On Tuesday, March 20, 2018 at 10:11:29 AM UTC+1, Linus Stridbeck wrote: > Obviously you seem understand the technical aspects. > > So conclusively its less secure to boot from different hard drives compared > to switching manualy becous the first option could alow some one to get in to > bios not only firmware? > > Its amzing to me that its even possible to get in the firmware! Ones in the > firmware youre basicly one step from the hardrive right? Is it easier to get > in the firmware whern using Windows than when using qubes? > > Besides when in the firmware you per se have to IP address right?
The BIOS/UEFI is also firmware btw, so in the future you read security articles and firmware is mentioned, it might indirectly include mention of BIOS/UEFI as well. The same goes to any other firmware, drives like HHD's/SSD's/HVMe's/thumb-drive's all have firmware too, and so does USB, and many other pieces of hardware. Qubes OS founder Joanna is advocating for stateless hardware, essentially hardware without firmware, where the software fully controls the hardware. This allows for machines to be wiped clean and install fully secure software on it again, or to reset if you suspect you got infected. Unfortunately right now market forces, politics, society habits, as well as competition and costs, all make it unlikely for anyone to start creating stateless hardware. It'd require a big push, or for a significant producer to start doing it, politics demanding it via law, or something like that. Also note if you for example link your drives directly into an AppVM for example via qvm-block or qvm-usb, as far as I understand it, you're essentially exposing the firmware of the drives/thumb-drives, and thereby new firmware threats can reach this firmware, even if you're using Qubes. This is something the developers warned us about and are working on solving. But it goes to show that you're not fully safe, not yet, though using Qubes OS gets you far into the right direction at least, and it's a direction that is rapidly improving further. And as you might suspect now, your question if it's easier to access firmware from windows, is essentially a big yes, your firmware is completely exposed in any operation-system running directly on the hardware. That's the strength of virtual environments, you can keep it out of reach of the hardware's firmware. Unfortunately virtual technology isn't perfect yet, it's still under development and improvements. But the protection Qubes provides, is far superior than the non-existing protection i.e. Windows provides. Dual booting has two major issues that are solved by not dual booting - Easier to cause new infection of firmware from a less secure Operation System. - Attacks carried out on the secure OS from the non-secure OS. I believe those two can carry all the exploit methods meta-headlines, beneath them it gets much more complicated, but essentially it can be narrowed down to those two headlines in a broad sense. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/96f7b2ce-9636-4a13-9648-ff6eaa8da99b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
