On 02/01/2017 02:59 PM, Franz wrote:


On Wed, Feb 1, 2017 at 2:34 PM, Chris Laprise <tas...@openmailbox.org> wrote:

    On 02/01/2017 01:16 AM, Franz wrote:



        On Wed, Feb 1, 2017 at 2:13 AM, Chris Laprise
        <tas...@openmailbox.org> wrote:

            On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:

                I keep reading examples where people are using something
                like mobile routers between their phone/computer and public
                wifi spots, example like the blackholecloud
                <https://blackholecloud.com/> device or apparently Mike Perry
                of the tor project told arstechnica
                <https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/>
                that "He suggests leaving the prototype in airplane mode and
                connecting to the Internet through a second, less-trusted
                phone, or a cheap Wi-Fi cell router."


            This is pretty dubious advice. What is to stop an attacker from
            breaking into the mobile router and using that as an attack
            platform to break into your main device? A few minutes...?


        But doesn't a firewall add some additional security? Otherwise
        what is the purpose of having a firewall?


    A layer 3 service cannot protect you against a layer 2 attack.

    Now, if we're going to pretend that NIC-DMA attacks are not a part
    of the threat model, then we can just run a regular OS instead of
    Qubes.

    Router firewalls were a "good" option in 2002, and the word
    "firewall" itself is powerful and insists we place trust in it.
    But it was folly to place trust in network infrastructure in the
    first place and now router-firewalls are popular targets. They
    contain NICs with imperfect and obscure hardware and firmware.


Thanks Chris. Would you think the same of openwrt firmware? Qubes firewall architecture is obviously the way to go. But phones, netbooks etc cannot afford Qubes. While they would deserve some sort of perhaps minor protection.
Best
Fran

I have installed OpenWrt myself. It doesn't have better architecture, but it's open and security updates are more readily available. Beyond that, I haven't thought about better routers in years because I've seen no sign of a breakthrough in architecture, and I've also become more mindful of the maxim that net infrastructure shouldn't be trusted. Endpoint security is the one truly good type of security practice, and Qubes is like the "fine point" on the endpoint. :)

Papers are starting to circulate that call for or describe better security architecture for IoT, including Qubes' approach of isolating NICs and such. To me, IoT is very similar to (if not the same as) net infrastructure, but in smaller packages. The attention gives me reason to hope that even tablets and phones will significantly improve.

But for now, we should remind ourselves that smartphones have one main design goal over other devices: Ultra-convenience. We shouldn't automatically assume they are appropriate for whatever use case, and I find it a little disturbing that the Tor Project's interest in hardware has gone in this direction. But the odd thing about such projects is that they have a history of catering to mostly Windows users and absorb some of the blindness that platform engenders.

Chris
