Qubes ready to install for Journalist-Human Rights workers

What I want to show in part of the “Trail Guide,”
Options the user should first do in which order.
Login.
Update being the goal;

(Option; How to start a Jqube that has Open VPN installed, to allow them to enter login to VPN provider. Tell the user where to look for an option on the screen. Which option to choose. To get into Qube for VPN.) Need a setting made to use VPN for Update. Where is point to click. How.

Where to look for “Update Icon”, What to expect after Update starts.

I start with the idea of a rigid path for first time users.
Get Online.
Update.
Start Jdisp to get needed information from other places on Internet, email/web pages.
Copy that needed information over to a JQubes app, (probably based Work Qubes. This Qube Offline always, which has software added to facilitate effort. I have a list, but anyone want to build the list,

Someplace in there must be decryption and encryption software. Whether Split-GPG. or just do it. Things outgoing onto Internet or a USB. Like put all the outgoing into one folder, copy it all over to the Outgoing Jqubes. Which is a disp.

Then there is having a Vault, copying things into Vault.

Documentation at the point in time where it is needed.

I could be off base, but it seems like much of what you’re proposing is to make the installation and use of Qubes OS a “seamless experience” for journalists. That seems like a good thing.

As a rough example, if the journalist needs to launch a specific qube, why call it qube? Just have a button on the desktop for “Research / Download” and the other activities the journalist performs. The button would link to necessary qube, which could be set up at installation with installation manager interface with drop-downs.

The current publicly-known ways that someone remote can detect Qubes OS:

  • If they manage to get into dom0, and then run cat /etc/os-release or uname -a
  • If they manage to get a shell inside a VM and run uname -a (the standard VM kernel name has the word “qubes” in it)
  • If they manage to do a traceroute or arp -a from a shell inside a VM (they’ll end up seeing that it passes through 10.137.X.X)

Basically, if they manage to get a shell :joy:

Feel free to add more, or correct me on any of these :slight_smile:

———

The reason I was asking the questions before was because I was trying to see if there were things that could be done to Qubes OS to “idiot-proof” (or at least “idiot-mitigate”) it for people in that industry.

Not suggesting that they’re idiots. Quite the opposite, actually. The level of intelligence and street-smarts that would be required is at a level that most industries would think impossible :slight_smile:

But everyone has moments of complacency from time to time.

Maybe they open a file in the wrong VM because they’re tired or distracted or multitasking too hard.

Maybe they don’t see any reason to do things “the Qubes OS way” because they’ve “never done it that way before, and have never had any issues”.

Stuff like that can be turned into very helpful automated user interface changes :slight_smile:

2 Likes

Is there anyone here who is a trained Network Engineer, who is currently working keeping servers properly updated with security fixes?

Which lets out some former, very highly paid Network managers for major credit evaluation companies, Hate to mention names. Companies which have everyone’s personal data that is used for loans, credit.

Like someone who would know how to rig a connection in a hotel to spy on folks? Or how a three letter agency would go about figure out who we? get into our lives?

It makes me wonder at what stage is the topic of implementing an introductory tutorial for qubes os stuck?

In my opinion, it would be possible to leave a tutorial called “for journalists” on the desktop by default, which would contain the most useful links relating to Qubes documentation: configuration of disposable containers, configuration and use of whonix, configuration of pgp and its use in thunderbird.

I don’t need to know cars at an expert level to buy and use it.
The same should be the case with Qubes: after installing qubes os, the system should display any tutorial, because this system is very different in the way of use compared to other systems.
We should not think that privacy should depend mainly on the user.
Privacy and freedom should be a duty, not just a privilege for those who understand the problem and are looking for solutions :slightly_smiling_face:

1 Like

I will attempt to answer these questions and other questions in this thread here.

I would roughly say there are two categories of Human Rights Defenders (HRDs) who need Qubes OS. Category 1: Human rights advocacy groups based in the West, but working for causes all over the world. Category 2: Human rights defenders and advocacy groups in the country they are advocating or living under weak rule of law. They are less institutionalized and often include high profile leaders. Things are more personal.

Both need to defend themselves, their data and their contacts. Category 1 HRDs have better access to resources. Those with good financial resources and good know how (Category 1-A) are reliant on Microsoft services or similar cloud services for their collaboration, conferencing, file storage, and emails. Post-pandemic, there’s a move from own servers to fully-cloud based. They could have a full-time IT staff. They could have remote management/control of the lockdowned Windows laptops. They may have some IT training, and some phishing simulation. Their IT staff can’t justify ditching Windows (or Mac) for Qubes. Many could be locked-in to Windows with remote management. IT staff and NGO leaders have doubts around the benefits vs. usability of Qubes OS, its manageability across an organization, and whether the unknown threats justify moving to Qubes OS.

As for category 1 HRDs with limited resources, and most category 2 HRDs, they have less resources or less know how at the leadership level or lax policies in place. These are the majority of people. They would be struggling to find the right approach. Staff are usually free to use whatever they want - Windows, Mac, Linux or Qubes OS. Things are getting worse for category 2 NGOs as rule of law continues to break down in many countries around the world. Qubes OS and the Linux environment is cost efficient and they would go for it if they knew what they were getting into.

The following are 3 organizations that provide workshops and attempt to build capacity: www.smex.org www.7amleh.org www.cyberpeaceinstitute.org

There are many more of course. The approaches and context of each of these organizations vary significantly.

I personally presented in 2019 and 2021 in one event in the Middle East about virtualization and about Qubes OS to HRDs from Category 2 – from the field -, in Arabic. Participants were from across the Middle East and North Africa. After my talks, I felt that what I shared was flying above the heads of the participants. FYI I also did an introduction video in Arabic that got 3000 views which is quite good for an Arabic language video. Qubes OS مدخل إلى نظام تشغيل كيوبز الجزء الأول - Invidious I also did a full-install video that got around 1000 views. Qubes OS مدخل إلى نظام تشغيل كيوبز الجزء الثاني - Invidious.

Language also hinders knowledge about Qubes OS. Under one of my videos, there were requests to make additional Arabic language content on privacy and security that is available in English elsewhere.

I’ve spoken to many people about Qubes OS and about Graphene OS. I’ve seen trainers discuss these in sessions. The problem is that it’s too vague and conceptual for them. The expectation is that phones and laptops work out of the box. HRDs need a person to talk to, a human being, and they need a presentation. They don’t need guidelines. They need support. This is beyond the mission of Qubes OS. There’s an illusion that the newest OS is safe from government hacking, an illusion shattered every now and then when a hack becomes known. But the illusion endures.

Major hurdles that are prohibitive for HRDs: finding the right laptop (specs, fully compatible) especially in low-income countries (most cannot safely ship Insurgo / Nitropad laptops to their country), installing Qubes (from downloading and verifying the ISO, to the install process), the initial setup even if it’s a basic and simple setup of one Qube for all activity (including setting up MS Exchange emails or Protonmail email bridge or installing Zoom and other proprietary software necessary). No amount of guides can solve this.

The reality is that Qubes OS is competing with Apple Macbooks. Macbooks have topnotch security for a mainstream device. The main difference with Qubes is that it comes ready to use with a much smaller learning curve if you were coming from Windows.

Michael Bazzell said on his Privacy Security and OSINT podcast that he had tried Qubes OS and concluded that it isn’t for the majority of people. He recommends Macbooks for security and Pop_OS for privacy. Source: Episodes 264 or 265 of his podcast: The Privacy, Security, and OSINT Show. (His comment is what made me write the article in his publication Unredacted Magazine which, to my surprise, had over 50,000 downloads in previous editions.)

The Hated One in an interview with a Graphene OS developer said: “Before Graphene OS, I tried to use Qubes. The problem with Qubes is that there’s such a steep learning curve, and not just when you try to install it – that’s actually the easiest part – but when you’re trying to use it on a daily basis, it’s gonna drain your battery and you need a beefy machine also the usage. But Graphene OS is so simple. I can use it as my daily driver.” Source: Exclusive Interview With A GrapheneOS Developer - Invidious

No one is complaining that the documentation is insufficient. The problem is that using Qubes OS currently requires a learning curve that challenges even the IT security and privacy communities!

Human Rights Defenders (HRDs) and journalists already have so much on their mind. They have to think of the victims of violations, of protecting their sources, of funding for their projects, of their government harassment, etc. As a result, they have very high expectations that their laptops work out of the box. I work with such (wonderful) people. For these people, the current state of the Qubes OS offer (high security, low usability) cannot compete with Apple Macbooks in terms of security and usability.

The best example of how useless guides are is setting up a VPN on Qubes. VPN is an absolute must because HRDs need their connection to “exit their country” before accessing the Internet. Tor is not an option for day-to-day emailing, conference calls, and cloud collaboration. Maybe 5% of HRDs I work with can figure out the VPN setup guides after wasting hours of going through the guides and learning basic terminal commands.

Another example is Zoom. It has become ubiquitous. How can one install Zoom and keep it up-to-date on Qubes? Even for me, it was a difficult experience (sudo dpkg -i instead of sudo apt install? Seriously?) There’s no guide for that. If someone wants to install and use the encrypted cloud service Tresorit, or the Proton drive, or Proton mail bridge, or Signal Messenger, how do you do that?

I am personally convinced of the relevance and importance of Qubes for HRDs. I stand by my assumption that a person is better off switching to Qubes OS if they decide to dump Mac and Windows for Linux - and learning the Linux environment.

But I am amazed at the deep divide between the Qubes OS community here, and the situation and expectations of HRDs who genuinely need Qubes OS.

I got 3 people I work with to use Qubes. I installed Qubes on their laptops and set it up. But I’m stuck now upgrading their system (2 are still on 4.0 by the way), fixing problems, updating their Zoom and other type of software, etc. I recommended it to more people but because I could not install it on their laptops and set it up fully (because of distance), they didn’t use it.

So what are the solutions? I will think of something and write it. It’s certainly not “more guides.”

A beginning of a solution could be the availability of certified laptops with Qubes OS all over the world, that include additional software pre-installed (Signal messenger, LibreOffice, VLC, digikam, and the likes). Like that, if I recommend Qubes to someone who needs it in an Asian or an African nation, I can also tell that person where to buy one.

These are some messy thoughts. I apologize if this was quickly written and if any part is unclear.

4 Likes

I am thinking I want to put a Documentation file on the desktop, and I think it a bad idea to put it in Dom0.

Anyone know a clever way to put a documentation file, or a link to a documentation file on the desktop that does not involve changing Dom0?

When I say a “Trail Guide” Take the user by the hand to guide through the steps of first using Qubes safely as a Journalist.

I intended to think of an exact. Do this to accomplish that. Find the Qube or program you need at this place on the screen. Open it (give expectation of how long it takes to open) What options the new user will see. Which one to choose. As much as possible, a rigid fixed path, so the user does not get off into worrying about other things. And as much as possible, for the new user to not install any application. clone up a Qube. Housekeeping stuff.

Open an App Qube that is offline, that has software already installed for working with Information. TXT files. document files. Photos. Video Files. Read emails. Write Emails. Decryption. Encryption Yes, this qube is cloned from somewhere else. But; I am not asking the beginning user of Qubes to clone up a Qube, install all the correct software.

In first disp Qube, you can do these things. Obtain information to work with: Off the internet. Off USB. Documents. Emails. *but not opened Emails." Files. Photos. Videos. and place them into one folder.

Then Swoop copy all that folder into the second Qube. An app Qube which is offline, and where the Journalist can work with all that data as they choose. Decrypting. Reading. Examining. Then choose which parts to save in the app Qube. and or the Vault. One might use an auto-generated name for the folder copied to App Qube which has a date-time. so it does not accidentally get deleted.

Obviously the information the Journalist wants to go back out into the big bad dangerous world. He will put into another folder. and copy to another disp Qube.

I would be really glad if you see a better: The Trail Guide will take the user through the early uses of Qubes to allow full use of Qubes.

Here, I left out some details that would be in the; “Trail Guide” (maybe I need a more descriptive name?) that are obvious to an experienced user of Qubes.

Actually, that brings up another point. I have had some odd issues doing Updates to Qubes. I found that doing Updates to other versions of Linux sometimes were solved by using a VPN. Some ISP’s seem to be messing with the connections used for Qubes. Perhaps it is only a timing thing.

Which is why I mentioned in an earlier version of the “Trail Guide,” a Qube already created to allow for the input of OpenVPN credentials, for a VPN to aid in Updates.

How I do not intend to repeat what other Guides have.

One: I intend to tell the new user where on the screen they can find the point they click to go in the direction I intend them to go.

Two: As much as possible I want to have created for the new User, already created jQubes which have all the bits and pieces they need at that point.

Such as:
Software for OpenVPN. (although each VPN has their own documentation for the user.)

Software installed in the first disp (input side of system). to catch email. surf the web. A folder to save whatever the Journalist chooses to work on. (in an offline Qube)

Obviously the Offline Qube has a bunch of software to facilitate for the work up of information. Decryption. Encryption. Working with emails. Documents. Photos. Videos. taking care of passwords.

I have not made any effort to allow for things like a video chat. Which off the top of my head. Belongs in a Qube by itself. Once again, the Qube should be already created for the new user, with all the needed software installed, updated for the new User. Like always, I am open to be wrong on that too. I never knew there was a resurrected version of Zoom. Used to be I thought to avoid Zoom, as it went through servers in China. I do not have anyone I want to video chat with, so I do not think along those lines.

I may be completely off the point of what is needed. On one hand I want to think like the new user. I got this thing loaded. Started. How do I get online? and why do they say Qubes is so much safer? How am I supposed to accomplish that. And the current guides/Documentation seem to go on forever.

All that Documentation for the new user to keep in mind while he is trying to - also put software into an App Qube. And . . .

Someone mentioned “Secure Drop.”
Secure Drop is used as a name in two different uses. One is a Tor, Onion side connection to send messages to News Organizations that have signed up. Like the New York Times. Well if you go to that version of the Secure Drop website, they have a list of news organizations to send stories, or news tips, hopefully without anyone else being aware you sent the info.

The other use of Secure Drop was a software system, which I think is no longer maintained. Where two Physically different computers. Both with the same Operating System. (Then it was Windows, or Mac) One receives information off the internet. Then the information is moved over to the second computer (which is air-gapped) which is by a physical Medium. Flash Drive, or. . . . Something like this is being done in Qubes. Each Qube representing a different isolation of information. There may be an application for Linux that does this in github I missed?

I am not really working on this project for another two weeks. So like the others posting here, this is off the top of my head. Be good to get some criticism of why my idea does not work.

Once again, I am open to be wrong, I frequently am.

2 Likes
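The folder hand-off described in the post above (collect files in a disposable qube, then copy the whole folder under an auto-generated date-time name into the offline qube), as an added example that is not part of the original post and not Qubes OS's own code. `qvm-copy` is the real Qubes tool; the function names, the `batch-` prefix and the `MANIFEST.sha256` file are hypothetical, and the checksum manifest goes one step beyond what the post describes.

```bash
#!/bin/bash
# Added example (hypothetical helper names). Run inside the disposable qube.
# Usage: ./stage.sh INBOX_DIR STAGING_ROOT

# stage_batch INBOX_DIR STAGING_ROOT
# Moves every regular file from INBOX_DIR into a new folder named
# batch-YYYYmmdd-HHMMSS under STAGING_ROOT, writes a SHA-256 manifest
# next to the files, and prints the new folder's path.
stage_batch() {
    local inbox="$1" root="$2" stamp batch f sums moved=0
    [ -d "$inbox" ] || { echo "no such inbox: $inbox" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    batch="$root/batch-$stamp"
    mkdir -p "$root" || return 1
    # Plain mkdir fails if the folder already exists, so an earlier
    # batch is never merged into or overwritten.
    mkdir "$batch" || { echo "batch already exists: $batch" >&2; return 1; }
    for f in "$inbox"/*; do
        [ -L "$f" ] && continue      # do not carry symlinks across
        [ -f "$f" ] || continue      # skip sub-folders and an empty glob
        mv -- "$f" "$batch"/ || return 1
        moved=$((moved + 1))
    done
    if [ "$moved" -eq 0 ]; then
        rmdir "$batch"
        echo "nothing to stage in $inbox" >&2
        return 1
    fi
    # Hash first, write the manifest afterwards, so the manifest does
    # not list itself.
    sums=$(cd "$batch" && sha256sum -- *) || return 1
    printf '%s\n' "$sums" > "$batch/MANIFEST.sha256"
    printf '%s\n' "$batch"
}

# verify_batch BATCH_DIR
# Run in the offline qube after the copy: succeeds only if every file
# still matches the manifest written in the disposable.
verify_batch() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# send_batch BATCH_DIR
# Hands the folder to qvm-copy; dom0 then asks the user to choose the
# target qube, so the script itself never names a destination.
send_batch() {
    if command -v qvm-copy >/dev/null 2>&1; then
        qvm-copy "$1"
    else
        echo "qvm-copy not found (not inside a Qubes VM?)" >&2
        return 1
    fi
}

# Only act when called with both arguments.
if [ "$#" -eq 2 ]; then
    batch=$(stage_batch "$1" "$2") && send_batch "$batch"
fi
```

In the offline qube the folder arrives under `~/QubesIncoming/<source qube name>/`, where `verify_batch` can be run on it before any file is opened.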

Wissam,

As I re-read through your post. I feel I should more directly speak to the needs that you are bringing up, as opposed to my advocacy for my project. Qubes -Ready to Install for Journalist-Human Rights workers.

I have installed Mullvad VPN - GUI App, in a Qube and it works. No need to do anything with Terminal. Or Open VPN. I mentioned creating a Qube with OpenVPN because someone on the forum said that they felt OpenVPN system was maintained by several hundred people, versus a VPN App which is likely maintained by two people. The GUI Mullvad App makes it easier to switch between different countries.

I am aware of someone who has created a Qube which allows one to substitute into using as sys-net. That is for being used with Open VPN.

Not sure how many other VPN Apps could be installed into Qubes. I have used Proton VPN on a former iPhone.

What I did not like about installing Graphene is that the tutorial did not tell me how long some parts of it would take. At the first several times I installed Graphene I felt frustrated, angry. As I think back, it was pretty easy. Installing some Apps proved so difficult I returned to the Android.

I feel sure you have heard of TAILS Linux, a live version of Linux based on 64 bit Debian. Might be fruitful to ask at the Tails Forum for description of how to install those Application bits of software you need, rather than trying to use Qubes.

There is a Linux Distro, Easy OS. Can be run as a Live Distro. Likely runs on nearly any hardware (which could be a security hazard, but a lot of countries which have HRD, don’t have the skills of the NSA either.) I would be more afraid of being beaten for passwords.

EasyOS uses Containers for Security.

You may find on first start up, some software is not there, but can easily be downloaded and auto installed. The explanation of why it is not there may be very interesting, in that it usually involves a choice to stick with FOSS, and avoid a security issue.

While EasyOS does not have a thousand people who do a security audit on it. The intent seems good.

If you need any software, App that is not available in the EasyOS repository, then ask the forum to give you a hand. It is a friendly forum. If I don’t fall asleep this afternoon. I could see if I could install Mullvad App, The GUI, not the OpenVPN with terminal entries this afternoon.

Either of these live Distros, Tails, or EasyOS is likely safer for a HRD than Windows.

Download from here:
https://distro.ibiblio.org/easyos/amd64/releases/dunfell/2022/4.2.3/

https://easyos.org/

https://www.forum.puppylinux.com/viewforum.php?f=63

That would make sense, actually.

I had a feeling this would be the case….

Especially when the internet infrastructure wherever they are working either deteriorates or gets more and more locked down…

“Virtualisation? I don’t understand… I was able to do my work just fine without it, so why would I need such an unnecessary extra step…?”

I bet you heard that a few times……

I know. I watched it, and it was extremely comprehensive. Maybe a little overwhelming for someone who “just wants to send and receive work emails and browse the web”, but still incredibly detailed.

I’d imagine accessibility would be a big challenge, too…. I’ve been in places where the public internet is censored and monitored heavily, all IP addresses are static, port forwarding requires a “background check”, and you basically can’t do anything online without verifying your ID. It’s basically a game of cat-and-mouse trying to circumvent their restrictions, and they constantly change their methods without any notice….

……so, people are comparing an Android fork to a computer OS? Wow…

I guess that’s one of the things that we need to address. If there are people out there who are genuinely comparing a mobile OS to a full-blown computer OS, then that means that they’re classifying them in the same category in their mind…

It’s because they often focus on what’s “under the hood”, rather than what that stuff could be used for in the real world. We’ve all understood what’s “under the hood”, and have been able to find real-world applications for Qubes OS based on our own individual needs, but we are unfortunately a very small minority of computer users.

I’d say that’s a fair expectation when you’ve got such an important job to do. You need your tech to “just work”.

There are things in the pipeline. They’re still a fair way off being production-ready, but they’re getting there….

Well, yes, but I can see some salt scripts being written to auto-configure an HRD’s machine.

Are they aware of how much stuff shoots out of your machine into the internet without your knowledge, consent, and without it being able to be stopped; when your machine runs “the latest OS”…?

It’s a lot, in case anyone is wondering :woozy_face:

Yeah, most of it is encrypted, and most of the time it’s reasonably “anonymous”, but it’s more than enough when amalgamated with other data (for example a hostile government could easily get useful insights from it), and sometimes they FORGET TO ENCRYPT IT!

Are they worried about compromised firmware, or is it purely a cost and access issue?

Yeah, you do need a pretty beefy computer to be able to run Qubes OS and do anything meaningful on it, particularly RAM. I’ll admit that.

I’m sure that a lot of those things can be achieved with readily-available hardware that they’d have access to… (requires further investigation, of course)

I can see an “unattended install ISO” being very useful for this use case (as well as corporate IT). Boot from the ISO, and it automatically installs and configures everything for you, without the user having to interact with the machine at all.

But a salt script can :wink:

Yes. Every time the user does anything, a data packet shoots out across the internet to Apple saying “He just did this! She opened the document called ‘Damning evidence.docx’! He just turned on a VPN! She just opened the Tor browser!”

Top-notch security, indeed. And Apple collects all that juicy information for “bug fixes” :expressionless:

That is not meant to sound belittling at all. It is the unfortunate reality that the majority of the general public actually believe this, and it seems that the HRD industry is no different (which kind of makes me worry about HRDs in category 2!).

HRDs aren’t “the majority of people”, though :slight_smile:

Where do I begin with this……

“Before I used a phone, I used a laptop. It was too difficult, so now I use a phone for all my computing needs.”

(Not an attack, but yeah, it does sound completely ridiculous…)

But this part is pretty accurate. I’ll pay this one.

I wouldn’t say that it’s a “learning curve”. I’d say that it requires a lot of assembly and configuration by the user after install, which the majority of the general public don’t usually warm to.

But hey, potato, potahto :slight_smile:

I completely agree.

On a side note, it concerns me even more that they see Windows and macOS as viable alternatives, especially when they have so much at stake :scream:

Then I guess we need to come together as a community and figure out how to make Qubes OS more usable for HRDs :slight_smile:

The guides are so complex because they allow customisation of where in the Qubes stack you put the VPN.

But yes, I agree that it’s way too much, especially for someone who thinks that a VPN is just a way to access Netflix in another country, and there are things that can be done.

HRDs use Zoom? Seriously….?

That’s the equivalent of a drug dealer asking around for a hit on Facebook!

Yes, I can definitely see your point, and Qubes OS would need to be able to automatically mitigate those threats if they absolutely must use Zoom. The things that we would instinctively configure ourselves without a second thought don’t cross the minds of the general public, so this would be a good place to start in Qubes OS.

This would be a good thing to set up as an auto-configure option, even if it’s not part of the main Qubes OS ISO. Like, maybe in the Contrib repo.

That’s a good point about automation, particularly updates.

And you’re right about people you help install Qubes OS for neglecting their machine maintenance. So true. I’ve definitely been there…

  • Unattended install ISO
  • Qubes OS “Trail Guide” like what @catacombs is suggesting
  • Automated system maintenance frameworks (even if they’re basic)
  • Qubes remote support built in
  • Promoting awareness to HRDs of this forum for any and all tech support (we can help)

There will be many other solutions, too :slight_smile:

That would be awesome. A lot of hurdles to overcome to make it a reality, but would still be awesome.

——-

A script on the desktop that executes a qvm-run command, maybe?

I think that’s the most important one. It’ll create muscle memory for the user.

You can already do that in NetworkManager in sys-net. But you’re right. It isn’t exactly the first place people would look, especially if they’re used to downloading programs to connect to a VPN, instead of just config files….

———-

Is there anything to be said for creating, maintaining and hosting Qubes templates that are preconfigured for HRDs?

1 Like

I felt I could provide some definitions of some things in this thread, which those who have contributed to the thread probably already know. Where I am incorrect, please clarify.

Qubes Certified machines are a re-manufactured machine, with some specific alterations and components that have been checked over by the Qubes organization. The requirements are on the Qubes OS page. Or you can look at the computers sold by Insurgo, and Nitrokey which have a list of the changes to a standard from manufacturer (Lenovo) which have been made.

Besides buying a ‘Certified’ Laptop from either Insurgo, or Nitrokey, if you are the geeky type, you could accomplish most of those changes to create a Certified Computer yourself. I would be pretty certain that, for enough money, my local computer shop could create the equal to a “Qubes Certified Laptop.”

Insurgo is very generous in providing all the detail to what he has done. Nitrokey website has a forum which might be useful as well. The description of the link of the “How to” create a “Qubes Certified Laptop” is on this forum as well.

Actually one can create a pretty secure laptop that does not require all that effort. If one is in a country where one is at risk. If a computer shop, or a geeky individual built “Qubes Certified Laptops,” I suspect he would not make very many before the local power group came around to at least dissuade him. A lot of risk for the computer shop.

Notice that laptops which are used to build “Qubes Certified laptops” are Lenovo X-230, with either a Core I5, or a Core I7, and Lenovo T430, with several processors, (Maybe a Processor that does not work with Qubes) and likely the Lenovo 530 will work as well.

As you might notice, they are older, slower computers. Except for the Pandemic, many of these would be around for the lower prices for working laptops.

In the last year. I bought a remanufactured (hardware checked over) X230 for under two hundred dollars. A remanufactured Lenovo T430 for $130.00 - maybe because the Pandemic seemed over, and the seller needed to clear off his stock. The upgrades of RAM and some other things can cost a bit as well.

The Qubes OS has a web page, HCL which describes the laptops which are known to work, or which can be adapted to work, or don’t work at all with Qubes.

I suspect the bigger problems folks, even in the US, face is that ISP’s make connections for things like github, linux, strained. Hard for updates. Since doing updates over Tor would take, like days. I feel the need for a VPN.

Virtual Privacy Network (VPN). There are several services. Some offer some free inducements. In my limited experiences, free soon has speed limits, which I suspect is what the issues some have in using the services.

I had originally felt my version of jQubes could provide a Qube, with the basic software for OpenVPN, which most of the VPN’s interface with, already installed. Still, to use OpenVPN, one must copy and paste commands into the terminal.

Another instance where take the user by the hand, with step by step instructions, to get the VPN working. First one must have chosen a VPN service, and paid for it. Perhaps the Human Rights Organization, being outside the country where it is needed could make the VPN choice, payment to VPN. and create a jQube-VPN, which can be downloaded. with needed instructions in the local language to do the terminal work.

Perhaps easier, I know I can install the GUI (Graphical User Interface – point and click use) in sys-net. The process of install was abysmally slow, and I have to do it each time, by the method I used. I am not sure I have the correct place in Qubes for this. I know I needed to be near the top, so Qubes Updates go through the VPN.

First we need someone more technically qualified than myself to create a jQube-VPN, that has all the correct settings, and will install in the correct place in the hierarchy of Qubes for ‘Mullvad VPN.’ Then this JQube-VPN (Journalist Qube for ease of VPN install and use) must be put somewhere it can be downloaded from and auto installed. Who out there maintains a repository of Qubes would do that?

Perhaps Wissam, who has need of this for Arabic Speakers could write a small guide in Arabic to aid them in using it? Then this group could – I hope, accomplish Qubes Updates.

I am not all that technically qualified, and I have low energy with some old age health problems, which no one wants to hear about. So. Not Me.

More simply. If Qubes Developers felt it was safe, secure.

Install the Mullvad App into the software section for Qubes.

Now we are left with creating a -for beginners - “How To” create a Qube to run the Mullvad VPN. Correctly placed in the OS to use the VPN for Qubes updates. Yes, there are other VPNs, but they must have a GUI App to be useful in this.

Or perhaps, if that is unsafe, creates too big of an attack surface, Put the Mullvad VPN app -Qube in a place for many other Qubes to use while online.

The binaries you need to update the host or guest OS are all cryptographically signed, and they are downloaded using a secure TLS connection.

What is it you hope to gain by adding the VPN to the updates process?

It seems to me that forcing the system to use VPN if anything just makes it more likely that the update process will fail.

A fair question. My public computer face is a computer using Mint Linux. In the morning, I go to my local McDonalds restaurant to eat some breakfast, and since I do not have at home internet, to get online to discover whatever wonderful has happened. Sure could use a little good news today.

I start Firefox, where I have added a lot of Privacy Addons.

I go through the garden wall where the McDS website warns me of -something unknown could happen. (Cue sound of Thunderstorms. Dark Music) Click here to take the risk.

I can see news channels. Weather. I see Mint claims it wants/needs to update something. I click go ahead. Enter Password. and update gives an error message. Repeat sequence, same message.

I go to Qubes Forum. I login. I click on one of the Threads in the forum. I get an error message. I try Chromium Browser, Brave Browser. Same error message.

I start up a VPN.

Qubes Forum thread opens. Update will run.

I live in the US. I feel it obvious to me that some ISPs have a policy of blocking, disrupting, discouraging the use of Linux. AT&T programs the McDs public wireless service. They say they only block website links as directed by the McDs management. Not clear if that is the local McDs store, or nationwide. McDs used to have a message, “We are blocking this for the safety of our customer.”

To come clean. Several years ago, I was in McDs when a man came up to me and asked what I was doing. I told him I was downloading several different distros of Linux for later experimentation. He told me he used to manage a ‘Burger King’ where 12 or more young men sat in the store all day downloading movies. Never bought anything. Their presence discouraged other customers.

Still, when I hear of folks who have had problems with Downloads of Qubes, I suspect it is less likely a version of Qubes is not working, but rather the ISP is involved in some - Protecting their Customers.

This thread is about those who are Journalists, and Human Rights workers (Human Rights Defenders), some of whom live in countries where the ISPs are generally supervised by a power structure whose methods of acquiring and keeping power and control of the country are violent.

Perhaps HRD’s don’t need to Tunnel out of their countries internet with a VPN to do updates. Then again, I have seen times I need a VPN to run updates while in US. I am certain that HRD’s will need a VPN to accomplish their mission.

I read from Wissam that those who do the work of HRDs have problems with technical things. Probably also a language barrier, he mentioned Arabic. I am not surprised. I always suspected that Journalists, and Word Smith type people’s minds worked differently than Computer Types.

For anyone, working late at night to send a message. How easy could it be to send the message without encrypting it? That is, using any computer when tired, sleepy, even if they had a good background in Computers, could lead to a disaster.

I am astonished at what an excellent job the Qubes Developers have done with the level of resources they have. I am old, and very poor. All I can offer them is to repeat that last statement in a post. If a version of Qubes is developed for Journalists, that keeps that group in a safe use. Then Qubes will become the chosen OS of business travelers. And that group will have money to donate.

I have tens of packages that I have used and distribute to users.
Some of them are based on https://github.com/unman/shaker - they
provide salt states and automatically run on installation, to create new
templates and qubes as needed, and install and configure whatever
software is required.
I’ve just checked and the packages there currently will:

  • Provide salt states for Debian templates.
  • Create and configure a caching proxy
  • Set up split gpg
  • Set up split ssh-agent
  • Create an offline media store - files are automatically opened in a named “multimedia” disposable.
  • Create a system printer. (currently broken)

Any one should be able to examine these packages and see exactly what
they do - the salt is extremely basic (deliberately so) so that they are
transparent as possible.

I have additional packages for sys-vpn and Mullvad VPN - again these
packages create templates and qubes, and configure them as needed.
I’ll look through what else I have that might be generally useful, and
add it to the repo.
I’ve been using this process for a while.

The repo is available at
https://qubes.3isec.org/rpm/r4.1/current/dom0/fc32
Naturally the packages and repo are signed with my Qubes signing key.
You can access it (bearing in mind the trust issues) from any Fedora
machine, or with a browser.
It’s intended that you add my Qubes signing key to your management
machine (for most people that will be dom0), and create a new repo
definition e.g. :

[3isec-dom0-current]
name = 3isec Qubes Dom0 Repository (updates)
baseurl = https://qubes.3isec.org/rpm/r$releasever/current/dom0/fc32
skip_if_unavailable=False
enabled = 1
metadata_expire = 6h
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

I’ll check the status of the packages that are there - I know that
sys-printer is broken currently - and add more.

If anyone has ideas for other packages that would be useful like
this, I’ll take contributions or suggestions.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes
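An added example, not part of the post above or of the shaker project: a small audit for a repo definition like the one quoted, checking that every enabled section turns on package signature checking, points gpgkey at a locally installed key, and fetches over HTTPS. The function names, the `sample_weak` input and its `repo.example.org` host are constructed for illustration.

```shell
# Added example: audit dnf .repo definitions (files or stdin); returns 1 on any finding.
audit_repo() {
    awk '
    function truthy(v) { v = tolower(v); return v == "1" || v == "yes" || v == "true" || v == "on" }
    function report() {
        if (sec == "" || !enabled) return          # disabled sections are skipped
        if (!gpgcheck) { print sec ": gpgcheck is not enabled in this section"; bad = 1 }
        if (gpgkey !~ /^file:\/\//) { print sec ": gpgkey is not a local file:// key"; bad = 1 }
        if (plain != "") { print sec ": non-HTTPS source " plain; bad = 1 }
    }
    /^[ \t]*[#;]/ { next }                         # comment line
    /^[ \t]*\[/ {                                  # start of a new [section]
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        enabled = 1; gpgcheck = 0; gpgkey = ""; plain = ""
        next
    }
    /=/ {
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "enabled")  enabled = truthy(val)
        if (key == "gpgcheck") gpgcheck = truthy(val)
        if (key == "gpgkey")   gpgkey = val
        if (key ~ /^(baseurl|metalink|mirrorlist)$/ && val !~ /^https:\/\//) plain = val
    }
    END { report(); exit bad + 0 }
    ' "$@"
}
# Security-relevant keys of the definition quoted in the post above.
sample_from_post() { cat <<'EOF'
[3isec-dom0-current]
baseurl = https://qubes.3isec.org/rpm/r$releasever/current/dom0/fc32
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary
EOF
}
# Constructed weak input; repo.example.org is a placeholder host.
sample_weak() { cat <<'EOF'
[example-unsigned]
baseurl = http://repo.example.org/r4.1/dom0
gpgcheck = 0
[example-disabled]
baseurl = http://repo.example.org/testing
enabled = 0
EOF
}
sample_from_post | audit_repo && echo "post definition: no findings"
sample_weak | audit_repo || echo "weak definition: rejected"
```

On a real system the function takes file names instead of stdin, for example the files under /etc/yum.repos.d/ in the management qube.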

Renehoj,

Can you document how you set up VPN connection to always work?

I add the OpenVPN config file to the Network Manager and use this shell script from rc.local

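#!/bin/bash

# Wait until the VPN server answers a ping, i.e. the uplink is available.
while ! ping -c 1 -W 1 VPN-IP-HERE; do
	sleep 5
done

# Bring up the NetworkManager connection with id "proton", reading the
# username and password from the secret file.
nmcli con up id proton passwd-file /rw/config/NM-system-connections/secret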

It waits for the internet connection to be available and connects the VPN configuration with the given id, using the username and password from the secret file.

The firewall is set to reject all traffic not going to the VPN gateway.

If this is using Debian. Does the Wireless Adapter need to be one which works with Debian?

Hi. I’m late for this thread but I’ve been following it from the beginning.

Wow. For quite a while now I’ve been thinking about jQubes (before this thread existed) and considered making some “Trail Guides”. So it seems we are looking in the same solution space and came up with something quite similar.

The first thing is understanding journalists’ general workflow. I’d assume it goes from sourcing to publishing but there are many things in between in a journalist’s toolbox (think audio transcription software, VPNs, videoconferencing etc.). Then threat modeling and, according to the 2 previous stages, deciding on a decent configuration. For sure it’s not possible to have the perfect setup. But a good enough starting base would go a long way…

Ah. I had not noticed this was a project that was already planned. I’d be keen to share some thoughts or go for a synchronous meeting about the topic.

The tutorial’s code is published but needs documenting. I expect to have more news around September.

Thanks a lot for sharing your insights into the HRD’s field. I think there is a clear distinction between journalists’ threat models and HRDs’. Qubes does send out a lot of traffic (e.g. when updating VMs) and doesn’t have MAC randomization and other kinds of protections that may be essential for HRDs and certain journalists. The simple fact that Qubes is not on a hidden volume can be life-threatening if the device is inspected and using something like Tails could be a better solution in those cases.

I don’t think Qubes only ready for this. It’s like regular organizations. Non-technical organization members need tech support and if we encourage others to venture in this direction we should make it clear that either we need to support them or that it will require some extra time and willingness to do extra work. When organizations have the capacity to help with tech support then it’s another thing.

Yes, there is some talk about this: https://github.com/QubesOS/qubes-issues/issues/1019

1 Like

@deeplow Wifi MAC randomization is default since 4.1, thanks to Accessible Security project and Nlnet.

I have seen that @unman has deployed new salt recipes for apt-cacher, another project that should get more love to be deployed by default to economize that precious bandwidth and URLs sanitized in some ways per Qubes, so that packages are downloaded once even if Templates are cloned.

I’m really interested in HRD, journalist and source personas myself. If some working group happens there, Harlo from FPF should definitely be on the call. Could reach her let me know.

2 Likes