Hello Alexandre, Am Mo., 14. Jan. 2019, 12:17 hat Alexandre Belgrand < alexandre.belgr...@mailbox.org> geschrieben:
> I am still brooding over before installing Qubes. > I suggest installing Qubes on a second harddrve and give it a try, before "brooding over" it ;-) I think the main question should be against which threats you're trying to protect yourself. Then based on how likely each individual threat is you need to combine different solutions to a package, thinking that Qubes alone will help you is wrong. My first thinking is that since Intel ME backdoors provide full access > to authorities, If this is true this is something which will affect every (!) Operating System. Therefore it is not a Qubes topic, but a preboot/BIOS topic. As you have a X230 you can use Coreboot and overwrite the largest part of the ME which will reduce the risk that the remaining parts will offer a big attack window. Look at this howto how you can coreboot the x230: https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md There is no way we can stop government agencies. > This is true as the government can change the law at any given time. What you can do is to make it as hard as possible to spy on you. But if you are a high profile target there is not much chance that you can protect yourself (IMHO) > research (read 1) shows that Intel ME has access to all parts of a > computer, even switched-off > You can use ME Cleaner to reduce this risk. but I read that on my laptop, a Lenovo Thinkpad X230, it was > impossible to completely remove Intel ME. Intel ME is constantly > monitoring hardware and if it is removed, the computer will reboot > after 30 minutes Not true, if it is done right. So a reasonable approach to me is to rely on a firewall and monitor > incoming and outgoing packets. This can be an additional line of defense. When I discovered Qubes, it caught my eye but ... > (a) It does not protect from Intel ME backdoors. > As stated above this is not something Qubes must address as Qubes is an Operating System. > (b) Has a Linux firewall running on a normal Fedora kernel, not even > compiled statically with a limited number of modules. This firewall can > be replaced with OpenBSD as discussed on the mailing list. > Not sure what this is about as I am not a firewall expert (c) Using Coreboot might be an alternative, but I don't know how secure > is Coreboot against other attacks. > This is something which the folks at the coreboot mailing list can answer (they have been very helpful when I started to get coreboot running). So my first opinion would be that Qubes can only protect against a > simple software attack, not a complex hardware attack. > I don't see why hardware attacks are complex and software attacks are simple? For me the compartilization which Qubes is offering and the Disposable VMs feature together with other actions like running Coreboot, using TOR and a VPN offers the best protection which I can get today (with my limited technical skillset), your mileage may vary. Give it a try. - O -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sS%2BFvz35KwA3C8MtpfzHeW8POVZ-efD%2BdASXRYBhAQtQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
