I love Qubes and what we have is excellent already! But you and I and many others in the community are the few privileged ones who happen to be technically inclined. But many others also need this level of secuity (probably even more than us), but unfortunately can’t because they find obstacles in the usage that may prevent them from doing their work properly on Qubes (today). So I think usable security will be key to making this system more secure overall.
Yes, the Qubes team is small. And I think in part that’s good for security, but this topic should not be overlooked. And in fact it isn’t being overlooked.
Also, there’s this article on the importance of usability for security that I recommend: Aligning Security and Usability (just the first two pages)
Find the design proposals, related discussions and other usability improvements / issues on GitHub:
This sort of thing gets said over and over, and it probably makes
people feel good about being the “few privileged ones”.
I’ve yet to see any hard evidence for it.
It’s perfectly possible for a non technical user to use Qubes
effectively - perhaps with some initial set up and advice.
In fact, imo some of the people who find Qubes most difficult are those
with a slight technical inclination. (If anyone doubts this there’s a
YouTube video of someone installing Qubes, without having read or
understood anything. Good for comedic value.)
So let’s not overestimate the problems. The current UI redesign may, or
may not, help new users.
I think you shouldn’t judge people’s motives so quickly. I brought this discussion because I feel its an important issue since I’ve struggled myself (with the basics as well) and seen others struggle too.
I think the opposite, but only user research will answer those questions. Anything other than that will just be anecdotal evidence.
I’d love to see that! (do you have a link, perhaps?). But the fact that it has comedic value only goes to show that we’re not yet there – why else would it be funny?
I’d argue there are still a few rough edges. Here are some examples:
GUI-only
Terminals are not beginner-friendly, so I think eventually will need to have GUIs for at least:
I don’t mean to say that regular people can’t use the terminal. It’s just that they’d rather not - and if forced to, many may be driven away.
Discoverability
It is know that users don’t like reading manuals. Most would like to jump straight into qubes without reading any documentation. So it’s important that the OS leaves out clues that let users adjust their mental model of how Qubes works into a more accurate one.
Just to give two examples:
software installation - users will likely come from windows or mac where, to a great extent software is installed by downloading a binary. On Qubes (or linux in general) it is through repositories (most of the times). One way of going about might be by including a “Install software” icon on each VM (it currently exists but leads into a broken application).
clipboard copy - this is a trivial thing. But not coming across this knowledge can be very frustrating for users (it happened just a few hours ago to a user here). So there should be a way to make the user find this feature.
Of course, we’d have to define the average user and their abilities. For the sake of argument let’s assume the average user has grown up with using Windows, like myself.
I’ve just read an article on Microsoft closing large numbers of accounts apparently at random and people couldn’t access data (Onedrive, Office 365) and other Mircosoft services anymore. Disregarding the fact that one could learn and backup data in the future another point came up in the discussion that followed the article: move away from Microsoft and try out a Linux distribution or at least try out open source & free software alternatives to Microsoft (the basic stuff like firefox, thunderbird, libre office etc.) on Windows.
The discussion quickly fell back into the old patterns of Windows vs Linux which is so boring because many people don’t seem open anymore for a discussion free from any bias, exchanging arguments that are based on real experiences and trying to listen to well-founded opinions. Instead there were those who claimed that “Linux” (yes, they weren’t able to name a distribution) wasn’t usable because it was too difficult to install and it wouldn’t work and anyhow everything was better on Windows anyway.
I don’t want to go into details - there hardly were any. My point is that I think that in large parts of affluent societies people have become lazy and impatient when it comes to most things technical like computers, smart phones etc. In our throwaway society it is easier to dispose of something that doesn’t work like it used to anymore instead of investigating and trying to repair it or learn something new that could help making something useful again.
I don’t think that it is too hard to install almost any Linux distribution not to mention Qubes. Of course, you’d need to consult some basic stuff like Hardware Compatibility List and other documentation.
Most people don’t know much about or just don’t care about security and privacy in general and that is why they won’t use Linux or any other system than the one they are offered while shopping. It doesn’t matter what happens in the background as long as the stuff works.
I guess, the few people who really need a special kind of security because maybe even their lives depend on it will take the time and read a few pages of documentation in order to achieve that and at least ask some questions in a forum should need be. Wouldn’t you?
To add to this: When you make technology too intuitive and easy, people will start treating it like magic and expect it to work like magic (this is where people typically quote Arthur C. Clarke), and this is problematic because they’ll act as though they’re protected by magical infosec armor.
For whatever my opinion’s worth, I don’t think Qubes is for the masses (at least, not in this form–maybe integrated as background magic in a mainstream OS). I think making Qubes too magicky leads to laxness and people sliding back into bad habits. Some reasonable amount of friction is needed as a constant psychological reminder of why the user is on this OS. This especially applies to the at-risk non-technical people like whistleblowers and journalists who depend on Qubes. That being said, I’m not against a smoother experience–just against the experience being too smooth.
Better education in the form of well-designed and delivered tutorials and videos would go a much longer way, in my opinion, and offer more bang for the proverbial buck. The official documentation isn’t bad, but can be much more streamlined and accessible. The Whonix Wiki should serve as a good example to follow, as it also covers important security concepts and general defensive posturing beyond the OS in a comprehensive yet accessible manner that’s not too overwhelming.
This should be far less demanding for the devs to work on (or delegate and approve).
I totally agree with you both. In my first post I was not referring to the average unmotivated windows user. I was specifically referring to people who, due to the nature of their work, require extra security (so they have motivation). But the intended audience probably needs to be scoped down.
What we want to achieve here, is to provide easily usable default environment for all those users who are not comfortable with changing any of this. Something that doesn’t require going through all the documentation to even start using it. Maybe a 5-10min intro video, but that’s top. Like it or not, forcing using console is a big usability issue
This gives me an idea: why not create a course for a well-known site like EdX? The Linux Foundation has an intro to Linux course on there–if they’re willing to take on Qubes (this part I’m not sure of), then it’s a good way to achieve goals and increase exposure.
Potential issues: Some might consider increased exposure a bad thing; I’m not sure how much manpower is needed to maintain these (e.g. forum moderators); there’s an issue of anonymity, but on EdX at least, you can create anonymous accounts.
I think the expectation that the typical non-technical user whose life experience with PCs can be summed up as “some combination of clicking on stuff in Windows and Apple” can effectively use Qubes with at most a 5 to 10 minute video means turning the Qubes experience into Windows. You aren’t going to get them to meaningfully understand VMs and /rw and disposables in that timeframe–this, I’m certain of. But maybe my idea of a ‘typical user’ is different from yours and I’m wildly underestimating their technological savviness (mine thinks ‘onion circuits’ is another name for onion rings).
It’s true that you don’t need to know how a car works in order to drive it, but to reach that point of intuitiveness you have to create a UX that’s basically a replica of typical desktop experiences–this means hiding the system and proxy VMs, turning QubesOS into background security magic. Basically, you have to force isolation down users’ throats.
A rough sketch of what I think it’d look like (for fun):
Qubes are only allowed one program and/or website
The only way to access websites is via a GUI interface that takes a website you type in and automagically creates a qube that can only connect to that site, or via a desktop icon that this program has created (entering a website that already has an icon creates another one for account segregation).
The qube created above has all the needed firewall settings and a preconfigured Firefox (hardened?) that resists fingerprinting and blocks tracking in a way that the layperson wouldn’t have to fuss over (i.e. nothing that breaks sites).
Thunderbird only allows for one account per qube, etc.
Firewall(s) automagically configuring themselves is an absolute must (there’s probably something out there that whitelists automatically for a given website)
Downloaded files get automagically copied to a pooled offline storage vault that uses dispVMs to execute content (all presented as though it’s a normal desktop, of course) by default. Active documents that need to be saved are automagically passed back.
All this implies a higher hardware hurdle and a far more limited range of actions to protect users from themselves.
Since all of this would massively annoy the existing and more proficient users, an option to revert to the classic (current) setup during installation and later is a must
I may have overdone it with ‘automagically’. Not sorry.
Automagic Security can Reduce Trust (and undermine security)
For security to be effective the user’s needs some awareness that it is in place in order to increase trust. To illustrate this point, in a paper called "Confused Johnny: when automatic encryption leads to confusion and mistakes” (Ruoti et. al, 2013), the authors get to the following conclusion.
Users were unsure whether to trust the system because security details are too transparent.
Even though it’s just a single study, many more exist. And in the particular case of Qubes I think It’s important the user understands how to manipulate the system, namely for choosing what goes in which compartment and giving access to hardware devices and chaining network Qubes, which leads me to the next section – Mental Models and Discoverability.
Mental Models and Learnability
@fiftyfourthparallel I think you’re assuming that all the knowledge the user gets in that video is all the knowledge the user will ever have. And that’s could never be true for Qubes – though it must be enough to start using it (as Marek said). But in order to use it effectively, it will take some more time using the system.
Learnability
considers how easy it is for users to accomplish a task the first time they encounter the interface and how many repetitions it takes for them to become efficient at that task. (source: nngroup)
And I’m convince on of the key component achieve that learnability is by making those features more discoverable.
In the specific case of Qubes, those discoverable features, should steer the user toward getting a more accurate mental model of the architecture (even without noticing).
There’s probably an ‘uncanny valley’ of transparency. Ultimately I think it depends on the user’s ability to make use of the transparency too. There’s also the feeling versus the knowledge of trust–that is, is the user’s feeling of mistrust warranted given the facts?
I think we have differing views on what is considered ‘using’ the system. For me, that involves doing the high-risk activities Qubes is designed to protect. It doesn’t involve feeling your way around the system, since that’s risky. I’ve been actively toying with Qubes for two months now and I still haven’t really ‘used’ it (I know my way around tech but I’m not a technical person). Whereas in your case ‘using’ means being able to do basic tasks on the OS without regard for how secure the new user is.
This seems to involve a lot of groping in the dark and stumbling on previously unknown obstacles for new users–not ideal for at-risk people doing sensitive work (doubly so for Linux CLI newbies and the technologically illiterate). This is especially true when you won’t get an achievement popping up notifying you that you’ve graduated and is now a proficient Qubes operator. I’d probably choose a combination of good ol’ air-gapping, solid encryption, and analog methods instead of taking the risky path for a solution that, from my perspective, has high uncertainty, complexity, and cost (time, effort, equipment).