How to pitch Qubes OS?

I can assure you that it isn't.
There has to be initial onboarding, but the level of support required
is not extraordinary.

Nice to hear there is going to be better enterprise support. I could think out a few places where I could try to give it a spin.

Well, I am not very concerned about security but it does not mean I am THAT reckless to run Windows without templates and isolation!

iirc, installing Windows on Qubes requires a standalone VM;
if not mistaken, we cannot use Windows as a template VM.

if we are concerned about security,
then imo, we should consider these things about Windows:

  • 2021 statistics - Desktop Windows users 75%, Desktop Linux users 2%. imo, it means the “malware industry” will mostly target Windows users (75%) rather than Linux users (2%). And if not mistaken, Qubes is not even Linux, so I’m not sure about the Qubes percentage.
  • considering the 1st fact, most Windows users will decide to use an antivirus, which actually, based on some references, will increase the attack surface rather than decrease it; also it is possible that the antivirus does not only scan the files, but also uploads the files to the cloud.
  • I read about CALEA and PRISM on Wikipedia; maybe it can make us reconsider using big tech products, if we are concerned about surveillance (massive or active).
  • last time I read privacy tools, it mentioned a privacy nightmare related to Windows, if not mistaken Windows 10, but they took it down already; I’m not sure of the reason.
  • also, by using big tech products, i.e. Windows, it means indirect support for big tech; imo it’s not a good thing if the future of IT is under big tech monopoly and control.
  • but by using open source products, it means indirect support for open source and the market; imo it’s a good thing if the future of IT is defined and controlled by the market.
1 Like

I’d better clarify this before someone sees this and gets the wrong idea.

Malware exists for EVERY OS. Anyone who managed a Linux server back in the day will remember dirtycow :unamused:

Malware is written for a specific purpose. Most Windows malware is wide-net stuff. Linux malware is usually extremely targeted, designed for a specific machine. Like, the victims will often know the attackers.

I mean, if someone had a free weekend and the Windows XP leaked source code, you could probably come up with a Windows template… But no, you can’t make a template out of regular Windows that you get from Microsoft.

EDIT:
It turns out you actually CAN make a Template VM from Windows (and any other OS). See @unman’s post below for more info.

Because monkey see, monkey do…

It depends on what the developers have programmed the software to do. If you know what you’re doing, you could use it to your advantage as an attacker.

What’s for certain is that it will use CPU cycles :stuck_out_tongue:

Ah yes, the proverbial “cloud”. In all seriousness, when did the term “cloud” become a thing? Before that, people just called them “servers”… :yum:

If big tech were actually honest and upfront about how they actually make money, nobody would use their services, and would avoid them like the plague! They know this. That’s why they have a very talented marketing department…

Do you know how to use wireshark? Have it monitor network packets for a Windows machine from cold boot, don’t interact with it, and leave it for about an hour. When you look at what comes out of the machine, you’ll probably feel a little sick… :woozy_face:

Have a read of this:

It’s a research paper about exactly what you’re talking about. It’s actually a good read, if you’ve got the time…

Well, we’re trying to achieve it without compromising the Qubes ethos, which is easy in some areas, but a little more difficult in others… (enterprises don’t really like giving users full control of their machines)

Schools? Startups? Accounting firms? Cybersecurity? Do tell :slight_smile:

You can easily create a Windows template - create a qube of Class
TemplateVM, with the settings you would use for a standalone.

qvm-start the new qube with a Windows installer, and install onto xvda.

You can now create qubes using the Windows template - as it is, they
will effectively be named disposables.
If you move the user directories to xvdb, then you will have persistent
user directories across reboots.

The procedure is the same for making a template of any HVM.

3 Likes
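
The procedure unman describes, written out as the dom0 commands it maps to. This is an added example, not unman's own script or Qubes project code; the qube names (win-tpl, win-work), the ISO location untrusted:/home/user/win.iso and the 60g root size are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a Windows TemplateVM in dom0
# following the steps in unman's post. Assumed names: template "win-tpl",
# installer ISO kept in qube "untrusted" at /home/user/win.iso.
set -eu

# With DRY_RUN set, print each command instead of executing it, so the plan
# can be reviewed before any qube is created.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a TemplateVM with the settings one would use for a standalone
# Windows HVM: HVM mode, no Xen-provided kernel, enough RAM and root disk.
make_windows_template() {
    tpl=$1   # name of the new template qube
    iso=$2   # QUBE:/path/to/installer.iso, the qvm-start --cdrom syntax
    run qvm-create --class TemplateVM --label black \
        --property virt_mode=hvm "$tpl"
    run qvm-prefs "$tpl" kernel ''
    run qvm-prefs "$tpl" memory 4096
    run qvm-prefs "$tpl" maxmem 4096
    # Windows installs onto xvda, the template's root volume; size it first.
    run qvm-volume resize "${tpl}:root" 60g
    # Boot the installer; inside the VM the target disk shows up as xvda.
    run qvm-start --cdrom="$iso" "$tpl"
}

# Qubes based on the template behave like named disposables (root is reset on
# every boot); user data persists only if Windows keeps it on xvdb (private).
make_windows_app() {
    run qvm-create --class AppVM --template "$1" --label red "$2"
}

if [ "${1:-}" = "install" ]; then
    make_windows_template win-tpl untrusted:/home/user/win.iso
    make_windows_app win-tpl win-work
fi
```

Run with `DRY_RUN=1 sh make-win-template.sh install` first to see the exact commands, then without DRY_RUN in dom0.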

I stand corrected, and amend my previous statement.

See, THIS is the stuff I’d love to see in these videos I was talking about.

I’d make them myself if I could get someone else to do the voiceover (trust me. My voice isn’t made for narration…)

1 Like

The best way to pitch Qubes OS is on an Intel NUC since it has the least air resistance.


Sorry.

P.S. What’s the smallest possible PC form factor you can install Qubes on? Originally I was going to say “Intel Compute Stick”, but I doubt the CPUs support IOMMU.

2 Likes

Sounds like fun, I’d definitely be interested in working on that but I don’t really have a lot of time atm… But please do count me in for a few videos :slight_smile:

1 Like

A post was split to a new topic: What’s the smallest possible form factor for a Qubes PC?

Here and there. I am a cybersecurity consultant and I always try to see if Qubes would fit any of my customers (also, as a dogfood effort, I would try to use it within my startup which has pretty tight security requirements). Yet, so far I do not feel it is ready for “regular people”, as I could derive from my everyday experience with Qubes.

1 Like

that’s why I said “mostly”. I didn’t say there is no malware for Linux.

imo, It means the “malware industry”, mostly will target Windows user (75%), rather than targeting Linux user (2%).

But the chance for a Linux user to be infected by malware is much, much smaller than for a Windows user.
(75% : 2%)

Logically, it is much, much harder for the virus to spread if the human population is only 2% of the current population, and scattered all over the world.

You emphasized it. Indirectly you said Linux malware is not wide-net stuff. Definitely, I talked about the wide-net malware, because I relate it with the statistic.

But if one is personally being extremely targeted, then that’s already a different case, outside the point I mentioned.

I had been a Windows user for years before Qubes. I remember I decided to use an antivirus, not because I saw others using it, but because I was infected.

Antivirus actually will increase the attack surface rather than decrease it.
It has been said multiple times by others in this forum in other discussions. Other references:

Cloud = servers; both are common terms.
I see there is no problem with using the term “cloud”; it is a common term.

There are many references emphasizing that Windows 10 is a privacy nightmare, such as:

France hits Microsoft with Windows 10 privacy complaint

  • Windows has security flaws and collects user data without permission, the French government said.
  • ordered Microsoft to make changes to Windows 10 within three months or face sanctions.
  • Windows Store collects data without permission on all the apps users download and the time spent on each one.
  • Windows 10 installs an advertising identifier by default, allowing Microsoft to monitor browsing and offer targeted advertising without consent.
  • Windows Store authentication method presents a security risk.

Windows 10 disregards user choice and privacy

  • Windows 10 sends an unprecedented amount of usage data back to Microsoft,
  • list of data sent back: location data, text input, voice input, touch input, webpages you visit, and telemetry data regarding your general usage of your computer, including which programs you run and for how long.
  • disabling some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers.

Windows 10 is a privacy nightmare

  • Windows 10 joined the race with Apple and Google in collecting increasing amounts of customers’ information
  • Windows 10 gives itself the right to pass loads of your data to Microsoft’s servers, use your bandwidth for Microsoft’s own purposes, and profile your Windows usage.
  • Windows 10 end-user license agreement uses some scary broad strokes: “Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.”
  • Microsoft may upload your local data to its servers arbitrarily

EFF rips Microsoft for blatant disregard of user choice and privacy in Windows 10

Electronic Frontier Foundation (EFF) blasts Windows 10 telemetry

Windows 10 has caused controversy over its many privacy fails

Even after tweaking your privacy settings Windows 10 is still a privacy nightmare

  • Microsoft’s generosity was actually a thinly-veiled excuse to track users and collect data with its most invasive operating system yet.
  • CheesusCrust did a little test on a Windows 10 machine:
    First, he disabled every single tracking and telemetry feature,
    then left it running overnight while monitoring network traffic.
    8 hours later, he found over 5,500 connections to 93 different IP addresses.
    30 hours later, an additional 113 non-private IP addresses, which is akin to placing a sign on your network saying “now open to man in the middle (MiTM) attacks.”
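
The idle-machine capture suggested earlier in the thread (Wireshark from cold boot, no interaction) and CheesusCrust's overnight test come down to the same measurement: how many connections, to how many distinct addresses, and how many of those are not on the local network. This is an added example, not from the thread: it computes that summary in awk over a constructed tshark-style export of "<epoch> <dst-ip>" lines built from TEST-NET addresses; the tshark field names in the comment are the only real-tool specifics assumed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise outbound traffic of an idle
# machine. Real input would come from something like
#   tshark -r idle.pcapng -T fields -e frame.time_epoch -e ip.dst
# Here a constructed sample using RFC 5737 documentation addresses stands in.
set -eu

SAMPLE='1700000001 192.168.1.1
1700000002 192.168.1.1
1700000003 192.0.2.10
1700000004 192.0.2.10
1700000010 198.51.100.7
1700000011 127.0.0.1
1700000012 203.0.113.5'

# awk helper shared by both reports: 1 if ip is RFC 1918, loopback or link-local.
PRIVATE_FN='function private(ip,  o) {
    split(ip, o, ".")
    if (o[1] == 10 || o[1] == 127) return 1
    if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
    if (o[1] == 192 && o[2] == 168) return 1
    if (o[1] == 169 && o[2] == 254) return 1
    return 0
}'

# Prints three numbers: total packets/connections, distinct destinations,
# distinct destinations outside the local/private ranges.
summarise() {
    awk "$PRIVATE_FN"'
    NF == 2 { total++; if (seen[$2]++ == 0) { distinct++; if (!private($2)) pub++ } }
    END { printf "%d %d %d\n", total, distinct, pub }'
}

# Lists the non-private destinations with how often each was contacted,
# most frequent first: the list that answers "where did the machine talk to?".
public_hosts() {
    awk "$PRIVATE_FN"'
    NF == 2 && !private($2) { c[$2]++ }
    END { for (ip in c) print c[ip], ip }' | sort -rn
}

printf '%s\n' "$SAMPLE" | summarise
printf '%s\n' "$SAMPLE" | public_hosts
```

Feed a real export on stdin instead of SAMPLE to get the same two reports for an actual capture.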

Agreed. You definitely didn’t say this.

Agreed. Linux machines usually get infected because of human error (although zero-days do exist, too…).

Valid point. Agreed. :slight_smile:

I feel for you. That would have been a horrible experience. Hopefully you didn’t suffer too much damage :frowning:
(not sarcasm. Most of us have been in that situation at some point in time, and it’s not very pleasant)

Agreed.

It’s not exactly a “problem”. I just think it gives people who aren’t tech-savvy the wrong idea of what it actually is, and that impacts the decisions they make, especially when it comes to privacy and security. I also think this scenario could easily be avoided if it was defined in a little bit more detail than just “It’s a cloud that runs the internet. You don’t need to know anything more…”

But I still agree with you :slight_smile:

I agree with all of this, too. Plus, you’ve definitely done your research. I like it :smirk:
(not sarcasm. I genuinely like it)


I guess I’ve had one too many conversations that go something like this:
A: So then I uploaded your files to the cloud, and it’s all good.
B: What do you mean by “uploaded them to the cloud”? Where did my files go?
A: What are you talking about? THE CLOUD! I just said it!
B: Yeah, I heard you, but that still doesn’t explain where the files actually went…
A: What, are you stupid or something? It went to the CLOUD! How many times do I have to explain this to you?!?!?! :rage:
B: So, who owns and operates this “cloud”?
A: :roll_eyes: Oh my god, why do you insist on asking such dumb questions?!?! It’s IN THE CLOUD, and that’s all you need to worry about! I don’t have time to explain such basic stuff to you… :expressionless:
B: I still don’t know where my files are… :sleepy:

It’s people who have conversations like this that are often the first to get pwned, and it all could be avoided if they just understood things in a bit more detail :frowning:

No offence intended at all :slight_smile:

4 Likes

I’m so lucky that I’ve never been infected by any viruses.
Sometimes I’m so bored that I intend to download viruses and test them on a virtual machine :grinning_face_with_smiling_eyes:

Good thing is, typically a Linux malware is aeons behind its Windows counterpart in sophistication.
Bad thing is, as of now we do not consider even this to instrumentalize those detection capabilities our architecture could offer. If someone invests into making a working exploit chain for Qubes with persistence/hypervisor escape/whatever, the chances we detect it (even if it would be quite basic in techniques to hide its presence) are slim, because the current Qubes threat model does not focus on detection at all.

I actually don’t agree with the idea that somehow Linux faces less danger because, while it is true that Linux isn’t really a big thing in the consumer OS market, it’s the go-to operating system for servers and enterprise architecture. Thus some of the most valuable information is stored on Linux and I’d definitely say the cracking community has its eyes on Linux. While there might not be as much malware as on Windows, because those mostly rely on the user installing them, there definitely is no lack of effort to compromise Linux nonetheless, just that it is in the form of resources on the web that explain how to do a privilege escalation etc… The server OS market, I think, is what really draws attention to Linux (at least for those adversaries that passed the low-skill mark). So while malware might be less sophisticated for Linux, the crackers are definitely not.

3 Likes

You need this in your life:

1 Like

However, I think that infosec industry is responsible for a major misunderstanding.

There is no such thing as a “malware threat”.
There are software vulnerabilities, configuration flaws, and human behavior flaws. There are attackers, and there are automation tools that exploit vulnerabilities, configuration, and human flaws that need to be there in the first place. When a system is compromised, its integrity is violated and there are certain IoCs to watch for.

Thus, you should not need to “fight malware”. You need to fix your vulnerabilities and watch for indicators of compromise. Some IoCs may be attributed to “malware” (rootkits/RATs/whatever), but it is not a “threat”, it is a symptom to watch for. What I was trying to emphasize is that typically Linux IoCs are much easier to identify.

That has made my week! :rofl:

You’re absolutely right about this. Unfortunately, every industry does this. Make your job sound more complicated than it actually is, and convince everyone else that they couldn’t possibly do it themselves, so that people will value what you have to offer more and pay you more accordingly.

I mean, it’s great for the economy, but it kind of forces people considering a “career change” or a hobby to basically forget everything they’ve previously learned about that subject area, as it’s mostly useless in application…

My point is that this becomes painfully obvious when you put users in charge of all aspects of their electronic devices.

“Um…I never had to do any of this on Windows, and I survived…Why do I need to do this now???”
Bet you’ve heard that one too many times… :laughing:

I found this an extremely interesting topic. It gives me some distance from my viewpoints and perspectives, and hopefully broadens them with new ones.
And the new one I got from reading this topic is: is it really about an OS for ordinary people? Or is it about my routines, conformity, the software I’m used to using? Is that why I always tend to create a Windows-like environment from the OS I currently use?
And, actually, was Windows sold to me first, or was it actually Word that sold it 30 years ago?
I assure you my neighbor doesn’t care which OS he’s using until he manages to reach his Pinnacle, and that is the only software he can use. Those few clicks until he enters Pinnacle are only a necessary evil to him. Give him CyberDragon or a LibreELEC-like Pinnacle OS and he’s all yours. Not to mention how he reacts when he realizes that I’m using a cabled keyboard with some “weird purple ending”.

So, I’m afraid that “stealing” users from other (Windows and Mac) OS’s isn’t a go.

Here is what Qubes OS has done for me:

  1. Mental calm
    I used to reinstall my systems very frequently (every 2-3 months). There was no evidence of intrusion, but I had this underlying feeling that nothing on my computer was safe and I could be monitored all the time by pretty much any script kiddie. I have no reason to believe that ever happened, but knowing that it was possible made me nervous. It was also a great trap to fall into when procrastinating on something else. Qubes OS along with Coreboot/Heads is my cure. Now I am reasonably sure ME is no danger to me and all my important stuff is stored in offline qubes. All my online qubes are highly compartmentalized and contain nothing that didn’t come from the internet in the first place. I could still be compromised, but it wouldn’t matter very much. There is great calm in this. Of course: nation states, virtualization escapes … that’s residual risk I can live with.

  2. Fast recovery
    I like to tinker and try things out. Sometimes things break. Now they break inside of a qube and I have the backup or clone of that qube right here. Recovery takes minutes, this really takes the edge off. Freedom to play and make mistakes and nothing bad can happen. No matter how big the disaster… reinstalling Qubes OS and restoring everything from backup takes me 4-5 hours tops.

  3. One laptop
    Because of the above, there is no reason anymore to maintain separate machines for work and play. It can all be on one laptop.

4 Likes