New QubesOs wannabe user, please advice

Good day!

Probably open doors to most of the forum members, but would like to use that to my own advantage for now. I don’t need details, I’m already aware I need to learn a lot, but would like some more general meta advice to get started.

  1. I decided to buy Qubes-certified hardware. To be able to get started learning, I’m considering ordering hardware with Qubes pre-installed. After a familiarization period I will re-install FW and Qubes before using it seriously. I don’t have any compatible hardware already to play with Qubes and getting 2 pieces of hardware is inhibited by cost.
  • Is it possible to verify Qubes post installation? I guess not. Maybe partly through Heads, but that already is a weak point in this scenario I guess where a third party delivers the initial reference.
  • Is it possible to re-install everything to correct all silly mistakes I make in the learning period?
  • I’m aware of the opsec risks that are introduced by the learning period, but think security risks are mitigated by the re-install. Identity leaks are more serious and need careful attention. (?)
  2. I’m inclined to not use wifi and not to request it. But I’m afraid that at some point I will need wifi anyway. In that case, what is more secure, an internal interface that maybe can be guarded by Heads or an external (USB) one that can easily be removed but not guarded?

  3. Intel management engine (HAP) disabling. This will happen through Heads that I will order. If I decide to use a more normal distro, maybe with UEFI, can this be undone? I.e. no hardware changes?

  4. Other points worth considering?

Edit:
5. Screen resolution. How bad is the QHD resolution with Qubes and can it be bypassed?

Cheers!

Definitely. You can use Qubes backup tools to keep the desired qubes (templates, appvm or disposables) after reinstalling Qubes OS, or if you haven’t done anything weird in dom0 you can just delete some (or all!) qubes and recreate them. It’s very easy to play with Qubes OS, unless you do something weird inside dom0.

Hi @anon13425142, welcome to the Community! I’m glad you’re interested in using Qubes OS.

Novacustom offers an anti-tamper feature and Purism (not certified but with preinstalled Qubes) offers anti-interdiction services. I’m not sure about the former, but the latter ships the hardware key for Heads independently, before shipping the laptop and, optionally, to another post address, so tampering on the way is almost impossible without detection.

As @parulin mentioned, Qubes Backup tool allows easy reinstall without losing any data with just a few clicks. Also, every time you reboot a VM, an automatic snapshot is created, which you can use to revert it to a state before the last run.

Yes: Compromise recovery in Qubes OS | Qubes OS

You should tell us more about what you mean here. Note that Qubes provides privacy via Whonix.

Heads protects your BIOS and possibly the /boot partition. It doesn’t protect the userspace or drivers.

Wifi with the internal interface is more secure on Qubes, because you connect it to a dedicated VM (sys-net) and it doesn’t have any access to the rest of the system. You can always shut down that VM, and it won’t be connected to anything at all.

In case of the USB Wifi, you will have to combine the sys-usb qube with sys-net, which potentially allows malicious USB devices (on the same USB controller) to access the Internet.

Apart from that, some laptops, including Librem 14, have a kill switch for the WiFi.

AFAIK you don’t have to undo it to use UEFI, although I might be mistaken here.

There are a couple of good guides explaining how to organize your qubes for security and convenience: one, two.

4 Likes

Uh, Question one. What is your threat assessment?

Are you expecting to be targeted by someone who has major resources, with major Tech skills?

I share the desire to purchase a maxed out hardware from a company that offers Qubes certified hardware. It is not needed for me, who never travels through immigration controls. I don’t. Or stay in motel rooms where someone might tamper with my computer when I am not there. I don’t travel at all.

I can guess that if one were a business person, I might have some apprehension about some rival who wanted to spy on my computer, and could purchase some technical expertise...

If one only wanted to learn Qubes, and was not highly apprehensive about your ISP realizing what you are doing, then there are a lot less expensive hardware options available. Although, one can implement a fairly maxed out level of security on one's own. By doing a hardware Flash of ROM, and carefully getting Qubes installed on your own, without your ISP knowing. One would need to install Qubes oneself. There are several means to verify the download is correct.
One by verifying the hash of the Qubes ISO you have downloaded. More trustworthy is to verify the Key Signature of the ISO with PGP. Explained how in the documentation. Then after creating your own USB of the Qubes install ISO, the ISO can optionally verify itself before installing.

Likely as soon as it is installed, you will want to update the Qubes Operating System (one can select to update over Tor, not always fastest, but feels more secure, and keeps ISP (Internet Service Provider) from knowing the IP of what you are downloading).

Is WiFi needed? Qubes is a rolling release, it frequently needs updates. Lots of things to update. Keep in mind the updates for Qubes were carefully arranged to be safe. You can leave WiFi turned off, as you desire.

One might want to install some programs, apps, and likewise, one needs an internet connection for that.

If one is to install Qubes on one's own. I install Qubes after changing the computer's BIOS/EFI to Legacy. Not saying one can not install with UEFI, I have never tried.

If I won a big lottery. I would buy a Qubes Certified computer.

But Operational Security, OpSec, how I used computer, is likely a far more likely way for my computer/my personal information to be compromised than “Intel Management Engine”, that part of IME that allows my computer CPU firmware to be modified without my knowledge.

As someone said on a blog, “What Hunts you?”
Do you have a dollar limit you are willing to tell us?
Are you a geeky person who would be willing to open a laptop and put a connector onto your MOBO and hardware flash the ROM? Because that is one way to get Heads, other security options, on a less costly $$$ computer.

If you need to send out a secure message before doing all this, get a laptop, with Qubes on it, Learn about it. Then look at the Tails OS to accomplish that.

Best Wishes…

I will dive further into the re-install options, but at some point I will want to do a complete fresh installation. I will definitely do weird things while familiarizing. :slight_smile:

That means I will get an internal option.

Yes, but there probably is a trade-off between safety and losing functionality, hence any new situation could have a different decision to disable or not.

Thanks!

I’m not hiding from any government agency. For most cases, a good VPN would be sufficient. And in cases where I would want to use Tor just in case, it would be better to hide that from the endpoints. In all cases my user profile should be as normal as possible. But I was thinking that the Qubes architecture would support both options in a safe way and would make options like, for instance, VPN over Tor more easily configurable. Still studying these concepts, but the idea is that in any case Qubes would have the best architecture to set up these kinds of things. So yes, maybe Qubes is overkill, but I’m not sure what technical direction I will go, hence overkill to be flexible …

Edit: Let's not go into religious details of combining VPN and Tor, a different subject. Just mentioned it because I think Qubes would be the best environment for these kinds of configurations. Let's keep it at that for now. :slight_smile:

See previous post.

It is both technical nerdiness and necessity. But Qubes is probably overkill. See also post above. But I think that choosing Qubes would also mean to run it on certified hardware if affordable. A chain is as strong as its weakest part and by going the certified route I’m confident there are less weak parts without looking into all the details.

My choice is wifi or wired. Or mostly wired and wifi for couch potato and travel convenience. :slight_smile:

Seriously? Your current daily driver can’t boot the Qubes OS installer ISO? You’re kidding…

You’re either daily-driving an Apple Silicon machine, or a 32-bit CPU from the 90’s…

The HAP bit, is exactly what it sounds like: a bit. It’s a switch that can be turned on and off. If you want it on, you turn it on. If you want it off, you turn it off.

Here are some guides for you:

https://forum.qubes-os.org/t/tor-vpn-reflections-on-popular-advice/10783

What do you mean by this? Can you be a little more specific?

Certainly not. Are you?

The point is that most or even all documented use cases found for QubesOs, Tor, Whonix, Tails and what not are about hiding from an almost omni-present state or law enforcement actor as primary vector. My use case is different. I would like to leave it at that and find more resources.

Thank you all.

I do not think that you should group Qubes like this. Qubes provides a
measure of security that depends on separating your normal activities
in to security domains. (Most users already do something like this.)
There are enough online threats to worry about without thinking of state
or law enforcement actors.

If you’ve decided not to use Qubes, fair enough. But make sure that you
make that decision for the right reasons.

Whatever your decision, thanks for the interesting questions.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

I still think I will use Qubes. Exactly for the support of security domains. But the uncertain factor is the balance between needing privacy and detectability as such at the server side which would raise suspicion. Not going in further detail.

This is a good forum, but has a very technical nature. For instance, the fact that I describe properties of a use case and get a reply about judging a technology. This is the reason to look further. I’ll be back! :slight_smile:

If you are talking about conducting a cyberattack, you’re doing a terrible job at being subtle and discreet about it…

And the fact you’re getting defensive about it isn’t helping your case, either…

Well, we value accuracy and coherence of our parlance here. We believe that mutual exchange of knowledge betters everyone, and that gaslighting is to be abhorred.

I have more than 80 x86_64 machines, many of which are 10-20 years old. Out of all of them, the only machine that was unable to boot the latest Qubes OS testing ISO was a Compaq Evo n150, because it has an Intel Coppermine CPU which is 32-bit (and I would never expect this machine to be able to, either).

But on all others, it boots as expected. On some of them, the installer flags missing CPU instructions, which is fine, but the ISO booted nonetheless.

This is why I said I was genuinely shocked when you said your computer couldn’t boot the ISO.

And point of order:

You have a very interesting way of “describing a use case”…

This is more like “this is the only thing you can do with Qubes OS”, which couldn’t be further from the truth.

2 Likes

Again, certainly not. There are plenty use-cases that fit this concept. This is getting a bit weird.

Nice to know, I just don’t. But I guess admitting I’m a mac user would not help … :grimacing:

Ok. The fact that the use case I try to describe does not ring any bell, except “you must be a hacker” is very remarkable then. I even said that I think Qubes would be the best platform “for these kind of setups” but that the lack of documentation inhibits a new user to inform before buy. And in case you are in need of giving a smart ass reply about that again, yes, I need to buy a new PC and the question is whether the cost of a Qubes certified one is warranted or that I just should get something cheaper with any other security oriented Linux.

Edit: Btw., goodbye.

This is a weird thread :upside_down_face::rofl:

1 Like

Just in case you’ll try again … (I would hope so)

2 Likes

Yes, that was what I also was thinking. :slight_smile:

The point is also that, if one is searching, a top-down approach is needed with inevitably expression of more meta and abstract thoughts. That does not seem to optimally fit the nature of this forum and which unfortunately results in misunderstanding.

Edit: It is also not a fundamental Qubes issue, but more related to Tor entry and exit point security. Another reason this is the wrong place.

1 Like

Ok, so I will be direct this time.

  • You clearly have no idea what you’re talking about, which would not be a negative thing if you were actually willing to learn, but you don’t seem to be, doubling down and digging that hole deeper and deeper
  • You don’t fact-check, and try to cover it up by saying “I don’t need details” and “what not” (YOUR words, not mine)
    • And you’ve already been pulled up on it
  • I offered you help, and you threw it back in my face
  • Harassing me via private messages just makes you look immature

Another example of you trying to sound smart by using unnecessary jargon in a word salad (very badly, I might add). This will not work in this forum…


Do you see the words “Apple Silicon” in my original post?

There’s nothing wrong with being a Mac user…

Having difficulty absorbing basic information? Now that’s just plain sad, but it also explains a lot.


I’d love to see you ask legitimate questions, but it does not seem like you’re interested in learning absolutely anything, persisting in pretending to be knowledgeable, when clearly you’re just talking word salad, laying bare your lack of maturity, and degrading this entire forum in the process…

1 Like

I don’t think that the OP actually demonstrated what you say, and I also don’t think this is a good way to speak even if that were true.

4 Likes

Have to agree with this assessment @alzer89.

While I see both sides here, we also need to be inclusive to new members of any level of understanding and/or openness to discuss the reasoning for their needs/level of question. I think it's a reach to say someone asking for help doesn’t want to learn - as well as a bit of a reach to imply someone is planning cyberattacks because they are not being fully transparent in answering you over their motives.

It's great you reached out to help in this thread, and really appreciate that. Not sure the back and forth after was super constructive.

@anon13425142 I think it's also fair to say it's always better to try to help those that are helping you and give people the best tooling to give you the best answers. If your threat model or personal reasons preclude that, it's understandable. I think some of your replies did come over as a bit obtuse and that can be difficult for people to try to help, especially if people are used to being able to give precise answers. The post here is super helpful for engaging with technical teams online: New QubesOs wannabe user, please advice - #15 by OvalZero

I will link the account anonymisation process in your other thread where you asked for deletion

4 Likes