More practical security for Qubes (and more realistic threat model)

Or to reliably prevent anything. We are all doomed, let’s just give up and lie dead.
Well, if anyone is interested, I would try to sketch what a good “Qubes-internal” IDS should look like.


No, never give up and just (regularly) use the compromise recovery linked above.

I’m probably not technically advanced enough to understand that yet, but I’m sure there are people who would be interested.

It is better than nothing, but there is a hell of a lot of room for improvement.

Maybe a choice in GRUB menu for a “recovery mode without sys-usb” ?


This would make much sense already!

@arkenoi

someone going full mental because of some hardware glitch that triggered a paranoid breakdown.

lol

hardening

mostly snake oil, better addressed by Qubes OS architecture (templates, compartmentalization, disposables)

Also: this

detection
“self-forensics”

Yes, let’s make this thread about that please!


Ok - my guess is that almost every one who contributes to Qubes has a
“day job”. Very few people are paid to work on Qubes: the rest of us do
it anyway.
If you have time to spend on the forum you have time to contribute imo.

User scenarios is something that has been discussed a number of times,
and there are some moves in this direction.

As to whether these things impact the user experience, imo the dom0
prompt becomes trivial click through like the Vista experience.
AppArmor is enabled by default in 4.1 - I suspect this will impact
user experience, particularly new and naive users, but we’ll have to
see.

This just isn’t so. People have been saying this for years, and there
are always people who take the opposite view.
In my experience, “normal” users can use Qubes perfectly well - they
don’t need expert understanding.
Sometimes they need support, but I don’t find this much different from
normal support requirements.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

That’s what they said about Linux in 90’s, and see how it changed today! :))

Strongly disagree here (as a guy who, in the 90’s and more recently, tried to have normal people use Linux desktops – though not in a professional setting). Normal people there are scared of what they don’t know, most of them do not even care to understand how the bloody thing works, they just want it to work without getting in the way.
Paradoxically the fact that Windows gets in the way of getting things done does not bother them as much, and I guess that’s just because “if MS does it that way they probably know better because you know, they’re everywhere, they must know what they’re doing”.

So maybe you rather meant “normal people in a professional setting”, where the tasks to be done are more well-defined, and support is readily available when needed ? That target would be easier to reach, and definitely the right direction IMHO.

Not in RC, probably – at least I had to turn it on manually in my Whonix templates. Did not notice any visible difference (which means it works as it should!)

Ok let’s start! (others are more interested in participating in endless rant about hardening)

Basically we need to

  • collect information
  • process it.

Both parts require a lot of thinking.

Collection: Can we make Windows VMs part of the process? (it is important, many people run Windows and they will continue to). Even if we stick to Linux, what exactly do we audit? Probably it is auditd and some integrity checks – how do we implement integrity checks? What is our baseline? What are things to watch on the private volume in general? What is the difference in approach to system VMs, templates and regular VMs? Do we need to check template integrity via digital signatures or is it out of the scope?

Processing: where do we store the collected information? How do we run analysis? What would be useful log retention? Most important, WHAT TYPE OF EVENTS are clear indicators of an attack, and how do we keep the signal-to-noise ratio high enough? How do we monitor changes (what type of changes), and how do we approve a change as “normal” without creating huge management overhead?

Those questions may constitute a WAY more complex challenge in a one-user environment than managing all this stuff in a corporate network with a dedicated security team.

And I am just barely scratching the surface. Should we do anything, or is everyone busy discussing the hypothetical ME backdoor for the last 10 years?


Where we could leverage the Qubes infrastructure would be to set up a host IDS from outside of the VM to be audited. That is, with the audited VM offline, mount its volumes in the IDS VM – at least for a first step; running an IDS test targeting a running VM would be cool but more complicated.

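The two posts above sketch the same building block from two sides: a baseline of the audited qube’s files, a later re-scan, and a diff that is ranked so the signal-to-noise ratio stays usable. The following is an added example written for this thread, not code from the Qubes project or from any poster. It assumes the audited qube’s private volume has already been attached read-only to the IDS qube and mounted at a directory passed as `root`; the `NOISY` and `SENSITIVE` path patterns, the JSON baseline format and the sample tree used in the usage note are illustrative assumptions, not Qubes defaults.

```python
"""Offline file-integrity baseline/compare for a mounted qube volume.

Added example (not Qubes project code). Assumption: the audited qube's
private volume is attached read-only to the IDS qube and mounted at `root`.
The path patterns below are illustrative, not a vetted list.
"""
import hashlib
import json
import os
import stat
import sys
from fnmatch import fnmatch

# Paths whose content changes constantly during normal use; changes here are
# reported at low priority so they do not drown real findings. (Assumed list.)
NOISY = ("*/.cache/*", "*/.bash_history", "*/.mozilla/*/places.sqlite*")

# Paths where any change is a strong indicator and gets high priority:
# shell startup files, autostart entries, SSH trust, executables. (Assumed list.)
SENSITIVE = ("*/.bashrc", "*/.profile", "*/.config/autostart/*",
             "*/.ssh/authorized_keys", "*/rc.local", "*/bin/*")


def _sha256(path):
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relpath: {sha256, mode, uid, size}} for every regular file under root."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are out of scope here
            rel = os.path.relpath(full, root)
            base[rel] = {"sha256": _sha256(full), "mode": st.st_mode & 0o7777,
                         "uid": st.st_uid, "size": st.st_size}
    return base


def save_baseline(base, path):
    """Store the baseline outside the audited volume (it must not audit itself)."""
    with open(path, "w") as f:
        json.dump(base, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _priority(rel):
    p = "/" + rel  # leading slash so "*/name" patterns also match top-level files
    if any(fnmatch(p, pat) for pat in SENSITIVE):
        return "high"
    if any(fnmatch(p, pat) for pat in NOISY):
        return "low"
    return "medium"


def compare(old, new):
    """Diff two baselines; return a list of (priority, kind, relpath, changed_fields)."""
    findings = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            findings.append((_priority(rel), "added", rel, ""))
        elif rel not in new:
            findings.append((_priority(rel), "removed", rel, ""))
        else:
            o, n = old[rel], new[rel]
            changed = sorted(k for k in o if o[k] != n[k])
            if changed:
                findings.append((_priority(rel), "modified", rel, ",".join(changed)))
    return findings


if __name__ == "__main__":
    # usage: script.py baseline <mounted_root> <baseline.json>
    #        script.py check    <mounted_root> <baseline.json>
    cmd, root, store = sys.argv[1:4]
    if cmd == "baseline":
        save_baseline(build_baseline(root), store)
    else:
        for prio, kind, rel, detail in compare(load_baseline(store), build_baseline(root)):
            print(f"[{prio}] {kind} {rel} {detail}")
```

Run `baseline` once against a freshly installed or freshly verified qube, keep the JSON in the IDS qube (never on the audited volume, or the baseline itself shows up as a change and could be tampered with from inside), then run `check` after each session. The priority ranking is what keeps the output reviewable: a modified `.bashrc` or a new autostart entry is a high-priority line, while churn under `.cache` is reported but sinks to the bottom. Whether a medium-priority change was “normal” still needs a human decision; the practical answer is to re-baseline after an approved template update so the question is only asked once per change.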

I hope this will be fast and not something we need to wait for Qubes 5.0 for (probably 6 years or more 🙂)

No, I meant what I said - normal users.
Yes, it helps if support is available when needed - I have said before
that giving someone Qubes without preparation, and without providing
support, does no favors, to them or to Qubes.
I’ve also said before that I don’t find the users on the forum a representative
sample. 🙂

I absolutely agree that it’s important to be able to use Qubes without
it getting in the way.

I’m not sure what you are “strongly disagreeing” with? My experience
against your experience? With my view (based on experience) that users
can use Qubes without expert understanding?

In any case we have wandered far from the subject in this thread, and
if we are simply going to trade opinions and experience, it doesn’t seem
fruitful.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

To do the most common stuff? A lot of stuff is difficult to do or understand for new people, and I had issues with Qubes every week (yes, but I never ask anyone for help).

Please do not drag me into a flame war over this but it does need to be at least hinted at here.

In response to

“unless you have a USB keyboard” means any non-laptop configuration

is not entirely well-informed/accurate (trying not to offend but it simply may not be possible).

I build from scratch & am familiar with enough motherboards (even new, recent vintage) to know. True, it is extra difficult to discover them but… Rare yes, unavailable no.

Sadly the same cannot be said for proprietary builds like 99.9% of laptops that have no PS/2 jacks and no plan to change either.

This message will self-destruct before the forces of darkness can assault me, much.

That last one. Normal users around me have trouble realizing what risk they incur when downloading random games from the net. In other parts of the world, students, who should be “above” the “normal user” level, don’t even have a concept of files and folders.


yes - although your view of “common” may vary from mine.
I mean, browse the web, read email, stream shows, play music, write
documents, use a printer, connect phone, store pictures.

Well there you are - exactly not what I said.
Qubes needs support but (in my experience) for most users the level of
support isn’t that different from using Linux or Windows.
And for most users I never talk about templates, AppVMs, or Qubes
infrastructure.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

This is just my thinking, not related to what you said.

No wonder they get confused with all those leaky/mixed abstraction layers. First, they are introduced to some services that try to hide the inner machinery like files and folders behind a data-object-driven UX, and then it turns out there are still “files and folders” underneath that they should learn about! All modern information management UX is a sad joke. But let’s not get distracted.