Secure-Private-first-download-update of Qubes

If I feel my Internet connection might be watched. And I wanted to obtain Qubes, update it without watchers, who might keep knowledge that I once got Qubes - like forever.

Which includes not just nosy governments, but also ISP’s (who might never forget which websites we visit) or the server in a hotel, or restaurant we are connected to the internet with.

If a person feels their internet connection might be watched, and they have a beginners expertise, or just want someone else’s check list of “how to” download Qubes, and update it without that being recorded by someone on the internet.

Off the top of my head, What not to do:

Don’t use any version of Windows, even with a VPN.

Some versions of Linux, distros put together focused on ease of use, even with a VPN, are also, to me, a no.

Tor, if one decided one could trust it. would take forever to download a small distro, that one might use (Live or Installed) to Download Qubes, while disguising ones own IP from Watchers.

Anyone want to write the “How To” Download Qubes, do first updates, then keep it updated so watchers do not know the individual did it?

Then maybe a Journalist could rewrite the “How to” Download Qubes, keep it updated to be more understandable to the target audience?

I will offer my version of Downloading Qubes more securely for a first install of Qubes.

Explanation for this should be for someone who is less experienced in computer security, than many on this forum.

I presume, “They are all out out to spy on my computer activities.” Maybe some other of my activities, or someone they think I know, as well.

Such a spine chilling word. “They.”

I would start with buying two, or three USB flash drives, still in blister pack, with consideration of buying them someplace no one would expect I go. I would have a computer to devote exclusively to using Qubes. I am guessing that computer likely will accept Windows. So wipe the drive, and do a fresh install of Windows.

Acquire one of the better VPN’s. Yes, I know it costs money. I will not suggest one VPN over the other in this post. This you can do with Tor.

Download one of the later versions of Ubuntu, which I don’t think arouses suspicions, because Ubuntu is often needed to replace some of the sloth and problems of Windows. Also Ubuntu can be , modified used to avoid some of the Privacy issues which are more difficult to avoid elsewhere. My Personal guess is that any software that is large, and meant to be easy for the general public to use, some well intended software might have a security leak. Still, I feel that it is better to use Ubuntu than any, even freshly installed version of Windows with all Updates, to accomplish the download the first install of Qubes.

Install the VPN inside Windows to accomplish the Download. Verify the VPN connection is the one you are on. I want to believe, that having a VPN active on a computer is not suspicious in itself, as some use VPN’s for some things that are quite innocent. I am quite sure that a lot of internet connections can be corrupted if one does not use a VPN or tunnel of some kind. If anyone knows I am wrong I would be glad to hear it. That is relying on the security of a browser alone is enough,

Using Tor, or any of the other types of anonymity services would take forever to download Ubuntu, or even several days to download a much smaller distribution of Linux.

Download Ubuntu, using the VPN. I would have chosen a version of Ubuntu LTS that has been out for awhile. I would read/study the advice on the Ubuntu site about how to verify whether my download is reliable, not corrupted. Likely not complicated, but it is advice which is a moving target, might change by tomorrow morning. Computer Security is often a moving target.

With my verified download of Ubuntu, I would break one of the USB keys out the blister pack wrapping. Kept them safe and secure, right? I would install Ubuntu onto the Key. I have not used Windows to install a Linux Distribution onto a USB Key. I used to use "Balena Etcher.’ No program performs well forever. Ubuntu Forums have a lot of active users, so perhaps best to use their advice.

After you have Ubuntu, (or like a local computer store says, Ubunny) on the flash drive, you can install it to the computer. One must modify the BIOS/EFI of computer to accomplish booting from the USB which has Ubuntu. Recommendations for this are surely on the Ubuntu site. Keep in mind, you will have to use these same modifications to boot the USB key you will have to do to install Qubes.

Install the Flash Drive with Ubuntu onto the computer. Get the appropriate App for the VPN you have, install it. Verify the VPN is working. Personally, I would install the Linux version of OpenSnitch. I am told it drives ordinary people crazy, constantly asking if I would allow it to connect here or there.

Do not use the Ubuntu for real purpose before Downloading Qubes, while using the VPN. Verify the VPN is active and working. So Download the latest version of Qubes in Ubuntu.

Qubes Download is big, this make take awhile on even a fast connection. After your download looks to have finished correctly.

There are several means to verify whether the Qubes download is accurately the correct one. Not so easy for those new to Linux. Some of the instructions are on the Qubes Documentation. Some of the help for installing and using GPG. I would guess the linux newcomer would find help on the Ubuntu site.

After you are satisfied with your having a valid copy of Qubes. There is another verification that Qubes will do on itself before installing. Not sure that qualifies as real security, but just that the download is accurate as nothing is missing. I guess that could be faked by a highly competent government Computer service. I would be sure that the NSA (the United States Computer Security service. Actually “National Security Agency,” or collequially, “No Such Agency.” has thought about trying to have their own version of the Qubes download to slip in. I am also guessing that it is not that easy for even the NSA to insert their own version. But what do I know.

After the download is finished. Verified. User will need to break open another blister pack of a flash drive, install Qubes onto the computer. The newcomer to Linux might find this install vexing. it will require making some decisions of just finding the correct buttons on the install. There is documentation on installing Qubes, on the Qubes site. Just be prepared to spend some time reading, trying. and not feel too frustrated.

I strongly suggest that the user find a way to continue to use the VPN to study issues, and how to resolve issues.

After Qubes is installed on your computer, for most of us that is a laptop. Find a way to install the VPN on Qubes before proceeding. Behind the VPN, do the first update of Qubes.

I would use the third USB key to install Tails to it. That is. “The Anonymous Incognito Linux System.” It is a live version of Linux. Meaning you start it from the Flash drive, it runs from the flash drive. When the computer shuts down. The computer has no memory it has happened. The name of “Tails” is from the fiction book, “Little Brother.” by Cory Doctorow. You will have to make up your own mind.

There are other variations on my instructions. Like use the Live CD of Ubuntu to download Qubes, and before shutting down the Live CD.

I write this hoping a lot of more knowledgeable people will shoot holes in my explanation. I expect it.

For those who live without fear of “They.” Realize that one must not do anything in some places to be taken from storms of ones own life, to a place where agents are trying to earn a bigger salary by obtaining confessions.

Anyway. Halloween is coming soon. Boo. Happy Halloween.

While I’m not sure how this is more secure, wasn’t it easier to install virtualbox in windows and then fire-up Ubuntu VM there to download Qubes? WhonixVM actually.
Or, simply to fire up Tails and download Qubes? Slow days of tor downloading are long time ago over. In 3-8 hours there’s your ISO on your USB over tor.

enmus 2 Catacombs 0


Enmus, you are correct. I tried to download Tails over Tor, with my telephone HotSpot, and it predicted 44 minutes to finish. To some, Downloading to USB might imply, doing either a USB to USB copy, or attempt USB install, which I have read, some hardware people recommend against. I think, overheats part of Mobo.

Yes. I made some presumptions about the person who needs to install Qubes.

Usually the first thing those who speak about the relationship of Computer Security, and need to keep a newbie to the security discussion safe, is the knowledgeable recommend doing a "Threat Assessment "

My thought is:

  1. Internet never forgets what an individual once did.
  2. Always assume the worst case of need of security.

Attempt to keep what websites one has gone to - to be not known by local 'Internet Service Providers," “Public WiFi connections.”

Meaning keep away from them that I have used that I have initially used Tor. Or Whonix. Although I like those programs.

I also presume that the person who is reading my suggestions, acquired a laptop, probably a used laptop, that will work with Qubes, and from the beginning, that laptop is available to use for the project.

Windows, and I am not a Windows expert, I don’t use it much, allows itself to be used to acquire information on users. I, a normal human being, can never know, what Windows is allowing others to know about what I am doing.

I presume any Windows which has been used, at all, web browsing, email, listening to music. Any use of Windows can be subject to "drive by’ malware. Likewise there are risks of opening documents. and more.

I presume the person reading my suggestions is only familiar with Windows, not Linux, else they don’t much need my suggestions. Although they might be amused in measuring my level of Paranoia.

There are some potential security considerations I have not mentioned, like firmware on computer might have been corrupted. Or the drive, even after a complete Format can have some malware on it. Just not probable, and if the kind of person acquired their computer, most likely a laptop, in a way their local power structures did not either have, or would not be likely to feel inspired to install spyware on the laptop.

So I am excluding Journalists when I say that, as Journalists know they have enemies from authoritarian governments. Journalists need more precautions than I describe here.

Some have posted on the internet information about events they have witnessed, which, apparently, they never realized, their government would object to others knowing. That discussion not for this forum. I might point out, that some who have served their nation, their people, their government, have after a lifetime of working for the best for their country, found themselves on the negative side of a government. In a dangerous position. Anyone who has the smallest of apprehensions, should still take the greatest of precautions.

So a fresh install of Windows, and updated. Then use the computer for nothing else before downloading, a trustworthy VPN. and installing it. With the VPN running, and masking where the user has gone. After that, do nothing with the computer before downloading Ubuntu, LTS. After that, then look about finding a means to install Ubuntu onto a Flash Drive. Oh wait, I am repeating myself.

I guess it is genetic. My uncle was a Baptist Missionary. Would never shut up. He would be up in the Pulpit preaching on after ten PM. Those who stayed hoped one of their neighbors would go up to be prayed over, so they could hold it against them.

Might be…? :smirk:

Most internet connections are monitored in some way. In most countries, it’s a legal liability to not monitor them, unfortunately.

Plus, every single ISP in existence continuously monitors all their network traffic. Not necessarily to see what an individual node is doing (although that can easily be done), but to measure things like latency, bandwidth, capacity, whether they need to redesign their network, etc.

Well, all things considering, you’ll definitely achieve your goal, but in all honesty, quite a lot of steps don’t actually contribute to said goal, and can be left out….

Almost a perfect description. The internet never forgets the origin, destination and contents of data packets" would probably be a better statement to base your methodologies off of.

So therefore, knowing this, the key is to remove/obfuscate the identifiers and ability for a third party to derive any meaningful information from the origin, destination, and packet contents. That is how you make the internet work for your needs :slightly_smiling_face:

Make plans for every possible scenario, and hope that you never even have to use a single one :slight_smile:

That’s definitely a fair assumption. And/or MacOS :upside_down_face:

Paranoia is the irrational fear that “everyone’s out to get you”. Sadly, there’s nothing irrational about what you’re describing. Everything you are describing does really happen.

The only comment I would make about your approach is that you don’t yet fully understand the methodologies in which they are able to do those things, and the limitations of those methodologies.

Once you do (you’re about 70% of the way already :slight_smile:), you’ll likely end up modifying a fair chunk of your processes, because you’ll realise that some of the steps don’t actually do anything meaningful to counter what you’re worried about, and are not “essential”.

But that will come with time. We were all like this once :slight_smile:

(CLARIFICATION: @catacombs, I am NOT saying anything negative about you. I am trying to encourage you :slight_smile:)

Well, they’re still good to consider :slight_smile:

Qubes OS will NOT
…I repeat…

NOT :rage:

…protect against that. And it never will. No OS ever will…

If you choose to put something on someone’s elses computer (ie the web server hosting your post), you have absolutely zero control over what happens to it.

This comes from a gross oversimplification and blatant misunderstanding about how the internet actually works :frowning:


But you do bring up a good point.

There would definitely be parts of the world where obtaining the Qubes OS ISO, if identified by network monitors, could be a “red flag” by authorities, and cause them to “investigate further”.

Because of this, having an obfuscated way of obtaining the ISO could prove useful in situations like @catacombs is describing.

What are you trying to achieve?

  • Obtain the Qubes ISO
  • Ensure that the ISO hasn’t been tampered with
  • Do so in a manner that cannot (easily) be linked to your identity

What could prevent you from achieving this?

  • Your network node could be (and probably is) monitored, potentially with DPI (deep packet inspection)
  • The ISO could be tampered with while in transit
  • The machine you use to obtain the ISO could potentially interfere with and jeopardise this process

I will think of some obfuscated methods for Qubes OS ISO for these unique use cases, and get back to you.

1 Like

and now, some in Russia and iran are saying. Oh why did i not set up a secure computer system before events were so extreme.

but I do not want to make the government suspicions. and I have no intention of obstructing the government anyway.

@catacombs, in all honesty, a pluggable transport would be sufficient to prevent anyone monitoring your network traffic to figure out what you were doing.

There are pluggable transports that make your network traffic look like other things “Facebook, YouTube, Azure, Office365, or other “seemingly innocent” things).

Mind you, it wouldn’t do anything to stop your computer from snitching on you. That would be mitigated with other things….

To be honest, I hear here on the forum mostly westerners screaming this. Just search the forum. I just don’t like prejudices…

Enmus, once again you make a good point. And it is good that you point it out.

Then again, things have been more extreme in the west than what news media, and western government imply. But we never talk about those things. Only by oblique reference to events somewhere else.

I will have to try this. I may have heard of plug-gable transports, but never searched for them or tried them.

Perhaps this reference to 'Plug gable transports belongs on the Qubes Download page.

1 Like