Nostr Web Client

If your doing extremely "sensitive" stuff and your threat model involves the likelyhood of forensics, a second laptop + tails is a very good option for those activities. It's not really designed for daily driving like Qubes.

It is best OPSEC practice to always turn off and OS, including a hardened one like QubesOS when not in use. Qubes sys-usb VM protects against evil-mail attacks and the like, but as with any OS...

If an adversary has the ability to perform forensics and has access to your daily driver, compromise should be assumed.

Use Luks for encrypting QubesOS drive with a strong passphrase (remember though people could torture you or family members until you give it up).

Store sensitive files using Veracrypt + hidden volume (you could even go so far as to bind folders that leave forensic footprints to this volume) to provide "plausible deniability". Veracrypt works on both QubesOS and Tails.

It's all about layers and multi-layered encryption (i.e. encrypt the encryption decryption with layers of encryption). The more layers you can put between an adversary and your data, the more time and money or criminal risk it will have to be worth for them to get to your data.

Ava 1y ago

Also, the second laptop should be new and NEVER associated with your identity in any way WHATSOEVER.

Reply to this note

Please Login to reply.

Discussion

Hanshan 1y ago

if I follow correctly

you mean rather than just using Qubes vms for everything?

Ava 1y ago

Yes, for very sentitive situations/activities where anonymity is of the utmost importance.

Qubes is freaking awesome, but I still recommend a 2nd brand new device that has never been associated with your actual identity in any way, including having never logged in from your home network.

This is way overkill for most threat models. For the overwhelming majority of people, Qubes offers more than enough security via isolation and compartmentalization, including the ability to virtually airgap VMs, anti-evil maid, and anonymity via its Whonix integration and so much more--it's leaps and bounds over any other daily driver OS.

However, if you are performing extremely sensitive activities or are in extremely sensitive situations and you must use technology, and the likelihood of hardware forensics is in your threat model, then I recommend taking the isolation and compartmentalization to another level by using a completely separate device with an OS like Tails.

There is still the risk of having that 2nd device in your posession, so this is where an OS like Tails shines since it leaves no trace on the computer when shut down.

Hanshan 1y ago

the thing i never understood about Tails practically,

you then need a yubikey right? gotta keep your priv key somewhere...

I used Qubes as my daily for a while but i got tired of hacking around withirt.

so now I have several devices instead lol

it was easier to just have a few old laptops/multi boot setups.

forensic analysis isn't in my threat model

but curious

Ava 1y ago

Big fan of Yubikeys. Tails would need persistent storage to use one, but you can airgap keys with Veracrypt + hidden volume.

Here's a fun tutorial for generating and airgapping PGP private keys using GnuPG, Tails and YubiKey :)

https://github.com/sunknudsen/privacy-guides/blob/master/how-to-generate-and-air-gap-pgp-private-keys-using-gnupg-tails-and-yubikey/README.md

Old-school with multiple devices does the job too. How long has it been since you used Qubes? There's been a lot of upgrades recently that have improved the UI/UX just over the past year.

Honestly can't imaging daily-driving anything else at this point unless Joanna builds something cooler, but IMO it's going to be hard for her to top Qubes.

Hanshan 1y ago

this was my setup on my previous daily driver.

do you have any critiques?

starp 1y ago

Have you heard of any progress on her "State considered harmful" laptop design?

7f90170d... 1y ago

For men who wear dresses like you, this is useful to remove your child porn

GHOST 1y ago

JC wat a dk head