Patrik Hagara: > On 07/21/2017 04:05 PM, Patrik Hagara wrote: >>> Qubes is still worth it anyway, and I can always copy files over >>> to my other machine via USB stick when I need to print >>> something. > > This might be a pretty nice attack vector for the "other machine" to > compromise your Qubes system. > > Say you buy (assumed clean) USB stick, connect it to your Qubes system > (which is not using USB VM), format it and copy some documents to > it... Then you plug the stick into your non-Qubes system and print the > docs. That machine might be infected and in turn infect the USB stick. > Now the next time you connect it to your Qubes system, it gets > infected as well. > > Game over. > > Please note that this scenario is not at all far-fetched -- malware > routinely spreads via removable media. Plus, it's the perfect way of > bridging air-gaps (see eg. Stuxnet for a high-profile malware example). > > This might make you think really hard about the trade-offs between > keyboard/mouse security (detailed in my previous e-mail) and not > having an USB VM at all. > > > Cheers, > Patrik
Yep that's definitely a concern. And usb sticks can be compromised straight out of the box even. Clearly the ideal solution is to use a PS/2 mouse and keyboard (or just using a laptop as long as the mouse and keyboard connect internally via PS/2), but unfortunately that's not really an option for me. And I'm going to have to transfer files back and forth between these two systems anyway, one way or another. This is even more problematic because my other system is Linux/Windows dual boot, so my Linux OS is really only as secure as Windows! Though I guess using an online file upload service is an option too, but I might have problems when I need to transfer 40GB of files! If I'm going to have to use usb sticks anyway, then it seems like there's really no point in creating the usb qube and exposing myself to that additional attack vector in qubes. Thanks for your help though! -Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4838acde-85d3-5665-df25-3c3b4eec46eb%40riseup.net. For more options, visit https://groups.google.com/d/optout.
