On Thu, 5 Mar 2020 at 15:01, Mike Keehan <[email protected]> wrote:

> On 3/5/20 2:40 PM, Mark Fernandes wrote:
> > On Thu, 5 Mar 2020 at 13:30, Mike Keehan <[email protected] <mailto:[email protected]>> wrote:
> >
> > > On 3/5/20 12:31 PM, Mark Fernandes wrote:
> > > > I want to get a genuine copy of Qubos, from here in the UK (United Kingdom).
> > > >
> > > > The only way described on the Quebos website at present appears to be to download the ISO.
> > > >
> > > > I have the classic security problem described on the website <https://www.qubes-os.org/doc/install-security/>, where not having a trustworthy machine means that I have a never-ending chain of trust issues for each machine that I use in the obtaining of the software.
> > > >
> > > > I suggest that the hyperlinked web page above be updated to provide further guidance as to how to ensure you have a genuine copy of the Qubos software. *_Also, can anyone in this newsgroup provide any such guidance for myself (and others?)_*
> > > >
> > > > (Solely) some thoughts on how to help ensure possession of a genuine copy of Quebos:
> > > >
> > > > 1. If Quebos is distributed through PC magazine DVDs, users can purchase a few copies of a particular magazine having such a DVD, at random, from different stores, in widely different locations (different counties, etc.). Users can then compare the copies to make sure they are identical.
> > > > 2. Purchase Quebos from a randomly chosen big PC store that has perhaps 100 copies of the software on its shelves, on a day picked at random, by selecting one of the copies at random from the shelves.
> > > > 3. If a user believes they are being tracked, what they can do is schedule in their mind (or otherwise) to make such a purchase over the next few months, and then when they are doing some activity (for example visiting a friend in the city), they can just as an aside go and purchase a copy of the software.
> > > > 4. Purchase the Quebos software from an online retailer that uses special tamper-evident packaging <https://www.jwproducts.co.uk>, and then compare the copy obtained in this way with software downloaded from the Quebos website.
> > > > 5. Obtain software in several ways, then compare copies to make sure they're identical.
> > > >
> > > > Thanks,
> > > >
> > > > Mark Fernandes
> > >
> > > Have you read the documentation at https://www.qubes-os.org/doc/installation-guide/ ??
> >
> > I previously skim-read what appeared to be the relevant parts from the guide. Just now, I read from the beginning till the following text in the guide:
> >
> > /Once the ISO has been verified as authentic, you should.../
> >
> > The text after that point appears to be irrelevant.
> >
> > The only thing relevant to this topic in the guide appears to be the information on verifying signatures (which is of course standard practice). In reading information on the Quebos website, there was implicit mention that users may be operating under oppressive regimes/circumstances. With this in mind, I just feel that more guidance is needed on how to obtain authentic copies of the Quebos software. I've hinted at some ideas as to how to do this in my starting post for this topic.
> >
> > Thanks,
> >
> > Mark Fernandes
>
> And did you thoroughly read the linked "our guide on verifying signatures" page?
>
> https://www.qubes-os.org/security/verifying-signatures/
>
> It shows you how to verify that the ISO you download was actually created by the Qubes OS team. (Quebos is not the correct spelling!)
>
> Mike.

Hello all,
Firstly, apologies for misspelling Qubes OS (the word is strange, which is probably why I've been getting confused..)

So if your computer has been compromised, the methods you suggest may be useless. It doesn't matter whether you use search engines, chat rooms, different ISPs, etc. to get the keys, in the scenario that some intruder has control of your machine so that they replace every single instance of the key you download with their own key matching the tampered-with software. Another plausible scenario is that of the Chinese government controlling the internet of their citizens, where such an entity (without taking control of a computer) makes sure that only compromised software and keys are available to their internet users in China.

I'd like to point out that I have verified signatures before, and am aware of their significance. Signatures also don't appear to be foolproof, in the sense that it seems two different files may produce the same signature. I concede that I don't know the full extent to which that is an issue. I'm posting to this newsgroup to get the views of others.

As to my thoughts on possible ways to ensure one obtains an authentic copy of the software, whilst I'm not a security specialist (by any means), my thoughts have been developed over several years in light of needing computer security when working as a self-employed individual, and I should add that I work in software development.

Thanks,

Mark Fernandes
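The thread's points 1, 2, 4 and 5 all come down to the same check: obtain copies of the image through channels an adversary is unlikely to control at once, then confirm they are byte-for-byte identical. The script below is an added example of that comparison step, written for this page and not taken from the thread or from the Qubes OS project's own documentation. It hashes each file with SHA-256 (the same digest the Qubes verifying-signatures guide uses) and reports whether every copy matches. The file names and their contents are constructed for the demonstration; a real run would point `compare_copies` at the ISO files obtained from a magazine DVD, a retail box and a download.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): compare
# independently obtained copies of an ISO by SHA-256 digest.
# Equal digests show the copies are the same bytes; they do NOT show who
# produced them. Binding the image to its publisher is the job of the
# detached signature check described on the Qubes website.

# Print the SHA-256 digest of one file; works with sha256sum or shasum.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_copies FILE...
# Prints "<digest>  <file>" for every copy. Returns 0 when all digests
# are identical, 1 when at least one copy differs from the first.
compare_copies() {
    first=""
    rc=0
    for f in "$@"; do
        d=$(digest_of "$f")
        printf '%s  %s\n' "$d" "$f"
        if [ -z "$first" ]; then
            first=$d
        elif [ "$d" != "$first" ]; then
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: three "copies" of an image. The names and
# contents are made up for this example; the download copy is altered
# by one byte to simulate a tampered file.
WORK=$(mktemp -d)
printf 'constructed iso contents\n' > "$WORK/copy-magazine-dvd.iso"
cp "$WORK/copy-magazine-dvd.iso" "$WORK/copy-retail-box.iso"
cp "$WORK/copy-magazine-dvd.iso" "$WORK/copy-download.iso"
printf 'X' >> "$WORK/copy-download.iso"

if compare_copies "$WORK/copy-magazine-dvd.iso" "$WORK/copy-retail-box.iso"; then
    echo "magazine and retail copies match"
fi
if ! compare_copies "$WORK/copy-magazine-dvd.iso" "$WORK/copy-download.iso"; then
    echo "download differs from the magazine copy: do not install it"
fi
rm -rf "$WORK"
```

Two things worth keeping in mind when using a check like this. First, it only detects disagreement between channels: if every channel a person can reach hands out the same altered image, as in the controlled-internet scenario raised in the thread, all digests agree and nothing is flagged, so the comparison complements the signature check rather than replacing it. Second, the digest is exactly what a detached signature covers, so the worry that two different files could carry the same valid signature reduces to finding a SHA-256 collision, for which no practical method is known.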
