> Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet. > > The Qubes machine is sharing its Internet connection. > > Let's say the Qubes machine gets hit with a DMA attack. > > The 2nd laptop is not a Qubes machine, and therefore doesn't have VT-D for > DMA protection. > > Can the DMA attack be "carried forward" to the 2nd laptop... or is it > killed for good by the Qubes machine..?
My take on it: If the Qubes machine is hit by a DMA attack, it is compromised and could thus tamper with the forwarded Internet connection however the attacker desires. (As well as scraping any credentials you might use in common on the Qubes box, and carrying out aggressive attacks on anything on your network.) So a compromised machine couldn't specifically "forward" a DMA attack per se, but it has full control of the Internet connection and traffic to and from the laptop. Any unencrypted net connections could be spied upon, tampered with, MITM'd, injecting spyware (which may in turn use a DMA attack itself, or 0day exploits, or whatever) into an unencrypted mail/http connection, for example. I'd say it's no more risky than what a crooked ISP, a hacked Cable Modem, or anything else upstream in the net connection could achieve. Any strongly encrypted connection (Tor, OpenVPN, HTTPS without state-actor CA certificate tampering/spoofing, etc.) should be safe, other than potential denial-of-service which would be pretty noticeable. I would say having the Qubes box between the laptop and the Internet generally increases the safety of the laptop. The benefits far outweigh the risks, as long as you don't do most of your critical browsing/email through unencrypted connections; in which case your probably screwed anyway :). JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bfbc4f1250a9ae5f80d3cc221b6d6ba8.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.