Re: [qubes-users] More information needed about Qubes security

2019-01-14 Thread Chris Laprise

On 01/14/2019 06:17 AM, Alexandre Belgrand wrote:

Hello,

I am still brooding over before installing Qubes.

My first thinking is that since Intel ME backdoors provide full access
to authorities, there is no way we can stop government agencies. Recent
research (read 1) shows that Intel ME has access to all parts of a
computer, even switched-off.

This is not an NSA problem. If the NSA can do it, then any government
agency including the Chinese, the Russians, the Germans, the French,
India, etc .. can break into anyone's computer.

Intel ME even includes a VNC server (VNC is crap), which should be able
to display dom0. Intel ME has direct access to network cards and
connections are routed to the Intel ME before they reach the network
stack. Therefore, network connections from intruders should be
invisible to dom0 and other qubes.

There is also the alternative to switch to Coreboot and try to disable
Intel ME. But I read that on my laptop, a Lenovo Thinkpad X230, it was
impossible to completely remove Intel ME. Intel ME is constantly
monitoring hardware and if it is removed, the computer will reboot
after 30 minutes. In the X230 legacy bios, I disabled Intel ME
completely, but a test in Gnu/linux shows it is still active.

Also, when installing Coreboot, I lose Lenovo's frequent BIOS updates,
and I am not very sure to be protected against Intel Meltdown and
Spectre.

So a reasonable approach to me is to rely on a firewall and monitor
incoming and outgoing packets. Network surveillance is IMHO the only
way to discover an attack. I am using PC Engines APU with coreboot and
open hardware, which is the best I can find in my price range.

Network surveillance is how I discovered last time that my computer had
been hacked, when I saw packets flowing to China.


A lot of Qubes users have come to similar breaking points about computer 
security. We recognize the severity of the situation but refuse to be 
debilitated by it.




Since then, now I keep no personal document on a computer.

When I discovered Qubes, it caught my eye but ...
(a) It does not protect from Intel ME backdoors.


Since Qubes offers some protection against hardware, many discussions 
were had in Qubes' earlier days about the scope of that protection. IIRC 
the consensus was that nothing could be done in the near future about 
Intel/AMD's position and it was best to reduce the number of trusted 
components/vendors to as few as possible. That means the CPU is the 
hardware focus of trust for Qubes, with the goal of reducing it to the 
CPU only.


More realistically, the keyboard and graphics must be trusted as well. 
That is still a small set of trusted components.


The only hardware alternative that has emerged is OpenPOWER CPUs because 
they're an open source design and have no ME-like infrastructure. 
Unfortunately, no Qubes-like OS currently runs on it.



(b) Has a Linux firewall running on a normal Fedora kernel, not even
compiled statically with a limited number of modules. This firewall can
be replaced with OpenBSD as discussed on the mailing list.

Fedora is an issue because it's vulnerable to manipulation by recently 
patched bugs. However, Debian is available and is more secure. There is 
also a unikernel firewall available for a bare minimum system footprint.


OTOH, the firewall is the one application I don't worry about too much 
because by nature it's fairly low-risk.




(c) Using Coreboot might be an alternative, but I don't know how secure
is Coreboot against other attacks.


You may want to ask their mailing list about that. I think their main 
threat model is avoiding mishaps in the system firmware that otherwise 
could be fixed or prevented in an open source setting.




So my first opinion would be that Qubes can only protect against a
simple software attack, not a complex hardware attack.


I would think that most complex software attacks would also fail on 
Qubes. But there is not much reporting on this topic except that 
researchers occasionally mention Qubes in a positive light when they 
announce new vulnerabilities affecting popular operating systems.




What's interesting in Qubes is that :
(d) It has reasonable defense in depth, at the scale of today's
hardware.


I'm not sure that term even applies here. Qubes isolates anything that 
carries substantial risk using a small 1MB hypervisor called Xen... 
everything hinges on it. Linux or Windows or whatever can do their thing 
within VMs to provide features, but as far as security goes they have 
been demoted.



(e) It has good privacy protection. For example, it can protect me and
my family when surfing on Internet and keep my data private.

If you can tell me anything more about Qubes security, I am really
interested. I am still waiting for more information before stepping on.


Check out Joanna's blog at Invisible Things Lab. Lots of Qubes' DNA is 
there.




(1) What we have learned about Intel ME
http://blog.ptsecurity.com/2018/11/what-we-have-learned-about-intel-me.html
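The "network surveillance" approach Alexandre describes above (watching egress and spotting flows to places that have no business being contacted) can be made concrete. The following is an added example, not code from either poster or from the Qubes project: it parses constructed netfilter-style log lines, checks each outbound flow against an assumed per-qube egress allowlist, and separately looks for destinations contacted at a near-constant interval, which is the signature of call-home traffic. The log format, the 10.137.x/10.139.x addresses, the allowlist entries and every destination are constructed for the example.

```python
"""Egress review over firewall log lines.

Added example: the log format, addresses and allowlist below are all
constructed, not taken from Qubes or from the posters in this thread."""
import ipaddress
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, loosely modelled on netfilter LOG output. 10.137.0.12
# stands for an AppVM, 10.139.1.1 for the upstream NetVM's DNS (assumed).
SAMPLE_LOG = """\
1547452801 OUT SRC=10.137.0.12 DST=93.184.216.34 PROTO=TCP DPT=443
1547452802 OUT SRC=10.137.0.12 DST=10.139.1.1 PROTO=UDP DPT=53
1547452805 OUT SRC=10.137.0.12 DST=203.0.113.77 PROTO=TCP DPT=8443
1547452865 OUT SRC=10.137.0.12 DST=203.0.113.77 PROTO=TCP DPT=8443
1547452925 OUT SRC=10.137.0.12 DST=203.0.113.77 PROTO=TCP DPT=8443
1547452985 OUT SRC=10.137.0.12 DST=203.0.113.77 PROTO=TCP DPT=8443
1547452990 IN  SRC=93.184.216.34 DST=10.137.0.12 PROTO=TCP SPT=443
1547453000 OUT SRC=10.137.0.12 DST=198.51.100.9 PROTO=TCP DPT=22
garbage line that a real log would also contain
"""

# Assumed egress policy for the AppVM: (destination network, protocol, port).
# Anything outbound that matches none of these is worth a look.
ALLOWLIST = [
    ("10.139.1.0/24", "UDP", 53),     # DNS to the NetVM (assumed range)
    ("0.0.0.0/0", "TCP", 443),        # HTTPS to anywhere
    ("198.51.100.0/24", "TCP", 22),   # SSH to a known admin network (constructed)
]

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<dir>IN|OUT)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r"\s+PROTO=(?P<proto>\S+)(?:\s+DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """Turn log text into flow dicts; lines that do not parse are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": int(m["ts"]), "dir": m["dir"], "src": m["src"],
            "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
        })
    return flows


def is_allowed(flow, allowlist):
    """True if some allowlist entry covers this flow's destination/proto/port."""
    dst = ipaddress.ip_address(flow["dst"])
    return any(
        flow["proto"] == proto and flow["dpt"] == port
        and dst in ipaddress.ip_network(net)
        for net, proto, port in allowlist
    )


def find_unexpected_egress(text, allowlist=ALLOWLIST):
    """Outbound flows the policy does not explain (inbound lines are ignored)."""
    return [f for f in parse_log(text)
            if f["dir"] == "OUT" and not is_allowed(f, allowlist)]


def find_beacons(flows, min_count=3, max_jitter=5.0):
    """Destinations contacted at a near-constant interval: {(dst, port): gap}.

    Regular call-home traffic is what shows up as "packets flowing" to an
    unexpected place; a single flow or raw volume alone does not reveal it."""
    by_dest = defaultdict(list)
    for f in flows:
        if f["dir"] == "OUT":
            by_dest[(f["dst"], f["dpt"])].append(f["ts"])
    beacons = {}
    for key, stamps in by_dest.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons[key] = mean(gaps)
    return beacons


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f"unexpected egress: {f['src']} -> {f['dst']}:{f['dpt']}/{f['proto']}")
    for (dst, port), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {dst}:{port} every ~{gap:.0f}s")
```

On the sample, the four 8443 connections are flagged twice over: they match no allowlist entry, and they recur every 60 seconds. In a Qubes setup the natural place to collect such lines is the NetVM or firewall qube, where every AppVM's traffic passes, so a compromised AppVM cannot quietly edit the log that records its own egress.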

Re: [qubes-users] More information needed about Qubes security

2019-01-14 Thread Achim Patzner
On 20190114 at 07:16 -0500 Chris Laprise wrote:
> The only hardware alternative that has emerged is OpenPOWER CPUs because 
> they're an open source design and have no ME-like infrastructure. 
> Unfortunately, no Qubes-like OS currently runs on it.

That's not quite true; you can do something very Qubes-alike on it but
it would cost you an arm and a leg because you would have to license an
IBM hypervisor to do so. LPAR would definitely give you an adequate
environment to implement a similar setup.

And yes, I've seen it done already.

Although if I really had to start from scratch I would probably
reinvent OS/400 with a focus on security.


Achim

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/357e9f114462344faee178445dab07a919a57f97.camel%40noses.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] More information needed about Qubes security

2019-01-14 Thread Alexandre Belgrand
On Monday, 14 January 2019 at 07:16 -0500, Chris Laprise wrote:
> Check out Joanna's blog at Invisible Things Lab. Lots of Qubes' DNA
> is 
> there.

Got it, thanks: Intel x86 considered harmful
https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf



Re: [qubes-users] More information needed about Qubes security

2019-01-14 Thread 799
Hello Alexandre,

On Mon, 14 Jan 2019, 12:17, Alexandre Belgrand <
alexandre.belgr...@mailbox.org> wrote:

> I am still brooding over before installing Qubes.
>

I suggest installing Qubes on a second hard drive and giving it a try, before
"brooding over" it ;-)
I think the main question should be against which threats you're trying to
protect yourself.
Then, based on how likely each individual threat is, you need to combine
different solutions into a package; thinking that Qubes alone will help you
is wrong.

> My first thinking is that since Intel ME backdoors provide full access
> to authorities,

If this is true this is something which will affect every (!) Operating
System. Therefore it is not a Qubes topic, but a preboot/BIOS topic.
As you have an X230 you can use Coreboot and overwrite the largest part of
the ME, which will reduce the risk that the remaining parts will offer a big
attack window.
Look at this howto on how you can coreboot the X230:
https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md

> There is no way we can stop government agencies.

This is true as the government can change the law at any given time. What
you can do is to make it as hard as possible to spy on you.
But if you are a high profile target there is not much chance that you can
protect yourself (IMHO).

> research (read 1) shows that Intel ME has access to all parts of a
> computer, even switched-off

You can use ME Cleaner to reduce this risk.


> but I read that on my laptop, a Lenovo Thinkpad X230, it was
> impossible to completely remove Intel ME. Intel ME is constantly
> monitoring hardware and if it is removed, the computer will reboot
> after 30 minutes


Not true, if it is done right.

> So a reasonable approach to me is to rely on a firewall and monitor
> incoming and outgoing packets.


This can be an additional line of defense.

> When I discovered Qubes, it caught my eye but ...
> (a) It does not protect from Intel ME backdoors.

As stated above this is not something Qubes must address as Qubes is an
Operating System.

> (b) Has a Linux firewall running on a normal Fedora kernel, not even
> compiled statically with a limited number of modules. This firewall can
> be replaced with OpenBSD as discussed on the mailing list.

Not sure what this is about as I am not a firewall expert.

> (c) Using Coreboot might be an alternative, but I don't know how secure
> is Coreboot against other attacks.

This is something which the folks at the coreboot mailing list can answer
(they have been very helpful when I started to get coreboot running).

> So my first opinion would be that Qubes can only protect against a
> simple software attack, not a complex hardware attack.

I don't see why hardware attacks are complex and software attacks are
simple.

For me the compartmentalization which Qubes is offering and the Disposable VMs
feature together with other actions like running Coreboot, using Tor and a
VPN offers the best protection which I can get today (with my limited
technical skillset); your mileage may vary.

Give it a try.

- O



Re: [qubes-users] More information needed about Qubes security

2019-01-15 Thread Maillist
Hello, I'd suggest configuring coreboot so you can update it internally
with the latest microcode updates. Just make sure it's correctly
configured to only accept updates signed by yourself.

Coreboot can/will improve your security by a lot even with the IME
untouched, for a number of reasons; personally, I would consider a
proprietary BIOS or central BIOS blobs a much higher risk than an untouched
Intel ME.

I really don't want to defend the Intel ME or AMD PSP (I'd never use a
computer with newer ME versions), but in comparison, this whole ME thing
is a bit blown out of proportion. There are bigger issues with recent
hardware.

Also, while you're right about the Intel ME, the ME version on the X230
can be reduced to the minimal amount of blobs, and more importantly,
contrary to newer versions, it shuts down / is only active in the very first
stages of the boot process, thus providing a significant security benefit.

I suggest also checking out Raptor Engineering; it's completely free and
real open source hardware, although unfortunately it's not possible to use
with Qubes (yet?).

It's really awesome hardware, and one could even build a poor man's Qubes
OS with OpenBSD.

cheers


On 1/14/19 12:17 PM, Alexandre Belgrand wrote:

> Hello,
>
> I am still brooding over before installing Qubes.
>
> My first thinking is that since Intel ME backdoors provide full access
> to authorities, there is no way we can stop government agencies. Recent
> research (read 1) shows that Intel ME has access to all parts of a
> computer, even switched-off. 
>
> This is not an NSA problem. If the NSA can do it, then any government
> agency including the Chinese, the Russians, the Germans, the French,
> India, etc .. can break into anyone's computer.
>
> Intel ME even includes a VNC server (VNC is crap), which should be able
> to display dom0. Intel ME has direct access to network cards and
> connections are routed to the Intel ME before they reach the network
> stack. Therefore, network connections from intruders should be
> invisible to dom0 and other qubes.
>
> There is also the alternative to switch to Coreboot and try to disable
> Intel ME. But I read that on my laptop, a Lenovo Thinkpad X230, it was
> impossible to completely remove Intel ME. Intel ME is constantly
> monitoring hardware and if it is removed, the computer will reboot
> after 30 minutes. In the X230 legacy bios, I disabled Intel ME
> completely, but a test in Gnu/linux shows it is still active.
>
> Also, when installing Coreboot, I lose Lenovo's frequent BIOS updates,
> and I am not very sure to be protected against Intel Meltdown and
> Spectre.
>
> So a reasonable approach to me is to rely on a firewall and monitor
> incoming and outgoing packets. Network surveillance is IMHO the only
> way to discover an attack. I am using PC Engines APU with coreboot and
> open hardware, which is the best I can find in my price range.
>
> Network surveillance is how I discovered last time that my computer had
> been hacked, when I saw packets flowing to China. 
>
> Since then, now I keep no personal document on a computer. 
>
> When I discovered Qubes, it caught my eye but ...
> (a) It does not protect from Intel ME backdoors.
> (b) Has a Linux firewall running on a normal Fedora kernel, not even
> compiled statically with a limited number of modules. This firewall can
> be replaced with OpenBSD as discussed on the mailing list.
> (c) Using Coreboot might be an alternative, but I don't know how secure
> is Coreboot against other attacks.
>
> So my first opinion would be that Qubes can only protect against a
> simple software attack, not a complex hardware attack.
>
> What's interesting in Qubes is that :
> (d) It has reasonable defense in depth, at the scale of today's
> hardware.
> (e) It has good privacy protection. For example, it can protect me and
> my family when surfing on Internet and keep my data private.
>
> If you can tell me anything more about Qubes security, I am really
> interested. I am still waiting for more information before stepping on.
>
> (1) What we have learned about Intel ME
> http://blog.ptsecurity.com/2018/11/what-we-have-learned-about-intel-me.html
>
