> The "listening" services are less of a concern, since the firewall > wouldn't permit any incoming connections to be passed through to start > with. It's the "phone home" style services, like time sync, Samba name > lookups on microsoft servers, and such, that are more concerning, and > privacy-busting.
The paranoid part of me (which is about 95% of me) half-suspects that NTP is actively monitored by the powers that be, to keep tabs on us security-minded Linux geeks. There's been enough major security bugs in NTP, that one must wonder if they're akin to the heartbleed/rng/SSL/etc. compromises that don't necessarily look like innocent mistakes. Qubes is good at trying to get dom0 to push the time to the VM's by its own means. And if you set the ClockVM to sys-whonix, say, you remove, or at least greatly reduce, the ability of TPTB to track your setting your clock. :) However, as mentioned, the default of using NTP time syncing is enabled by default in the Debian-8 template, which defeats that protection for Debian Appvms, unless you disable it in the template. Just an oversight, I'm sure. (No sarcasm, for once.) My PC's RT clock might drift by a few seconds each week, if that; I'm not sure why time synchronization has to be so damn frequent and aggressive. A red flag for the paranoid. :) I have a RS232 GPS dongle that spits out the time with 1-second accuracy (or atomic-clock level accuracy, if you use the 1-second clock-tick signal available on one of the chips, which I have done, lol). I plan on hooking that up to my Qubes setup in the near future, and disabling network-based clock sync all together. (Until Qubes 4.0 comes out, forces me to upgrade to a newer motherboard with no RS232 support. :) ) Might be a good open-sourced hardware project. I think I've seen some out there already, although not necessarily integrated smoothly into Qubes. Just one more hole to make sure we plug. JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bf7ec94cf1cebb9c873ff1cdb58667bf.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.