Qubes OS

Question

Qubes OS

Colton Cooper

Is it actually secure? Should I use hardened gentoo instead?

May 9, 2017 - 19:57

Other urls found in this thread:

cvedetails.com/vulnerability-list/vendor_id-6276/XEN.html
cvedetails.com/vendor/97/Openbsd.html
qubes-os.org/doc/vm-sudo/
aboutthebsds.wordpress.com/2013/01/25/20/
wiki.gentoo.org/wiki/Hardened_Kernel
cvedetails.com/vendor/5632/Windows.html
cvedetails.com/product/32238/Microsoft-Windows-10.html?vendor_id=26
cvedetails.com/product/17153/Microsoft-Windows-7.html?vendor_id=26
twitter.com/NSFWRedditVideo

Xavier Lopez

No, why would you even think that?
Its like you're begging to get hacked my dude.

Here, it wounds like you need some help on personal computer security, so let me help you out bruh because I love you. What you need is Windows 10 Enterprise Edition. I also recommend upgrading your processor because modern Intel chips have what we in the industry call "AES instructions" If you don't know what that means, its just a fancy way of saying it has anti-virus built into the chips.

For additional security while browsing, I also recommend masking your identity with Google Chromes Incognito Mode.

Stay safe out there dude

May 9, 2017 - 20:12

Angel Reed

...

May 9, 2017 - 20:21

Jackson Rodriguez

cvedetails.com/vulnerability-list/vendor_id-6276/XEN.html

May 9, 2017 - 20:31

Grayson Morgan

Virtual machines provide isolation which is a definite improvement of security.
At the same time, they enable VM escapes which are another attack surface for privilege elevation. The VM escapes may be difficult to discover and fix because of the complication of modern processors.
So it is very possible that you are only moving the problem rather than fixing it.
Linux has isolation mechanisms which does not create additional attack surfaces. These include NSA SeLinux and various other linux security modules.

May 9, 2017 - 20:52

Chase Price

98% of VM escapes require root privilege to work, it's crazy that Qubes give free privilege escalation to guests.

May 9, 2017 - 21:34

Jacob Gomez

An adversary capable of a VM escape can easily find a privilege escalation bug in the linux kernel.

May 9, 2017 - 21:40

Isaac Hernandez

Is it really trustworthy? My understanding is that they actually use it internally.

May 9, 2017 - 23:07

Matthew Morris

Thanks for this helpfull advice!

May 9, 2017 - 23:49

Brandon Davis

cvedetails.com/vendor/97/Openbsd.html

May 9, 2017 - 23:50

Xavier Thomas

Call me crazy, but i compile my hardened gentoo kernel without it

May 10, 2017 - 00:05

Kayden Wood

VM escapes are expensive so yes.

May 10, 2017 - 04:13

Adrian Powell

I don't understand why then used Xen instead of KVM.

May 10, 2017 - 04:19

Dominic Bell

It's probably more secure but maybe not. If you don't want the hassle of compiling all your code with the hardening options turned on, you could try Alpine as an alternative to hardened gentoo, but it is more for servers that do only a few tasks (e.g. NAS).

May 10, 2017 - 11:46

Cooper Hughes

Doesn't alpine use apks or something like that?

May 10, 2017 - 13:21

William Robinson

Yes, its a binary package manager, instead of compiling like gentoo.
Also, it uses musl instead of glib.
But it uses OpenRC just like gentoo because it was originally built from gentoo.

May 10, 2017 - 14:19

Justin Jackson

I forgot to add that it uses busybox instead of gnu core utils.
The whole idea with using musl and busybox is to have a simpler code base I believe. Add to it the fact that it uses a hardened kernel and packages and it should be pretty secure.
Maybe not as secure as qubes though.

May 10, 2017 - 14:21

Isaac Butler

Xen is more minimal since KVM requires a full linux kernel running at lowest level.
At least that's my guess.

May 10, 2017 - 14:32

Aiden Hernandez

Nah. Any downstream distribution barely cares about the code in a piece of software unless they have to patch it to work their way, or because the maintainers are not there/dicks. It'd be way easier to package gnu tools, since everything's compatible with them, and they wouldn't need to patch a bunch of programs to work with busybox/musl.
The reason they use busybox/musl is because they generate smaller binaries, which is kind of required in the environments they want to use alpine in the first place.

May 10, 2017 - 15:01

Michael Gomez

Amusing bait.

May 10, 2017 - 15:18

Colton James

qubes-os.org/doc/vm-sudo/

May 10, 2017 - 16:00

Owen Hall

If you're so concerned about security, I would rec OpenBSD

May 10, 2017 - 17:25

Isaac Murphy

aboutthebsds.wordpress.com/2013/01/25/20/

May 10, 2017 - 18:49

Christopher Wood

Yes.

May 10, 2017 - 18:51

Gabriel Rivera

Alpine has same problem as OpenBSD in my eyes. It lacks extended access control. Can't really understand why they couldn't just adopt AppArmor or something like that.

May 11, 2017 - 02:15

Kayden Sanchez

OpenBSD zealots spout that crap every fucking time. They are the most brainwashed group in tech that I know of.

May 11, 2017 - 02:19

Thomas Reyes

Don't they have SElinux or something?

May 11, 2017 - 04:02

Brody Ramirez

proof?

May 11, 2017 - 04:45

Sebastian Morales

This had better be satire.

May 11, 2017 - 05:52

Parker Martin

What do you mean by "extended"? Isn't grsec enough for you?

May 11, 2017 - 06:01

Owen Moore

Alpine doesn't use RBAC.

May 11, 2017 - 06:52

Connor Perry

No. No SELinux, no RBAC, no TOMOYO, no AppArmor, no Smack. They don't use anything like that.

May 11, 2017 - 06:54

Michael Young

What happens to hardened gentoo now that grsecurity is no longer free?

May 11, 2017 - 08:40

Isaiah Russell

I think they are going independent and branching off with their own patch sets.
wiki.gentoo.org/wiki/Hardened_Kernel

May 11, 2017 - 08:53

Daniel White

That's pretty awesome.

May 11, 2017 - 14:01

Cameron Watson

So is Hardened getting full RAP, or is it just going to be the neutered kernel-only version that's available with free grsec? Because the table on that page lists RAP, but it doesn't mention if it will be for all programs or just the kernel.

Grsecurity really is a great hardening patch. If only spender wasn't such a fucking autist and didn't have a meltdown about some chink company doing what all chink companies do and ripping off his product, we wouldn't even be in this mess in the first place.

May 11, 2017 - 16:44

Nathaniel White

It's fairly secure.

May 11, 2017 - 17:43

Christopher Baker

I am a total obsd fanboy, since the 90s. That paragraph is not that far off. I don't know about physical abuse but everything else is in the ballpark. Theo is famous for ripping into people, is definitely of the dictatorial management style, and misc@ is not the friendliest of places places if you are new (to anything.) You'd better have rtfm and done your homework.

Personally I don't see it as bad. When you approach dragons you should do so with appropriate respect, fear and preparation.

May 11, 2017 - 21:23

Ian Rogers

It's not really bait, it's just sarcasm.

May 11, 2017 - 22:01

Adrian Powell

Only GrSec faggets are attacked this way, because they're faggets and deserve it.

May 11, 2017 - 22:43

Nathan Parker

Which company was it?

May 12, 2017 - 04:10

Wyatt Morales

cvedetails.com/vendor/5632/Windows.html

May 12, 2017 - 06:45

Easton Lopez

cvedetails.com/product/32238/Microsoft-Windows-10.html?vendor_id=26

cvedetails.com/product/17153/Microsoft-Windows-7.html?vendor_id=26

May 12, 2017 - 08:15

Carson Clark

most of these don't even affect qubes

May 18, 2017 - 08:03

Christian Clark

The cathedral development model doesn't make the project nonfree though.

May 18, 2017 - 08:15

Michael Fisher

Wow, this is retarded. You can use SELinux with Qubes, and isolation like chroot jails often share proc,gui,dev,kernel, etc. meaning there is huge attack surface per process compared to Qubes (Which would primarily be hypervisor attacks and hardware level like rowhammer).

May 20, 2017 - 07:11

Noah Richardson

you could just change the templates to not use "user ALL=(ALL) NOPASSWD: ALL" if it really bothers you.

May 20, 2017 - 07:14

1 2 ... 5 Next

Qubes OS

Last threads