“They” talk a lot of SEPARATION but when it comes to implementation… “they” walk away and sell out.
The best SEPARATION at the template level is achieved with GUIX OS, Silverblue or NixOS. You should also have encrypted BTRFS, XFS or Hammer file systems. I get hacked every day with Qubes… but Mr Censor (Danish Sven) wants proof from an unpredictable build. I expect him to block this posting also to secure a high-paying gig with Facebook or Twitter.
I don’t know if this message was blocked or not.
The problem is that anyone can say - “I’ve been hacked.” In most
cases, it’s simply not true. I’ve been involved in a number of
investigations and in most cases, the reporter is simply mistaken.
In the case of Qubes, “I’ve been hacked” could be true, but not
particularly important. I mean that if a standard qube is hacked, the
isolation given in Qubes will reduce the impact.
There are some steps that users can take to enhance the protections
given by Qubes - multiple qubes, disposables, firewall protections,
template configurations, limiting installed applications, good isolation
within security domains, and so on.
In most cases in Qubes, “I’ve been hacked” will be relatively
unimportant, and no more concerning than being hacked when running a
live distro.
The important cases would be where the claim is either intra-qube or
attack on dom0. Both of these are possible. But a claim that either has
taken place has to come with some evidence. (The fact that the build is
not reproducible is unimportant here.)
You may not want to provide evidence publicly - the right thing to do
then is to send detailed information to the security team, and say that
you have done so. You should send a PGP encrypted email to
security@qubes-os.org but the team will expect detail.
The detail might include details on your Qubes configuration, templates
and qubes, installed applications, and so on. You should provide
information about how you think you may have been hacked - e.g. “I
visited this website and clicked on this”, or “I opened an attachment
from this email”.
You should also provide information about why you think you have been
hacked, or what the security fault might be. This might range from “my
mouse clicked on a new tab, and a web address was entered, but
not by me”, to “All the money was taken from my bank account, and the
only keys were stored in my offline vault”, with variations in between.
This might sound like a lot of work, but remember, you are a) asking to
be taken seriously, and b) asking other people to put in their time to
help you.
The best detail would allow the team to reconstruct the issue for
themselves.
In some cases, there may be evidence of hacking, but it is irrelevant
to Qubes. For example, if a user reported that material entered into
the vault was appearing online, it could be that the keyboard has been
compromised with a keylogger, hardware or software, or that someone has
set up a camera over the keyboard and is capturing enough detail to
reconstruct what has been typed, or that someone is keyjacking, or that
someone has access to the computer, or that…
Asking for evidence is not unreasonable - after all, it’s you that
has made the claim and hopes to be taken seriously.