Why don't more Cybersecurity Professionals use Qubes

Starting a thread on why relatively few cybersecurity professionals use Qubes, or at least that’s my perception and experience.

2 Likes

Indeed, I do think that those working on cybersecurity research field should use it.
I’m on the same side and I have used it for more than a year now (Q4.1.2).
I was very eager to start using Q4.2 on a new and very powerful research machine, but I have some issues; hopefully I will solve them, because I can’t return the laptop.

1 Like

Pro DevSecOps / DevOps / Tech writer here, I’m using Qubes OS despite it being cumbersome sometimes. I’d prefer using something else, but it’s the only OS that makes sense for me, security wise :confused: (and I say this even though I’m an OpenBSD developer :sweat: )

5 Likes

Lack of support, many bugs etc

That’s why most developers use Mac.
Way less hassle.

1 Like

I am a pentester using QubesOS for years as a main driver at home and for about a year in my company. As of today I am the only one, though.

I don’t think that security professionals particularly dislike QubesOS; most of my colleagues are interested in it and would love to try it. IMO this is mainly a problem of using QubesOS in a corporate environment. So here are my takes on this from my POV.

For example

Hardware issues

personal: Qubes does not run? → Send back laptop and buy another one.

corporate: You have your hardware, deal with it.

Spending a week trying to get it to run, installing over the main OS in the evening and restoring it from backup overnight because I need a working system the next morning, may not be something others would happily do.

Stability

If your system does not work at home it is annoying but no big deal.

However, it is a big deal if you are at a client’s location and cannot do the work you are hired for! So I can see why many pentesters choose a more conservative OS for the sake of simplicity and stability.

My personal experience with Qubes is that it is more stable than anything else, as you mainly only destroy VMs and not the host/adminVM.

Lack of experience

Most of my colleagues use the same OS privately and at work because they have experience with it and can fix stuff more easily/quickly.

Without some experience it adds overhead to translate every documentation to Qubes, costing time.

Added complexity

I think it is undeniable that Qubes adds a bit of complexity if you set up split systems and so on.

They don’t know about QubesOS

Simple as that. Somehow many of my colleagues have never heard about it or assume that this must be some sort of experimental software that cannot be used in a corporate environment. Maybe that was true 4 years ago, but not anymore once it is running.

Never change a running system

All the pentesters have a working system already, maybe with many hours of customization already. I can’t talk for other employers, but I am not sure I would get a few weeks of paid time to change the OS, even if the new system is objectively better in many ways and will amortize itself.

So most stick with their system because of time constraints.

You are (not) alone

If nobody in your company uses the OS you use (and such a special one), you might be on your own figuring out problems.

Bugs

There are some.

12 Likes

Somewhat speculative:

QubesOS is great for compartmentalization, but I’m not sure how relevant that is for most cybersecurity workflows, with a couple of exceptions. For example, if you’re monitoring a corporate network for threats, you have a trusted machine plugged into that network. You don’t need a separate compartment for personal email, banking, etc - the machine is dedicated to the compartment of network monitoring.

There are cases where you want a separate compartment. For example, when pentesting the attacking machine should be a separate compartment. Similarly, when investigating and eradicating malware that has infected your network, the machine interacting with the infected systems (or the malware directly) should be a separate compartment. But in these cases there are only 2 compartments, and it is a high risk situation, so it makes sense to have a separate physical machine.

That said, some of the above answers assume that the professional is a consultant. And if I was handling multiple clients simultaneously (or even serially, to a lesser degree) then I would want separate compartments for each client. Not only does this help protect the clients it makes it easier to clean up after an engagement is over (delete the relevant VM). In this case I would want to use QubesOS. There are other professions where I actually think that QubesOS is more relevant. For example, if I was involved in a court case I would feel more confident if the firm I used was using QubesOS to compartmentalize their clients from each other.

Also, if we move more towards BYOD setups (which is a more efficient use of resources available to society) then QubesOS becomes more relevant.

2 Likes

So if your network is suddenly compromised, you can’t trust your “trusted machine”, can you? In case of Qubes, you would reset your VM to be sure.

It could be a live CD.

1 Like

Thanks a lot for the detailed breakdown. I think this thread could well be a starting point of understanding the hurdles for using Qubes in more environments. Breaking into mainstream in this crowd would be an interesting challenge.

Maybe they’re not as l33t as they claim to be?

I was disappointed that the book “Extreme Privacy” makes no mention of Qubes. It’s good he’s pushing people to Linux, but using Ubuntu, and I guess keeping all recommendations at a basic level, made me wonder about the extent of his experience. Maybe he didn’t want to overwhelm, but I got the impression he’s a bit light on multiple topics. I didn’t agree with a number of his suggestions, but that could just be a preference difference. Still a good book though; I recommend it as a starting point.

First of all, maybe I assumed everybody knows this stuff. This is obviously wrong and stupid of me, sorry. So here is some extra information:

You get a laptop without OS, an external HDD and a couple of USB sticks when onboarding. Go build your system :slight_smile:
I see that this is vastly different from other corporations. That is why I mention it here. Usually the OS and most configuration is dictated by the employer. We have the privilege to build our own system.

Regarding time: There is none. In an ideal world (for my boss) we have 0 days where we have some slack time to do some housekeeping on our systems. Not having a gig “costs” multiple k $ of revenue a day (for the company, but I get his point).

Regarding virtualization: We have the context bounds of clients. Ideally you want one context per client, obviously. One context can include multiple VMs, usually two: AttackVM and ReportVM. Sometimes more. AttackVM should only be able to access the defined scope of the test; the ReportVM should only be able to access the corpo network.

In the end I think that the minimal usage of Qubes is not because of Qubes but because change is hard. And it is even harder in corporations; however cool they might be with you going your own way and installing your own systems, there are external factors that hinder you.

Think of a switch from windows to linux in a corpo environment. Mostly the same problem.

Maybe the problem is OS agnostic and is called “change”.

4 Likes
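The per-client context described in the post above (AttackVM limited to the engagement scope, ReportVM limited to the corporate network), plus the earlier post’s “delete the relevant VM” clean-up, scripted for dom0. This is an added example, not code from the thread or the Qubes project; the template name, netvm name, client name and all CIDRs are placeholders (assumptions). With QVM_DRY_RUN=1 the script prints the qvm-* commands instead of running them, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread). Builds one per-client "context":
#   <client>-attack  may only reach the signed-off scope CIDRs
#   <client>-report  may only reach the corporate network CIDR
# Assumptions: run in dom0; "fedora-39" template and "sys-firewall" netvm
# are placeholders. No DNS rule is added on purpose: scope is given as
# addresses, so the VMs cannot resolve (or leak) names outside it.

run() {
    if [ "${QVM_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# restrict VM NETVM CIDR...: drop the default allow-all rule (rule 0),
# then allow only the given CIDRs and finish with an explicit drop.
restrict() {
    vm=$1; netvm=$2; shift 2
    run qvm-prefs "$vm" netvm "$netvm"
    run qvm-firewall "$vm" del --rule-no 0
    for cidr in "$@"; do
        run qvm-firewall "$vm" add accept dsthost="$cidr"
    done
    run qvm-firewall "$vm" add drop
}

# make_context CLIENT TEMPLATE CORP_CIDR SCOPE_CIDR...
make_context() {
    client=$1; tpl=$2; corp=$3; shift 3
    run qvm-create --class AppVM --template "$tpl" --label red "$client-attack"
    run qvm-create --class AppVM --template "$tpl" --label blue "$client-report"
    restrict "$client-attack" sys-firewall "$@"
    restrict "$client-report" sys-firewall "$corp"
}

# drop_context CLIENT: tear-down after the engagement ends.
drop_context() {
    run qvm-remove --force "$1-attack"
    run qvm-remove --force "$1-report"
}

# Usage with placeholder values (client "acme", corp net 10.0.0.0/8,
# scope 192.0.2.0/24 and a single host 198.51.100.10):
# QVM_DRY_RUN=1 make_context acme fedora-39 10.0.0.0/8 192.0.2.0/24 198.51.100.10
```

Review the dry-run output against the signed statement of work before running it for real; the firewall only governs traffic the VM initiates through its netvm, so a VM with netvm set to none has no network at all.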

To be honest: I know some ppl that use windows at home as a main driver, have minimal linux experience and will absolutely destroy any webapp thrown at them. Linux or qubes knowledge != being a good professional in the infosec sphere per se. Use the tools you are familiar with (in a secure way), the end result matters.

4 Likes

To be honest: I know some ppl that use windows at home as a main driver, have minimal linux experience and will absolutely destroy any webapp thrown at them. Linux or qubes knowledge != being a good professional in the infosec sphere per se. Use the tools you are familiar with (in a secure way), the end result matters.

This.
This is why I use OpenBSD more than QubesOS for security and other work-related stuff. I’m simply more familiar with OpenBSD, it’s easier for me to use and configure for my needs and to be comfortable with it.
What HardcodedNonce said. The end results matter, and that’s the OS that allows me to make the best results.

2 Likes

It would be helpful to name some examples of “best end results”, so we could judge it through Qubes OS security concept prism.

I’ve been asking myself the same question. In my opinion there are two main reasons:
(1) It is inconvenient to try Qubes OS, because it requires bare metal to run.
(2) If one has a bare metal machine to try Qubes OS, chances are that the experience won’t be good. It is already challenging to find a laptop with good Linux support and even harder to find one with good Qubes OS support.

1 Like

“cybersecurity professionals” is broad, they could be people trained to use some tooling in a given environment, I know many of those who don’t really care about security, they just got a training and a job and they’re done with IT outside this scope. (I’m not blaming anyone here, to be clear).

In my opinion, Qubes OS is more appealing to security enthusiasts who actually care about security in general, and usually care about their own data.

8 Likes

I can’t agree more. It’s said very accurately.