T520 for Qubes 4.0, can I / should I boot Win7 HDD, and Qubes 4.0 from an SSD?


yre...@riseup.net

Mar 15, 2018, 12:11:17 AM
to Qubes Users
T520 for Qubes 4.0, can I / should I boot Win7 HDD, and Qubes 4.0 from
an SSD?

I'm looking at buying an i7 T520 that is listed as working on the HCM
list on a website, for like $250. I see them cheaper on eBay, but the
thing has 4GB RAM; by adding a DVD tray / caddie for an SSD, and an SSD
and 4GB RAM, I add another $140 or so to the cost .... so I am
wondering if this technically would not have the issue where dual
booting is considered insecure, if I'm actually booting from 2 separate
HDs; and/or if doing the Qubes 4.0 install is going to be any
trickier or easier with 2 HDs, assuming I wasn't planning on doing
another dual boot off 1 HD again


thanks

sevas

Mar 15, 2018, 3:47:37 AM
to qubes-users
Dual booting is only secure if you remove the HDD/SSD with the other operating system on it.

Having two hard drives is essentially no more or less secure than having one.

awokd

Mar 15, 2018, 7:57:29 AM
to sevas, qubes-users
On Thu, March 15, 2018 7:47 am, sevas wrote:
> Dual booting is only secure if you remove the HDD/SSD with the other
> operating system on it.

Well, even then you are giving the non-Qubes OS unrestricted access to
your hardware/firmware so it could potentially open up the system to an
exploit at that level.

> having two hard drives is essentially, no more or less secure than having
> one.

That's true.

Yuraeitha

Mar 15, 2018, 8:04:28 AM
to qubes-users
You're right that it's more secure to have two devices, but only very, very slightly. Though, it's a good idea to do even so, even if only slightly, if you must. I believe the partition table can be more exposed here if using the same drive? but I'm not sure.

- Generally you have to look at the security exploits, i.e. it may be worth reading the research and articles The Qubes OS Project has made, and other works that are being put forward. But in general, you need to be wary of firmware exploits, boot-loader exploits, never access your files from an insecure dual-boot, and weak or no encryption. Something along those lines. Generally firmware exploits/attacks, to my understanding, are more exotic today, BUT! that may change one day very quickly, and you can also risk being plain unlucky. There is also the consideration that it might not be possible to make an accurate picture of how many infected firmwares there are existing in the wild, and/if possible to make research to get an idea, it might take years before it's detected on a large scale. So you may want to be wary of firmware attacks, they may some day be a threat quicker than you think, i.e. think for example A.I.'s that can automatically modify themselves to exploit different kinds of firmwares, rather than requiring a human hand to do so (intensive labor).

- Use a strong password, so that your CPU's own calculation power is insufficient to be used to crack your encryptions.

- Never leave anything unencrypted. While you can't protect your firmwares, at least you can protect all drives with encryption, except for the bootloader, which is a very big weak spot. If you want to protect yourself here (except you are still vulnerable to firmware attacks), then you need to move your boot-loader to a locked medium, preferably one that can't be edited, i.e. a CD/DVD. You can leave that CD/DVD in your system though, since what matters is that it can't be edited, it's not the fact that it can be read.

- Also you may want to consider at least 8GB RAM. Even 8gigs can feel limited, 4gigs will probably feel like a crap experience on Qubes.

yre...@riseup.net

Mar 15, 2018, 2:22:51 PM
to Qubes Users
well looks like both an argument For and Against buying a drive-cd
caddie

for:
can remove the HDD with win10 on it and just use it when needed

against:
keep a CD with a bootloader on it in the CDROM drive (what % of users
of Qubes are booting off a bootloader on a CD)


believe it or not, somehow I'm really not worried at all that someone
is going to gain access to my laptop, though it being a laptop and
travelling US-> INT'l I suppose it's possible ....



bigger issue now is what condition to buy a T520, e.g. "verygood" i7 (which
is listed on HCM, though not the submodel) and installing extra RAM to
12GB for double what I might buy

an i5 T520 with 12GB installed already which oddly seems to match the
submodel but not the CPU type ...

sevas

Mar 16, 2018, 11:52:12 PM
to qubes-users
I'm not for dual booting, but it seemed like a maybe. But thinking more on it,
you would be putting your files at risk. If you are running Qubes with the
Windows partition not running but attached, then it would be very vulnerable
with, hypothetically, lots of attack surface.

However, if you are running Windows with your Qubes partition encrypted and 'safe',
then Windows (and all of its rather large attack surface) would be like leaving
the screen porch unlocked so now the thief can come inside to look for a way in,
rather than standing in the road to look for ways in.

Rather, they could gain continued access to Windows, and slowly chip away at
your Qubes OS while you are working in your Windows OS.

The only way to combat this (and do not consider me knowledgeable) would be to
switch HDDs every time you switch OS. These other users in this post definitely
know more than I do, but I'm just trying to help where I can.

*This advice is only considering that you are trying to protect your data and takes no consideration for your privacy.

You are aware that you can install Windows in Qubes?


On the model of PC, I have the i7 with 16GB RAM and an Intel SSD 545s Series
and it takes what seems like 15 minutes to boot the system. I've attributed this
to the SSD. Go ahead and set +$100 aside for an NVMe M.2 SSD. What I currently have
is manageable, but sometimes becomes rather annoying. Mainly during startup and shutdown.
