Picking a system for selecting colors/security labels for qubes

(Got good feedback already, so information from comments responding to this post has been added to this post)

Definition of “security labels”: For this document, I’ll refer to all the types of important security-related information that would be good to know about a qube when making decisions about it as “security labels” (colors will be one way of expressing that information).

What we want to express:
Some information we might need to convey through the security labels is

  1. How vulnerable the qube is (example: expressing that it has full network access, restricted network access (which depends on the level of trust of who you are connecting to), no network access, untrusted printer drivers or not, trust level of the applications in that template, etc.)
  2. How valuable the information in the qube is. (an example could be “this qube is used for banking” vs “this qube is used for general web browsing” vs “this qube contains my gpg and ssh keys”) (“value” can be alternatively phrased as how costly disclosure of that information would be)
  3. Identity (examples: personal vs work vs secret identity)

So first question is: What other types of security-related information might be good to know about when one is making decisions related to a qube?

To help people get ideas, an example of one attempt at categorization is:

Many other attempts (by other countries) are listed here as more examples (with a large amount of overlap from one country to the next):

Options for how we could express it:
Currently, the information from the above security labels could be expressed by several channels:

  • Qube color
  • Qube name
  • Display location (i.e. what workspace it’s on or what monitor it’s on)

So second question would be: Are there any other channels of expressing the security label information that we have not listed above?

Some examples of proposals for possible other channels to express the security label information discussed in GitHub issues are:

Everything after this line is old stuff from the original version of this post (that should probably be removed now):

Any proposals for extending the qubes label/color system to handle this?

I’ll kick things off with the following initial proposal, and see if it inspires anyone with a better proposal:
(Here I had put a proposal that had already been proposed in the GitHub issues)

As I said. I’m hoping for people to improve on this idea. What other options can people think of?

2 Likes

I use a traffic red light / green light scheme. Red for least secure - sys-net, Orange sys-firewall, Yellow, Green sys-vpn for most secure. It doesn’t mean I trust vpn. It’s just the endpoint. Purple (Tor color) for Whonix. An Untrusted qube is red. Anything else like Banking or Work becomes a color of preference. Sometimes I break the traffic scheme and use blue for Fedora and red for Debian, purple for Whonix.

Some related issues:

1 Like

I trust connecting to my home nextcloud server and downloading files from it more than I trust downloading a pdf from a random webpage, so if a qube only connects to my nextcloud server, it gets a different color than if I use it to access the rest of the internet.

So Orange is for any networked VM that could make untrustworthy connections (rss queries to news websites; school for everything school-related). And Yellow (getting colder in colors) is for networked VMs which only connect to my Nextcloud server (productivity, backups). Then Green, Blue, etc. are no networking at all. Of course since all traffic goes through sys-firewall, presumably, then you could even sort qubes by which firewall VM they were connected to, and thus which traffic is allowed to enter.

Red is not used for networking, but rather anything untrusted (Whonix DispVMs, sys-net, untrusted, fedora-dvm).

But at the same time defining trust is difficult. For example, using a Whonix DispVM to read documentation is fairly safe, because it is difficult to compromise the entire Tor network and because I have Tor set to block javascript, mitigating many browser attacks. I could, however, use a Whonix DispVM to download experimental software from the DaRk NeT, in which case I would be doing an unsafe activity with the same VM. I could make a DispVM for safe activities, and give it a different color, but I feel like this is way too granular.

I guess I don’t know how useful a fine-grained, riced border system would be (i.e. colors, stripes, polka-dots, emojis) simply because trust is difficult to define for the wide variety of activities that I use my computer for. I’d prefer to have the ability to “tag” certain VMs with the things I trust them with, and have those tags appear written in the border.

If I tell myself I will only access nextcloud with my orange productivity VM, I tag it with traffic: Nextcloud, and then the border appears as: [productivity] -- Nextcloud traffic, or something like that, to remind me what I’ve delegated this qube to handle.

Interesting idea about data value. I guess in the meantime you could simply rename the relevant qubes with -gold, -silver, -bronze text label suffixes.

And instead of value one could consider consequence levels of disclosure borrowing ideas from such Classified information - Wikipedia

Also that proposal about adding 7 new colors… Hope UX people consider colorblind people :frowning:

Are these actually orthogonal dimensions? “general web browsing” ~ full network access, “this qube is used for banking” ~ whitelisted network access, “this qube contains my gpg and ssh keys” ~ no network access (e.g. split-gpg). So seems like you only need one dimension here.

An orthogonal dimension instead might be identity (personal vs work vs secret identity i…). But then you can use workspace as the second dimension (with colors as the first).

degree of internet access x identity , loosely mapped to colors x workspaces

They do. It has been brought up many times.

1 Like

Note this is actually difficult in Qubes due to everyone using CDNs with many IP addresses nowadays. (If you’d like to discuss this topic, please post in one of the following threads.)
One example of the problem:

One proposed solution:

Note: I have updated the original post with information from comments from many users.

1 Like

I wonder what happened to the results of this survey:

I have updated the original post (again) to integrate links from comments from users

1 Like

3 posts were split to a new topic: Updating the original post is a problem for email users

@newbie posted an outline of threat types in another thread and it got me thinking. Just like we have a need to express the identity being used, we may also need to express the threat types that are allowed for a specific qube, i.e. it’s not really a linear dimension.