This may sound a stupid idea, but you can avoid using Qubes OS by using multiple computers with operating systems that would sound more mainstream. The compartmentalization would be physical in that case.
1 Like
Sorry to say, but I agree! 
Qubes OS goes beyond simple compartmentalization, which can be achieved just by using multiple computers.
I was merely asking if anyone could provide suggestions on reducing or eliminating OS fingerprinting, even though Iāve expressed doubts about its feasibility.
No need for sarcasm, I think.
1 Like
You can probably disable NTP, however since sys-net is distrusted, any security mechanism you implement inside it is unreliable too.
BTW revealing that you use Qubes OS might be beneficial - the attacker will know his chances are very small and may give up 
1 Like
I believe thereās some misunderstanding regarding my points.
Firstly, on the topic of NTP requests, these use the UDP protocol, which means TCP/IP passive OS fingerprinting isnāt applicable here. Qubes OS uses standard NTP servers that are not specific to Qubes or Linux, and Iāve modified the fallback NTP servers as well. From what Iāve observed, this setup should suffice.
Secondly, Iāve configured sys-whonix as the NetVM for the default DispVM (DVM) and added an update check exception for sys-firewall, sys-net, and sys-net-dvm, which are all upstream VMs in my setup.
Thirdly, I am using custom obfuscated Tor bridges, which helps in concealing Tor usage.
My main question was: With all these configurations in place, does my data stand out from other users when it reaches my ISP, or is it sufficiently blended in without someone needing to dive into pattern analysis or OS fingerprinting?
Additionally, I want to clarify my understanding of sys-net. I donāt believe itās inherently untrustworthy, especially when Iām using it as a disposable VM. Someone on this forum pointed out that sys-net only accepts packages that have been requested by a VM, rejecting unsolicited incoming traffic. If this is true, then sys-net might not be as insecure as some might think.
I regret to mention, but the last few responses Iāve received have felt somewhat discouraging. I genuinely believe in having a healthy discussion since Iām keen to learn more about these aspects, being a big fan of Qubes OS after using it for around a year. However, if this topic is starting to annoy anyone, Iām ready to leave it here to keep things positive.
Best Regards,
Yes, but you can still inspect the contents. It might be unintelligeible, but you can still inspect it.
You were originally concerned about someone observing your network traffic and going āHmmm. This node keeps contacting Fedora NTP serversā¦ Methinks thereās a Fedora machine hereā¦ 
ā
You have now addressed this, and they will now see NTP packets being sent to somewhere else.
So literally everything that isnāt an NTP/ICMP packet is going straight to a Tor node. Anyone observing the network youāre on will notice this, and it will stand out. It may not necessarily be a cause for concern for your ISP, but itās a pretty unique traffic patternā¦
But if your machine moves across different peopleās networks (i.e. like a laptop), it can also have the opposite effect. If you keep contacting the same IP addresses, and ONLY them, then youāve self-fingerprinted yourselfā¦
Fingerprinting is not just the OS. Itās any trait about your machineās behaviour that is unique, either on its own or coupled with other traits. This includes the fact that youāve set your machine up to only connect to specified bridges.
So for example, if youāve set up any kind of repeatable system event, like checking for updates on a particular day at a particular time, then a network observer would expect to see predictable data packets being sent to your custom bridges.
I hope you can see that this is a fingerprint. Not a very conclusive one, but coupled with a few more datapoints, it wouldnāt be that hard to guess where you were on a network.
It is designed to keep your hardware, firmware and drivers from being able to interact directly with any other part of your machine, particularly your userspace applications.
Unless youāve written your own NIC firmware (massive respect if you have), then youāre in the same boat as the rest of us.
sys-net does exactly what itās told. Nothing more. Nothing less.
Itās also designed to not make the LAN IP of the NICs accessible to the AppVMs if they try to ask for it (curious user, malware, etc.).
Generally, no machine will accept unsolicited packets unless theyāve been explicitly instructed to do so.
This is not sarcasm. Iām trying to explain it to you so that you understand what you look like to your ISPā¦
There was a thief who was frustrated that he kept getting caught. He couldnāt figure out why, until one day, he came to the conclusion that he must have been leaving fingerprints everywhere.
So, he decided to burn his fingerprints off.
The rationale was that whenever he robbed a place, he would not leave behind any identifiable information, and he would be able to get away with it.
However, unbeknownst to him, by removing his fingerprints, he became one of the few human beings in existence who did not have fingerprints, and the only one currently known about who was involved in thievery.
And after that, once the police were able to link the āblankā fingerprints to him, he kept getting caught again. He became known as the āno fingerprint guyā.
From then on, literally any time blank fingerprints were discovered at a crime scene, the police would immediately go out and arrest him.
The thief didnāt realise that by removing a trait that everyone else had, he inadvertently made himself more identifiable than ever before.
Just make sure you donāt do that to yourself by only directly communicating to a small subset of IP addresses on specific ports, and nothing else (your custom Tor bridges). Thatās a dead giveaway that youāre communicating to a proxy/relay.
You just have to be aware of what you look like on a network. Thatās all.
3 Likes
Thanks a lot for your response and for explaining this to me so patiently, I really appreciate it!
I just have one more question for clarification:
Are you referring to computer systems in general? I hope not, as Iāve never heard that before. If that were the case, how would Pegasus or other zero-click malware manage to infiltrate a system?
Yes, I am referring to computer systems in general.
(Iām paraphrasing, but the general gist is accurate)
Because those devices actually have been explicitly told to be ready to accept incoming packets of a particular format.
When you figure out what parts of the message go where once it is accepted by the device (parsing), and then what it actually does with those bits of information, you can start to experiment by sending it things that it wouldnāt expect to be there.
The device was just told to take characters 8-24 from a 64-character string of text, and treat it as a command. It canāt think for itself, and wonāt know the difference between THIS:
{sender:'+492345422344';message:'hi!';checksum:'mv $message /data/message_box'}
and THIS:
{sender:'+492345422344';message:'hi!';checksum:'echo root:123456 | chpasswd'}
This is called remote code execution (RCE). It only works because whoever wrote the script that handles and parses incoming messages didnāt restrict what could be put in the values (and should rightly be ashamed of doing so).
Thereās a reason why it works on certain devices, and not on others. If you were to launch this at a completely different device that was not listening for incoming packets, it would respond with this:
1 Like
Right! Thank you for the detailed explanation and valuable insights.
Best regards!
1 Like
We have two situations:
1 sys-net is based on the Fedora template
Will this passive identification of the operating system from TCP/IP packet headers performed by my ISP show the use of Qubes OS or Fedora OS?
2 sys-net is based on the Debian template
Will this passive identification of the operating system from TCP/IP packet headers performed by my ISP show the use of Qubes OS or Debian OS?
This will show up as āLinux packetsā.
As NTP is unencrypted protocol, what would stop the adversaries to intercept and fetch you a ācustomized timeā and track you? The whole infrastructure is in Big Techās hand. Make your own atomic clock, or better, build your own internet if you want to mitigate the privacy implications of NTP requests. 
They could send you a ācustomized timeā, but thatās all.
NTP requests looks likes this:
- [client] what time is it?
- [server] itās XXXXXX Āµs
The client shares no information, even if you lie about the time, this does not permit to track the client because every NTP client is only asking the time, you canāt differentiate one among others, even if they have a wrong local time as they do not share this information in the request.
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Time_Attacks
Clearnet link:
Time Attacks - Whonix
Thanks, this was interesting to read
A ClockVM based on the Kicksecure Template is functional out of the box.
The only requirement is that the ClockVM uses Kicksecure as its Template. For example, if using Qubesā default settings, where ClockVM is set to
sys-netby default andsys-nethas been configured by the user to use thekicksecure-17Template, then ClockVM will be functional out of the box and use sdwdate for clock synchronization
In worst case: your geolocation.
NTP work in way it sync with server with lowest ping, by collecting statistic over time of NTP servers you sync with it possible to set your location up to street/region of specific city.
Your geolocation.
NTP work in way it sync with server with lowest ping, by collecting statistic over time of NTP servers you sync with it possible to set your location up to street/region of specific city.
Only if the geoip DB is correct. I have noticed various web tools often ādetectingā my location by saying I am in cities which are 50-300 km from where I actually am.
Thank you solene for your answer
Iām not a technical user and itās hard for me to understand anything from what other people have written under my post as well as from the links they have placed in the posts under my post. It seems to me that the people writing under my post responded to someone higher, not me.
Thatās why I have one more question for you.
After reading all the posts under my post, as well as checking the links that were placed under my post, do you still think that the passive identification of the operating system based on TCP/IP packet headers made by my ISP will show Linux usage but not indicate a specific distribution (for example, Qubes, Fedora(if sys-net based on the Fedora template), Debian(if sys-net based on the Debian template)?
Thank you again for your help Solene.
If @solene said this, it was a mistake. Itās possible to differentiate
different distributions on the basis of TCP/IP characteristics.
But in most cases someone monitoring at ISP will see traffic coming
from your router, not from your Qubes box. Of course, they could place a
monitor on the router, but thatās a separate level of surveillance.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Thank you for your reply unman.
Could you answer my original question(I quoted them above) ?
Letās assume that I use my own router (not the one received from my ISP).
In order to perform such passive identification of the operating system based on TCP/IP packet headers, would my ISP need to access my router and place monitoring on it?