-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 6/24/20 8:04 AM, Set Emeraude wrote:
> my assumption is that if its closed source, its backdoored by
> default
That really should be your assumption of all software unless you have
written or audited and compiled it yourself. And even then ... why do
you trust your compiler? It's not like that hasn't been done yet.
One of the many things I appreciate in the Qubes philosophy is that
you dramatically minimize the things you have to trust implicitly: the
XEN hypervisor, the HW virtualization and the Qubes team.
You should setup your qubes thinking that you are already thoroughly
compromised. How would you minimize damage then?
* email qube --> should contain only email and shouldn't be able to
talk to anything other than your email server (POP/IMAP and SMTP). You
might want to compartmentalize further (e.g. private email, work email)
* web --> this shouldn't contain anything valuable; compartmentalize
(e.g. banking --> https to bank only, stateful private, stateful work,
disposable for everything else) ... look into the "open in qube"
browser plugin.
* documents/photos/library --> there is no reason these qubes need to
be online ever; compartmentalize
* editing documents --> use disposable offline qubes for that
* firewall all online qubes ... only allow what you know is needed
(e.g. your dev qube might only need
github.com)
Mindset: the qube _is_ compromissed... how do I prevent anything
valueable from leaking? ... how do I minimize ways things could leak?
(offline is a great answer if it makes sense in the context)
And then after all of the above: do your best to not be compromised,
use apparmor, be smart, use disposable vms for view/edit, audit your log
s
Have fun!
/Sven
- --
public key:
https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE18ry22WNibwI1qeq2m4We49UH7YFAl7zaQAACgkQ2m4We49U
H7YibBAA1UdiGCFOseQ3Vvu9WLcgnN8k3S03xzbf0m5qbbnV+Gdd4D4b5uTrInDY
3o0+8oX32CssJWLWv2DhOye/DiQBrzSBg9FEl+VUMLyum0lQ040ltRddzrfuZI+N
JH9yQ7efMwGej8ejYZur7kvHrS0o+djNKHZ2yL1hWoAy/d2cvsE13yQLcd3Ynfco
/1hJ09oakFTZ0ItgqLl5sNGCjlks0Il3OjpvjAwb/86vBYD54VJARZup9ZEhxfv9
crlqKte22IWi6lIG1GdU2EUilje7HPN/AZ3xADg6AwpIBU29GEtYy1r/93esuhqB
2S2OzouyLAU09JOOAbH+aKQwjNZkKnKXABBYDukN9/T/lZDU28hlsECFcpd1NOM3
buXRjV/66ExslCVZ4QST49ykXBbTS6pN9cSrpdaHp7hHwSgZwKJJi7NEiAI95pGp
2WNU6dNCugUB4x42ugle2cIPHJOv1rOFSySNIpy/s+ubtlyPr9B99bxYMtBz5j6g
YXdANIrVrg8ijyFXSPe8ORA4ydgj05LEmBa672+0BYzQnbyXITvRuZt4QZTcGUTJ
OLC/nsi/1E2o6gHVIC5HnPqu8jvHbbFy/DPcnuySgjLMw9CWjZXh7+m+E+zFwqcp
ZJXlwFvmiRgk/huHUBzNwWpsn6F8KflNKMiyHa/y8v9oYLuEGvY=
=VkeP
-----END PGP SIGNATURE-----