On Saturday, August 5, 2017 at 4:38:23 PM UTC, cooloutac wrote: > On Saturday, August 5, 2017 at 12:28:32 PM UTC-4, yura...@gmail.com wrote: > > On Saturday, August 5, 2017 at 4:15:43 PM UTC, cooloutac wrote: > > > On Saturday, August 5, 2017 at 12:05:58 PM UTC-4, yura...@gmail.com wrote: > > > > On Saturday, August 5, 2017 at 3:56:25 PM UTC, cooloutac wrote: > > > > > On Saturday, August 5, 2017 at 11:34:32 AM UTC-4, yura...@gmail.com > > > > > wrote: > > > > > > On Saturday, August 5, 2017 at 3:26:05 PM UTC, cooloutac wrote: > > > > > > > I'll be disappointed but I'm not going to be mad at them for > > > > > > > trying to get paid, they deserve it. > > > > > > > > > > > > > > But I also wouldn't mind if they turned me into a money asset > > > > > > > like windows so they can keep designing it for home users...lol > > > > > > > > > > > > > > I look at things differently. You are referring to linux > > > > > > > architecture and developers, while I'm referring to the majority > > > > > > > of its users and community members, as the Product. > > > > > > > > > > > > Alright, I respect that, we see some things differently. But the > > > > > > discussion is good, it does not have to come down to agreeing in > > > > > > the end. > > > > > > > > > > > > I don't like customers being turned into assets though. The way I > > > > > > see it, it essentially make people "not people" anymore, customer > > > > > > service is out of the window, it's all about cheating and > > > > > > manipulating people into making the best use of them, rather than > > > > > > making a fair trade between a company and a customer. So I kind of > > > > > > black out when I see business models that turn people into assets, > > > > > > I really, really don't like that approach. > > > > > > > > > > > > But I do really agree that I wouldn't mind Qubes taking a fee, ask > > > > > > for more donations, or focus partly or entirely on business users. > > > > > > They do a lot of hard work, and regardless of the target group, the > > > > > > change will be for the better of humanity. Perhaps it's asking too > > > > > > much for Qubes to focus on both companies and end-users at the same > > > > > > time, nontheless, I do hope they can manage to do that. > > > > > > > > > > > > It's obvious they had their hands full on Qubes 4 too, so it might > > > > > > just be that and we're reading too much into the issue here at > > > > > > hand. But lets see, with time comes answers. I just hope it wiill > > > > > > be in good time rather the long wait. > > > > > > > > > > You are going to be someones asset or product as part of nature, > > > > > whether you know it or not. > > > > > > > > > > The ends justify the means to me. Especially if it means being able > > > > > to use Qubes or not. > > > > > > > > > > I also think its silly to not support secure boot, simply because the > > > > > idea was created by Microsoft. FSF/Richard Stallman supporters who > > > > > are against secure boot, is like Bernie supporters not voting for > > > > > hillary. Seems more spiteful then practical. > > > > > > > > Well yeah, only if one allows oneself to become a victim. We can oppose > > > > and create balance in the world. > > > > Also secure boot is entirely pointless in a stateless computer. A > > > > non-stateless computer has a lot of closed source firmware which can be > > > > either buggy (which closed software have proven to almost always be), > > > > and backdoored, which is either illegal, can be abused by other than > > > > for the intended, and is at the fringe limit crossing into the realm of > > > > human rights. > > > > > > > > We don't need closed source firmware, it only creates problems, and no > > > > benifit or solutions, other than maintaining market shares through > > > > force, rather than surviving on good customer service and customer > > > > support. > > > > We don't need companies that leech on society. > > > > > > > > I gather you think the world is ruled by bullies, and that you think > > > > it's okay. If so, using that perspective, we just have to become the > > > > bullies towards to big companies who wants to make use of us. By the > > > > end of the day, we the people are what matter, humanity matter, not > > > > some greedy individuals behind a large company. Having said that, I'm > > > > not a fanatic against big companies, but they must behave, or I'll be > > > > against them. > > > > > > You can promote change, but we have to work with what we got right now. > > > > > > And right now secure boot would of stopped hacking teams insyde bios > > > attacks, which some experts said could be exploited remotely, and would > > > of worked on most ami bios as well. Without it whats the point? Why > > > even bother with Qubes? Like you said hardware has backdoors, and if > > > bios also has no protections. Whats the point then? > > > > > > The problem for me is this is not a cool tech experiment. Its for > > > practical use. > > > > ah I see, I follow you now. > > I'm not entirely sure how effective Anti-Evil-Maid is into detecting change > > in the BIOS/UEFI, perhaps someone can enlighten us on the topic? Can AEM be > > tricked or bypassed? Practically or theoretically? > > > > Though Joanna (head of Qubes) have said it might just be some years, if I > > remember correctly, before we might see true stateless computers. I'm not > > sure if anyone with resources would want to commit to such a thing, but it > > would definitely help us all out. I hope she can convince someone with > > resources with her goal for a true stateless pc. > > > > But meanwhile, we have to live with closed off firmware indeed, and it > > would be interesting to know how effective and trustworthy AEM is. > > > > I suppose it might also be possible to hardware firewall off any incoming > > signals to the computers BIOS/UEFI, which most routors do by default these > > days. At this point, it should be a simple matter to have a team to test if > > any BIOS/UEFI are phoning home. > > > > The only way someone can attack a BIOS/UEFI is if they have a leak through > > the firewall, which be be gained by trojan horses by either user mistakes > > and hidden software malware. > > The only other method, would be to have the BIOS/UEFI to phone home > > regularly, so that it can open up the hardware firewall, and these can be > > detected easily if someone keeps taps on them. > > In other words, our BIOS/UEFI should only be exploitable if our firewalls > > are not set up properly or we make mistakes on the internet. > > > > If I'm not mistaken, I don't want to claim to be an expert on this topic, > > I'm definitely not an expert. But as far as I understand the issue, this is > > the limit. > > > > We should probably try stirrer back on-topic though, this is more Qubes > > general discussion than Qubes 4 discussion. > > Unlike secure boot, aem does not stop a compromise, only notifies you of a > change which might indicate a compromise has happened, which basically is a > prompt to buy a new pc. > > Reading posts on the forums tells me it can be buggy and false alarms happen > though. > > Intel says you need 3 things for the best boot protection. Secure boot, > trusted boot, and measured boot. I'm a total noob but I believe aem falls > into trusted boot category? So I wonder if its possible to use both? And I > have no idea what measured boot is. > > Another thing to consider is that if you use a usb key, which makes most > sense to use with aem, then you can't use a sys-usb at the same time. So it > depends on your threat model and how you use your system. Someone might have > to correct me on this but I believe this to be the case.
Well yeah, most people with resources and knowhow to attack the BIOS/UEFI are governments. If you become a target of those, you really need to watch your step, in all liklihood, most if not all, would eventually get caught if they repeatedly appear on the internet with something that can tie them previous instances. Eventually you build up a profile that can lead to your detection, or vulnerabilities to use against your system. I don't think we need to worry about regular and everyday hackers meaning to do harm, after all, these attacks are mostly only worth it on high profile people. ALso in your scenario, BIOS/UEFI is still closed source firmware. It can be backdoored, and backdoors can be used by others than the creators. But it remains a fact (for now at least), that only groups with a lot of resources, can use these attacks, and they will only invest it into high target profile people. Regarding the USB while Qubes isn't booted, that is a really good point. I've been thinking about that too, maybe create our own USB with open source firmware which can be hash value verified after it is turned into a binary package sitting on the USB sticker. But my knowledge is too limited to say for sure if this is possible, but it's worth studying more. There are some tools out there already as it is, but it's a bit cumberstone and "do it yourself". Albeit for now, these USB attacks appear to be exotic and rare enough to ignore for low profile targets (for now). However AEM should detect changes between reboots at least. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/61bff6d3-8d5d-4c02-8614-fca037e1e185%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.