#This email represents my analysis of the events of the last few weeks.
#It does not reflect the views of the Qubes Project or Qubes developers
#in any way.

My Qubes laptop got hacked by Five Eyes because they thought I was a terrorist, when in fact I was only making clown videos.

That is surely one of the strangest sentences I have ever had to write, so let me establish my bona fides. I'm a cybersecurity reporter [0], and have covered cybersecurity and national security since 2013. I have a master's degree in cybersecurity from Berkeley, and am currently working on my OSCP. I've been using Qubes as my daily laptop since 2014. I'm not a Qubes developer, but I would consider myself an advanced user.

I'm also a clown. (I gave a talk at Hackers on Planet Earth this year called "Cybersecurity and Clown" [1]). In fact, when Covid hit I was in France studying clown with Philippe Gaulier, the same clown master who trained Sacha Baron Cohen. I'm a standup comedian and comic actor as well.

So when I made these incredibly silly clown videos [2], I didn't expect to find myself under intense physical surveillance for several weeks. I mean, intense. I've been under physical surveillance before for national security reporting I've done (like this article [3]), but this was the closest I've ever seen the security services here in Canada swing their elbows.

Knowing that physical surveillance is always accompanied by electronic surveillance, I kept an eye on my devices. My phone got popped first. Zero-click iPhone RCE. Two missed calls from a non-existent number right when the physical surveillance started.

But would they risk a Qubes 0-day to go after me--for being a literal fscking clown?

They did, and per their new "flyswatter policy" left a JTRIG-style goodbye present when they finally realized I'm just a journalist, and a clown.

One morning last week, I launched a disposable Debian 10 template with my preset defaults of no netvm and a blank page preset--but instead a default page of "https://www.youtube.com/" appeared.

It only happened once, but it was enough.

Does this rise to the standard of journalist proof I'm accustomed to? Of course not. Would I risk my reputation by writing this email to the qubes-users list if I was not confident in my assessment? What do you think?

So why am I writing this message? First, and most importantly, there is clearly a great Qubes 0-day floating around that needs to be found and squashed.

But also, if Five Eyes are prepared to risk a Qubes 0-day on a clown, who would they *not* risk it on? There must be dozens, if not hundreds, of active Qubes implants out there right now. And this email is meant to burn those implants and make them go dark.

If you have Five Eyes in your threat model, then you need to assume compromise and do whatever you need to do. Now.

Does this mean I'm going to stop using Qubes? No. Of course not. Qubes is still our best hope for a reasonably secure laptop. Nothing I've said in this email changes that big picture analysis.

kind regards,
jmp

p.s. And yo, guys? Cause I know you're reading this. Next time you decide to dishonor your oath to protect the Constitution, you might read the First Amendment first.

[0] https://www.jmporup.com/
[1] https://www.youtube.com/watch?v=fiaZaPwvz54
[2] https://www.youtube.com/playlist?list=PLmE_cQ9Hok0nv7RxYZ_xMJtZb216uvdxi
[3] https://arstechnica.com/information-technology/2016/02/the-nsas-skynet-program-may-be-killing-thousands-of-innocent-people/

--
J.M. Porup
www.JMPorup.com