Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-02-01 Thread 'awokd' via qubes-users

Alexandre Belgrand wrote on 1/29/19 8:13 AM:
> On Tuesday, 29 January 2019 at 09:51 +0200, Ilpo Järvinen wrote:
>> Yeah yeah, the only modification was that chip as claimed in the
>> article?
>> Magically all the necessary signal pins were routed to its location
>> but nothing else was changed (and you cannot have that many pins in
>> that sized chip anyway which will seriously limit the possible
>> functionality and processing speed). ...But it must all be true and
>> present in thousands of servers because a sensational article so
>> claims (funny though that the so claimed victims of the attack
>> consistently denied presence of such a chip in their servers but I
>> guess you'll anyway think they must be lying for the benefit of the
>> Chinese, damage control, because of the "investigation", or whatever
>> reason).
>
> Good point. Obviously, this article has had access to classified
> information and is part of a new "name and shame" policy. So can we
> trust it?


No. That Bloomberg article is a good example of FUD. Simplest 
explanation is it's sown by someone looking to make a quick buck by 
shorting Supermicro stock. Slightly more paranoid is it's coming 
verbatim from Chinese intelligence services to introduce distrust into 
supply lines, similar to what CIA did with Russian pipelines decades 
ago. More paranoid is it's from domestic intelligence services seeking 
to increase their own obscene budgets by offering to protect us from 
these scary threats. In conclusion, it should be ignored until there is 
independent confirmation from multiple sources.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c647b876-cf94-5666-7ff9-591bc62b8501%40danwin1210.me.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-29 Thread Alexandre Belgrand
On Tuesday, 29 January 2019 at 02:24 -0800, goldsm...@riseup.net wrote:
> To Alexandre
> So you found this stuff on the internet and were gullible enough to
> swallow it, hook line and sinker, without first verifying its
> authenticity. I suppose your allegations against the Debian Team's
> security keys are based on equally unstable foundations.
> 
> The making of serious random and unsolicited allegations with the
> intention of scaremongering, could be described as TROLLING. 

No, but I talked to Debian developers and attended Debian conferences
in the past. The main GPG key of Debian distros is only protected by a
password, not even a smartcard. Today, this is not enough.

All Debian developers should sign code with a smartcard and the main
GPG key should be protected in an HSM. Unless this is the case, you can
consider Debian keys as "compromised". Please note that I have been
using Debian since 1998. But at least I am aware of the lack of
security of Linux distros.



Re: getting rid of ME on modern CPUs (Re: [qubes-users] QSB #46: APT update mechanism vulnerability)

2019-01-29 Thread Stuart Perkins
Like I said, we need to reverse engineer.

On Mon, 28 Jan 2019 17:56:17 +
Holger Levsen  wrote:

>On Mon, Jan 28, 2019 at 11:46:55AM -0600, Stuart Perkins wrote:
>> Up to a certain manufacture, you can go to coreboot and lose the ME 
>> entirely.  After that point, setting the HAP bit may be your best option.  
>> We need someone to reverse engineer the ME and implement enough of it in 
>> coreboot to take over so the newer ones will run.  
>
>that's not enough. on modern intel cpus there's boot-guard which will
>prevent booting with coreboot unless it's signed with a secret intel
>key.
>
>



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-29 Thread goldsmith
On 2019-01-28 21:51, Alexandre Belgrand wrote:
> On Monday, 28 January 2019 at 13:08 -0800, goldsm...@riseup.net wrote:
>> To Alexandre Belgrand
>>
>> I'm intrigued how you can categorically state "CAs and GNU/Linux
>> distributions are #1 targets for national
>> intelligence agencies". This is classified information and therefore
>> only available to a "Spook". Otherwise, it's entered the public
>> domain via say a whistle blower like Ed Snowden. If that's how you
>> came upon it, please state the source and location.
> 
> I am not a whistle blower, but I believe that all CAs and GNU/Linux
> distributions are primary targets for Intelligence agencies. This is
> not secret, this is why I am writing it, sitting behind my real IP. 
> 
> You will find this information on Internet. Look for the recent
> problems with China for example.
> 
> Stealing root certificates allows Intelligence agencies to set up a mirage
> Internet: i.e. decrypt SSL/crypted content and present modified
> content to the user and make man-in-the-middle attack.
> 
> Think about Debian private keys. The keys are stored on a server in a
> datacenter, not even on smartcards. What can stop a remote attacker
> with a remote console (either directly or using Intel ME) from stealing
> the keys and then breaking password using a keylogger in Intel ME.
> Answer : nothing can stop a local government from doing so.
> 
> Think about SSL X509 certificates. To deliver encrypted content, the
> private key has to be on the server. You only need serial console
> access to steal the private key. 
> 
> The only solution is to compile the same bytecode and verify hashes
> online, but Debian is lagging behind important patches, because they
> don't understand what already happened.

To Alexandre
So you found this stuff on the internet and were gullible enough to
swallow it, hook line and sinker, without first verifying its
authenticity. I suppose your allegations against the Debian Team's
security keys are based on equally unstable foundations.

The making of serious random and unsolicited allegations with the
intention of scaremongering, could be described as TROLLING. 



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-29 Thread qubes-fan


Jan 28, 2019, 9:25 PM by alexandre.belgr...@mailbox.org:

> On Monday, 28 January 2019 at 16:47 +0100, qubes-...@tutanota.com wrote:
>
>> What do you yourself use?
>>
> Hope I can answer too. 
>
> I use an X230 with Intel ME disabled from BIOS. It costs about 160€ on
> the second hand market and it has pretty decent hardware. Lenovo claims
> that Intel ME can be disabled, but Intel ME is still running and may
> accept remote shadow connections given a signed certificate from Intel.
>
> This is why I am only reading the mailing list and not using Qubes. At
> present, I consider Qubes as an interesting development, but not
> reaching its goals because dom0 can be penetrated using Intel ME.
>
> I am quite amused by tails sending an update command on each boot. You
> can be sure to light red light in a control center and be penetrated
> within seconds if need be. Remember that governments have control of
> most outgoing nodes. So neither do I use Tor.
>
> You just can't simply store valuable documents on a computer when
> connected to a network. Companies that care about security should have
> a complete process to manage workstations and internal networks,
> without access to the Internet. We are back to ancient times.
>
> Kind regards,
> Alexandre Belgrand
>

Hardware is only one part, right? The question was about the package you use. 
What OS, network, apps... you propose? So, what do you use?

Realize please, that you stand against SW, the OS (Qubes), arguing about HW. 
Also you argue about statements Qubes devs and especially Joanna Rutkowska, 
never claimed. They never claimed that Qubes is IME resistant. Actually the 
opposite. If they did, post their statement here please. I heard her instead 
stressing publicly and repeatedly that the IME is a global issue, not only of 
Intel (see PSP), to be addressed. You are fighting against non-existent claims 
arguing against Qubes. Even the name of the Qubes-OS - A REASONABLY secure OS. 
They don't claim Qubes is - An omnipotent 100% solution and IME resistant. Or do 
they? :)

The IME attack is only one of many possible attacks. If you are open to this 
kind of attack only, and resistant against many others, present in the 
traditional OSes, you increased your sec reasonably.

Let's put it other way round. Everyone of us is a wrench-decryption 
non-resistant. If an adversary starts your thumb-wrench party, what 
finger-wrench decrypts your password and all the secrets? Now knowing this, do 
you use passwords or you just gave up, because you found that terrible 
wrench-security-hole in the system? Do you leave your phone unencrypted and 
unlocked, available to anyone, your credit card number CVV and PIN public, 
cause both ways it can be cracked? Your email password, chat pass, your https 
cert if you own the domain? Do you keep your house unlocked at all times, cause 
both ways the lock can be hacked? Do you see the point?

And the last question. Last but not least. You stated in one of your 
conversations here that you want people to stop using Qubes for security. 
Interesting - why would you wish to do that? What is the benefit for you? How do we 
know you are not just another IS spook tasked with the attack on reasonably 
secure system, which provides very high security for even semi-tech users? 

Also if you would like to increase your paranoia, read the Yasha Levine, 
Surveillance Valley. In that case you can forget everything and ask only one 
question - can the tech that was designed to enslave us, save us? And if so, 
how one does that.




Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-29 Thread Alexandre Belgrand
On Tuesday, 29 January 2019 at 09:51 +0200, Ilpo Järvinen wrote:
> Yeah yeah, the only modification was that chip as claimed in the
> article?
> Magically all the necessary signal pins were routed to its location
> but nothing else was changed (and you cannot have that many pins in
> that sized chip anyway which will seriously limit the possible
> functionality and processing speed). ...But it must all be true and
> present in thousands of servers because a sensational article so
> claims (funny though that the so claimed victims of the attack
> consistently denied presence of such a chip in their servers but I
> guess you'll anyway think they must be lying for the benefit of the
> Chinese, damage control, because of the "investigation", or whatever
> reason).

Good point. Obviously, this article has had access to classified
information and is part of a new "name and shame" policy. So can we
trust it?

My personal opinion is that adding backdoors in consumer electronics is
like an arms race. Once it starts, it cannot and will not stop.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Ilpo Järvinen
On Tue, 29 Jan 2019, Alexandre Belgrand wrote:

> On Tuesday, 29 January 2019 at 00:59 +0200, Ilpo Järvinen wrote:
> > There are many technical reasons raising from plain
> > physics/electronics which make an attack chip of that size with the
> > described capabilities to seem quite utopistic (and the article
> > therefore bogus). ...But of course you can choose to believe what
> > you want.
> 
> The Chinese chip has been found and exists, no doubt about it. It was
> found on thousands of servers, so I believe it is being analyzed.

Yeah yeah, the only modification was that chip as claimed in the article? 
Magically all the necessary signal pins were routed to its location
but nothing else was changed (and you cannot have that many pins in 
that sized chip anyway which will seriously limit the possible functionality 
and processing speed). ...But it must all be true and present in thousands
of servers because a sensational article so claims (funny though that the 
so claimed victims of the attack consistently denied presence of such a 
chip in their servers but I guess you'll anyway think they must be lying 
for the benefit of the Chinese, damage control, because of the 
"investigation", or whatever reason).

-- 
 i.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Alexandre Belgrand
On Tuesday, 29 January 2019 at 00:59 +0200, Ilpo Järvinen wrote:
> There are many technical reasons raising from plain
> physics/electronics which make an attack chip of that size with the
> described capabilities to seem quite utopistic (and the article
> therefore bogus). ...But of course you can choose to believe what
> you want.

The Chinese chip has been found and exists, no doubt about it. It was
found on thousands of servers, so I believe it is being analyzed.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Ilpo Järvinen
On Mon, 28 Jan 2019, Alexandre Belgrand wrote:

> On Monday, 28 January 2019 at 13:08 -0800, goldsm...@riseup.net wrote:
> > I'm intrigued how you can categorically state "CAs and GNU/Linux
> > distributions are #1 targets for national
> 
> China:
> https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
> 
> China uses a tiny chip to intercept data. Read Bloomberg article.
> 
> "A chip can also steal encryption keys for secure communications, block
> security updates that would neutralize the attack, and open up new
> pathways to the internet."

There are many technical reasons raising from plain physics/electronics 
which make an attack chip of that size with the described capabilities to 
seem quite utopistic (and the article therefore bogus). ...But of course 
you can choose to believe what you want.


-- 
 i.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Alexandre Belgrand
On Monday, 28 January 2019 at 13:08 -0800, goldsm...@riseup.net wrote:
> I'm intrigued how you can categorically state "CAs and GNU/Linux
> distributions are #1 targets for national

China:
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

China uses a tiny chip to intercept data. Read Bloomberg article.

"A chip can also steal encryption keys for secure communications, block
security updates that would neutralize the attack, and open up new
pathways to the internet."


US:
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

The US are using Intel ME backdoor to take complete control of a
computer using a built-in VNC server and shadow connections.

"Has built-in full-fledged web and VNC servers" (page 20)

So my assumption was that all these backdoors were made for the primary
targets of stealing secret keys.

Game-over. Once the private keys have been stolen, "mirage Internet".
At the state of technology, I don't want Qubes users to believe that
Qubes is secure. Qubes is INsecure.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Alexandre Belgrand
On Monday, 28 January 2019 at 13:08 -0800, goldsm...@riseup.net wrote:
> To Alexandre Belgrand
>
> I'm intrigued how you can categorically state "CAs and GNU/Linux
> distributions are #1 targets for national
> intelligence agencies". This is classified information and therefore
> only available to a "Spook". Otherwise, it's entered the public
> domain via say a whistle blower like Ed Snowden. If that's how you
> came upon it, please state the source and location.

I am not a whistle blower, but I believe that all CAs and GNU/Linux
distributions are primary targets for Intelligence agencies. This is
not secret, this is why I am writing it, sitting behind my real IP. 

You will find this information on Internet. Look for the recent
problems with China for example.

Stealing root certificates allows Intelligence agencies to set up a mirage
Internet: i.e. decrypt SSL/crypted content and present modified
content to the user and make man-in-the-middle attack.

Think about Debian private keys. The keys are stored on a server in a
datacenter, not even on smartcards. What can stop a remote attacker
with a remote console (either directly or using Intel ME) from stealing
the keys and then breaking password using a keylogger in Intel ME.
Answer : nothing can stop a local government from doing so.

Think about SSL X509 certificates. To deliver encrypted content, the
private key has to be on the server. You only need serial console
access to steal the private key. 

The only solution is to compile the same bytecode and verify hashes
online, but Debian is lagging behind important patches, because they
don't understand what already happened.





Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Alexandre Belgrand
On Monday, 28 January 2019 at 16:47 +0100, qubes-...@tutanota.com wrote:
> What do you yourself use?

Hope I can answer too. 

I use an X230 with Intel ME disabled from BIOS. It costs about 160€ on
the second hand market and it has pretty decent hardware. Lenovo claims
that Intel ME can be disabled, but Intel ME is still running and may
accept remote shadow connections given a signed certificate from Intel.

This is why I am only reading the mailing list and not using Qubes. At
present, I consider Qubes as an interesting development, but not
reaching its goals because dom0 can be penetrated using Intel ME.

I am quite amused by tails sending an update command on each boot. You
can be sure to light red light in a control center and be penetrated
within seconds if need be. Remember that governments have control of
most outgoing nodes. So neither do I use Tor.

You just can't simply store valuable documents on a computer when
connected to a network. Companies that care about security should have
a complete process to manage workstations and internal networks,
without access to the Internet. We are back to ancient times.

Kind regards,
Alexandre Belgrand



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread goldsmith
On 2019-01-27 14:33, Alexandre Belgrand wrote:
> On Sunday, 27 January 2019 at 13:11 +, Holger Levsen wrote:
>> I *believe* they probably misunderstood evil32.com and its fallout.
> 
> CAs and GNU/Linux distributions are #1 targets for national
> intelligence agencies.
> 
> Debian developers are not using smartcards to store their GPG keys,
> including the master key signing code. It is very likely that Debian
> master key has been stolen. I would be very surprised if it had not
> been stolen.
> 
> One reason why nobody wants to use SSL, including OpenBSD, is that
> there is a wide belief that SSL private keys have been stolen.
> Therefore there is no need to use SSL, as it does not offer a real
> protection.
> 
> This is simply GAME OVER (part 1 of the game).
> 
> One reason why I am not using Qubes, is that it does not offer a real
> protection compared to Debian, as both systems are IMHO compromised.
> 
> At present, any government with a valid certificate from Intel can use
> Intel ME backdoor to access all resources from a computer, including
> keyboard and screen and there is no way to secure an X86 computer.
> 
> If Qubes was making a wide use of Smartcards with a separate pinpad
> reader and was using a hardened operating system like OpenBSD or even a
> hardened GNU/Linux, I would have a closer look at it.

To Alexandre Belgrand   


I'm intrigued how you can categorically state "CAs and GNU/Linux
distributions are #1 targets for national
intelligence agencies". This is classified information and therefore
only available to a "Spook". Otherwise, it's entered the public domain
via say a whistle blower like Ed Snowden. If that's how you came upon
it, please state the source and location. 



getting rid of ME on modern CPUs (Re: [qubes-users] QSB #46: APT update mechanism vulnerability)

2019-01-28 Thread Holger Levsen
On Mon, Jan 28, 2019 at 11:46:55AM -0600, Stuart Perkins wrote:
> Up to a certain manufacture, you can go to coreboot and lose the ME entirely. 
>  After that point, setting the HAP bit may be your best option.  We need 
> someone to reverse engineer the ME and implement enough of it in coreboot 
> to take over so the newer ones will run.

that's not enough. on modern intel cpus there's boot-guard which will
prevent booting with coreboot unless it's signed with a secret intel
key.


-- 
tschüß,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Stuart Perkins



On Mon, 28 Jan 2019 16:47:08 +0100 (CET)
 wrote:

>Jan 27, 2019, 5:04 PM by alexandre.belgr...@mailbox.org:
>
>> On Sunday, 27 January 2019 at 16:47 +, unman wrote:
>>  
>>> I'd be interested to know what system has been graced with your
>>> approval.
>>> If you believe all this, then what makes you think that national
>>> intelligence agencies haven't infiltrated *bsd, coreboot and any
>>> other
>>> system you can name. 
>>> imo Qubes does a reasonable job of providing a more secure system
>>> that's usable by ordinary users.
>>>  
>>
>> Simply no x86 system is reasonably secure.
>>  
>>> Spreading unfounded allegations is a disservice to the community.
>>>  
>
>Most of the serious users are very well aware of the IME/AMT vulnerability and 
>are addressing it continuously and publicly. See Joanna Rutkowska and her 
>talks. You are looking for a 100% solution. Big surprise is a 100% solution is 
>not existing and will never be. 
>You can of course use a libre X200 without IME and without real virtualization 
>too, having again to deal with issues of a monolithic system. 
>Tradeoff can be the X230 with more-less disabled IME with proper 
>virtualization.
>
>What do you yourself use?
>
>
>> Qubes is interesting because it is trying to answer security needs and
>> the design is nice. 
>>
>> But think about Intel ME backdoor. Imagine that any officer with a
>> signed certificate of Intel can penetrate dom0 in your computer within
>> seconds and then view your screen, move your mouse and type on your
>> keyboard. This is reality and Qubes cannot change it.
>>  
>Qubes doesn't even claim to change it. You need to address Intel same way as 
>Qubes ppl do and ask them to close the backdoor. 
>
>Are you aware that spreading of the false claims *can be* an intelligence 
>operation to undermine user's support and appreciation of the codes like 
>Debian and Qubes? From leaked materials is known that the US IAs named for 
>example Tails based on Debian as a total apocalypse for intelligence 
>collection for them, if spread. 
>
>Keep in mind, nothing is perfect. But if you have an option for a better set 
>and setting, put it up.
>
>
>
>

Up to a certain manufacture, you can go to coreboot and lose the ME entirely.  
After that point, setting the HAP bit may be your best option.  We need someone 
to reverse engineer the ME and implement enough of it in coreboot to take 
over so the newer ones will run.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread qubes-fan


Jan 27, 2019, 5:04 PM by alexandre.belgr...@mailbox.org:

> On Sunday, 27 January 2019 at 16:47 +, unman wrote:
>
>> I'd be interested to know what system has been graced with your
>> approval.
>> If you believe all this, then what makes you think that national
>> intelligence agencies haven't infiltrated *bsd, coreboot and any
>> other
>> system you can name. 
>> imo Qubes does a reasonable job of providing a more secure system
>> that's usable by ordinary users.
>>
>
> Simply no x86 system is reasonably secure.
>
>> Spreading unfounded allegations is a disservice to the community.
>>

Most of the serious users are very well aware of the IME/AMT vulnerability and 
are addressing it continuously and publicly. See Joanna Rutkowska and her 
talks. You are looking for a 100% solution. The big surprise is that a 100% 
solution does not exist and never will. 
You can of course use a libre X200 without IME and without real virtualization 
too, having again to deal with the issues of a monolithic system. 
A tradeoff can be the X230, with a more or less disabled IME and proper virtualization.

What do you yourself use?


> Qubes is interesting because it is trying to answer security needs and
> the design is nice. 
>
> But think about Intel ME backdoor. Imagine that any officer with a
> signed certificate of Intel can penetrate dom0 in your computer within
> seconds and then view your screen, move your mouse and type on your
> keyboard. This is reality and Qubes cannot change it.
>
Qubes doesn't even claim to change it. You need to address Intel the same way as 
Qubes ppl do and ask them to close the backdoor. 

Are you aware that the spreading of false claims *can be* an intelligence 
operation to undermine users' support and appreciation of code like Debian 
and Qubes? From leaked materials it is known that the US IAs named, for example, 
Tails, based on Debian, as a total apocalypse for intelligence collection for 
them, if spread. 

Keep in mind, nothing is perfect. But if you have an option for a better set 
and setting, put it up.






Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-27 Thread Alexandre Belgrand
On Sunday 27 January 2019 at 16:47 +, unman wrote:
> I'd be interested to know what system has been graced with your
> approval.
> If you believe all this, then what makes you think that national
> intelligence agencies haven't infiltrated *bsd, coreboot and any
> other
> system you can name. 
> imo Qubes does a reasonable job of providing a more secure system
> that's usable by ordinary users.

Simply no x86 system is reasonably secure.

> Spreading unfounded allegations is a disservice to the community.

Qubes is interesting because it is trying to answer security needs and
the design is nice. 

But think about Intel ME backdoor. Imagine that any officer with a
signed certificate of Intel can penetrate dom0 in your computer within
seconds and then view your screen, move your mouse and type on your
keyboard. This is reality and Qubes cannot change it.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-27 Thread unman
On Sun, Jan 27, 2019 at 03:33:11PM +0100, Alexandre Belgrand wrote:
> On Sunday 27 January 2019 at 13:11 +, Holger Levsen wrote:
> > I *believe* they probably misunderstood evil32.com and its fallout.
> 
> CAs and GNU/Linux distributions are #1 targets for national
> intelligence agencies.
> 
> Debian developers are not using smartcards to store their GPG keys,
> including the master key signing code. It is very likely that Debian
> master key has been stolen. I would be very surprised if it had not
> been stolen.
> 
> One reason why nobody wants to use SSL, including OpenBSD, is that
> there is a wide belief that SSL private keys have been stolen.
> Therefore there is no need to use SSL, as it does not offer a real
> protection.
> 
> This is simply GAME OVER (part 1 of the game).
> 
> One reason why I am not using Qubes, is that it does not offer a real
> protection compared to Debian, as both systems are IMHO compromised.
> 
> At present, any government with a valid certificate from Intel can use
> Intel ME backdoor to access all resources from a computer, including
> keyboard and screen and there is no way to secure an X86 computer.
> 
> If Qubes was making a wide use of Smartcards with a separate pinpad
> reader and was using a hardened operating system like OpenBSD or even a
> hardened GNU/Linux, I would have a closer look at it.
> 

I'd be interested to know what system has been graced with your
approval.
If you believe all this, then what makes you think that national
intelligence agencies haven't infiltrated *bsd, coreboot and any other
system you can name. 
imo Qubes does a reasonable job of providing a more secure system
that's usable by ordinary users.
Spreading unfounded allegations is a disservice to the community.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-27 Thread Alexandre Belgrand
On Sunday 27 January 2019 at 13:11 +, Holger Levsen wrote:
> I *believe* they probably misunderstood evil32.com and its fallout.

CAs and GNU/Linux distributions are #1 targets for national
intelligence agencies.

Debian developers are not using smartcards to store their GPG keys,
including the master key signing code. It is very likely that Debian
master key has been stolen. I would be very surprised if it had not
been stolen.

One reason why nobody wants to use SSL, including OpenBSD, is that
there is a wide belief that SSL private keys have been stolen.
Therefore there is no need to use SSL, as it does not offer a real
protection.

This is simply GAME OVER (part 1 of the game).

One reason why I am not using Qubes, is that it does not offer a real
protection compared to Debian, as both systems are IMHO compromised.

At present, any government with a valid certificate from Intel can use
Intel ME backdoor to access all resources from a computer, including
keyboard and screen and there is no way to secure an X86 computer.

If Qubes was making a wide use of Smartcards with a separate pinpad
reader and was using a hardened operating system like OpenBSD or even a
hardened GNU/Linux, I would have a closer look at it.




Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-27 Thread unman
On Sun, Jan 27, 2019 at 01:11:37PM +, Holger Levsen wrote:
> On Sun, Jan 27, 2019 at 12:54:26AM +, unman wrote:
> > > Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen
> > Do you have *any* evidence for this claim?
> 
> I *believe* they probably misunderstood evil32.com and its fallout.
> 
> 
> -- 
> tschüß,
>   Holger
> 
> ---
>holger@(debian|reproducible-builds|layer-acht).org
>PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
> 

Do you think so? That doesn't seem to be what they are claiming.
Alexandre, what was it you meant?

The problem is that I *already* see this sort of claim spreading - see
another posting by John Redcap - and eventually there'll be a group of
users convinced that all signing keys have been stolen.
It's very difficult to stop a canard like this.
Unless, of course, Alexandre has some evidence?



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-27 Thread Holger Levsen
On Sun, Jan 27, 2019 at 12:54:26AM +, unman wrote:
> > Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen
> Do you have *any* evidence for this claim?

I *believe* they probably misunderstood evil32.com and its fallout.


-- 
tschüß,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-26 Thread unman
On Sat, Jan 26, 2019 at 11:42:27AM +0100, Alexandre Belgrand wrote:
> On Wednesday 23 January 2019 at 18:05 +0100, Marek Marczykowski-Górecki
> wrote:
> > We have just published Qubes Security Bulletin (QSB) #46:
> > APT update mechanism vulnerability.
> 
> Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen
> and injection may occur during apt-get install/update using man-in-the-
> middle attack, at least in some countries. Unless packages are compiled
> with reproducible builds and fingerprints are available online, there
> is no way to avoid such an attack.

What a great start to the week.
Do you have *any* evidence for this claim?



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-26 Thread Chris Laprise

On 01/26/2019 05:42 AM, Alexandre Belgrand wrote:
> On Wednesday 23 January 2019 at 18:05 +0100, Marek Marczykowski-Górecki
> wrote:
> > We have just published Qubes Security Bulletin (QSB) #46:
> > APT update mechanism vulnerability.
>
> Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen
> and injection may occur during apt-get install/update using man-in-the-
> middle attack, at least in some countries. Unless packages are compiled
> with reproducible builds and fingerprints are available online, there
> is no way to avoid such an attack.


WAT?

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-26 Thread Alexandre Belgrand
On Wednesday 23 January 2019 at 18:05 +0100, Marek Marczykowski-Górecki
wrote:
> We have just published Qubes Security Bulletin (QSB) #46:
> APT update mechanism vulnerability.

Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen
and injection may occur during apt-get install/update using man-in-the-
middle attack, at least in some countries. Unless packages are compiled
with reproducible builds and fingerprints are available online, there
is no way to avoid such an attack.



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-23 Thread Marek Marczykowski-Górecki

On Thu, Jan 24, 2019 at 01:10:42AM +, js...@bitmessage.ch wrote:
> Marek Marczykowski-Górecki:
> > Summary
> > 
> > 
> > The Debian Security Team has announced a security vulnerability
> > (DSA-4371-1) in the Advanced Package Tool (APT).  The vulnerability lies
> > in the way APT performs HTTP redirect handling when downloading
> > packages. Exploitation of this vulnerability could lead to privilege
> > escalation [1] inside an APT-based VM, such as a Debian or Whonix VM.
> > This bug does _not_ allow escape from any VM or enable any attacks on
> > other parts of the Qubes system. In particular, this bug does _not_
> > affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless,
> > we have decided to release this bulletin, because if a TemplateVM is
> > affected, then every VM based on that template is affected.
> 
> Hi,
> 
> Does this vulnerability apply to whonix users who download updates over tor
> from .onion repos?
> 
> My understanding is that it shouldn't, since the exit node operator or any
> other MITM doesn't even know it's apt traffic, they just see encrypted
> traffic to a hidden service.
> 
> Is this right, or am i not understanding something?

In the case of onion, a MitM attack is indeed not that easy, but someone who
takes over Debian (or Whonix) mirrors could still perform the attack.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

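
The QSB reproduced in this thread places the flaw in how APT's HTTP transport handles redirects, where fields received over the wire are not properly sanitized. The following is an added example, not part of any message in the thread and not APT's code: using a hypothetical line-oriented REDIRECT/STATUS message format and constructed inputs, it shows why a redirect target has to be checked in its percent-decoded form before it is framed.

```python
"""Added illustration (not APT code): a redirect target is validated before it
is copied into a line-oriented worker-to-parent message. The REDIRECT/STATUS
message format and all names here are hypothetical."""
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample inputs (not taken from any real mirror or advisory).
ORIGINAL_URI = "http://deb.example/pool/main/p/pkg/pkg_1.0_all.deb"
BENIGN_LOCATION = "http://mirror.example/pool/main/p/pkg/pkg_1.0%2B1_all.deb"
HOSTILE_LOCATION = ("http://mirror.example/pool/pkg.deb"
                    "%0A%0ASTATUS%0ANote: injected-by-test")


class UnsafeRedirect(ValueError):
    """Raised when a redirect target must not be forwarded."""


def has_control_chars(text):
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def validate_redirect_target(location):
    """Return the still-encoded target if it is safe to frame, else raise."""
    decoded = unquote(location)
    # Check the raw and the percent-decoded form: "%0A" is harmless as text
    # but becomes a line break once a later stage decodes it.
    if has_control_chars(location) or has_control_chars(decoded):
        raise UnsafeRedirect("control character in redirect target")
    parts = urlsplit(location)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise UnsafeRedirect("redirect must be an absolute http(s) URL")
    return location  # forward the encoded form, never the decoded one


def build_redirect_unsafe(original_uri, location):
    """Flawed shape: the decoded header value goes straight into the frame."""
    return f"REDIRECT\nURI: {original_uri}\nNew-URI: {unquote(location)}\n\n"


def build_redirect_checked(original_uri, location):
    """Hardened shape: the target is validated, then framed still encoded."""
    target = validate_redirect_target(location)
    return f"REDIRECT\nURI: {original_uri}\nNew-URI: {target}\n\n"


def parse_messages(stream):
    """Parent side: a blank line ends a message, the first line is its type."""
    messages = []
    for block in stream.split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln]
        if not lines:
            continue
        fields = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
        messages.append({"type": lines[0], **fields})
    return messages


def demo():
    """Return (types seen by the parent via the flawed builder,
    whether the checked builder rejected the hostile target,
    types seen for a benign redirect through the checked builder)."""
    forged = parse_messages(build_redirect_unsafe(ORIGINAL_URI, HOSTILE_LOCATION))
    try:
        build_redirect_checked(ORIGINAL_URI, HOSTILE_LOCATION)
        rejected = False
    except UnsafeRedirect:
        rejected = True
    clean = parse_messages(build_redirect_checked(ORIGINAL_URI, BENIGN_LOCATION))
    return [m["type"] for m in forged], rejected, [m["type"] for m in clean]


if __name__ == "__main__":
    print(demo())
```

With the flawed builder the parent sees two messages where the worker meant to send one; the checked builder refuses the same input and passes the benign redirect through unchanged.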


Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-23 Thread jsnow

Marek Marczykowski-Górecki:
> Summary
>
> The Debian Security Team has announced a security vulnerability
> (DSA-4371-1) in the Advanced Package Tool (APT).  The vulnerability lies
> in the way APT performs HTTP redirect handling when downloading
> packages. Exploitation of this vulnerability could lead to privilege
> escalation [1] inside an APT-based VM, such as a Debian or Whonix VM.
> This bug does _not_ allow escape from any VM or enable any attacks on
> other parts of the Qubes system. In particular, this bug does _not_
> affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless,
> we have decided to release this bulletin, because if a TemplateVM is
> affected, then every VM based on that template is affected.

Hi,

Does this vulnerability apply to whonix users who download updates over 
tor from .onion repos?

My understanding is that it shouldn't, since the exit node operator or 
any other MITM doesn't even know it's apt traffic, they just see 
encrypted traffic to a hidden service.

Is this right, or am i not understanding something?

--
Jackie



[qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-23 Thread Marek Marczykowski-Górecki

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #46:
APT update mechanism vulnerability.
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB #46 in the qubes-secpack:



Learn about the qubes-secpack, including how to obtain, verify, and read it:



View all past QSBs:



```


 ---===[ Qubes Security Bulletin #46 ]===---

 2019-01-23

APT update mechanism vulnerability


Summary
=======

The Debian Security Team has announced a security vulnerability
(DSA-4371-1) in the Advanced Package Tool (APT).  The vulnerability lies
in the way APT performs HTTP redirect handling when downloading
packages. Exploitation of this vulnerability could lead to privilege
escalation [1] inside an APT-based VM, such as a Debian or Whonix VM.
This bug does _not_ allow escape from any VM or enable any attacks on
other parts of the Qubes system. In particular, this bug does _not_
affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless,
we have decided to release this bulletin, because if a TemplateVM is
affected, then every VM based on that template is affected.


Description
===========

As described in [1]:

| Max Justicz discovered a vulnerability in APT, the high level package
| manager.  The code handling HTTP redirects in the HTTP transport
| method doesn't properly sanitize fields transmitted over the wire.
| This vulnerability could be used by an attacker located as a
| man-in-the-middle between APT and a mirror to inject malicious content
| in the HTTP connection. This content could then be recognized as a
| valid package by APT and used later for code execution with root
| privileges on the target machine.


Impact
======

Users who use Debian or Whonix VMs are affected. Users who use only
Fedora VMs are not affected.  Although we do not provide any other
official or community APT-based templates, any other APT-based VMs that
users have installed on their own should also be assumed to be affected.


Discussion
==========

Normally, we do not release Qubes Security Bulletins (QSBs) to address
vulnerabilities that only affect VMs internally without affecting the
rest of the Qubes system, i.e. vulnerabilities that do not undermine the
Qubes security model.

For example, we do not release QSBs to address bugs in Firefox or Linux
kernel USB stacks, because Qubes OS was designed under the primary
assumption that in a typical desktop OS there will be countless such
bugs and that humankind will never be able to patch all of them promptly
(at least not as quickly as developers introduce new bugs). This is, in
fact, the very reason we designed Qubes OS as an implementation of the
security-by-compartmentalization approach.

The APT update bug discussed today is, however, somewhat special.
While it is indeed a bug that only affects VMs internally, it could
allow an attacker to compromise TemplateVMs, which are used as a basis
for creating other VMs, such as AppVMs and ServiceVMs. If a TemplateVM
is compromised, then all the VMs based on that TemplateVM will be
compromised. Since AppVMs operate directly on user data, and since
ServiceVMs can be critical to user privacy (especially in the case of
Whonix and VPN ProxyVMs), this is a serious matter.

In Qubes OS, we take special precautions to make TemplateVMs difficult
to compromise. For example, we block all network connections to and from
templates, with one exception: We allow templates to connect to the
so-called "Update Proxy" (which runs in the NetVM). This allows the
TemplateVM to retrieve updates while protecting users from accidentally
using TemplateVMs to perform risky activities, such as browsing the web.

Since the bug under discussion has the potential to subvert this very
protection mechanism, we've decided to issue this QSB.

We would like to point out, however, that Qubes OS does a good job of
mitigating this kind of a vulnerability. Instead of having to reinstall
the whole operating system from scratch, Qubes users may need only to
reinstall the affected template(s).

If users are concerned that potential attackers may have compromised not
only the root filesystem of the template, but also attempted to infect
user files in AppVM filesystems (e.g. ~/.bashrc or a Web browser profile
directory), Qubes allows for mounting each of the suspected AppVM
private images into a different, trusted VM, based on a trusted
template, for "offline" analysis and cleanup, allowing users to preserve
their data.


Patching
========

If you are a Qubes user, you should remove all APT-based (including
Debian and Whonix) TemplateVMs and StandaloneVMs, then install fresh