How to pitch Qubes OS?

@fiftyfourthparallel

We humans are typically averse to change and try to minimize our brain’s workload when possible.

This is so true. When you hear people say things like “Oh, I just use Dropbox for that. lol…Why are you doing things in such a complicated way?”, it clearly shows that the general population (and even some people who claim to be tech-savvy) has no idea how networking or the internet actually works.

“No, you’re wrong. Isn’t it just ON THE INTERNET, and that’s all it is!!! You’re not making sense…”

The Dunning-Kruger Effect at its finest…
(not meant to be offensive to the general population, but unfortunately it is somewhat the reality)

These apply doubly when it comes to something perceived as sophisticated, like computers, and when there aren’t any explicit cues that something’s amiss

Not to mention, if they don’t perceive it as relevant to them “achieving their desired outcomes”, they will often perceive it as a waste of their time, and get very grumpy if you try to explain it properly to them.

(hackers typically don’t cover screens with laughing skulls, so everything seems to be smooth sailing–until it’s not).

No, they don’t. They cover their screens with cmatrix, xmonad and rice :wink:

@fsflover
I do like the idea of more GUI tools for the dom0 terminal commands, such as template installing, upgrading, removing, etc.

It would definitely increase the usability for users who “don’t like to get their hands dirty” (which is DEFINITELY none of us, and I mean that as a compliment :slight_smile:).

@newbie

Sven: Many are lazy in their thinking and fall for simple fallacies like “you have nothing to hide, if you are not doing anything wrong” and “if you don’t want everyone to know about it, you probably should not do it”.

This is what most people say, but they will then open Instagram on their phone and upload a selfie. This is because of their gross misunderstanding (through no fault of their own) of how things like that actually work. This is not their fault. These businesses have been very successful at not only making people think that there are no alternative ways to achieve what the user wants to do except them, but that it’s ok to not know how things work behind the scenes. The user still gets the same result, they get what they wanted (a way to share photos with their friends), so why would they bother looking into it any further?


If you want to get non-tech-savvy and non-privacy-aware people onboard with Qubes OS, you have to show off its cool features that are not related to security, hacking, pwnage, or anything technical.

  • Turn your laptop into multiple laptops
  • Keep parts of your life safe with more than just a password
  • Better than antivirus
  • Get more out of your computer
  • Keep your kids safe online
  • Protect yourself and those you care about from nosey stickybeaks

BUT…If you’re interested in going deeper:

  • TECH JARGON
  • BUZZWORDS GALORE

In terms of usability for people who are less Linux-inclined:

  • Lots of GUI and automation (that is transparent). The current Qubes OS installer does a decent job of doing this, but it would be nice to see more GUI things in the Qubes Tools menu (I’m sure the devs are way ahead of me on this).
  • Simple options in GUI (How much privacy do you want? None, a little, a lot, or Edward Snowden?). Complete control in the CLI.
  • Allow (and maybe even encourage) the user to “pop the hood” of their computer to tinker with the engine, if they so choose. BUT make sure they can safely and effectively do what they need to do from the dashboard and steering wheel (if you know what I mean)

It would be easier to get a Linux user to give Qubes OS a go than a Windows or MacOS user…

3 Likes

Where is “stickybeak” used?
It is not a common term.

1 Like

If I can comment:
I think the biggest hurdle Qubes has is keeping it simple.
Case in point:
Look at how the standard UI for Windows has changed from
XP/Vista → 7 → 10 → 11
MS is actually making it harder and harder for you to do things, by making the interface easy for anybody and everybody to use.

Qubes will never be that simple to use - it cannot be, because it is essentially an operating system that controls other operating systems - it is a new level of abstraction. This will exclude a large portion of the ‘general population’ (MSWindows and Linux users), as learning a new abstraction is a high cognitive load - and people get comfortable with what’s familiar.

My personal viewpoint is to actually keep the threshold for ‘targeted/intended users’ of Qubes ‘relatively’ high. I.e: somebody who knows what a terminal is and isn’t afraid to try and use it.

Because, however much you try - if the user isn’t invested in learning the skills AND sticking to them, then Qubes is wasted.

There’s some great work going on right now regarding UI & UX. But if I had to comment on how to improve/optimise that UI & UX work I would actually say forget the new interfaces - focus on fixing the major pain points, (of which R4.1 has a few), AND THEN focus on fixing the death by 1000 cuts. (As mentioned in the recent minisummit).

Because even if we had the budget to copy google, make our own Qubes font and have ‘qubes design’ - it would actually be counteractive/detrimental. It would make people comfortable and so familiar that there would be a false sense of security (that is the entire purpose of spending millions on fonts and psychological placement/web-page-design, it is to keep you spending your time/money).

I see other Linux ‘distributions’ wasting a lot of time/money on ‘fancy’ UI which copies MSWindows (in that it removes functionality/speed). Given that even Ubuntu & Debian have quite a few issues which are death in ‘100 cuts’ (compared to Qubes 1000) -

I think the mainstream USP of Qubes is not even the security aspect - it is that it just works.

Maybe somebody will meme these:
Did you type in ‘rm -rf /*’?
Don’t worry - Qubes Disposable VMs have you covered.
Qubes Secure Backup has you covered.
Visited the ‘wrong site’?
That’s ok - just close the browser and it /all/ goes away.

Most people simply don’t care, (and many aren’t even aware, hence don’t understand), the following:
Qubes - pin your CPUs to VMs
Qubes - we use ‘zshen’
Qubes - virtual machines

In Summary:
Focus on making it just work - within the user competency/talent threshold. Then focus on building upon it. Then once the budget is blown focus on fancy schmancy UI.

It’s fairly common among mothers in Australia, New Zealand, and the Pacific Islands, especially when saying it to their kids.

“you have nothing to hide, if you are not doing anything wrong”

imo, we keep some things private mostly not because they are wrong,
but for some other reasons,
such as there being some things that we don’t want:

  • attention, interference, judgment, comments, etc. from the public,

also for some other reasons, e.g.:

  • magicians need to keep their magic secret.
  • in the culinary world, there is what is called a secret recipe.
  • writers or producers keep their product private / secret before release.
  • public speakers keep their content private / secret before the event.

so imo, it doesn’t make sense to limit the logic to a simple equation:
hiding something = something wrong

besides, doing something wrong doesn’t always mean wronging others,
so imo, there is no problem with doing something wrong,
but then, it doesn’t mean I encourage people to do wrong things.

“if you don’t want everyone to know about it, you probably should not do it”

imo, the statement is incomplete, because it doesn’t explain,
why we should not do things, that we don’t want people to know

2 Likes

That’s cute. I hadn’t heard the term before either, but it makes sense. :slight_smile:

Synonyms include “busybody,” “meddler,” and “nosey parker.” :laughing:

2 Likes

Unlike others, I mainly stay with Qubes due to usability, not security reasons. It is the only system that helps me to maintain a tidy environment without typical clutter.

I wish I could pitch Qubes for enterprises. Unfortunately, I cannot.

Two problems: lack of proper Win10 support and high maintenance. Mostly high maintenance. Supporting Qubes even within a small company would become a living hell. It is like Linux in 90’s. Yes, I used Linux in 90’s :slight_smile:

3 Likes

imo, if your concern is not security, maybe it’s not necessary to run Win10 on top of Qubes.
but i think, it’s a good thing too, if you want to run it on top of Qubes,
so the community also can have a chance to improve the Win10 support.

Well, I am not very concerned about security but it does not mean I am THAT reckless to run Windows without templates and isolation!

1 Like

I’d have to say that I’m the same. I mean, the security is nice, but it’s not just the only reason. Qubes OS actually has a really nice workflow for daily use.

There are people working on it. It soon might become a reality. LDAP PAM integration for work qubes, remote wipe, unattended upgrades, “cloud” VMs (also useful for game-streaming, anyone?), tools for an IT department to remotely “assist” anyone with Qubes OS (we’ve all had a coworker who simply refuses to learn how to do even the most basic tasks on a computer), all of that is possible.

Yes, I know a lot of those things absolutely go against our definition of “privacy” and “security”, but employers have their own definition too, and they wouldn’t even consider Qubes OS unless it was flexible enough to meet their needs.

1 Like

I can assure you that it isn’t.
There has to be initial onboarding, but the level of support required
is not extraordinary.

Nice to hear there is going to be better enterprise support. I could think of a few places where I could try to give it a spin.

Well, I am not very concerned about security but it does not mean I am THAT reckless to run Windows without templates and isolation!

iirc, installing Windows on Qubes requires a standalone VM,
if I’m not mistaken, we cannot use Windows as a template VM.

if we are concerned about security,
then imo, we should consider these things about Windows:

  • 2021 statistics - desktop Windows users 75%, desktop Linux users 2%. imo, it means the “malware industry” will mostly target Windows users (75%), rather than targeting Linux users (2%). and if I’m not mistaken, Qubes is not even Linux, so I’m not sure of the Qubes percentage.
  • considering the 1st fact, most Windows users will decide to use antivirus, which, based on some references, actually increases the attack surface rather than decreasing it; it is also possible that antivirus does not only scan the files, but also uploads the files to the cloud.
  • I read about CALEA and PRISM on Wikipedia; maybe it can make us reconsider using big tech products, if we are concerned about surveillance (massive or active).
  • last time I read Privacy Tools, it mentioned a privacy nightmare related to Windows, Windows 10 if I’m not mistaken, but they took it down already; I’m not sure of the reason.
  • also, using a big tech product, i.e. Windows, means indirect support for big tech; imo it’s not a good thing if the future of IT is under big tech monopoly and control.
  • but using an open source product means indirect support for open source and the market; imo it’s a good thing if the future of IT is defined and controlled by the market.

1 Like

I’d better clarify this before someone sees this and gets the wrong idea.

Malware exists for EVERY OS. Anyone who managed a Linux server back in the day will remember dirtycow :unamused:

Malware is written for a specific purpose. Most Windows malware is wide-net stuff. Linux malware is usually extremely targeted, designed for a specific machine. Like, the victims will often know the attackers.

I mean, if someone had a free weekend and the Windows XP leaked source code, you could probably come up with a Windows template… But no, you can’t make a template out of regular Windows that you get from Microsoft.

EDIT:
It turns out you actually CAN make a Template VM from Windows (and any other OS). See @unman’s post below for more info.

Because monkey see, monkey do…

It depends on what the developers have programmed the software to do. If you know what you’re doing, you could use it to your advantage as an attacker.

What’s for certain is that it will use CPU cycles :stuck_out_tongue:

Ah yes, the proverbial “cloud”. In all seriousness, when did the term “cloud” become a thing? Before that, people just called them “servers”… :yum:

If big tech were actually honest and upfront about how they actually make money, nobody would use their services, and would avoid them like the plague! They know this. That’s why they have a very talented marketing department…

Do you know how to use Wireshark? Have it monitor network packets for a Windows machine from cold boot, don’t interact with it, and leave it for about an hour. When you look at what comes out of the machine, you’ll probably feel a little sick… :woozy_face:

Have a read of this:

It’s a research paper about exactly what you’re talking about. It’s actually a good read, if you’ve got the time…

Well, we’re trying to achieve it without compromising the Qubes ethos, which is easy in some areas, but a little more difficult in others… (enterprises don’t really like giving users full control of their machines)

Schools? Startups? Accounting firms? Cybersecurity? Do tell :slight_smile:

You can easily create a Windows template - create a qube of Class
TemplateVM, with the settings you would use for a standalone.

qvm-start the new qube with a Windows installer, and install on to xvda.

You can now create qubes using the Windows template - as it is, they
will effectively be named disposables.
If you move the user directories to xvdb, then you will have persistent
user directories across reboots.

The procedure is the same for making a template of any HVM.

3 Likes
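
The procedure in the post above, written out as dom0 commands. This is an added example, not part of the original post or the Qubes project's own tooling; the qube names, ISO location and sizes are assumptions, and it only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: dom0 commands for the Windows-template procedure.
# Qube names, ISO location, memory and disk sizes are assumptions.
TEMPLATE=${TEMPLATE:-win-template}        # hypothetical template name
APPVM=${APPVM:-win-work}                  # hypothetical qube based on it
ISO=${ISO:-untrusted:/home/user/win.iso}  # qube:path holding the installer ISO
DRY_RUN=${DRY_RUN:-1}                     # 1 = only print the commands

run() {
    # Print the command; execute it only when DRY_RUN=0 (i.e. in dom0).
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

create_windows_template() {
    # Class TemplateVM, otherwise the settings used for a standalone HVM:
    # full virtualization and no dom0-provided kernel.
    run qvm-create --class TemplateVM --label red \
        --property virt_mode=hvm --property kernel= "$TEMPLATE"
    run qvm-prefs "$TEMPLATE" memory 4096
    run qvm-volume extend "$TEMPLATE:root" 40g
    # Boot the installer; Windows is installed onto xvda (the root volume).
    run qvm-start "--cdrom=$ISO" "$TEMPLATE"
}

create_windows_appvm() {
    # The root volume (xvda) comes from the template and is reset on every
    # start; only data moved to xvdb (the private volume) persists.
    run qvm-create --class AppVM --template "$TEMPLATE" --label blue "$APPVM"
}
```

Source the file in dom0 and call `create_windows_template`, then `create_windows_appvm` once the installation has finished and the template is shut down.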

I stand corrected, and amend my previous statement.

See, THIS is the stuff I’d love to see in these videos I was talking about.

I’d make them myself if I could get someone else to do the voiceover (trust me. My voice isn’t made for narration…)

1 Like

The best way to pitch Qubes OS is on an Intel NUC since it has the least air resistance.

 

 

Sorry.

P.S. What’s the smallest possible PC form factor you can install Qubes on? Originally I was going to say “Intel Compute Stick”, but I doubt the CPUs support IOMMU.

2 Likes

Sounds like fun, I’d definitely be interested in working on that but I don’t really have a lot of time atm… But please do count me in for a few videos :slight_smile:

1 Like

A post was split to a new topic: What’s the smallest possible form factor for a Qubes PC?

Here and there. I am a cybersecurity consultant and I always try to see if Qubes would fit any of my customers (also, as a dogfood effort, I would try to use it within my startup which has pretty tight security requirements). Yet, so far I do not feel it is ready for “regular people”, as I could derive from my everyday experience with Qubes.

1 Like