On Friday, August 11, 2017 at 2:07:44 PM UTC, cooloutac wrote:
> On Saturday, August 5, 2017 at 12:48:29 PM UTC-4, yura...@gmail.com wrote:
> > On Saturday, August 5, 2017 at 4:38:23 PM UTC, cooloutac wrote:
> > > On Saturday, August 5, 2017 at 12:28:32 PM UTC-4, yura...@gmail.com wrote:
> > > > On Saturday, August 5, 2017 at 4:15:43 PM UTC, cooloutac wrote:
> > > > > On Saturday, August 5, 2017 at 12:05:58 PM UTC-4, yura...@gmail.com
> > > > > wrote:
> > > > > > On Saturday, August 5, 2017 at 3:56:25 PM UTC, cooloutac wrote:
> > > > > > > On Saturday, August 5, 2017 at 11:34:32 AM UTC-4,
> > > > > > > yura...@gmail.com wrote:
> > > > > > > > On Saturday, August 5, 2017 at 3:26:05 PM UTC, cooloutac wrote:
> > > > > > > > > I'll be disappointed but I'm not going to be mad at them for
> > > > > > > > > trying to get paid, they deserve it.
> > > > > > > > >
> > > > > > > > > But I also wouldn't mind if they turned me into a money asset
> > > > > > > > > like Windows so they can keep designing it for home
> > > > > > > > > users...lol
> > > > > > > > >
> > > > > > > > > I look at things differently. You are referring to Linux
> > > > > > > > > architecture and developers, while I'm referring to the
> > > > > > > > > majority of its users and community members, as the Product.
> > > > > > > >
> > > > > > > > Alright, I respect that, we see some things differently. But
> > > > > > > > the discussion is good, it does not have to come down to
> > > > > > > > agreeing in the end.
> > > > > > > >
> > > > > > > > I don't like customers being turned into assets though. The way
> > > > > > > > I see it, it essentially makes people "not people" anymore,
> > > > > > > > customer service is out of the window, it's all about cheating
> > > > > > > > and manipulating people into making the best use of them,
> > > > > > > > rather than making a fair trade between a company and a
> > > > > > > > customer.
> > > > > > > > So I kind of black out when I see business models
> > > > > > > > that turn people into assets, I really, really don't like that
> > > > > > > > approach.
> > > > > > > >
> > > > > > > > But I do really agree that I wouldn't mind Qubes taking a fee,
> > > > > > > > asking for more donations, or focusing partly or entirely on
> > > > > > > > business users. They do a lot of hard work, and regardless of
> > > > > > > > the target group, the change will be for the better of
> > > > > > > > humanity. Perhaps it's asking too much for Qubes to focus on
> > > > > > > > both companies and end-users at the same time, nonetheless, I
> > > > > > > > do hope they can manage to do that.
> > > > > > > >
> > > > > > > > It's obvious they had their hands full on Qubes 4 too, so it
> > > > > > > > might just be that and we're reading too much into the issue
> > > > > > > > here at hand. But let's see, with time come answers. I just
> > > > > > > > hope it will be in good time rather than the long wait.
> > > > > > >
> > > > > > > You are going to be someone's asset or product as part of nature,
> > > > > > > whether you know it or not.
> > > > > > >
> > > > > > > The ends justify the means to me. Especially if it means being
> > > > > > > able to use Qubes or not.
> > > > > > >
> > > > > > > I also think it's silly to not support secure boot, simply because
> > > > > > > the idea was created by Microsoft. FSF/Richard Stallman
> > > > > > > supporters who are against secure boot, is like Bernie
> > > > > > > supporters not voting for Hillary. Seems more spiteful than
> > > > > > > practical.
> > > > > >
> > > > > > Well yeah, only if one allows oneself to become a victim. We can
> > > > > > oppose and create balance in the world.
> > > > > > Also secure boot is entirely pointless in a stateless computer.
> > > > > > A non-stateless computer has a lot of closed source firmware which
> > > > > > can be either buggy (which closed software has proven to almost
> > > > > > always be), and backdoored, which is either illegal, can be abused
> > > > > > by other than for the intended, and is at the fringe limit crossing
> > > > > > into the realm of human rights.
> > > > > >
> > > > > > We don't need closed source firmware, it only creates problems, and
> > > > > > no benefit or solutions, other than maintaining market shares
> > > > > > through force, rather than surviving on good customer service and
> > > > > > customer support.
> > > > > > We don't need companies that leech on society.
> > > > > >
> > > > > > I gather you think the world is ruled by bullies, and that you
> > > > > > think it's okay. If so, using that perspective, we just have to
> > > > > > become the bullies towards the big companies who want to make use
> > > > > > of us. By the end of the day, we the people are what matter,
> > > > > > humanity matters, not some greedy individuals behind a large
> > > > > > company. Having said that, I'm not a fanatic against big companies,
> > > > > > but they must behave, or I'll be against them.
> > > > >
> > > > > You can promote change, but we have to work with what we got right
> > > > > now.
> > > > >
> > > > > And right now secure boot would have stopped Hacking Team's Insyde
> > > > > BIOS attacks, which some experts said could be exploited remotely,
> > > > > and would have worked on most AMI BIOS as well. Without it what's
> > > > > the point? Why even bother with Qubes? Like you said hardware has
> > > > > backdoors, and if BIOS also has no protections. What's the point
> > > > > then?
> > > > >
> > > > > The problem for me is this is not a cool tech experiment. It's for
> > > > > practical use.
> > > >
> > > > ah I see, I follow you now.
> > > > I'm not entirely sure how effective Anti-Evil-Maid is at detecting
> > > > change in the BIOS/UEFI, perhaps someone can enlighten us on the topic?
> > > > Can AEM be tricked or bypassed? Practically or theoretically?
> > > >
> > > > Though Joanna (head of Qubes) has said it might just be some years, if
> > > > I remember correctly, before we might see true stateless computers. I'm
> > > > not sure if anyone with resources would want to commit to such a thing,
> > > > but it would definitely help us all out. I hope she can convince
> > > > someone with resources with her goal for a true stateless PC.
> > > >
> > > > But meanwhile, we have to live with closed off firmware indeed, and it
> > > > would be interesting to know how effective and trustworthy AEM is.
> > > >
> > > > I suppose it might also be possible to hardware firewall off any
> > > > incoming signals to the computer's BIOS/UEFI, which most routers do by
> > > > default these days. At this point, it should be a simple matter to have
> > > > a team to test if any BIOS/UEFI are phoning home.
> > > >
> > > > The only way someone can attack a BIOS/UEFI is if they have a leak
> > > > through the firewall, which can be gained by trojan horses by either
> > > > user mistakes and hidden software malware.
> > > > The only other method, would be to have the BIOS/UEFI to phone home
> > > > regularly, so that it can open up the hardware firewall, and these can
> > > > be detected easily if someone keeps tabs on them.
> > > > In other words, our BIOS/UEFI should only be exploitable if our
> > > > firewalls are not set up properly or we make mistakes on the internet.
> > > >
> > > > If I'm not mistaken, I don't want to claim to be an expert on this
> > > > topic, I'm definitely not an expert. But as far as I understand the
> > > > issue, this is the limit.
> > > >
> > > > We should probably try to steer back on-topic though, this is more Qubes
> > > > general discussion than Qubes 4 discussion.
> > >
> > > Unlike secure boot, AEM does not stop a compromise, only notifies you of
> > > a change which might indicate a compromise has happened, which basically
> > > is a prompt to buy a new PC.
> > >
> > > Reading posts on the forums tells me it can be buggy and false alarms
> > > happen though.
> > >
> > > Intel says you need 3 things for the best boot protection. Secure boot,
> > > trusted boot, and measured boot. I'm a total noob but I believe AEM
> > > falls into trusted boot category? So I wonder if it's possible to use
> > > both? And I have no idea what measured boot is.
> > >
> > > Another thing to consider is that if you use a USB key, which makes most
> > > sense to use with AEM, then you can't use a sys-usb at the same time. So
> > > it depends on your threat model and how you use your system. Someone
> > > might have to correct me on this but I believe this to be the case.
> >
> > Well yeah, most people with resources and knowhow to attack the BIOS/UEFI
> > are governments. If you become a target of those, you really need to watch
> > your step, in all likelihood, most if not all, would eventually get caught
> > if they repeatedly appear on the internet with something that can tie them
> > to previous instances. Eventually you build up a profile that can lead to
> > your detection, or vulnerabilities to use against your system.
> >
> > I don't think we need to worry about regular and everyday hackers meaning
> > to do harm, after all, these attacks are mostly only worth it on high
> > profile people.
> >
> > Also in your scenario, BIOS/UEFI is still closed source firmware. It can be
> > backdoored, and backdoors can be used by others than the creators. But it
> > remains a fact (for now at least), that only groups with a lot of
> > resources, can use these attacks, and they will only invest it into high
> > target profile people.
> >
> > Regarding the USB while Qubes isn't booted, that is a really good point.
> > I've been thinking about that too, maybe create our own USB with open
> > source firmware which can be hash value verified after it is turned into a
> > binary package sitting on the USB sticker. But my knowledge is too limited
> > to say for sure if this is possible, but it's worth studying more. There
> > are some tools out there already as it is, but it's a bit cumbersome and
> > "do it yourself".
> > Albeit for now, these USB attacks appear to be exotic and rare enough to
> > ignore for low profile targets (for now).
> >
> > However AEM should detect changes between reboots at least.
>
> This ain't the 90s anymore. Low level actors have become equal to state
> level. It's probably partly why NSA built PRISM, only way they could one up
> them. 90% of DDoS sites are run by 15 year olds. 2005 saw a dramatic
> increase, but 2012 was a real turning point, we are in an epidemic now.
>
> I was complaining about BIOS exploits 10 years ago and people were lying to
> themselves then, nothing has changed.
>
> And if you are worried about the gov't spying on you. Don't do anything
> online, period. Why are you even using a computer? Even worse, a cellphone.
> Just assume most things are not private.

Listen, you're not reading what I'm saying, especially across multiple posts in this thread.

Also there is a very, very thin line between fear and anxiety. I'm not planning to live a life of concerns through anxiety, I live a life with concerns through real fear from real threats. Fear is rationalized and real, while anxiety is based on baseless emotions which swallow you up. I'm pragmatic, I do what can be done now, I do not want to live in anxiety, or bash words around aimlessly. Things have to be done, and not just talking about it.

Security and privacy have always been a concern of real fear for me, especially with democracy rotting away slowly, year by year, which is made worse by technology that is increasingly, and slowly ever more so, being used against people. The fall of democracy is what worries me, especially with the technology that can be used to either protect it, or destroy it.

I worry about the future. I do not worry much about the past, like the 90s repeating itself, rather new threats have the risk of emerging. They too must be handled with concerns of rationalized fear, and not through baseless anxiety. Even if there is just 5% risk, it must be taken seriously, and approached logically.

I do not see it as being good or constructive to continue discussing this in this thread, if you want, make a new thread and throw a link here, then I'll follow and keep discussing with you for as long as I have free time to do so. We're getting vastly off-topic here, in a thread which is about Qubes 4 release, we shouldn't talk more about this in this thread.