Qubes VS Tails

Hi everybody ! :slight_smile:

My pcs (ubuntu), my smartphones (android) and even my internet boxes have been hacked for monthes by perverse and skilled hackers who could spy me through microphones and webcams, steal some texts I’ve wrote, spy my web activities despite of my VPN (Nordvpn), ‘play’ with my internet boxes as well as the screensavers and the fans of my pcs, etc. I’m pretty sure it’s still the case despite of the re-installation of Ubuntu on one machine and Qubes on the other.

Once a machine has been hacked, it’s better to buy another… So I intend to compound my own machines : one for my work totally offline (with no wifi/bluetooth card), and another (with no microphone and no webcam :wink: ) exclusively reserved for my web activity (researches on startpage and/or duckduckgo, mails, bank operations, buying/selling stuff, downloading images, documents and updates/upgrades and packages for my offline machine, uploading some work, etc.). Of course, I will chose the hardware configuration to be able to take these machines with me everywhere I go, to avoid any physical access.

Assuming that I’m personally targeted by skilled hackers, which configuration should be the best to protect myself from spying my web activities, datas exfiltrations and corruption of the packages destined for my offline machine : Tails with Tor over VPN, or Qubes + Whonix Vm over VPN ?

In fact, I see 3 advantages in using Tails :
_ the rapidity due to no virtualization and the usage of the RAM.
_ the possibility of avoiding any admin access by setting no admin password at the start of a session.
_ the possibility of avoiding corruption of the Tails image by installing it on a usb key with write protection.

What bother me in Qubes is its persistent aspect : once Qubes is corrupted, it’s definitively dead. And we can’t know if Qubes is corrupted or not. Whereas if Tails is installed on a usb key with write protection, if I store and install nothing persistent (except the official Tails updates/upgrades), even if hackers manage to corrupt a session, I am sure to have a new clean session at every start. So I can manage things like this : when I am at home, my hackers knowing my IP address can probably corrupt my Tails session and spy me, so I have to avoid sensitive web activity. But every new session will be clean, which will force them to start all over again. And I’ll only need to launch a new clean session from a public spot hazardously selected to dodge my hackers. (unless if they can steal my MAC address and are able to find me thanks to it : is it possible ?)

If I launch Tails from a usb key with write protection, if I store and install nothing persistent (except the official Tails updates/upgrades) and if I launch each session with no admin password to avoid any admin access, is it possible to corrupt my Tails session and steal my datas, spy my web activities, corrupt packages downloads, etc. ? Is it possible to corrupt my machine (Bios…) ?

2 Likes

Not that i doubt what you say, but what do you forensical evidence for that or any IOCs? Why do you suspect this?

If this is the case, the hackers penetrated deep down into your BIOS/UEFI or firmware if they can penetrate your VPN on a fresh Ubuntu or are exploiting vulnerabilities in software you installed. They probably have gained persistence in other network devices as well.

  1. Wipe your laptops and reinstall your OS new from a stick created by a PC that is not contaminated, maybe a friend of yours. If BIOS/UEFI is really a probability, at least try to verify your UEFI/BIOS or reflash it from a known to be good source.
  2. Send back your router to your ISP and request a new one
  3. Disable all network devices, try to reflash them and reintroduce them to your network one by one to see when the hacker gains control again this way you might be able to find out the initial attack vector.

Do not use a VPN with Tor, unless you have a very very exotic use case and know exactly what you are doing.

Your offline machine would not have internet per definition, maybe you mistyped. If you are worried about data extraction from your air gapped machine and want to crank up your OPSEC to the moon: No devices with microphones in the same room.
If physical locality of your adversary is a threat, go full tinfoil hat with EMSEC. How to do this would vastly go offtopic here, but i don’t think this is something you want to worry about.

As Tails “stays how it is”: If your adversary can compromise one session, he is very likely to be able to compromise every session, assuming that he has control over devices in your network and the successful attack originate from them.

If the adversary is able to hack into a clean Ubuntu, persist in BIOS it is unlikely that he cannot escalate privileges on Tails to root, mount the stick with write access and gain persistence that way, if you do not have hardware write protection on your USB stick. But even then: If he is in your BIOS, nothing you do on that machine is secure.

Try to define your protective goals, and if you can your threat model. Fitting tools will fully depend on that.

I am uncertain about that, but if you are facing an actively hostile network, qubes with a disposable sys-net should offer the best protection, against this specific scenario.

If extraction of data is not catastrophic, but deanonymization is, whonix is probably he way to go.

If local forensics are a threat, Tails might be best, or Tails with slapped on whonix. (Which does not seem to be your case)

If you are facing active attacks from the sites you browse, whonix offers the best anonymity as tails will fail in that scenario. Other data might be better protected in a qubes system in this scenario.

It really depends.

3 Likes

Can you explain why sys-net as a disposable vm is the best for operating on an openly hostile network?

Is it just to continually frustrate efforts to maintain persistence in a way that serves as a foundation for further attacks? So deny a stable sys-net and you’ve denied a stable foothold?

Thanks.

I’m reading on Github that sys-usb & sys-firewall are already disposable by default in 4.1, is this right?

I haven’t noticed anything with them. Interesting. Source: Document that sys-firewall and sys-usb are DisposableVMs by default in 4.1 · Issue #6684 · QubesOS/qubes-issues · GitHub

Yeah shoot I guess they are. So that just denies a persistent config that could be tampered with in the long term?

sys-net will be disposable if you switch on the respective option during installation. (and your wifi password will be forgotten after every reboot of sys-net).

2 Likes

The disposable part is exactly for that. However it is not strictly necessary imo, just “something more” that doesn’t cost something.

Regarding qubes providing the best protection against actively hostile networks: Beause you can easily deploy as many netvms/firewalls as you like with as many software diversity as you can manage.

You can have persistent configuration nevertheless! Just drop them in the dispVM-Template! But if you add a new network you need to fire it up and add it there, so it is mildly more cumbersome then.

Just one idea that came to my mind at this moment:

Maybe it is even possible to automatically rotate dispVM netvms every few second that are on wastly different systems like arch, fedora, debian, ubuntu, nixOS, all them BSDs to completely confuse an attacker trying to fingerprint and attack. One can have a lot of fun.

4 Likes

Nice one!

Thanks for your answers :slight_smile:

My web activity is totally normal and I’m not particularly interested in the dark web. But if using a vpn with Tor reinforces anonimity by hiding our real IP address to the first node of Tor circuit (although it’s a little bit more useless if my enemies already know my true IP adress), why do you think I shouldn’t use a vpn with Tor ?

No mistake ^^ My offline machine will never be connected to the web. But I’ll sometimes have to install some packages and updates/upgrades. So I’ll use apt-offline to download them on my online machine and transfer them -with a usb key with physical/matérial write protection- to my offline one where I’ll install them. This is why I worry about my enemies capacity to corrupt my usb key, as well as the downloads of these packages by making me download something that I don’t want, in order to corrupt my offline machine. It seems to me I have read something saying that downloading packages and updates/upgrades using WhonixVM connexion (cf the Qubes installation option which lets us decide if we want the updates/upgrades to be done through whonixVM) prevents attackers to make us download something we don’t want…

Concerning my actual corrupted machines (sorry if it’s a little bit out of subject on this Qubes forum ^^) :
_ Is flashing the BIOS/UEFI enough to erase any corruption ? Or can some BIOS/UEFI corruptions persist despite of the flash ?
_ Motherboard’s BIOS/UEFI and OS aren’t the only elements of a PC that hackers can corrupt : processor’s microcode, motherboard’s chipset, GPU’s bios, etc., in short, every little piece of code can theoretically be potentially corrupted… Could you make an exhaustive list of all the different elements that could theoretically be potentially corrupted ? Is it possible to flash each one of these elements, every little piece of code of my machines, to be sure to recup the whole intégrality of them ? (If we leave aside the obvious fact that if they have hacked my machines once, they’ll probably be able to do it twice)

Concerning my future new online desktop machine that I’ll construct myself with detached pieces, that we can consider clean and without any corruption (at least in a first time xD) and to which my enemies won’t be able to access otherwise than through a web connexion, as I’ll take it with me everywhere I’ll go :
_ If the motherboard has a physical/matérial jumper for the write protection of the BIOS/UEFI, is it enough to prevent any corruption of this BIOS/UEFI ?
_ Does Qubes limit or even prevent the remote exploitation of the security vulnerabilities of the deep layers of the machine (BIOS/UEFI, processor, GPU, chipsets…) ? Does Qubes limit or even prevent a sustainable corruption of these deep layers (by installing something on them, modifying their codes…) ?

If you want to conceal the your IP against your guard, using a VPN would help, while potentially giving more options to more powerful adversaries (but that seems not to be your concern i guess).
So you want to give out your IP do as little people as possible i guess?

You have to give it to either your VPN or your guard for interwebbz to work.

I personally do not see a problem with me giving my guard my IP as i have to place a little trust in it anyways. The fact that i use Tor for everything is nothing that i hide against anybody, but that is a decision i made for me.
I would go so far and say that it could be more private to give the tor guard your IP instead of your VPN:
VPN gets hacked, IP gets known to hacker. One VPN is a very juicy and monolithic target for all sorts of actors. VPNs have some attack surface, many different machines and systems working together, while tor nodes usually only run tor. Also those are thousands of individual targets, run by privacy minded volunteers like me. I personally trust them more to not log than any VPN. This is just my point of view.

For your threat model using a VPN in front of Tor is pretty much equivalent to using none. [Edit: maybe it is not. If you are worried about THAT kind of infection on your end device]

At least that should make it very very hard for him. Can’t target what you can’t see and if you have to target all, this will get out pretty quickly. Of course in certain cases like “you are the only Tor user that downloads that package and your adversary knows that” this could even shoot you in the foot.

It is pretty much the best you can do. It is enough? If your threat model have 3 letters, no. If it is a random blackhat only wanting money, probably yes. Bonus points for actually flashing it with a flasher so the computer cannot pretend to flash itself while it is not :slight_smile: .

*
No. There is so much to go wrong that it is easier to ask what could be considered safe…copper cables for example should be safe. If i suspect that a three letter agency has compromised my machine, i would dump it. You can take a look at what components the GCHQ wanted the guardian to destroy to get a glimpse…

But infecting more than the BIOS is really three letter or academia stuff imo. (PLS correct me if i am wrong).

Physical attack: No. On device attack: Maybe. Depends on implementation i guess.

It tries to contain the infection in virtual machines. If your dom0 gets infected, there is not much more mitigation against this.

If the infection is successfully contained: Most likely yes.

Those BIOS and UEFI exploits are pretty fancy shit, i am not sure if this is sprayed in the wild, but with qubes you should be pretty safe from that.