On Friday, August 11, 2017 at 11:02:13 AM UTC-4, yura...@gmail.com wrote:
> On Friday, August 11, 2017 at 2:07:44 PM UTC, cooloutac wrote:
> > On Saturday, August 5, 2017 at 12:48:29 PM UTC-4, yura...@gmail.com wrote:
> > > On Saturday, August 5, 2017 at 4:38:23 PM UTC, cooloutac wrote:
> > > > On Saturday, August 5, 2017 at 12:28:32 PM UTC-4, yura...@gmail.com 
> > > > wrote:
> > > > > On Saturday, August 5, 2017 at 4:15:43 PM UTC, cooloutac wrote:
> > > > > > On Saturday, August 5, 2017 at 12:05:58 PM UTC-4, yura...@gmail.com 
> > > > > > wrote:
> > > > > > > On Saturday, August 5, 2017 at 3:56:25 PM UTC, cooloutac wrote:
> > > > > > > > On Saturday, August 5, 2017 at 11:34:32 AM UTC-4, 
> > > > > > > > yura...@gmail.com wrote:
> > > > > > > > > On Saturday, August 5, 2017 at 3:26:05 PM UTC, cooloutac 
> > > > > > > > > wrote:
> > > > > > > > > > I'll be disappointed but I'm not going to be mad at them 
> > > > > > > > > > for trying to get paid, they deserve it. 
> > > > > > > > > > 
> > > > > > > > > > But I also wouldn't mind if they turned me into a money 
> > > > > > > > > > asset like windows so they can keep designing it for home 
> > > > > > > > > > users...lol
> > > > > > > > > > 
> > > > > > > > > > I look at things differently.  You are referring to linux 
> > > > > > > > > > architecture and developers,  while I'm referring to the 
> > > > > > > > > > majority of its users and community members, as the Product.
> > > > > > > > > 
> > > > > > > > > Alright, I respect that, we see some things differently. But 
> > > > > > > > > the discussion is good, it does not have to come down to 
> > > > > > > > > agreeing in the end. 
> > > > > > > > > 
> > > > > > > > > I don't like customers being turned into assets though. The 
> > > > > > > > > > way I see it, it essentially makes people "not people" 
> > > > > > > > > anymore, customer service is out of the window, it's all 
> > > > > > > > > about cheating and manipulating people into making the best 
> > > > > > > > > use of them, rather than making a fair trade between a 
> > > > > > > > > company and a customer. So I kind of black out when I see 
> > > > > > > > > business models that turn people into assets, I really, 
> > > > > > > > > really don't like that approach.
> > > > > > > > > 
> > > > > > > > > But I do really agree that I wouldn't mind Qubes taking a 
> > > > > > > > > fee, ask for more donations, or focus partly or entirely on 
> > > > > > > > > business users. They do a lot of hard work, and regardless of 
> > > > > > > > > the target group, the change will be for the better of 
> > > > > > > > > humanity. Perhaps it's asking too much for Qubes to focus on 
> > > > > > > > > > both companies and end-users at the same time, nonetheless, I 
> > > > > > > > > do hope they can manage to do that.
> > > > > > > > > 
> > > > > > > > > It's obvious they had their hands full on Qubes 4 too, so it 
> > > > > > > > > might just be that and we're reading too much into the issue 
> > > > > > > > > > here at hand. But let's see, with time come answers. I just 
> > > > > > > > > > hope it will be in good time rather than a long wait.
> > > > > > > > 
> > > > > > > > > You are going to be someone's asset or product as part of 
> > > > > > > > nature,  whether you know it or not.
> > > > > > > > 
> > > > > > > > The ends justify the means to me. Especially if it means being 
> > > > > > > > able to use Qubes or not.   
> > > > > > > > 
> > > > > > > > > I also think it's silly to not support secure boot, simply 
> > > > > > > > > because the idea was created by Microsoft.   FSF/Richard 
> > > > > > > > > Stallman supporters who are against secure boot are like 
> > > > > > > > > Bernie supporters not voting for Hillary.  Seems more spiteful 
> > > > > > > > > than practical.
> > > > > > > 
> > > > > > > Well yeah, only if one allows oneself to become a victim. We can 
> > > > > > > oppose and create balance in the world. 
> > > > > > > Also secure boot is entirely pointless in a stateless computer. A 
> > > > > > > non-stateless computer has a lot of closed source firmware which 
> > > > > > > > can be either buggy (which closed software has proven to almost 
> > > > > > > always be), and backdoored, which is either illegal, can be 
> > > > > > > abused by other than for the intended, and is at the fringe limit 
> > > > > > > crossing into the realm of human rights. 
> > > > > > > 
> > > > > > > We don't need closed source firmware, it only creates problems, 
> > > > > > > > and no benefit or solutions, other than maintaining market shares 
> > > > > > > through force, rather than surviving on good customer service and 
> > > > > > > customer support. 
> > > > > > > We don't need companies that leech on society. 
> > > > > > > 
> > > > > > > I gather you think the world is ruled by bullies, and that you 
> > > > > > > think it's okay. If so, using that perspective, we just have to 
> > > > > > > > become the bullies towards the big companies who want to make use 
> > > > > > > > of us. By the end of the day, we the people are what matter, 
> > > > > > > > humanity matters, not some greedy individuals behind a large 
> > > > > > > company. Having said that, I'm not a fanatic against big 
> > > > > > > companies, but they must behave, or I'll be against them.
> > > > > > 
> > > > > > You can promote change, but we have to work with what we got right 
> > > > > > now.
> > > > > > 
> > > > > > > And right now secure boot would have stopped Hacking Team's Insyde 
> > > > > > > BIOS attacks, which some experts said could be exploited remotely, 
> > > > > > > and would have worked on most AMI BIOS as well.   Without it what's 
> > > > > > > the point?  Why even bother with Qubes?  Like you said hardware has 
> > > > > > > backdoors, and if BIOS also has no protections.  What's the point 
> > > > > > > then? 
> > > > > > 
> > > > > > > The problem for me is this is not a cool tech experiment.  It's for 
> > > > > > > practical use.
> > > > > 
> > > > > > Ah, I see, I follow you now.
> > > > > > I'm not entirely sure how effective Anti-Evil-Maid is at detecting 
> > > > > change in the BIOS/UEFI, perhaps someone can enlighten us on the 
> > > > > topic? Can AEM be tricked or bypassed? Practically or theoretically? 
> > > > > 
> > > > > > Though Joanna (head of Qubes) has said it might just be some years, 
> > > > > if I remember correctly, before we might see true stateless 
> > > > > computers. I'm not sure if anyone with resources would want to commit 
> > > > > to such a thing, but it would definitely help us all out. I hope she 
> > > > > can convince someone with resources with her goal for a true 
> > > > > stateless pc. 
> > > > > 
> > > > > But meanwhile, we have to live with closed off firmware indeed, and 
> > > > > it would be interesting to know how effective and trustworthy AEM is.
> > > > > 
> > > > > > I suppose it might also be possible to hardware firewall off any 
> > > > > > incoming signals to the computer's BIOS/UEFI, which most routers do by 
> > > > > default these days. At this point, it should be a simple matter to 
> > > > > have a team to test if any BIOS/UEFI are phoning home. 
> > > > > 
> > > > > > The only way someone can attack a BIOS/UEFI is if they have a leak 
> > > > > > through the firewall, which can be gained by trojan horses through either 
> > > > > > user mistakes or hidden software malware.
> > > > > > The only other method would be to have the BIOS/UEFI phone home 
> > > > > > regularly, so that it can open up the hardware firewall, and these 
> > > > > > can be detected easily if someone keeps tabs on them. 
> > > > > In other words, our BIOS/UEFI should only be exploitable if our 
> > > > > firewalls are not set up properly or we make mistakes on the 
> > > > > internet. 
> > > > > 
> > > > > If I'm not mistaken, I don't want to claim to be an expert on this 
> > > > > topic, I'm definitely not an expert. But as far as I understand the 
> > > > > issue, this is the limit.
> > > > > 
> > > > > > We should probably try to steer back on-topic though, this is more 
> > > > > Qubes general discussion than Qubes 4 discussion.
> > > > 
> > > > Unlike secure boot, aem does not stop a compromise, only notifies you 
> > > > of a change which might indicate a compromise has happened,  which 
> > > > basically is a prompt to buy a new pc.
> > > > 
> > > > Reading posts on the forums tells me it can be buggy and false alarms 
> > > > happen though.
> > > > 
> > > > Intel says you need 3 things for the best boot protection.  Secure 
> > > > boot, trusted boot, and measured boot.   I'm a total noob but I believe 
> > > > > aem falls into trusted boot category?  So I wonder if it's possible to 
> > > > use both?  And I have no idea what measured boot is.
> > > > 
> > > > Another thing to consider is that if you use a usb key, which makes 
> > > > most sense to use with aem, then you can't use a sys-usb at the same 
> > > > time. So it depends on your threat model and how you use your system.  
> > > > Someone might have to correct me on this but I believe this to be the 
> > > > case.
> > > 
> > > Well yeah, most people with resources and knowhow to attack the BIOS/UEFI 
> > > are governments. If you become a target of those, you really need to 
> > > > watch your step, in all likelihood, most if not all, would eventually get 
> > > > caught if they repeatedly appear on the internet with something that can 
> > > > tie them to previous instances. Eventually you build up a profile that can 
> > > lead to your detection, or vulnerabilities to use against your system. 
> > > 
> > > I don't think we need to worry about regular and everyday hackers meaning 
> > > to do harm, after all, these attacks are mostly only worth it on high 
> > > profile people. 
> > > 
> > > > Also in your scenario, BIOS/UEFI is still closed source firmware. It can 
> > > be backdoored, and backdoors can be used by others than the creators. But 
> > > it remains a fact (for now at least), that only groups with a lot of 
> > > resources, can use these attacks, and they will only invest it into high 
> > > target profile people.
> > > 
> > > Regarding the USB while Qubes isn't booted, that is a really good point. 
> > > I've been thinking about that too, maybe create our own USB with open 
> > > source firmware which can be hash value verified after it is turned into 
> > > > a binary package sitting on the USB stick. But my knowledge is too 
> > > > limited to say for sure if this is possible, but it's worth studying 
> > > > more. There are some tools out there already as it is, but it's a bit 
> > > > cumbersome and "do it yourself".
> > > Albeit for now, these USB attacks appear to be exotic and rare enough to 
> > > ignore for low profile targets (for now).
> > > 
> > > However AEM should detect changes between reboots at least.
> > 
> > > This ain't the 90s anymore.  Low-level actors have become equal to state 
> > > level.  It's probably partly why NSA built PRISM, only way they could one up 
> > > them. 90% of DDoS sites are run by 15 year olds.   2005 saw a dramatic 
> > increase, but 2012 was a real turning point, we are in an epidemic now.
> > 
> > I was complaining about bios exploits 10 years ago and people were lying to 
> > themselves then, nothing has changed.  
> > 
> > And if you are worried about the gov't spying on you.  Don't do anything 
> > online, period. Why are you even using a computer?  Even worse, a 
> > cellphone. Just assume most things are not private.
> 
> > Listen, you're not reading what I'm saying, especially across multiple 
> posts in this thread. Also there is a very, very thin line between fear and 
> anxiety. I'm not planning to live a life of concerns through anxiety, I live 
> a life with concerns through real fear from real threats. Fear is 
> rationalized and real, while anxiety is based on baseless emotions which 
> swallow you up. I'm pragmatic, I do what can be done now, I do not want to 
> > live in anxiety, or bash words around aimlessly. Things have to be done, and 
> not just talking about it. 
> 
> > Security and privacy have always been a concern of real fear for me, 
> especially with democracy rotting away slowly, year by year, which is made 
> worse by technology that is increasingly, and slowly ever more so, being used 
> against people. The fall of democracy, is what worries me, especially with 
> the technology that can be used to either protect it, or destroy it.
> 
> I worry about the future. I do not worry much about the past, like the 90s 
> repeating itself, rather new threats have the risk of emerging. They too must 
> be handled with concerns of rationalized fear, and not through baseless 
> anxiety. Even if there is just 5% risk, it must be taken seriously, and 
> approached logically.
> 
> I do not see it as being good or constructive to continue discussing this in 
> this thread, if you want, make a new thread and throw a link here, then I'll 
> follow and keep discussing with you for as long as I have free time to do so. 
> We're getting vastly off-topic here, in a thread which is about Qubes 4 
> release, we shouldn't talk more about this in this thread.

I don't know what this fear vs anxiety thing is, but neither is automatically 
rational.

If you are not using secure boot, you are not even reasonably secure.  This 
needs to be discussed here.  Worry about the future of Qubes if you care about 
those things.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d6b84b97-5c06-4f4c-89e3-6f10422b3562%40googlegroups.com.