Re: [qubes-users] How to get trusted iso?
On Sunday, May 7, 2017 at 5:06:14 PM UTC-4, Jean-Philippe Ouellet wrote: > On Sun, May 7, 2017 at 2:41 PM, cooloutacwrote: > > On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote: > >> On 05/01/2017 02:33 PM, cooloutac wrote: > >> > I know I can't buy one, so how do I get an a fresh iso if my machine > >> > is compromised? Obviously, someone more prudent would of kept their > >> > original iso on dedicated usb stick. But I was too cheap. > >> > >> I'll go out on a limb and say that Qubes is more about defending against > >> oncoming threats. > >> > >> Pre-existing compromise creates a dilemma for the user, who can > >> pragmatically try to minimize further compromise by degrees. For > >> instance, burn a DVD and then verify it on multiple machines (incl. > >> different architectures). This is not unlike trying to validate the > >> authenticity of a PGP key using different network channels (not quite > >> "out of band" but possibly effective). > >> > >> > > >> > So what happens if that was not done, or how can someone get a > >> > trusted iso for the first time in the first place? Is just checking > >> > key signatures and using dd on a compromised machine enough? I > >> > imagine that would be dangerous. > >> > > >> > Thanks for any suggestions. > >> > >> Since you will probably want to start with Qubes on a non-compromised > >> machine, I suggest to download and verify using that. > >> > >> -- > >> > >> Chris Laprise, tas...@openmailbox.org > >> https://twitter.com/ttaskett > >> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 > > > > this post makes me think about healthcare debate lol. last to universal > > healthcare is also last to end slavery. not a coincidence. > > > > But ya i'll go out on a limb and say most of us are using Qubes cause we > > were already compromised before, and we are using it still believing we > > will be compromised in the future. > > > > If there is no way to get a trusted iso there is no point in using Qubes. > > I am not aware of any mechanism by which to have a 100% guarantee, but > then... do you really need one? > > At some point, you just have to say "well... good enough". Even if you > were to buy install media, as you suggest, how are you sure your > physical mail wasn't intercepted? > > I believe the "create read-only media and verify it on diverse > machines" approach should be sufficient. Breaking it should require > either some rather versatile exploit for something along the > (hopefully diverse) set of components involved in reading & verifying > the media from the multiple systems you use to check it, or for all of > those machines to be independently targeted, possibly with advance > knowledge of the DVD you're about to try to verify. IMO that's > sufficiently unlikely to be worth worrying about. I think the least likely thing to happen is my physical mail gets intercepted. (unless by the gov't or police) Far more likely criminals and peeping toms have all my machines compromised and have advance knowledge i'm going to download Qubes. Also far more likely my hardware is compromised as well. I never blame the gov't, cause they usually don't try to destroy computers or steal money from people. So if I build a new machine and can't buy a Qubes iso, i'll be ordering windows 10 and i'm not going to bother installing Qubes. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/16653a78-2b39-4fb8-bab2-18b6442fb7b6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to get trusted iso?
On Sun, May 7, 2017 at 2:41 PM, cooloutacwrote: > On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote: >> On 05/01/2017 02:33 PM, cooloutac wrote: >> > I know I can't buy one, so how do I get an a fresh iso if my machine >> > is compromised? Obviously, someone more prudent would of kept their >> > original iso on dedicated usb stick. But I was too cheap. >> >> I'll go out on a limb and say that Qubes is more about defending against >> oncoming threats. >> >> Pre-existing compromise creates a dilemma for the user, who can >> pragmatically try to minimize further compromise by degrees. For >> instance, burn a DVD and then verify it on multiple machines (incl. >> different architectures). This is not unlike trying to validate the >> authenticity of a PGP key using different network channels (not quite >> "out of band" but possibly effective). >> >> > >> > So what happens if that was not done, or how can someone get a >> > trusted iso for the first time in the first place? Is just checking >> > key signatures and using dd on a compromised machine enough? I >> > imagine that would be dangerous. >> > >> > Thanks for any suggestions. >> >> Since you will probably want to start with Qubes on a non-compromised >> machine, I suggest to download and verify using that. >> >> -- >> >> Chris Laprise, tas...@openmailbox.org >> https://twitter.com/ttaskett >> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 > > this post makes me think about healthcare debate lol. last to universal > healthcare is also last to end slavery. not a coincidence. > > But ya i'll go out on a limb and say most of us are using Qubes cause we were > already compromised before, and we are using it still believing we will be > compromised in the future. > > If there is no way to get a trusted iso there is no point in using Qubes. I am not aware of any mechanism by which to have a 100% guarantee, but then... do you really need one? At some point, you just have to say "well... good enough". Even if you were to buy install media, as you suggest, how are you sure your physical mail wasn't intercepted? I believe the "create read-only media and verify it on diverse machines" approach should be sufficient. Breaking it should require either some rather versatile exploit for something along the (hopefully diverse) set of components involved in reading & verifying the media from the multiple systems you use to check it, or for all of those machines to be independently targeted, possibly with advance knowledge of the DVD you're about to try to verify. IMO that's sufficiently unlikely to be worth worrying about. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_BVJXvF5SPtc%2BARSAA9j_ZSpE1tKrO1_y7Yv2tva%3DYbsg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to get trusted iso?
On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote: > On 05/01/2017 02:33 PM, cooloutac wrote: > > I know I can't buy one, so how do I get an a fresh iso if my machine > > is compromised? Obviously, someone more prudent would of kept their > > original iso on dedicated usb stick. But I was too cheap. > > I'll go out on a limb and say that Qubes is more about defending against > oncoming threats. > > Pre-existing compromise creates a dilemma for the user, who can > pragmatically try to minimize further compromise by degrees. For > instance, burn a DVD and then verify it on multiple machines (incl. > different architectures). This is not unlike trying to validate the > authenticity of a PGP key using different network channels (not quite > "out of band" but possibly effective). > > > > > So what happens if that was not done, or how can someone get a > > trusted iso for the first time in the first place? Is just checking > > key signatures and using dd on a compromised machine enough? I > > imagine that would be dangerous. > > > > Thanks for any suggestions. > > Since you will probably want to start with Qubes on a non-compromised > machine, I suggest to download and verify using that. > > -- > > Chris Laprise, tas...@openmailbox.org > https://twitter.com/ttaskett > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 this post makes me think about healthcare debate lol. last to universal healthcare is also last to end slavery. not a coincidence. But ya i'll go out on a limb and say most of us are using Qubes cause we were already compromised before, and we are using it still believing we will be compromised in the future. If there is no way to get a trusted iso there is no point in using Qubes. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fbc0dfab-a195-4c8d-9777-f6729ec9d2a8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to get trusted iso?
On Monday, May 1, 2017 at 5:35:56 PM UTC-4, Chris Laprise wrote: > On 05/01/2017 03:43 PM, cooloutac wrote: > > Does Qubes ever plan on selling iso sticks? > > I would like to know. And I've suggested this in the past, but with > DVD-Rs which I think are preferable to USB sticks (even the ones with > hardware write-protect switches). > > > -- > > Chris Laprise, tas...@openmailbox.org > https://twitter.com/ttaskett > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 ah yes very true but I don't even have a cdrom on my system but I would get one for it. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/565f3eca-c8ce-4275-b2ad-1044fb26dc63%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to get trusted iso?
On 05/01/2017 03:43 PM, cooloutac wrote: Does Qubes ever plan on selling iso sticks? I would like to know. And I've suggested this in the past, but with DVD-Rs which I think are preferable to USB sticks (even the ones with hardware write-protect switches). -- Chris Laprise, tas...@openmailbox.org https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c510a8b1-324f-6f60-030a-67b17dfbeea0%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to get trusted iso?
On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote: > On 05/01/2017 02:33 PM, cooloutac wrote: > > I know I can't buy one, so how do I get an a fresh iso if my machine > > is compromised? Obviously, someone more prudent would of kept their > > original iso on dedicated usb stick. But I was too cheap. > > I'll go out on a limb and say that Qubes is more about defending against > oncoming threats. > > Pre-existing compromise creates a dilemma for the user, who can > pragmatically try to minimize further compromise by degrees. For > instance, burn a DVD and then verify it on multiple machines (incl. > different architectures). This is not unlike trying to validate the > authenticity of a PGP key using different network channels (not quite > "out of band" but possibly effective). > > > > > So what happens if that was not done, or how can someone get a > > trusted iso for the first time in the first place? Is just checking > > key signatures and using dd on a compromised machine enough? I > > imagine that would be dangerous. > > > > Thanks for any suggestions. > > Since you will probably want to start with Qubes on a non-compromised > machine, I suggest to download and verify using that. > > -- > > Chris Laprise, tas...@openmailbox.org > https://twitter.com/ttaskett > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 yes good idea, someone else had suggested to me to verify multiple iso's which is also a good idea. Does Qubes ever plan on selling iso sticks? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4f250acb-33b3-4ad1-8f59-974efb499883%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to get trusted iso?
On 05/01/2017 02:33 PM, cooloutac wrote: I know I can't buy one, so how do I get an a fresh iso if my machine is compromised? Obviously, someone more prudent would of kept their original iso on dedicated usb stick. But I was too cheap. I'll go out on a limb and say that Qubes is more about defending against oncoming threats. Pre-existing compromise creates a dilemma for the user, who can pragmatically try to minimize further compromise by degrees. For instance, burn a DVD and then verify it on multiple machines (incl. different architectures). This is not unlike trying to validate the authenticity of a PGP key using different network channels (not quite "out of band" but possibly effective). So what happens if that was not done, or how can someone get a trusted iso for the first time in the first place? Is just checking key signatures and using dd on a compromised machine enough? I imagine that would be dangerous. Thanks for any suggestions. Since you will probably want to start with Qubes on a non-compromised machine, I suggest to download and verify using that. -- Chris Laprise, tas...@openmailbox.org https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/04021104-354b-ea68-8bf4-a91b2774d073%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] How to get trusted iso?
I know I can't buy one, so how do I get an a fresh iso if my machine is compromised? Obviously, someone more prudent would of kept their original iso on dedicated usb stick. But I was too cheap. So what happens if that was not done, or how can someone get a trusted iso for the first time in the first place? Is just checking key signatures and using dd on a compromised machine enough? I imagine that would be dangerous. Thanks for any suggestions. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cc6f21b0-4a46-49a7-ab4f-752e34f6db74%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.