Why does Qubes OS not get more attention from big players?

Qubes OS is the only OS that achieves acceptable security on the desktop. However, no big player (Red Hat, Google, etc.) seems interested in supporting its development or even just funding it. Why is that? My picks:

  1. They don’t believe a Qubes-like approach is the future for the average user, and instead think that sandboxes like Flatpak will be enough (but they are not!)
  2. They simply don’t care about end-user security. They only care about server security (like SELinux).

Qubes should have a LOT more traction than it has.

If you are talking about Red Hat, their focus is really on servers, containers, etc. They have desktop/laptop computer projects that exist, but this is not their main focus. Also, they have the Silverblue version of Fedora, which is, according to the website, reliable, safe, dev-friendly, atomic, containerized, private, trusted, open source.

Google’s focus is all about data. On the About Google page you can read: “Our mission is to organize the world’s information and make it universally accessible and useful.” My opinion: I doubt they would back a project that would hide information from them.

I wish Qubes OS would get more attention. I love the concept, the project and the result. I use it every day. But I doubt a big company would be interested in a project that could get their profit down.

1 Like

HP picked up Bromium, and it’s now incorporated into many of their machines, so there is no deep-seated resistance to virtualization and security by compartmentalization in consumer machines.

Basically just joined this very forum. Also just got started with Qubes OS. Actually I did have a look at this OS for a while, yet lacked a dedicated machine for the sake of a PoC without blaming any hypervisor in the background.

The design of Qubes OS is quite elegant yet powerful. It takes some skills to handle it. However, I think an OS like this one will get more attention eventually. Regardless of data-mining companies or whatsoever big players, cyber-security has become more important. Many breaches, leaks, compromised systems, a multitude of attack vectors on the rise and so on. Oh, and AI trying to get your local habits/data. Currently I am testing the examples provided by the Qubes docs. The examples are quite easy to understand and adapt to a custom system. So my point is: I doubt easy-going people will be attracted by Qubes OS (yet?).
Security companies, IT departments, security audits will easily regard this operating system as way useful.
E.g. the journalist example can be easily applied. Dealing with important tasks, information loss is crucial, attempts to compromise are a daily threat → sounds like many mainstream clients to me.
Security ain’t visible, usually. People don’t talk about it. Everyone else knows better. Ads of big “players” are quite effective. I guess people who are aware of security concerns will have to spread the word. Also raise awareness.
Anyway, Qubes OS is quite fun. Hopefully it catches more attention indeed.

1 Like

Using Qubes requires a lot of sacrifices for the added security. No graphics acceleration so no games, hyperthreading disabled by default so you get something like half the laptop you paid for, battery life is like 20% of a “normal” OS on the same laptop, …

That’s a tough sell to all but the most security conscious.

2 Likes

Any advanced security technique requires a significant amount of sacrifice, which is in contrast to one-for-all solutions. I can see that Qubes is no gaming platform. I can’t see any battery issues. However, I could identify that certain requirements have to be taken into account prior to getting a Qubes (or Qubes-like) machine, which doesn’t have to be as expensive by far.

If a dedicated purpose needs to be addressed, a dedicated machine might be necessary, or is mandatory. Gaming, CAD and so on. Anyway, this is quite the complex topic.

Just by taking a look at the documentation, Qubes is quite powerful, very advanced. Advanced security takes advanced users or coaching for the sake of onboarding. I can see many companies who introduce awareness trainings.

Sure, there is NDR, EDR, XDR, log collectors (add more words here), off-/on-site access control. However, Qubes starts by stressing the primary level at the very beginning, which is the client. Zero Trust has become quite popular for a while. “Do not trust the infrastructure” has become quite popular too. What about “don’t trust the target”? Unfortunately, the audience is quite limited though. Advanced tech companies, critical infrastructure, enforced ones. Very expensive.

Qubes is free.

I think the Qubes community basically has to check the lists of recommended hardware only. Additionally, raise awareness of Xen-NVMe issues, maybe.
Get QWT back online.

Happy community, spread the word.

1 Like

pressed enter by accident, still writing

Qubes is awesome. But not a plug-and-play one size fits all. A user has to put lots of cerebral activity into it just to make it work, even without capitalizing on its security features. Most end users do not have the time or skill set(s) required to master Qubes enough to make it a daily driver. The support documentation is very good. But I will never get my printer to work, or use secure email/thin Qubes; both are beyond my return on investment for time allocated event horizon, i.e. it will never happen. On the bright side, almost nobody will ever hack Qubes for profit because there is not enough of a userbase to make it even marginally profitable. I think Qubes is the best OS in existence at this time.

1 Like

There’s quite a difference between Qubes and conventional systems like Windows: With Qubes, you have to learn a lot in order to fit it to your needs, but then you may have a system that fits quite well, or even perfectly. With a system like Windows, you just install and run it and will get something that may be quite different from what you need. Making it work as you need it may be even more complicated than with Qubes, or even not possible at all - but many users, especially managers in big firms, seem to be quite content with this situation.

Installation and configuration of Qubes could be made more user-friendly, but this would require much work from the developers and surpass the available capacities. On the other hand, big players could easily afford this work. So the question arises, why they don’t do it.

The answer is probably quite simple: Helping to spread the usage of Qubes simply would not generate profit for them. As long as many users are content to buy inferior systems, there is no motivation to help provide something better. Furthermore, selling insecure systems that need permanent support, and additional snake oil (like Crowdstrike :grin:), allows them to generate permanent profit. In the old days of the Mafia, this was called “protection rackets”. It is still working; so why should it be changed?

The users are getting what they are willing to buy! Everything is fine … until something happens which is not so fine …

5 Likes

You can’t expect Qubes OS to work on modern hardware, you can’t expect any USB device to just work, you can’t play video games that require a GPU, and it’s difficult to use if you or someone you know doesn’t have Linux knowledge.

Other systems are inferior in terms of security, but vastly superior in terms of usability, and usability is more important to the average user.

3 Likes

Qubes OS is the only OS that achieves acceptable security on desktop.

I also agree that Qubes OS is the best choice by far. Maybe OpenBSD, but that’s not all too practical imho. I’d love an OpenBSD qube from the community though, and like the efforts with Kicksecure in Qubes :wink:

Qubes should have a LOT more traction than it has.

I think Qubes OS can absolutely have MUCH more traction than it currently has. It not having that is due to several aspects not being addressed correctly:

Technical complexity keeps non-technical users and businesses away

Once set up, Qubes OS is easy to use even for end users. I can show my girlfriend how to use my laptop in five minutes - like open a browser, write an email and take a note (when I switch it from i3wm to xfce lol). The issue is the initial setup, and understanding how Qubes works exactly and how to set up Qubes OS securely. For this, documentation and (some) YouTube videos exist, but you just have to be “good at Linux” to set up Qubes so you can use it every day.

I think solutions to tackle that have been discussed extensively in the forum. A common approach is “an app store”. I am actually working on a “sort of config management system” - basically something where you write “apt-get -y install firefox” into a BASH script and then say something like qubes-os-manager-thingy install firefox. I will publish that within the next weeks; it’s CLI only though. If we had a GUI like that (much like an app store), that would help a lot. (PS: Salt is WAY too complicated - even I don’t use it, and I have a LOT of experience with Saltstack).

Removing the technical complexity for “installing firefox” is very important for further adoption I think. I think that should not be the task of the qubes team but of the community.

Marketing concept of Qubes OS

I just googled “most secure desktop OS” and there is a list of OSes, and Qubes is first (yay :)). Sadly, after that, the qubes-os.org page doesn’t show up in the search results on the first page. A good shot of SEO for the main page qubes-os.org would fix that. The main page qubes-os.org has been looking like it does for a good while now. It also doesn’t really explain what Qubes is (exactly), whom it is for, maybe link to a YouTube video that shows “how it looks” and so on.

If you look at this from a sales / marketing perspective, that’s very bad (no offense intended, just my humble opinion). Imagine a CTO browsing around for a new OS to use in his company and finding qubes-os.org. From there on you have about 30 seconds before he makes up his mind: “let’s try that or not”. The website should be optimized for this use case I think - it should not start with “what others are saying” but “what is Qubes”, “this is what it looks like”, “these are the problems it solves” and then “look, this is Snowden, he likes it too”. These texts should be SEO optimized as well as being nice to read for businesses that are interested.

Another important aspect is articles in newspapers and videos from popular youtubers / social media influencers and alike. This should be better organized, currently all those are listed in a thread here in the forum - connecting with other businesses that have a commercial interest in qubes, be it in using it themselves or offering consulting for it, to organize the effort would be helpful. They should be promoted on Qubes OS own social media channels as well I think, in order to gain more traction (as in: Qubes OS should (not financially, but from a management side) support marketing efforts that the community takes, and offer more organization for it).

Is there currently someone in the Qubes team that is tasked with marketing for Qubes OS?

PS: I know when you guys hear SEO you think scam, and you are generally right - I’ve tried to do SEO for my own company for the last 6 months and 95% of companies that offer SEO are scams. I hence taught myself some SEO and managed to significantly rank up my page for the keywords I want. There is nothing bad about SEO itself, just about most of those fishy companies that sell it :wink:

Comparison to kali’s marketing strategy

I’m rather active on the linux.org forum, a forum mostly for Linux end users. We have about 50 requests per month about nonsense like “gaming on kali”, and I’m LITERALLY the only one posting about Qubes OS. That’s very sad. “Understanding kali” and its tools is obviously much more complex than being able to set up and run Qubes in a reasonable way - end users hear kali, want to be Mr. Robot as well and install it (and then only 1% of them actually learn about it), but they talk about it, generate traction on social media and alike. That’s not the case with Qubes (or not even close to as much).

What kali did correctly here was target the masses with its marketing. Every tech noob knows kali as “the hacking distro”, but nobody knows Qubes OS as “the secure distro”. While it may seem irrelevant that noobs know about Qubes, or start spamming our beloved forum with “how to g4m1ng on qubes”, it is this broad knowledge in society that the distro exists, as in this popularity, that gives it more traction in the end. After all, humans are much more likely to “buy” (use) something if they have heard of it before.

For example think of the TV show Mr. Robot (Kali Linux + Mr. Robot ARG Society | Kali Linux Blog). Qubes OS could have easily made an appearance in that show, and it would have brought in more users, amongst which companies that can fund Qubes OS development.

Long story short - I feel like marketing for Qubes OS should be enhanced.

State of consulting services for Qubes OS

This is actually similar with Linux itself (on servers). I run a Linux consulting company and have MANY very technical customers (coders that built large and now popular websites), but the complexity of Linux makes them search for a Linux consulting company (if they don’t fall for the AWS “cloud trap”). With Qubes OS this is similar. Right now there are two Qubes OS consulting companies (google Qubes OS consulting): Nitrokey, which also sells Qubes OS certified hardware (Consulting and Support for Qubes OS, NitroPhones, IT Security | shop.nitrokey.com), and Blunix (Qubes OS Consulting and Support for High Risk Environments). I know of one freelancer who is very active here in the forums who also sells Qubes consulting (not sure if the person wants to be linked, hence not linking).

This should definitely be more, as in there should be more choice here, and I don’t want to nag the Qubes team but this has to be on the start page of qubes-os.org. I’ve started a large thread here in the forum to help make the three consultants I know of more visible.

If you have a company and you evaluate “secure OSes”, then you will inevitably find Qubes, and if you’ve never heard of it before you will assume it’s more of a small project that hasn’t got traction yet, because you can’t find consulting for it. No large company would (should?) take on implementing Qubes without proper consulting. The big(ger) players that have the cash to support Qubes OS development don’t use Qubes because the support for it, as well as the marketing, is done wrong (I say that with the utmost respect for the Qubes team, I really really love Qubes OS, but from a business perspective I’m right about this one (imho)).

Imagine you run a coding company and you have issues with industrial espionage, but you are not (too much) into Linux administration. Or you are a journalist, or a human rights lawyer, and you are looking to implement Qubes OS. The chance that you can do so yourself is close to zero (in the case of the coding company: if you want to do it soon and not invest time to learn about it). Everyone else will google for consulting.

There are positive aspects as well:

Pro: It runs Windows

One big aspect is being able to use Windows, which many companies (very sadly) can’t live without. I have recently tried qvm-create-windows-qube and managed to get a Windows 11 running - but I haven’t tried too much on it, will do in the near future. From what I understand Windows is usable, it worked for me, so this isn’t critique but a plus :wink:

Pro: Existing customers

About seven years ago I saw Qubes OS used widely in a large government institution (incorrectly, ironically, lol, I showed them how to use it better) where I did some consulting. From the Qubes OS main website there are a few listings of large companies like letsencrypt - I’m not sure if they donate or not.

Sadly there are only very few (Endorsements | Qubes OS); this small number seems unrealistic… The list here should be much longer to convince new companies to try it. Also (as a CEO) I can not understand why there is no backlink to the company (wouldn’t hurt to link to Mullvad, letsencrypt and some security researchers, no?).

Summary

I want to sell Qubes OS consulting with my company because I find it fascinating and something that actually helps companies be more secure. If the Qubes OS team would help my company, as well as the other companies that are interested in growing Qubes OS (novacustom, nitrokey, freelancers that offer Qubes OS consulting), manage and support marketing efforts, we all would win from this.

5 Likes
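The “write apt-get -y install firefox into a script, then tell a manager tool to apply it” idea from the post above, as a minimal added example (not the poster’s tool and not part of the Qubes project). It runs a recipe file as root inside a template qube via the standard dom0 tools qvm-check, qvm-run and qvm-shutdown, and refuses recipe lines that are not plain package installs, so a stray line cannot run arbitrary commands as root in the template; the template name and recipe file are constructed.

```shell
#!/bin/sh
# Added example: a tiny "recipe" runner in the spirit of the idea above.
# A recipe is a plain text file of lines like "apt-get -y install firefox".
# It is applied as root inside a *template* qube, then the template is shut
# down so AppVMs based on it see the change on their next start.
# Run from dom0; assumes the standard Qubes dom0 CLI tools.
set -eu

# The tools are variables so they can be pointed at stubs for dry runs.
QVM_CHECK=${QVM_CHECK:-qvm-check}
QVM_RUN=${QVM_RUN:-qvm-run}
QVM_SHUTDOWN=${QVM_SHUTDOWN:-qvm-shutdown}

# Accept only plain qube names: the name ends up on a dom0 command line.
is_valid_template_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Allowlist recipe lines (read from stdin): only package installs pass.
recipe_is_safe() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                  # blank lines and comments
            'apt-get -y install '*) continue ;;   # Debian-based templates
            'dnf -y install '*) continue ;;       # Fedora-based templates
            *) printf 'rejected recipe line: %s\n' "$line" >&2; return 1 ;;
        esac
    done
    return 0
}

# apply_recipe TEMPLATE RECIPE_FILE: validate, run as root, shut down.
apply_recipe() {
    tmpl=$1 recipe=$2
    is_valid_template_name "$tmpl" || { echo "bad template name: $tmpl" >&2; return 2; }
    [ -r "$recipe" ] || { echo "no such recipe: $recipe" >&2; return 2; }
    recipe_is_safe <"$recipe" || return 3
    "$QVM_CHECK" "$tmpl" >/dev/null 2>&1 || { echo "no such qube: $tmpl" >&2; return 4; }
    # --pass-io forwards the recipe on stdin to a root shell in the template.
    "$QVM_RUN" -u root --pass-io "$tmpl" 'sh -s' <"$recipe"
    # AppVMs only pick up a template's new root filesystem after it shuts down.
    "$QVM_SHUTDOWN" --wait "$tmpl"
}

# Usage: ./qubes-recipe.sh TEMPLATE RECIPE_FILE   (e.g. debian-12 firefox.recipe)
if [ "$#" -eq 2 ]; then
    apply_recipe "$1" "$2"
fi
```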

Back when I was younger, I made a post asking about Qubes’ lack of deployments by actual entities:

That thread wasn’t as pleasant as I expected.

Three years later, I think I have a better answer, thanks to the most well-known cybersecurity company of this decade: Crowdstrike.

The reason why so much went so wrong for so many is because of homogenization, and while some of this is driven by the natural consolidation of things (e.g. how corporations naturally merge into megacorps, why the wealthy get richer, and why a few products have almost all the market share), another major factor is insurance.

In this age of breaches and liability, companies need cyber insurance to make sure one bad breach won’t sink the company. If I remember correctly, insurers have specific requirements on what they will insure and under what circumstances. This is how a large chunk of the corporate world ended up with Windows protected by Crowdstrike.

A company running Qubes is unlikely to get underwritten, partly because few if any insurers are familiar with the system, and also because there’s no extra assurance via Crowdstrike or some other EDR. That, and Linux is gaining a reputation as being less-secure, which I can see the argument for, so a system made up of Linuxes doesn’t exactly make insurers comfortable, despite the reality of Qubes’ situation (Linux’s security is underwritten by both Xen and compartmentalization).

A lot of the above is speculation based on what I’ve gathered from Hacker News posts and elsewhere. I would love to learn more about this if anyone has any insights.

4 Likes

You mean, to the general non-technical public, right? :stuck_out_tongue:

You’re definitely right, though. I guess it’s because of the selective hearing of the public. It does have a lot to do with marketing and spin.

It goes along these lines:
“Linux has already had 420 CVEs this year alone! That’s almost 5 times more than Windows!”
“But most of them were minor and pre-emptive, and were fixed before anyone even knew about them. And the entire process was transparent. Meanwhile Windows CVEs were not necessarily disclosed completely and truthfully, and many of their CVEs were massive.”
“Er-hem. FIVE TIMES MORE THAN WINDOWS!”
“You’re a doorknob…”

And this perfectly explains the motivation of most large corporations: It is a means to an end. Meet the criteria so that they can be insured against risk, so they can keep making money.

I can tell you that is exactly the conversation that I had with an insurance broker. I couldn’t believe what I was hearing. It was almost like she was shilling for a cybersecurity company.

All I heard was: “If you want us to certify you if something bad happens, you need to give up control of your machines to people you don’t necessarily know or trust. Oh, and you also need to pay them for the privilege of using your assets as labrats…” :crazy_face:

Honestly, I was getting vibes similar to the insurance companies who convince their customers to install a tracker in their cars to “prove” that they’re safe drivers, and meanwhile the insurance company is profiting off their data collection, but I digress…

However, the end goal to them is making money. They’ll happily have someone else they don’t know/trust manage their stuff if they can be used as a scapegoat, especially if a third party views this as desirable.

I mean, it’s evil, but it kind of makes sense when you look at it through that lens…


I guess some of the reasons why Qubes OS hasn’t taken off in the corporate world (yet) are:

  • People can’t see any improvement over their current situation to get their tasks done (I’m talking about people who just want to use their computer as a tool, and not care how it works. As long as they can click a button and their thing shows up on the screen, it doesn’t matter how much crypto mining and spying has gone on that the user isn’t aware of, this has met their definition of being functional for their desired outcomes)

Another example would be trying to convince everyone to wear driving gloves every time they drive a car. Yes, gloves make driving more fun and you have better control of your car, but so many people would see it as “extra work”. These are the people you are trying to convince to use Qubes OS…

  • The complexity of Qubes OS compared to other methods of computing (yeah, that’s a nice term, let’s just call it that :upside_down_face:) tips the BCR (benefit-cost ratio) not in our favour

    • The reward you get out has to outweigh the amount of work you put in, otherwise you are no longer in business…
  • Qubes OS, in its current form, is a nightmare (er, challenging) to centrally manage without sitting in front of every machine one-by-one and typing commands

    • Yes, Saltstack does make it possible somewhat to remotely provision, but even then, it requires a lot of extra work in comparison to the other options out there
    • Bring your own device jobs have gained popularity over the last couple of years, and that’s probably added to the reluctance of “learning new ways”…
      • Companies that force things on their employees will have difficulty retaining talent, especially when those things are perceived by the employees as “unnecessary”…
  • Employees are given a Qubes OS, they are trained on how awesome it is, and how to do things in a way that they don’t get compromised.

    • So what do they do? They do everything inside the Windows VM, even when they were explicitly told not to. :face_with_diagonal_mouth:

Some type of remote management solution would make Qubes OS suddenly look a lot more attractive to entities that would likely hand out hundreds/thousands of Qubes OS machines to personnel.

@deeplow’s qubes-onboarding-tutorial is also an excellent step in the right direction.

But, a balance would need to be found where the management functions wouldn’t take away the best things about Qubes OS.

In any case, I remain a firm believer that the solution is out there. We just haven’t found it yet. :slight_smile:


That image they have on their website of penguins stacked as cubes is probably the best thing I’ve seen this year. I love it :laughing:

3 Likes

much appreciated :wink: courtesy of ChatGPT’s DALL-E :wink:

1 Like

There’s also this cover-your-ass dynamic at play where a manager can’t really be faulted for getting breached after installing Windows and Crowdstrike (WC), since that’s what most Fortune 500 companies are using–i.e. the industry standard. When something like the recent outage or a breach happens, leaders are unlikely to punish CSOs who installed WC; especially because of how widespread the outage was. Misery loves company, and this is doubly true for CSOs.

On the other hand, a CSO who installs Qubes and then gets compromised is likely to face some sort of penalty; big or small, on top of higher cyber insurance premiums assuming they can get insured at all.

From the perspective of the insurers and the companies, Qubes is riskier because its complexity and its niche status mean it’s basically a black box to them in terms of how it would behave in a wide range of environments and under targeted attack, while Windows and the like are extremely well-understood thanks to their ubiquity. As far as they’re concerned, Qubes is untested and unproven.

tl;dr We might feel that Qubes works fine, or even great, based on our daily usage of the system, but would any of you bet millions of dollars it will hold up to the world’s most motivated and professional hackers in a wide range of environments? Because that’s what’s being asked of the companies and the insurers.

A Qubes hacking competition would help with this issue, and the Qubes Team knows this. Three years ago they didn’t have the resources to pursue this; I wonder if this is still true.


Edit: Clarity. Also, I don’t have privileged insight into how managers and insurers deal with these issues, so this is all speculation.

2 Likes

Having the world’s most secure desktop systems doesn’t help if your entire server infrastructure has gaping security holes.

Weak password, not using MFA, social engineering, and so on, there are lots of other attack vectors, hacking a desktop computer is rarely the end goal.

The problem Qubes OS solves, is not the main problem for most companies.

Some employees with special sensitive tasks could possibly benefit from using Qubes OS, but I don’t see why companies would make it their primary OS.

2 Likes

This fatally reminds me of a conference about IT security for CEOs that I attended some years ago: The main and nearly only question that was discussed there was not how to achieve security but how to be able to deny any responsibility in case of a security breach.

I am afraid that, as long as this is regarded as the most important aspect of IT security for decision-makers, the original question of this thread is answered. If those users responsible for setting the direction of corporate IT are not interested in security at all, there is no motivation for the big players to provide such a feature, which will not produce significant profits. Security is just something that costs money but does not provide any return on investment.

It’s just like the situation with fire extinguishers: They are just red bottles hanging on the wall, doing nothing. So, why should we have one? (Or did I miss something? Hey, what’s that smoke coming out of that cupboard there???)

6 Likes

I’d like to add: Security is neither a product nor a state. It is a process. Unfortunately, this idea cannot be integrated into the thinking of business economists. And it is also difficult to include in a budget. Especially if it is drawn up in a planned economy. (And that’s why using Qubes or hardened and encrypted ZFS filers or tripwired networks as such won’t do. In that sense, the question of this topic is already part of the answer.)

2 Likes

how to be able to deny any responsibility in case of a security breach.

there are two problems with security: neglect, as in not really caring, and Western governments’ approach towards IT security, where security flaws are collected to spy on citizens for no good reason instead of fixing them.

If somebody breaks into servers that my Linux consulting company hosts, and we did the best we could to secure them (as in industry standards, which we commonly exceed a bit, for example by using Qubes, having all services that are customer-internal only reachable via VPN and so on), and the customer used our solutions (didn’t force us to have all internal apps not only reachable via the VPN but also public, for example), then it’s nobody’s fault. That’s force majeure. Our insurance also sees it like that, as well as the customers, and if something breaks which wasn’t preventable they pay for it. That’s why we have insurance. Or at least that’s the idea; whether they pay is another story.

The idea is not to prevent security breaches but to make the target as annoying to attack as possible.

I get your point that the tech is not all there is to security–as @OvalZero has also pointed out, it’s also the process. A quick glance at cyber-insurers’ criteria shows they do pay a lot of attention to op-sec too. My point is that, all else equal, a company with WC is massively more familiar to both your typical corporation and insurer compared to Qubes.

I feel that what qualifies as the primary OS for a company depends on many variables, like what the company does. I can imagine cases where most if not all front-office employees handle tasks that can be described as sensitive in the sense where a loose thread can unravel the entire spool.

Also, if we take your scenario where employees with special sensitive tasks are the only ones using Qubes, wouldn’t their machines be the most valuable targets, therefore the biggest liabilities for both that company and its insurer, making Qubes once again the focus for underwriting?


Cybersecurity is like disaster preparation in that sense (floods, tornadoes, earthquakes, emu herds, etc.). I’d also add that since any sufficiently complex system cannot be 100.0% secure (there’s probably math out there proving this), and modern systems are insanely complex, you just do what’s feasible and get insured.

In this sense it’s like preparing for natural disasters. You can’t protect yourself against everything; what you can do is manage your risk and control the damage. You can go out and get a disaster pack for a couple hundred dollars, or build an earthquake-resistant home, or live somewhere tornadoes don’t strike, but those who seek 100.0% protection will have to fend off meteorites, gamma ray bursts, surprise black holes, and other cosmic events. (‘Surprise black hole’ is my personal favorite way to go).

Similarly, at some point you get diminishing returns on your investment in security. The first $100 you spend on security might get you 50% secure, the next $1,000 might get you to 75%, the next $10,000 to 85%, and so on, with the cost of going from 98% to 99% costing tens of millions of dollars. Nobody goes from 99.9999% to 100.0%–not even the US government utilizing the full capabilities of all US tech companies. On top of this, from a risk-management perspective, cybersecurity is worse than natural disasters because there’s human intellect and intent behind its events… unless there’s a God and either you, one of your in-groups, or humanity really pissed it off, because then you get natural disasters with superhuman intellect and intent and that’s when you should really get down and pray.

This is my guess as to what’s going on with the corporate calculus for cyber security. There will be cases where some corporations just don’t care and aren’t in a position where they have to, like Equifax, but I think what I wrote makes sense for everyone else. All this is also why I’m attracted to Qubes’ “Reasonably Secure” tagline–it’s honest and sensible.