'jrsrrs33' via qubes-users:

> I used to think my communications were private doing this changes, until I
> started to realize that it was not.

The IT security rabbit hole is pretty deep. I believe at the bottom it ends with securely disposing all your electronics, but I'm not prepared to do that quite yet. :) Try to find a balance between realistic threats to you and counter-measures to oppose them.

> I decide to verify the ISO (4.0.1) that I download of your canonical website
> [qubes-os.org](http://qubes-os.org/), so I have a Windows program called md5
> & sha Checksum utility and it says it all right (open digest and confirm that
> iso sha256 is the same as in the hash sha 256 of website
> (https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.1-x86_64.iso.DIGESTS)).
>
> I decide also to try to do it with gpg4win program, but I do not know how to
> do it because is an iso, I do it with exe.
> I also try with the instructions of your website, but I do not know how to
> follow.
> How will be the process? Did I do it good or bad verifying the ISO with
> checksum utility?

Verifying the SHA256 hash is good. You can be pretty confident the ISO hasn't been tampered with, but the only way to be sure is to verify signatures per https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-qubes-iso-signatures.

If you can't figure out how to do that with gpg4win, you might want to get some practice with a GNU/Linux distribution instead. You can live boot Mint for example, and I think Debian 10 too https://www.debian.org/CD/live/#choose_live. Then you can use native gpg to verify the ISO. You could also install VirtualBox in Windows and run Debian or whatever in a VM to get familiar with it first.

> Why do I have to verify Qubes Repos if I had verify the iso? Are Qubes Repos
> different from the iso, or complements for the software?

You do not have to verify the repos if you've verified the ISO.

> Qubes was created in September 3, 2012. What has happened with the other
> developers of 2012 (I do not see in your web)?

https://www.qubes-os.org/team/

> All the instructions are for apple users? It is because "sudo" is written in
> the steps.

Apple runs BSD, which also uses sudo. Instructions are for Linux users which is why it will be helpful if you practice first before committing to Qubes.

> "Untrustworthy firmware. (Firmware can be malicious even if the drive is new.
> Plugging a drive with rewritable firmware into a compromised machine can also
> compromise the drive. Installing from a compromised drive could compromise
> even a brand new Qubes installation.)"

This is one of those rabbit holes. You need a secure machine to build a secure machine. If you suspect yours is already compromised, get one that isn't. Here's where you have to find a balance against realistic threats to you.

> I read article of badusb, but what usb do you recommend (because I do not
> find)?

Name brand in factory packaging, not something you found lying on the street.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
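
The checksum step discussed in the message above, as an added example that is not part of the original post or of the Qubes project's own tooling: it parses a DIGESTS file and compares the listed SHA256 against the file on disk. The DIGESTS layout (coreutils-style `<hex> *<name>` lines inside a PGP clearsign envelope) and the file name `example.iso` are assumptions; the signature on the file still has to be checked with gpg.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hex digest length -> algorithm. Assumed layout: "<hex> *<name>" lines
# inside a PGP clearsign envelope; the signature is NOT checked here.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](\S.*)$")

def parse_digests(text):
    """Return {filename: {algo: hexdigest}} from the signed body."""
    out, in_body = {}, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
        m = DIGEST_LINE.match(line)
        if in_body and m and len(m.group(1)) in ALGO_BY_HEXLEN:
            algo = ALGO_BY_HEXLEN[len(m.group(1))]
            out.setdefault(m.group(2), {})[algo] = m.group(1).lower()
    return out

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash the file in chunks so a multi-GB ISO is not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_iso(iso_path, digests_text, algo="sha256"):
    """True only if a digest is listed for this file name and it matches."""
    expected = parse_digests(digests_text).get(Path(iso_path).name, {}).get(algo)
    return expected is not None and file_digest(iso_path, algo) == expected

def demo():
    """Constructed sample: a stand-in 'ISO' plus a DIGESTS body made for it."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "example.iso"
        iso.write_bytes(b"constructed stand-in for an ISO image\n")
        digests = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                   f"{file_digest(iso)} *example.iso\n"
                   "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n")
        intact = check_iso(iso, digests)
        iso.write_bytes(b"one byte changed\n")
        return intact, check_iso(iso, digests)  # (True, False)
```

A match here only shows the file agrees with the DIGESTS file; if both came from the same server, a signature check on the DIGESTS file or the ISO is what ties them to the release signing key.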
