Advantage of connecting through a mobile router in public?


Gaiko Kyofusho

Jan 31, 2017, 10:47:53 PM
to qubes...@googlegroups.com
I keep reading examples where people are using something like mobile routers between their phone/computer and public wifi spots, example like the blackholecloud device or apparently Mike Perry of the tor project told arstechnica that "He suggests leaving the prototype in airplane mode and connecting to the Internet through a second, less-trusted phone, or a cheap Wi-Fi cell router."

Are Qubes separate firewall and net (and whonix gw) VMs serving the same purpose? If not how is what blackholecloud and what MP are doing improving their priv/sec?

Chris Laprise

Feb 1, 2017, 12:13:57 AM
to Gaiko Kyofusho, qubes...@googlegroups.com
On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:
> I keep reading examples where people are using something like mobile
> routers between their phone/computer and public wifi spots, example
> like the blackholecloud <https://blackholecloud.com/> device or
> apparently Mike Perry of the tor project told arstechnica
> <https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/> that
> "He suggests leaving the prototype in airplane mode and connecting to
> the Internet through a second, less-trusted phone, or a cheap Wi-Fi
> cell router."

This is pretty dubious advice. What is to stop an attacker from breaking
into the mobile router and using that as an attack platform to break
into your main device? A few minutes...?

>
> Are Qubes separate firewall and net (and whonix gw) VMs serving the
> same purpose? If not how is what blackholecloud and what MP are doing
> improving their priv/sec?

Basically, yes. But the NIC is isolated in sys-net and there is no where
else (internally) for anti-NIC attacks to go (except to other machines
on the LAN).


Chris

Franz

Feb 1, 2017, 1:16:29 AM
to Chris Laprise, Gaiko Kyofusho, qubes...@googlegroups.com
On Wed, Feb 1, 2017 at 2:13 AM, Chris Laprise <tas...@openmailbox.org> wrote:
> On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:
>> I keep reading examples where people are using something like mobile routers between their phone/computer and public wifi spots, example like the blackholecloud <https://blackholecloud.com/> device or apparently Mike Perry of the tor project told arstechnica <https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/> that "He suggests leaving the prototype in airplane mode and connecting to the Internet through a second, less-trusted phone, or a cheap Wi-Fi cell router."
>
> This is pretty dubious advice. What is to stop an attacker from breaking into the mobile router and using that as an attack platform to break into your main device? A few minutes...?

But doesn't a firewall add some additional security? Otherwise which is the purpose of having a firewall?

>> Are Qubes separate firewall and net (and whonix gw) VMs serving the same purpose? If not how is what blackholecloud and what MP are doing improving their priv/sec?
>
> Basically, yes. But the NIC is isolated in sys-net and there is no where else (internally) for anti-NIC attacks to go (except to other machines on the LAN).
>
> Chris



Michael Carbone

Feb 1, 2017, 7:48:06 AM
to qubes...@googlegroups.com
Franz:
> On Wed, Feb 1, 2017 at 2:13 AM, Chris Laprise <tas...@openmailbox.org>
> wrote:
>
>> On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:
>>
>>> I keep reading examples where people are using something like mobile
>>> routers between their phone/computer and public wifi spots, example like
>>> the blackholecloud <https://blackholecloud.com/> device or apparently
>>> Mike Perry of the tor project told arstechnica
>>> <https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/>
>>> that "He suggests leaving the
>>> prototype in airplane mode and connecting to the Internet through a second,
>>> less-trusted phone, or a cheap Wi-Fi cell router."
>>>
>>
>> This is pretty dubious advice. What is to stop an attacker from breaking
>> into the mobile router and using that as an attack platform to break into
>> your main device? A few minutes...?

The point of Mike Perry's strategy is to (1) protect against baseband
access/tracking by only using a phone's WiFi and to (2) protect against
the current poor situation of firewalling in Android to *protect against
non-Tor identity leaks*.

It seems pretty orthogonal to what you want to discuss with this thread
- using mobile routers as a firewall for non-phone devices (Qubes)
against active attackers.

--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4


Gaiko Kyofusho

Feb 1, 2017, 10:20:46 AM
to qubes-users, mic...@qubes-os.org
On Wednesday, February 1, 2017 at 7:48:06 AM UTC-5, Michael Carbone wrote:
> Franz:
> > On Wed, Feb 1, 2017 at 2:13 AM, Chris Laprise
> > wrote:
> >
> >> On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:
> >>
> >>> I keep reading examples where people are using something like mobile
> >>> routers between their phone/computer and public wifi spots, example like
> >>> the blackholecloud <https://blackholecloud.com/> device or apparently
> >>> Mike Perry of the tor project told arstechnica
> >>> <https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/>
> >>> that "He suggests leaving the
> >>> prototype in airplane mode and connecting to the Internet through a second,
> >>> less-trusted phone, or a cheap Wi-Fi cell router."
> >>>
> >>
> >> This is pretty dubious advice. What is to stop an attacker from breaking
> >> into the mobile router and using that as an attack platform to break into
> >> your main device? A few minutes...?
>
> The point of Mike Perry's strategy is to (1) protect against baseband
> access/tracking by only using a phone's WiFi and to (2) protect against
> the current poor situation of firewalling in Android to *protect against
> non-Tor identity leaks*.
>
> It seems pretty orthogonal to what you want to discuss with this thread
> - using mobile routers as a firewall for non-phone devices (Qubes)
> against active attackers.

Sorry yes, mentioning MP's use of a phone here was perhaps a bit tangential but as he seems to be a fairly well respected sec/priv person and uses an external/mobile router (a model that I thought could be applied to my Qubes opsec usage if it was applicable/made-sense) I thought I'd ask.

Anyway, according to Chris it seems that it's a bit moot as I think he confirmed that Qubes separate firewall and net VMs kind of serve the same purpose?

Chris Laprise

Feb 1, 2017, 12:35:56 PM
to Franz, Gaiko Kyofusho, qubes...@googlegroups.com
On 02/01/2017 01:16 AM, Franz wrote:
> On Wed, Feb 1, 2017 at 2:13 AM, Chris Laprise <tas...@openmailbox.org> wrote:
>
>> On 01/31/2017 10:47 PM, Gaiko Kyofusho wrote:
>>
>>> I keep reading examples where people are using something like
>>> mobile routers between their phone/computer and public wifi
>>> spots, example like the blackholecloud
>>> <https://blackholecloud.com/> device or apparently Mike Perry
>>> of the tor project told arstechnica
>>> <https://arstechnica.com/security/2016/11/tor-phone-prototype-google-hostility-android-open-source/> that
>>> "He suggests leaving the prototype in airplane mode and
>>> connecting to the Internet through a second, less-trusted
>>> phone, or a cheap Wi-Fi cell router."
>>
>> This is pretty dubious advice. What is to stop an attacker from
>> breaking into the mobile router and using that as an attack
>> platform to break into your main device? A few minutes...?
>
> But doesn't a firewall add some additional security? Otherwise which
> is the purpose of having a firewall?

A layer 3 service cannot protect you against a layer 2 attack.

Now, if we're going to pretend that NIC-DMA attacks are not a part of
the threat model, then we can just run a regular OS instead of Qubes.

Router firewalls were a "good" option in 2002, and the word "firewall"
itself is powerful and insists we place trust in it. But it was folly to
place trust in network infrastructure in the first place and now
router-firewalls are popular targets. They contain NICs with imperfect
and obscure hardware and firmware.

Chris

Chris Laprise

Feb 1, 2017, 2:10:34 PM
to Franz, Gaiko Kyofusho, qubes...@googlegroups.com
I forgot to mention an important point: Qubes firewall is the one you
really want to use for protection. It will maintain its integrity where
external firewalls cannot.

So I'm thinking that, regarding the article, I'd rather just not use a
"Tor phone" at all, at least not until it can protect itself the way
Qubes can.

Chris

Franz

Feb 1, 2017, 2:59:04 PM
to Chris Laprise, Gaiko Kyofusho, qubes...@googlegroups.com
Thanks Chris. Would you think the same of openwrt firmware?  Qubes firewall architecture is obviously the way to go. But phones, netbooks etc cannot afford Qubes. While they would deserve some sort of perhaps minor protection.
Best
Fran


Chris Laprise

Feb 2, 2017, 6:51:19 PM
to Franz, Gaiko Kyofusho, qubes...@googlegroups.com
I have installed Openwrt myself. It doesn't have better architecture,
but it's open and security updates are more readily available. Beyond
that, I haven't thought about better routers in years because I've seen
no sign of a breakthrough in architecture, and I've also become more
mindful of the maxim that net infrastructure shouldn't be trusted.
Endpoint security is the one truly good type of security practice, and
Qubes is like the "fine point" on the endpoint. :)

Papers are starting to circulate that call for or describe better
security architecture for IoT, including Qubes' approach of isolating
NICs and such. To me, IoT is very similar to (if not the same as) net
infrastructure, but in smaller packages. The attention gives me reason
to hope that even tablets and phones will significantly improve.

But for now, we should remind ourselves that smartphones have one main
design goal over other devices: Ultra-convenience. We shouldn't
automatically assume they are appropriate for whatever use case, and I
find it a little disturbing that the Tor Project's interest in hardware
has gone in this direction. But the odd thing about such projects is they
have a history of catering to mostly Windows users and absorb some of
the blindness that platform engenders.

Chris

Tim W

Feb 3, 2017, 12:07:28 AM
to qubes-users, 169...@gmail.com, gaikokuji...@gmail.com, tas...@openmailbox.org

Quote from Chris:

"I find it a little disturbing that the Tor Project's interest in hardware
has gone in this direction. But the odd thing about such projects is they
have a history of catering to mostly Windows users and absorb some of
the blindness that platform engenders."

You might want to consider where the majority of the funding for many of the most popular privacy and anonymity software comes from... US Gov. This includes Tor. The same gov that allows NSA surveillance of its own citizens and breaking encryption and security schemes within its own countries. Yet we are then supposed to trust its other division NIST that gives us recommendations for infosec. The same NIST that had culpability in the RSA fiasco.

Sorry but IMHO you cannot stick your hand into a pile of doo and then claim none of the stink has stuck to you. When one of, if not your largest granter is a US Gov agency, what well reasoned person in this day and age, knowing what we know from all the spilled intel docs, would not expect them to have influence of some level over that project it funds??? This is basically the line all of these nonprofit software projects are trying to sell us on. First be the opposite of transparent and never under your own volition admit you were taking US Gov funds. Then once found out via FOIA requests claim taking millions from what you publicly claim is one of your major adversaries has in no way affected or compromised that supposed goal?!? Who here would believe that if say a politician claimed a company that sunk millions to get them elected would not have undue influence on the actions of said official? Seriously!?!?! There is no difference. Same same

It happens all the time in scientific research. It's one of the primary reasons the first thing seasoned research reviewers do is go right to the funding page to see who funded the research so they can assess the possible type and level of bias and influence that has been introduced.

A Brief History of the Broadcasting Board of Governors : https://pando.com/2015/03/01/internet-privacy-funded-by-spooks-a-brief-history-of-the-bbg/

Article linking the same about TOR with supportive links: https://pando.com/2014/12/26/if-you-still-trust-tor-to-keep-you-safe-youre-out-of-your-damn-mind/


Yrs ago I started only using tor with VPNs as both an inner and outer layer + some other opsec protocols as from what I could see Tor itself could not be trusted to keep your ID secure. I have some hope for GNUnet to keep maturing to the point where it becomes a replacement or at least Tor can run inside it. Jury is still out though.

BTW does anyone find it interesting that every app Snowden recommended using in his multiple interviews are all funded by OTF (Open Technology Fund) which is a fund of Free Asia Radio which is subsidiary of BBG (Broadcasting Board of Governors) which is a USA quasi agency that gets annual Congressional Budget funding of 3/4 of a billion. All of this coming as a spin off of the CIA Cold war psyops American propaganda campaign i.e freedom radio Free Asia, Free Europe, Free etc... So all those companies from Whisper, TOR, Signal, etc

According to FOIA releases from what I have read in articles Tor has received around $5 million over the last 9-10 yrs from BBG and its subsidiary FAR/ OTF. It makes you wonder what 5 million dollars buys you in a nonprofit anonymity and privacy software project does it not?

IMO US gov wants everyone to be able to have privacy and anonymity from everyone EXCEPT itself and maybe, just maybe, its closest allies. So sure it wants these software apps and projects to be good but it also wants to know it has control and can see in. Loss of control= freedom and no government today will ever knowingly allow that.

I was taught to always follow the money to know what you are really dealing with.

Franz

Feb 3, 2017, 6:48:53 PM
to Tim W, qubes-users, Gaiko Kyofusho, Chris Laprise
Really interesting Tim. I am impressed. On the other hand my personal experience tells that these large bodies,  in this case those that financed, are far from monolithic focused dedicated effective entities, rather are home of conflicting groups fighting for power. So this may give space for contradictory results or simply results that are not efficient to obtain the anti-freedom main aim of the state. This is not really surprising because there is nothing the state is able to do efficiently and the anti-freedom project may be no exception.
Best
Fran