Re: [qubes-users] Does Qubes OS Has A Leak Hole ?

2016-07-11 Thread Andrew David Wong

On 2016-07-11 00:24, Drew White wrote:
> On Monday, 11 July 2016 00:10:10 UTC+10, Andrew David Wong wrote:
>>> https://www.deepdotweb.com/2016/03/12/does-qube-os-has-a-leak-hole/
>>> Has some Qubes dev contacted these guys?
>>> 
>>> 
>> 
>> I doubt it. It would be a supreme waste of our developers' time 
>> to contact this author.
> 
> If the author knew English, would it be worth 1 second to consider
> saying maybe and then say no?
> 

The main issue is not whether the author knows English (though that's
important if you're going to publish articles in English for an
English-reading audience, IMHO). Rather, it's that the author
evidently hasn't done any due diligence to check whether the things he
or she is writing have any basis in fact (or even make any sense at
all). Instead, it looks like the author just skimmed our website and
the arch spec doc, made a bunch of unfounded assumptions, then wrote
the article. If the author isn't going to take the time and effort to
look into Qubes a bit more before writing about it, why should our
developers take time away from their work to contact him or her?

Also, remember that we have little (and, in some cases, no) control
over what other people publish about Qubes in independent publications
and on various websites. Responsible journalists typically contact us
before writing a story about us. I think it would be a fool's errand
for us to try to contact every author of every article about Qubes
that contains a factual error (even egregious ones) without carefully
considering the importance (based on things like the reputation of the
publication and the breadth of its readership) and the opportunity
cost of doing so.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/67cf58dc-5b03-6ef2-854a-94507c49887f%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Does Qubes OS Has A Leak Hole ?

2016-07-10 Thread Andrew David Wong

On 2016-07-10 06:51, donoban wrote:
> Very fun read: 
> https://www.deepdotweb.com/2016/03/12/does-qube-os-has-a-leak-hole/
>
> Some parts:
> 
> "According to technical documentation concerning Qubes structure, 
> domains are separated from each other  via encryption . Like the
> Dom0, the storage domain is literally protected from other domains
> via encryption to prevent viruses in other domains [ such as
> Network Vm ] from penetrating into each other."
> 

No.

> "Seemingly, Qubes OS depends on a backup system to prevent huge
> mass of data.  In default, the backup system relies on weak key
> derivation scheme . So it is recommended that users select a
> high-entropy passphrase for use with Qubes backups  ."
> 

This appears to be taken directly from what I wrote at the top of this
page:

https://www.qubes-os.org/doc/backup-restore/

> 
> "Qubes allows users not to ‘send’ or ‘transport’ but to copy and
> paste files and folders . Let’s assume users download a file or a
> program from a ‘phished’ website ( designated as an https website
> ) unknowingly . Later, the file or program downloaded from the
> phished website is copied from the App Vm to the Storage Vm.
> 
> The storage Vm is encrypted from the Network Vm to prevent
> replication of malwares ( i.e virus ) .  Can the encryption method
> employed to prevent malicious software in the programs or folders
> on the App Vm from attaching itself to the Storage Vm ?"
> 

Nonsense.

> Has some Qubes dev contacted these guys?
> 

I doubt it. It would be a supreme waste of our developers' time to
contact this author.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
