On Friday, February 9, 2018 at 7:09:32 AM UTC+1, Tim W wrote:
> On Wednesday, September 20, 2017 at 4:47:16 PM UTC-4, Yuraeitha wrote:
> > On Wednesday, September 20, 2017 at 12:50:46 PM UTC, Dominique St-Pierre 
> > Boucher wrote:
> > > On Wednesday, September 20, 2017 at 8:27:40 AM UTC-4, cooloutac wrote:
> > > > On Monday, September 18, 2017 at 11:02:50 PM UTC-4, Person wrote:
> > > > > Let's say you have an online identity that you want to keep separate 
> > > > > from your personal information. On Qubes, is it possible to keep i 
> > > > > information completely separate without physical separation? I have 
> > > > > considered using a separate OS virtualized in Qubes, but it may 
> > > > > possibly leak the same device data. Multibooting with Qubes is also 
> > > > > not the safest idea. 
> > > > > 
> > > > > What is the best way to keep online information from being traced 
> > > > > back to you on Qubes?
> > > > 
> > > > Not really sure what you are asking, or what information specifically.  
> > > >  Keeping information separate is the general purpose of Qubes.  One vm 
> > > > doesn't know what data is on the other one.
> > > > 
> > > > If you are talking about keeping your identity hidden from the 
> > > > internet.  Just don't let the vm connect to the internet?
> > > > 
> > > > As far as information like device id's,  that would depend on the 
> > > > program you are connecting to the internet and if it gathers such 
> > > > information.  I really don't know if what core linux processes do this. 
> > > >  Browsers prolly do yes?
> > > > 
> > > > In general, hiding your identity is not really something thats Qubes 
> > > > specific.  Use multiple whonix qubes with tor browser?  Don't log in 
> > > > the same online identities on the same vm?
> > > 
> > > If you are talking about the first the identity of your computer, that 
> > > will always be the same hostname, mac address if you connect both vm 
> > > through the same network card. If you have 2 network card (and different 
> > > sys-net), you can maybe have the traffic through one card for one ID and 
> > > the other ID through the other card but if you are using it at home on 
> > > the same lan, I don't see the point. But doing it on a public wifi and 
> > > using 2 differents network card (and different sys-net vm) you can have 2 
> > > different session on the same website and I don't see a way from the 
> > > server side to figure out that you are doing it from the same computer.
> > > 
> > > Hope I make sense!!!
> > > 
> > > Dominique
> > 
> > I second Dominique here, this is what I would do too if I wanted to 
> > maximize anonymity. However be mindful that it's still risky if its a 
> > matter of life and death, or anything other really serious/important. There 
> > is always a remote chance that something can be used to track back to you, 
> > be it something brand new, zero-day exploits, or what else hidden tricks is 
> > out there. Although these is mostly only used against high-profile targets, 
> > and typically, or most likely not,on your everyday internet users.
> > 
> > For example virtualization isn't perfect. To my knowledge, this is one of 
> > the reasons Qubes is switching from PV to HVM. And even then, HVM seems to 
> > only be a temporay solution, as while it's better than the current PV, it 
> > isn't perfect either. Generally, you're in deep trouble if someone is 
> > hunting you as a high-profile, but if its the average joe-hacker? Probably 
> > not. From what I can gather, Qubes attacks are difficult to pull off, so 
> > much that it hasn't been observed in the wild. However one of Qubes's 
> > weakpoints is the lack of reward pools for white-hat hackers who hunt for 
> > bugs and weakenesses, although it may be solved soon through donations I 
> > think? Anyway, just be careful, don't do anything that you can't pay for 
> > afterwards, be it your life, prison, or what else may be hunting you.
> > 
> > Also to do Qubes justice, it's still pretty darn secure. It requires exotic 
> > and probably difficult hacks to get through, such as hacking one DomU and 
> > mess up your memory in other to break into another DOmU, and thereby 
> > indirectly get access to Dom0, or something like that. Presumably the Qubes 
> > 4 system is much better protected against this kind of difficult but 
> > theoretical possible attack, than Qubes 3.2 is. 
> > 
> > Then again, I'm no security expert, take my words with some salt. But 
> > definitely don't believe Qubes has perfect isolation, it doesn't, not with 
> > modern technology anyway. However it's a massive leap in the right 
> > direction for better security. 
> > 
> > Furthermore, be extremely mindful of user-habits and which websites you 
> > visit within the same Tor sessions. If someone is specifically targeting 
> > you, they might be able to do simple detective work to figure out who you 
> > are. Be sure to make a new session before you do anything that can tie your 
> > identity to anything which must be anonymous in the future. It can even be 
> > the combination of websites you visit, fingerprints in the Tor browser 
> > (they are hard to get rid off, even for Tor/Whonix). Never turn on 
> > Javascript when browsing websites that must be anonymouse (fingerprinting 
> > is heavily increased with javascript enabled), and never move the Tor 
> > window from its default launch location, never resize it, never zoom or 
> > scale, never install addons, never change anything which affects your 
> > browsers fingerprint.
> > 
> > Basically, anyone can be tracked on Tor, if enough resources and skilled 
> > people are being thrown at you, and they have an anchor point of which they 
> > can see you return, to keep watch, until you make a mistake to give further 
> > clues, which eventually will make the puzzle click and identity you.
> > factor
> > Although you may know some of this already, I took the liberty to write 
> > some warnings. Always be ready and cabable to pay the risk if you get found 
> > out, if not, then is the gamble worth it? 
> > 
> > Tor for casual browsing to avoid businesses and macro-surveillance is 
> > pretty harmless even with more loose habits. Though, be warned, it isn't 
> > all sunshine either. Mega servers complexes making use of Economics of 
> > Scale to build cheap Cloud storages etc. are already showing up around the 
> > world, with the single purpose, to collect encrypted or non-encrypted data, 
> > which will never be deleted, forever. This is legal too, since there are 
> > plenty of loopholes in law, for example it isn't illegal for the USA to 
> > collect data of anyone non-US citezen outside of USA, and then trade such 
> > information with allies who keep track of USA citizens. Nothing gets 
> > deleted in these massive server/cloud infrastructures. With the now very 
> > recent news of quantum computers making big breakthroughs, and already 
> > emerging A.I.'s that can automatically search and find anything among 
> > massive amounts of data... well.... 
> > 
> > Huge data collection of encrypted data + Quantum computing breaking 
> > encryption + Advanced emerging A.I. to sort through all the data 
> > automatically = essentially the same as reading the internet in clear-text 
> > non-encrypted.
> > 
> > Basically, anything encrypted today, may not remain encrypted in say 3-7 
> > years. Many don't worry about the future though, but the issue is many 
> > things are collected and kept for safe keeping, until the day this vast 
> > amount of data can be effortlessly opened and sorted.
> > 
> > Worth the risk? If anything big is on the line, then probably not.
> > If you just want to protect your liberty, freedom of speech, democracy 
> > itself, and businesses marketers profiling you, then its worth keep using 
> > it.
> 
> Anything encrypted today maybe broken in 3-7 years?  While its an the minute 
> realm of possible as is in 5 mins from now AES could be broken thru a 
> mathematical break thru the chances of this are astronomically minimal.  
> Quantum computers still do not get around the energy needed and have the most 
>   threat to public key algorithms i.e RSA 2048.  Still when you actually look 
> at it even with our strides we are way way far away from a quantum computer 
> that powerful.  
> 
> We are talking about the use of Shor's Algorithm.  But that is no small feat 
> if you actually look at that algorithm and its cryptographical application in 
> finding an RSA key.  Shor's take 2N qubits. N = bits size of the composite 
> factor. 2048-bit certificate = 4096 qubits needed which requires a state 
> space of over 10^1100.  The needed power of that is so many factor more 
> powerful than anything even on future drawing boards its practically scifi 
> futuristic.  To the effect this would have would be along the lines of 
> traveling via wormholes in terms of advancement.  Not that is not to say 
> something could be found to break it tomorrow.  While quantum computers bring 
> us some interesting possibilities they still are bound by the laws of physics 
> which in this case focuses on the second law of thermal dynamics.
> 
> Then you have symmetric which using Grovers Algorithm to act as a brute force 
> application by search/finding the entire key string with the projected effect 
> of reducing a 256 to a 128 bit key. So lets say 50-60 yrs and again a very 
> powerful q-comp.
> 
> This is not being applied to targeting state secrets but individual personal 
> ones by 99.9% of the users. Even the largest % of state secrets have 
> expiration dates to where they can really be damaging.  So who are those that 
> are targeting all of your encrypted data and will be willing to use the 
> worlds most advanced computer when they finally have them and then maybe one 
> or two in the whole world to crack the keys of data 50-100 yrs old?  How 
> pertinent would that data have to be when you consider just how much data is 
> accrued as they are after all collecting the entire worlds worth of encrypted 
> data that flows the copper fiber light waves 24/7.    It still has to spend 
> tremendous compu time breaking that key.
> 
> Not only will most be dead and the people of their time that would care but 
> you would have to have data that is very highly targeted.   Hell even if it 
> was 5 yrs from now how much data would they have and at best one or two of 
> these computers and it still going to take serious computational time.  That 
> has to be a serious HVI they are after.  Its not going to be just like 
> reading clear txt as even then its not as if they push a button and poof 
> clear text such as if the encryption application had a bug that just gave up 
> the key.
> 
> Work has been done for public key algorithms that resist quantum crypto 
> analysis.  Lattice based open sourced NTRU is the first to come to mind; 
> published in 1996 and was patented but last year released to the public 
> domain.  Free for all to use.  To date, as far as I have read, no feasible 
> attack has been found. Its also space light compare to others bits vs kbs and 
> even mbs size other solutions. There are plenty of others though as well.  
> With the Open Quantum Safe (OQS) project started 2 yrs ago it working towards 
> a full library and tools for quantum and future resistant algorithms that 
> could be used of openssl or plugged into gnupg.  Thus its not as if we are 
> standing still and have nothing for the future.
> 
> How I handle my coms:   for very high security coms I personally do not 
> public key i.e to actually be the primary encryptor of the data. While 
> withholding some details, I user GPG as an outer layer and at times as a way 
> to pass a shared symmetric key (AES two fish etc) to the other party as a 
> last resort if I can not contact thru more secure means i.e. in person, other 
> covert means etc..  Then the actual data is symmetrically encrypted and then 
> sealed with gpg to transmit.  For me GPGs main use is authentication of the 
> intended parties.   That is for higher levels of security for others such as 
> basic emails etc I use normal txt and gpg SOP use. 
> 
> There are ways to make your use of tor much more difficult to track.  Careful 
> choice of the entrance and exit servers geographical locations.  Without 
> getting into details as there is opsec involved, use of multiple VPNs in the 
> chain but must be done correctly for the need.  After all this is not about 
> getting some torrent or for rec but for high need anonymity speed of 
> connection should be a low rank priority.  Even then in the data sent best 
> not to use anything that could readily identify your real identity. Everyone 
> should be using a shadow identity for all but typical open tasks. 
> 
> We are talking about being a high value state target at this point and 
> beyond.  How many are fitting this profile?  Even in oppressive countries to 
> devote those level of resources you have to be an HVT.  Not just someone 
> circumventing the states firewall or even sending out disparaging info but 
> not state secrets.  Here in opsec/tac becomes even more critical.

Also my argument also goes against my self. I cannot make a good case without 
comparing the calculation power of an actual full-scale quantum chip. 

However, given the human brain to underestimate exponential growth in general, 
human inability to grasp such massive power, the rapid advancement of 
technology that follows an exponential growth pattern, and how existing 
technology will help transition quantum computers once they are ready to be 
used. Putting it all together, we are more than likely to be surprised if not 
disrupted of its immense power, sooner rather than later.

Also keep in mind, the one and only thing that preserves and protects 
democracy, is the human number of population that support and back it. What 
many don't realize, is that centralized technology will also slowly centralize 
power. The more centralized technology you build up in society over the years, 
the more and more you centralize power. Eventually you reach a tipping point, 
and if a new crazy leader comes to power, like Stalin, Hitler, or todays crazy 
ones like Putin, Trump, then if democracy cannot protect us any longer due to 
centralized technology enabling centralized power, then we're in huge trouble, 
we may even never recover from it again. 

Now Putin and Trump are still affected by checks and systems blocking their 
power to reach, although this goes more for Trump in comparison to Putin. But 
remember, centralized technology centralizes power, and then democracy will 
just be a fancy word, it won't protect us anymore. 

Essentially, we need to decentralize technology, to keep power that goes with 
it decentralized as well. Otherwise we risk building a super dictatorstate in 
the coming decades. It won't happen within the next few years, this is decade 
long developments. But eventually, and within our lifetime, probably sooner 
than estimation, centralized technology will reach a level, where a single 
crazy organization or person, can do a whole lot of harm without anyone being 
able to stop them.

Now if you have huge databases too with information about all the people who 
ever transpired on the internet, then imagine what would happen if a new Hitler 
appeared. It would get ugly... very ugly... there would be so few secrets, 
everyone would be profiled before the system even even begin to collapse.

This is not some sci-fi novel or crazy rambling, all of this is based on cold 
logic. We have grown too content with the peaceful world we live in today, 
thinking nothing bad can happen. All the bad things in history are relics of 
the past, that kind of thinking. 

Few people dare to think just how bad our future can go, it isn't fun to think 
about, most people would stop right there, and go do something fun instead. But 
if we don't take responsibility today, and steer towards a more safe future, 
then the risk for the above to happen, is very real, and should not be ignored. 

We definitely need to decentralize our technology, and by that, decentralized 
any power that goes with it. And so too, goes for things like data-collection, 
which btw, is not illegal if you do it on people outside your own country, and 
then countries can swap info with each others. Which is happening right now, no 
law is protecting us from trading information about each countries own 
citizens. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0f5769ad-2a95-4b5d-bc3c-f88a4d985f72%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to