On Saturday, February 10, 2018 at 12:41:22 PM UTC+1, Tim W wrote: > On Friday, February 9, 2018 at 4:33:00 AM UTC-5, Yuraeitha wrote: > > On Friday, February 9, 2018 at 7:09:32 AM UTC+1, Tim W wrote: > > > On Wednesday, September 20, 2017 at 4:47:16 PM UTC-4, Yuraeitha wrote: > > > > On Wednesday, September 20, 2017 at 12:50:46 PM UTC, Dominique > > > > St-Pierre Boucher wrote: > > > > > On Wednesday, September 20, 2017 at 8:27:40 AM UTC-4, cooloutac wrote: > > > > > > On Monday, September 18, 2017 at 11:02:50 PM UTC-4, Person wrote: > > > > > > > Let's say you have an online identity that you want to keep > > > > > > > separate from your personal information. On Qubes, is it possible > > > > > > > to keep i information completely separate without physical > > > > > > > separation? I have considered using a separate OS virtualized in > > > > > > > Qubes, but it may possibly leak the same device data. > > > > > > > Multibooting with Qubes is also not the safest idea. > > > > > > > > > > > > > > What is the best way to keep online information from being traced > > > > > > > back to you on Qubes? > > > > > > > > > > > > Not really sure what you are asking, or what information > > > > > > specifically. Keeping information separate is the general purpose > > > > > > of Qubes. One vm doesn't know what data is on the other one. > > > > > > > > > > > > If you are talking about keeping your identity hidden from the > > > > > > internet. Just don't let the vm connect to the internet? > > > > > > > > > > > > As far as information like device id's, that would depend on the > > > > > > program you are connecting to the internet and if it gathers such > > > > > > information. I really don't know if what core linux processes do > > > > > > this. Browsers prolly do yes? > > > > > > > > > > > > In general, hiding your identity is not really something thats > > > > > > Qubes specific. Use multiple whonix qubes with tor browser? Don't > > > > > > log in the same online identities on the same vm? > > > > > > > > > > If you are talking about the first the identity of your computer, > > > > > that will always be the same hostname, mac address if you connect > > > > > both vm through the same network card. If you have 2 network card > > > > > (and different sys-net), you can maybe have the traffic through one > > > > > card for one ID and the other ID through the other card but if you > > > > > are using it at home on the same lan, I don't see the point. But > > > > > doing it on a public wifi and using 2 differents network card (and > > > > > different sys-net vm) you can have 2 different session on the same > > > > > website and I don't see a way from the server side to figure out that > > > > > you are doing it from the same computer. > > > > > > > > > > Hope I make sense!!! > > > > > > > > > > Dominique > > > > > > > > I second Dominique here, this is what I would do too if I wanted to > > > > maximize anonymity. However be mindful that it's still risky if its a > > > > matter of life and death, or anything other really serious/important. > > > > There is always a remote chance that something can be used to track > > > > back to you, be it something brand new, zero-day exploits, or what else > > > > hidden tricks is out there. Although these is mostly only used against > > > > high-profile targets, and typically, or most likely not,on your > > > > everyday internet users. > > > > > > > > For example virtualization isn't perfect. To my knowledge, this is one > > > > of the reasons Qubes is switching from PV to HVM. And even then, HVM > > > > seems to only be a temporay solution, as while it's better than the > > > > current PV, it isn't perfect either. Generally, you're in deep trouble > > > > if someone is hunting you as a high-profile, but if its the average > > > > joe-hacker? Probably not. From what I can gather, Qubes attacks are > > > > difficult to pull off, so much that it hasn't been observed in the > > > > wild. However one of Qubes's weakpoints is the lack of reward pools for > > > > white-hat hackers who hunt for bugs and weakenesses, although it may be > > > > solved soon through donations I think? Anyway, just be careful, don't > > > > do anything that you can't pay for afterwards, be it your life, prison, > > > > or what else may be hunting you. > > > > > > > > Also to do Qubes justice, it's still pretty darn secure. It requires > > > > exotic and probably difficult hacks to get through, such as hacking one > > > > DomU and mess up your memory in other to break into another DOmU, and > > > > thereby indirectly get access to Dom0, or something like that. > > > > Presumably the Qubes 4 system is much better protected against this > > > > kind of difficult but theoretical possible attack, than Qubes 3.2 is. > > > > > > > > Then again, I'm no security expert, take my words with some salt. But > > > > definitely don't believe Qubes has perfect isolation, it doesn't, not > > > > with modern technology anyway. However it's a massive leap in the right > > > > direction for better security. > > > > > > > > Furthermore, be extremely mindful of user-habits and which websites you > > > > visit within the same Tor sessions. If someone is specifically > > > > targeting you, they might be able to do simple detective work to figure > > > > out who you are. Be sure to make a new session before you do anything > > > > that can tie your identity to anything which must be anonymous in the > > > > future. It can even be the combination of websites you visit, > > > > fingerprints in the Tor browser (they are hard to get rid off, even for > > > > Tor/Whonix). Never turn on Javascript when browsing websites that must > > > > be anonymouse (fingerprinting is heavily increased with javascript > > > > enabled), and never move the Tor window from its default launch > > > > location, never resize it, never zoom or scale, never install addons, > > > > never change anything which affects your browsers fingerprint. > > > > > > > > Basically, anyone can be tracked on Tor, if enough resources and > > > > skilled people are being thrown at you, and they have an anchor point > > > > of which they can see you return, to keep watch, until you make a > > > > mistake to give further clues, which eventually will make the puzzle > > > > click and identity you. > > > > factor > > > > Although you may know some of this already, I took the liberty to write > > > > some warnings. Always be ready and cabable to pay the risk if you get > > > > found out, if not, then is the gamble worth it? > > > > > > > > Tor for casual browsing to avoid businesses and macro-surveillance is > > > > pretty harmless even with more loose habits. Though, be warned, it > > > > isn't all sunshine either. Mega servers complexes making use of > > > > Economics of Scale to build cheap Cloud storages etc. are already > > > > showing up around the world, with the single purpose, to collect > > > > encrypted or non-encrypted data, which will never be deleted, forever. > > > > This is legal too, since there are plenty of loopholes in law, for > > > > example it isn't illegal for the USA to collect data of anyone non-US > > > > citezen outside of USA, and then trade such information with allies who > > > > keep track of USA citizens. Nothing gets deleted in these massive > > > > server/cloud infrastructures. With the now very recent news of quantum > > > > computers making big breakthroughs, and already emerging A.I.'s that > > > > can automatically search and find anything among massive amounts of > > > > data... well.... > > > > > > > > Huge data collection of encrypted data + Quantum computing breaking > > > > encryption + Advanced emerging A.I. to sort through all the data > > > > automatically = essentially the same as reading the internet in > > > > clear-text non-encrypted. > > > > > > > > Basically, anything encrypted today, may not remain encrypted in say > > > > 3-7 years. Many don't worry about the future though, but the issue is > > > > many things are collected and kept for safe keeping, until the day this > > > > vast amount of data can be effortlessly opened and sorted. > > > > > > > > Worth the risk? If anything big is on the line, then probably not. > > > > If you just want to protect your liberty, freedom of speech, democracy > > > > itself, and businesses marketers profiling you, then its worth keep > > > > using it. > > > > > > Anything encrypted today maybe broken in 3-7 years? While its an the > > > minute realm of possible as is in 5 mins from now AES could be broken > > > thru a mathematical break thru the chances of this are astronomically > > > minimal. Quantum computers still do not get around the energy needed and > > > have the most threat to public key algorithms i.e RSA 2048. Still when > > > you actually look at it even with our strides we are way way far away > > > from a quantum computer that powerful. > > > > > > We are talking about the use of Shor's Algorithm. But that is no small > > > feat if you actually look at that algorithm and its cryptographical > > > application in finding an RSA key. Shor's take 2N qubits. N = bits size > > > of the composite factor. 2048-bit certificate = 4096 qubits needed which > > > requires a state space of over 10^1100. The needed power of that is so > > > many factor more powerful than anything even on future drawing boards its > > > practically scifi futuristic. To the effect this would have would be > > > along the lines of traveling via wormholes in terms of advancement. Not > > > that is not to say something could be found to break it tomorrow. While > > > quantum computers bring us some interesting possibilities they still are > > > bound by the laws of physics which in this case focuses on the second law > > > of thermal dynamics. > > > > > > Then you have symmetric which using Grovers Algorithm to act as a brute > > > force application by search/finding the entire key string with the > > > projected effect of reducing a 256 to a 128 bit key. So lets say 50-60 > > > yrs and again a very powerful q-comp. > > > > > > This is not being applied to targeting state secrets but individual > > > personal ones by 99.9% of the users. Even the largest % of state secrets > > > have expiration dates to where they can really be damaging. So who are > > > those that are targeting all of your encrypted data and will be willing > > > to use the worlds most advanced computer when they finally have them and > > > then maybe one or two in the whole world to crack the keys of data 50-100 > > > yrs old? How pertinent would that data have to be when you consider just > > > how much data is accrued as they are after all collecting the entire > > > worlds worth of encrypted data that flows the copper fiber light waves > > > 24/7. It still has to spend tremendous compu time breaking that key. > > > > > > Not only will most be dead and the people of their time that would care > > > but you would have to have data that is very highly targeted. Hell even > > > if it was 5 yrs from now how much data would they have and at best one or > > > two of these computers and it still going to take serious computational > > > time. That has to be a serious HVI they are after. Its not going to be > > > just like reading clear txt as even then its not as if they push a button > > > and poof clear text such as if the encryption application had a bug that > > > just gave up the key. > > > > > > Work has been done for public key algorithms that resist quantum crypto > > > analysis. Lattice based open sourced NTRU is the first to come to mind; > > > published in 1996 and was patented but last year released to the public > > > domain. Free for all to use. To date, as far as I have read, no > > > feasible attack has been found. Its also space light compare to others > > > bits vs kbs and even mbs size other solutions. There are plenty of others > > > though as well. With the Open Quantum Safe (OQS) project started 2 yrs > > > ago it working towards a full library and tools for quantum and future > > > resistant algorithms that could be used of openssl or plugged into gnupg. > > > Thus its not as if we are standing still and have nothing for the future. > > > > > > How I handle my coms: for very high security coms I personally do not > > > public key i.e to actually be the primary encryptor of the data. While > > > withholding some details, I user GPG as an outer layer and at times as a > > > way to pass a shared symmetric key (AES two fish etc) to the other party > > > as a last resort if I can not contact thru more secure means i.e. in > > > person, other covert means etc.. Then the actual data is symmetrically > > > encrypted and then sealed with gpg to transmit. For me GPGs main use is > > > authentication of the intended parties. That is for higher levels of > > > security for others such as basic emails etc I use normal txt and gpg SOP > > > use. > > > > > > There are ways to make your use of tor much more difficult to track. > > > Careful choice of the entrance and exit servers geographical locations. > > > Without getting into details as there is opsec involved, use of multiple > > > VPNs in the chain but must be done correctly for the need. After all > > > this is not about getting some torrent or for rec but for high need > > > anonymity speed of connection should be a low rank priority. Even then > > > in the data sent best not to use anything that could readily identify > > > your real identity. Everyone should be using a shadow identity for all > > > but typical open tasks. > > > > > > We are talking about being a high value state target at this point and > > > beyond. How many are fitting this profile? Even in oppressive countries > > > to devote those level of resources you have to be an HVT. Not just > > > someone circumventing the states firewall or even sending out disparaging > > > info but not state secrets. Here in opsec/tac becomes even more critical. > > > > While I in the general sense agree with you, there are however a couple > > major flaws to this applied logic. > > > > The biggest flaw, is not calculating the amount of raw power a quantum > > computer can output. While true, it has to follow the laws of physics, but > > remember quantum computing is more strictly following the laws of quantum > > mechanics, which is a lower below physics, closer to base reality. The > > computational power quantum computers can do, is astronomical huge. Without > > calculating just how huge, you cannot compare other huge numbers, such > > calculation needed to crack encryption schemes. > > > > And here is the cake, most people dramatically underestimate the power of > > exponential growth, because the human brain is not build for it, it's build > > to think in linear lines. And quantum computers are anything but linear > > power outputs. The human brain cannot grasp how powerful they can become, > > and that's why, without calculating the calculation power, you cannot make > > claims that it cannot easily crack encryption in the time-frames mentioned. > > Your brain is human, and so is mine, we both, like all other humans, have a > > flaw, we cannot perceive the sheer power of this thing. We need numbers, > > otherwise you cannot compare. And given how the human brain naturally > > underestimates, the odds are that you are underestimating just how powerful > > quantum computers can be. > > > > Among some of the recent quantum computer developments, they're getting > > closer to make actual computer chips with quantum mechanics computing that > > can scale like current day binary chips. Here many are getting, current > > advances in binary computational chips, may easily be applied to quantum > > computational chips. The recent development of a quantum computer chip, may > > simply require to perfect the single quantum transistor unit, and then you > > can apply large scale quantum chips, in similar scale as today's modern > > chips. > > > > This is not all, as mentioned earlier quantum computing grows > > exponentially, and the human brain tends to dramatically underestimate the > > power of exponential. The small quantum computers today, will rapidly > > develop computational power, even with a poor chip scale factor compared to > > today. If the above example comes true, within a few years, you'll have > > extremely powerful quantum computer very, very quickly by applying large > > chips, but instead of binary transistors, you'll have them with quantum > > transistors. > > > > Now build a small super computer complex, doesn't have to be big, just a > > small one, and you will probably already have enough computing power to > > dismantle any current day encryption that is not immune to quantum > > computations. And this is not even a large scale supercomputer with quantum > > computer chips. Imagine what you could do with a massive server complex... > > the implications... > > > > What's more, this can even be better explained, I did a poor job. The > > potential of quantum computing is massive, and many people are dramatically > > underestimating it, and also forgetting that existing technology today, > > means once we have working quantum transistors, it will not be a matter of > > having to "start over" again, it'll be a simple matter of using existing > > technology. > > > > Most chat messages and e-mails take almost no storage, and it's easy to > > collect it all in todays massive cloud systems, due to one single fact, > > 'economics of scale' works absolutely truly amazingly when it comes to > > Cloud economy. It just keeps getting cheaper, and cheaper, and cheaper to > > store huge massive amounts of data. > > > > What's more, once you have all this data, and you have low effort > > decryption means, then you can simply apply Artificial Intelligence to go > > through it all to profile everything for you. This is already happening > > today, in fact it started happened already 3 years ago when the first A.I. > > systems started to profile public social media, for example the case where > > one looked at a natural disaster, to figure out from the choice of language > > and words of the person, who was present at the disaster zone, and who was > > just commenting on it. > > > > These technologies are improving, and rapidly. I'm not saying next year or > > within 3 years, but they'll probably be something scary in less than 10 > > years. Quantum computing may arrive quicker than estimated too, if there is > > one thing that is typical in many predictions about existing technology, is > > the underestimation of how quickly it will advance. > > > > Don't say it will take 100 years to get quantum computing this powerful, it > > will be far sooner than that. Maybe 20 years is a better guess if you take > > all these things into account, maybe even sooner. > > > > I was going to lay out the size of the Q computer need and the power > requirement and formulas etc as this is already fairly well locked down as is > over all cost estimates Then I realized I had the NIST paper on it as they > started a few years ago address this with new round of encryption comps and > review process and it had some of that info about the computer in it. It > does not have the size so I will post that. Also the cost they project IIRC > is for the computer only not infastructure power or building so 3x+ the > projection for the computer. > > Computer size: Trapping 2 × 109 ions will require 23 × 23 vacuum chambers > occupying an area of ca. 103.5 × 103.5 m2 110 days projected to break > 2048rsa 14 days for 1024. > > It will take a stadium size building to house and support it. > > > 102. > https://csrc.nist.gov/csrc/media/projects/post-quantum-cryptography/documents/pqcrypto-2016-presentation.pdf > > That is far from a cluster of these in each data center and not even close to > turning encrypted as fast as producing clear text. 1/3 of a year 100% > processing full power from a dedicated nuclear power plant in a build the > size of a professional stadium. So 4 months after this 3.5 billion dollar > complex is up and running they will be able to crack 3-4 keys per year. So a > few billion exabytes of encrypted data using how many millions of different > RSA keys... 110 days per key. Not exactly as quick as reading clear txt. > You would have to be a VERY high state level or world level HVT with HVI to > use the full capacity of a nuclear power plants energy fed into a billion > dollar computer for 110 days straight. Snowden only got a small portion of a > super computers power for a couple days in what was considered the largest > publicly known breech in history. > > We are a LONG ways off from using this as a way to get encrypted intel as > long as side channel attacks work as well as they do currently. Years before > this is running we will be using new encryption for coms and frankly people > can protect themselves today against it if they so chose. > > > Anyways this is way off topic and is a rabbit hole with no bottom back to > qubes for me. > > I do agree with you on the collection of data though and the cost factor. > Mainly energy use and space. We can gig in something 100x smaller than just > 10 yrs ago even smaller. Cost per gig way way down as speed of read and > writes is where tech and money is. Archive storage is just going to be cheap > cheap cheap.
True, this is a very deep rabbit hole, but you do bring forward interesting point of views and sources, I'm intrigued, and for that reason tempted to down that rabbit hole. But unfortunately I don't have much free-time, and I suspect you may be in a similar situation, this is a very timeconsuming discussion if it has to be done right. I already try to reduce the amount of time I spend online during busy times. But if a new thread comes up to contniue this discussion on-topic (it's sort of relevant for Qubes, since it brings awareeness to Qubes users to discuss such matter), or even if this one should continue (it's old and unused from main-topic, so I guess its not too much harm), then I may keep up the discussion too, albeit over a longterm timeframe since this topic is very tricky if having to reach an objective ontological view of the topic, preferably using both objective and subjective epistemological discussions to cover all viewpoints. I do not mean to turn away from evidence, quite on the contrary actually, but there are times when these reports are flat out wrong or even mostly right but missing a few critical points that makes a big difference. That's why we have peer-review in science right, so that we critisize and repeat experiments, logical discussions, etc. to make sure they are as accurate and correct as possible. A single paper, can never prove anything to sway a scientific minded community, but it may incite the beginning of a proof to sway the view of a scientific minded community. Even if peer-reviwed though, when trying to predict something, it can go very differently from the prediction, although, many times predictions can be quite accurate too. I do not have any reports on hand for this example, but as an example to look up; I'm pretty sure the electric batteries for large electric grids in society, including for small size purposes like houses and cars, was underestimated by a few years by the very industry itself. It's a good example of how something is somewhat understood but not entirely, and as a result the unexpected can happen despite the confidence for otherwise. It seems like it's a trend for predictions, especially when it's about technology, to underestimate. The general trend is if someone does not know about the technology question, then many tend to overestimate it if they are feeling emotionally positive about it (for example flying cars that was hyped year after year for decades now). But the deeper an understanding is about how the technology in question works, the more the trend seem to point to there being risk to underestimate it, for example large-sized batteries for scale-able purposes, such as houses and entire countries power-grid. Similar, if you look on the last page on the powerpoint slide you linked, they're hinting towards exactly that problem in their conclusion on the last page, "We don't have all the answers". Indeed,they may very well be right, but there are no one that truly understand this technology yet. If more time allowed for it, it'd be interesting to try dig into this, and discussions are very valuable and interesting for that purpose to break assumptions, create new and different views and ideas, and so on. But alas, if anyone creates a new topic, I'd love to join, but will probably be longer period of times between posting on something this complicated that requires a lot of prep-time on every post, at least if it should be approached scientifically. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3f8b8907-2e0e-4f93-82fe-14e24447fa90%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
