Announcement: New community forum for Qubes OS users!

[Andrew David Wong]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Qubes community,

We're pleased to announce the launch of a new forum for Qubes OS users:

https://qubes-os.discourse.group

This is an official user forum where you can ask questions, get help,
share tips and experiences, and more! For a long time, members of our
community have sought a privacy-respecting forum experience with modern
features that traditional mailing lists do not support. The open-source
Discourse [1] platform fills this need for us, as it does for many other
open-source projects. Thanks to their generous free hosting for open
source projects [2], we're pleased to be able to create this space for
our community.


Why create a forum now?
=======================

Previously, the only option for a forum-like experience was to interact
with our mailing lists via Google Groups, but we understand all too well
that the privacy implications and user experience were unacceptable for
many members of our community, especially with the recent addition of a
sign-in requirement to view threads. Many of you value the lower barrier
to entry, organization, ease-of-use, and modern social features that
today's forums support. Moreover, Discourse features email integration
for those who still prefer the traditional mailing list format.


How is this different from our mailing lists?
=============================================

To be clear, this is *not* a replacement for our mailing lists [3] (such
as qubes-users and qubes-devel), which will continue on as they are.
This new forum is simply an *additional* place for discussion. Certain
types of discussions naturally lend themselves more to mailing lists or
to forums, and different types of users prefer different venues. We've
heard from some users who find the mailing lists to be a bit
intimidating or who may feel that their message isn't important enough
to merit creating a new email that lands in thousands of inboxes. Others
want more selective control over topic notifications. Some users simply
appreciate the ability to add a "reaction" to a message instead of
having to add an entirely new reply. Whatever your reasons, it's up to
you to decide where and how you want to join the conversation.


Will this split the community?
==============================

Many open-source projects (such as Fedora and Debian) have both mailing
lists and forums (and additional discussion venues). In fact, Qubes
already has non-mailing-list discussion venues such as IRC [4] and
Reddit [5]. We believe that this additional venue will foster the
continued growth of community participation and improve everyone's
experience. In addition, we fully expect that many community members --
especially the most active ones -- will choose to participate in both
venues. (Again, for those who still prefer interacting via email,
Discourse supports that too!)

- -----

Special thanks to Michael Carbone for spearheading the creation of this
forum and to deeplow who, as our first forum administrator, has done
much of the legwork to help get it looking good and working well!


[1] https://www.discourse.org/
[2] https://blog.discourse.org/2018/11/free-hosting-for-open-source-v2/
[3] https://www.qubes-os.org/support/
[4] https://www.qubes-os.org/support/#unofficial-chat-channels
[5] https://www.reddit.com/r/Qubes/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2020/08/20/new-community-forum-for-qubes-os-users/

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl8+sPQACgkQ203TvDlQ
MDDYTxAApehnwrpqFCoadx3Cmcu2llDOYbV5CuCjQFj7aMwGg2Gq3TWuugiXFjQ1
z6uW+asPIEvCu4XxP5K9FfVYiSF1bqLTEGomib0npapNMM1ZbULUoSU2EoACz8OS
BpYxgrcX1YyN8/3qQ2N2a3yRe+c0XBD72CJQ2sPu/U+xaTRKZgW6saI5Y/jpwxb7
WKQR0Mc9Y2vP6GRNb5ICcCNelS9fUiBJPaGQBJX7XRyAcW1y0hvF6dBZpdG70TDF
DN0ddhSbYQnv0aHjNnU5ajU81PZWpr5ZqK8ObZwlU/Br8ZznNlApf2ATk73x/5up
eMhwGqDMebJPKaIUPUEKb1FWdObKtW9TvRxhb+yybDkI4Gtfj0fIO5SfJrJ5Ud94
Vyt4TJfqyI4RmCpKfv3QXM3DnjKbjD0yAThVVnphqD9s+NIVSVi7K0LWGxLcX6TS
vCTouzWkPCrNxMylCf8M4v3V4uUJ9b8AQA3iF/v+a2tKzPveK4+mOF590918YGYE
CxwlrOKzb0Ecpl/LzdcrX+jq4j+Zj+B0evLc3ZbaTp+Bfr6gihOnocL/1YjHwGPU
6PSJ4lYHzZzZotPaaJ1tmZtSGIkK2d7mmJBPDCSG2gSMS0QL474ObfKjAvolQ9ph
ZKMhEME8YbHje+X/nyxTcgO4GAoLyuPeYuDIkjmXzD0hGYFnKYA=
=ngAL
-----END PGP SIGNATURE-----

[54th Parallel]

Thanks for acting so quickly. I'll be on Discourse as 'fiftyfourthparallel'

[54th Parallel]

On Friday, 21 August 2020 at 01:21:11 UTC+8 a...@qubes-os.org wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Qubes community,

We're pleased to announce the launch of a new forum for Qubes OS users:

https://qubes-os.discourse.group

Not sure if I'm the only one, but after working for me earlier (I replied to a question), the discourse.group link no longer works and just displays a blank page on Chrome with extensions disabled. Doesn't seem like VPN blacklisting.

[deeplow]

It's working just fine for me (also tried it in chromium version 83.0.4103.116). Does it work for you in other browsers?

[54th Parallel]

On Friday, 21 August 2020 at 23:35:05 UTC+8 deeplow wrote:

It's working just fine for me (also tried it in chromium version 83.0.4103.116). Does it work for you in other browsers?

Working fine on Firefox and Tor Browser, but not Chrome 84.0.4147 on Chrome OS (yes, I'm a dirty Google user). I did some tinkering and I misspoke earlier--uMatrix was showing everything being allowed so I said it was disabled. It turns out actually switching off uMatrix allows the site to appear, even though it should theoretically not be doing anything.

This was *not* the case earlier, hence why I was (and am) so confused.  Someone should see if they can replicate this.

[deeplow]

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

uMatrix has also trolled me quite a few times when accessing discourse instances due to all the CDN stuff. Glad it's sovled. See you there!

[Qubes]

If you configure Firefox and uMatrix properly you should see less of
these funnies creep up. Have a look at this guide,
https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs.

If that is too much for you there is also a 'for dummies' guide,
https://12bytes.org/articles/tech/firefox/the-firefox-privacy-guide-for-dummies.

The above guides are linked full of very useful information, tips and
tricks, proper configuration methodology, and plain good old advice.


I find it a bit funny that you are paranoid about some unknown adversary
tampering with your hardware in transit but you seem to use Google
products a lot.

[54th Parallel]

On Saturday, 22 August 2020 at 01:35:05 UTC+8 Qubes wrote:

If you configure Firefox and uMatrix properly you should see less of
these funnies creep up. Have a look at this guide,
https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs.

If that is too much for you there is also a 'for dummies' guide,
https://12bytes.org/articles/tech/firefox/the-firefox-privacy-guide-for-dummies.

The above guides are linked full of very useful information, tips and
tricks, proper configuration methodology, and plain good old advice.

 

I'm using Chrome, but this might come in handy for when I use Firefox. Thanks

 

I find it a bit funny that you are paranoid about some unknown adversary
tampering with your hardware in transit but you seem to use Google
products a lot.

There's a difference between privacy and security. Chrome OS provides security (near-absolute security, some might say) but obviously little privacy is to be expected.

 

[Qubes]

> There's a difference between privacy and security. Chrome OS provides
> security (near-absolute security, some might say) but obviously little
> privacy is to be expected.
>

Yes a big difference, but the two are intertwined in ways that it is
impossible to separate them. If you believe an operating system from
Google, Microsoft, Apple, or any other tech giant, provides
"near-absolute" security I think you have been wholly misguided.

[54th Parallel]

On Saturday, 22 August 2020 at 17:37:24 UTC+8 Qubes wrote:

Yes a big difference, but the two are intertwined in ways that it is
impossible to separate them. If you believe an operating system from
Google, Microsoft, Apple, or any other tech giant, provides
"near-absolute" security I think you have been wholly misguided. 

I think you're being uncharitable about my judgments. I don't want to get into an argument with you, so all I'll say is that you should probably read up more on ChromeOS. 

[Sven Semmler]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 8/22/20 5:11 AM, 54th Parallel wrote:
> I don't want to get into an argument with you, so all I'll say is
> that you should probably read up more on ChromeOS.

Here are my thoughts: security is on a spectrum, here are two extremes:

a)
- - completely offline
- - in a locked room at a secure location
- - completely shielded
- - I never leave that room

b)
- - always connected to the internet
- - running on proprietary hardware
- - software is partly or completely closed
- - data lives "in the cloud" (aka other peoples computer)

Security is also about what I want to be secure from.

a) keeps me pretty secure except from the government of the location

b) keeps (maybe) some script kiddies away if the provider knows their
stuff, but any skilled criminal / company / state actor own you in no ti
me

... which is why I have no understanding at all for all those
companies moving their stuff into office365 ... what are they thinking?

/Sven

- --
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE18ry22WNibwI1qeq2m4We49UH7YFAl9Fzl0ACgkQ2m4We49U
H7ZixRAAvXHCkPILxo/pAZbeZVa5ULpfq8+RB5nqP8JYnOWne0I8lJINK+uMpC31
h7/7I1MRaI2Y37BqjrIQrx0AMtBn9lDb59kUcDMKqpWjC+ISaVfM/m8n2mbt5hkD
CTQsex9gfesxcet/krybXZyj4GWAyjSe8AMtKbvWH7yZVEgE1ZoZD8zKHUzErz4/
xr1QnJLWbrsI3ThqgREAfw7PJhvrsV8Onr/u5lQo1V41Qup/uXvE3Kkxk/fERw7A
5fZZ/Ndw2AHhKZc+MnV6RNSjC5QJjvsyScAGpq0RqpgrACfdiCiHnOg+F06W7oFG
sIGwsaSs26rgbct9IU8UxrTsKz530BJlbp+bMMCReAfy+w88OxpafaJhPUGCjF37
emzvn1C/1ZPwz5PEDOf2p5siXu48O5a8kYS5vV48YqDDUw5bF2cj+WIq3YsfGZH8
hSE/yCYyuKb7pE+GywLU0miiF2eMfddsoIwpi0VtkIvixBUXMoFeKf9QMcFtGhnk
HEDWPNSmsb0p6bAyV0Wdr8O3R4rj7UG3m5ZTcdm8t2A1Bp0NZJhPevUMYRx2g7A5
9dX/extGXoXGEYiQipWh+rheAIF3tnN7s5RRcWYBkUPElJ/fkwooKwthIcZCnso1
1Q5R52UCk1xQDSjAhDOAudQHmvjcfqKFlCKLQDIKicpxMYaK2oI=
=7B+m
-----END PGP SIGNATURE-----

[54th Parallel]

On Wednesday, 26 August 2020 at 10:52:47 UTC+8 sv...@svensemmler.org wrote:

Here are my thoughts: security is on a spectrum, here are two extremes:

a)
- - completely offline
- - in a locked room at a secure location
- - completely shielded
- - I never leave that room

b)
- - always connected to the internet
- - running on proprietary hardware
- - software is partly or completely closed
- - data lives "in the cloud" (aka other peoples computer)

Security is also about what I want to be secure from.

a) keeps me pretty secure except from the government of the location

b) keeps (maybe) some script kiddies away if the provider knows their
stuff, but any skilled criminal / company / state actor own you in no ti
me

... which is why I have no understanding at all for all those
companies moving their stuff into office365 ... what are they thinking?

/Sven

Well, if this is a criticism of me using Chrome OS for certain tasks, may I politely suggest that you take some time to read about Chrome OS as well. The assumption that my data lives in the cloud is not necessarily true and my threat model (which is basically what your post is about) is different, but the wider point I want to make is that people jump on Chrome OS simply for being an OS by Google. 

Qubes (the user in the thread) isn't wrong when he said that privacy and security are two sides of the same coin, but, provided you're aware of the potential risks (e.g. profile-building, keystroke deanonymization, and much more), Chrome OS is cheap and sufficient enough for this particular set of low-stake needs I have. That said, I bought two new laptops just for Qubes and have sunk months into understanding it, so I'm not shilling for Chrome OS here.

Security overview for the open-source Chromium OS (Gentoo-based) which forms the base for Chrome OS:

https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview

[Sven Semmler]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 8/26/20 3:07 AM, 54th Parallel wrote:
> the wider point I want to make is that people jump on Chrome OS
> simply for being an OS by Google.

Well, that is a bit understandable. Google earns almost all their money
by selling user data / presenting advertisements. They dominate the web
and push their ideas through Chrome and Android in a way Microsoft could
have only dreamed of.

Even if the engineers working on their products have good motivations,
as a publicly traded corporation Google's goals are ultimately
maximizing "shareholder value"... which you can see by them making
compromises for suppressive states (China et al). The same is true for
any corporation including Apple.

> Chrome OS is cheap and sufficient enough for this particular set of
> low-stake needs I have.

That's perfectly fine. None of the above is a criticism of your decision
to use anything. I have a Windows 7 qube (to run some business software
in isolation) and my wife uses a Mac because that's the best compromise
(Qubes in it's current form would be too much hassle for her).

What I want to provide is an explanation why people in this forum -- who
care a lot about both security and privacy -- have a particular dislike
for surveillance capitalistic superstars like Google, Microsoft and
Facebook. The basic (lack of) trust argument can be made about all
non-open technology.

> That said, I bought two new laptops just for Qubes and have sunk
> months into understanding it, so I'm not shilling for Chrome OS
> here.

Understood. I didn't mean to imply otherwise.

/Sven

- --
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE18ry22WNibwI1qeq2m4We49UH7YFAl9Ghx8ACgkQ2m4We49U
H7bJZRAAxO3NtPCGs3SXiJsRftOEVzEWuamfhWXNqt8rcrWVA2RjI9zMyWiTbuB7
qA+JT28gWA3TLOSB/7Wo4w3i00zIn3fFNLzZsGVoudD313fcD/wGalghwsM38+0H
9agwFhSgIBSyZo4TLl8C6VyUHeIg4XeHY1ewdsbST3KV9IMI0+l2y+wkgHwSAdwx
aoszb+uLekxqRSnavDlPb/jsENW+afch1tDlSceUwpGwTmMkQw+UJXmeGg7s093r
73T3ypJBUNIjexB63gRut53xUH9s1BUG2BnPTWKIpzkYDpybxYd6cNvIvFP1jayc
daVrj2xhtZeumvPR7Yxl790yg1HFRA3nT0wsfcrLQFBPXgBghLRvPIRPJhoDhPsU
p8AxBrDLO6OCzUDFzEDejoD1VU5hmhpEjuoroEAjfj1974FHKNgtfdAaLpZlh0Nd
OIEmKshtQle1alwUD9rxT1w+dE8njzh3HFVi2z2+kLLRFAZgjLVMQNXYkIozkAud
NqfsxjeWc/51bMBnhjsKWuD1yBc7vJK03m49ZgtbfG/3eeXAYEaTnlP5+SgeM9O+
Tday1lHnzCImdrxENuFNwU7XXpDehVkiE7cxcggCD1gpTFlOSqIDh7ibO0tuJLZD
3yDJ9pFzV40ZS4O0PWx0uAVsyJZKzp2ugBZ5SRhq66yhXeZEo3E=
=ilFv
-----END PGP SIGNATURE-----

[Mark Fernandes]

On Wednesday, 26 August 2020 at 17:01:20 UTC+1 sv...@svensemmler.org wrote:

... Google earns almost all their money
by selling user data / presenting advertisements. ...

Even if the engineers working on their products have good motivations,
as a publicly traded corporation Google's goals are ultimately
maximizing "shareholder value"... which you can see by them making
compromises for suppressive states (China et al). The same is true for
any corporation including Apple.

I'm not so clued-in about the mechanics behind publicly traded corporations, but I would have thought that maximising profits (which perhaps is what you are implying) is the only goal. Some businesses can sacrifice profits for a certain set of ethics...

 

> Chrome OS is cheap and sufficient enough for this particular set of
> low-stake needs I have.

That's perfectly fine. ...

 

What I want to provide is an explanation why people in this forum -- who
care a lot about both security and privacy -- have a particular dislike
for surveillance capitalistic superstars like Google, Microsoft and
Facebook. The basic (lack of) trust argument can be made about all
non-open technology.

Whilst there is a relationship between privacy and security, increasing security doesn't necessarily mean that you increase privacy. Your arguments against Google seem to be significantly in relation to privacy, but sometimes security can be increased at the cost of losing privacy.

The cloud-based aspect of Chromebooks means that in those situations where you don't consider you have much local on-site security, you can gain extra security by keeping things in the cloud, and using cloud software. I cover some of the reasons why this is the case, in the "Sandboxing and cloud computing" section I wrote in the End-user Computer Security book hosted on Wikibooks (which can be accessed here).

Otherwise, Chromebooks can have security advantages because they use an open-source secure custom BIOS/UEFI known as Coreboot. Vendor-supplied OEM pre-installed closed-source BIOS/UEFI firmware can pose a security vulnerability--they can also be hard to replace with a custom firmware (which I'm particularly finding at the moment). Some info on the security aspects of custom BIOS/UEFI firmware can be found here.

That said, I definitely have security concerns over using the cloud. Keeping things on-site would probably be ideal in the case that you have strong on-site security.

Kind regards,

Mark Fernandes

/Sven

[54th Parallel]

On Tuesday, 15 September 2020 at 01:13:13 UTC+8 m.fernande...@gmail.com wrote:

The cloud-based aspect of Chromebooks means that in those situations where you don't consider you have much local on-site security, you can gain extra security by keeping things in the cloud, and using cloud software. I cover some of the reasons why this is the case, in the "Sandboxing and cloud computing" section I wrote in the End-user Computer Security book hosted on Wikibooks (which can be accessed here).

Otherwise, Chromebooks can have security advantages because they use an open-source secure custom BIOS/UEFI known as Coreboot. Vendor-supplied OEM pre-installed closed-source BIOS/UEFI firmware can pose a security vulnerability--they can also be hard to replace with a custom firmware (which I'm particularly finding at the moment). Some info on the security aspects of custom BIOS/UEFI firmware can be found here.

That said, I definitely have security concerns over using the cloud. Keeping things on-site would probably be ideal in the case that you have strong on-site security.

Hi Mark,

I've read your wiki entries and enjoyed them--thanks for taking the time to share the information. I just want to clarify that Chromebooks do have local storage and that this can be completely isolated from the cloud (and usually is). This means I can choose not to be at the mercy of the cloud and the condition of my internet connection. 

Also, I've been looking for evidence that Chromebooks generally have Coreboot installed several years ago before using Chromebooks and now after reading your article. I've failed to find any so far, aside from sites like MrChromebox that mentions older devices. I know that there are ARM Chromebooks, but from a business point of view I don't really see why Google would feel the need to replace ME with Coreboot for the wide variety of CPUs in their devices (though I wish it were true).