PubesOS

How "good" is this to use?
I've been toying around with v3.2 and it doesn't require virtualization to work until v4.
My T500 has options to enable VT-x but for some reason it won't boot or install with them enabled.
It seems I've looked just about everywhere as to why that is, but have yet to find a reason.
I'm probably just blind or stupid.
Their "compatibility list" is such a mess of "yeah sure it will work trust me".
Their latest "Qubes Air" which is some cloud computing version of qubes even talks about how hard it is to find a compatible laptop to get everything working, especially since v4 is going to require virtualization.

placebo

Can you go into more detail as to why it's placebo?
Are vms in general placebo?

vms are just as much subject to exploits as the host, just look at the implications of the cpu bugs.
it would be fine if everything worked perfectly, but as it stands it's security through obscurity.

Why do I see this attitude on Holla Forums so often? Does half of Holla Forums make all their passwords "password" because "well they could always brute force it or get around it some other way."?

I think because of these latest cpu exploits, it makes everything completely irrelevant when it comes to security.
As far as I've seen, it's not some exploit that only a government can use but rather anyone who can target a specific machine.
The patches for them are causing more bugs as well which begs the question, do these people even know how to fix a problem?
Of course we know that computers are never going to be completely bug free which also means that bugs can always be fixed, it's just the magnitude of this latest exploit that's got people worried.

That's exactly what it helps protect against. CPU exploits are obviously something it can't. But it can mitigate against software exploits that don't involve escaping the VM.

not at all, but i think openbsd's approach to security through simplicity instead of more complexity is more sensible

Checks out

Most people on this board are from other boards and don't know what they're talking about, and only exist to make shallow value judgments based on hearsay.

I am considering installing it on my laptop. One of the things keeping me away from it is any practical use for something this complex on essentially a tablet with a keyboard.

are you a nigger tbh?

are you dumb?
vm breakouts are extremely rare and most of them are qemu bugs (qubes uses xen btw)
the vms are also completely isolated so it contains intrusion pretty well

Good luck fixing all buffer overflows in all C programs by "careful reading" the code. Retard.

qubes-os.org/security/bulletins/
cool story bro

You really need to ask after reading
?

take this (You), you (((rust))) shill

Correct.

it's pretty much "xen, but it 'just werks',"

when I tried it, I liked how it flowed, but the developers (or just one of them) had a bad outlook on GPU passthrough, which turned me away from it. It's lust for your ram is fucking insatiable, I've literally never seen a single piece of software that used as much memory as xen under qubes. but really, if this project is truly as badly managed as it sounds, then it's fucked. If you want to use xen, you'd be better off installing it using a host that you know and use.

its*

please name a truly secure philosophy of security please.

Operational security is the best way, after that it's retroactive security which is when your security fails.

why not just host Xen on gentoo/freebsd then run openbsd/centos in virtual machines? keep systemd further away from the hypervisor.

Air gap

Why not just build everything from scratch? Portage-based system written in Python is not that minimal.

doesn't work if the computer is ever turned on

It works reasonably well. At least it would require an expensive targeted attack. While in case of isolation/virtualization you are one of the millions of users with the very same sandboxing tech so attack becomes quite practical.

Qubes is great for casual users who want a secure desktop. Personally I use it for a combination of shitposting and managing cryptocurrencies. Being able to break your habits into different VM workspaces is surprisingly useful. The Fedora and Debian templates ITL provides work fine, I haven't had any issues with common programs inside the appVMs. It does soak up RAM though, on a T410 with 6gb RAM I'm limited to about two instances of chromium in two different VMs, with maybe ~10 tabs active in each.

I bounced around a buncha distros and now this and a copy of win10 on another hard drive are the only two systems I regularly use tbh. But I am pretty casual. ymmv.

also the lead dev is a qt who can rubberhose me any day she wants.

Improbable

It's annoying you have a pea for a brain Ivanka Rutschlovka

also OP the #qubes channel on freenode is surprisingly active, if you need help getting it running on your machine you'll probably find it there.


even better


ok

bumpin the qubes thread

Shit is only good for browsing with multiple vpns at once which isn't even officially supported, you have to set it up yourself

This, install xen and don't bother with this crap.

Get a load of this tryhard faggot.

I've used QubesOS as my daily driver for over a year, and for the most part have been impressed with it. Its killer feature, imo, is seamless desktop integration, which allows an application running in a VM to integrate with the desktop just like a native window. It makes using software in VMs a cinch, and there's no other solution anywhere near as good as Qubes' implementation that I've found. It's unfortunate, really, because I don't like the direction Qubes is heading with the releases following 4.0. They plan to introduce "Qubes Air" which will introduce a whole slew of cloud integration stuff - way too much complexity into what is supposed to be a security OS. Hence I'm ditching it once Qubes 3.2 is EOL. It's a shame, because the 3.2 desktop integration is elegant and functional, and perfect for my workflow.

That blog post turned me away too, it is unbelievable how it seems to be made to use chrome, google docs and everything in the cloud. Why even bother with local isolation if you are giving away everything to remote servers? They even want you to access a qubes instance running on aws or whatever which is far less secure than any GNU/Linux distro running locally. The "Hybrid" thing still requires special hardware like the local version but also gives your data to Big Internet on a silver platter.

It's a crazy decision, user, and in complete opposition to the principles that Qubes was founded on. The only rationale I can think of is that Invisible Labs intends to get into the hosting game; i.e. they'll offer a 'trusted' hosting solution for customers that can't run Qubes locally, due to hardware requirements or whatever. Even then it doesn't make much business sense, because the users that are most interested in an OS like Qubes are the very same users that will balk at having their personal data hosted on infrastructure they don't control. It's sad when a project has reached maturity, and the developers - not realising that fact - begin adding features for features' sake that detract from the original vision.

Whoever says that probably says it in order to antagonize anyone who says anything relating to security.

What processor are you using in your t500? mine only has an option for VT-d

Pubes are hot :3

That's a man, baby.

when running complex software of any kind there will always be exploits simply due to there being a large attack surface (this is essentially the problem with systemd, it's too big of a piece of software to keep from accumulating exploits). VMs are really nice since they are essentially security by compartmentalisation which is a really good concept. the really nice feature of this is if there's an exploit in say your NIC then it can't spread laterally across the system. there's much less chance for single point of failure.

Qubes is pretty well run as far as I can tell. They are small so the developers have a lot on their plate but are still responsive especially on something critical. 3.2 is stable and I have been using it as my primary daily machine. 4.0 is nearly there.
Just because Qubes Air might provide the ability to run VMs remotely does not mean it has to. It would also work on a local isolated network with no internet connection, so you could use all your computers in a Qubes farm.
They have a good track record of making the right security choices. Writing them off based on a single blog post about future plans is ignorant.

Well said.

I think the blog post is more of a highly technical "thinking out loud" thing than it is some sort of set-in-stone plan. They're inviting comment from knowledgeable people to critique their ideas and improve on them before they actually do implementation planning. This speaks well to their professionalism. Personally, I trust them to get this right.

It's not like they're pulling some Poettering-style "my way or the highway, don't you dare criticize my batshit crazy ideas or methods" nonsense.

Anyone happen to know if Qubes is compatible with GPU passthrough?

anybody who doesn't shill Qubes is a CIA nigger

Yep. I've been using Qubes for several years on an X230. You can go ahead and plan on 16GB of ram if you want to have multiple AppVMs with tabbed browsers and common linux apps running as a means of compartmentalizing your digital activity according to different security profiles. If you have less ram, at least install a browser extension to automatically unload idle tabs. It helps immensely until you can upgrade the ram.

It is.

bump

Qubes is great, OP is a brainlet and obviously just wants to shit on Qubes.

OP = NSA

It's surprisingly good to use. Even my oldish laptop can run it without much trouble.

I got the same impression. While I'm sure there's a number of nice bells and whistles that Qubes has on its own, I see no need to throw the baby out with the bathwater and ditch whatever OS you're already familiar with just to get something you can probably achieve elsewhere.

What other OSes have a chance at protecting you from a compromised hardware device?

autism

But in any case this OS is marketed towards high level risks, which is fucked because side channel attacks. IBM supposedly mitigates this with their POWER9 processors.

You mean evil maid attack?

here:
unix.stackexchange.com/questions/189412/defending-against-the-evil-maid-how-to-handle-removal-of-the-boot-partition

With Spectre exploits around it might all look very different.

No, I mean from a badusb type attack. Qubes isolates the usb controller in its own vm (and network in another) behind iommu so even if the controller itself gets compromised, it can't access the rest of the system. Due to its design, it could contain Meltdown attacks to the compromised vm even without any patches. Spectre is a longer discussion, look it up if interested.

snowden promotes qubes and come to find out hes 100 percent c eye ayyyylmao clown same with that safedrop dropsecure securedrop!!!!

That's for sure my fellow teen lol, we better stop using it right away! xD