Qubes OS is “A reasonably secure” OS?
What does reasonable mean in context?
Secure? By what definition?
What is “reasonably secure” hardware and TCB?
TCB means trusted computing base, no?
Trusted by whom? Why? Necessity? Impotence?
What happened to Rutkowska’s “do not trust the infrastructure” axiom?
Hardware not infrastructure? Is not x86 and Intel unreasonably insecure?
Assume the Qubes team and contribs make their best effort and succeed in amazing ways with tiny resources! Not criticizing, but love them and the Qubes community.
Still very very confused about what “reasonably secure” means. What does it mean to you?
Outside the Qubes community, in hardware and firmware spaces, I have seen many lol about Qubes not being reasonable or secure. I think they are stupid to say it, as MS, Google, Apple, Redhat, etc. could all say “reasonably secure”, but I cannot refute weasel claims. Must confess TCB sounds like a blind faith marketing term; still hope I am wrong about the “pass the buck” arguments. AND I know no OS better than Qubes OS. Do you?
Maybe I missed it in the FAQ, so please correct me if wrong, but:
What benefit is a “reasonably secure” OS running on unreasonably insecure hardware, e.g. ME, PSP, supply-chain-compromised hardware, questionable unauditable firmware, etc. etc.?
What do you consider TCB and root of trust on your machine? Why?
Only confused, not seeking to argue.
Repeat:
I missed this if it is in the FAQ.
Specific links welcome and most grateful!
Well, here’s a quote on a topic sharing similarities with yours:
In the case of hardware, as most of it is closed source, we don’t have to just “hope” it does exactly and only what it advertises; we can analyze it, and we actually do that for closed-source software as well, and that’s often how we discover something fishy. Granted, it’s easier to analyze something when you know exactly how it should operate, but we can already do a lot even without knowing all of the inner workings, and it’s enough for a lot (most) of people.
I don’t think we ever found any evidence of Intel ME or AMD PSP being exploited (don’t quote me on this. EDIT: links that contradict this statement are just below in this topic; this makes this argument not really valid. It’s still easier to exploit software bugs/vulnerabilities, but it’s far from impossible to do the same with hardware!), but we do have lots of evidence of 0-days, hacks, honeypots in closed-source software.
In this regard, QubesOS is “reasonably” secure by being open-source and focused on security (security by compartmentalization).
The benefits are huge in terms of security, because using it will allow you to compartmentalize anything in terms of level of trust, for software but also for devices, as is the case by default for your NIC and USB ports.
Well, Xen’s hypervisor and dom0 running on my computer.
I trust the software because I think I reviewed it enough, and I trust the people who wrote it because they avoid taking unnecessary risks and they don’t make statements that are refutable.
Who is “we”?
Are you part of the Qubes or coreboot “team”?
I may be confused, but I have some reverse engineering experience and know the extreme difficulties in reverse engineering black box code. If you or “we can already do a lot even without knowing all of the inner working”, please provide links to those efforts.
A lot (most) of people are sadly completely ignorant of the present reality, and I do not exclude myself from that statement. That’s why I’m here.
To respect your request to not quote you on the ME and PSP issues, whether it is in the public domain or not, I respectfully suggest you do further research. Some breadcrumbs are in All Around Qubes, and other info is available in public research papers I could dig up if you desire it.
Understand. But still question “reasonably”.
Agree.
Again agree, but Xen’s hypervisor is software only. If you reviewed it, that is admirable and impressive, but have you also examined the hardware upon which it all depends? Perfect software run on imperfect hardware imo is foolish. But that is just my opinion (and as the saying goes, opinions are like a$$holes, everyone has one…). Feel free to ignore me and mine.
Of course, but I didn’t mean reverse engineering, but external tests: observing the network, bandwidth usage and such. The point being, if it does something, it should emit/receive something that could be observed externally from the computer.
Yes, that would be fantastic, but I don’t think it’ll change my point so much: it’s easier and more common to leverage software to spy on/hack someone than it is to leverage hardware.
And you should! And so do the developers (I think they do too, since they continue updating QubesOS).
Moving to open hardware is a great idea, and I’ll look forward to it.
Depends where you draw the line. I also try to review my hardware, and it took me years to finally choose something I was comfortable with, because this is all there is. In my opinion, and according to my threat level, the software and hardware I chose fit my criteria of functionality and trust.
This sums it up for me, a reasonably secure system on a somewhat unreasonable hardware is better than none at all.
OK. But anyone else may want to look more into the Treck networking stack or whatever BS Intel is using in their CSME (or whatever current marketing terminology they foist today).
No offense intended @qubes_user_95639 but you did open the door. Good luck and stay safe my fellow qubes user.
It’s pretty clear that some hardware shouldn’t be considered safe to begin with. In that case, choosing older hardware that doesn’t have these ““features”” is the way to go.
@Confused, so with the knowledge of how to avoid those hardware traps, can you think of any combination of hardware and QubesOS you would trust? Isn’t it “reasonably secure” to use QubesOS on some older Intel (or AMD) CPU that doesn’t support ME/PSP and is patched for vulnerabilities?
I think the idea behind using ‘reasonable’ is to eliminate the false promise of ‘ultimate security’, as that simply does not exist.
Even ‘security’ alone is not a well-defined term, but a process to address your threat model, as that should describe your goals and the things you want to ‘protect’ from different kinds of threat actors.
And then you must understand what Qubes OS can give you to help with this. As it is ‘just’ an operating system running on consumer hardware, it is inevitable to trust your hardware. And this is out of scope for Qubes OS, or any other OS out there.
This is how I would describe what Qubes gives me:
Qubes OS allows you to be the weakest link - even if you are a highly skilled IT Security professional.
So it is reasonably secure, as there is no ultimate security. And because it provides you the best available and feasible solution to address a lot of security concerns related to a desktop computer, but surely not all of them.
And just as a side note:
I’ve been using Qubes OS as my primary desktop since the very beginning of its existence. During those 10+ years I tried and evaluated every single ‘competitor’ out there… But I still believe that this is the best you can get if you want a reasonably secure desktop working environment.
All this info is also valid for the other AMD coreboot-supported boards that I am maintaining: ASUS AM1I-A and ASUS A88XM-E. The only major difference is the BIOS flashing instructions: the SPI flash BIOS chip of the G505S laptop is SOIC8 shape, while the desktop board chips are DIP8.
Requires a hardware flash of the ROM. You know, with opening the box, wires.
The possibility of doing typical desktop workflows, which result in me processing untrusted attachments, scripts, etc., as well as working with sensitive data that should never be public, in a secure and comfortable manner simultaneously.
For me it would be highly secure, but unreasonable and uncomfortable, to open each untrusted file in, let’s say, a fresh live system session on a separate laptop. AFAIK, that was a sad reality for journalists who had to mass-process untrusted documents from unknown sources.
Maybe some “agency” has something I might trust, but that falls in the unknown unknown category for me at the moment. Should someone reading this care to share, please private message me, or provide their preferred method of contact. However, if it’s just another “flip the High Assurance Program (HAP) bit” kind of answer, please do not waste my time. TIA (and no, I do not mean Total Information Awareness, but only thanks in advance).
Much much appreciate @mike_banon’s work, but do not these boards suffer the same probs as the Asus KCMA-D8 and KGPE-D16? Please correct me if wrong, @catacombs, and thanks for the options!
Uh, a google did not make obvious what probs you are referring to. Lack of continuing support of the CPU?
Perhaps, considering complete newcomers might be reading this thread, someone should add that how one uses Qubes can compromise security? Privacy (Surveillance Capitalism)? Anonymity?