Re: [qubes-users] How to get trusted iso?

2017-05-07 Thread cooloutac
On Sunday, May 7, 2017 at 5:06:14 PM UTC-4, Jean-Philippe Ouellet wrote:
> On Sun, May 7, 2017 at 2:41 PM, cooloutac  wrote:
> > On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote:
> >> On 05/01/2017 02:33 PM, cooloutac wrote:
> >> > I know I can't buy one, so how do I get a fresh iso if my machine
> >> > is compromised?  Obviously,  someone more prudent would have kept their
> >> > original iso on dedicated usb stick. But I was too cheap.
> >>
> >> I'll go out on a limb and say that Qubes is more about defending against
> >> oncoming threats.
> >>
> >> Pre-existing compromise creates a dilemma for the user, who can
> >> pragmatically try to minimize further compromise by degrees. For
> >> instance, burn a DVD and then verify it on multiple machines (incl.
> >> different architectures). This is not unlike trying to validate the
> >> authenticity of a PGP key using different network channels (not quite
> >> "out of band" but possibly effective).
> >>
> >> >
> >> > So what happens if that was not done,  or how can someone get a
> >> > trusted iso for the first time in the first place?  Is just checking
> >> > key signatures and using dd on a compromised machine enough? I
> >> > imagine that would be dangerous.
> >> >
> >> > Thanks for any suggestions.
> >>
> >> Since you will probably want to start with Qubes on a non-compromised
> >> machine, I suggest to download and verify using that.
> >>
> >> --
> >>
> >> Chris Laprise, tas...@openmailbox.org
> >> https://twitter.com/ttaskett
> >> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> >
> > this post makes me think about healthcare debate lol.  last to universal 
> > healthcare is also last to end slavery. not a coincidence.
> >
> > But ya i'll go out on a limb and say most of us are using Qubes cause we 
> > were already compromised before,  and we are using it still believing we 
> > will be compromised in the future.
> >
> > If there is no way to get a trusted iso there is no point in using Qubes.
> 
> I am not aware of any mechanism by which to have a 100% guarantee, but
> then... do you really need one?
> 
> At some point, you just have to say "well... good enough". Even if you
> were to buy install media, as you suggest, how are you sure your
> physical mail wasn't intercepted?
> 
> I believe the "create read-only media and verify it on diverse
> machines" approach should be sufficient. Breaking it should require
> either some rather versatile exploit for something along the
> (hopefully diverse) set of components involved in reading & verifying
> the media from the multiple systems you use to check it, or for all of
> those machines to be independently targeted, possibly with advance
> knowledge of the DVD you're about to try to verify. IMO that's
> sufficiently unlikely to be worth worrying about.

I think the least likely thing to happen is my physical mail gets intercepted. 
(unless by the gov't or police)

Far more likely criminals and peeping toms have all my machines compromised and 
have advance knowledge i'm going to download Qubes.  Also  far more likely my 
hardware is compromised as well.  I never blame the gov't,  cause they usually 
don't try to destroy computers or steal money from people.

So if I build a new machine and can't buy a Qubes iso,  i'll be ordering 
windows 10 and i'm not going to bother installing Qubes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/16653a78-2b39-4fb8-bab2-18b6442fb7b6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to get trusted iso?

2017-05-07 Thread Jean-Philippe Ouellet
On Sun, May 7, 2017 at 2:41 PM, cooloutac  wrote:
> On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote:
>> On 05/01/2017 02:33 PM, cooloutac wrote:
>> > I know I can't buy one, so how do I get a fresh iso if my machine
>> > is compromised?  Obviously,  someone more prudent would have kept their
>> > original iso on dedicated usb stick. But I was too cheap.
>>
>> I'll go out on a limb and say that Qubes is more about defending against
>> oncoming threats.
>>
>> Pre-existing compromise creates a dilemma for the user, who can
>> pragmatically try to minimize further compromise by degrees. For
>> instance, burn a DVD and then verify it on multiple machines (incl.
>> different architectures). This is not unlike trying to validate the
>> authenticity of a PGP key using different network channels (not quite
>> "out of band" but possibly effective).
>>
>> >
>> > So what happens if that was not done,  or how can someone get a
>> > trusted iso for the first time in the first place?  Is just checking
>> > key signatures and using dd on a compromised machine enough? I
>> > imagine that would be dangerous.
>> >
>> > Thanks for any suggestions.
>>
>> Since you will probably want to start with Qubes on a non-compromised
>> machine, I suggest to download and verify using that.
>>
>> --
>>
>> Chris Laprise, tas...@openmailbox.org
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>
> this post makes me think about healthcare debate lol.  last to universal 
> healthcare is also last to end slavery. not a coincidence.
>
> But ya i'll go out on a limb and say most of us are using Qubes cause we were 
> already compromised before,  and we are using it still believing we will be 
> compromised in the future.
>
> If there is no way to get a trusted iso there is no point in using Qubes.

I am not aware of any mechanism by which to have a 100% guarantee, but
then... do you really need one?

At some point, you just have to say "well... good enough". Even if you
were to buy install media, as you suggest, how are you sure your
physical mail wasn't intercepted?

I believe the "create read-only media and verify it on diverse
machines" approach should be sufficient. Breaking it should require
either some rather versatile exploit for something along the
(hopefully diverse) set of components involved in reading & verifying
the media from the multiple systems you use to check it, or for all of
those machines to be independently targeted, possibly with advance
knowledge of the DVD you're about to try to verify. IMO that's
sufficiently unlikely to be worth worrying about.



Re: [qubes-users] How to get trusted iso?

2017-05-07 Thread cooloutac
On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote:
> On 05/01/2017 02:33 PM, cooloutac wrote:
> > I know I can't buy one, so how do I get a fresh iso if my machine
> > is compromised?  Obviously,  someone more prudent would have kept their
> > original iso on dedicated usb stick. But I was too cheap.
> 
> I'll go out on a limb and say that Qubes is more about defending against 
> oncoming threats.
> 
> Pre-existing compromise creates a dilemma for the user, who can 
> pragmatically try to minimize further compromise by degrees. For 
> instance, burn a DVD and then verify it on multiple machines (incl. 
> different architectures). This is not unlike trying to validate the 
> authenticity of a PGP key using different network channels (not quite 
> "out of band" but possibly effective).
> 
> >
> > So what happens if that was not done,  or how can someone get a
> > trusted iso for the first time in the first place?  Is just checking
> > key signatures and using dd on a compromised machine enough? I
> > imagine that would be dangerous.
> >
> > Thanks for any suggestions.
> 
> Since you will probably want to start with Qubes on a non-compromised 
> machine, I suggest to download and verify using that.
> 
> -- 
> 
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

this post makes me think about healthcare debate lol.  last to universal 
healthcare is also last to end slavery. not a coincidence.

But ya i'll go out on a limb and say most of us are using Qubes cause we were 
already compromised before,  and we are using it still believing we will be 
compromised in the future.

If there is no way to get a trusted iso there is no point in using Qubes.



Re: [qubes-users] How to get trusted iso?

2017-05-01 Thread cooloutac
On Monday, May 1, 2017 at 5:35:56 PM UTC-4, Chris Laprise wrote:
> On 05/01/2017 03:43 PM, cooloutac wrote:
> > Does Qubes ever plan on selling iso sticks?
> 
> I would like to know. And I've suggested this in the past, but with 
> DVD-Rs which I think are preferable to USB sticks (even the ones with 
> hardware write-protect switches).
> 
> 
> -- 
> 
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

ah yes very true but I don't even have a cdrom on my system but I would get one 
for it.



Re: [qubes-users] How to get trusted iso?

2017-05-01 Thread Chris Laprise

On 05/01/2017 03:43 PM, cooloutac wrote:
> Does Qubes ever plan on selling iso sticks?

I would like to know. And I've suggested this in the past, but with
DVD-Rs which I think are preferable to USB sticks (even the ones with
hardware write-protect switches).



--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] How to get trusted iso?

2017-05-01 Thread cooloutac
On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote:
> On 05/01/2017 02:33 PM, cooloutac wrote:
> > I know I can't buy one, so how do I get a fresh iso if my machine
> > is compromised?  Obviously,  someone more prudent would have kept their
> > original iso on dedicated usb stick. But I was too cheap.
> 
> I'll go out on a limb and say that Qubes is more about defending against 
> oncoming threats.
> 
> Pre-existing compromise creates a dilemma for the user, who can 
> pragmatically try to minimize further compromise by degrees. For 
> instance, burn a DVD and then verify it on multiple machines (incl. 
> different architectures). This is not unlike trying to validate the 
> authenticity of a PGP key using different network channels (not quite 
> "out of band" but possibly effective).
> 
> >
> > So what happens if that was not done,  or how can someone get a
> > trusted iso for the first time in the first place?  Is just checking
> > key signatures and using dd on a compromised machine enough? I
> > imagine that would be dangerous.
> >
> > Thanks for any suggestions.
> 
> Since you will probably want to start with Qubes on a non-compromised 
> machine, I suggest to download and verify using that.
> 
> -- 
> 
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

yes good idea,  someone else had suggested to me to verify multiple iso's which 
is also a good idea.  Does Qubes ever plan on selling iso sticks?



Re: [qubes-users] How to get trusted iso?

2017-05-01 Thread Chris Laprise

On 05/01/2017 02:33 PM, cooloutac wrote:
> I know I can't buy one, so how do I get a fresh iso if my machine
> is compromised?  Obviously,  someone more prudent would have kept their
> original iso on dedicated usb stick. But I was too cheap.

I'll go out on a limb and say that Qubes is more about defending against
oncoming threats.

Pre-existing compromise creates a dilemma for the user, who can
pragmatically try to minimize further compromise by degrees. For
instance, burn a DVD and then verify it on multiple machines (incl.
different architectures). This is not unlike trying to validate the
authenticity of a PGP key using different network channels (not quite
"out of band" but possibly effective).

> So what happens if that was not done,  or how can someone get a
> trusted iso for the first time in the first place?  Is just checking
> key signatures and using dd on a compromised machine enough? I
> imagine that would be dangerous.
>
> Thanks for any suggestions.

Since you will probably want to start with Qubes on a non-compromised
machine, I suggest to download and verify using that.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
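
Added example (not part of the original thread and not Qubes project code): the "burn read-only media, then verify it on several machines" approach described by Chris Laprise and Jean-Philippe Ouellet, as a shell script run on each verifying machine. The function names, the report file format and the argument order are assumptions; the image size and expected SHA-256 are assumed to come from a digest file whose signature was already checked, and are carried to each machine by hand.

```sh
#!/bin/sh
# Added example: check what burned media actually contains against a
# known-good SHA-256, and collect the results from several machines.

# SHA-256 of the first SIZE_BYTES of a file or block device. A raw device
# usually returns more bytes than the image (padding, unused stick space),
# so hashing the whole device would never match the published digest.
media_digest() {  # media_digest SOURCE SIZE_BYTES
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Size in bytes of the image file that was written to the media.
image_size() {  # image_size IMAGE_FILE
    wc -c < "$1" | tr -d ' '
}

# Append this machine's result to a report: "<hostname> <arch> <digest>".
record_result() {  # record_result REPORT SOURCE SIZE_BYTES
    printf '%s %s %s\n' "$(uname -n)" "$(uname -m)" \
        "$(media_digest "$2" "$3")" >> "$1"
}

# Succeed only if the report is non-empty and every line carries EXPECTED.
all_agree() {  # all_agree REPORT EXPECTED_SHA256
    [ -s "$1" ] || return 1
    awk -v want="$2" '$3 != want { exit 1 }' "$1"
}

# Stand-alone use: verify-media.sh SOURCE SIZE_BYTES EXPECTED_SHA256 REPORT
if [ "$#" -eq 4 ]; then
    record_result "$4" "$1" "$2"
    if all_agree "$4" "$3"; then
        echo "all recorded machines match the expected digest"
    else
        echo "MISMATCH: at least one machine read different content"
    fi
fi
```

A mismatch on any one machine means either the media or that machine's read path differs from the others; agreement across machines of different architectures is what the thread's argument relies on.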



[qubes-users] How to get trusted iso?

2017-05-01 Thread cooloutac
I know I can't buy one, so how do I get a fresh iso if my machine is 
compromised?  Obviously,  someone more prudent would have kept their original iso 
on dedicated usb stick. But I was too cheap.

So what happens if that was not done,  or how can someone get a trusted iso for 
the first time in the first place?  Is just checking key signatures and using 
dd on a compromised machine enough? I imagine that would be dangerous.

Thanks for any suggestions.
