So I have an airgapped PC that runs Qubes. I don’t do much with it, but it’s there, and the times I do dust it off and turn it on, I find myself wondering, “What’s the point of this?”
In previous discussions (a year ago) it was mentioned that airgapped PCs might actually be less secure than networked Qubes, since badUSB exists, but assuming that isn’t an issue (e.g. sidestep it using microSD cards), and assuming that you simply have to have an airgapped PC (i.e. zero networking hardware), are there any benefits or drawbacks to using Qubes? Since the main threat model switches to physical access, is Qubes a decent choice, or are there better?
Also, is there a way to update Qubes offline, like what WSUS Offline does for Windows?
since you sad “update”, i guess you need to find all the update available (this is the most painful part so i haven’t tried it myself) then download the package file and install it
Speaking on update security, am I right that as of now, only dom0 has a properly isolated vm-based update mechanism, and regular “non-networked” templates actually can access internet via localhost:8002 proxy in a quite unrestricted way, making it more “security by obscurity” issue rather than actual protection?
you could clone the repo and host it in a qube, let the templates load updates from that internal qube.
qubes is a relatively more secure operating system, with or without networking it uses the hardware suppported virtualization for compartentalization. so even if its just a pgp sub key that gets extended from that offlne machine, i guess you’re not writing down a 4096Bit key on paper to transfere it to another machine, or a closed source smartcart/hardware-token… so compartmentalize your main-key in a qube that gets no network (obv…) and no hardware attached. and qvm-move the created subkey to a disposible VM where you connect your USB device to. - there it is the use case for qubes even offline
Several years ago, for a Journalist or Human Rights Worker, it was suggested to run two exactly alike computers, I think with Whonix. One is to be Air-Gapped, and the other is online. Online one receives encrypted message, which is moved over to the Air Gapped one (USB Problems not mentioned.) Encryption and Decryption of Messages is to be handled only on the Air Gapped Computer.
There was some mention of installing OS from Scratch frequently, routinely.
I say this to partially answer the original question, Benefits of Airgapped computer (Qubes PC was the specific question.)
When US based Security Expert Bruce Schneier was reviewing the information provided by Snowden. After he did it, he wrote about how he did it. He purchased a used, refurbished laptop from a randomly chosen computer store. (They used to exist.) He removed the physical hardware that allowed it to be online. He installed and review the entirety of the Snowden Files (I am guessing including the parts that have yet to be made public). After he took his notes. He Hard Erased all the information on the Drive. Then I think removed the drive and physically destroyed it.
Only after he destroyed his copy of the Snowden Information, did he write that, - for awhile - he had a copy.
I wouldn’t assume that you can sidestep it simply by using a different type of external storage device. Why couldn’t there ever be a “BadMicroSD”? It might not work the same way as BadUSB, but it might have the same practical detrimental effect.
But why should we simply assume this? In a world where Qubes offline vaults exist, why does anyone have to have a PC with zero networking hardware?
It’s worth pointing out that any such method will involve you somehow transferring the same bits from the internet to your air-gapped PC, just with different and extra steps. Effectively, you’d be trying to implement a firewall through physical procedures rather than software.
Isn’t this SecureDrop? My understanding is that that’s the setup they used to have before they switched to Qubes.
Good to mention SecureDrop in this discussion. What I was referring to was years before SecureDrop was available, I seem to recall. One might keep in mind, if one was say sending information on a Human Rights case to -say , the New York Times with Secure Drop. The eventual goal of the New York Times is to make very public what was once secret. Or is it the goal of SecureDrop is to keep the identity of the Whistle Blower, unknown?
In the earlier scheme, the goal was to keep all the texts of messages encrypted on the computer which was connected to the internet. Qubes, in effect, is several different computers connected on the same hardware.
Perhaps what would be more interesting to ask; "What is the threat which makes one want to do an Airgapped Qubes? In my case, it might be my writing the great novel, without it being stolen before I get it finished.
Perhaps OP is not aware of the Security which is inherent in a properly used Qubes. Which, once again, brings up the discussion of what one can accidentally do to compromise Security while using Qubes? What one needs to do to use Qubes without being compromised?
Security is not just in the hardware or Software. It is how one uses it.
I did some digging around the issue in our previous discussion on this issue and remember finding that it was too difficult to pull off in most scenarios since it involves physically accessing the microSD card and opening the tiny package for modifications, which would likely leave marks.
Some workplaces have such requirements to reduce risk to a minimum; others are just cautious. Regardless, this is one of those ‘thought experiment’ assumptions, like when someone asks you to imagine flying a plane on Jupiter–you can ask, “Why assume this?” but that’d be beside the point.
But the physical firewall has far more assurances than the digital firewall, since the connection between the containers are less prone to attacks of the unknown unknown variety (e.g. a yet unknown flaw in a firewall built from issues with the microcode)–the “different and extra steps” are valuable and generate an asymmetry in cost in your favor. The laws of physics are harder to find workarounds to than code.
The digital barrier only requires the circumvention of digital defences (everything is hackable), while the physical barrier in almost all cases require physical presence and novel techniques on top of the requirements for the former if implemented and relevant.
there one problem, microsd card is too small to do that
i remember i read somewere even a usb that when plug in there only enough plastic to unplug it can be considered safe
is that true?
Honestly, I wouldn’t be assuming anything like that, just in case…
Basically, with cybersecurity, if you can imagine it, it’s most likely possible; and if you assume it “can’'t be done” or is “impossible”, you do so at your own peril…
Microsoft thought their Exchange servers were bulletproof (or at least “sufficient”). Solarwinds thought their updates were “secure”.
Hacking (both malicious hacking, and rooting your phone or ISP router to unlock features) is a creative art. I mean, you’re basically trying to find creative ways to achieve access to something, while working within certain parameters. It’s a logic game, and usually the most outlandish solutions end up working.
My point is, thinking up ways to attack is a creative process, and so is defending against them. Kind of like the way a lawyer will look for loopholes in legislation
For what it’s worth, desktop SD card readers are SATA-based, and I have a feeling built-in laptop readers are as well.
I think the technical difficulty of writing malware that rests on your microSD that then hacks your SD card reader firmware (serial or not) is insane if not outright impossible, but I’m not the best judge of that. This is something the resident firmware expert @plexus might weigh in on.
When I say ‘logical possibility’, I meant to highlight how the possibility belongs in the realm of academic curiosities, but not really in the realm of practical threats. For one: microSD cards, AFAIK, have basically nothing beyond the filesystem space for firmware malware, and are compact enough that physical tampering and hardware modifications would be immediately spotted if one is paying attention (and if you think your threat model includes someone who can hack you by tampering with your microSD, you’d better be paying attention–everywhere; all the time)