My habit is to always shut down any AppVM’s that I am not using. Especially those that have network. Though even Vault AppVM’s I tend to shut down out of paranoia that some network enabled AppVM might somehow get access to it.
Is this a good idea? Am I wasting my time? What are best practices?
In case it’s not clear what I mean:
Right now I have two AppVM’s running. This one, and a Vault with no network. I just started both of those by opening apps via the app launcher.
When I’m done here, I’m going to shut down both of them. I will go into Qube Manager, highlight the AppVM’s, and click ‘Shutdown’.
And that is how I use Qubes for everything. My question is whether that is optimal.
If you need to worry about high level targeted attacks it’s a good idea, it will protect you against exploits that are able to escape the VM and read the CPU cache.
My habit is to always shut down any AppVM’s that I am not using. Especially those that have network. Though even Vault AppVM’s I tend to shut down out of paranoia that some network enabled AppVM might somehow get access to it.
I think this depends mainly on the vulnerabilities of the CPU. Check:
grep . /sys/devices/system/cpu/vulnerabilities/*
Is this a good idea?
If your CPU hardware is vulnerable to side-channel attacks which allow one VM to read/write the memory of another, then no software can save you from that.
If it is not vulnerable, then you rely on Qubes VT-d isolation. I don’t know if anything can break that. If it can, that would render Qubes useless from security perspective.
Am I wasting my time?
Perhaps.
What are best practices?
Use a non-vulnerable CPU.
Restrict qubes to what they actually need.
My question is whether that is optimal.
For evaluating whether something is optimal, you need to define the criteria for optimum.
I would add that I feel pretty confident with offline qubes, I prefer dispVMs whenever it’s possible and even when* online dispvm is left unattended, I don’t see any rational threat except side-channel attacks. The latter under condition one-domain-one qube when logged-in on domain. For non-logged-in online dispvms… I don’t know what I would care of (except side-channel attacks, of course, but that’s end game anyway regardless of attendance…).
*Note - I don’t use "IF"s but "WHEN"s, because the first one gives a hope and a false sense of security.
Two hours down this rabbit hole and I think I just discovered a reason not to buy old hardware. It’s going to have a bunch of vulnerabilities.
For evaluating whether something is optimal, you need to define the criteria for optimum.
I meant what is most secure. As in, what will keep data safest from threat actors. If you still need me to define ‘what’ ‘will’ ‘keep’ ‘data’ ‘safest’ ‘from’ ‘threat’ or ‘actors’, I am sorry but my feeble brain is not up to the task.
Why do you say ‘except side channel attacks’ and dismiss it?
To me that sounds like saying ‘I’m not wearing a bullet proof vest, it will only matter if I get shot’ and while true, that is exactly why you wear one. So…
I’m not saying you’re wrong, I’m saying I don’t understand. Why are you dismissing side channel attacks?
Security is evaluated in a particular context (e.g. against particular threats,considering the conditions etc). The times we live in require hybrid thinking. Some random Internet hackers trying to lure random victims into a mail-click ransomware scenario is one thing. A state-level actor is completely different. Or you may be very diligent in staying offline, yet connect some bad devices to your system.
So, there is no universal “most secure”. There is knowing your adversary.
Hypothetical example:
You can stop a networked AppVM but it is possible that it is infected in a way which will allow the malware to simply continue to work from the same point once it is online again. Yes - it is a form of security measure to time-restrict access to a resource only to what is necessary, but if the given example applies, it is a security theater.
Oh, and BTW: I may be wrong or wish to deceive you. Never assume anyone on a forum to be truthful An AI may be a mid-man trying to fool everyone
Beacuse nothing reasonable, even “reasonably secure system” like Qubes can’t help against them? Meltdown, Spectre, cross-VM cache side channel attacks. Maybe I’m wrong too, but ready to be relived about them if Qubes helps against them?
No shit. You’re not helping anyone when you completely avoid questions by repeating this meme. Everybody knows this already. But there really is no other way to ask the question besides revealing a bunch of personal information and writing a novel of all the hypothetical situations you’re worried about. And even then, pedants would do this.
That’s interesting because depending on the context, the response could be “get a new one” or “never use a phone for this special case” or something else. But let’s say it is correct.
I understand that the kind of answers you’re getting here are frustrating but it seems more honest to me, more than a helpful person saying “use Qubes OS and go read about computer security” If you’re not willing to write a novel about your context, why would anyone do it for you? And yes, at the end there will probably be no real answer and a lot of doubts…
Even if it’s so, and I suspect it isn’t, of those who “knows”, I again suspect, vast majority of “knowers” responds to it with “I have nothing to hide anyway”, or with “it’s a too complicated trade-off, is there any simpler/shorter/more specific answer/solution”
No shit. You’re not helping anyone when you completely avoid questions by repeating this meme. Everybody knows this already. But there really is no other way to ask the question besides revealing a bunch of personal information and writing a novel of all the hypothetical situations you’re worried about. And even then, pedants would do this.
Each of your initial questions received an individual answer, follow-ups too.
Nobody has requested from you to write novels or to reveal any personal information. All I said meant that you should consider your specific situation and act accordingly. That is the best practice.
Little kid says: ‘i want my phone secure’
A helpful person says: 'update your software and put a password on it and then go read about phone security;
An unhelpful person tells them their question doesn’t make any sense.
the response could be “get a new one” or “never use a phone for this special case” or something else
Yes, indeed. Hence why you tell them to go read more about the topic. As they didn’t provide enough information for you to give a full and complete, or perhaps even accurate, answer.
But it’s an attempt. It gives them something, gets them started, points them on their way. Which is much better than ignoring their question and admonishing them to ask better questions.
I just see people doing that on this forum and other similar places constantly and it drives me nuts. For whatever reason, this particular instance was the time I chose to say something about it.
When someone asks about security, it’s really not helpful to turn that into a lecture about what security means. The person is trying to solve a problem and framing questions in a way that appeases you, is not it.
An AI may be a mid-man trying to fool everyone 
If you’re not willing to write a novel about your context, why would anyone do it for you? And yes, at the end there will probably be no real answer and a lot of doubts…