I wish I had known that one before. It would have made my transition a little easier. Finally got to playing around with the Whonix templates. Very very cool. I now have a Whonix gateway set up so that my traffic runs through Tor and VPN (in separate gateway VMs). The speed is not that bad for browsing, a slight decrease in my normal VPN speeds. The way that Qubes handles networking, by modularization, makes it easy to run different layers of security. I also have found my knowledge of networking and privacy increased as a result.
Hi miauzon, You might want to subscribe to The Invisible Things Lab Blog at: http://theinvisiblethings.blogspot.com/ which should have links to other articles from its author(s) et al. (follow the older posts link at the bottom). -- Tom
Qubes developer: https://twitter.com/rootkovska New paper: "Software compartmentalization vs. physical separation (Or why Qubes OS is more than a bunch of VMs)" http://www.invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf https://thehackernews.com/2015/10/secure-operating-system.html
The VPN is running in a separate Debian 8 ProxyVM, as Qubes refers to it. The VPN is in a completely separate VM. The same is true for the Tor gateway, however this is set up as a Whonix gateway. https://www.qubes-os.org/en/doc/vpn/ I have started to take a similar approach with my server. While Qubes does not run on my server, I have used compartmentalization to limit access of my sensitive information to the outside world. It is not perfect, I still need external access to my files. To reduce the risks I have the external facing point in an isolated VM with only one port open.
driekus, I downloaded Qubes primarily for the use of Whonix OS/gateway function. What kind of setup in Qubes have you liked using? Found any info regarding any DNS leaks?
I found it very effective at Whonix OS/Gateway/VPN. I am not sure on the DNS leak part, have not paid much attention to it.
It would be worth trying out when they finally get it to work properly with NVIDIA GPUs, especially mobile for those of us with laptops.
Well cool. I've been testing Qubes 3.1 RC2 on and off for a couple of months. I found it to be quite an improvement over 3.0. The inclusion of Debian and Whonix VMs made a huge difference.
I've recently started using Qubes and while it is indeed a learning curve, I must say I don't find it too difficult. (And I've been a Windows user all my life, with only a little Linux experience.) What does help is general knowledge of software and hardware and experience with VMs. Also it looks like Qubes 3.1 is a lot more preconfigured than older versions, which helps a lot of course. I'm using a laptop, but connected to a separate monitor and external mouse/keyboard (USB) most of the time. The documentation from Qubes makes it look like you have to choose between BadUSB protection through a USB Qube or using an external USB keyboard/mouse. You can also use the USB VM and proxy the keyboard/mouse input to Dom0, but that means the untrusted USB VM will be able to control them so it doesn't add much security. My laptop however has 4 external USB ports, 2 USB 3.0 ports and 2 USB 2.0 ports. The 2 USB 3.0 ports are using another USB controller than the USB 2 ports. So I've created a second USB VM that is linked to one of the controllers and is allowed to pass through keyboard & mouse input to Dom0, while the original USB VM is linked to the other controller to protect against untrusted USB devices on those ports.
Security challenges for the Qubes build process https://www.qubes-os.org/news/2016/05/30/build-security/ Shows how much you're depending on the security consciousness of developers. Also, for those interested: preliminary work for a Subgraph OS template on Qubes. Since this will also involve getting Grsecurity to run inside Qubes it is not only interesting for Subgraph OS itself. https://github.com/subgraph/subgraph-os-issues/issues/153
Qubes OS is a great thing and I have been dreaming of an OS based on a type 1 hypervisor for a long time, but unfortunately it is crappy on the hardware side. I was never able to enable the network even if it is detected; the device is not there even with linux_firmware installed. Neither wifi nor wired network works, so at the end of the day Linux is again kicked off the workstation. I will try in a few years if it becomes stable at the basic things that normally come out of the box on Windows. Does someone know if there is some other distribution which is based on a type 1 hypervisor? (The security is not that important, but I need a thin OS capable of running virtual machines for desktop usage. I am doing cross-platform development and it would be great to not waste resources for Windows running VMware Workstation, but for now this is the only working solution that I have found.)
@Spodletela - Qubes is already working on hypervisor-agnosticism, so that it won't be so dependent on Xen. They do have an HCL as I guess you'll have seen, though this is principally populated by laptops. I haven't had your experience of basic things like networking not working, most laptops I've tried work out-of-the-box; the bigger hardware issues for me are the graphics adaptor compatibility and that it's hard to get a decent desktop setup with VT-d. For me, the ideal rig with any multi-virtual machine setup (including Qubes) is oodles of RAM & cores and multi-monitor, which is not easily achieved with laptops.
Qubes 3.2 RC1 has been released with greatly improved hardware compatibility: https://www.qubes-os.org/news/2016/06/18/qubes-OS-3-2-rc1-has-been-released/
I am running mine on a Lenovo P50 with an Nvidia Quadro M2000, Intel Xeon processor, 32 Gb RAM, 512Gb PCIe NVMe SSD. I am currently running Qubes on it without too many problems. I haven't checked multi-monitor but the laptop has both HDMI and DisplayPort. The nouveau drivers in 3.2 are supposedly far more recent which should improve the performance, although with this hardware Qubes runs pretty quick.
Qubes Security Bulletin #24 https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-024-2016.txt Qubes 4 will ditch paravirtualization in favor of hardware-enforced memory virtualization: https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/ Qubes 3.2 RC2 has been released: https://www.qubes-os.org/news/2016/07/28/qubes-OS-3-2-rc2-has-been-released/
Qubes OS 3.2 rc3 has been released! https://www.qubes-os.org/news/2016/08/31/qubes-OS-3-2-rc3-has-been-released/ Minimum requirements for Qubes OS 4.x and extended support for Qubes OS 3.2 https://www.qubes-os.org/news/2016/09/02/4-0-minimum-requirements-3-2-extended-support/ Qubes OS 3.0 reaches EOL on 2016-09-09 https://www.qubes-os.org/news/2016/09/02/qubes-os-3-0-eol-on-2016-09-09/
Qubes Security Bulletin #26 https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-026-2016.txt
Thoughts on the "physically secure" ORWL computer by Joanna Rutkowska dated September 3, 2016 Related: ORWL - The First Open Source, Physically Secure Computer Note: Optional OS: Qubes OS (no version specified) -- Tom
No doubt about that! And it's very refreshing to see a woman blazing a new trail, in an area so dominated by men. I am way behind with my Qubes testing (v2.x) so I'm eager to get 3.2 and see if some of my previous headaches have been resolved. This sounds good: "In Qubes 3.2, we’re also introducing USB passthrough, which allows one to assign individual USB devices, such as cameras, Bitcoin hardware wallets, and various FTDI devices, to AppVMs. This means that it’s now possible to use Skype and other video conferencing software on Qubes!" I'm guessing that everyone here is talking about Qubes installed in a VM and not running "Live" in VM... is that right?
Probably installed bare metal, since the Xen hypervisor doesn't like running in a VM, though it can be made to work afaik. Regarding "Live", the ISO doesn't support a Live mode. There is a Live USB image, but it is still in Alpha and is based on an older version of the 3.1 release.