Question to developers: what hardware information reveals Qubes system clearnet traffic to an ISP?

Hello, everyone! Today I have a question for someone from the Qubes developers team. Why? Because only they can really know the answer. The question is: does Qubes have something in its update request traffic or in its regular system (not user's) clearnet traffic that could directly or somehow indirectly let the ISP know what processor model the user's computer has? Or maybe some other accurate information on hardware components' models (serial numbers, model names)?
I know there are ways to disable clearnet update requests and time sync, and that it is possible to disable networking for some qubes or configure updates through the Tor network (all this in order to disable all possible clearnet traffic and to leave only Tor traffic). But it seems none of us regular Qubes users is really sure whether there isn't still some clearnet traffic, generated by the system, that can tell the ISP that a particular user uses Qubes OS or even what hardware components his computer has. It is important for those users who use Qubes in authoritarian countries with large-scale surveillance and collection of information about network users.
P.S. I want to emphasize: the main point is not about possible exploits an adversary can get, but about users' de-anonymization through collecting user information. I hope I don't need to explain much to make you understand how it can work.

Default templates and dom0 will search for updates on the Qubes OS repository, hence it will leak DNS and HTTPS requests containing the specific hostname.


OP has already given this case: “ways to disable clearnet update requests”
I do not think this traffic will leak any information about “what
hardware components has his computer”.

The official advice is that you should turn to Whonix for privacy in
Qubes.
If you combine this with dropping all outbound traffic from sys-net and
sys-firewall, then that is the best that Qubes can currently offer.
Passive surveillance of the network traffic will likely show some
things about the networking hardware.
Surveillance of the network traffic will also show use of Tor, and
Whonix.

Use of Tor is not a panacea: there is now extensive work on traffic
analysis of Tor traffic, and it is possible to demonstrate
fingerprinting of Whonix traffic, given sufficient resources at the ISP.
This does not necessarily lead to de-anonymization - people often do
not think about this clearly enough. Compare with leaving a fingerprint
or DNA at the scene of an incident - in some cases, that might be
sufficient to narrow the range of suspects, (me in my current situation);
in others, it might only serve to identify a suspect if they have
already been brought in for questioning. These are different cases and
can be mitigated in various ways.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.


As I read this, you’re drawing a distinction between merely leaving a fingerprint that is unique, but the owner isn’t known (yet), and leaving one whose owner is known already. An important distinction!

I’m interested to know more about identifying the fact of Whonix usage. I understand how it is possible to identify Tor usage, but what is the unique thing that Whonix traffic generates to reveal its use in this way? Once before I heard from people here that Whonix performs some actions to hide the fact of Whonix usage from the ISP, in contrast to Qubes OS, which doesn’t do the same for itself. I tried to find more info. So far I found this article: VM Fingerprinting. But it’s about the case where the user installed unsafe software and the adversary got access to the hardware info this way, etc. Can you tell a little more about the things in traffic that can reveal Whonix usage, or maybe you know articles on the subject? Can they definitely establish that I used Whonix?

Sorry, it seems I found it: Network, Browser and Website Fingerprint. Let it be helpful for other users who are interested in this subject too!


Read it. But one thing is still unclear to me, especially from this part: Network, Browser and Website Fingerprint. Based on traffic: can they tell that a specific user uses Whonix itself, or is the only thing they can tell that the user uses some torified OS like Tails, Whonix or even just torified Debian? There’s a big difference between being able to know that a particular user uses Whonix itself and being able to tell that he maybe uses Whonix, or maybe Tails, or maybe whatever is entirely torified.

  1. The owner is not yet known.
  2. The owner is not yet known but the fingerprint or DNA is
    sufficiently unique so as to aid identification, or narrow range of
    suspects.
  3. The owner is not known, is brought in for questioning and the
    fingerprint or DNA is used to identify them.

And perhaps more.

Note that hardware/software/connectivity/power can all be used, and
there are ways and means to mitigate against each of these risks.
Users have to consider what category of risk they consider to be most
relevant to their situation, and apply appropriate responses…


The former - Qubes Whonix generates uniquely identifiable traffic. This
is not necessarily an issue.



[quote=“unman, post:9, topic:33778”]
The former - Qubes Whonix generates uniquely identifiable traffic. This
is not necessarily an issue.
[/quote]

I very much appreciate your response, but the question was not about Qubes + Whonix. It’s understandable that Qubes’ clearnet traffic and Whonix’s traffic will generate a unique fingerprint for this bundle, but I asked about Whonix alone, installed on KVM for example. As I understand it, a VM should not perform its own internet connections; Whonix alone does, plus the host can (and will). For example, if there is Debian as the host and KVM + Whonix, it will look like the user is using Debian and Tor Browser in it, IF only Whonix is not generating some unique traffic that can be identified as traffic originating from Whonix. On one hand the devs say that Whonix generates some unique patterns in traffic; on the other hand they compare it with traffic from some fully torified OS like Tails, so it’s a bit confusing. Traffic identifying Whonix and traffic looking like some torified, anonymous OS are two different things. To look like Qubes + Whonix, or Whonix + host, or some unidentified anonymous OS: three different things.

I think I should explain a little to everyone why I see this as an issue. Imagine a program like SORM. Imagine a user that lives in a country that operates it. Let’s assume the user once used just Windows on his personal computer, but one day came a day when the user needed anonymity from his repressive government. He installed Qubes with Whonix in it on that personal PC, to perform anonymous activity (let’s say for posts in Telegram). The two things that the user didn’t know:

  1. With default settings, Qubes and Whonix reveal their presence on the PC through originating traffic.
  2. When the user used Windows, it revealed to the ISP (through update requests and outgoing/incoming update traffic, or through visiting http sites, whatever) that his PC has a specific processor model.

So what do we have? When the user posted his stuff on Telegram, the app got his fingerprint. Among all the fake info there was the real processor model (since it can’t be hidden) and the name of the OS (for the same reason). First, the “evil government” asked Telegram for the fingerprint. Since it most likely co-operates with the Russian government, they gave it. Now it knows that the user used Qubes with Whonix and had such a processor. What can they do next? Since SORM stores users’ traffic and can operate on it, they can search for specific patterns in these recordings, such as Qubes usage + traces of the presence of some specific processor. Since our user used Qubes on the same computer that he used with Windows, which revealed the processor info, they now have a match of these two patterns: Qubes and the specific processor. We all know that not so many people around the world use Qubes. Even fewer in Russia, even fewer in Russia with some specific processor. What remains is only the work of technology to perform further surveillance and conclude that this is the guy they need.
P.S. Of course I’m not a specialist, and all this is based on the assumption that Windows can reveal the processor model in its traffic. But the other things are facts with a probability of 99 percent. SORM exists, it records and collects user traffic, and it can be analyzed and structured later. Telegram most likely co-operates with the Russian government, and so on, you know.

If so, it’s an unclear question :slight_smile: And if it’s not about Qubes OS, you need to ask it elsewhere, like:


Since this is a Qubes forum, it seems your question is not appropriate
here. You should take it to the Whonix Forums instead.


@Qubie Can you explain how evil government can move from knowledge of
what processor is installed to knowledge of who should be subject
of surveillance?


As I said, SORM collects and stores traffic that can be analyzed later. So it means that they can search for specific patterns. In our case they have two patterns: Qubes usage and processor model. SORM would be useless if it could only store traffic without any binding to a concrete user profile. So all they have to do is search whether there is a profile where both of these parameters match. Since I doubt that there are so many users in Russia who use Qubes with Whonix and with the same processor model, they will probably get at most several suspects at the output. And most likely a single one.

And a question along the way: are there some metrics that could show Qubes usage per country? Something like the Tails devs did. They show their metrics from time to time, where the total user pool per country for a certain period is shown. The metrics of yours I found show only the total user count: Statistics | Qubes OS

This does not answer my question.
How do they move from processor to individual?

I am trying to get you to see that the processor leak is not the
main issue here.


Well. If SORM binds user traffic to a concrete user (it can be possible at least because the ISP allows traffic only for the user’s router once the user has told it its MAC address, in the case of wired internet, or because the user can’t sign a contract for communication services without passport data, in the case of mobile internet). All ISPs have SORM installed in their equipment, and it records, stores and catalogues traffic data in real time. So there will be (at least “may be”, as I assume) a record about a user who had a specific processor and used Qubes OS. To find this data, the SORM operator should get these two search parameters and enter them in his “remote control” (as they call it). How can they find these two parameters? In my concrete example, the imaginary user posted stuff in Telegram. Since it co-operates with the Russian government with almost 100% probability, its administration will give the user’s metadata, where those parameters will be. I think these two parameters are the most useful for them in this case.
If I’m missing something, tell me what. If you mean Telegram, then there will also be timestamps in the user metadata, IP, faked hardware info, some portions of real hardware info. As I told you, the user used Whonix with Qubes, so the IP will be from Tor, and since Tor is blocked in Russia the user will use a bridge. So from all that I have enumerated I find only the two most useful parameters that they can use, due to the above reasons.

If you are referring to the use of Telegram, then why use any apps at all? Are VMs supposed to protect the user from exposing his real hardware info? Maybe VMs were not made specifically for that, but now there are some VMs or OSes :wink: that users utilize specifically for this. If only Tor Browser is to be used, then all secure/anonymous OS development can be stopped, since it has no reason anymore, because there are already ones that protect from IP leaks. But no. That’s no reason to stop. It has always been a battle of the shield with the sword, and if this strategy of struggle did not work, it would not exist.

Since it is possible to identify the NIC from passive analysis of network
traffic, you should add that to your concerns; that is a) more
easily accessible, and b) arguably more identifiable than the processor.
I would not use Telegram or its ilk unless from a vanilla device, and
certainly not where contacts included any high risk individual.
