Re: [qubes-users] Qubes VM compromised? - Follow up
On Saturday, August 27, 2016 at 2:49:52 PM UTC, johny...@sigaint.org wrote:

> >> Whether using an "isolating proxy" (multiple machines) or not, using a white-listing proxy like Corridor can help ensure all of your traffic passes through Tor (Entry Guard, at least).
> >
> > That's right. Also, using Firefox with those extensions is *not* the same as using Tor Browser:
>
> Understood. I do take a few more precautions (with iptables, bridges, etc.) but Torbrowser certainly does take care of a lot of important things for you.
>
> > https://www.torproject.org/projects/torbrowser/design/
>
> Wow, that's a great resource, thanks!
>
> I think I still prefer to "roll my own" versus using TBB. (And that link is great for tips on doing that.)
>
> There are four (probably reasonable and legitimate) things about TBB (and Tails) that are red flags to my overly-paranoid mind:
>
> 1) Not a problem in Tails (being a bit "read-only"), but the normal Torbrowser Bundle is very stubborn about doing an update check every time it starts. I understand the reasoning behind it, keeping up with 0days as they're discovered, and at least one exploit in the past would have been avoided by anybody who stayed updated.
>
> Sure, notify me, but forcing that "phone home" on every start is a bit too much like MS-style tracking to me.
>
> I could be wrong (I often am), but even turning off the update check in settings didn't seem to work for me. Although I might have screwed up somehow or it might have been an artifact of non-persistence in an AppVM. Having that update check/download on by default, I don't like.
>
> Finding the actual tor browser binary to launch is a major pain. It almost seems intentionally hidden. :)
>
> 2) JavaScript on by default. I understand the convenience for the general public, but TBB isn't really for the general public but the security-conscious. And the security-conscious shouldn't turn on JS unless necessary. (And with Qubes, one can keep their JS-dependent sites to a separate VM, whoohoo!)
>
> In Tails, having JS on plus automatically loading the Tails home page (which could be subverted by someone with CA ability) is a bit of a risk, IMO. To avoid having a JS-enabled load of the Tails home page, you have to start it without networking, disable things, then enable networking. Blah.
>
> 3) Default search engine set to Disconnect.me. And disconnect.me seems to do nothing but redirect your search to duckduckgo. Why are they even in the loop then? Supposedly they financially support the tor project. So a company founded by a former NSA person paid money to be able to capture all the searches that are eventually done by DDG in TBB/Tails. Oky...
>
> Whenever I do launch Torbrowser, the first two things I do are disable global javascript, and change the default search provider.
>
> 4) It's not really fair to include this one, as I have nothing to back it up with, but I remember something in the past that made me a bit uneasy about Torbutton. I'll follow up if I can remember/find my concern.
>
> Interested in hearing others' opinions on those points.
>
> Cheers.
>
> JJ

Those are fair points. In fact, I deal with those complaints every time I install a new Tor Browser.

1. Automated updates: I set it to notify only - just because I don't want to be interrupted / surprised - not because I don't trust TPO or the update process. If you're worried about eavesdropping or metadata scavenging, this is not the same as MS phoning home because you can check the source and build it yourself.

2. Javascript on by default. I turn it off or set security to 'high'.

3. Disconnect.me default search. I change it to something else.

4. Not sure if this is your concern but TorButton works through Tor's Control Port. There exists a Tor control command called GETINFO that will retrieve the real public IP of your Tor client. In Whonix, these commands are filtered by the Control Port Filter Proxy. The control port can optionally be disabled entirely. This approach is much safer than using the Tor Browser Bundle on its own. I don't know how Tails addresses this.

As to your inclination to "roll your own" privacy browser, there are 2 things you might want to consider:

1. In general, security software (and anything involving cryptography) is best tackled as a community. No matter how brilliant you might be, one error is all it takes to render the whole solution dangerous. The more eyes the better.

2. Unless you replicate Tor Browser *exactly* (why roll your own if you're going to do that?), you will likely have a fantastically unique fingerprint that will identify you anywhere you go on the Internet, regardless of however many anonymous proxies you sit behind. Browser fingerprints can not be eliminated completely. Instead of trying to hide, Tor Browser sets a public fingerprint that all users can share. As in #1, having a
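Point 4 above is the one that is easiest to show in code. What follows is an added example, not code from this thread, from Whonix or from Tor: an allow-list filter for Tor control-port requests in the spirit of the Control Port Filter Proxy mentioned above. The allow-list, reply strings and the sample session are constructed for illustration; `GETINFO address` is Tor's real key for the client's public IP, and it is exactly what the filter refuses.

```python
import re

# Constructed allow-list (modelled on, not copied from, the Whonix filter):
# exact (COMMAND, argument) pairs a browser-side controller such as
# Torbutton legitimately needs.  Anything absent is refused, so
# "GETINFO address" (Tor's key for the client's public IP) never reaches
# the real control port.
ALLOWED = {
    ("GETINFO", "status/bootstrap-phase"),
    ("GETINFO", "net/listeners/socks"),
    ("SIGNAL", "NEWNYM"),
}

# One control-port request is a single CRLF-terminated line; the keyword
# is case-insensitive.  Multi-line "+COMMAND" bodies are never on the
# allow-list and are therefore refused before any continuation is read.
_LINE = re.compile(r"^([A-Za-z+]+)(?:[ \t]+(.*))?$")


def parse_command(raw):
    """Split one raw request into (KEYWORD, argument-string).

    Raises ValueError on anything that is not exactly one well-formed line,
    so a client cannot smuggle a second command behind an embedded CR/LF.
    """
    line = raw
    if line.endswith("\r\n"):
        line = line[:-2]
    elif line.endswith("\n"):
        line = line[:-1]
    if "\r" in line or "\n" in line or "\0" in line:
        raise ValueError("embedded line break or NUL")
    m = _LINE.match(line)
    if not m:
        raise ValueError("malformed control command")
    return m.group(1).upper(), (m.group(2) or "").strip()


def decide(raw):
    """Decide what the filter does with one client request.

    Returns ("forward", line) when the request may go to Tor unchanged, or
    ("reply", text) when the filter answers the client itself and Tor never
    sees the request.  Reply codes reuse Tor's own 250/510/552 numbers.
    """
    try:
        keyword, args = parse_command(raw)
    except ValueError:
        return ("reply", "510 Unrecognized command\r\n")

    # The proxy authenticates to Tor with its own cookie, so the client's
    # AUTHENTICATE is acknowledged locally and never forwarded: the browser
    # VM never learns the real control-port credential.
    if keyword == "AUTHENTICATE":
        return ("reply", "250 OK\r\n")
    if keyword == "QUIT":
        return ("reply", "250 closing connection\r\n")

    if keyword == "GETINFO":
        # GETINFO accepts several keys on one line; each must be allowed
        # individually, otherwise "status/bootstrap-phase address" would
        # carry the forbidden key in alongside a permitted one.
        keys = args.split()
        if keys and all(("GETINFO", k) in ALLOWED for k in keys):
            return ("forward", "GETINFO " + " ".join(keys) + "\r\n")
        return ("reply", "552 Unrecognized key\r\n")

    if (keyword, args) in ALLOWED:
        return ("forward", keyword + " " + args + "\r\n")
    return ("reply", "510 Unrecognized command\r\n")


def filter_session(requests):
    """Run a whole constructed client session through the filter and
    return the list of (action, text) decisions, one per request."""
    return [decide(r) for r in requests]


if __name__ == "__main__":
    # Constructed sample session: what a Torbutton-like controller sends,
    # followed by the probes a compromised browser might attempt.
    sample = [
        'AUTHENTICATE "not-the-real-cookie"\r\n',
        "GETINFO status/bootstrap-phase\r\n",
        "SIGNAL NEWNYM\r\n",
        "GETINFO address\r\n",
        "GETINFO status/bootstrap-phase address\r\n",
        "SETCONF SocksPort=0\r\n",
        "GETINFO net/listeners/socks\r\nGETINFO address\r\n",
    ]
    for req, (action, text) in zip(sample, filter_session(sample)):
        print(f"{req.strip()!r:55} -> {action:7} {text.strip()!r}")
```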
Re: [qubes-users] Qubes VM compromised? - Follow up
>> Whether using an "isolating proxy" (multiple machines) or not, using a white-listing proxy like Corridor can help ensure all of your traffic passes through Tor (Entry Guard, at least).
>>
>
> That's right. Also, using Firefox with those extensions is *not* the same as using Tor Browser:

Understood. I do take a few more precautions (with iptables, bridges, etc.) but Torbrowser certainly does take care of a lot of important things for you.

> https://www.torproject.org/projects/torbrowser/design/

Wow, that's a great resource, thanks!

I think I still prefer to "roll my own" versus using TBB. (And that link is great for tips on doing that.)

There are four (probably reasonable and legitimate) things about TBB (and Tails) that are red flags to my overly-paranoid mind:

1) Not a problem in Tails (being a bit "read-only"), but the normal Torbrowser Bundle is very stubborn about doing an update check every time it starts. I understand the reasoning behind it, keeping up with 0days as they're discovered, and at least one exploit in the past would have been avoided by anybody who stayed updated.

Sure, notify me, but forcing that "phone home" on every start is a bit too much like MS-style tracking to me.

I could be wrong (I often am), but even turning off the update check in settings didn't seem to work for me. Although I might have screwed up somehow or it might have been an artifact of non-persistence in an AppVM. Having that update check/download on by default, I don't like.

Finding the actual tor browser binary to launch is a major pain. It almost seems intentionally hidden. :)

2) JavaScript on by default. I understand the convenience for the general public, but TBB isn't really for the general public but the security-conscious. And the security-conscious shouldn't turn on JS unless necessary. (And with Qubes, one can keep their JS-dependent sites to a separate VM, whoohoo!)

In Tails, having JS on plus automatically loading the Tails home page (which could be subverted by someone with CA ability) is a bit of a risk, IMO. To avoid having a JS-enabled load of the Tails home page, you have to start it without networking, disable things, then enable networking. Blah.

3) Default search engine set to Disconnect.me. And disconnect.me seems to do nothing but redirect your search to duckduckgo. Why are they even in the loop then? Supposedly they financially support the tor project. So a company founded by a former NSA person paid money to be able to capture all the searches that are eventually done by DDG in TBB/Tails. Oky...

Whenever I do launch Torbrowser, the first two things I do are disable global javascript, and change the default search provider.

4) It's not really fair to include this one, as I have nothing to back it up with, but I remember something in the past that made me a bit uneasy about Torbutton. I'll follow up if I can remember/find my concern.

Interested in hearing others' opinions on those points.

Cheers.

JJ

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d21ff94ceb2ed97c456bc3e127f1318a.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes VM compromised? - Follow up
> On 25.08.2016 at 21:33, johnyju...@sigaint.org wrote:
>
>> While it's a bit slower, I prefer booting from DVD, a read-only medium.
>
> There are verifiably hardware-controlled (physical switch) unwritable USB storage devices. A bit expensive but you can get one.

I might look into that, it would be a lot more convenient (and faster) than DVD.

In case anyone's not aware, the slider on "secure" digital media cards is just an advisory for the software to not write to the SD card, and not enforced by hardware, so very easy for malware to bypass.

JJ
Re: [qubes-users] Qubes VM compromised? - Follow up
On 25.08.2016 at 21:33, johnyju...@sigaint.org wrote:

> While it's a bit slower, I prefer booting from DVD, a read-only medium.

There are verifiably hardware-controlled (physical switch) unwritable USB storage devices. A bit expensive but you can get one.

Achim
Re: [qubes-users] Qubes VM compromised? - Follow up
On 2016-08-25 21:49, 3n7r0...@gmail.com wrote:

> On Thursday, August 25, 2016 at 7:34:01 PM UTC, johny...@sigaint.org wrote:
>> Setting up Tor and Firefox (with noscript, ssl observatory, adblocker) to use it as a proxy is essentially the same effect as Whonix (or tbb). Even if tor/firefox are on the same vm rather than separated, you're behind sys-net and sys-firewall, so your real world address isn't going to leak.
>>
>
> This is incorrect. The primary motivation for separating the Tor Gateway from the User VM is to prevent a bypass of the Tor proxy. This is one of the main advantages of Whonix / TorVM over Tails. If a packet reaches your destination without having been routed through Tor, it will be stamped with your actual public IP as its source, regardless of how many NATs / firewalls might be involved.
>
> There are real world examples of both malicious and non-malicious cases of Tor circumvention. An example of the former includes the FBI's TBB-targeted NIT, called Magneto. In terms of the latter, inadvertent leaks happen when programs don't respect proxy rules, as has happened with Flash, Skype, Torrents, WebRTC, etc.
>
> Whether using an "isolating proxy" (multiple machines) or not, using a white-listing proxy like Corridor can help ensure all of your traffic passes through Tor (Entry Guard, at least).
>

That's right. Also, using Firefox with those extensions is *not* the same as using Tor Browser:

https://www.torproject.org/projects/torbrowser/design/

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
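The bypass described in the quoted text above (a packet that leaves the machine without ever entering Tor) is what a Corridor-style whitelisting gateway is built to catch: it only lets traffic out to relay ORPorts taken from the Tor consensus. Below is an added example, not code from this thread or from the Corridor project: it parses a constructed consensus excerpt, builds the set of permitted endpoints, and classifies sample outbound flows at the gateway, dropping and reporting anything not headed for a listed relay. Relay names, fingerprints, addresses and the flow records are invented.

```python
import ipaddress
import re

# Constructed excerpt of a Tor network-status consensus (relay names,
# fingerprints and addresses are invented).  A real consensus describes
# each relay with an "r" line,
#   r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
# followed by an "s" line listing its flags.
SAMPLE_CONSENSUS = """\
r ExampleGuard AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-08-25 12:00:00 198.51.100.10 9001 9030
s Fast Guard Running Stable Valid
r ExampleMiddle CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-08-25 12:00:00 203.0.113.7 443 0
s Fast Running Valid
r ExampleExit EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2016-08-25 12:00:00 192.0.2.99 9001 0
s Exit Fast Running Valid
"""

_R_LINE = re.compile(
    r"^r (?P<nick>\S+) \S+ \S+ \S+ \S+ (?P<ip>\S+) (?P<orport>\d+) \d+$"
)


def parse_relays(consensus_text):
    """Return a list of (nickname, ip, orport, flags) from the consensus.

    Only the "r"/"s" pair is consulted; every other line is ignored.
    A malformed "r" line raises ValueError instead of being skipped, so a
    damaged consensus cannot silently shrink the allow-list.
    """
    relays = []
    current = None
    for line in consensus_text.splitlines():
        if line.startswith("r "):
            m = _R_LINE.match(line)
            if not m:
                raise ValueError("malformed r line: " + line)
            current = [m["nick"], ipaddress.ip_address(m["ip"]),
                       int(m["orport"]), set()]
            relays.append(current)
        elif line.startswith("s ") and current is not None:
            current[3] = set(line.split()[1:])
    return [tuple(r) for r in relays]


def build_allowlist(relays, guards_only=False):
    """Set of (ip, port) endpoints the client side may talk to directly.

    guards_only is a constructed tightening of the policy: a client that
    only ever opens circuits through its entry guards needs nothing else.
    """
    return {(ip, port) for _, ip, port, flags in relays
            if not guards_only or "Guard" in flags}


def classify_flow(allowlist, proto, dst_ip, dst_port):
    """Verdict for one outbound flow seen at the gateway.

    Everything that is not TCP to a listed (ip, ORPort) pair is treated as
    a leak: a direct HTTPS fetch by a pwned browser, a UDP STUN probe from
    WebRTC, a plain DNS query.  Such flows are dropped and reported.
    """
    dst = ipaddress.ip_address(dst_ip)
    if proto == "tcp" and (dst, dst_port) in allowlist:
        return "allow"
    return "drop"


def audit_flows(allowlist, flows):
    """Run constructed flow records through the policy and return one
    (verdict, description) per flow so that dropped flows can be logged."""
    report = []
    for proto, dst_ip, dst_port, comment in flows:
        verdict = classify_flow(allowlist, proto, dst_ip, dst_port)
        report.append((verdict, f"{proto} -> {dst_ip}:{dst_port} ({comment})"))
    return report


# Constructed outbound flows as a Corridor-style gateway would see them.
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.10", 9001, "tor client to its entry guard"),
    ("tcp", "203.0.113.7", 443, "tor client to a relay listening on 443"),
    ("tcp", "203.0.113.200", 443, "browser fetching a what-is-my-ip site directly"),
    ("udp", "192.0.2.53", 53, "plain DNS query"),
    ("udp", "198.51.100.10", 3478, "STUN probe: guard's IP, but UDP"),
]

if __name__ == "__main__":
    allow = build_allowlist(parse_relays(SAMPLE_CONSENSUS))
    for verdict, desc in audit_flows(allow, SAMPLE_FLOWS):
        print(f"{verdict:5} {desc}")
```

Note that port 443 alone says nothing: the relay on 203.0.113.7:443 is allowed and the direct fetch to 203.0.113.200:443 is dropped, because the decision is made on the (address, ORPort) pair from the consensus, not on the port.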
Re: [qubes-users] Qubes VM compromised? - Follow up
johnyju...@sigaint.org:
>
>> I just use Whonix within Qubes and I like it. I'm glad it comes out of the box since 3.1
>
> I've retreated to only using Fedora. Setting up Tor and Firefox (with noscript, ssl observatory, adblocker) to use it as a proxy is essentially the same effect as Whonix (or tbb). Even if tor/firefox are on the same vm rather than separated, you're behind sys-net and sys-firewall, so your real world address isn't going to leak. Another two VM's on top of that (whonix-gw and whonix-ws) is a bit of overkill IMO, and a memory pig.

Running Tor in the same VM as the browser won't keep your public IP from leaking to the same extent as using Whonix. For example, if Firefox gets pwned, it can simply generate a request to whatismyip.com without going through Tor, and then send the result to whoever it likes. (Unless I'm misunderstanding what you're doing.)

Cheers,
-Jeremy Rand
Re: [qubes-users] Qubes VM compromised?
> On 08/23/2016 07:25 PM, Chris Laprise wrote:
>> What threat model does this fit? If a skilled attacker tricks you into thinking you created an account at sigaint, but you later cannot use it... what is the advantage of that? The possible gain seems to be little or nothing.
>
> Well, (s)he has changed all its passwords. Tricking someone into changing all passwords has been done before.

Indeed. Psychological harassment can often be the goal, not necessarily theft of credentials. (There's nothing left to take, in my case, lol.)

And when I said I had a psycho ex, I truly meant that she has truly shown all the signs of being a textbook psychopath or sociopath, and invested heavily in having me harassed online. (I don't think she's a genius hacker herself, lol.)

When you're dealing with a psycho/socio-path, logic and rationality don't always factor into things, which can be hard to get your head around at times. Sheer destruction can be the goal (in her case, a stated goal).

That being said, I can believe that the recent password weirdness was probably PayPal anti-fraud mechanisms being careful (or confused) with Tor. (I'd say it could also be someone trying to grab all credentials from a dodgy exit node, but the fact I saw the SSL lock/certificate and the real PayPal URL makes me doubtful, unless the browser was compromised and lying.)

Part of the leverage of psychological harassment is that you start seeing unrelated screwups as part of the harassment. It's good to be careful to try and separate the two. Not always easy.

Cheers. :)

JJ
Re: [qubes-users] Qubes VM compromised? - Follow up
> I am too paranoid for using tails other than the recommended method (two usb drives updating each other - I have two pairs of three).

Not aware of the two drive method. Is that just updating to the next version from the previous version, onto another USB drive?

While it's a bit slower, I prefer booting from DVD, a read-only medium. (A bit of a pain to update, having to boot to a USB stick to write the newer version, but it has to be done infrequently.) There's peace of mind in a true read-only medium, that you keep with you.

> I just use Whonix within Qubes and I like it. I'm glad it comes out of the box since 3.1

I've retreated to only using Fedora. Setting up Tor and Firefox (with noscript, ssl observatory, adblocker) to use it as a proxy is essentially the same effect as Whonix (or tbb). Even if tor/firefox are on the same vm rather than separated, you're behind sys-net and sys-firewall, so your real world address isn't going to leak. Another two VM's on top of that (whonix-gw and whonix-ws) is a bit of overkill IMO, and a memory pig.

(I've wondered if it might be more natural to have tor running in sys-firewall; it is kind of a fire-wall-ish thing. But having the firewall separate is a nice additional barrier in case of compromise.)

> Also, I would never use tor for banking, unless the banking wouldn't involve my real world name - understand that one how you want.

Yeah, exit nodes are too scary. Okay to reduce cyberstalkers, but for financial transactions, it seems a bit risky unless you got a solid HTTPS connection (and trust the govt and crooks not to abuse CA's; I guess that's not something seen in the wild much. For a high value target, maybe; for someone being harassed by an ex, less likely.)

JJ
Re: [qubes-users] Qubes VM compromised? - Follow up
On 08/25/2016 01:54 AM, johnyju...@sigaint.org wrote:

> (Although accepting the password change on a Tor exit, and then refusing that on a non-Tor https: connection was rather weird. Would they silently fail a password change? Oh well, I won't stress over it, but will keep a close eye on things, for sure. Ever vigilant...)

Not weird at all, could be just the lag between the red flag raising for a given account (yours) and someone manually deciding to block your account "for security reasons" - read that as: "we crap our pants when we see tor, and we rather block your legitimate attempt to login than risk accepting a real world account hijacking".

> Worst case, I could (and have successfully) just run Tails inside Qubes, and it should be no worse (safer, actually) than Tails standalone, for banking or email. (I was reading that the IOMMU protection prevents DMA attacks, which is sweet.)

I am too paranoid for using tails other than the recommended method (two usb drives updating each other - I have two pairs of three).

I just use Whonix within Qubes and I like it. I'm glad it comes out of the box since 3.1

Also, I would never use tor for banking, unless the banking wouldn't involve my real world name - understand that one how you want.
Re: [qubes-users] Qubes VM compromised?
On 08/23/2016 07:25 PM, Chris Laprise wrote:

> What threat model does this fit? If a skilled attacker tricks you into thinking you created an account at sigaint, but you later cannot use it... what is the advantage of that? The possible gain seems to be little or nothing.

Well, (s)he has changed all its passwords. Tricking someone into changing all passwords has been done before.
Re: [qubes-users] Qubes VM compromised? - Follow up
> My guess is that Paypal is giving you a hard time just because of the tor exits you use to interact with their website.

Could be. At first I didn't see how/why, but I guess refusing a legit password from what they judge as a dodgy IP address is a possibility.

(Although accepting the password change on a Tor exit, and then refusing that on a non-Tor https: connection was rather weird. Would they silently fail a password change? Oh well, I won't stress over it, but will keep a close eye on things, for sure. Ever vigilant...)

> So it seems to me all that you are saying is really related to using tor via sys-whonix or manually through the traditional means.

Yes. I guess it really isn't necessarily anything to do with Qubes, unless there is some dom0 compromise somewhere. That's probably pretty unlikely, and I've only seen weirdness in Tor-based VM's, so I won't give up on Qubes.

I've been using Tails for awhile, and never had strangeness like this; but the new factors aren't necessarily Qubes, but the TorBrowser bundle (not the Tails-reviewed/tested one) and Whonix.

Worst case, I could (and have successfully) just run Tails inside Qubes, and it should be no worse (safer, actually) than Tails standalone, for banking or email. (I was reading that the IOMMU protection prevents DMA attacks, which is sweet.)

> The sigaint episode is easily explained through the e-mail you provided.

Certainly.

> But yes, the Paranoia is our shepherd and nothing shall lack. Paranoia is what justifies the development of an operational system of this nature, it shall never die.

Beautiful. I think I'll put that on a plaque for my wall. Respect for paranoia, awesome.

I guess a mailing list for a security-focused operating system is a bit more sympathetic to my concerns than the general public. Feels like home, man. :) If I tell family and friends about the sad state of computer/network security these days, the hacks I've seen, and the Snowden stuff, they think I'm bonkers.

Now why I didn't receive your response (posted a few hours ago) via email but only see it on the Google Group's page. . . I'll just assume SIGAINT is still dealing with some capacity issues. :) (I wonder if their surge in signups is possibly a denial of service. They've been targeted with at least one significant exit-node attack in the past. https://lists.torproject.org/pipermail/tor-talk/2015-April/037549.html )

Thanks for your reply.

JJ
Re: [qubes-users] Qubes VM compromised? - Follow up
My guess is that Paypal is giving you a hard time just because of the tor exits you use to interact with their website.

So it seems to me all that you are saying is really related to using tor via sys-whonix or manually through the traditional means.

The sigaint episode is easily explained through the e-mail you provided.

But yes, the Paranoia is our shepherd and nothing shall lack. Paranoia is what justifies the development of an operational system of this nature, it shall never die.
Re: [qubes-users] Qubes VM compromised?
>> On 08/23/2016 06:01 PM, johnyju...@sigaint.org wrote:
>>> Wow, what a weird day.
>>>
>>> A rather bizarre story, which is possibly a good example as to how Qubes can help protect you from hacking, or at least spot the effects of it.
>>
>> What threat model does this fit? If a skilled attacker tricks you into thinking you created an account at sigaint, but you later cannot use it... what is the advantage of that? The possible gain seems to be little or nothing.

Oh, I should add, that on the dodgy VM, I tried accessing a few different onion addresses, and they all failed. But cleartext http sites worked fine.

Once again, maybe just a technical glitch, but combined with the other weirdness, one has to wonder, and follow up a bit.

It reminded me of awhile back, when I downloaded from (presumably) the Apple store, a Tor browser/Onion browser. In viewing the actual traffic on the network coming from the iphone, the first few pages it loaded went over tor, then the rest went cleartext over the Internet. Innocent screwup, or malware?

After awhile, one would be a bit stupid not to wonder a bit. I hope you never have to deal with it. :)

Cheers.

JJ
Re: [qubes-users] Qubes VM compromised?
On 08/23/2016 06:01 PM, johnyju...@sigaint.org wrote:
> Wow, what a weird day.
>
> A rather bizarre story, which is possibly a good example as to how Qubes can help protect you from hacking, or at least spot the effects of it.

What threat model does this fit? If a skilled attacker tricks you into thinking you created an account at sigaint, but you later cannot use it... what is the advantage of that? The possible gain seems to be little or nothing.

It sounds like the sigaint server has bugs triggered by some variable, such as tor/IP origin, lack of javascript, or signing in with a new cookie right after you created the account (also with a new/different cookie), etc.

One thing that seems missing from your description is whether you stuck to https for security... Tor exit nodes are really frightful.

Chris
[qubes-users] Qubes VM compromised?
Wow, what a weird day.

A rather bizarre story, which is possibly a good example as to how Qubes can help protect you from hacking, or at least spot the effects of it.

I use a sigaint address, because of a psycho ex and her corrupt cop buddies.

Anyhow, I created another sigaint address today, to keep identities split/anonymous as much as possible, to share with a (supposed :P) friend. It said it was successfully created, and I logged in to test it. It was fine.

Went out for a couple of hours (including giving my buddy, ironically also a police officer, the email address).

When I returned home, I tried logging in again, but from a different VM. Failed repeatedly. I figured I must have messed up the password. No luck trying other possibilities.

Eventually, I tried creating the same email address again, and it worked! WTF?

So I tried logging into the sigaint account for *this* address, that I use with qubes-users. It also failed repeatedly, until I attempted creating a new account. That worked!

Went to the other VM, and the other old account was there. Two different views of sigaint, with different accounts with the same name, from two different VMs!!!

From the VM that let me (re)create the two accounts, I attempted to email sigaint's support to ask if they were having problems, and that email repeatedly failed. So if there is a shadow sigaint on a hacked VM, I'm suspecting that one.

Where I was on testing, in case there's a dom0 vulnerability, I've retreated to another OS for now, and I sent the info to sigaint support with no problem, and this sigaint account and the other one I created seem to be as expected.

It's entirely possible that sigaint is having server issues, and different routes through tor hit different load-sharing servers, and it's all innocent. But dayum, it seemed odd.

One was a Qubes-Whonix VM, and one was a "torbrowser-launcher" package from Debian-8 (and qubes 3.2-testing). The latter (Debian-8/torbrowser-launcher) had JavaScript enabled on some possibly dodgy sites, which is why it was in its own VM. That separation may have paid off on not getting my whole system pwned (yet again). Creating the new sigaint account from that VM was sloppy, but might have revealed a hack. (Again, if it's not an innocent glitch.)

I'll report back when I hear from sigaint (if I'm talking to the real one! :) ), in case they just had some temporary service issues or something. But all signs point to a VM compromise from what I've seen. Will do a bit of amateur forensics from a safe offline OS tonight to see if I can spot any weirdness in either of the VM's.

If it was actually compromise of the Debian-8/3.2-testing/torbrowser-launcher VM, that would mean there's possibly a 0-day vulnerability in there somewhere (or a boot sector virus, or a compromised bios, or . . . :P). I don't think intercepting an .onion address in the network is possible these days.

If it is a real compromise, it is confirmation that Qubes VM separation is one of the few hopes for sanity on this crooked thing we call the Internet.

I think I'll go work in another industry. This one isn't fun any more.

JJ