Deployments of Qubes by entities with serious stakes?

Just curious to know about organizations that have deployed Qubes–I’d like to see how Qubes holds up in the high-stakes situations it’s built for. I know there’s SecureDrop that’s based on Qubes, but I haven’t really heard of its widespread deployment.

Alternatively, has there been any serious pentesting efforts (red team, blue team, CTF, etc.) I can read about?

2 Likes

Mullvad and Let’s Encrypt are the other major examples of which I’m aware.

1 Like

@fiftyfourthparallel Well, obviously Edward Snowden uses Qubes (or at least says he does). I would consider his situation fairly high stakes. One difficulty in naming certain users and groups is that true high stakes situations don’t make public disclosure very likely.

2 Likes

Having a major certificate authority as a user is definitely a confidence booster. I’m not sure if Mullvad is actually a user, based on that link–probably a mis-link.

Still, are there any plans for pentesting with some stakes? For example, an open competition to remotely hack a default/minimal configuration of Qubes in order to identify previously unknown issues, with real cash prizes? There are weaknesses that are undiscovered until they meet the real world, and this would go a long way in finding them IMO, and would provide a huge boost of confidence for organizations that might be looking to deploy Qubes but have observed the paucity of real-world examples.

1 Like

I can see the argument for that, but to any other observer, this is no different from having few examples of real-world deployments.

I’d happily set up the machines for this.

Just saying….

Mullvad is a great example. They provide a service to protect user privacy and they use Qubes for all of their operations. They are outspoken supporters of the Qubes project too. I believe they have made donations to support Qubes development.

Not a mis-link. There just isn’t (AFAIK) a public link available that states that Mullvad is a user, but they are. If anyone finds a better link, please let me know, as this statement is on the intro page.

I would love to see something like this.

2 Likes

I started this thread because I recently came across research by Blackberry that confirms what I’ve long suspected–Linux systems are especially prized targets since most important things run on, or are stored on, Linux devices.

Given the increasing prevalence of VMs on cloud machines, it wouldn’t surprise me if hypervisors like Xen are actually frequently targeted, or at least of a somewhat high priority, but it’s just that we don’t hear about it often.

I’ve glanced through the PDF but was unable to figure out what attack vector the actors described used to attack Linux systems–are these ‘zero-click’ attacks which require no action on the part of the target? Would appreciate it if someone enlightened me.

Also, if financing an open competition is an issue (though ITL really should be investing in proving to potential clients that Qubes isn’t just theoretically secure), are there alternative solutions that can involve crowdfunding? Or some special competition structure (like a sort of cash pot that grows as contestants pay into it)?

1 Like

My understanding is that there’s barely enough money to keep things running as-is and that a much higher priority for new funds would be hiring much-needed developers. This is not to say that financing an open competition is not considered important, only that there are even more important and urgent needs.

I’m sure there are, but I’m not an expert in this area. Perhaps @michael might be able to speak to the possibilities here.

hey folks!

re: open competition to hack a Qubes box, this was actually something drafted by Joanna in 2016:

https://github.com/QubesOS/the_game

not public but Andrew you should have access. I think it was always a capacity issue as soon as it tried to go from fun idea to making it happen. but you can ask the team if it’s something that might be of interest to re-visit.

re: public deployments, by individuals with high-stakes you have:

for organizations who are public about it Andrew mentioned them.

Qubes U2F Proxy was funded by Google’s Enterprise Infrastructure Protection Team (aka Google Security Team):

the Qubes-based version of SecureDrop (SecureDrop Workstation) is still in pilot mode I think. when complete it will be deployed in the following media organizations to protect communications with sources:

as part of the Qubes-based SecureDrop Workstation they funded a security audit of it, the results of which you can read here:

Experts: Isis Agora Lovecruft

This is a great name; if I were an enterprise programmer I’d love to be called Lovecruft. Triple points if I was working at HP.

To be honest, when I look at the endorsements on the site while roleplaying as a corporate security officer eyeing a potential new platform, I can’t help but notice that they’re just personal endorsements through Twitter that amounts to a one-time thumbs-up. On top of that, of the actual organizational deployments, Mullvad is eerily quiet about their Qubes usage (zero mentions from their side) while Let’s Encrypt’s tweet lacks details and reads like your typical PR platitude. I’m doubt anyone’s lying here, but it comes across as weak for someone who might want to tap ITL to secure their company.

Note that I am saying all of this as someone who is an avid Qubes user and would like to see the project succeed. With things like Log4Shell coming out of nowhere, it is increasingly obvious that compartmentalization is the way forward (setting aside the hypervisor as its single point of failure while being an increasingly juicy target in general). But right now, while Qubes is theoretically secure, it feels unproven in the real world.

“No plan survives first contact with the enemy”.

Thank you for taking the time to hear me out. Looking forward to hearing more about the_game at some point.

did you look at their twitter or… ?

https://twitter.com/mullvadnet/status/631010362083643392

and you ignore mention of Google Security Team and SecureDrop? the audit?

like i guess you are trying to motivate us to add some new blurbs from people from companies/orgs rather than people in their individual capacity? but rather than just suggest that you are questioning facts that you can verify yourself? why would a company give the Qubes project money and then not use Qubes?

anyways when i have time i will try collect some quotes from people from companies/orgs.

1 Like

Try Nitter

1 Like

thanks! that is beautiful, exactly what i needed. i’ll clean up my post with just a link. also will make less grumpy.

The link @adw provided seemed to be the best anyone in the thread before you was able to provide, so I made the assumption that there were no better proof. Thank you for the link.

I didn’t want to sound more antagonistic than I already do, as it is not my intention, so I tuned down and focused my message by ignoring them.

You mentioned the Google Security Team in the context of funding the U2F Proxy, not deploying Qubes. While it’s great that a group as distinguished as them has found Qubes worth funding, it is not the same as them deploying Qubes internally.

As for SecureDrop Workstation: While it’s passed two independent audits, which is great, it still hasn’t been fully subject to the rigors of real world deployments (only partially through the audits) as even you aren’t sure if it’s in pilot mode. The list of SecureDrop (non-Qubes) organizational users is a list of potential future users, though actual deployment of Workstation will add a list of some of the most well-known names in the journalism industry to the list of users of Qubes-based systems. Though I must note that for this use-case, the risk is mostly on the whistleblower side; not the organizations’.

Thank you for opening a Github issue for this though

yo i have no interest in discussing any of this with you as you continue from this antagonistic angle.

discuss the topics directly from the perspective of improving the project for specific audiences, suggest improvements, etc.

no one exists to think for you or justify stuff for you. the devil doesn’t need an advocate, just be a normal empathetic human - thanks

I disagree. The organization receiving tons of shady files from anonymous people definitely undergoes a great risk.

Latacora