> Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet.
> The Qubes machine is sharing its Internet connection.
> Let's say the Qubes machine gets hit with a DMA attack.
> The 2nd laptop is not a Qubes machine, and therefore doesn't have VT-d for
> DMA protection.
> Can the DMA attack be "carried forward" to the 2nd laptop... or is it
> killed for good by the Qubes machine..?

My take on it:

If the Qubes machine is hit by a DMA attack, it is compromised and could
thus tamper with the forwarded Internet connection however the attacker
desires.  (As well as scraping any credentials you might use in common on
the Qubes box, and carrying out aggressive attacks on anything on your

So a compromised machine couldn't specifically "forward" a DMA attack per
se, but it has full control of the Internet connection and traffic to and
from the laptop.

Any unencrypted net connections could be spied upon, tampered with,
MITM'd, injecting spyware (which may in turn use a DMA attack itself, or
0day exploits, or whatever) into an unencrypted mail/http connection, for

I'd say it's no more risky than what a crooked ISP, a hacked Cable Modem,
or anything else upstream in the net connection could achieve.

Any strongly encrypted connection (Tor, OpenVPN, HTTPS without state-actor
CA certificate tampering/spoofing, etc.) should be safe, other than
potential denial-of-service which would be pretty noticeable.

I would say having the Qubes box between the laptop and the Internet
generally increases the safety of the laptop.

The benefits far outweigh the risks, as long as you don't do most of your
critical browsing/email through unencrypted connections; in which case
you're probably screwed anyway :).

