On Friday, 11 August 2017 17:02:13 UTC+2, yura...@gmail.com  wrote:
> On Friday, August 11, 2017 at 2:07:44 PM UTC, cooloutac wrote:
> > On Saturday, August 5, 2017 at 12:48:29 PM UTC-4, yura...@gmail.com wrote:
> > > On Saturday, August 5, 2017 at 4:38:23 PM UTC, cooloutac wrote:
> > > > On Saturday, August 5, 2017 at 12:28:32 PM UTC-4, yura...@gmail.com 
> > > > wrote:
> > > > > On Saturday, August 5, 2017 at 4:15:43 PM UTC, cooloutac wrote:
> > > > > > On Saturday, August 5, 2017 at 12:05:58 PM UTC-4, yura...@gmail.com 
> > > > > > wrote:
> > > > > > > On Saturday, August 5, 2017 at 3:56:25 PM UTC, cooloutac wrote:
> > > > > > > > On Saturday, August 5, 2017 at 11:34:32 AM UTC-4, 
> > > > > > > > yura...@gmail.com wrote:
> > > > > > > > > On Saturday, August 5, 2017 at 3:26:05 PM UTC, cooloutac 
> > > > > > > > > wrote:
> > > > > > > > > > I'll be disappointed but I'm not going to be mad at them 
> > > > > > > > > > for trying to get paid, they deserve it. 
> > > > > > > > > > 
> > > > > > > > > > But I also wouldn't mind if they turned me into a money 
> > > > > > > > > > asset like windows so they can keep designing it for home 
> > > > > > > > > > users...lol
> > > > > > > > > > 
> > > > > > > > > > I look at things differently.  You are referring to linux 
> > > > > > > > > > architecture and developers,  while I'm referring to the 
> > > > > > > > > > majority of its users and community members, as the Product.
> > > > > > > > > 
> > > > > > > > > Alright, I respect that, we see some things differently. But 
> > > > > > > > > the discussion is good, it does not have to come down to 
> > > > > > > > > agreeing in the end. 
> > > > > > > > > 
> > > > > > > > > I don't like customers being turned into assets though. The 
> > > > > > > > > way I see it, it essentially make people "not people" 
> > > > > > > > > anymore, customer service is out of the window, it's all 
> > > > > > > > > about cheating and manipulating people into making the best 
> > > > > > > > > use of them, rather than making a fair trade between a 
> > > > > > > > > company and a customer. So I kind of black out when I see 
> > > > > > > > > business models that turn people into assets, I really, 
> > > > > > > > > really don't like that approach.
> > > > > > > > > 
> > > > > > > > > But I do really agree that I wouldn't mind Qubes taking a 
> > > > > > > > > fee, ask for more donations, or focus partly or entirely on 
> > > > > > > > > business users. They do a lot of hard work, and regardless of 
> > > > > > > > > the target group, the change will be for the better of 
> > > > > > > > > humanity. Perhaps it's asking too much for Qubes to focus on 
> > > > > > > > > both companies and end-users at the same time, nontheless, I 
> > > > > > > > > do hope they can manage to do that.
> > > > > > > > > 
> > > > > > > > > It's obvious they had their hands full on Qubes 4 too, so it 
> > > > > > > > > might just be that and we're reading too much into the issue 
> > > > > > > > > here at hand. But lets see, with time comes answers. I just 
> > > > > > > > > hope it wiill be in good time rather the long wait.
> > > > > > > > 
> > > > > > > > You are going to be someones asset or product as part of 
> > > > > > > > nature,  whether you know it or not.
> > > > > > > > 
> > > > > > > > The ends justify the means to me. Especially if it means being 
> > > > > > > > able to use Qubes or not.   
> > > > > > > > 
> > > > > > > > I also think its silly to not support secure boot, simply 
> > > > > > > > because the idea was created by Microsoft.   FSF/Richard 
> > > > > > > > Stallman supporters who are against secure boot,  is like 
> > > > > > > > Bernie supporters not voting for hillary.  Seems more spiteful 
> > > > > > > > then practical.
> > > > > > > 
> > > > > > > Well yeah, only if one allows oneself to become a victim. We can 
> > > > > > > oppose and create balance in the world. 
> > > > > > > Also secure boot is entirely pointless in a stateless computer. A 
> > > > > > > non-stateless computer has a lot of closed source firmware which 
> > > > > > > can be either buggy (which closed software have proven to almost 
> > > > > > > always be), and backdoored, which is either illegal, can be 
> > > > > > > abused by other than for the intended, and is at the fringe limit 
> > > > > > > crossing into the realm of human rights. 
> > > > > > > 
> > > > > > > We don't need closed source firmware, it only creates problems, 
> > > > > > > and no benifit or solutions, other than maintaining market shares 
> > > > > > > through force, rather than surviving on good customer service and 
> > > > > > > customer support. 
> > > > > > > We don't need companies that leech on society. 
> > > > > > > 
> > > > > > > I gather you think the world is ruled by bullies, and that you 
> > > > > > > think it's okay. If so, using that perspective, we just have to 
> > > > > > > become the bullies towards to big companies who wants to make use 
> > > > > > > of us. By the end of the day, we the people are what matter, 
> > > > > > > humanity matter, not some greedy individuals behind a large 
> > > > > > > company. Having said that, I'm not a fanatic against big 
> > > > > > > companies, but they must behave, or I'll be against them.
> > > > > > 
> > > > > > You can promote change, but we have to work with what we got right 
> > > > > > now.
> > > > > > 
> > > > > > And right now secure boot would of stopped hacking teams  insyde 
> > > > > > bios attacks,  which some experts said could be exploited remotely, 
> > > > > > and would of worked on most ami bios as well.   Without it whats 
> > > > > > the point?  Why even bother with Qubes?  Like you said hardware has 
> > > > > > backdoors, and if bios also has no protections.  Whats the point 
> > > > > > then? 
> > > > > > 
> > > > > > The problem for me is this is not a cool tech experiment.  Its for 
> > > > > > practical use.
> > > > > 
> > > > > ah I see, I follow you now.
> > > > > I'm not entirely sure how effective Anti-Evil-Maid is into detecting 
> > > > > change in the BIOS/UEFI, perhaps someone can enlighten us on the 
> > > > > topic? Can AEM be tricked or bypassed? Practically or theoretically? 
> > > > > 
> > > > > Though Joanna (head of Qubes) have said it might just be some years, 
> > > > > if I remember correctly, before we might see true stateless 
> > > > > computers. I'm not sure if anyone with resources would want to commit 
> > > > > to such a thing, but it would definitely help us all out. I hope she 
> > > > > can convince someone with resources with her goal for a true 
> > > > > stateless pc. 
> > > > > 
> > > > > But meanwhile, we have to live with closed off firmware indeed, and 
> > > > > it would be interesting to know how effective and trustworthy AEM is.
> > > > > 
> > > > > I suppose it might also be possible to hardware firewall off any 
> > > > > incoming signals to the computers BIOS/UEFI, which most routors do by 
> > > > > default these days. At this point, it should be a simple matter to 
> > > > > have a team to test if any BIOS/UEFI are phoning home. 
> > > > > 
> > > > > The only way someone can attack a BIOS/UEFI is if they have a leak 
> > > > > through the firewall, which be be gained by trojan horses by either 
> > > > > user mistakes and hidden software malware.
> > > > > The only other method, would be to have the BIOS/UEFI to phone home 
> > > > > regularly, so that it can open up the hardware firewall, and these 
> > > > > can be detected easily if someone keeps taps on them. 
> > > > > In other words, our BIOS/UEFI should only be exploitable if our 
> > > > > firewalls are not set up properly or we make mistakes on the 
> > > > > internet. 
> > > > > 
> > > > > If I'm not mistaken, I don't want to claim to be an expert on this 
> > > > > topic, I'm definitely not an expert. But as far as I understand the 
> > > > > issue, this is the limit.
> > > > > 
> > > > > We should probably try stirrer back on-topic though, this is more 
> > > > > Qubes general discussion than Qubes 4 discussion.
> > > > 
> > > > Unlike secure boot, aem does not stop a compromise, only notifies you 
> > > > of a change which might indicate a compromise has happened,  which 
> > > > basically is a prompt to buy a new pc.
> > > > 
> > > > Reading posts on the forums tells me it can be buggy and false alarms 
> > > > happen though.
> > > > 
> > > > Intel says you need 3 things for the best boot protection.  Secure 
> > > > boot, trusted boot, and measured boot.   I'm a total noob but I believe 
> > > > aem falls into trusted boot category?  So I wonder if its possible to 
> > > > use both?  And I have no idea what measured boot is.
> > > > 
> > > > Another thing to consider is that if you use a usb key, which makes 
> > > > most sense to use with aem, then you can't use a sys-usb at the same 
> > > > time. So it depends on your threat model and how you use your system.  
> > > > Someone might have to correct me on this but I believe this to be the 
> > > > case.
> > > 
> > > Well yeah, most people with resources and knowhow to attack the BIOS/UEFI 
> > > are governments. If you become a target of those, you really need to 
> > > watch your step, in all liklihood, most if not all, would eventually get 
> > > caught if they repeatedly appear on the internet with something that can 
> > > tie them previous instances. Eventually you build up a profile that can 
> > > lead to your detection, or vulnerabilities to use against your system. 
> > > 
> > > I don't think we need to worry about regular and everyday hackers meaning 
> > > to do harm, after all, these attacks are mostly only worth it on high 
> > > profile people. 
> > > 
> > > ALso in your scenario, BIOS/UEFI is still closed source firmware. It can 
> > > be backdoored, and backdoors can be used by others than the creators. But 
> > > it remains a fact (for now at least), that only groups with a lot of 
> > > resources, can use these attacks, and they will only invest it into high 
> > > target profile people.
> > > 
> > > Regarding the USB while Qubes isn't booted, that is a really good point. 
> > > I've been thinking about that too, maybe create our own USB with open 
> > > source firmware which can be hash value verified after it is turned into 
> > > a binary package sitting on the USB sticker. But my knowledge is too 
> > > limited to say for sure if this is possible, but it's worth studying 
> > > more. There are some tools out there already as it is, but it's a bit 
> > > cumberstone and "do it yourself".
> > > Albeit for now, these USB attacks appear to be exotic and rare enough to 
> > > ignore for low profile targets (for now).
> > > 
> > > However AEM should detect changes between reboots at least.
> > 
> > This aint the 90s anymore.  low level actors have become equal to state 
> > level.  Its probably partly why nsa built prism, only way they could one up 
> > them. 90% of ddos sites are run by 15 year olds.   2005 saw a dramatic 
> > increase, but 2012 was a real turning point, we are in an epidemic now.
> > 
> > I was complaining about bios exploits 10 years ago and people were lying to 
> > themselves then, nothing has changed.  
> > 
> > And if you are worried about the gov't spying on you.  Don't do anything 
> > online, period. Why are you even using a computer?  Even worse, a 
> > cellphone. Just assume most things are not private.
> 
> Listen, you're not reading what I'm saying, especially across multiple of 
> posts in this thread. Also there is a very, very thin line between fear and 
> anxiety. I'm not planning to live a life of concerns through anxiety, I live 
> a life with concerns through real fear from real threats. Fear is 
> rationalized and real, while anxiety is based on baseless emotions which 
> swallow you up. I'm pragmatic, I do what can be done now, I do not want to 
> live in anxiety, or bash words around aimlessly. Things has to be done, and 
> not just talking about it. 
> 
> Security and privacy has always been a concern of real fear for me, 
> especially with democracy rotting away slowly, year by year, which is made 
> worse by technology that is increasingly, and slowly ever more so, being used 
> against people. The fall of democracy, is what worries me, especially with 
> the technology that can be used to either protect it, or destroy it.
> 
> I worry about the future. I do not worry much about the past, like the 90s 
> repeating itself, rather new threats have the risk of emerging. They too must 
> be handled with concerns of rationalized fear, and not through baseless 
> anxiety. Even if there is just 5% risk, it must be taken seriously, and 
> approached logically.
> 
> I do not see it as being good or constructive to continue discussing this in 
> this thread, if you want, make a new thread and throw a link here, then I'll 
> follow and keep discussing with you for as long as I have free time to do so. 
> We're getting vastly off-topic here, in a thread which is about Qubes 4 
> release, we shouldn't talk more about this in this thread.

this is probbaly a good time to try the unofficial qubes irc chat on freenode.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e6a41b3d-d3cf-42e9-908f-9eed3fca17d9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to