Doubts


jrsrrs33

Sep 14, 2019, 11:41:02 AM
to qubes...@googlegroups.com
It is because I need help.

So, I am worried about privacy in the world of electronic communications. I heard about the existence of the NSA mass surveillance software, and from other countries (prism-break.org). I also usually read privacy policy and terms and conditions of what I am using.


-----------------------------------------------
A little of my history, it is not necessary to read -----------------------------------
So I decided to use ProtonMail and Tutanota for email services.
I decided to navigate in invite mode on Google Chrome.
To install another mobile application on my phone that organizes my email other than Gmail.
I discovered Thunderbird.
I discovered Criptext. (https://criptext.com/)
Run a VPN (reading terms and conditions & privacy policy: because there are some that keep logs and do not accept bitcoin)

I used to think my communications were private doing these changes, until I started to realize that it was not.

I discovered a few articles saying that ProtonMail was not private enough. (https://eprint.iacr.org/2018/1121.pdf)
This page says Tutanota is not secure. (https://prxbx.com/email/)
I read the privacy policy of Thunderbird saying they transfer clients' data to the US. (https://www.mozilla.org/en-US/privacy/thunderbird/)
I read the Criptext privacy policy and there is a lot of transfer of data about each client outside the country Panama.
I contacted two organizations of mobile phone apps, mailbird and mymail, asking why they have the same privacy policy and a few questions about their privacy policy.
I discovered this article against Windows, my OS. (https://www.gnu.org/proprietary/malware-microsoft.en.html)


-----------------------------------------------------------------------------------
So I decided to install Qubes OS, to improve my security (I also read the Edward Snowden recommendation and the Edward Snowden case).

First I saw three videos of people talking about Qubes and its characteristics, one in livestream and two on YouTube.
Then I decided to follow your instructions step by step, but I have a lot of problems. I read that the website is hosted on GitHub, but I discovered in the README file that there is another website with other instructions.

I decided to verify the ISO (4.0.1) that I downloaded from your canonical website qubes-os.org, so I have a Windows program called md5 & sha Checksum utility and it says it is all right (open the digest and confirm that the ISO sha256 is the same as the sha256 hash of the website (https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.1-x86_64.iso.DIGESTS)).

I decided also to try to do it with the gpg4win program, but I do not know how to do it because it is an ISO; I do it with exe.
I also tried with the instructions of your website, but I do not know how to follow them.
How will the process be? Did I do it well or badly verifying the ISO with the checksum utility?

Another question: what do you recommend to clone GitHub and then run a localhost server?
I only know a program that you install with npm commands that is called: litte server.
I read the README from GitHub, and with Docker you can not do it because you have to have Windows Enterprise or Pro (I only have Windows Home).

If I have an ISO, and I have checked it with sha256, why do I want to verify with signatures of the other repositories? Where do I have to write all those commands?

Do you need someone to host the website with the URL qubes-os.org? It is because I do not understand one thing: I verify a software that could be manipulated by third parties, but the signature key too, isn't it?
So it makes sense to verify the software when downloading only from a third website, isn't it?

Why do I have to verify Qubes Repos if I have verified the ISO? Are Qubes Repos different from the ISO, or complements for the software?

Qubes was created on September 3, 2012. What has happened with the other developers of 2012 (I do not see them on your web)?
Are all the instructions for Apple users? It is because "sudo" is written in the steps.

"Untrustworthy firmware. (Firmware can be malicious even if the drive is new. Plugging a drive with rewritable firmware into a compromised machine can also compromise the drive. Installing from a compromised drive could compromise even a brand new Qubes installation.)" 
I read the article on BadUSB, but what USB do you recommend (because I do not find one)?

Curious question: what are people normally asking when sending an email to business inquiries?

Thanks

Sent from ProtonMail Mobile

awokd

Sep 14, 2019, 6:19:20 PM
to qubes...@googlegroups.com
'jrsrrs33' via qubes-users:

> I used to think my communications were private doing these changes, until I started to realize that it was not.

The IT security rabbit hole is pretty deep. I believe at the bottom it
ends with securely disposing all your electronics, but I'm not prepared
to do that quite yet. :) Try to find a balance between realistic threats
to you and counter-measures to oppose them.

> I decided to verify the ISO (4.0.1) that I downloaded from your canonical website qubes-os.org, so I have a Windows program called md5 & sha Checksum utility and it says it is all right (open the digest and confirm that the ISO sha256 is the same as the sha256 hash of the website (https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.1-x86_64.iso.DIGESTS)).
>
> I decided also to try to do it with the gpg4win program, but I do not know how to do it because it is an ISO; I do it with exe.
> I also tried with the instructions of your website, but I do not know how to follow them.
> How will the process be? Did I do it well or badly verifying the ISO with the checksum utility?

Verifying the SHA256 hash is good. You can be pretty confident the ISO
hasn't been tampered with, but the only way to be sure is to verify
signatures per
https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-qubes-iso-signatures.
If you can't figure out how to do that with gpg4win, you might want to
get some practice with a GNU/Linux distribution instead. You can live
boot Mint for example, and I think Debian 10 too
https://www.debian.org/CD/live/#choose_live. Then you can use native gpg
to verify the ISO. You could also install Virtualbox in Windows and run
Debian or whatever in a VM to get familiar with it first.

> Why do I have to verify Qubes Repos if I have verified the ISO? Are Qubes Repos different from the ISO, or complements for the software?

You do not have to verify the repos if you've verified the ISO.

> Qubes was created on September 3, 2012. What has happened with the other developers of 2012 (I do not see them on your web)?

https://www.qubes-os.org/team/

> Are all the instructions for Apple users? It is because "sudo" is written in the steps.

Apple runs BSD, which also uses sudo. Instructions are for Linux users
which is why it will be helpful if you practice first before committing
to Qubes.

> "Untrustworthy firmware. (Firmware can be malicious even if the drive is new. Plugging a drive with rewritable firmware into a compromised machine can also compromise the drive. Installing from a compromised drive could compromise even a brand new Qubes installation.)"

This is one of those rabbit holes. You need a secure machine to build a
secure machine. If you suspect yours is already compromised, get one
that isn't. Here's where you have to find a balance against realistic
threats to you.

> I read the article on BadUSB, but what USB do you recommend (because I do not find one)?

Name brand in factory packaging, not something you found laying on the
street.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
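
The two checks discussed in this thread, written as shell functions for the kind of Linux live session suggested above. This is an added example, not part of either post or of the Qubes documentation. It assumes the `.DIGESTS` file is PGP clear-signed with `<digest> *<file name>` lines and that the release signing key is already imported with its fingerprint confirmed through independent channels; the function names are made up for this example.

```sh
#!/bin/sh
# Added example (not from the thread): check a downloaded ISO in two steps.
# Assumption: the .DIGESTS file is PGP clear-signed and its body holds lines
# of the form "<hex digest> *<file name>", one per hash algorithm.

# Step 1, authenticity: was DIGESTS signed by a key already in your keyring?
# gpg exits non-zero for a bad signature or an unknown key. The key's
# fingerprint must be confirmed through independent channels beforehand.
digests_signature_ok() {
    gpg --verify "$1"
}

# Step 2, integrity: does the ISO's SHA-256 equal the value listed for it?
# Only lines between the clear-sign header and the signature block are read,
# because text outside that region is not covered by the signature.
iso_matches_digests() {
    iso=$1
    digests=$2
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    expected=$(awk -v name="$(basename "$iso")" '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { signed = 1; next }
        /^-----BEGIN PGP SIGNATURE-----/      { exit }
        signed && length($1) == 64 {
            file = $2
            sub(/^\*/, "", file)
            if (file == name) { print $1; exit }
        }' "$digests")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Usage: sh verify-iso.sh <iso> <digests>
if [ "$#" -eq 2 ]; then
    digests_signature_ok "$2" || { echo "DIGESTS signature NOT verified" >&2; exit 1; }
    iso_matches_digests "$1" "$2" || { echo "SHA-256 mismatch" >&2; exit 1; }
    echo "OK: signed DIGESTS lists the SHA-256 of $1"
fi
```

A matching hash alone only shows that the ISO agrees with the DIGESTS file it was compared against; if both were fetched from the same altered source, the hash still matches. The signature step is what ties the digest list to a key you have checked separately.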