Why are you here?

After more than a decade of OS X use I decided that I needed to start using Linux as my main OS, forcing me to get familiar with it. This was motivated by the observation that in my area of expertise more and more projects moved from proprietary OSes like QNX, VxWorks and the like to Linux, as well as my company actively joining into an “automotive Linux” effort.

What followed was a quick succession of distributions (Mint and OpenSUSE being the ones I used the longest) until one day I searched for the “most secure Linux distribution”. This brought me to a post by Joanna on a “secure desktop” mailing list and then to the Qubes OS website, where I saw Snowden’s endorsement. I came here looking for an OS that would give me more security from viruses, script kiddies, cyber-criminals, ransomware and other pitfalls that await online. Of course I found much more then that. Qubes OS is a meta-OS and a whole new and different way of using my computer and there is also this community!

But then something happened. I am not sure what exactly it was: the constant discussions about APTs, esoteric risks, VPNs, TOR, Whonix, anonymity … I lost sight of what my actual use case was. A not so minor case of Paranoia built up to a point where I spent thousands of hours obsessing about tracking, fingerprinting, surveillance, targeting etc. There are plenty of threads here that document that. This also resulted in a “purism” where I started to use somewhat inferior tools (e.g Firefox) for ideological reasons instead of using what would work best.

Then one day @adw wrote this:

A virus of quite another kind. Resisting it at first, it kept working away in the back of my head until I realized that I am wasting tons of energy and time on something that isn’t all that relevant to my life, while I could use that energy to concentrate on my actual personal and professional goal: learning more about security and how to engineer for it.

I don’t want or need to be invisible or untraceable. I hate what companies like Google, Facebook, Amazon, Microsoft etc. do but that can be addressed by legislation and efforts like the EFF. Me obsessing about not leaving a trace online won’t change anything at all. What it did though was keeping me from actually learning about IDS, finishing several courses I started and studying books like “Security Engineering”.

I post this as a cautionary tale. Stop from time to time and evaluate whether the things you are spending a lot of time and energy on are indeed what you intent to do with your life. This is also a public and detailed thank you to @adw for much needed perspective.

Was an all time Windows user… erm let’s say ‘Fanboy’ with little knownledge about Linux since 2002/2003 and this more or less followed my Windows use over the years in job and in private life.
Then -in 2019- I’ve read Snowdens book “Permanent Record” and althrough I knew the story back from 2013/2014, this completly changed my internet behaviour.
First was trying out Tails and worked with it (and still do from time to time) I read articles and news about QubesOS. Immediately was forcing me to get into all this and want to learn, how this OS is working and what’s possible with all this.
This brought me to here (and some other QubesOS places).

Thank you, @Sven. This means a lot!

“How ought we to live?” isn’t an easy question, but it’s one that’s important to think about from time to time. When life gets busy, it can be easy to lose the forest for the trees. Then, one day, you wake up and say, “Wait, what am I even doing?!”

I don’t want anyone to get the wrong idea, though: I don’t mean to suggest that I know how anyone ought to live (including myself) or that anyone else should live their lives the way I do. I’m just trying my best to figure things out and sharing some thoughts along the way. In particular, I don’t think it’s necessarily a mistake for someone to try to achieve optimal privacy or security. It all depends on you: your goals, values, personality, and life situation.

As the saying goes, “It takes all kinds to make the world go 'round.” At the extremes, the variation among different types of people is staggering (especially across history). I would never want to say that “everyone” or “no one” should be or do anything. That would be far too broad of a generalization. We’ve all benefited immensely from focused specialists relentlessly pushing the boundaries of their areas of human endeavor, for example. Extreme people show us what’s possible for humanity, even if most of us will never go there.

Sven and I have engaged in some reflection and introspection in an attempt to better know ourselves, and we’ve arrived at the conclusion that being maximally hardcore about privacy and security isn’t for us right now (which can always change as the world and our lives change), but that doesn’t necessarily mean anything for you. You have to do your own reflection and introspection. Know thyself!

I’m here since 3d printed firearms is illegal in my home country. It’s not as much about being paranoid but addressing the risks we know exist. Even before taking that up as a hobby I was making an effort to minimize windows which was becoming increasingly becoming bloated with crappy software I had no control over and couldn’t remove. I also wouldn’t hold my breath for legislators to fix anything since they are frequently the root cause of the problem (see: the patriot act) As Snowden has also pointed out we have completely given up all power to an unaccountable entity that gets to decide what is wrong and what isn’t. On top of that everything goes on your permanent record so even if what you are doing today is considered completely fine that might change in 5, 10 or 20 years down the line

I am here (the forum) to learn Qubes.

But if the question was why I learn and use it, then my answer refers to an @adw’s post @Sven quoted. We are not biologically immortal like lobsters and some jellyfish might be so that’s why I made some clear goals for my humble, finite life.
And one of them is that my children will start with the Qubes and tor(-alike), since I would be naive to believe that after so many decades without Qubes I’m still not compromised, one way or another.

And until then, I’m using Qubes to preserve my digital memories as a second ultimate goal, while reasonably invest effort to preserve recoverable goods, like money is for example.

The motto that leads me is - the goal must be measurable. Hiding from Google, or an adversary isn’t, because simply my threat model might not be, and so far it isn’t interesting enough for them, but they do profiled me for sure.

At the end, or should I say at the beginning, I always keep in mid that saying:
If on your way to the destination every time you stop and bend down to pick up the stone to throw it on the dogs barking at you because they might bite you, you’ll never reach the destination.

And I find this directly applicable to an excessive OS, but especially to a Qubes hardening.

I started using Qubes OS to upgrade my technical skills in fields of system, network and security.

It is a lot for fun & also for job more than a necessity.

I believe all of this is just tooling but nothing much deeper…we all are aware of instrument bias.
“Give a boy a hammer and everything he meets has to be pounded.”

Also as an engineer & tech worker I reflect about our technological fix tendencies.
"I have so many solutions but what was the problem ?"

If the social impact of technology is in your interest there is some great source of thinking at Logic Magazine and Usbek & Rica…

Why am I here? I am here because of users like @Sven and @adw and many others who have taken the time to share their expertise so that normal users like me can get Qubes OS up and running and use it for my day-to-day work.

As a regular user whose threat level is not that high, my biggest challenge is to overcome complacency. I keep opting for an operating system such as Windows to allow me to do productivity, entertainment, and gaming. Unfortunately, it seems easier to use Windows than get used to Qubes and find ways around some issues. Plus, my skill as a Linux user is at best at a lower intermediary level, so any solutions provided within the Qubes forum would often force me to refresh my command line ability. However, the more I force myself to use figure things out, the more useable Qubes OS is for me. Apart from gaming, in which I still use a Windows system, I am now using my Qubes laptop to do most of my research and corresponding.

I have just upgraded from version 4.0.4 to 4.1.0, and I must congratulate those behind in creating and supporting the system. Now it somehow feels more manageable, and dare I say, the battery management seems to be slightly better. Sure Zoom is not 100 percent there yet, but I keep another Linux distro on a separate hard disk where I can boot into it if I have to jump into an important call. With cloud storage, this is not a big deal at all. It’s more critical for me to know that I can browse the web safely and open any attachments while feeling that Qubes has my back.

I am here because I want a safer internet and computing experience. In addition, I want to learn more about how I can be more proficient with Qubes so that I may one day also help others who are starting to venture into this operating system.

As an older person, I have learned the above quoted lesson over and over again, and have been preaching it myself a long time. For example, I still enjoy online MMO games, but instead of min/maxing every possible thing like others OBSESS with, I just do the best I can in a reasonable amount of time, and for me, that’s good enough. I don’t need to be top dps, just good enough to be invited into groups, and enjoy playing the game.

I’ve been around computers and technology since the 70’s. Back then, it was running COBOL on IBM mainframes, and UNIX on mini computers. When the 80’s came, so did the Intel 80386, and 32-bit UNIX was born on Intel pc’s. SCO UNIX was awesome back in the day. This was before Linux or even Windows. Naturally, when the first linux distro’s began to appear, I tried them all. I joined a small user group in North Carolina, the guys called themselves “Red Hat”. This was before they went into business. No laptops back then. People would bring in their pc, and we would help them install linux, and get all the hardware working. Getting x-windows working was the ultimate achievement. Modem was a must, it was dial-up BBS’s back then.

Fast forward to today, I’m here because Qubes is the latest natural progression of technology. I too am appalled at how intrusive governments and hackers alike (is there a difference?) have become, but from a pragmatic standpoint, it is often easier to hide in plain site. My main pc is windows, playing games mostly. Sure my ISP sees every site I connect to, and that’s okay. I’m just one of thousands of customers doing the same thing. I blend in. Anyone examining me will quickly bore and move on.

I do love technology still, and thankfully linux is still a large part of my life, I still use it professionally as an engineer. Qubes is the natural progression in technology, for those of us that like to keep up.

Qubes does have a steep learning curve though, especially for younger people that just aren’t used to command line linux, multi-user systems, and virtual machine technologies. But thankfully, the community here is very helpful. After all, we’re all on the same grand adventure!

Ah, a kindred spirit! I still struggle to apply the lesson when it comes to MMOs, but at least I (usually) manage to have fun in spite of my nature.

That must’ve been an amazing time to live through. Thank you for sharing these recollections. Sometimes people talk about the phenomenon of feeling nostalgia for a time you never knew. I think this era in computing fits the bill for a lot of us. (By the way, for anyone else who feels this way, Halt and Catch Fire is a great show.)

This is a great discussion. I’ve had my own much shorter phase of paranoia when I didnt know.that intel ME’s full capabilities only applied for businesses. I had other scares too. Although privacy is a shield for other human rights and a powerful tool against mass surveillance, I decided to loosen my threat model. I still want to text people even if SMS is unencrypted. I still like to use Discord even though I hate it. I still need to enjoy life and nourish the other parts, like connecting to people and using necessary but dubious platforms for work. When i see people who barely protect their digital.privacy, and.lead happy and successful lives, Im tempted to reconsider how much optimization i do.

But I still want to contribute to privacy because I’m passionate about it and i want to say “fuck you” to mass surveillance. As we all know, it kills and controls people. All that location data for air strikes… For a little over a year, I’ve strongly considered working in the privacy field from a software angle. For example, security/privacy engineering or analysis for businesses as they incorporate more machine learning. Ive had interest in software for years.

Besides privacy potential, im here and willing to spend money to use this OS smoothly because it’s a good learning opportunity for security, i love customizability, ive used linux before, and im stubborn about getting over learning curves in general.

I started yesterday and im.still on.the fence, but ill see.how things change with more ram.

Right, it’s all about finding the right balance for your life situation, personality, and values. Care too little about privacy and security, and you risk having your life ruined by the malicious. Care too much, and you risk sacrificing other parts of your life in overcautious Sisyphean exercises. It would be easier if life were only about one thing, and we could live the good life simply by optimizing for that one thing, but alas, that’s not how it works.

I’m here because I just want to be left alone

I doubt. It would be unbearably boring.

It would probably be easier and more boring.

How did I come here?

For more than 20 years, I have been (and still am) teaching IT security and privacy to IT professionals and lawyers. Since about 2010, I became more and more frustrated: having to tell and show ever more sophisticated attack methods and telling of increasing damages. At the same time, the IT used (in my environment, mainly Windows systems) has become more fragile and error-prone, not at least by being overwhelmed by lots of more or less faulty updates.

I would have liked to point out viable alternatives, allowing to build a more robust IT infrastructure. But: Windows is rapidly deteriorating due to facts widely discussed, e.g. Microsoft relying on telemetry for analyzing software faults and more and more focusing on their cloud business. Switching to Linux is often not possible, due to vendor lock-in because of missing software solutions able to replace applications used exclusively on Windows systems. Apart from that, I am not really convinced that Linux is so much more secure than Windows, as it is based on the ancient Unix security model and is, like Windows, a monolithic system, where one successful attack may mean game over. (In the eighties and nineties, I worked mainly on OpenVMS systems, which provided an extremely robust and reliable environment, which I – like many VMS users, still am sadly missing in today’s Windows and Linux world.)

About in 2015, I came upon some papers and blog posts written by Joanna, and there I saw a possibility to change the game: Unlike many more academic approaches, Qubes OS is based on the assumption that most software is faulty and thus can be successfully attacked. So here is a system trying to mitigate the consequences of such attacks by compartmentalizing the technical basis and by providing a means to contain the damage. I tried to install and test it, somewhere around R3.1 or R3.2, and found that it fulfilled its promise of providing a “reasonable security” and still stay usable.

Where am I now?

Currently, Qubes OS is the system that I regularly use for the laptop that I use for teaching, and there I can show my students a viable alternative to the insecure environments most of them are struggling with. It is also easy to show many alternatives to a vulnerable environment, like switching from Microsoft Office to LibreOffice, from Windows to any of quite a number of different Linux flavors, from running Microsoft Ofiice under Windows to running it under Wine on Linux, and so on.

Occasionally, I am still providing support for a security tool based on a Windows environment. Without Qubes OS, I could not do this on this laptop, because Windows 10 ceased to run on this laptop, due to (documented) driver conflicts. As templates and AppVMs running Windows 10 and even 11, there are no problems, and I can even simulate the use of the security tool in a distributed network environment.

Building such a somewhat tricky software structure under Qubes was possible, even for me, who has never really worked with Unix or Linux and thus has only very basic knowledge about this. (In the OpenVMS community, from where I come originally, there was a joke like: “Who thinks, bash was a command language, might even believe Unix was an operating system.” ) Especially the possibility to quickly clone a template in order to have a clean test system was of immense help. Even the migration of my Qubes installation from R4.0.4 to R4.1 went rather smoothly, even for the Windows VMs. The only larger problem came from a Windows 7 VM which was originally created under Qubes R3.2.1 – the jump from there to R4.1 was a bit too long.

Where could / should we go from here?

Currently I see mainly three areas of concern, in ascending order of difficulty:

• In order to get a wider acceptance, Qubes OS must help Windows users, who need it most, to migrate from Windows, perhaps via Windows qubes, to a different environment. In the last year, mainly thanks to @jevank and @elliotkillick and several others, great progress has been made in this area. If the current work on providing an rpm installation kit for QWT 4.1 and documenting installation and use of QWT is finished, most problems currently causing cries for help will be gone.

• Flatten the learning curve for installing and using Qubes OS: In order to get used to the environment provided by a meta operating system like Qubes OS, the user has to understand the concepts of using separated virtual machines. While most of the documentation currently provided is extremely good – much better than most of the Linux documentation I have found so far – one has still to read it. The old RTFM saying is something ignored by many (most?) current users. Using preconfigured tools, like @adw proposed, may be helpful, but will need a development effort whose size I cannot estimate. Perhaps some video tutorials might help to gain users not able or willing to read documentation??? Wrinkling out some edges of the UX, like @ninavizz and @marmarta are doing now, might also help a lot.

• The third and, in my opinion, most important difficulty obstructing a wider spreading of Qubes OS use is simply that many people do not know that it exists or what it is. If described at all in some PC publications, it is often called “the most secure Linux distribution”. So the reader just thinks: “Why, just one more of the zillion Linux versions – that’s nothing new!” and probably will not have a second look. But how could we reach a larger audience and get them to grasp the idea of a meta operating system and its advantages? I really have no idea, and what I experience in my teaching, even with a security aware audience, makes me rather skeptical.

So far, my two cents. What do you think about it?

… and things like 33-year old vulnerability in the so called most reliable OS like OpenVMS is claimed for, and that was discovered only in 2017, just assure us how much we actually need Qubes.

But took some 33 years until someone found out

You answered that in your second point:

Every day, I find myself wanting to make videos, but I’ve never made one. I don’t even own a video camera. Every day, I’m tempted to buy one from Amazon, and learn how to make videos, but then I back off, because no matter how well you make the video, somebody will always complain about something “you can never please all the people all the time”. Nobody likes getting kicked in the teeth “no good deed goes unpunished”. I’m still tempted though. It will be a huge time sink.

Qubes needs videos IMHO, to break out of the hidden gem basement.

In addition, videos go out of date when the software changes, and it’s not as easy to update a video as it is to update a text document. We’ve had some community members make really high-quality video walkthroughs in the past, but you’ve probably never seen them if you weren’t following Qubes back then. We had to remove them from the website because no one wants a walkthrough for an old, unsupported release that no one is using anymore.

I tried to make the idea of compartmentalization more clear :-): Meme about an unsinkable raft