The major problem with current systems is their inability to provide effective isolation between various programs running on one machine.
I hear bits and pieces about both Windows and Mac getting a lot better at this, but I don’t know either the details or the big picture. 10+ years after this was written, is this still a key advantage of Qubes over both? Are there architectural problems that they’re stuck with or are they likely to reach a “good” state in the future?
If the isolation has improved, then what exactly could Win/Mac users reasonably worry about today, but mitigate by moving to Qubes? Say they’re enterprise users with a decent network architecture and sysadmin team.
Programs are getting sandboxed in major operating systems, but Qubes OS goes way beyond that.
I think this documentation page will do a better job than me at showing how far Qubes OS separates things: Introduction | Qubes OS
On Windows/Linux/MacOS, you still have all your files available to all your programs, they can all do networking and they all share the same system.
On Qubes OS, everything can be separated in virtual machines (processes, data), network access can be given on a case by case basis, and stuff like USB or network are running in dedicated systems.
This is really vague, but a simple example would be to prevent your users from opening emails with malware and having your network drives being crypto-locked.
Users could have a disposable qube for reading emails, so if they do something wrong with a malware, just quit the disposable and start a new one. The network drive accesses could be done through a qube that cannot do any networking but connect to the network drive.
This is just a simple use case though, and depending on a lot of other factors, it may be better or worse than the current setup in the company.
My opinion would be that Qubes OS does not scale to big companies as the IT service will just lose control, it is better suited for smaller teams.
And it is not about the threat model…
While they might see the advantages, they still have to provide usable working environment for the mass. And they must provide support for such environments!
Given the fact that the average enterprise users are barely able to use their Mac/Windows, they still need support for very straightforward things on those platforms!
The support staff are also trained only on those platforms.
Just to support any normal Linux OS, you need a completely new (better qualified, and much more expensive) team…
To support Qubes OS?! You simply can’t find enough people to do so, and even if you do, you will certainly not want to pay them.
So even if you ignore the political influence - which alone would prevent such change - it is simply not feasible to do so.
In addition, I know 2 companies wanting to experiment with Qubes OS to maybe switch to it later, but they are very small teams of developers, not really a corporate environment.
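The email/network-drive split sketched in the reply above (a disposable qube for mail, and a qube that can reach only the file server), written out as an added example; this is not code from the thread or from the Qubes project. It is a POSIX shell script driving the Qubes 4.x `qvm-create`, `qvm-prefs`, `qvm-firewall` and `qvm-run` tools; the qube names `mail-dvm` and `files`, the template name `fedora-38` and the file-server address 192.0.2.10 (a TEST-NET-1 address) are constructed placeholders, and the exact `qvm-firewall` rule syntax is assumed from the Qubes 4 tooling and should be checked against `qvm-firewall --help` on the target release. On a machine without the `qvm-*` tools the script only prints the commands it would run, so it can be reviewed offline.

```shell
#!/bin/sh
# Added example, not from the thread or the Qubes project.
# Two qubes: a disposable template for reading mail, and a "files" qube whose
# firewall permits SMB (TCP 445) to one file server and drops everything else.
# Placeholders (constructed): qube names mail-dvm / files, template fedora-38,
# file server 192.0.2.10 (TEST-NET-1). The qvm-firewall rule syntax is assumed
# from Qubes 4.x; confirm with `qvm-firewall --help` before relying on it.

# Execute the command on a Qubes host; elsewhere (no qvm-prefs in PATH)
# print it so the plan can be reviewed or tested offline.
run() {
    if command -v qvm-prefs >/dev/null 2>&1; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Disposable template for mail: every session starts from a clean state and is
# thrown away afterwards, so a malicious attachment dies with the disposable.
setup_mail_dvm() {
    name="$1"; template="$2"
    run qvm-create --class AppVM --template "$template" --label red "$name"
    run qvm-prefs "$name" template_for_dispvms True
}

# Start a fresh disposable from that template running the mail client.
open_mail() {
    name="$1"; client="$2"
    run qvm-run --dispvm "$name" "$client"
}

# Qube that reaches the file server and nothing else: routed through
# sys-firewall, default accept-all rule (rule 0) removed, one accept rule
# for SMB to the server, then an explicit final drop.
setup_files_qube() {
    name="$1"; template="$2"; server="$3"
    run qvm-create --class AppVM --template "$template" --label yellow "$name"
    run qvm-prefs "$name" netvm sys-firewall
    run qvm-firewall "$name" del --rule-no 0
    run qvm-firewall "$name" add accept dsthost="$server" proto=tcp dstports=445
    run qvm-firewall "$name" add drop
}

# Usage: on Qubes this creates the qubes; elsewhere it prints the commands.
setup_mail_dvm mail-dvm fedora-38
setup_files_qube files fedora-38 192.0.2.10
open_mail mail-dvm thunderbird
```

The point of the `files` qube is that even if something inside it is compromised, its only network path is TCP 445 to the one server, so there is nothing to "dial out" to; the mail side gets no network drive access at all, because the disposable never mounts the share.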
Qubes OS implements isolation using hardware virtualization, which was broken last time in 2006 by the Qubes founder. No other OS relies on that. Mac and Windows will unlikely implement such approach, because it requires users to significantly change their usage patterns (i.e., think what you should open where all the time).
What is it about hardware virtualization that restricts the usage patterns? From what I’ve seen, you get more access control dialogs with Windows now, so there’s some extent they’re willing to make the UX less smooth.
Imagine a user wants to open a website. There are no critical security prompts on Mac or Windows when you do it. On Qubes, before doing it, you have to evaluate the expected security level of the website and from that decide if you should open a browser in Personal, Untrusted, Disposable, OnlineBanking VM or maybe some other VM…
OK. So, here’s an example. A major corporation IT team has an installation of Qubes OS, with a disposable Qube. The Qube has one application, the email tool. If a dodgy email is received, the email can be opened. If malware runs, the Qube can be closed.
Can the malware escape from this situation? The malware will almost certainly be MS Windows, not Linux, and the malware has to dial out somehow. But what do you think? Can we stop the malware escaping, but at the same time allow emails to be sent in?
What does an “email tool” mean here? A huge all-in-one application like Outlook or Thunderbird? Or a bunch of small programs following the Unix philosophy, e.g. mpop3, mutt, msmtp and some other programs for viewing attachments?
What does “escape” mean here? I think it’s wise to clarify my question above about that “email tool”, and then I’ll be able to answer.
Nevertheless, I can already say that it’s possible to fetch, process and send emails despite a domain having no Internet connectivity, as that’s how my setup works.
The benefits are straightforward, once you (or your company) understand what Qubes can give you…
Other obstacles we have identified:
Very low (5-10 times less) ‘battery time’ compared to running Windows on the same hardware.
Hardware compatibility. They simply can’t use the latest models from the used vendors, but have to pre-test/certify every new model by our own. This also brings in a huge political conflict with the hardware vendors.
Nearly all of the endpoint management software/systems out there are for Mac/Windows. And again a huge political question to move out from the current ‘partners’.
But frankly, the biggest obstacle is the human (the user) factor. They simply don’t like to use (and learn!) such an exotic desktop. They are obsessed with the ‘fanciness’ of using a Mac, or they simply stick to Windows no matter how terrible it is in practice.
And just for the context:
I’m personally using Qubes since the very first beta release. That’s 10+ years now. That means this is my main desktop for work (where allowed) and at home.