Kind of fun to watch the zealots twist themselves up over this. Started out as strident "apple would never do this".
Then when Apple itself came out and said "Yep, we're gonna scan your phones, iPads, laptops and desktops... Um.... For the children!!!! Yeah, that's it. For the chiiiiiildren!!".
Now the zealots are all gushing and weeping with joy that Apple is policing them. "Scan me harder, Daddy!!! For the children!!!"
It is kind of heartwarming that there's starting to be a bit of push back over in the Apple subreddit. I'm tempted to venture over there and tell them about Qubes OS.
That's correct. If a MITM attack directed you to a website with a download and hash, they could just as easily change the hash (to the hash of the malicious download) as they could the download.
To mitigate this, a developer can sign their download and hash with their PGP key. A MITM attacker would not only have to inject a malicious download and hash, but they'd have to sign those items with the PGP key of the developers of whatever you're downloading.
If you trust the developer to keep their PGP signing key secret, and you know the fingerprint of their key, then there's no way for a MITM to deliver a malicious download/hash.
See more about signatures and hashes in this documentation from the Qubes OS team.
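As an added example (not code from the Qubes OS documentation linked above), the script below plays out the scenario in this comment: a hash published next to a download is replaced as easily as the download itself, while a detached signature only passes if it was made by the key whose fingerprint the user already knows. It uses openssl rather than gpg so it runs without a keyring, and SHA-256 of the DER-encoded public key stands in for a PGP key fingerprint. The release file, the SHA256SUMS file and both keys are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not Qubes code. Models the MITM scenario from the comment:
# a hash published next to the download is replaced as easily as the download,
# while a detached signature from a key whose fingerprint the user pinned
# out-of-band is not. openssl stands in for gpg so no keyring is needed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in for a PGP key fingerprint: SHA-256 of the DER-encoded public key.
key_fingerprint() {                     # usage: key_fingerprint PUBKEY.pub
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Developer side: build the release, publish its hash, sign it.
# Payload and key names are constructed for the demo.
publish_release() {                     # usage: publish_release KEYNAME PAYLOAD
    printf '%s\n' "$2" > release.tar.gz
    sha256sum release.tar.gz > SHA256SUMS
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$1.key" -out release.sig release.tar.gz
}

# User side, check 1: trust whatever SHA256SUMS arrived over the same channel.
verify_hash_only() {                    # usage: verify_hash_only
    sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1
}

# User side, check 2: accept the offered key only if its fingerprint matches the
# one learned out-of-band (PINNED_FPR), then verify the detached signature.
verify_signed() {                       # usage: verify_signed PUBKEY.pub
    [ -n "${PINNED_FPR:-}" ] || return 1
    [ "$(key_fingerprint "$1")" = "$PINNED_FPR" ] || return 1
    openssl dgst -sha256 -verify "$1" -signature release.sig release.tar.gz >/dev/null 2>&1
}

report() {                              # usage: report LABEL PUBKEY.pub
    if verify_hash_only; then h=pass; else h=FAIL; fi
    if verify_signed "$2"; then s=pass; else s=FAIL; fi
    printf '%-28s hash check: %-4s  signature check: %s\n' "$1" "$h" "$s"
}

# 1. Honest developer publishes; the user pins the fingerprint once, out-of-band.
publish_release dev 'qubes-installer-stub v1'
PINNED_FPR=$(key_fingerprint dev.pub)
report 'genuine release' dev.pub

# 2. MITM swaps the download, republishes a matching hash, and re-signs with a
#    key of their own. The hash check cannot tell; the pinned fingerprint can,
#    and the developer's real key rejects the attacker's signature.
publish_release mitm 'malicious payload'
report 'MITM, attacker key offered' mitm.pub
report 'MITM, developer key offered' dev.pub
```

Run as-is; the first line reports pass/pass, the two MITM lines report pass for the hash check and FAIL for the signature check. The point the comment makes is visible in `verify_signed`: the fingerprint comparison is the only step that uses information the attacker could not have rewritten in transit.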
Almost any Linux distro is good for privacy, but if you want something as secure as Tails then there's Qubes.
QubesOS is based on Fedora, routes your whole traffic through Tor (like Tails), and every app you use is going to be isolated from the others (they run in individual VMs). But to be able to use Qubes, you need a pretty strong PC. Link: https://www.qubes-os.org/
Or you can use a Linux distro such as Fedora, Debian, Gentoo..., and install Whonix (on VirtualBox, QEMU...)
If you don't know what Whonix is, it's like Tails but made for virtualization programs.
Qubes integrates multiple separate VMs to isolate workflows (e.g. personal banking in one VM, business contracts in another, web dev in another, ...). Very different idea, although containers are now kind of going there.
From their site:
> designed to provide strong security for desktop computing using Security by Compartmentalization approach
EDIT: added some additional info, now that I'm not on mobile
> Work every day, then move the data onto an external hard drive
Not necessary at all
https://tails.boum.org/doc/first_steps/persistence/index.de.html
But I'd almost say that for everyday use something like Qubes makes more sense
In the end, though, everyone has to decide that for themselves
Disclaimer: I have never tried Qubes.
Operational-security-wise, your best bet would be using Qubes on the physically tiniest USB drive you can find; this makes it easy to hide any "evidence". Qubes will handle a lot of the operational security for you, so you are less likely to make a misstep. And IIRC Qubes does have ways of masking itself for additional stealth.
Interesting:
> How does Qubes OS provide security? Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated virtual machines (VMs). A VM is basically a simulated computer with its own OS which runs as software on your physical computer. You can think of a VM as a computer within a computer.
While nothing will be 100%, there are steps one can take to reasonably secure their operating system. They range from installing an antivirus to going to some significant lengths in disabling features and using a bootable OS from a DVD, or following DISA STIGs or a similar hardening guide.
The main reason why this hasn't become commercially viable is because people increase the threat vector with every program, browser plugin, and service they use. If one can be compromised, it becomes relatively trivial to escalate privilege and persist. People like ease of use... They are comfortable with Internet Explorer, and things start to break when you disable features or block services.
If you are comfortable with Linux, I recommend Qubes OS.
Sorry for lacking detail, I'm on mobile and way past my bedtime.
Time for mom to bring me tendies and tuck me in.
> Anything else I should be careful about?
Depends how paranoid you are. For your browser, using firejail is a good idea - this prevents e.g. stealing your private GPG or SSH keys from a hijacked browser. You maybe want to read up on Qubes to get an idea how insecure you are.
> however if I pay close attention to browser and plugin (Flash) updates, are there any other major security risks involved with using testing packages?
If you use Flash you are basically rendering everything else useless. Lots of exploits - especially for the very old 11.2.x version Firefox supports. Consider stopping using Flash, enable click to play (also for Java) and consider using PepperFlash - e.g. with the freshplayerplugin.
> "Guardian settings are not vulnerable unless your machine is compromised, in which case, every app and file on your computer is also susceptible," said an Oculus spokesperson.
Someone who's compromised the OS can already make whatever they want appear on the 2D monitors and take over non-VR cameras. Of course the VR stuff is the same. Once the OS is compromised, it's pretty much game over. If users are concerned with OS security, they can use Qubes.
Besides, someone with access to my computer isn't going to be fucking with my Rift settings. They are going to look for any financial information / passwords, or maybe install some mining software to profit from my GPU.
Also:
> Researchers weren't able to alter Oculus' Guardian.
I think that if this happened that within 6-12 months that a few particular notebooks would become the preferred platform for QubesOS. This potential would immediately unleash a small army of the most skilled developers to work out any bugs in the AMD VT-d equivalent. As of this moment AMD systems are pretty much ignored because there are some issues that need a lot of attention.
Not sure why you're downvoted, but I feel the same way. Initially I only thought "I'll wipe Windows 10 and never look back...but I'll probably still use Windows 7 or 8" - and days later this news came out, and I decided screw it - time to use Ubuntu or Linux Mint (or perhaps Qubes OS, likely the most secure client operating system right now).
Apparently he uses Qubes OS.
It's an operating system that essentially allows you to spin up a separate, lightweight VM for different tasks and programs, like work, entertainment, communication etc. You can then delete that VM and spin up a new one based on a template once you need it again.
It keeps your set up consistent. If any part of the system is compromised it will be contained to that VM which will likely be deleted and overwritten anyway.
Qubes OS might be a nice way to handle this; it allows you to install applications as their own VM on a hypervisor environment. It's been on my to-do list for a while to try this.
edit: scrolled down and saw there's already a post about Qubes in /r/sysadmin, heh.
The Qubes Jessie template is available too! I use it almost exclusively vs. the Fedora and Whonix Templates.
I would seriously check out Qubes too if you haven't had the chance to yet.
Qubes OS is the only one I know of that comes packaged in an "easy" to use bare-metal hypervisor OS. (It uses Xen as the base layer.) It has some very specific hardware requirements related to I/O virtualization that you need to know about when installing.
If you have any questions, send me a message, I use it as a daily driver work laptop.
Update reads:
>Unman has generously agreed to bring the Qubes Tor onion services back and maintain them. He has considerable experience in hosting and infrastructure management, including running onion services. He is working on it now. We’ll have another update for you soon. Thank you, unman!
TorBrowser has a lot of tools that inhibit the functionality of online trackers, including those that use javascript. I would just recommend never using the same browser for your anonymous browsing as you do for your non-anonymous browsing, as you'll undoubtedly end up caught in an edge case somewhere that ends up linking the two.
The biggest danger with javascript is that the javascript interpreters provide an attack surface against which to run exploits that expose your real IP.
While cumbersome, a good solution I've found is running Qubes for my OS. It provides isolated bubbles for my applications so even if the javascript stack is exploited in one of my VMs, the whole VM is routed through Tor and they'll find nothing. Also, if they hack into an anonymous VM, they won't be able to access anything in my non-anonymous VMs. It provides wonderful isolation, but the tradeoffs of running it as your desktop can be significant. It eats up RAM fast and you won't be doing any gaming with it.
What kind of hacking? What do you need to do? What OS? Are you concerned about the Intel ME?
I like older ThinkPads; since this is /r/privacy you should look at something that is compatible with QubesOS
I'd say go with Qubes + Whonix for a persistent, highly compartmentalized / sandboxed, hardened Linux distro, while using a combination of a trusted 'no log' VPN paid for anonymously with crypto connected to a second VPN and finally through Tor via Whonix for redundancy. This gives you three layers of prospective anonymity. Also encrypt all of your data and/or messages if necessary, using at least two open-source and thoroughly audited encryption utilities. That way if one is compromised/backdoored or cracked, you have a second as another redundancy measure. Or, you can just use Tails if you prefer a more 'user friendly' live environment, albeit without persistence or the ability to save the state of your OS (unless used in a VM, with a trusted host OS).
... If you seriously have issues using GRUB to dual boot, all you're doing is proving my point. Waving your dick around like it matters. That's elementary level shit there.
Also, really, TAILS is a Linux distro? Who fucking knew?! (No shit it's a Linux distro; it's also non-persistent, which means that none of your data is going to be stored on the device that you're using. I figured I'd do you a favor and explain it to you since "you're super serious about security blah blah blah".)
And I'll notice you sidestepped my point about Qubes, but hey you can't get GRUB to work, so I'm not surprised
Here, I'll help you with finding it. https://www.qubes-os.org/
In short, your setup isn't as secure as you claim it is; you're like that kid who learned a few things and then proceeded to try and sound more important/capable than they are.
Also you don't need "Spectre" level vulnerabilities to infect the UEFI.
You do know what a UEFI is right?
Qubes OS is one of the most private and secure operating systems and is used by Snowden. Still it had to deal with fatal bugs: > XSA-213 is a fatal, reliably exploitable bug in Xen. In the nearly eight-year history of the Qubes OS project, we have become aware of four bugs of this calibre
Those four bugs were in Xen, a separate project which they use but have little control over and an operating system is obviously much more complex etc., but I guess similar to monero's recent case only a handful of experts knew about it and had to keep it a secret for a while.
From Xen Security Problem Response Process: > Computer systems have bugs. Currently recognised best practice for bugs with security implications is to notify significant downstream users in private; leave a reasonable interval for downstreams to respond and prepare updated software packages; then make public disclosure.
Perhaps something like Qubes OS can be useful.
It is a Linux distro based on security by compartmentalization; basically every environment (qube) you run is isolated from the others via virtualization.
Encrypting your disk twice has a significant performance penalty and it won't prevent an evil maid attack.
QubesOS has done some work to defend against evil maid attacks:
https://www.qubes-os.org/doc/anti-evil-maid/
One way to prevent evil maid attacks is having a completely measured boot, one project doing work on starting this at the bios level is heads:
https://github.com/osresearch/heads
Another interesting way to defend against physical tampering is having nail polish with visible features on all of the screws:
E: Maybe a shorter title and details in the self post itself would have been more appropriate.
Long term: Either Qubes OS or Subgraph. These virtual-machine(Or container) centered systems make extensive use of sandboxing to help keep you more safe from applications that might be exploited. Additionally, Qubes takes steps to protect you from when hardware can turn malicious with virtual machines to isolate your Network and USB devices to keep these kinds of exploits from damaging the Host system. Subgraph doesn't do that, but it does provide limited protection from USB attacks by way of GRSecurity. Subgraph is, IMO, less good than Qubes, but not so much I think it's invalid.
Live Boot: TAILS. TAILS stands for The Amnesic Incognito Live System. Amnesic means that it doesn't leave a record of being run on your computer. Incognito means that it attempts to anonymize all traffic by default. Live means that it is intended to be booted from a CD with all the information for the system to run self-contained. This gives you a sort of self-destructing computing session. How you move the files out of the TAILS session and into cold storage is up to you.
> Since everything is running on Xen and there is some latency, will games be able to run on this?
You should check this answer from their FAQ:
https://www.qubes-os.org/doc/user-faq/#can-i-run-applications-like-games-which-require-3d-support
The same study also recommended Qubes. What is Qubes? I just went to find out. Apparently, it's a custom OS, based on Fedora but with its own kernel, designed specifically to spin up everything in a VM, and gives you color-coded windows to tell you what VM any application is running in. More here
I'm curious, where are you hearing Tails in a VM is better?
A compromised host OS/Hypervisor which Tails OS is running within could compromise the booted ISO image. It could be leaving traces on the host of your activities, i.e. saving the VM's state in VirtualBox. Furthermore you're also increasing the overall attack surface as now you're also trusting the entire code base of your host OS to not be vulnerable to attacks.
You'd be running an amnesic OS within a persistent OS, which doesn't make Tails 100% amnesic.
If you're looking to run Tails in a VM, I'd recommend looking at Whonix. It's actually designed to run with persistence inside of a VM. If you're interested in running Whonix Workstation but want to keep some of the amnesic properties of Tails, then I recommend looking at Qubes OS's disposable Whonix WS VMs.
Good point about the workstation/laptop caveat.
Android is also a bit less like a traditional Linux distribution in the sense that it doesn't have a standard way to run Linux GUI apps. GUI apps have to be written using an Android-specific system, whether directly or via some toolkit that uses the Android GUI system under the hood.
Another point which people tend to miss when hearing "but Linux apps on ChromeOS run in a VM!" is that it's not a traditional VMware or VirtualBox VM, where the VM has its own window and all apps run within that window. Ordinary Linux GUI apps run unchanged on ChromeOS, directly on the host OS UI, which underscores the Linux nature of the host OS.
One of the most obvious ways in which ChromeOS is unlike a traditional Linux is that its security model constrains where you can run apps. In that sense, it's like something like Qubes OS, except that Qubes is not at all widely used, whereas ChromeOS is in the hands of large numbers of consumers already.
In that sense ChromeOS represents a major change in the architecture of consumer OSes, one which has huge security benefits that don't yet seem to be as widely appreciated or understood as they should be. If ChromeOS evolves towards support for multiple user VMs, more like Qubes, that will be even better.
Technically, yes. In reality, I don't recommend it too much, unless you have a USB 3.2 Gen2 or Thunderbolt connection, because anything other than that will make things incredibly, ungodly slow.
https://www.qubes-os.org/doc/installation-guide/#installing-to-a-usb-drive
I'd like to see an additional six months of critical security fixes for things like bash, openssl, openssh and the kernel. Does your team push this stuff out on occasion even though it's not officially supported?
I'm thinking about this in regards to distributions/setups like Qubes which do a lot of work to setup Linux "templates" and sometimes they lag behind. It would be great if Debian officially supported 5-10 key packages for extended security updates.
Not at all official. The only official venues are the ones listed as official on this page:
https://www.qubes-os.org/support/
Also, please note our remarks about unofficial venues here:
I'm no expert but a laptop that supports, or comes with open source firmware such as Coreboot/Libreboot is a good start.
System76/Clevo machines or a supported Thinkpad.
The network manager is in the sys-net VM and should be installed by default. The Debian 9 VM will connect via a virtual network if you use sys-firewall as the NetVM. Have you read this page? https://www.qubes-os.org/doc/networking/
They do mention this on their website. https://www.qubes-os.org/doc/system-requirements/#qubes-release-4x
The issues you're having appear to be because of your CPU not supporting the required things. Try Qubes 3.2.
> Hardware support may be another. CPU features may be another.
I'll take this a step further and say a Chromebook will almost certainly not be able to run Qubes 4. Those machines are usually made with inexpensive, low-power chips and those sorts of chips won't have the virtualization technologies Qubes 4 requires.
A used X series Thinkpad is definitely the way to go.
This is a security measure to avoid parsing complex input and to protect against homograph attacks (discussion). You can control it by modifying <code>/etc/qubes/guid.conf</code>. The setting you want is <code>allow_utf8_titles</code>: "allow the use of UTF-8 in window titles; otherwise, non-ASCII characters are replaced by an underscore."
VT-d is pretty damn nice if you want to do elite things like running Qubes OS. In the case of the Win 2 the wifi card would get put into its own lightweight VM and the wifi would be passed through into it at the hardware level. Then that VM communicates with the Firewall VM. The disk gets its own VM. Then there is a root VM (whatever they call it) and over that is the user VM. Then each program like Firefox can be run in its own security domain in VMs (blue, green, red). They've been working on it for many years and are now on the much improved version 4. I like it a lot but my current Thinkpad doesn't allow for easy drive replacement and so I can't afford to fuck with it. However the GPD Win 2 looks to have an M.2 SSD that can be swapped out with two easy screws via the outside flap. So I'll buy an approved 256GB M.2 for dual booting Windows and normal Linux and then I'll have the OEM 128 GB one for playing with Qubes and different versions of Linux. The selling point for this is then you have a 1 pound mobile device with industry best security (that really is wildly better than anything else out there). So then I would just need to find a nefarious life purpose and I'd have the hardware side of that all taken care of. Plus women love that sort of thing, Super Mario Bros. 3 I mean.
> firefox forks or old/ESR firefox builds (need to run in VMs because security, also questionable trustworthyness)
So we're back to domain separation as a solution, in which case... might I recommend Qubes?
> I spend a lot of time on Tor personally.
Same, but inside a immutable browser VM tunneled through a Whonix Gateway VM for that 50 ~~Stalins~~ Stallmans level of paranoia.
Using an OS built with security in mind certainly makes it much less likely that a vulnerability would be possible, but not impossible. Just look at Qubes' security bulletins. They focus about as heavily on security as possible and yet there are still problems discovered. Modern operating systems are built on top of millions of man hours of development. It's highly, highly unlikely that an organization with the expertise and funding of the NSA would be unable to get into a device if they really want to get into that device. It will certainly take more time if you're using a security focused OS, but that may also make it more likely that they're actively targeting it.
All of that is not to say that it's not worthwhile to use a security focused OS. Most of us will never be directly targeted by an organization like the NSA and these certainly provide a lot of protection from your average attacker.
Seeing the title I was thinking that we live in really "interesting" (read as bad) times when journalists need this. Then I read the text of your question.
I see people claim Chromebooks are pretty secure, but I am not entirely sure how safe they would be against FBI level of attack. Maybe Google has way to get inside it (so they could be compelled by government), but then again, most stuff on chromebooks lives in the cloud.
As far as ThinkPad goes for Qubes OS - you want to check for HW compatibility - basically read all links in the "Choosing Your Hardware" section of documentation at https://www.qubes-os.org/doc/ especially the Hardware Compatibility List (HCL) specifically "Laptop Devices". You want most columns on https://www.qubes-os.org/hcl/#hardware-laptops to be "Yes" (green); "Unknown" might be ok but has not been verified. I personally would go for a refurbished ThinkPad of the x20 generation but that is because I don't like chiclet keyboards (and would hope that the Unknowns in the SLAT column turn out to actually work).
Depending on the level of your paranoia and how much sensitive work it is, you might consider whether getting refurbished devices is safe - you could be targeted by one of the programs which intercept HW deliveries to select targets and modify them.
Any that use OpenVPN will work, I can't speak for other protocols.
The provider doesn't need to offer disconnect-on-vpn-dropout if you use a setup like https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
Yes.
I don't believe so. There are email lists https://www.qubes-os.org/mailing-lists/
While /r/qubes does have /u/andrewdavidwong (qubes community manager) as a mod, it is not an official channel for support, but like most places on reddit you'll hopefully get some sort of help.
The only official channel at the moment is the user and dev mailing list. Here and IRC are unofficial.
> I see many people posting questions but hardly getting any help including myself.
It's a relatively new OS so the number of people capable of helping or who have run into similar quirks are low. It also does not help, when for example you ask for help, someone gives suggestions of a direction to take to troubleshoot and you don't reply.
People have to understand that the more details you give the better chance of help.
The first thing I would do is find a processor that's compatible with Qubes 4.x.
It seems latest AMD processors offer great multi-threading performance, but I'm not sure if they satisfy the criteria above, I'll ask in the AMD sub.
For RAM, depending on needs, I would look at 16 GB-32 GB.
I would also wait for Qubes 4.0-rc (release candidate) before doing any final decision.
There is not an installer, but there are very thorough set-up instructions on the Qubes website. I would suggest setting up your VPN on what is called a ProxyVM.
The only other thing you will need is the OpenVPN configuration files for PIA (you'll be using the OpenVPN client, instead of PIA client). The config files will be in a ZIP file in the Client Support Area on PIA's website--you'll first need to select the level of encryption that you want, then the server you want to connect to.
As for your general questions at the end, Qubes is not a "variant of" Fedora--it's really more of a virtual machine environment, and by default, most of the virtual machines run Fedora. (They can also run Debian, Windows, or other Linux distros.)
Step one of any situation is consider your security profile, for most people who do nothing more high risk than traveling internationally, a properly configured system with Execution controls, Full Disk Encryption and a VPN is enough. I would suggest something like Fedora Linux for that. But, if you want to take it a step up, this is what I would consider, depending on what security I need. Remember, all security decisions should start with a threat analysis.
There are 2 things I would suggest, they are very different options.
1) If you don't need much for specs (ex. running tails and burning everything on every reboot), I would suggest a Chromebook flashed with Coreboot. This gives you an open source firmware on rather basic hardware.
2) If you want a more persistent, reasonably secure system, I would use Qubes with older, well documented hardware (Check the HCL). Thinkpads are popular, but also consider off lease Dell Precisions/Latitudes. Look for something with lots of ram, Intel graphics, well documented teardowns and verified IOMMU support. Fair warning, Qubes is a bit more work to learn than OS X, Windows 10 or Ubuntu, because instead of one system, you are running a Virtualization Host, a hypervisor and multiple virtual machines.
> If you have a relatively high-end pc you can use https://www.qubes-os.org/
Not necessarily the case; just a two-core chip with 8 GB or more of RAM (and ideally an SSD) will be quite sufficient. However, Qubes 4 has certain strict requirements for the CPU because paravirtualization is no longer present.
I see what you are describing but that is not Qubes. Qubes is a step further than what you are describing, making the usage of Windows as host in those circumstances impossible without just going full circle and turning Windows into Qubes. Which is pointless, since we can just use Qubes. Windows application usage with Qubes is described here.
Disclaimer: I have not actually used Qubes, myself but this is my understanding of how it works.
It looks like Qubes does not support GPU passthrough for app containers, so one would have to run another full virtual OS for each game, if they wanted to segregate them.
Qubes looks pretty cool but I'm trying to figure out exactly what is provides that Xen can't other than a more user-centric interface.
It's probably one of the safest ways of using Tor: it forces ALL traffic through Tor; if it doesn't go through Tor, it doesn't go. It's a live CD/USB which leaves no traces of data on a hard drive and securely wipes your RAM on shutdown. It also uses Linux, which is far more trustworthy than alternatives (aside from BSD perhaps).
There are even more secure ways; the most secure would be Qubes OS, which is more secure due to the VM isolation design (it's Linux/Xen based).
I should note it is Edward Snowden's OS also.
A review (of an older version) is here
http://www.tomshardware.co.uk/qubes-os-3.0-whonix-integration,news-51395.html
It is far more complex to set up than Tails, though; Tails is a ready-to-go live system.
And another review
Personally, I read a lot of the docs https://www.qubes-os.org/doc/ but then still had problems so I went to the community forum https://qubes-os.discourse.group/ and got help there. My system is great now and I love it.
There is also an unofficial IRC channel on freenode and a Matrix chatroom. Both good if you need further assistance.
What do you mean by “learning-by-doing”, it sounds good but do you have any examples?
You haven't given us nearly enough information about your setup to be of assistance.
I'd suggest comparing your CPU model to the ones listed here https://www.qubes-os.org/hcl/. You should check if yours even has the features you listed before asking how to enable them.
> Has anyone encountered this, is this by design? Is the application selection tab just for adding shortcuts to but all domains have access to all of the TemplateVM apps?
Correct, all applications from the template are loaded into the domain. Selecting the application in the domain's settings only adds a shortcut to the menu.
You can check out this guide to see if this will help with what you want. I use it to have links from my email open in a DispVM.
> What are the best machines for it?
Look at 4.x on https://www.qubes-os.org/doc/system-requirements/ and specifically at https://www.qubes-os.org/hcl/
I use Qubes OS on desktops rather than notebooks, YMMV.
Disposable VMs are very well discussed at https://www.qubes-os.org/doc/dispvm/. Please note that it's not a TemplateVM that becomes a template for DispVMs, but an AppVM. Create an AppVM based on the Debian template, configure it to your liking and then enable using it for DispVMs. Then set it either as the system-wide DispVM or just for selected VMs.
Today it means virtualization. In this blog post, Joanna describes a vision for the future of Qubes where things are compartmentalized also in other ways, so we don't depend as much on the hypervisor, but today it means virtualization.
From Qubes page on Multibooting
> One problem is that when you dual or multiboot, even if you are using encryption on your Qubes installation, /boot is still unprotected and could be maliciously modified by the other OS, possibly leading to Qubes itself being maliciously modified.
>
> The other problem is firmware security - for example the other system could infect BIOS firmware, which might enable compromise or spying on the Qubes system.
First off, Qubes OS.
You state that your main motivation for switching is Microsoft's "locking down" the OS but then, unironically, bring up OS X in the next breath. The cherry on top is that you're running Ubuntu. Granted, it's still more open than Windows or OS X, but Canonical have had problems with user privacy in the past. But then you add whipped cream when you talk about how you use Google apps for the majority of your work. You are not going to achieve privacy and freedom by using Google software on an Ubuntu machine. Full stop.
Also, you seem to think that installing software on Linux requires you to recompile from source. You're not entirely wrong. You can compile from source on any distro. You don't have to compile everything from source on most distros. Linux is not Rocket Surgery. Fortunately, you'll figure this out the longer you use Linux.
I'm recommending Qubes OS for a couple of reasons. The first being that it compartmentalises your computing, which makes your system less vulnerable to malicious code. The second reason is that you can become largely platform agnostic by just running the non-Linux apps that you have in a VM that is completely separated from the rest of your machine. It's a little bit more straightforward than dual booting. In the case of games, it can be considerably more complicated though.
At any rate. . . Ubuntu is a good first step, but probably not your last given the goals that you laid out at the beginning of your video.
Mostly, yes. Here's the rough state of things as of Qubes 3.2, the most recent version.
The best resource for these types of questions is the Qubes Hardware Compatibility List. Looks like the T460s and T460p are both well supported, as are most Lenovo laptops. You'll probably be fine.
A somewhat reasonable option is to use https://www.qubes-os.org/ on a laptop that is compatible with it. Properly setup that OS is probably the safest you could get without having your wallets completely offline.
You can do it in Qubes-OS by using a non-usb (PS/2) keyboard. Set up a sys-usb vm and you can selectively mount it using USB passthrough.
From their own FAQ:
> Can I run applications, like games, which require 3D support?
> Those won’t fly. We do not provide OpenGL virtualization for qubes. This is mostly a security decision, as implementing such a feature would most likely introduce a great deal of complexity into the GUI virtualization infrastructure. However, Qubes does allow for the use of accelerated graphics (OpenGL) in Dom0’s Window Manager, so all the fancy desktop effects should still work.
Also, the more I read about this OS the more it looks like a non-standard Linux distro managing Xen VMs (but I only checked it for around 10 minutes, so I may be missing a lot of additional info).
The isolation of environments (via encrypted VMs) however is a really good feature, but honestly, for a better isolated environment for gaming, I'd consider PCI-passthrough under Linux a better alternative (fyi, here are some performance results against Windows installed in bare-metal).
Should be pointed out, just having Linux doesn't make you invulnerable to the FBI or NSA. Also, over the past couple of years some major, catastrophic Linux bugs and exploits have been uncovered, with some being in the system for years and years. Even though it's "open source" doesn't mean that people are actually looking at the code. With the "dirty cow" kernel shenanigans being the latest.
But even with that, it's still more secure than Windows, though Windows has come a loooong way. I would say that ChromeOS is even more secure than plain Linux too (in terms of exploits to the machine...not in the "cloud" data which it so heavily relies on)...but you have to be part of Google and that gets conspiracy people's jimmies all rustled.
EDIT: Forgot to mention that if you're ultra paranoid, there's a distro that's even a step-up from the Tails distro, and that's Qubes OS. Take a look at it.
> If I dual boot Windows and Linux Mint, is it possible for Windows to see what I'm doing on Mint?
If Windows can access the linux partition it could have access to your data / usage history
While it is /r/qubes specific this doc gives some insight into why it can be a risk
> Similarly, is Chrome aware of what I do in Firefox or in other windows while it is open?
No, but if someone were to leverage a bug in one of the browser to gain access to the file system they could access your browsing history of the other browser
Nope, most exploits are in the Firefox that the Tor Browser is based on, and Firefox is so riddled with holes that you can assume there is always something in there that could be exploited. Disabling JavaScript could help mitigate that, though. There are also "hardened" builds, but only for Linux; those have a few compiler features enabled that make the thing crash instead when there is an exploit attempt.
Otherwise you're more on the safe side with Tails (https://tails.boum.org/): there, a site with exploits would have to break the browser and then also get root locally to bypass the firewall rules that route everything through Tor. Unfortunately the Linux kernel is also pretty full of holes; if the FBI/NSA are after you, they may have the matching exploits for that as well.
Another option would be to use separate VMs, e.g. Whonix - https://www.qubes-os.org/doc/whonix/ - that should be the most secure, because an attacker would additionally have to break the VM's hypervisor.
So if you're really paranoid, you should use VPN+Tails/Whonix under Linux.
To me, using Tails would be most useful when you want to use it only one time or perhaps one week at most, like if you want to do something. Because then you have to keep up to date and write the new version on a new CD.
Subgraph and Qubes are more for long-term use. I know there was some discussion about making Subgraph a VM on top of Qubes as well, but I think that would mean disabling some Grsec features to make that happen.
>What does the first sentence imply?
A lot of what one installs on Linux require other package installations.
>I dont know about qubes os
> I think you are confused.
I am not confused.
> The microcode updates are applied automatically by the OS, If you are using Windows or a mainstrean linux OS.
From my above response:
> My problem is some of these fixes require microcode updates to access the decreased but safer performance which Intel won't do even if they could because "FU eol deal with it."
Intel must release the microcode updates so that OSes can release them to their users. For example, the Qubes QSB on one such error states:
> Intel has provided a microcode update that mitigates the issue. Please note that Ivy Bridge processors are considered retired by Intel and no longer receive microcode updates. This means that Ivy Bridge processors will remain vulnerable to this issue. To mitigate the problem, we are masking out RDRAND availability to VMs on those affected platforms.
Source here. In this case the problem was fixed not by Intel but instead by the Qubes developers themselves. Users are lucky this was possible, and it's uncertain whether this is possible with most Linux distros or with Windows. According to the Spectre-Meltdown checker script, Fedora is as of this time on Ivy Bridge and earlier platforms still vulnerable, for example.
> All affected hardware is covered. But haswell, ivy bridge and sandy bridge still suffer a lot more.
As evidenced above, this is incorrect. The problem is not solved on Ivy Bridge except for the almost infinitesimal number of Qubes OS users in the world, and that's only because of luck.
Please note that workarounds can in many cases be worked around, i.e. microcode and software provisions. I'm not sure on macOS, but I know that Linux and its derivatives are much better at providing these patches.
As it is now, my laptop has one permanent speculative side-channel attack because Intel has decided that it is end of life. I switched to Qubes OS before this happened and largely because I expected stuff like this to happen. Consider this snippet from the Qubes QSB on this matter:
> Intel has provided a microcode update that mitigates the issue. Please note that Ivy Bridge processors are considered retired by Intel and no longer receive microcode updates. This means that Ivy Bridge processors will remain vulnerable to this issue. To mitigate the problem, we are masking out RDRAND availability to VMs on those affected platforms.
Intel has not said that Ivy Bridge (or prior) will not get microcode updates for this CVE because it cannot be done- in fact they haven't said shit beyond "haha poor: eol on your processor that was 7 years old at the time."
In this case I simply assume that there are side-channel attacks on my laptop that are unknown/unresearched because "eol" and thus even with something like Qubes am not going to trust it with my bank statements, personal documents and copies, etc.
I know for a fact my desktop has multiple permanent vulnerabilities of this form so...
And also to the extent that you are right, it is a very extreme version of diminishing marginal returns on complexity. Think about how incredibly complex modern processors are-- all the energy and resources used to produce and ship them... wasted as "woops sorry guys PERMAVULNERABLE BECAUSE OUR BAD" waste heat and pollution. A literal conduit of entropy both in production, utilization, and in being discarded.
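The QSB quoted above says Qubes masks RDRAND out of VMs on Ivy Bridge hosts that Intel no longer ships microcode for. The quickest way to see what your own qube actually gets is to read its /proc/cpuinfo. The following is an added example written for this page, not Qubes code: it parses the /proc/cpuinfo format, reports the CPU family/model and whether the rdrand/rdseed flags are exposed. It assumes Intel family 6 models 0x3A and 0x3E are the Ivy Bridge parts; the two cpuinfo samples are constructed and abbreviated, not captured from a real machine.

```python
"""Check what a VM sees in /proc/cpuinfo: is the host an Ivy Bridge part
(the generation the QSB says gets no further Intel microcode), and is the
rdrand flag still exposed or has it been masked?  Added example, not Qubes
code.  Assumption: Intel family 6, models 0x3A (Ivy Bridge) and 0x3E
(Ivy Bridge-E) are the "Ivy Bridge" parts."""
import os

IVY_BRIDGE_MODELS = {0x3A, 0x3E}   # assumed model numbers, see lead-in


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one dict per 'processor' stanza."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line ends a stanza
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        cpus.append(cur)
    return cpus


def assess_cpuinfo(text):
    """Summarise the first CPU stanza: generation and RDRAND/RDSEED exposure."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        raise ValueError("no processor stanzas found")
    cpu = cpus[0]
    family = int(cpu.get("cpu family", "0"))
    model = int(cpu.get("model", "0"))
    flags = set(cpu.get("flags", "").split())
    return {
        "vendor": cpu.get("vendor_id", ""),
        "family": family,
        "model": model,
        "microcode": cpu.get("microcode", "unknown"),
        "ivy_bridge": cpu.get("vendor_id") == "GenuineIntel"
                      and family == 6 and model in IVY_BRIDGE_MODELS,
        "rdrand": "rdrand" in flags,    # absent inside a qube if dom0 masked it
        "rdseed": "rdseed" in flags,
        "cpus": len(cpus),
    }


# Constructed samples (abbreviated flag lists), not captured from a real host.
IVY_BRIDGE_VM = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 58
model name\t: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz
microcode\t: 0x21
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx rdtscp lm constant_tsc aes xsave avx f16c hypervisor
"""

HASWELL_VM = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 60
model name\t: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
microcode\t: 0x28
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx rdtscp lm constant_tsc aes xsave avx f16c rdrand hypervisor
"""


def report(text):
    """Print a one-line verdict and return the parsed summary."""
    r = assess_cpuinfo(text)
    if r["ivy_bridge"]:
        print("Ivy Bridge (family 6, model 0x%X): no further Intel microcode" % r["model"])
    print("rdrand exposed: %s, rdseed exposed: %s" % (r["rdrand"], r["rdseed"]))
    return r


if __name__ == "__main__":
    # Inside a qube, read the real file; elsewhere, show the constructed samples.
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as f:
            report(f.read())
    else:
        report(IVY_BRIDGE_VM)
        report(HASWELL_VM)
```

Run it in an AppVM and in dom0 and compare: on an Ivy Bridge box with the QSB's masking applied, the AppVM should report rdrand absent while dom0 still sees it. A missing flag only tells you the CPUID bit is hidden from the guest; it says nothing about whether the microcode itself was ever fixed.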
> I’m assuming that they aren’t that common, since Xen doesn’t seem to be very widely used compared to things like Windows or MacOS, but the known examples of it have been patched already, right?
They aren't common for at least a couple of reasons.
1) Xen is reported to be quite small compared to for example the kernels of Linux/Mac/Windows. Xen's size is also mentioned in the design choices described here https://www.qubes-os.org/attachment/doc/arch-spec-0.3.pdf
2) Much work has gone in to trimming down Xen as it's used in Qubes. For example, the PV mode that has been a source of multiple escapes has been deprecated in favor of PVH.
Yes, the known examples have been patched.
A custom version of Xen was the backbone of AWS up until recently. AWS is reported to be moving to KVM, although I don't think they are deprecating Xen entirely https://xenresources.com/does-aws-use-xen-hypervisor/
For that reason I think it is safe to say Xen gets a fair amount of attention and usage.
Check Removing noexitboot and mapbs
On https://www.qubes-os.org/doc/uefi-troubleshooting/#removing-noexitboot-and-mapbs
This helped fix it for me... well, the screen goes black after some log lines are displayed at startup, but some seconds later the screen shows up again and it continues...
> if it is possible with GPU pass-trough is it mandatory to have a second graphics card or will integrated graphics be sufficient for the desktop/other parts of the OS while running a game?
Provided you can get the passthrough to work, integrated graphics should be fine for the rest of the system.
> just a few clicks or is it very in depth like on most linux distros with KVM
Closer to "very in depth". For more details, see https://www.qubes-os.org/doc/how-to-use-pci-devices/
> And last, how would one go about installing software? I assume this is not done with a normal package manager?
In a given guest, you would install software as on a non-Qubes guest. The only difference is that you would install a package in a template in order to make it available to all VMs based on that template.
Great summary!
One pitfall:

> Intel CPU with support for VT-x/VT-d
Firmware support is needed on the motherboard in addition to the CPU. MSI for example has VT-x but spotty VT-d implementation on some firmware and skipped it on one of my machines. You'll need to check with the vendor first and confirm if vt-d is supported. I've noticed it varies on models and may be left off public spec sheets.
The unofficial reports here have some motherboard info that may help: https://www.qubes-os.org/hcl/
Re: AEM, if you're very savvy, the safeboot.dev project and TPM2-leveraging Secure Boot may be a future route if you're comfortable. It's not really a fully user-facing project yet and Qubes support looks tricky; I've only tried Ubuntu with it. Pointing it out as an alternative to AEM or Heads (safeboot.dev is also led by Trammell Hudson) if you're interested in recent hardware and a DIY approach.
You mean custom built as in a desktop computer ?
If so, the easiest route for the basic requirements would be
If you want to take advantage of stuff like Anti-Evil-Maid you will run into challenges. Then you need to find a motherboard that can accommodate a TPM 1.2 chip as well as the actual chip (difficult), or you can roll the dice and get a TPM 2.0 supported system (easy) and hope the motherboard can emulate TPM 1.2 (I haven’t tried).
If you want to match the certification requirements you’d need to find a Coreboot-supported motherboard. Those are limited and few and far between (and none are “new” AFAIK).
Purism are fairly “recent”, all in all.
EDIT: I should preface this with saying I’m relatively new to Qubes too. I went for a maxed out ThinkPad T420 myself.
Librems are listed on the Qubes HCL.
They're not listed on Qubes' Certified Hardware list because Purism, for whatever reason, doesn't pay the monthly rate required in order to have the Qubes seal of approval.
But for reasons already stated (Disabled iME, HEADS Firmware, Librem Key, Hardware Kill Switches), they're still one of the best for security.
The Lenovo ThinkPad series has good compatibility with Qubes, but in all cases you can find a solution.
For example, I have a Dell with some internal components from Alienware, with an i7 and an RTX. It took some time to install because of a bug in the graphics card driver, but you need solid knowledge of Linux before trying to debug a Qubes install.
And try to look for your computer in this list: https://www.qubes-os.org/hcl/
Hope you have a nice experience with Qubes.
PS: sorry if my English is not perfect, I'm not a native speaker.
> So this is just a file being digitally signed by developers stating that they aren’t being coerced or blackmailed by a third party?
Basically, yes. You can read more about the concept here:
https://en.wikipedia.org/wiki/Warrant_canary
> How do we verify the signatures?
That's documented here:
https://www.qubes-os.org/security/pack/#how-to-obtain-verify-and-read
The short answer is no. The long answer, why not and what could be possible, is here:
“However, we can be pretty sure there will never be a GPU passthrough solution that works on every system. It is not just about the complexity of the problem and the multitude of GPU products available. As mentioned above, some manufacturers intentionally obstruct GPU passthrough in their graphics cards, so it is likely that some hardware configurations will never have full support. This is why the compromise solution will be available as a fallback even once more robust GPU passthrough is developed.”
It's a known issue with compositor, just disable it.
The short answer is... don't do that.
The longer answer is.. No. Really. Don't do that.
You didn't really specify what the USB device is. Outside of keyboard and mouse, USB should never ever touch dom0. If you need to transfer files in, (also heavily not recommended but you do you), attach the drive to an AppVM, transfer files to the AppVM, then use dom0 command to copy them in.
If it's an external keyboard you need, in dom0:
sudo qubesctl state.sls qvm.usb-keyboard
See: https://www.qubes-os.org/doc/usb-qubes/ for more info.
(Seriously.. don't do that.. it's Bad, mmmkay?)
Should be possible by editing your RPC policy appropriately:
https://www.qubes-os.org/doc/rpc-policy/
https://www.qubes-os.org/doc/qrexec/
Excerpt from second link:
> work-mail work-archive allow
> [...]
> The first rule allows calls from work-mail to work-archive, without any confirmation.
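To make the policy semantics concrete, here is a small evaluator for lines in the "source target action" format quoted above. This is an added, deliberately simplified model written for this page, not the qrexec policy engine from Qubes. It assumes: the first matching line wins, a call with no matching line is denied, `$anyvm` (or its later `@anyvm` spelling) matches every VM except dom0, `$tag:` patterns are resolved against a tag map the caller supplies, and an `allow,target=...` option redirects the call. The sample policy and tags below are constructed around the excerpt.

```python
"""Minimal evaluator for Qubes qrexec policy lines ("source target action").
Added, simplified model; not the qrexec policy engine.  Assumptions: first
matching line wins, no match means deny, $anyvm/@anyvm excludes dom0,
tags are supplied by the caller, 'target=' redirects the call."""
from dataclasses import dataclass, field

VALID_ACTIONS = {"allow", "deny", "ask"}


@dataclass
class Rule:
    source: str
    target: str
    action: str                                   # allow | deny | ask
    options: dict = field(default_factory=dict)   # e.g. {"target": "work-archive"}


def parse_policy(text):
    """Parse policy text into Rule objects; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'source target action[,opt=val]'")
        src, dst, action_field = parts
        action, *opts = action_field.split(",")
        if action not in VALID_ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        options = {}
        for opt in opts:
            key, _, val = opt.partition("=")
            options[key] = val
        rules.append(Rule(src, dst, action, options))
    return rules


def _matches(pattern, vm, tags):
    """Does one policy pattern match a concrete VM name?"""
    if pattern.startswith("@"):            # newer spelling of the '$' keywords
        pattern = "$" + pattern[1:]
    if pattern == "$anyvm":
        return vm != "dom0"                # dom0 must be named explicitly (assumption)
    if pattern.startswith("$tag:"):
        return pattern[len("$tag:"):] in tags.get(vm, set())
    return pattern == vm


def evaluate(rules, source, target, tags=None):
    """Return (action, effective_target) for a call from source to target."""
    tags = tags or {}
    for rule in rules:
        if _matches(rule.source, source, tags) and _matches(rule.target, target, tags):
            # 'target=' overrides where the call is actually delivered
            return rule.action, rule.options.get("target", target)
    return "deny", target                  # nothing matched: treat as deny


# Constructed sample policy, built around the excerpt quoted above.
SAMPLE_POLICY = """
work-mail   work-archive  allow                       # no prompt
work-dev    $anyvm        allow,target=work-archive   # always redirected
$tag:work   $tag:work     ask                         # prompt within the work domain
$anyvm      $anyvm        deny
"""

# Constructed tag map: which qubes carry the 'work' tag.
SAMPLE_TAGS = {"work-mail": {"work"}, "work-archive": {"work"}, "work-web": {"work"}}

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for src, dst in [("work-mail", "work-archive"), ("work-web", "work-archive"),
                     ("work-dev", "personal"), ("personal", "work-archive"),
                     ("dom0", "work-archive")]:
        print(f"{src:>10} -> {dst:<13} {evaluate(rules, src, dst, SAMPLE_TAGS)}")
```

The point to take from running it: order matters, so a broad `$anyvm $anyvm ask` placed above your specific `allow` line turns every call into a prompt, and a specific `deny` placed below a broad `allow` never fires. Check a new policy line by evaluating the exact source/target pair you care about before relying on it.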
You can simply use Qubes OS. The main feature of this distribution is that it uses virtualization to isolate different instances from each other. E.g. if you want to start Firefox, Qubes OS starts a VM and only shows you the Firefox window, so you can simultaneously start LibreOffice (automatically in another VM, and it shows only the application window) and they are isolated from each other; even copy and paste is not possible. But you could also start them in the same instance (VM) so they can communicate with each other.
The closest thing to what you are asking for was Citrix XenClient but that has been discontinued.
Your next best option might be QubesOS.
Otherwise build a Linux host and use KVM, or stick with Windows and use Hyper-V.
The most private distros are ones that take special measures to protect privacy at the expense of usability, Tails, which runs from memory and routes all connections through tor, and Qubes, which runs everything in VMs.
All the mainstream distros except Ubuntu are pretty much the same when it comes to privacy. In general, Debian takes the strongest stance on ethical issues like this, so I'd recommend it if privacy is your top concern.
Short answer is yes, but I will say it depends a lot on what you are going to do in that VM and, for the most part, on how you are going to configure it (i.e. if you use Google in the VM there is no point).
If you want a similar approach you should try https://www.qubes-os.org/ the image is heavy but provides anonymity.
Sorry, I read too quickly.
Debian Stable stays up to date with security fixes, and little beyond that by default. I don't have any info that says either react to upstream security updates faster. Fedora is on a 6 month point release cycle, though with daily feature updates as well.
In an otherwise unqualified "somewhat high risk threat model", I would probably look at qubes-os first.
You had mentioned Arch had no security article, try this: https://wiki.archlinux.org/index.php/Security
Good luck and hopefully others will weigh in.
RTFM: https://www.qubes-os.org/doc/pentesting/kali/
https://www.qubes-os.org/doc/pentesting/
Opinion (old, possibly still relevant): https://medium.com/@securitystreak/living-with-qubes-os-r3-2-rc3-for-a-week-1a37e04c799e
Ubuntu has been fine since October 2017 release (17.10) when they swapped the bundled Amazon app to just bookmark for Amazon. Also that one's gone too with the 20.04 released a week ago. It's a great starter distro. Once you get familiar with Linux, https://www.qubes-os.org/ is the only one that offers a noticeable difference in security architecture.
For the security minded and since everyone is posting suggestions for Linux distros:
Easy GUI-based installer, FOSS, encryption out of the box, Whonix bundled with it (for anonymity), GUI updater, XFCE4, i3 available, and uses Fedora and Debian AppVMs. Not for the faint of heart (requires rethinking how you use the computer) and doesn't work on all hardware, but worth a look.
I finally got it to work, after having removed whonix templates and vm's, by doing this:
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=install qubes-template-whonix-ws-15
and
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=install qubes-template-whonix-gw-15
Then I manually created the Whonix VMs from the manager. I also added this one manually:
qvm-create whonix-ws-15-dvm --class=AppVM --template=whonix-ws-15 --label=red
Then in 'whonix-ws-15-dvm', from Advanced settings, tick "Allow starting DisposableVMs from this qube". From there you can set anon-whonix's DispVM to whonix-ws-15-dvm.
Nix. I quite like the idea of a totally declarative system configuration.
Not exactly a Linux distro, but I would like to give Qubes a spin at some point. I have yet to feel adventurous enough for that, though...
Hi,
While brainstorming and doing more reading on the Qubes OS docs, I came across this section.
I made a new VM called uni-net that could be called a "subnet" for the three other uni-related VMs (uni-campus, uni-home, uni-shared). In uni-net, I followed those iptables commands and I was able to achieve successful pinging between uni-campus and uni-shared and between uni-home and uni-shared. Following that, I set up a Samba share on uni-shared and I was successfully able to mount that share and read and write data into it.
Problem solved!
Qubes is going to be wonky no matter what printer you go with just because Qubes is so locked down. If you are setting up the printer as a network printer, this might help. The degree of support would depend on the template VM you're using.
>Note: We don’t recommend installing Qubes in a virtual machine! It will likely not work. Please don’t send emails asking about it. You can, however, install it on an external USB hard drive (at least 32 GB) and run from it, at least for testing. Bear in mind, however, that such disks are typically orders of magnitude slower than even the slowest internal hard drives.
At least some of the templates can be installed using the salt system. It's possible all of them have salt configurations. That said you'd need to have all of the installation files already stored locally since you don't even have sys-net or sys-firewall yet.
If you literally only have a dom0 and nothing else configured I'd just redo the install from scratch.
Have you followed the instructions here? https://www.qubes-os.org/doc/multiboot/
Some questions which might help pinpoint your problem, as it isn't really very clear from your OP:
What boot mode is your BIOS set to operate: legacy or UEFI?
Have you installed the GRUB bootloader? Is it on the MBR?
Are you getting a GRUB bootloader screen at all? If so, does it list Windows?
Does Windows boot?
When you say you can't see the Qubes partition, where can't you see it, that you would expect to do so?
What USB do you want to wipe? If you want to just re-copy the installation media, then using whatever utility you used to write it in the first place should work (eg dd). If you want to (non-cryptographically) wipe it anyway, then dd if=/dev/zero of=/PATH/TO/DEVICE/ (eg of=/dev/sdb) should do it.
Two final thoughts:
A. Read the link above, and in particular the security warnings about dual-booting with Qubes, and make sure you understand the risks and that the outcome is what you want to achieve.
B. If you haven't already, back up your Windows partition, or at a minimum any data you want to save, and make sure you have access to usable Windows installation media in case things go very wrong.
C. You could install to a flash drive, if you have a big enough one (~32GB IIRC). But from experience, this can be slow to run. YMMV. A compromise might be a separate internal HDD, all the better if it's one where you can physically disable the power whilst using Windows to avoid potential for contagion. Still not ideal, but better.