Wow, what a weird day.

A rather bizarre story, which is possibly a good example as to how Qubes
can help protect you from hacking, or at least spot the effects of it.

I use a sigaint address, because of a psycho ex and her corrupt cop buddies.

Anyhow, I created another sigaint address today, to keep identities
split/anonymous as much as possible, to share with a (supposed :P) friend.

It said it was successfully created, and I logged in to test it.  It was
fine.

Went out for a couple of hours (including giving my buddy, ironically also
a police officer, the email address).

When I returned home, I tried logging in again, but from a different VM. 
Failed repeatedly.  I figured I must have messed up the password.  No luck
trying other possibilities.

Eventually, I tried creating the same email address again, and it worked! 
WTF?

So I tried logging into the sigaint account for *this* address, that I use
with qubes-users.  It also failed repeatedly, until I attempted creating a
new account.  That worked!

Went to the other VM, and the other old account was there.  Two different
views of sigaint, with different accounts with the same name, from two
different VMs!!!

From the VM that let me (re)create the two accounts, I attempted to email
sigaint's support to ask if they were having problems, and that email
repeatedly failed.  So if there is a shadow sigaint on a hacked VM, I'm
suspecting that one.

Where I was on testing, in case there's a dom0 vulnerability, I've
retreated to another OS for now, and I sent the info to sigaint support
with no problem, and this sigaint account and the other one I created seem
to be as expected.

It's entirely possible that sigaint is having server issues, and different
routes through tor hit different load-sharing servers, and it's all
innocent.  But dayum, it seemed odd.

One was a Qubes-Whonix VM, and one was a "torbrowser-launcher" package
from Debian-8 (and qubes 3.2-testing).

The latter (Debian-8/torbrowser-launcher) had JavaScript enabled on some
possibly dodgy sites, which is why it was in its own VM.  That separation
may have paid off on not getting my whole system pwned (yet again).

Creating the new sigaint account from that VM was sloppy, but might have
revealed a hack.  (Again, if it's not an innocent glitch.)

I'll report back when I hear from sigaint (if I'm talking to the real one!
:) ), in case they just had some temporary service issues or something. 
But all signs point to a VM compromise from what I've seen.

Will do a bit of amateur forensics from a safe offline OS tonight to see
if I can spot any weirdness in either of the VMs.

If it was actually compromise of the
Debian-8/3.2-testing/torbrowser-launcher VM, that would mean there's
possibly a 0-day vulnerability in there somewhere (or a boot sector virus,
or a compromised BIOS, or . . .  :P).  I don't think intercepting an
.onion address in the network is possible these days.

If it is a real compromise, it is confirmation that Qubes VM separation is
one of the few hopes for sanity on this crooked thing we call the
Internet.

I think I'll go work in another industry.  This one isn't fun any more.

JJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a0ab6b513f987b00e97594d548a79519.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.