On Thursday, February 2, 2017 at 6:51:19 PM UTC-5, Chris Laprise wrote:
> On 02/01/2017 02:59 PM, Franz wrote:
> >
> >
> > On Wed, Feb 1, 2017 at 2:34 PM, Chris Laprise <tas...@openmailbox.org> wrote:
> >
> >     On 02/01/2017 01:16 AM, Franz wrote:
> >
> >
> >
> >         On Wed, Feb 1, 2017 at 2:13 AM, Chris Laprise
> >         <tas...@openmailbox.org> wrote:
> >
> >             On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:
> >
> >                 I keep reading examples where people are using
> >                 something like mobile routers between their
> >                 phone/computer and public wifi spots, example like the
> >                 blackholecloud <https://blackholecloud.com/> device or
> >                 apparently Mike Perry of the tor project told arstechnica
> >                 <https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/>
> >                 that "He suggests leaving the prototype in airplane mode and
> >                 connecting to the Internet through a second, less-trusted
> >                 phone, or a cheap Wi-Fi cell router."
> >
> >
> >             This is pretty dubious advice. What is to stop an attacker
> >             from breaking into the mobile router and using that as an
> >             attack platform to break into your main device? A few
> >             minutes...?
> >
> >
> >         But doesn't a firewall add some additional security? Otherwise
> >         which is the purpose of having a firewall?
> >
> >
> >     A layer 3 service cannot protect you against a layer 2 attack.
> >
> >     Now, if we're going to pretend that NIC-DMA attacks are not a part
> >     of the threat model, then we can just run a regular OS instead of
> >     Qubes.
> >
> >     Router firewalls were a "good" option in 2002, and the word
> >     "firewall" itself is powerful and insists we place trust in it.
> >     But it was folly to place trust in network infrastructure in the
> >     first place and now router-firewalls are popular targets. They
> >     contain NICs with imperfect and obscure hardware and firmware.
> >
> >
> > Thanks Chris. Would you think the same of openwrt firmware?  Qubes 
> > firewall architecture is obviously the way to go. But phones, netbooks 
> > etc cannot afford Qubes. While they would deserve some sort of perhaps 
> > minor protection.
> > Best
> > Fran
> 
> I have installed OpenWrt myself. It doesn't have better architecture, 
> but it's open and security updates are more readily available. Beyond 
> that, I haven't thought about better routers in years because I've seen 
> no sign of a breakthrough in architecture, and I've also become more 
> mindful of the maxim that net infrastructure shouldn't be trusted. 
> Endpoint security is the one truly good type of security practice, and 
> Qubes is like the "fine point" on the endpoint. :)
> 
> Papers are starting to circulate that call for or describe better 
> security architecture for IoT, including Qubes' approach of isolating 
> NICs and such. To me, IoT is very similar to (if not the same as) net 
> infrastructure, but in smaller packages. The attention gives me reason 
> to hope that even tablets and phones will significantly improve.
> 
> But for now, we should remind ourselves that smartphones have one main 
> design goal over other devices: Ultra-convenience. We shouldn't 
> automatically assume they are appropriate for whatever use case, and 
> I find it a little disturbing that the Tor Project's interest in hardware 
> has gone in this direction. But the odd thing about such projects they 
> have a history of catering to mostly Windows users and absorb some of 
> the blindness that platform engenders.
> 
> Chris

Quote from Chris:
"I find it a little disturbing that the Tor Project's interest in hardware 
has gone in this direction. But the odd thing about such projects they 
have a history of catering to mostly Windows users and absorb some of 
the blindness that platform engenders."

You might want to consider where the majority of the funding for many of the 
most popular privacy and anonymity software comes from... US Gov.  This 
includes Tor.  The same gov that allows NSA surveillance of its own citizens 
and breaking encryption and security schemes within its own countries.  Yet we 
are then supposed to trust its other division NIST that gives us recommendations 
for infosec.  The same NIST that had culpability in the RSA fiasco.

Sorry but IMHO you cannot stick your hand into a pile of doo and then claim 
none of the stink has stuck to you.  When one of, if not your largest grantor 
is a US Gov agency, what well reasoned person in this day and age, knowing what 
we know from all the spilled intel docs, would not expect them to have influence 
of some level over that project it funds???  This is basically the line all of 
these nonprofit software projects are trying to sell us on.  First be the 
opposite of transparent and never under your own volition admit you were taking 
US Gov funds.  Then once found out via FOIA requests claim taking millions from 
what you publicly claim is one of your major adversaries has in no way affected 
or compromised that supposed goal?!?  Who here would believe that if say a 
politician claimed a company that sunk millions to get them elected would not 
have undue influence over the actions of said official?  Seriously!?!?!  There is 
no difference.  Same same


It happens all the time in scientific research.  It's one of the primary reasons 
the first thing seasoned research reviewers do is go right to the funding page 
to see who funded the research so they can assess the possible type and level 
of bias and influence that has been introduced.

A Brief History of the Broadcasting Board of Governors : 
https://pando.com/2015/03/01/internet-privacy-funded-by-spooks-a-brief-history-of-the-bbg/

Article linking the same about TOR with supportive links:  
https://pando.com/2014/12/26/if-you-still-trust-tor-to-keep-you-safe-youre-out-of-your-damn-mind/


Yrs ago I started only using Tor with VPNs as both an inner and outer layer + 
some other opsec protocols as from what I could see Tor itself could not be 
trusted to keep your ID secure.   I have some hope for GNUnet to keep maturing 
to the point where it becomes a replacement or at least Tor can run inside it. 
Jury is still out though.

BTW does anyone find it interesting that every app Snowden recommended using 
in his multiple interviews are all funded by OTF (Open Technology Fund) which is 
a fund of Free Asia Radio which is a subsidiary of BBG (Broadcasting Board of 
Governors) which is a USA quasi agency that gets annual Congressional Budget 
funding of 3/4 of a billion.  All of this coming as a spin off of the CIA Cold 
War psyops American propaganda campaign i.e. freedom radio Free Asia, Free 
Europe, Free etc...  So all those companies from Whisper, TOR, Signal, etc

According to FOIA releases from what I have read in articles Tor has received 
around $5 million over the last 9-10 yrs from BBG and its subsidiary FAR/ OTF.  
It makes you wonder what 5 million dollars buys you in a nonprofit anonymity 
and privacy software project does it not?

IMO US gov wants everyone to be able to have privacy and anonymity from 
everyone EXCEPT itself and maybe, just maybe, its closest allies.  So sure it 
wants these software apps and projects to be good but it also wants to know it 
has control and can see in.  Loss of control = freedom and no government today 
will ever knowingly allow that.  

I was taught to always follow the money to know what you are really dealing 
with. 
