Description of default qubes for beginners

I don’t really understand what you’re looking for, but the qubes that are created by the installer by default (unless the user opts out) are briefly described here:

  • Service qubes: sys-usb, sys-net, sys-firewall, and sys-whonix

If you mean this, it does not look very helpful for Qubes newbies unfortunately…

Well, I still don’t know what kind of description you’re looking for, so I don’t know what would be helpful.

I was more referring to things like this:

It’s a good idea to start out with the qubes created automatically by the installer: work, personal, untrusted, and vault. If and when you start to feel that some activity just doesn’t fit into any of your existing qubes, or you want to partition some part of your life, you can easily create a new qube for it. You’ll also be able to easily copy any files you need to the newly-created qube.

I was looking for explanation, why exactly you need all those many qubes in the beginning and what you expect to do with them. For example:

Sys-net contains drivers for your WiFi card and connects to the network, so it’s untrusted by default (don’t run Firefox there!). Sys-firewall protects you from DMA attacks (if I’m not mistaken) and allows you to use the “Firewall rules” in the Settings of other qubes. Sys-whonix provides a Tor connection to anon-whonix (in which you should run Tor Browser). All connected USB devices go to the sys-usb qube by default, to protect you from BadUSB attacks. If you need to connect them to other qubes, use Qubes Devices. The vault qube has no network by default, making it a good place to store your secrets. With the personal and work qubes you can separate your private and working lives by running related things in them. See this for an example.


Sounds like it could be a good addition. Mind submitting a PR?

Unfortunately, I do not have an account on GitHub and have no desire to register there with Microsoft… (I’m afraid you could lose some contributors due to this.)

Rather than not using it, why don’t you use a dispVM on this? The easiest way to connect to the LAN is only through this.

GitHub has such a condition:

you may not have more than one free Account

It means that if I need to use it for something else, e.g., my work or other personal projects, I cannot separate my identities, because then technically it would break the ToS. Given how many resources Microsoft has, I am afraid that at some point I will make a mistake and they might recognize my two identities, and I will lose both my privacy and both accounts.

In addition, given how Microsoft collects personal data in their OS, I expect that these ToS on GitHub will become even worse with time.

Heh, it’s weird. I’m sure that I quoted this. Sorry if it made you misunderstand.

Then it goes here

You indeed replied to my pre-last above post, but I did not understand which part of it you meant, so I was a bit confused.

Do you mean that one should use dispVM for sys-net? This is of course a right thing to do, but it may be too complicated for newbies. Also, AFAIK this will be the default in 4.1.

Also, even if your sys-net is a dispVM, you still should not run Firefox in it, because it has no protection from the outside world or firewalling, or defense from the DMA attack.

While we are aiming for the highest security, we should provide some flexibility to beginners; the more they learn, the more they grow. I can’t even imagine beginners being targeted by people who have the ability to do that.

I’ve used Qubes for almost 2 years and can’t count how many times I’ve reinstalled the system; don’t put too much into my words. The Qubes Team is doing great, and I believe the community will help

too complicated for newbies

things work.

And I like Qubes because it has a good GUI. While aiming for flexibility would sacrifice security, I don’t care. I love my desktop :heart_eyes:

Running Firefox in sys-net is removing all Qubes-specific protections, making Qubes almost as secure as Linux. Nobody will stop you from doing that (you have all the flexibility you want), but I suggest explaining to beginners that it’s a bad idea.

Unfortunately not everyone has enough time to try every wrong configuration and perform many reinstalls. See the link above. I believe that decreasing the number of required reinstalls would greatly increase the Qubes OS user base.

Yes, definitely. The explanation of design decision behind the default qubes is exactly how the community can help.

Not sure what you mean.