Qubes OS

Is it actually secure? Should I use hardened gentoo instead?

Other urls found in this thread:

cvedetails.com/vulnerability-list/vendor_id-6276/XEN.html
cvedetails.com/vendor/97/Openbsd.html
qubes-os.org/doc/vm-sudo/
aboutthebsds.wordpress.com/2013/01/25/20/
wiki.gentoo.org/wiki/Hardened_Kernel
cvedetails.com/vendor/5632/Windows.html
cvedetails.com/product/32238/Microsoft-Windows-10.html?vendor_id=26
cvedetails.com/product/17153/Microsoft-Windows-7.html?vendor_id=26
twitter.com/NSFWRedditVideo

No, why would you even think that?
Its like you're begging to get hacked my dude.

Here, it wounds like you need some help on personal computer security, so let me help you out bruh because I love you. What you need is Windows 10 Enterprise Edition. I also recommend upgrading your processor because modern Intel chips have what we in the industry call "AES instructions" If you don't know what that means, its just a fancy way of saying it has anti-virus built into the chips.

For additional security while browsing, I also recommend masking your identity with Google Chromes Incognito Mode.

Stay safe out there dude

...

cvedetails.com/vulnerability-list/vendor_id-6276/XEN.html

Virtual machines provide isolation which is a definite improvement of security.
At the same time, they enable VM escapes which are another attack surface for privilege elevation. The VM escapes may be difficult to discover and fix because of the complication of modern processors.
So it is very possible that you are only moving the problem rather than fixing it.
Linux has isolation mechanisms which does not create additional attack surfaces. These include NSA SeLinux and various other linux security modules.

98% of VM escapes require root privilege to work, it's crazy that Qubes give free privilege escalation to guests.

An adversary capable of a VM escape can easily find a privilege escalation bug in the linux kernel.

Is it really trustworthy? My understanding is that they actually use it internally.

Thanks for this helpfull advice!

cvedetails.com/vendor/97/Openbsd.html

Call me crazy, but i compile my hardened gentoo kernel without it

VM escapes are expensive so yes.

I don't understand why then used Xen instead of KVM.

It's probably more secure but maybe not. If you don't want the hassle of compiling all your code with the hardening options turned on, you could try Alpine as an alternative to hardened gentoo, but it is more for servers that do only a few tasks (e.g. NAS).

Doesn't alpine use apks or something like that?

Yes, its a binary package manager, instead of compiling like gentoo.
Also, it uses musl instead of glib.
But it uses OpenRC just like gentoo because it was originally built from gentoo.

I forgot to add that it uses busybox instead of gnu core utils.
The whole idea with using musl and busybox is to have a simpler code base I believe. Add to it the fact that it uses a hardened kernel and packages and it should be pretty secure.
Maybe not as secure as qubes though.

Xen is more minimal since KVM requires a full linux kernel running at lowest level.
At least that's my guess.

Nah. Any downstream distribution barely cares about the code in a piece of software unless they have to patch it to work their way, or because the maintainers are not there/dicks. It'd be way easier to package gnu tools, since everything's compatible with them, and they wouldn't need to patch a bunch of programs to work with busybox/musl.
The reason they use busybox/musl is because they generate smaller binaries, which is kind of required in the environments they want to use alpine in the first place.

Amusing bait.

qubes-os.org/doc/vm-sudo/

If you're so concerned about security, I would rec OpenBSD

aboutthebsds.wordpress.com/2013/01/25/20/

Yes.

Alpine has same problem as OpenBSD in my eyes. It lacks extended access control. Can't really understand why they couldn't just adopt AppArmor or something like that.

OpenBSD zealots spout that crap every fucking time. They are the most brainwashed group in tech that I know of.

Don't they have SElinux or something?

proof?

This had better be satire.

What do you mean by "extended"? Isn't grsec enough for you?

Alpine doesn't use RBAC.

No. No SELinux, no RBAC, no TOMOYO, no AppArmor, no Smack. They don't use anything like that.

What happens to hardened gentoo now that grsecurity is no longer free?

I think they are going independent and branching off with their own patch sets.
wiki.gentoo.org/wiki/Hardened_Kernel

That's pretty awesome.

So is Hardened getting full RAP, or is it just going to be the neutered kernel-only version that's available with free grsec? Because the table on that page lists RAP, but it doesn't mention if it will be for all programs or just the kernel.

Grsecurity really is a great hardening patch. If only spender wasn't such a fucking autist and didn't have a meltdown about some chink company doing what all chink companies do and ripping off his product, we wouldn't even be in this mess in the first place.

It's fairly secure.

I am a total obsd fanboy, since the 90s. That paragraph is not that far off. I don't know about physical abuse but everything else is in the ballpark. Theo is famous for ripping into people, is definitely of the dictatorial management style, and misc@ is not the friendliest of places places if you are new (to anything.) You'd better have rtfm and done your homework.

Personally I don't see it as bad. When you approach dragons you should do so with appropriate respect, fear and preparation.

It's not really bait, it's just sarcasm.

Only GrSec faggets are attacked this way, because they're faggets and deserve it.

Which company was it?

cvedetails.com/vendor/5632/Windows.html

cvedetails.com/product/32238/Microsoft-Windows-10.html?vendor_id=26

cvedetails.com/product/17153/Microsoft-Windows-7.html?vendor_id=26

most of these don't even affect qubes

The cathedral development model doesn't make the project nonfree though.

Wow, this is retarded. You can use SELinux with Qubes, and isolation like chroot jails often share proc,gui,dev,kernel, etc. meaning there is huge attack surface per process compared to Qubes (Which would primarily be hypervisor attacks and hardware level like rowhammer).

you could just change the templates to not use "user ALL=(ALL) NOPASSWD: ALL" if it really bothers you.