On Friday, 11 August 2017 17:02:13 UTC+2, yura...@gmail.com wrote:
> On Friday, August 11, 2017 at 2:07:44 PM UTC, cooloutac wrote:
> > On Saturday, August 5, 2017 at 12:48:29 PM UTC-4, yura...@gmail.com wrote:
> > > On Saturday, August 5, 2017 at 4:38:23 PM UTC, cooloutac wrote:
> > > > On Saturday, August 5, 2017 at 12:28:32 PM UTC-4, yura...@gmail.com
> > > > wrote:
> > > > > On Saturday, August 5, 2017 at 4:15:43 PM UTC, cooloutac wrote:
> > > > > > On Saturday, August 5, 2017 at 12:05:58 PM UTC-4, yura...@gmail.com
> > > > > > wrote:
> > > > > > > On Saturday, August 5, 2017 at 3:56:25 PM UTC, cooloutac wrote:
> > > > > > > > On Saturday, August 5, 2017 at 11:34:32 AM UTC-4,
> > > > > > > > yura...@gmail.com wrote:
> > > > > > > > > On Saturday, August 5, 2017 at 3:26:05 PM UTC, cooloutac
> > > > > > > > > wrote:
> > > > > > > > > > I'll be disappointed but I'm not going to be mad at them
> > > > > > > > > > for trying to get paid, they deserve it.
> > > > > > > > > >
> > > > > > > > > > But I also wouldn't mind if they turned me into a money
> > > > > > > > > > asset like windows so they can keep designing it for home
> > > > > > > > > > users...lol
> > > > > > > > > >
> > > > > > > > > > I look at things differently. You are referring to linux
> > > > > > > > > > architecture and developers, while I'm referring to the
> > > > > > > > > > majority of its users and community members, as the Product.
> > > > > > > > > >
> > > > > > > > > Alright, I respect that, we see some things differently. But
> > > > > > > > > the discussion is good, it does not have to come down to
> > > > > > > > > agreeing in the end.
> > > > > > > > >
> > > > > > > > > I don't like customers being turned into assets though.
> > > > > > > > > The way I see it, it essentially makes people "not people"
> > > > > > > > > anymore, customer service is out of the window, it's all
> > > > > > > > > about cheating and manipulating people into making the best
> > > > > > > > > use of them, rather than making a fair trade between a
> > > > > > > > > company and a customer. So I kind of black out when I see
> > > > > > > > > business models that turn people into assets, I really,
> > > > > > > > > really don't like that approach.
> > > > > > > > >
> > > > > > > > > But I do really agree that I wouldn't mind Qubes taking a
> > > > > > > > > fee, ask for more donations, or focus partly or entirely on
> > > > > > > > > business users. They do a lot of hard work, and regardless of
> > > > > > > > > the target group, the change will be for the better of
> > > > > > > > > humanity. Perhaps it's asking too much for Qubes to focus on
> > > > > > > > > both companies and end-users at the same time, nonetheless, I
> > > > > > > > > do hope they can manage to do that.
> > > > > > > > >
> > > > > > > > > It's obvious they had their hands full on Qubes 4 too, so it
> > > > > > > > > might just be that and we're reading too much into the issue
> > > > > > > > > here at hand. But let's see, with time comes answers. I just
> > > > > > > > > hope it will be in good time rather than the long wait.
> > > > > > > > >
> > > > > > > > You are going to be someone's asset or product as part of
> > > > > > > > nature, whether you know it or not.
> > > > > > > >
> > > > > > > > The ends justify the means to me. Especially if it means being
> > > > > > > > able to use Qubes or not.
> > > > > > > >
> > > > > > > > I also think it's silly to not support secure boot, simply
> > > > > > > > because the idea was created by Microsoft. FSF/Richard
> > > > > > > > Stallman supporters who are against secure boot, is like
> > > > > > > > Bernie supporters not voting for Hillary. Seems more spiteful
> > > > > > > > than practical.
> > > > > > > >
> > > > > > > Well yeah, only if one allows oneself to become a victim. We can
> > > > > > > oppose and create balance in the world.
> > > > > > > Also secure boot is entirely pointless in a stateless computer. A
> > > > > > > non-stateless computer has a lot of closed source firmware which
> > > > > > > can be either buggy (which closed software has proven to almost
> > > > > > > always be), and backdoored, which is either illegal, can be
> > > > > > > abused by other than for the intended, and is at the fringe limit
> > > > > > > crossing into the realm of human rights.
> > > > > > >
> > > > > > > We don't need closed source firmware, it only creates problems,
> > > > > > > and no benefit or solutions, other than maintaining market shares
> > > > > > > through force, rather than surviving on good customer service and
> > > > > > > customer support.
> > > > > > > We don't need companies that leech on society.
> > > > > > >
> > > > > > > I gather you think the world is ruled by bullies, and that you
> > > > > > > think it's okay. If so, using that perspective, we just have to
> > > > > > > become the bullies towards the big companies who want to make use
> > > > > > > of us. By the end of the day, we the people are what matter,
> > > > > > > humanity matters, not some greedy individuals behind a large
> > > > > > > company. Having said that, I'm not a fanatic against big
> > > > > > > companies, but they must behave, or I'll be against them.
> > > > > > >
> > > > > > You can promote change, but we have to work with what we got right
> > > > > > now.
> > > > > >
> > > > > > And right now secure boot would have stopped Hacking Team's Insyde
> > > > > > BIOS attacks, which some experts said could be exploited remotely,
> > > > > > and would have worked on most AMI BIOS as well. Without it what's
> > > > > > the point? Why even bother with Qubes? Like you said hardware has
> > > > > > backdoors, and if bios also has no protections.
> > > > > > What's the point then?
> > > > > >
> > > > > > The problem for me is this is not a cool tech experiment. It's for
> > > > > > practical use.
> > > > > >
> > > > > Ah I see, I follow you now.
> > > > > I'm not entirely sure how effective Anti-Evil-Maid is into detecting
> > > > > change in the BIOS/UEFI, perhaps someone can enlighten us on the
> > > > > topic? Can AEM be tricked or bypassed? Practically or theoretically?
> > > > >
> > > > > Though Joanna (head of Qubes) has said it might just be some years,
> > > > > if I remember correctly, before we might see true stateless
> > > > > computers. I'm not sure if anyone with resources would want to commit
> > > > > to such a thing, but it would definitely help us all out. I hope she
> > > > > can convince someone with resources with her goal for a true
> > > > > stateless pc.
> > > > >
> > > > > But meanwhile, we have to live with closed off firmware indeed, and
> > > > > it would be interesting to know how effective and trustworthy AEM is.
> > > > >
> > > > > I suppose it might also be possible to hardware firewall off any
> > > > > incoming signals to the computer's BIOS/UEFI, which most routers do by
> > > > > default these days. At this point, it should be a simple matter to
> > > > > have a team to test if any BIOS/UEFI are phoning home.
> > > > >
> > > > > The only way someone can attack a BIOS/UEFI is if they have a leak
> > > > > through the firewall, which can be gained by trojan horses by either
> > > > > user mistakes and hidden software malware.
> > > > > The only other method, would be to have the BIOS/UEFI to phone home
> > > > > regularly, so that it can open up the hardware firewall, and these
> > > > > can be detected easily if someone keeps tabs on them.
> > > > > In other words, our BIOS/UEFI should only be exploitable if our
> > > > > firewalls are not set up properly or we make mistakes on the
> > > > > internet.
> > > > >
> > > > > If I'm not mistaken, I don't want to claim to be an expert on this
> > > > > topic, I'm definitely not an expert. But as far as I understand the
> > > > > issue, this is the limit.
> > > > >
> > > > > We should probably try to steer back on-topic though, this is more
> > > > > Qubes general discussion than Qubes 4 discussion.
> > > > >
> > > > Unlike secure boot, aem does not stop a compromise, only notifies you
> > > > of a change which might indicate a compromise has happened, which
> > > > basically is a prompt to buy a new pc.
> > > >
> > > > Reading posts on the forums tells me it can be buggy and false alarms
> > > > happen though.
> > > >
> > > > Intel says you need 3 things for the best boot protection. Secure
> > > > boot, trusted boot, and measured boot. I'm a total noob but I believe
> > > > aem falls into trusted boot category? So I wonder if it's possible to
> > > > use both? And I have no idea what measured boot is.
> > > >
> > > > Another thing to consider is that if you use a usb key, which makes
> > > > most sense to use with aem, then you can't use a sys-usb at the same
> > > > time. So it depends on your threat model and how you use your system.
> > > > Someone might have to correct me on this but I believe this to be the
> > > > case.
> > > >
> > > Well yeah, most people with resources and knowhow to attack the BIOS/UEFI
> > > are governments. If you become a target of those, you really need to
> > > watch your step, in all likelihood, most if not all, would eventually get
> > > caught if they repeatedly appear on the internet with something that can
> > > tie them to previous instances. Eventually you build up a profile that can
> > > lead to your detection, or vulnerabilities to use against your system.
> > >
> > > I don't think we need to worry about regular and everyday hackers meaning
> > > to do harm, after all, these attacks are mostly only worth it on high
> > > profile people.
> > >
> > > Also in your scenario, BIOS/UEFI is still closed source firmware. It can
> > > be backdoored, and backdoors can be used by others than the creators. But
> > > it remains a fact (for now at least), that only groups with a lot of
> > > resources, can use these attacks, and they will only invest it into high
> > > target profile people.
> > >
> > > Regarding the USB while Qubes isn't booted, that is a really good point.
> > > I've been thinking about that too, maybe create our own USB with open
> > > source firmware which can be hash value verified after it is turned into
> > > a binary package sitting on the USB sticker. But my knowledge is too
> > > limited to say for sure if this is possible, but it's worth studying
> > > more. There are some tools out there already as it is, but it's a bit
> > > cumbersome and "do it yourself".
> > > Albeit for now, these USB attacks appear to be exotic and rare enough to
> > > ignore for low profile targets (for now).
> > >
> > > However AEM should detect changes between reboots at least.
> > >
> > This ain't the 90s anymore. Low level actors have become equal to state
> > level. It's probably partly why nsa built prism, only way they could one up
> > them. 90% of ddos sites are run by 15 year olds. 2005 saw a dramatic
> > increase, but 2012 was a real turning point, we are in an epidemic now.
> >
> > I was complaining about bios exploits 10 years ago and people were lying to
> > themselves then, nothing has changed.
> >
> > And if you are worried about the gov't spying on you. Don't do anything
> > online, period. Why are you even using a computer? Even worse, a
> > cellphone. Just assume most things are not private.
> >
> Listen, you're not reading what I'm saying, especially across multiple of
> posts in this thread. Also there is a very, very thin line between fear and
> anxiety. I'm not planning to live a life of concerns through anxiety, I live
> a life with concerns through real fear from real threats.
> Fear is rationalized and real, while anxiety is based on baseless emotions
> which swallow you up. I'm pragmatic, I do what can be done now, I do not
> want to live in anxiety, or bash words around aimlessly. Things have to be
> done, and not just talking about it.
>
> Security and privacy have always been a concern of real fear for me,
> especially with democracy rotting away slowly, year by year, which is made
> worse by technology that is increasingly, and slowly ever more so, being used
> against people. The fall of democracy, is what worries me, especially with
> the technology that can be used to either protect it, or destroy it.
>
> I worry about the future. I do not worry much about the past, like the 90s
> repeating itself, rather new threats have the risk of emerging. They too must
> be handled with concerns of rationalized fear, and not through baseless
> anxiety. Even if there is just 5% risk, it must be taken seriously, and
> approached logically.
>
> I do not see it as being good or constructive to continue discussing this in
> this thread, if you want, make a new thread and throw a link here, then I'll
> follow and keep discussing with you for as long as I have free time to do so.
> We're getting vastly off-topic here, in a thread which is about Qubes 4
> release, we shouldn't talk more about this in this thread.

This is probably a good time to try the unofficial Qubes IRC chat on freenode.