegal before long so I am planning for the day when I will be a criminal.
I mean I am a libertarian so my live free or die tee shirt could already be illegal. It surely warrants a spot on the DOJ’s biggest threats to democracy list it would seem.
I did not make any claims or use my gut feeling as evidence. My gut feelings would be the jury evaluating evidence more like.
If you can show me where I said qubes is or is not anything I would stand corrected.
I asked a question and made a few subjective statements I found suspicious aka fishy smelling and that was it.
This guy gets it. God I miss when this was how most people think.
Man you kids should have seen life before cellphones put the internet into everyone’s hand. The internet used to be such a cool and fun place back when you needed actual knowledge to be able to use it.
"off-topic, good old times ...
Those were the days. Back then a Vaccine would kill three people and be instantly banned and the right to travel meant the right to travel. God I miss it. You could talk to ten people and get ten opinions. Glorious it was but I digress.
But yes discussion is the best way to expose what is and is not a dumb idea. So far all I have really heard in the anti honeypot camp is that you can learn how to spot backdoors and find them if you like because the code is open. I have not read a word from anyone that says they have inspected the code and found it to be on the up and up.
As of now Qubes is the winner by a mile against Windows and MacOS though as I know them for a fact to be working with the government any chance they get. The fact that qubes honeypot status is even debatable should be viewed as a huge win other than using Qubes takes away your ability to fit in with the herd on Windows or Mac.
I would like to suggest maybe another topic or whatever it’s called like general Discussion and user support for a section called something like source code evaluation. It could help and give people a reason to participate if they can get clout and such by posting. Just a thought.
With the Anom phone, which was absolutely a honeypot, it did not matter how you got the phone. Paying a random stranger to order it for you would provide you with zero anonymity or security. They owned your telemetry data. The point was that the governments around the world could see and hear everything you did with it, watch you thru the cameras.
Not knowing when and how we downloaded qubes means nothing, if it phones home the MAC address of my router they know exactly where I am and who pays my isp or gives them the name and address on the bank card that ordered my motherboard. You see this is the kind of thing that would actually make me worry about qubes. I am sorry if you really believe this but this is the exact kind of thing I would expect to hear from a honeypot. Just convincing enough to fool a clueless person but such an obvious bad assessment.
Again none of this would matter if qubes was a honeypot. You are not going to outsmart a nation state typically. Short of going thru every line of code before boot and then capturing it during updates and inspecting that, there is really no way to know if you are beat or not.
At least not for a regular person. I guess you could sniff the packets going in and out of the PC and check them all out but that doesn’t sound doable for a typical person.
Yes and you can read all about the acts of congress and yet people still don’t believe the government passed indefinite detention and made propaganda legal within the United States by modifying the Smith/Mundt act because most people refuse to read anything but a magazine.
I made the suggestion up above and I will make it again. Even if this is a honeypot and you want to catch more flies I suggest a Source code discussion topic like general discussion and user support.
This would go a great way in inspiring confidence. People could coordinate and maybe form teams to divide the code and go thru it. Maybe there is a place for this already but if so a link to it would be appreciated.
If people are going thru thousands of lines of code it would be easy to miss something or bury it at the end and hope the investigator falls asleep before they get to it.
I mean how many lines of clean code would you go thru before you give up and decided it was all good? I don’t know but a game theorist does and they would be on the staff should qubes be a honeypot.
**Word on the street is there are millions of dollars in reward money should someone find ways into qubes. If so don’t be surprised if people don’t offer them up for free for patching lol.** I would bet my life that if qubes has not been opened up for the US government already there are teams of people working for money printer go brrrrrr money working on finding them.
Again this is very naive thinking and very governmentesque to throw around conspiracy loons to try to discredit the discussion by lunatic proxy. Not that you are doing that but it seems like it is a possibility.
If qubes was a honeypot who do you think would control the forum? Have you seen how censorship works these days? For all I know I am talking to bots and my account has been flagged to be invisible to the real people on the forum. So no, lack of threads about it proves nothing.
I could show you how it works, maybe I will make a video and upload it but here is how it works. When I go on YouTube I have been put on a list that only lets me talk to bots or people that already agree with me. I know this for a fact because I can go on the exact same video on a friend’s account or on a random tails account and I can not see any of the comments that are not the official government narrative.
So saying if qubes was a honeypot you would be able to tell from reading the forum is just nonsensical. I’m sorry and I mean no offense but damn.
But thank you for at least trying to address the issue with logic and reason even if I believe it is very flawed. The simple fact that you resorted to reason and logic is enough for me to respect the hell out of you. Provided you’re just not a government agent doing a bad job and being paid way too much for it hahahaha.
But seriously I salute you!
I agree the delivery does seem crazy but again I’ll state that I did not create this thread, that would be insane. This was a comment on another post that was written on a whim and later forked out here for general discussion by a mod. I assume they thought it could lead to good discussion and it appears they were right.
Also to repeat I made no claims here, I simply asked someone if they had considered it in a reply to their comment.
I feel your pain and know the feeling. It seems “agree to disagree” is not an option for most people these days.
Pretty much everyone hates me now because I think Trump and Biden are both terrible. I would vote for a monkey that could flip a coin over either of them any day.
I take pride in my ability to change my mind when I receive new information though so I am not the type you can’t win with. I appear that way to some but it is because I have thought deeply about every belief I hold so I am not so easy to sway. It’s easy to change someone’s mind with one conversation when they have only ever had two thoughts about something.
Oh I understand that but that may come across to most as well as it does when your parents tell you you will understand when you grow up.
Also I would be surprised if any member of the qubes team has gone thru every single line of code in every single update and utility. I very well could be wrong and I hope I am but I could see it as a possibility.
Maybe if I knew enough I would know an easy way to check the code but that would probably only help me to be confident that the qubes devs are not trying to hack my bank accounts. There are probably not many here including the devs that could go thru the code and be sure a team of government super geniuses did not hide some extremely elegant never before seen hack in there somewhere.
I guess what I am missing is a sense of who the devs are. It would be easier to trust people if I had a clue who they were or what they stood for and that is something I would need to learn over time. First I need to get my qubes working before I can look into the philosophical beliefs of the devs unfortunately.
Again I would understand this viewpoint had I made this thread but with the context that this was a reply to someone else in their thread asking why qubes Firefox failed a basic security test I would hope I still wouldn’t come across as bad faith. I think maybe if we learn nothing else from this we should learn that it should be made obvious to people when a thread is forked to its own thread because I do not appreciate the hate coming my way for something I did not do. It would be deserved if I had made this thread but I simply commented on someone else’s post and now I am catching the flames. Also learn to read people, reading comprehension is a good skill to have and it is very clear in what I wrote that I was not making any accusations. I simply asked if the person considered it.
Also nowhere in any of this do I claim that qubes is a honeypot.
I have not got this much crap since I asked what if the Covid vaccine is dangerous and not doing any of the typical testing is a bad idea before giving it to every person in the military and people with less than a 0.01% chance of dying of Covid.
@anon11917472 I wish you could have made your point without peppering it with unrelated issues that are totally off-topic here but might invite others to share their opinions about these topics. In that case we will have to moderate your post and the replies to keep the conversation on-topic.
This has nothing to do with agreeing or disagreeing with your opinions, or freedom of speech or any such thing. We simply want to keep discussion in this forum limited to the topic of the forum.
If I understand correctly, the line of thought you’re suggesting is something like this:
“If there’s a backdoor in the code, then it will be hidden. It may be so well-hidden that no one finds it before it causes harm. If a backdoor can still exist and cause harm in open-source code, then code being open-source is of limited value.”
To which my question is: Relative to what alternative?
You can either use open-source software, where you have a chance of finding anything bad, or you can use closed-source software, where you have no chance at all.
You can make laws against putting backdoors in software, try to catch offenders, and punish the ones you manage to catch. You can try to persuade people that it’s wrong with moral and political arguments. None of these methods is perfect, and they’re not mutually exclusive. Are you suggesting that since there is no perfect method, we might as well not bother with the decent-but-imperfect ones available to us?
That’s because Qubes builds aren’t fully reproducible yet (see #816). You can read about the latest progress here and here.
Others have already provided a lot of other good considerations. For example, @unman’s reply is a lot broader than just the code being open-source.
Why don’t you do something about it, then? If you don’t have the skills to read the code yourself, start contacting people who do and try to persuade them to audit the code, even just a small part. Many hands make light work. If you have financial resources, hire companies or individuals to audit (parts of) the code. Spend time making content (e.g., videos, podcasts, articles) that provides value to security experts and engages them so that you have a platform for encouraging them to get interested in the project and look at the code. Go on other forums, subreddits, and social media platforms to engage with people about Qubes. Help spread the word. Do something about it.
@unman is simply going through several possible ways in which Qubes could be a honeypot and discussing each one. Neither he nor anyone else has suggested that the fact that Qubes ISOs can be downloaded anonymously is the main or only piece of evidence that it’s not a honeypot. He is not “fooling” anyone. He’s giving a frank assessment of several possibilities. His assessment is also not a bad one, since it is true that an entity who wanted to track downloads would not allow downloads over Tor and VPNs from multiple independent mirrors and via torrents. Your argument here seems to be based on a basic misunderstanding of the way in which @unman’s post is written rather than any substantive disagreement.
In that case, it sounds like your only viable option is to use an OS from an organization that has enough resources to compete against the US government, right? I’m guessing only Microsoft, Apple, and Google would stand a chance (and maybe not even them).
Well, I’m not a bot (AFAIK), and I’m replying to you, so there’s that, at least. If you think the forum is being controlled by nefarious entities, why not take your concerns to another platform that isn’t under their control?
Just to clarify, you’re saying that since you don’t see any comments that disagree with “the official government narrative,” this is proof that such comments exist but are being intentionally hidden from you? Have you considered that maybe instead no one else made any such comments?
How would it get into the code in the first place?
I’m a bit surprised by this line of thought, given your earlier remarks. If you’ll indulge me for a moment, I’d like to reflect (what I perceive to be) your own thought process back to you regarding this specific topic: Even if we provided a detailed bio of each Qubes dev, how would you know it wasn’t just made up? Even if the Qubes devs recorded videos or did livestreams where they answered personal questions, how would you know it wasn’t all staged? Even if you went to a conference and met the Qubes devs in person and shook their hands, how would you know they weren’t just paid actors?
At the end of the day, all that really matters is the code that runs on your machine, and all that really guarantees it is the fact that it was signed by certain cryptographic keys that have a sufficiently long history of signing things that consistently turned out to be trustworthy. Joanna used to have a saying: “We are the PGP keys” (in reference to herself and the team in their capacity as Qubes devs). So, while the devs are real people, and their beliefs absolutely do matter, there is also a sense in which, from your perspective as an end user strictly evaluating your own threat model, they are basically synonymous with their signing keys.
That’s fair. I’ll add a notice to the top post indicating that it was forked from the other thread.
I am not making any suggestions or accusations. Also Windows, MacOS are without a doubt full of backdoors. The fact that we are even debating QubesOS puts it far far above mainstream Operating systems. If I was to make a suggestion it would be for people to learn all they can, or find someone they trust, on security and censorship evasion ASAP.
Good to know. So that means that when Plexus said this
He was incorrect and this is not a way to find out myself. I did not even know what that even means but it sounded awfully convincing.
I am considering doing something, I made a suggestion for a source code audit section of the forum and I would participate if one is created. Also there seems to be a misunderstanding here, I did not make a thread asking the world if they have considered that Qubes could be a honeypot.
Someone else made a thread asking why Qubes default Firefox failed almost every area of a basic browser security test. I commented and asked them if they had considered that Qubes could be a honeypot.
I had not given it much thought before because I do not care really because I am not using Qubes for security, I am using it to keep organized in the information war that is going on.
I would be interested in helping out with source code auditing if there was a topic for it like General discussion or user support.
It is just strange that people keep saying the code is open go audit it but not a single person has said they have audited it.
This would actually be evidence to me that Qubes is not a honeypot. If it was I would expect many bots to step in to say "I have audited the code and all was well."
The code being available for audit and people not bothering to do so would jive more with a reality where the project was on the up and up.
I don’t know how to audit code but I am good with logic and organization so maybe I could be useful by congregating the code and keeping track of who has audited what and what has been vouched for by multiple people as well as organizing audit of updates and such. An audit would be useless after all if pieces were missed or only audited by one person.
We will have to agree to disagree on this one, I stated my reasoning above but I will give a brief summary here.
What I am saying is everything he said is irrelevant because it is a false correlation. My example was logically sound. It would make no difference how you obtain your Qubes ISO if it was a honeypot just like it made no difference how you obtained an Anom cellphone. The governments were not tracking the people who bought Anom phones they were tracking the activity that was done on them and the telemetry from the devices. They would not need to know who is using an Anom phone or qubes, they would get plenty of info by having total access to what it was being used for. With the Anom phone they did not arrest people that bought them for legal activities they arrested the people that bought them and used them for illegal activities.
That might be the only viable option for criminals but I am happy with using Qubes. Qubes provides me with what I need honeypot or not. And again I made no claims that qubes is a honeypot, I simply asked one person that was complaining about the default Qubes Firefox if they had considered that qubes may be a honeypot. My personal opinion is that it probably is not. I explicitly explained my opinion in my second response on the original thread this comment was forked from.
I don’t think the Qubes forum is run by nefarious entities. I said if it was the lack of posts about Qubes being a government OS would not prove anything because they would obviously be deleted if any were posted. Therefore the lack of said posts is proof of nothing.
Sorry and no that is not what I was trying to say. I was not talking about the qubes forum there I was speaking to how censorship works in general as proof that lack of posts on the forum would be proof of nothing.
It appears that the people in power have realized that people get angry when they are censored so they have moved on to a more elegant and sophisticated form of censorship.
It appears that they are using people’s data to determine who believes what and then letting them talk to each other so they don’t notice they are being censored from anyone that does not already agree with them.
As evidence I look towards youtube. On youtube when I am on my personal account I can look at a video, a story about a football player dying on the field for example and every other comment is asking if he was vaccinated against Covid or claiming the vaccine killed him.
If I jump on youtube without an account for example in a fresh DispVM or at the library I can look at the exact same video on the exact same youtube channel and not a single comment will mention the Covid Vaccine.
So with that in mind I would assume that if qubes was a government honeypot they would have a similar system.
For example if an account mentions the word honeypot they are flagged and kicked over to a system where their posts are only visible by agents so they do not know they are being censored.
I just said this was possible on the Qubes forum, so lack of posts was not proof of anything. I do not believe this is how Qubes works because I am on Qubes through Tor and I could see this post before I log in. Could it still be the case? Sure, but it is at least not obvious if it was.
This makes sense if you understand that I do not believe Qubes is a honeypot. It would be more likely that one of the devs would be an agent that would insert code written by a team of government programmers into the code and the other legit devs would not have the ability to notice.
If a team of programmers was making a backdoor for Qubes it would probably take advantage of a security flaw that was unknown to the public, therefore unknown to the legit devs. Maybe something like making it difficult to install Qubes without a swap partition because the government has access to the bridge between memory and swap. I am just making this up, but it’s just an example of how devs could miss an exploit if they have no knowledge of what hardware systems are compromised, etc. etc.
I wouldn’t “know” anything but I would have a sense of their motivations and goals. I am sure many have attended those and do have that sense and it influences their outlook.
But like Socrates, there are very few things in this world that I know to be absolutely true. Kurt Gödel’s incompleteness theorem and Wittgenstein’s beetle in a box thought experiments helped me avoid a false sense of certainty about most things.
I know I exist. I can thank Kant for that. “I think therefore I am” is the common quote, but what he really said was that to doubt that I am thinking is still thinking, so “I doubt therefore I am” is a better axiom.
My heroes in life are people like Chelsea Manning, Daniel Hale, Julian Assange, Edward Snowden and anyone else willing to tell the truth or do the right thing at great expense to themselves. People like the creators of the Pirate Bay as well. So having a sense of who the devs are would go a long way, and it is my fault I do not have one, which is why I would never accuse Qubes of being a honeypot. I don’t think it is and I think I made that pretty clear. If I was a dev, though, and I had not been approached by a man in a black suit offering me millions of dollars to slip a piece of code into Qubes, I would be seriously thinking about the reason being because someone has already slipped that piece in.
I don’t know the technical details and maybe this is not possible, but it seems like a reasonable worry. In many places, England for example, it is illegal not to give the government access to your PC and passwords, so they would probably have issue with Qubes if they really had no way of getting in. I guess they can get in if they have physical access to the system, so there is that, but it is still something I would ponder.
I understand this but have also read several places that Qubes is not only for people that have the technical chops to evaluate source code. To them, including me, the main factor will be judging the situation on perceived priorities of the developers. This is what I have based my assessment on and will continue to be the case until I learn to assess the source code, which will likely be never because I will never be able to outsmart a team of the best minds in the world should they be the ones given the task of infiltrating Qubes.
For example, if the founders of the Pirate Bay were involved in Qubes development I would know that people I can trust to sacrifice for the little guy are involved. I assume the Qubes devs fit into this category as well, which is why I don’t believe Qubes is a honeypot. I do think it is something people should consider though, especially if they are discussing results of a security analysis.
Thank you very much. I believe it was important context that means the difference between me appearing to be a lunatic and me appearing to have critical thinking skills and a helpful attitude.
In closing I will just try to be very clear.
I greatly appreciate what the devs are doing with Qubes and consider them to be doing the world a great service at great personal expense.
I did not claim that Qubes was a honeypot at any time; I simply asked someone that was asking about weak default Firefox security if they had considered the potential that Qubes was a honeypot.
My personal belief is that the Qubes devs are genuine but that many governments and people would be extremely motivated to get a way into Qubes systems, so remaining ever vigilant is a necessity.
I believe others have mentioned this quite a bit and is extremely obvious given the lengths many have gone to to ensure that no human can have any anonymity, privacy or communicate a thought to another human without them knowing about it and scrutinizing it.
I also believe it would be a good idea to have a Qubes forum section like general discussion and user support for something like source code auditing where people could coordinate and discuss things. People could coordinate efforts to break the task of auditing bulk lines of code into smaller pieces; as you and I said, many hands make light work.
It could be discouraging people not to bother because it is such a large task, but could promote people to take it on if there was a way to organize the efforts so that people’s efforts were not overlapping, potentially missing the one piece of code that is compromised.
It is a huge task and could be seen as a waste of time if one expected to not gain any peace of mind at the end anyway. Inspecting the code would be meaningless if you did not keep up with new updates and such. In an update something could come in, do its dirty work and delete itself before people got around to auditing it, I would assume. I could be wrong, obviously, because I do not know how that stuff works.
Another thing I would suggest is that maybe Qubes could have some built-in features for monitoring security or a guide section of how to set something up for oneself. This stuff is pretty easy to do on Arch Linux, but on Qubes I don’t even know where to begin because it is hard to get a sense of what is doing what and what is done on a VM basis and what is done globally by dom0.
Things like a default of having Nyx set up to monitor Tor traffic would save people collectively maybe thousands of human hours trying to figure out where to even put Nyx in a Qubes system. This is just an example; I have not even tried yet because I am still working on understanding far more basic stuff than this, but it was very simple to do on Arch. It was also easy to set up a system for knowing what and when something was trying to write to disk, but with Qubes I don’t know if I need to set up a system for every qube or just a system for dom0. Should Nyx be on my dom0, sys-firewall, sys-net, sys-whonix, all things that are very complicated for the non-technical users that Qubes is claimed to be for as well.
I don’t know, these are just thoughts, but I thank the Qubes devs and will be working on clearing this stuff up for the layman when I figure it out for myself.
Thanks for all you do, and please don’t take my comments as casting shade; I am just trying to do what little I am qualified to do to help, which is working through some critical thinking from an autistic layman’s with a good memory and somewhat realistic worldviews perspective.
Also, to beat a dead horse, I never intended this discussion to make it out of a few comments on someone else’s thread.