Qubes ready to install for Journalist-Human Rights workers

@alzer89: You’re asking good questions. As @unman has suggested, you may find users here who are journalists/HRDs who are comfortable sharing their day-to-day workflows; I can’t necessarily share the workflows of the people I work with without their consent (and I’m not sure how helpful the broad strokes workflows are in terms of actually meeting users’ needs; to take a trivial example, for an end user, “use Slack to communicate” and “use Mattermost to communicate” are actually quite different; even though they might both have the same broad strokes/high-level representation and do almost the same thing, one tool could require a high cognitive/interpersonal load to get people to switch to the new system, or could mean disruptions with partner orgs who use a different system, or…etc. There is so much that’s context-dependent, really down to the organizational level or even the user level–we may be accustomed to switching between semi-equivalent tools or platforms, but that may be a big deal to someone who would have to train all their colleagues on a new tool, or work in a tool that isn’t well localized/internationalized, and so on. So it’s very hard to design a ‘one size fits all’ or even a ‘one size fits many’ system that users will actually use and like using).

What I’m saying is, I’m excited by the enthusiasm in this thread and also I agree with @unman that any project like this needs to involve and be driven by the end users in an ongoing way and from a very early point in the process. Rather than an initial touchpoint where you find out some workflows, develop tools or configurations, then present them to journalists/HRDs as a finished product, you probably want some ongoing collaboration and ongoing working relationships/familiarity with the community you’re building tools for.

I think it would be great to figure out how to make use of everyone’s skills and interest here. Maybe we can bring in some of our user research folks to see if there’s any way we can ‘combine forces’ so to speak to connect interested developers with end-users.

1 Like

@qqubes, the short answer is, we don’t really know. I suggest making a separate thread for vPro, as there is a lot to discuss about it :slight_smile:

Thank you. This is actually something I feel strongly about, having been in places where you think “that only happens in the movies…”.

If there are, they’re very quiet…

I don’t want things like “Met with whistleblower Aaron Schmidt-Chan for lunch at restaurant. Got followed home by unmarked police car. Went to visit Kurdish family in eastern Turkey, Palestinian protest in Gaza Strip, and then quick shower, saw hidden camera and microphone in my shower cubicle”…

I feel like that stuff would make an excellent thriller novel rather than useful software :stuck_out_tongue:

What I meant was things like:

  • “distribute a document publicly in a way that only the recipient can decipher, but my network is being watched, so I have to obfuscate it to make it look like Microsoft Teams network traffic”
  • “publish a photo, but I need to make sure that all the EXIF data has been scraped from it, otherwise my informant may be paid a visit and shot”
  • “I’m in transit, and there’s a chance I will be stopped and have my laptop searched. I need plausible deniability, and may have to use my duress password if they force me to unlock it, so that it will boot into a harmless Ubuntu environment, which should get me past a basic visual inspection (but I’m screwed if they image the drive)”
  • “I need to be able to get access to Tor to interview someone, but I’m in a territory that blocks standard Tor data packets, so I need a way to get around that without drawing too much attention”
  • “My place of residence could be broken into and my hard drives stolen at any time, so I need a way to ensure that I’m the only person who can unlock my drive, so I’ll detach the LUKS header and keep it on an RFID tag disguised as a gym locker key”
  • “I’ve received some files that I know I won’t really be able to do much with unless I open them with the original software they were created with, but the thing is, that software is backdoored TO THE MOON, so I need a way to make sure I can use that software without my laptop snitching on me”
  • “I wasn’t able to obtain a SIM card or data connection without handing over my passport, and I need to be able to visit some potentially eyebrow-raising websites, so I need a way to be able to do that so that it’s not against my name”
  • “The government deactivated the broadband internet infrastructure because of the recent civil unrest (but really as a way for news not to get out), but phone calls still work, so I need a way to be able to get internet access over 56k modem”
  • “I need a way to securely back up my entire laptop every night at the same time, so that WHEN it is lost, stolen, damaged, or seized, I will be able to buy any old replacement laptop locally and restore my backups so I can keep working”
  • “I need a way to be able to pay for flights out of the country, but I can only pay with Monero, so I need a way to be able to do that”
  • Or even “I miss home, and want to be able to communicate with my family without them being used as a bartering chip against me by hostile forces, so we need a way to be able to communicate without anyone snooping on us, preferably in normal conversation, not in code”

Stuff like this will greatly assist in coming up with ways to get those tasks done, all while educating the journalists/HRDs about the reasons why they’re done this way, what third parties can and can’t see when you do them, and what not to do…

I’d never ever want you to even consider doing anything without another party’s consent. That is unacceptable in my books.

Ok, that’s a perfect example.

  • Communicate with who? Colleagues? Interviewees? Agents? Family?
  • Do they care if they are doxxed? Do they have a plan for damage control if Slack’s servers are breached (let’s be honest, WHEN their servers are breached)?
  • Do they encrypt their collaborative project data with their own keys before they upload them to Slack, so that Slack can’t make sense of it, or do they just give them the sensitive files?
  • Do they ever use Slack for any function that Slack wasn’t intended to do, like for concealment or obfuscation (eg hiding whistleblowers’ phone numbers as sports statistics, document numbers as GPS coordinates, etc.)? (software plugins can be written to do this automatically, so that they don’t have to do it manually, and would be worth it if enough were doing it)

Yes, especially an end user who has gotten into a mould. I fully understand that.

I guess I’m somewhat concerned that there may be some journalists and HRDs who are just “using someone else’s computer while they’re watching your every move”, placing all their stuff (other people’s contacts, home addresses of fugitives, photo sync from mobile devices, etc.) onto someone else’s server (“the cloud” makes it sound more inviting :stuck_out_tongue:), whose operator may or may not give a crap about whether those files are kept safe, as long as the customers pay their bills on time (you never know, that server operator may even be digging through those files looking for ways to monetise them).

I would be even more concerned if there were investigative journalists in hostile territories doing fact-checking by holding up their phone and saying “Hey Google…” or “Hey Siri…” :scream:

If that’s their workflow, then who am I to judge? My only wish is that they understand the ramifications of that workflow, because I can guarantee you that they’d be using Siri a lot less if they did :wink:


Also agreed.

My interest, among many others, is getting Qubes OS to be considered as a viable option in the workplace, because, it really is.

Switching to Qubes OS doesn’t require you to “give up” anything. In fact, it augments your previous computer uses…behind 36 inches of concrete and steel. There’s a reason why we use our machines this particular way, because we know that is how you counter potential threats. Doing extra steps without any benefit is a waste of energy, and we wouldn’t do them if they were. Yet that is how it is perceived by some members of the general public. We’ve been trying to leap that hurdle for a while now…

Qubes OS also vastly increases the flexibility and usability of your computer, all with peace of mind knowing that only YOU (…well, and anyone you gave access to) are the gatekeeper.

Another analogy would be a bespoke suit. Once you’ve worn one, it’s impossible to go back to off-the-rack…

Many many years ago, I managed to convince an ex-partner to never use Windows again, by connecting the laptop up to my machine running Wireshark and cold booting it. My partner watched as their full name, login password, home address, Internet Explorer browser history and the contents of the Word document they were typing up the night before all shot out of the laptop UNENCRYPTED, bound for Microsoft’s servers.

All of this happened before the login screen showed up. Thankfully, Microsoft has started encrypting that stuff, but can you imagine if that document was something sensitive, like minutes of a government meeting, and they had notified ISPs to be “on alert” for any data in transit matching it?

And who’s to say that Microsoft wouldn’t “snitch”? Nothing against Microsoft, but I’d rather not take that chance, and I genuinely believe that it’s a chance that journalists and HRDs simply can’t afford to take, given the nature of their work.

I can guarantee that if this was explained to investigative journalists and HRDs in a way that was relevant to them, they’d be scrambling over each other to install Qubes OS :slight_smile:

1 Like

There’s this:


I’m not sure I understand your meaning. Are you saying that Intel doesn’t explicitly state which systems use vPro? Or that they may be using vPro without admitting it?

I took “we don’t really know” as an answer to your question - “These would be futile if they still have Intel vPro I think?”

1 Like

I believe you are correct as @alzer89 gave a like to your quoted post :stuck_out_tongue:

1 Like

You forgot this:

https://github.com/QubesOS/qubes-issues/issues/1856 (and probably more fingerprint-related stuff).


At least you can already order Librem 14 with preinstalled Qubes to any country AFAIK (but not with other software).

1 Like

The problem with caislean was that it was not well maintained, unfortunately. So when the project started, it was a bit immature, but once stable it stalled.
But I remember the days I used it on Qubes 3.2 with @Rudd-O’s qubes-network-server, which permitted exposing qubes as servers on my kgpe-d16 I was using remotely as a builder to compile stuff and self-host a bunch of services. But that Caislean project is dead now, having been updated for the last time in 2018. Maintainership is a real problem.

In the time we live in today, self-hosting with projects like yunohost under Qubes would be again fabulous, where Qubes provides all the requirements even disaster recovery (multiple qvm-volume revert snapshots by default), where wyng-backup can restore known safe states within minutes. With dom0 pool being separated from vm-pool, a server in this setup (accessible through BMC, even through tor hidden services offered through router) even permits accessing dom0 when vm-pool needs to be fixed to be able to relaunch sys-net. But the kgpe-d16 is not re-upstreamed yet, qubes-network-server doesn’t cascade automatically anymore (service exposed through sys-whonix tor hidden service, where qubes is behind it requires a lot of configuration today under Q4.1 as opposed to under Qubes 3.2). Maintainership is a real problem.

I think, but I’m an idealist and optimist, that what is happening under this thread is one of the most interesting things I’ve seen for a long while. There is a lot of content going in a lot of different directions, but most of the problems/needs stated here are actionable and as far as I read them, could be turned into salt scripts.

Again, https://github.com/unman/shaker is a long awaited project (thanks again @unman for doing this) where those recipes are even packaged and a repository is provided by @unman.
This cannot be more magical: install the package corresponding to your needs, and the salt recipes are doing their magic automatically as post-install scripts: where the recipes themselves can be audited and are quite easy to understand once you understand the hierarchy and global internals of salt. I think the next step is to organize around this and upstream those under qubes-community repository.

@unman: have you thought about creating an online course to teach salt+qubes salting? Maybe that could even be funded? You have most of your salt notes that could be turned into tutorials if they were a tad more organized. That would be lovely and would definitely bring interest into salting.

I think the challenge here is to really understand the needs, scope and streamline into proper hierarchies of needs, resulting in salt scripts, where personas (journalist, activist, HRD, programmer, communicator, editor, auditor) would wrap around regrouped salt recipes (free/proprietary counterparts of : video-edition, graphics, communication, compilers, financials, etc.)

Reading this thread, it seems that we need to explode requirements into software requirements and workflow requirements, where the workflow requirements could be pushed by persona selection, and software could be enabled/disabled (and shortcuts removed/added automatically) through them.

What do you think?


This is a real big challenge, actually. From my experience, shipping with Windows 10 LTSC, deployed through https://github.com/elliotkillick/qvm-create-windows-qube was the most controversial deployment I have ever done. Customers were asking for it, then when I shipped it, people were totally against it. At the end of the day, a specialized template upon reception only consumes the space for the additional packages, but this is not the best way. It’s better to deploy clean templates and have organizations and IT departments trained to deploy as their users need.

The same story applied to Signal. And basically any software deployment choice that doesn’t come from the user. Meaning more bandwidth needed as well to maintain those updated over time…

Unfortunately, this is not something an OEM should force on users, nor maintain (multiple disk images for different personas).

The ideal, really, would be to have those salt recipes under packages with really clean names, that just do the magic, and being able to call those salt recipes if needed (could also be deployed as a whole and maintained by Qubes OS).

And yet again, the dream would be to have those persona/templates customization options at install, but as Qubes is currently deployed, I understand that it would be way cleaner and more desirable that a “salt store” gets created.

But here I’m interested in steps to get there. And salt recipes under a repository, with peer review, merged and packaged and made available under qubes-contrib repo seems a really good start here.

But today, the need is to clarify software needs, templates specialization where those should be installed, what needs to be removed to reduce/mitigate user errors, and from that process, define salt recipes to do the job specifics, and then assign them to personas.

At least, this is how I see those increments going where this thread wants to go.

1 Like

Hope all of you are doing well. I see a group of names on this forum who have contributed greatly to the concept of getting us to a computer which is as much a privacy/security computer as is possible. Thanks for all that hard work. In comparison I am mostly an installer of software others have written.

I used to know a fellow who wrote code. He worked for a company who sold computers, and needed software to match a business company’s practice. Order. Financial. General Ledger. His company employed an individual, who always had a Bachelors degree, and who was good with people, interaction - communication skills. They called this person a System Manager. System Manager would spend time at the customers business, and write a description of the programs needed. Programmer wrote to fit those specifications. I am sure a lot of folks here already know the punch line. Once the customer saw the actual system they said they wanted, they wanted a lot different kind of thing, at least a lot of changes all over the place.

As those who have written code know. It can take a lot of time/effort to implement even a small change. Usually one realizes the customer who did the original interviews, was just riffing on what he wanted. Not deep consideration.

Right now, I am not concerned with creating a salt file to describe each of the Jqubes. Yes, I am, still, interested in what a Journalist would say as to what they want.

I would instead be concerned with describing a group of Qubes for Journalists/HRD (JQubes) and, that have as a first consideration being secure. Build them by cloning off of current Qubes, install relevant software. Set whether they are online or offline.

For the time being, besides a verbal description of the different Jqubes. To place those Jqubes where they can be downloaded and tested by those on forum, Journalists. That is folks who have the bandwidth to easily download them, and test them, while the tester is residing in a physically safe location.

It is from this I think I, or we, would see a lot of disagreement from Journalists saying that is not how I want it to look.

Putting things into Salt is part of the end of the project. Like the fellow re-writing code because he did not get a clear first description.

The points about the Intel Firmware which creates a security hole, for the newcomer to the concept is a good description of why those who are closely involved with Qubes are willing to use hardware which is ten years, or more older to help maintain security. The Firmware - code, and even better the firmware after it has been modified, — can be well understood, and is more secure than all the latest hardware/firmware from - Intel or. . .

I had a list of the uses of Jqubes based upon; Input. Process. Output.

To which someone has clearly pointed out it would be wise to have a Jqube for a VPN, (Virtual Privacy Network) to allow one to gain access to the internet without the local Hotel, public WiFi provider. Local ISP. or where-ever one gets online at - Watching. Gathering information on computer logged in.

Input, JQube which internet. is Online. Never opens documents. Can save all things to be worked on in one Directory. For which can be copied in one command to the Process Jqube, which is never online. Therefore its software is provided through being off another Template. Which in some ways I do not like, having a template for each of the other Jqubes is a lot of new Qubes to be added. How to handle emails, without all the extra connections the email might want. And still for some need email to buy a plane ticket or, I think many can be influenced to allow access of a particular email to allow those extra connections to be made. So? I know how I would do it. But to write a plan for someone else?

Once again, someone pointed out, they do a lot of ‘Video interactive chat,’ Which to me indicates a need for a specialized Qube. Even more its own Jqube because it was suggested that included in the Video Chats, Face-Time. Zoom. Who to me have a dubious security. but the Journalist must appear to have a public connection, and a private, secure connection. ??? If I was doing it for myself. I would put Face Time in a separate Qube from everything else. No way that bit of software grows tentacles to look for other information. Zoom the same, in its own Sandbox.

Process; Jqube. Never online. Here documents are read. Emails are opened. Things are De-crypted. Some go into Vault. Some are encrypted. Some are placed in directory for Outgoing Jqube.

Does Encryption/Decryption belong in a temporary disp Jqube, and a template to do the work of online key things. We have a great looking program for doing things, but from the things I see on the forum, it seems to have its own difficulties. ??? I am not using it, so I am not qualified to say, “Yeah that is definitely the thing to include.”

Outgoing Jqube “Outgoing” directory; where it can be put onto internet. Printed. Put onto flash drive. And so on. Gee, that has the same software as Incoming Jqubes.

Standard Qubes documentation, which I think is pretty well written. Is kind of a select which option the individual wants - when. I used to use a piece of utility software which worked well. But to use it I needed to know not just what I wanted to accomplish, but where it was in all those tabs, and what it was named. Just like we have a Qubes Cult language. Then spend time reading about that issue. So the frustration with using Qubes begins, and seems forever ongoing.

I think we start with a sticky note. Before going online, decide to use Whonix-Tor, or a VPN. If the user does not have a VPN, click here to get detail on getting one, starting one. Always, a nearby box of – this is the hazard of not following this guide path.

Hopefully we should develop like a check list of things to do. Like a pilot who is preparing to take off. Even if the pilot has done the take off thousands of times, he still uses the check list. Yeah, eventually the checklist is for a Journalist to write.

Which ones of these need to be disp qube. Need to be based on a special Template. Which pieces of software are pre-installed into that Jqube.

I had started to write an overly simple portion of the first. Jqube to do Mullvad VPN. For which I felt I should read all the different ways others had accomplished that. I got distracted by - problems of life.

I think that it would be wise to set a date to finish the first set of Jqubes. Projects can drag along forever. Like all great leaders, I had thought all the rest of you do the work. Not to mention. For some of you. Doing some of these Jqubes, and all the intricacies involved that particular Qube is something you have accomplished before. No study or reading of documentation needed.

No doubt someone will let me know about this. I still have some more powerful pain killers.

Does someone have an alternate list of Qubes which should be in the Journalists - software ready, version of Qubes?

Perhaps Wissam can quick type descriptions the 7 or so Qubes he uses frequently?

Truthfully, I do not have high speed internet available right now. Just slow internet and a limited amount of data on a HotSpot. So I am not getting much on my temporary implementation of this project done right now.

Journalism Qubes, front of desktop - sticky 2-22-2022

To Start a connection. On the opening Qubes Screen, upper right hand side, just a few icons in is two red terminals/Click there

Choose from available connections.

If the user needs a secure connection.
Go to upper left, down the column to Whonix/Tor Browser

Takes a minute or two to start.

To initiate a Public WiFi, to click a Permission Button.

If you are at a public WiFi, which requires you click on a permission button (really effectively saying- we warned you)

Upper left hand side of desktop: Go down the list. Pick dispxxx/Firefox
Takes a minute or more to start. Feels longer.

From a Browser not in Tor, such as Firefox. Start Firefox.

If nothing appears in Browser, and you want to force the Permission Button to show up, or test whether you have a working connection, type in the browser bar four ones separated by periods,

This is the web address (IP) for CloudFlare, a Domain Name Server (DNS) which many people use often, and has no security ramifications for you to use it.

Likewise you could substitute the number 8 for ones, and that is the DNS of Google.

This should bring up any Permission Button that the public WiFi has, or a webpage for the DNS.

After the Public WiFi. Best to close the insecure (in this case, Firefox) web Browser.

Tor Browser, go to upper left. go down Menu to Help/About Tor
When it starts this box will either say. ‘Tor Browser latest’ or Update available.

Update and choose Restart.

Tor Browser will allow you to accomplish some things anonymously.

If the user desires to do Video Chat.
Choose which App the user wants to use.

Upper left of screen. Go down column to Jqube-xxxxx where the xxxxx refers to the Chat App user wants to use.

Look on upper left, go down column to Jqubes-input. click there.
This Qube is to accept information, pictures, video files for evaluation by individual.
For security, Do not open documents, or such while these are in this Qube.

Copy these files in to the Directory - Work.

When ready; Start Jqube-work, depending on how fast your computer is, it could take more than a minute to start up.

Use command “xxxxxxxxx” (this could be a gui command just to copy from one to the other.) to copy the directory Jqubes-Input work into Jqubes-work work, append date and time(?)

While it is possible to put what Work does in the first Qube, what I now call Jqube-Input. When needed to turn off Internet. and do work.
I have problem one. Email has attachments one must download, but not open.

I personally, wanted to use a change of Qube to help others be secure in opening documents, images, videos to turn off internet, by moving the work portion into another Qube. (Yes, we have a great program for opening documents thanks to the hard work of Deeplow, “DangerZone” and some other things. Also much thanks to Unman. I am missing acknowledging, thanking some folks. Thanks.)

I am posting this now, I can see I have to do a lot of reading on how to get things into Qubes without allowing them to phone home to evil lair of those trying to get into our lives, and world. Place themselves in a place to give individuals hardship.

What I wanted to show, placing documentation, pointers of where the newbie can look to start a program where needed.

Surely can be better written.

Perhaps the best example of someone who comes from the computer geek side of Qubes writing flow versus a Journalist. is Zoom. Which is under the domain of China. Allows someone in China to watch Videos of anyone. I suspect, they can send an update to a computer, which has tentacles. Tries to find out information on user. At least IP.

I get why Journalists still value Zoom. It allows a public face for them. And as they suggest, Zoom is what some people can use. Trying to raise them up in computer security is hard.

Oh, the irony…. :joy:

@Insurgo, I have to agree with you on this one. Assuming that IT departments “know what they’re doing” (for the purposes of this dialogue, let’s just assume they do…), that will provide much more flexibility for them to configure Qubes OS exactly the way they want it.

It’ll also be a massive time-saver when doing a batch-install of Qubes OS machines.

The only drawback is, for someone in @Wissam’s Category 2, this would probably be a turn-off, or even a deal-breaker.

But there will definitely be a way to get the best of both worlds.

I agree.

Ask any business lawyer about this, and I can guarantee you they’ll freak out about liability and “duty of care”.

Not to mention, if anyone’s machine in Category 2 is picked up by someone nasty, and they discover a vulnerability in a pre-configured Qubes OS, the first thing they would do is try that vulnerability on any Qubes OS machine, and it would likely work (let’s be honest, even tech-savvy users have trouble updating their machines at the best of times, let alone people who just want their machines to “work”).

But again, there will be a way. We just haven’t found it yet… :slight_smile:

Salt scripts would basically do this :slight_smile:

You can write a salt script to clone a Qube and install software. That’s basically what they do!

You also don’t necessarily need an internet connection to run them.

I agree with what you are saying, but there will be some people who will see this as being similar to “just download this EXE file and run it”.

There is unfortunately no guarantee that the 5+GB template you’re downloading that someone else made is 100% trusted.

Salt scripts basically specify the different aspects of the template (what OS, what software is installed, how big it is, what PCI devices are given to it, and all the other things).

I’m happy to find somewhere to host it, and I will get back to you on this. But we still need to have a list/table of the actual contents of this template! :grin:

What would really really help us start off would be something like this:

Please tell us how frequently you would do this as part of your work

0 = Never
1 = Rarely
2 = Sometimes, but not often enough to remember how to do it without reading a manual
3 = Often, and I remember how to do it without reading instructions
4 = Once a day
5 = Multiple times a day

Picking up “sensitive information” from somewhere on the clear-net (NOT Tor, I2P, etc.)
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Picking up “sensitive information” from somewhere on the dark net
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Communicating with “sensitive people” electronically (internet, computer, phone app, etc.)
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Communicating with “sensitive people” face-to-face
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Communicating/collaborating with co-workers electronically
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Communicating/collaborating with co-workers face-to-face
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Opening untrusted files locally (ie. not in a web browser)
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Interacting with online “project collaboration software”
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Using encryption/decryption software (like GPG)
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

“Hiding in plain sight” (Appearing to a third party that you’re engaged in a harmless and uninteresting activity, while using that as a cover to conceal you performing other tasks)
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Storing credentials (usernames, passwords, encryption keys, OTPs, etc.) locally (ie. on the storage of something you can hold in your hand)
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Connecting your computer to networks that you’ve never connected to before (public wifi, friend’s wifi, police station wifi, etc.)
  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

How much sensitive data would you store locally (ie. not on a server that you can’t see with your own eyes)?
  • All of it
  • None of it
  • All of it, with a local copy
  • I haven’t really given it much thought….

How often would you say you’d be “under surveillance” and be aware of it?
  • At least multiple times a day
  • At least once a day
  • At least once a week
  • At least once a month

How often would you have someone come to you to have your things physically searched?
  • I know the officers by first name, and we play tennis on weekends, and we (in other words, A LOT)
  • Once a week
  • Once a month
  • I’ve never had this happen to me…

How often would you have your electronic devices confiscated/searched at checkpoints?
  • Every single time. It’s annoying!
  • I’ve never had this done to me…
  • Every now and then, but it doesn’t follow a predictable pattern.

If you get your devices searched, what is the most common method that has been used on you?
  • My device is taken away and I can’t see what happens to it.
  • Someone asks me to type in a password on the device, and they inspect it by interacting with the device directly with their own hands
  • I am asked to type in a password on a keyboard that I do not own
  • They plug a cable into my device and just let it sit there. I think some kind of software does the rest…
  • I’ve never been searched, so I wouldn’t know…


Have you ever been the target of spearphishing attacks (i.e. a scam email that has been specially designed just for you)?
  • Yes, all the time, and they always seem to dupe me.
  • No, never.
  • Yes, but then I educated myself on what to look for, and I can spot them a mile away now!


How often are you harassed/bullied/threatened online?
  • On a daily basis
  • Never
  • Every now and then, but not often enough for me to recall easily…


What is your usual method of internet connections?
  • Connect to Public WiFi, and that’s it
  • I tether my own mobile device with an account registered to myself
  • An internet connection at my place of residence
  • I tether my own mobile device with an account registered to another entity (friend, company etc.)
  • Some other way


Do you use any sort of proxy or VPN?
  • I have a VPN provided by my employer
  • I have a VPN that I bought myself from a commercial provider, that connects to someone else’s server
  • I have set up my own VPN server that I connect to
  • I do not use a VPN


Do you use any of the following when you use the internet?
  • Tor
  • I2P
  • Yggdrasil
  • I have no idea what any of these are. I’m not a Blackhat Hacker…


Do you use any of the following chat software?
  • Facebook Messenger
  • iMessage
  • Matrix
  • 3rd-party-hosted chat service (Slack, Microsoft Teams, Monday, etc.)
  • Self-hosted chat (Nextcloud Talk, etc.)
  • I don’t use any of these…


This is not an exhaustive list of things that would be helpful, but I believe it’s a good start.

It would not only allow us to create the custom templates/salt scripts that @catacombs is interested in, but also guided tutorials that would educate and drill users on how to do those tasks, building “muscle memory”…

Any thoughts?

This is an interesting, recent and very relevant piece of news about threats to journalists:

Qubes OS is certainly capable of thwarting such attacks if the main “work” Qube is a minimal VM without browsers (for email and cloud service for example), and if browsing and web browsers are confined to untrusted / disposable Qubes.

I would argue a Qubes OS with a configuration of work Qube (without web browser) and where web browsing is limited to disposables and to an untrusted Qube is something to recommend to Qubes OS users, including journalists and HRDs, regardless of their threat model, because it seems that infection via web browsers is easy and should be included by default in any threat model.

I will try to write a longer post and to reply to some questions/issues raised.


Unfortunately, web browsers have become almost the most complex piece of software in computers today. And the more things a program can do, the more ways it can potentially be exploited…

I was wondering when Candiru would be back…

Oddly enough, Google Chrome was the first browser to be properly patched against CVE-2022-2294, which is funny, because it’s usually the last!

I feel the poll is a good idea.

The mention of a current hack against Journalists might push progress to a simpler version of Journalists Qube to cover at least some of the risks. I am using Mint Linux with Mullvad VPN App enabled. The Mullvad site does a check, and says ‘no WebRTC leaks.’ Might be an extension I have in Firefox doing that, but seems to advocate for using a VPN.

Some seem to feel we need a perfect computer hardware, system, and a perfect implementation of Jqubes. I don’t feel we have that kind of time. We could be here a year from now, still not having done anything.

I have read of several experienced computer people who said they have been involved in projects, where the original specifications kept being changed, and causing all kinds of extra work for programmers.

So I do not advocate initially building anything in Salt until the Jqube specifications are at a finish point. It is pretty easy for many here to build a Qube Template for a specific purpose. I hope we can focus on the simplest version of this. Not to cover all the possible options.

I used to drink coffee at a McDs with a fellow and his wife, who was a tailor. Made clothing from the basics of cloth, sewing, and so on. I asked her one time if there was any type of clothing she would never make again. Immediately she said, “Prom Dresses. I will never make another Prom Dress.” Meaning for teenage girls. They used to come to her with their accumulation of baby sitting money and define their Prom Dress. After she made it, they would try it on, and say, “It is what I said, but I did not think it would look like this.”

Then they would want her to change it, emergency.

The closer I look at my design, the less I like it.

Still it is security before ease of use.


Aren’t you using Qubes OS…? :face_with_raised_eyebrow:

The only people saying this are people who haven’t got a clue about how computers actually work, and possess a stubborn reluctance to actually “get their head out of their a**” and learn.

I’m definitely not saying that you’re one of those people. I’m saying that these people would probably feel more comfortable in “The Cathedral” instead of in “The Bazaar”…


…or if you prefer the TL;DR version:

Isn’t that why they charge such extremely high rates for their services?
(If the wife of this friend of yours isn’t charging what she deserves, then she really should, because she sounds like a good, hard-working person who definitely deserves it :slight_smile:)

If you ask any security guard where they’d never like to work again, most will say “Airport Screening and Nightclub Bouncer/Doorman”.

Every form of employment has its own negative aspects.

But this is not employment. This is done in our own spare time, out of the goodness of our hearts.

I can guarantee you that the wife of this friend of yours would react completely differently if she wasn’t getting paid. She’d probably react similarly to most FOSS devs when asked to change something “right now”:

“Here’s the fabric, the needles, the sewing machine. SHUT UP AND MAKE IT YOURSELF!” (Who would blame her for this? Definitely not me…)

Well I do :slight_smile:
Nobody expects things to be perfect the first time round, but it’s better to have something half-baked and FOSS, than nothing at all. That way, the community can improve on it collectively.

Welcome to the world of FOSS! The users are also the contributors.
*to the tune of Montell Jordan* :musical_note: This is how we do it! :musical_note:

So build one! Seriously, build one! I will even help you create it and host it, and we can dissect it, and the experts can turn that into a Saltstack pillar that will:

  • create the Qube(s)
  • install all the necessary software in said Qube(s)
  • put all the necessary config files in the right place (including dom0)
  • do all of this automatically

…and the size of the Saltstack files will be TINY compared to the 5+GB of an entire template.

Ok. So…

| Task | Method Already Present in Qubes OS? | Automated? | Command Line Required? | Potential Methodology for Improvement? |
|---|---|---|---|---|
| Connecting to VPN | Yes - sys-net | No | No | Telling user that VPN options are in nm-applet, Making dedicated GTK applet just for VPNs that sits in XFCE tray |
| Configuring Qubes OS to connect to VPN | Yes - sys-net | No | No | Option for Installation of VPN config in Initial Setup, Creating option in “Qubes Global Settings”, etc. |
| Connecting to Tor | Yes - Whonix | Yes | No | Educating the user about Tor/Whonix |
| Guided Tutorial | No | N/A | Currently Yes, In Future No | Currently being worked on by the amazing @deeplow |
| Opening suspicious files in disposable VMs by default | Yes | No | No | Add qvm-prefs ability for all software opened in a particular AppVM to be opened inside a DispVM, preventing self-pwnage and increasing convenience for user |
| Create Custom Tutorials for Guided Tutorial | No | N/A | Currently Yes, In Future No | Currently being worked on by the amazing @deeplow |
| Configuring Qubes OS dom0/Templates/AppVMs for Specific Purpose (eg. Journalist/HRD use) | Yes - salt | No | Currently Yes | Possible GUI tool for Saltstack file generation (even if it’s incredibly rigid and basic, it’d be a good start) |
| Installing/Removing Custom Software in Existing Templates | Yes - Opening Template & Running Package Manager | No | Not Required, But Definitely The Most Efficient Way | Salt Pillars that would automatically install software in templates |
| Randomising MAC Address & Hostname | Yes | No | Currently Yes | Create option in Qubes Global Settings |
| USB Qubes not being set up by default | Yes | Yes, but not 100% reliable for all machines | Currently Yes | Create separate sys-usb by default on initial setup, with "sys-usb dom0 allow" enabled for all USB input devices, and then explain to user that they should examine this and edit this to their liking. Minimises new users being unable to use USB peripherals properly (seems to be a major deal-breaker for new Qubes OS users) |
| Preventing self-pwnage by cross-contamination of Qubes | No | N/A | N/A | Create option to have warning alerts when potentially compromising qrexec functions are called (Don’t worry, I wouldn’t want this enabled by default) |

Have I missed anything?
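
As an added illustration (not code from any poster in this thread or from the Qubes project), this is roughly what the Salt approach listed above could look like for the layout suggested earlier in the thread: a work qube with no browser, and browsing confined to disposables. The qube names, template names, labels, file names and package list are all assumptions.

```yaml
# Added example; all qube/template names, labels and packages are assumptions.
# --- File 1: /srv/salt/jwork.sls, applied in dom0 ---------------------------

# Private copy of a minimal template, so the stock template stays untouched.
jwork-template:
  qvm.clone:
    - source: debian-11-minimal   # assumed to be installed already

# Disposable template: every browsing session starts from it and is discarded.
jwork-dvm:
  qvm.vm:
    - present:
      - template: fedora-36       # assumed full template that ships a browser
      - label: red
    - prefs:
      - template_for_dispvms: True
      - netvm: sys-firewall

# Work qube: mail and documents only; its template carries no web browser.
jwork:
  qvm.vm:
    - present:
      - template: jwork-template
      - label: blue
    - prefs:
      - netvm: sys-firewall
      - default_dispvm: jwork-dvm  # disposables requested from jwork use jwork-dvm
    - require:
      - qvm: jwork-template
      - qvm: jwork-dvm

# --- File 2: /srv/salt/jwork-packages.sls, applied inside jwork-template ----
jwork-packages:
  pkg.installed:
    - pkgs:
      - qubes-core-agent-networking   # minimal templates lack networking support
      - thunderbird
      - gnupg
```

File 1 is applied in dom0 with `sudo qubesctl state.apply jwork`, and file 2 with `sudo qubesctl --skip-dom0 --targets=jwork-template state.apply jwork-packages`.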


What you are doing is designing (and perhaps making) dresses without
even asking people what they want to have as a prom dress, and then you
hope that your design will be just what they want.
It’s far more likely that you’ll end up with racks of unsold dresses.

If you have something made to measure, then you would expect to walk
through designs, and then go for many fittings, long before you get to a
finished item.

Software is the same. You should involve your target users from the
outset, and then run through iterations with them, as you develop.
I don’t understand why you won’t do this.

So what? You are not the target user.
But since you haven’t involved any journalists in the process, I suspect
that they won’t like it any more than you do.


My use of Mint as a public computer face to pay power, insurance, city water, and so on came from a time when the city council fired our city manager and the city librarian quit, or was no longer there. Without the library connection to download updates, software, with 4.1 just about to come out. With just my limited amount of data on my phone hotspot. I uh, just got on with business. Installed Mint to use.

Today I will do worse. I have to find a partition to update Windows 10 because tomorrow I have to do a Video Conference with my doctor, and the clinic software only works with Windows, or at least, I have no opportunity to experiment with what would work with Linux. Last time Google Chrome would not work.

The teenage girl did design what she wanted. What she thought she wanted. The tailor ended up with 20 or so crying teenage girls saying fix it, whose lives were going to end with the dress they designed, the tailor spent three and a half days trying to fix things.

People often do not know what they want. I think a design of Jqubes written from the perspective of a computer techie worried about security is different than the initial thoughts of a Journalist, who is concerned with “ease of use.”

I see some journalists are reading this post, and could state an opinion. Right now, if we build something to show them. Let them riddle it with complaints.

But I did not want to burden the folks who do Salt. Yet.

My design is ending up with too many Jqubes. I hoped someone with a clearer thinking process, more experience in Qubes could find a way to omit needless reproduction of effort.

Let me put that another way. In 2001 I was about to undergo a four way Bypass open heart surgery. I told the anesthesiologist I was trying to write a fiction book to earn money, as I had severe arthritis, and could not do much labor, or even standing on my feet. He said, I warn you, after the surgery your memory will never be as good after the surgery as it is right now.

To apply someone’s experience to the problem of receiving emails. I had wanted to use a single disp Jqubes to receive information off the internet. Copy and paste out of browser. Easy enough. Yet, emails. Thunderbird - many emails in my Thunderbird arrive with message, “Thunderbird has blocked remote content.” This is where the Journalist can allow a program to enter, and scavenge about for information. Other emails, things off net. or even the true IP address of Journalist, for some that might give a government exact knowledge of where to find him. I have never, myself, needed to worry about that.

The Jqube work, where most of the work is done, is more easy to envision. It is always offline. It has all the software to open different things that have no risk for the Journalist.

Decrypting and Encrypting emails belongs in Jwork Qubes, but I see no way to exchange Thunderbird data files. Leaving one with the workaround: close the internet connection to the disp which is online. Decrypt and put into Jqube work, that being the last thing done in that disp Qube. Close it.

I was hoping for a clear mind to come up with a better solution.

And no, I have not read all the different suggestions for how to accomplish this.
for the next few days. I am spending time doing something to aid in the material quality of my life. Anyway, our public library has the Air Conditioning out.

While it is a good policy to not install any outside software in Qubes, it would be nice to be able to install the documentation for some of the VPNs inside dom0. The parts one needs to copy and paste into terminal to get the VPN to work.

It is my hunch, if we wait on the opinion of Journalists, HRD. Nothing will get accomplished. Create something for them to look at. And we can get a lot of complaints to base the next generation off of.