I would make a full forensic image and then start investigating. Otherwise the evidence is very fragile.
On Friday, November 6, 2020 at 12:20:32 AM UTC+2 tetra...@danwin1210.me wrote:
> On Mon, Oct 26, 2020 at 04:04:30PM -0400, Chris Laprise wrote:
> >On 10/25/20 10:24 PM, 'J.M. Porup' via qubes-users wrote:
> >>One morning last week, I launched a disposable Debian 10 template with my preset
> >>defaults of no netvm and a blank page preset--but instead a default page of
> >>"https://www.youtube.com/" appeared. It only happened once, but it was enough.
> >
> >So to clarify, you launched a dispVM with no networking, and a youtube
> >page was loaded and rendered on screen?
> >
> >That seems highly unlikely to be an accidental input or glitch.
>
> No, he's saying the Firefox homepage in his Debian-10 template was
> changed from about:blank to youtube.com, leading the debian-10
> template-based DispVM to launch Firefox with youtube.com as the default
> page.
>
> Ergo someone compromised his Debian-10 template and changed the Firefox
> homepage... or, there was an error in the template configuration leading
> to him accidentally changing the homepage in what sounds like a
> stressful situation.
>
> J.M., assuming you are indeed correct about a major attack, most of the
> major Xen vulnerabilities that threaten a Qubes full compromise involve
> sys-net. Since Five Eyes may get advance notice of Xen holes, if your
> machine was indeed fully rooted it could be you were hit by the PCI
> vulnerability from a while back.
>
> Due to precisely these kinds of issues, there is discussion for using
> the much-harder-to-exploit OpenBSD as an operating system for the
> sys-net VM:
> https://github.com/QubesOS/qubes-issues/issues/5294
>
> You may want to give it a go (after buying a new laptop, of course).
>
> Additionally, if a sys-net based attack is indeed a concern for your
> threat model, consider disabling wi-fi entirely and using an ethernet
> cable, wi-fi drivers are generally terrible.
>
> Nevertheless if you are really up against serious Five Eyes type
> adversaries then it's unlikely you'll be able to keep *any* computer
> secure for long and should probably buy that cabin in the Rockies you
> always wanted...

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b70d4e94-7e63-4da1-819c-c72cf2a085e7n%40googlegroups.com.
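The reply above recommends taking a full forensic image before touching anything, because the evidence is fragile. The following shell script is an added example, not code from the thread or from the Qubes project, of the minimal acquisition discipline that makes such an image usable later: read the source sector by sector without aborting on bad sectors, hash both source and image, write a hash sidecar, and make the image read-only. The device and output paths are placeholders supplied by the caller; `make_sample_evidence` builds a constructed stand-in for a block device so the script can be exercised without real hardware.

```shell
#!/bin/sh
# Added example: forensic disk imaging with integrity verification.
# Assumption: SRC is a block device (or a file standing in for one) the
# caller can read; DEST is a path on separate, writable storage.
set -eu

# image_and_verify SRC DEST
# bs=512 matches sector geometry, so conv=sync never pads the final block
# of a real device; conv=noerror keeps reading past unreadable sectors
# instead of aborting the acquisition. After copying, both sides are
# hashed, a sidecar file records the image hash, and the image is made
# read-only. Returns non-zero if the source and image hashes differ.
image_and_verify() {
    src="$1"
    dest="$2"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_hash" "$(basename "$dest")" > "$dest.sha256"
    chmod 0400 "$dest"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST
# Re-checks a stored image against its sidecar, e.g. before each analysis
# session, to show the working copy has not changed since acquisition.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null )
}

# make_sample_evidence PATH
# Constructed stand-in for a device: 2048 sectors (1 MiB) of random bytes.
make_sample_evidence() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}
```

Run it as `image_and_verify /dev/sdX /mnt/evidence/sdX.img` from a live environment where the suspect disk is not mounted; a mounted filesystem can change under the copy and the two hashes will then disagree, which is exactly the signal this check is meant to give.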