[unofficial] Qubes security advisory
106 views
Skip to first unread message
J.M. Porup
Oct 25, 2020, 10:24:45 PM10/25/20
to qubes...@googlegroups.com
#This email represents my analysis of the events of the last few weeks.
#It does not reflect the views of the Qubes Project or Qubes developers
#in any way.
My Qubes laptop got hacked by Five Eyes because they thought I was a
terrorist, when in fact I was only making clown videos.
That is surely one of the strangest sentences I have ever had to write,
so let me establish my bona fides. I'm a cybersecurity reporter [0],
and have covered cybersecurity and national security since 2013. I have
a masters degree in cybersecurity from Berkeley, and am currently working
on my OSCP. I've been using Qubes as my daily laptop since 2014. I'm not
a Qubes developer, but I would consider myself an advanced user.
I'm also a clown. (I gave a talk at Hackers on Planet Earth this year
called "Cybersecurity and Clown" [1]). In fact, when Covid hit I was in
France studying clown with Philippe Gaulier, the same clown master who
trained Sacha Baron Cohen. I'm a standup comedian and comic actor as well.
So when I made these incredibly silly clown videos [2], I didn't expect to find
myself under intense physical surveillance for several weeks. I mean, intense.
I've been under physical surveillance before for national security reporting
I've done (like this article [3]), but this was the closest I've ever seen the
security services here in Canada swing their elbows.
Knowing that physical surveillance is always accompanied by electronic
surveillance, I kept an eye on my devices. My phone got popped first. Zero-click
iPhone RCE. Two missed calls from a non-existent number right when the physical
surveillance started.
But would they risk a Qubes 0-day to go after me--for being a literal fscking clown?
They did, and per their new "flyswatter policy" left a JTRIG-style goodbye
present when they finally realized I'm just a journalist, and a clown.
One morning last week, I launched a disposable Debian 10 template with my preset
defaults of no netvm and a blank page preset--but instead a default page of
"https://www.youtube.com/" appeared. It only happened once, but it was enough.
Does this rise to the standard of journalist proof I'm accustomed to? Of course
not. Would I risk my reputation by writing this email to the qubes-users list
if I was not confident in my assessment? What do you think?
So why am I writing this message? First, and most importantly, there is clearly
a great Qubes 0-day floating around that needs to be found and squashed. But also,
if Five Eyes are prepared to risk a Qubes 0-day on a clown, who would they *not*
risk it on? There must be dozens, if not hundreds, of active Qubes implants out
there right now.
And this email is meant to burn those implants and make them go dark. If you have
Five Eyes in your threat model, then you need to assume compromise and do whatever
you need to do. Now.
Does this mean I'm going to stop using Qubes? No. Of course not. Qubes is still
our best hope for a reasonably secure laptop. Nothing I've said in this email
changes that big picture analysis.
kind regards,
jmp
p.s. And yo, guys? Cause I know you're reading this. Next time you decide to
dishonor your oath to protect the Constitution, you might read the First
Amendment first.
[0] https://www.jmporup.com/
[1] https://www.youtube.com/watch?v=fiaZaPwvz54
[2] https://www.youtube.com/playlist?list=PLmE_cQ9Hok0nv7RxYZ_xMJtZb216uvdxi
[3] https://arstechnica.com/information-technology/2016/02/the-nsas-skynet-program-may-be-killing-thousands-of-innocent-people/
--
J.M. Porup
www.JMPorup.com
#It does not reflect the views of the Qubes Project or Qubes developers
#in any way.
My Qubes laptop got hacked by Five Eyes because they thought I was a
terrorist, when in fact I was only making clown videos.
That is surely one of the strangest sentences I have ever had to write,
so let me establish my bona fides. I'm a cybersecurity reporter [0],
and have covered cybersecurity and national security since 2013. I have
a masters degree in cybersecurity from Berkeley, and am currently working
on my OSCP. I've been using Qubes as my daily laptop since 2014. I'm not
a Qubes developer, but I would consider myself an advanced user.
I'm also a clown. (I gave a talk at Hackers on Planet Earth this year
called "Cybersecurity and Clown" [1]). In fact, when Covid hit I was in
France studying clown with Philippe Gaulier, the same clown master who
trained Sacha Baron Cohen. I'm a standup comedian and comic actor as well.
So when I made these incredibly silly clown videos [2], I didn't expect to find
myself under intense physical surveillance for several weeks. I mean, intense.
I've been under physical surveillance before for national security reporting
I've done (like this article [3]), but this was the closest I've ever seen the
security services here in Canada swing their elbows.
Knowing that physical surveillance is always accompanied by electronic
surveillance, I kept an eye on my devices. My phone got popped first. Zero-click
iPhone RCE. Two missed calls from a non-existent number right when the physical
surveillance started.
But would they risk a Qubes 0-day to go after me--for being a literal fscking clown?
They did, and per their new "flyswatter policy" left a JTRIG-style goodbye
present when they finally realized I'm just a journalist, and a clown.
One morning last week, I launched a disposable Debian 10 template with my preset
defaults of no netvm and a blank page preset--but instead a default page of
"https://www.youtube.com/" appeared. It only happened once, but it was enough.
Does this rise to the standard of journalist proof I'm accustomed to? Of course
not. Would I risk my reputation by writing this email to the qubes-users list
if I was not confident in my assessment? What do you think?
So why am I writing this message? First, and most importantly, there is clearly
a great Qubes 0-day floating around that needs to be found and squashed. But also,
if Five Eyes are prepared to risk a Qubes 0-day on a clown, who would they *not*
risk it on? There must be dozens, if not hundreds, of active Qubes implants out
there right now.
And this email is meant to burn those implants and make them go dark. If you have
Five Eyes in your threat model, then you need to assume compromise and do whatever
you need to do. Now.
Does this mean I'm going to stop using Qubes? No. Of course not. Qubes is still
our best hope for a reasonably secure laptop. Nothing I've said in this email
changes that big picture analysis.
kind regards,
jmp
p.s. And yo, guys? Cause I know you're reading this. Next time you decide to
dishonor your oath to protect the Constitution, you might read the First
Amendment first.
[0] https://www.jmporup.com/
[1] https://www.youtube.com/watch?v=fiaZaPwvz54
[2] https://www.youtube.com/playlist?list=PLmE_cQ9Hok0nv7RxYZ_xMJtZb216uvdxi
[3] https://arstechnica.com/information-technology/2016/02/the-nsas-skynet-program-may-be-killing-thousands-of-innocent-people/
--
J.M. Porup
www.JMPorup.com
Frédéric Pierret
Oct 26, 2020, 2:30:56 AM10/26/20
to J.M. Porup, qubes...@googlegroups.com
Le 10/26/20 à 3:24 AM, 'J.M. Porup' via qubes-users a écrit :
Sorry for what happened to you but before stating there "existing clearly a zero day" in default provided Qubes vs my "current customized Qubes seems compromised", further proof/investigation would be needed.
If from what what I read you go to this conclusion because your browser has unexpected homepage, there is so many ways for having a template compromised. I would say to be *really* careful to what to put into a template too. Here I mean mostly third party apps not coming from the underlying distribution. Don't hesitate to create scripts or using salt to recreate customized template and to reinstall template. Even better, don't hesitate to build template directly.
Best,
Frédéric
Chris Laprise
Oct 26, 2020, 4:04:53 PM10/26/20
to J.M. Porup, qubes...@googlegroups.com
On 10/25/20 10:24 PM, 'J.M. Porup' via qubes-users wrote:
> One morning last week, I launched a disposable Debian 10 template with my preset
> defaults of no netvm and a blank page preset--but instead a default page of
> "https://www.youtube.com/" appeared. It only happened once, but it was enough.
So to clarify, you launched a dispVM with no networking, and a youtube
> One morning last week, I launched a disposable Debian 10 template with my preset
> defaults of no netvm and a blank page preset--but instead a default page of
> "https://www.youtube.com/" appeared. It only happened once, but it was enough.
page was loaded and rendered on screen?
That seems highly unlikely to be an accidental input or glitch.
>
> Does this rise to the standard of journalist proof I'm accustomed to? Of course
> not. Would I risk my reputation by writing this email to the qubes-users list
> if I was not confident in my assessment? What do you think?
>
> So why am I writing this message? First, and most importantly, there is clearly
> a great Qubes 0-day floating around that needs to be found and squashed. But also,
> if Five Eyes are prepared to risk a Qubes 0-day on a clown, who would they *not*
> risk it on? There must be dozens, if not hundreds, of active Qubes implants out
> there right now.
you saved the contents of your system in that state.
However, if you're looking for plausible explanations and attack
vectors, you should look at side-channels first (I don't think
exploiting a side-channel against Qubes would count as a 0-day).
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
tetra...@danwin1210.me
Nov 5, 2020, 5:20:32 PM11/5/20
to Chris Laprise, J.M. Porup, qubes...@googlegroups.com
On Mon, Oct 26, 2020 at 04:04:30PM -0400, Chris Laprise wrote:
>On 10/25/20 10:24 PM, 'J.M. Porup' via qubes-users wrote:
>>One morning last week, I launched a disposable Debian 10 template with my preset
>>defaults of no netvm and a blank page preset--but instead a default page of
>>"https://www.youtube.com/" appeared. It only happened once, but it was enough.
>
>So to clarify, you launched a dispVM with no networking, and a youtube
>page was loaded and rendered on screen?
>
>That seems highly unlikely to be an accidental input or glitch.
No, he's saying the Firefox homepage in his Debian-10 template was
>On 10/25/20 10:24 PM, 'J.M. Porup' via qubes-users wrote:
>>One morning last week, I launched a disposable Debian 10 template with my preset
>>defaults of no netvm and a blank page preset--but instead a default page of
>>"https://www.youtube.com/" appeared. It only happened once, but it was enough.
>
>So to clarify, you launched a dispVM with no networking, and a youtube
>page was loaded and rendered on screen?
>
>That seems highly unlikely to be an accidental input or glitch.
changed from about:blank to youtube.com, leading the debian-10
template-based DispVM to launch Firefox with youtube.com as the default
page.
Ergo someone compromised his Debian-10 template and changed the Firefox
homepage... or, there was an error in the template configuration leading
to him accidentally changing the hompeage in what sounds like a
stressful situation.
J.M., assuming you are indeed correct about a major attack, most of the
major Xen vulnerabilities that threaten a Qubes full compromise involve
sys-net. Since Five Eyes may get advance notice of Xen holes, if your
machine was indeed fully rooted it could be you were hit by the PCI
vulnerability from a while back.
Due to precisely these kinds of issues, there is discussion for using
the much-harder-to-exploit OpenBSD as an operating system for the
sys-net VM:
https://github.com/QubesOS/qubes-issues/issues/5294
You may want to give it a go (after buying a new laptop, of course).
Additionally, if a sys-net based attack is indeed a concern for your
threat model, consider disabling wi-fi entirely and using an ethernet
cable, wi-fi drivers are generally terrible.
Nevertheless if you are really up against serious Five Eyes type
adversaries then it's unlikely you'll be able to keep *any* computer
secure for long and should probably buy that cabin in the Rockies you
always wanted...
Alex Smirnoff
Nov 6, 2020, 1:54:16 AM11/6/20
to qubes-users
I would make a full forensic image and then start investigating. Otherwise the evidence is very fragile.
Ulrich Windl
Nov 21, 2020, 6:46:28 PM11/21/20
to qubes...@googlegroups.com
attacked offline (breaking the LUKS encryption), or do you think it was
hacked online?
Reply all
Reply to author
Forward
0 new messages