Just curious to know about organizations that have deployed Qubes–I’d like to see how Qubes holds up in the high-stakes situations it’s built for. I know there’s SecureDrop that’s based on Qubes, but I haven’t really heard of its widespread deployment.
Alternatively, has there been any serious pentesting efforts (red team, blue team, CTF, etc.) I can read about?
@fiftyfourthparallel Well, obviously Edward Snowden uses Qubes (or at least says he does). I would consider his situation fairly high stakes. One difficulty in naming certain users and groups is that true high stakes situations don’t make public disclosure very likely.
Having a major certificate authority as a user is definitely a confidence booster. I’m not sure if Mullvad is actually a user, based on that link–probably a mis-link.
Still, are there any plans for pentesting with some stakes? For example, an open competition to remotely hack a default/minimal configuration of Qubes in order to identify previously unknown issues, with real cash prizes? There are weaknesses that are undiscovered until they meet the real world, and this would go a long way in finding them IMO, and would provide a huge boost of confidence for organizations that might be looking to deploy Qubes but have observed the paucity of real-world examples.
Mullvad is a great example. They provide a service to protect user privacy and they use Qubes for all of their operations. They are outspoken supporters of the Qubes project too. I believe they have made donations to support Qubes development.
Not a mis-link. There just isn’t (AFAIK) a public link available that states that Mullvad is a user, but they are. If anyone finds a better link, please let me know, as this statement is on the intro page.
I started this thread because I recently came across research by BlackBerry that confirms what I’ve long suspected–Linux systems are especially prized targets since most important things run on, or are stored on, Linux devices.
Given the increasing prevalence of VMs on cloud machines, it wouldn’t surprise me if hypervisors like Xen are actually frequently targeted, or at least of a somewhat high priority, but it’s just that we don’t hear about it often.
I’ve glanced through the PDF but was unable to figure out what attack vector the actors described used to attack Linux systems–are these ‘zero-click’ attacks which require no action on the part of the target? Would appreciate it if someone enlightened me.
Also, if financing an open competition is an issue (though ITL really should be investing in proving to potential clients that Qubes isn’t just theoretically secure), are there alternative solutions that can involve crowdfunding? Or some special competition structure (like a sort of cash pot that grows as contestants pay into it)?
My understanding is that there’s barely enough money to keep things running as-is and that a much higher priority for new funds would be hiring much-needed developers. This is not to say that financing an open competition is not considered important, only that there are even more important and urgent needs.
I’m sure there are, but I’m not an expert in this area. Perhaps @michael might be able to speak to the possibilities here.
Not public, but Andrew, you should have access. I think it was always a capacity issue as soon as it tried to go from fun idea to making it happen. But you can ask the team if it’s something that might be of interest to revisit.
Re: public deployments, by individuals with high stakes you have:
Qubes U2F Proxy was funded by Google’s Enterprise Infrastructure Protection Team (aka Google Security Team):
The Qubes-based version of SecureDrop (SecureDrop Workstation) is still in pilot mode I think. When complete it will be deployed in the following media organizations to protect communications with sources:
As part of the Qubes-based SecureDrop Workstation they funded a security audit of it, the results of which you can read here:
This is a great name; if I were an enterprise programmer I’d love to be called Lovecruft. Triple points if I was working at HP.
To be honest, when I look at the endorsements on the site while roleplaying as a corporate security officer eyeing a potential new platform, I can’t help but notice that they’re just personal endorsements through Twitter that amount to a one-time thumbs-up. On top of that, of the actual organizational deployments, Mullvad is eerily quiet about their Qubes usage (zero mentions from their side) while Let’s Encrypt’s tweet lacks details and reads like your typical PR platitude. I doubt anyone’s lying here, but it comes across as weak for someone who might want to tap ITL to secure their company.
Note that I am saying all of this as someone who is an avid Qubes user and would like to see the project succeed. With things like Log4Shell coming out of nowhere, it is increasingly obvious that compartmentalization is the way forward (setting aside the hypervisor as its single point of failure while being an increasingly juicy target in general). But right now, while Qubes is theoretically secure, it feels unproven in the real world.
“No plan survives first contact with the enemy”.
Thank you for taking the time to hear me out. Looking forward to hearing more about the_game at some point.
And you ignore mention of Google Security Team and SecureDrop? The audit?
Like I guess you are trying to motivate us to add some new blurbs from people from companies/orgs rather than people in their individual capacity? But rather than just suggest that, you are questioning facts that you can verify yourself? Why would a company give the Qubes project money and then not use Qubes?
The link @adw provided seemed to be the best anyone in the thread before you was able to provide, so I made the assumption that there was no better proof. Thank you for the link.
I didn’t want to sound more antagonistic than I already do, as it is not my intention, so I tuned down and focused my message by ignoring them.
You mentioned the Google Security Team in the context of funding the U2F Proxy, not deploying Qubes. While it’s great that a group as distinguished as them has found Qubes worth funding, it is not the same as them deploying Qubes internally.
As for SecureDrop Workstation: While it’s passed two independent audits, which is great, it still hasn’t been fully subject to the rigors of real-world deployments (only partially, through the audits), as even you aren’t sure if it’s in pilot mode. The list of SecureDrop (non-Qubes) organizational users is a list of potential future users, though actual deployment of Workstation will add a list of some of the most well-known names in the journalism industry to the list of users of Qubes-based systems. Though I must note that for this use case, the risk is mostly on the whistleblower side, not the organizations’.
Thank you for opening a GitHub issue for this though.