"They managed to hack the AppVM Whonix-gw-15 on one of my secure Qubes install"

1 Like

How to hack Qubes:

  1. Keep screen unlocked and walk away

In seriousness, if something was hacked at a sophisticated level, we should not be surprised. Qubes does more to acknowledge their possibility and protect against them compared to standard linux distros, but should not be considered immune to all forms of attacks. Those familiar with security already accept that vulnerabilities exist and the best defense is to find them, acknowledge them, and fix them.

That said, many things can go wrong with an install or intermittent network conditions which makes you think your machine is “hacked”.

2 Likes

Taken from the screenshot it could be a man-in-the-middle attack “only”.
No AppVM needs to be compromised for this to happen.
Workaround: use another (open wifi) internet connection, socks/vpn bouncer, etc.

2 Likes

Yeah, if you think about intrusions hard enough, you will eventually see one.

1 Like

Starting a news post on the site with “Occasionally fuckups happen”

Liking the personality on display here. Maybe @adw can bring back some of Joanna’s flair for QSBs and other announcements?

could you stop spamming? this is so annoying, hecking textbots.

Not really my style, sorry. :grin:

1 Like

I was hoping to see a critical QSB begin with a string of expletives, just to emphasize the dire situation. I’ll just have to write my own Joanna QSB fanfiction then.

2 Likes

“They” talk a lot of SEPARATION but when it comes to implementation… “they” walk away and sell-out.

The best SEPARATION at the template level is achieved with GUIX OS, Silver Blue or NixOS. You should also have encrypted BTRFS, XFS or Hammer file systems. I get hacked everyday with Qubes… but Mr Censor (Danish Sven) wants proof from an unpredictable build. I expect him to block this posting also to secure a high paying gig with Facebook or Twitter.

I don’t know if this message was blocked or not.

The problem is that anyone can say - “I’ve been hacked.” In most cases, it’s simply not true. I’ve been involved in a number of investigations and in most cases, the reporter is simply mistaken.

In the case of Qubes, “I’ve been hacked” could be true, but not particularly important. I mean that if a standard qube is hacked, the isolation given in Qubes will reduce the impact. There are some steps that users can take to enhance the protections given by Qubes - multiple qubes, disposables, firewall protections, template configurations, limiting installed applications, good isolation within security domains, and so on.

In most cases in Qubes, “I’ve been hacked” will be relatively unimportant, and no more concerning than being hacked when running a live distro.

The important cases would be where the claim is either intra-qube or attack on dom0. Both of these are possible. But a claim that either has taken place has to come with some evidence. (The fact that the build is not reproducible is unimportant here.) You may not want to provide evidence publicly - the right thing to do then is to send detailed information to the security team, and say that you have done so. You should send a PGP encrypted email to security@qubes-os.org but the team will expect detail.

The detail might include details on your Qubes configuration, templates and qubes, installed applications, and so on. You should provide information about how you think you may have been hacked - e.g. “I visited this website and clicked on this”, or “I opened an attachment from this email”. You should also provide information about why you think you have been hacked, or what the security fault might be. This might range from “my mouse clicked on a new tab, and a web address was entered, but not by me”, to “All the money was taken from my bank account, and the only keys were stored in my offline vault”, with variations in between.

This might sound like a lot of work, but remember, you are a) asking to be taken seriously, and b) asking other people to put in their time to help you. The best detail would allow the team to reconstruct the issue for themselves.

In some cases, there may be evidence of hacking, but it is irrelevant to Qubes. For example, if a user reported that material entered into the vault was appearing online, it could be that the keyboard has been compromised with a keylogger, hardware or software, or that someone has set up a camera over the keyboard and is capturing enough detail to reconstruct what has been typed, or that someone is keyjacking, or that someone has access to the computer, or that… Asking for evidence is not unreasonable - after all, it’s you that has made the claim and hopes to be taken seriously.

4 Likes

It was only hidden. Users can still see it if they click “view ignored content”.

Really great response. Do you mind if I make a canned response out of it and use it in similar situations?

1 Like

6 posts were split to a new topic: What’s Needed to Report Your System Getting Hacked?

A post was merged into an existing topic: What’s Needed to Report Your System Getting Hacked?

My disposable Whonix-ws got hacked as well. The version of Qubes OS is 4.0 running on a HP laptop. I have tried to post a thread in the discussion category about it, but it always gets marked as spam and removed by the spam filter. I recorded a video of my Qubes OS getting hacked. You can find it by typing its title into the YouTube search as “Qubes OS 4.0 got hacked by Russia and Vietnam (disposable: Whonix-ws)”.

Did you report the incident as detailed by @unman above? Unfortunately talk is cheap, and so is the creation of youtube and discourse accounts. As both of your accounts are brand new, I’m surprised this post made it past the same spam filter… Assuming your account of the hack is true, please follow the advice above and report it directly to the Qubes team in as much, costly to you, detail as possible.

As far as it looks to me, Qubes didn’t get hacked. Tor Browser did and maybe the Whonix VM. Qubes can do nothing to prevent that. The point of Qubes is compartmentalization. So if one of your VMs gets compromised, the rest is still safe.
Also it will be hard to know what’s going on from a vague video with no technical details. Also make sure you’re always using the latest Tor Browser version. Security issues in Firefox get patched frequently, recently also those known to be already actively exploited.

2 Likes

here’s the link Qubes OS 4.0 got hacked by Russia and Vietnam (disposable: Whonix-ws) on March 22 2022 - YouTube

I don’t use audio; from what I can tell from the video, there are only 3 tabs there, but when closing the browser, there’s a pop-up saying there are more than 3 tabs to close.

Please do not report this to the team - there’s nothing actionable here.

You might consider reporting it to the folks at Whonix, but I don’t see anything in that video to interest Qubes. First, because it isn’t clear that it’s a hack on Qubes - there’s nothing to suggest a compromise on the qube, and absolutely nothing to suggest a compromise on Qubes itself. Second, because there’s no effort to identify what’s going on. Just clicking about within a single window is of no use in the context of Qubes. At a minimum I would have liked to see what was happening at process level in that qube, in sys-usb (if there was one), (in other qubes), and in dom0. Third, because there’s no context - what does the complete recording show? Finally, because there’s no evidence of anything malicious - literally none. I have seen missing and hidden tabs in browsers in Qubes and outwith Qubes. The effect is more common in Qubes, but I put this down to resource allocation.

If you seriously want to investigate this, I’d be happy to work with you to do so. PM me. If there’s anything here worth following up, we could then take it further, and report back in the Forum. But it will take effort on your part - far more than posting a youtube clip.

To make it clear. I have looked at numerous reports of hacked machines and hacked Qubes. In almost every case there is an explanation (sometimes simple) for what has been observed, and NO evidence of malicious activity. In some cases there is evidence of malicious activity, but it takes some effort to identify this. The level of effort depends on the ability of the attackers.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

4 Likes
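As an added example (not code from this thread, from unman, or from the Qubes project), here is a small dom0 script that collects the kind of process-level snapshot asked for above across dom0 and a list of qubes, and then diffs two snapshots to surface command lines that appeared in between. It assumes Qubes 4.x dom0 tooling (`qvm-run --pass-io`, `xl`); the qube names and paths in the usage comment are constructed, and the `QVM_RUN`/`XL` overrides exist only so the logic can be exercised outside dom0.

```shell
#!/bin/sh
# Added example, not from the thread or the Qubes project: snapshot the process
# state of dom0 and a set of qubes into a timestamped directory, then diff two
# snapshots to list commands that appeared in between. Assumes Qubes 4.x dom0
# tooling (qvm-run, xl); QVM_RUN and XL can be overridden to run the logic
# elsewhere. Qube names given on the command line are the caller's own.
set -eu

# Process listing run inside each qube (procps syntax, Linux qubes only).
PS_CMD='ps -eo pid,ppid,user,etime,args --sort=start_time'

# snapshot_qube VM OUTDIR: save VM's process table as OUTDIR/VM.ps (stderr to VM.err).
snapshot_qube() {
    vm="$1"; outdir="$2"
    "${QVM_RUN:-qvm-run}" --pass-io --user root "$vm" "$PS_CMD" \
        > "$outdir/$vm.ps" 2> "$outdir/$vm.err" || {
        echo "warn: could not collect from $vm (is it running?)" >&2
        return 1
    }
    echo "$outdir/$vm.ps"
}

# snapshot_all OUTDIR VM...: dom0 domain list and process table, then each named
# qube, plus a SHA-256 manifest so a snapshot handed to someone else can be
# checked for tampering later.
snapshot_all() {
    outdir="$1"; shift
    mkdir -p "$outdir"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$outdir/timestamp"
    "${XL:-xl}" list > "$outdir/dom0.xl-list" 2>/dev/null || true
    ps -eo pid,ppid,user,etime,args > "$outdir/dom0.ps" 2>/dev/null || true
    for vm in "$@"; do
        snapshot_qube "$vm" "$outdir" || true
    done
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} +) \
            > "$outdir/MANIFEST.sha256"
    fi
}

# cmd_column FILE: drop the header and the volatile pid/ppid/user/etime columns,
# leaving one sorted, de-duplicated command line per row.
cmd_column() {
    awk 'NR > 1 { $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }' "$1" | sort -u
}

# new_processes BEFORE_DIR AFTER_DIR VM: command lines present only in the later snapshot.
new_processes() {
    b=$(mktemp); a=$(mktemp)
    cmd_column "$1/$3.ps" > "$b"
    cmd_column "$2/$3.ps" > "$a"
    comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# Usage in dom0, with this file saved as (hypothetically) snapshot.sh:
#   sh snapshot.sh /var/tmp/snap-1 whonix-ws-dvm sys-usb
# then after reproducing the odd behaviour, a second run into /var/tmp/snap-2 and
#   new_processes /var/tmp/snap-1 /var/tmp/snap-2 whonix-ws-dvm
if [ "${1:-}" != "" ]; then
    snapshot_all "$@"
fi
```

Two design points: the diff deliberately throws away PIDs and elapsed times so that ordinary process churn does not drown out genuinely new command lines, and the dom0 `xl list` is captured alongside the in-qube listings because a process table read from inside a qube is only as trustworthy as that qube; the view from dom0 is the part a compromised qube cannot rewrite.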

@unman Thank you. I have switched to Kali Linux as Qubes doesn’t seem to provide the security level that I expect and is relatively difficult to use. After switching to Kali, the OS still gets hacked. I’m a bit tired of this.

It should be added that when still using Qubes, my left mouse-click often got the functionality of a right mouse-click and vice versa, plus one left mouse-click became a double mouse-click.

Looks like a bug. You could create a separate topic and the Community would help you to debug it.

1 Like

4 posts were merged into an existing topic: My Qubes OS got hacked on March 22 purportedly by Russia and Vietnam