On 02/01/2017 02:59 PM, Franz wrote:
On Wed, Feb 1, 2017 at 2:34 PM, Chris Laprise <tas...@openmailbox.org> wrote:
On 02/01/2017 01:16 AM, Franz wrote:
On Wed, Feb 1, 2017 at 2:13 AM, Chris Laprise <tas...@openmailbox.org> wrote:
On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:
I keep reading examples where people are using something like
mobile routers between their phone/computer and public wifi
spots, example like the blackholecloud <https://blackholecloud.com/>
device or apparently Mike Perry of the tor project told arstechnica
<https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/>
that "He suggests leaving the prototype in airplane mode and
connecting to the Internet through a second, less-trusted
phone, or a cheap Wi-Fi cell router."
This is pretty dubious advice. What is to stop an attacker from
breaking into the mobile router and using that as an attack
platform to break into your main device? A few minutes...?
But doesn't a firewall add some additional security? Otherwise
what is the purpose of having a firewall?
A layer 3 service cannot protect you against a layer 2 attack.
Now, if we're going to pretend that NIC-DMA attacks are not a part
of the threat model, then we can just run a regular OS instead of
Qubes.
Router firewalls were a "good" option in 2002, and the word
"firewall" itself is powerful and insists we place trust in it.
But it was folly to place trust in network infrastructure in the
first place and now router-firewalls are popular targets. They
contain NICs with imperfect and obscure hardware and firmware.
Thanks Chris. Would you think the same of openwrt firmware? Qubes
firewall architecture is obviously the way to go. But phones, netbooks
etc cannot afford Qubes. While they would deserve some sort of perhaps
minor protection.
Best
Fran
I have installed Openwrt myself. It doesn't have better architecture,
but it's open and security updates are more readily available. Beyond
that, I haven't thought about better routers in years because I've seen
no sign of a breakthrough in architecture, and I've also become more
mindful of the maxim that net infrastructure shouldn't be trusted.
Endpoint security is the one truly good type of security practice, and
Qubes is like the "fine point" on the endpoint. :)
Papers are starting to circulate that call for or describe better
security architecture for IoT, including Qubes' approach of isolating
NICs and such. To me, IoT is very similar to (if not the same as) net
infrastructure, but in smaller packages. The attention gives me reason
to hope that even tablets and phones will significantly improve.
But for now, we should remind ourselves that smartphones have one main
design goal over other devices: Ultra-convenience. We shouldn't
automatically assume they are appropriate for whatever use case, and I
find it a little disturbing that the Tor Project's interest in hardware
has gone in this direction. But the odd thing about such projects is that they
have a history of catering to mostly Windows users and absorb some of
the blindness that platform engenders.
Chris