On 3/5/20 1:45 PM, Mark Fernandes wrote:
On Thu, 5 Mar 2020 at 18:21, Chris Laprise <tas...@posteo.net
<mailto:tas...@posteo.net>> wrote:
On 3/5/20 7:31 AM, Mark Fernandes wrote:
> I want to get a genuine copy of Qubos, from here in the UK
(United Kingdom).
>
> The only way described on the Quebos website at present, appears
to be
> to download the ISO.
>
> I have the classic security problem described on the website
> <https://www.qubes-os.org/doc/install-security/>, where not having a
> trust-worthy machine, means that I have a never-ending chain of
trust
> issues for each machine that I use in the obtaining of the software.
Many of us work with a threat model that assumes at least some
computers
available by retail are not compromised "out of the box", or else if
compromised then not at the BIOS/UEFI firmware level. For this model,
verifying the Qubes ISO with gpg is acceptable.
Hello Chris,
I've only heard of gpg as a binary running over an operating system. Is
it available as something you can run directly off boot-able media?
Gpg is usually available in live DVD or live USB distros. Its also
incorporated into 'Heads', a firmware boot verification system that's
compatible with Qubes.
In any case, you still need to ensure that gpg hasn't been compromised.
If it has to run off an OS, that OS needs to have not been compromised.
If you need to download gpg, the OS which you use for downloading gpg
has to be not compromised. The website doesn't appear to address these
issues. The security Qubes OS offers may be great. But getting from a
position where you don't have Qubes OS at all, to having Qubes OS
installed, appears to be a serious security concern.
There is a definite chicken-and-egg aspect to this issue. That's bc what
we're dealing with at some level is a failure of Computer Science and
industry to advance computer security in an objective and democratic
manner. It is mostly a VC culture, even in university settings, and
selling bling to the masses now sets the tone for everything else.
That's why things that would have been shocking (like shutting Linux out
of recent TCG updates & making devices that can't really be
switched-off) in the 90s-mid 2000s are now commonplace, and the
"victims" like Linux Foundation don't care anymore bc they are comprised
of megacorps with staff who go home to their iDevices and surveillance
tchotskies.
So computing culture became a worst-case scenario and projects like
Qubes are back-eddies in its wake. Your/our problem can't be solved in a
fundamental way without PC-type hardware that is open source. I think
Qubes has expressed a willingness to help make that happen, since they
are open to the idea of porting Qubes to OpenPOWER architecture.
In the meantime, we have to use hedges and stop-gaps. One is to verify
ROM (e.g. DVD) media on multiple systems, just as one would try to
verify a single gpg key from multiple pathways. Another is to use Qubes,
which reduces the number of components you have to trust down to a
minimum. Also consider what makes a good hardware distributor. Yet
another is to realize the biggest adversaries are not omnipotent and
can't control everything simultaneously; i.e. do random spot checks,
maintain your sanity.
Finally, we need to be able to question things in philosophical terms
because that is the basis of relatable information in modernity. If we
only think about the mechanics, then we remain locked onto the same path
of transistorized irrationality that has begun to weigh on you. For
example, a philosophical approach to your question should recognize
early that its a quandary (or "turtles all the way down") if we keep
accepting the old parameters (i.e. what industry wants to keep selling
us); there are even situations when its illogical to use computers (even
though the above mentioned failed culture still insists its necessary to
do so).
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/ac6a1867-14e1-eec3-c65c-20c82b500925%40posteo.net.