Hi all. So Qubes has been around for more than a decade; it’s had some prominent endorsements and is generally highly regarded by security experts. So, the elephant-in-the-room question is: why hasn’t this paradigm/architecture become standard at least in the open-source OS world? Why hasn’t it become more widely adopted? Has Linux’s security also improved so much during this time, that it’s “on about the same level”? Is it the lack of marketing resources? Why are orders of magnitude more dev-hours wasted working on systems with BS security design? What’s your answer?
(Qubes’ DistroWatch ranking: around 50-60th place.
Qubes’ usual ranking in “secure desktop OS” lists: 1st place. - who would want an “insecure OS”?)
(This blog post by Joanna mentions that she would remain a Qubes user, though she’s “recently also been embracing other systems”… Like, WTF, Joanna?! What else is there? OpenBSD? SeL4? Traitor! )
(As a nod to a recent thread, here’s an excerpt from an answer from one of the ChatGPT-based LLMs out there (I removed some usual “padding”):
Keeping in mind that this question calls for a speculative answer, here’s a thought: It has, but in a different way. For example, iOS has strong app isolation, and Chrome has strong tab isolation. So the general principle of security-by-compartmentalization actually has become pretty standard. It’s just that the compartments are different. In Qubes, the compartments are entire OSes. That’s probably too hard for most mainstream users to grasp and work with effectively. But anything that can be compartmentalized behind the scenes without affecting the user experience probably has been.
I’ll use the infamous car analogy : how many buyers choose their car considering its Euro-NCAP result as their first and utmost requirement ?
I think ChatGPT didn’t make things up this time, I agree a lot of users are not security and privacy conscious. They’ve been “brainwashed” by convenience, people want “click-click-lets go” stuff. They don’t wanna know how it works (do you know how your car works, and do you care/need it ? I do, but very few of the people I know do. And it’s only a step to fixing it yourself).
And as much as I like Qubes, let’s be honest : it still has a steep learning curve.
Even plain Linux scares a lot of people. Related, people heavily resist change.
It’s not any better for companies, look how many gov services are still using Windows.
Only in the recent (~2-5) years the French “Gendarmerie” (~ police) decided it would be a good idea to switch to Linux. I don’t remember if the article I read mentioned the considered OSes, but IIRC they started “blank” (and I would have remembered had they talked about Qubes).
Now imagine Interpol and all police departments could provide man hours to the Qubes project, the same way Tor and the US Navy are related … Ok it may not be the best example ^^
It’s just uninformed and scary-looking political and technical choices.
But as adw said, the security-by-compartmentalization trend is here, and it can benefit back to Qubes. It already does, with f.e mirage-fw. I’m thinking about microkernel stuff here, where you can securely contain an app in a small OS, reducing overhead. But again, it will need implementation, so man hours …
In my case, it is as simple as specific hardware.
16 GB RAM is too small for the majority of users.
Also, Qubes is still populated with people who care about privacy and security; as long as people are aware of this, they would move to Qubes OS as a “private” PC, but for work Windows is still the best.
I don’t think it’s brainwashing, wanting a simple and easy way to use your computer is a reasonable demand.
If all you do is a little web browsing, some email, watch netflix, and use facebook, which is how many use their computer, then you don’t need to learn how to use Qubes OS and install the world’s most secure OS. There is also a large group of users who use their computer to play video games, which is impossible in many cases using Qubes OS.
The trade-off between security and usability is just too high for it to be the standard, and Windows and macOS seem to be going the sandbox route, which probably is the best solution for the average user.
Linux isn’t having much success on the PC desktop market, 3-5% are using Linux, if Linux was more used you would also see more Qubes OS users. Going from Linux to Qubes OS isn’t that difficult, going from Windows to Qubes OS is just too much for most people.
I consider myself a real noob / low skill user in Qubes, even though I’ve used it for 4 years now. But, from my lowly perspective:
Qubes architecture is inherently more complex than ‘normal’ computing. That makes it more difficult to do… pretty much anything. Connect a usb device, SSH, set up a VPN, etc. You don’t need any further explanation than that for poor market penetration.
If you get to play around with it - as a prospective buyer - then you bump into the interface. I think the interface is still clunky and step-wise and not refined. It isn’t intuitive enough, and intuition is all the more important when the structure of Qubes is more complex. (I think it’s maybe hamstrung by Linux here).
Qubes is still designed by geeks for geeks (welcome improvements by @ninavizz in 4.1 notwithstanding). Until that changes - if it can change - it will always struggle in usability and thus adoption. At least by non-geeks.
Finally, there’s hardware. Qubes takes a lot of computer to do basic things, and it has to be the right computer. And mouse and keyboard. You can’t do Qubes by halves and that’s a pain in the ass.
I wouldn’t recommend Qubes to anyone at the moment except the enthusiast and the geek. I get very close to ditching it myself all too often.
Since Qubes is the archetype for this compartmentalization security strategy, that’s what you get: Qubes is a whole bunch of headache for a security solution that’s not felt like it’s needed acutely enough. The ratio of driver:barrier is too low.
[Written all in a constructive spirit, and from an admittedly very low knowledge-base.]
People have been saying this for literally years - it wasn’t true then,
and it isn’t true now.
Of course, if you give someone a Qubes USB, and walk away, they may
struggle.
If you help them with install and configuration, then even completely
non technical users can be productive.
It’s easy to underestimate the grooming that has taken place for
familiarity with Mac and Windows, yet users struggle there too.
A part of the interface I don’t like is the Menu : it creates a focus on
the implementation - templates, qubes, disposables. Replace it with
focus on use. That is why I like KDE over Xfce.
Incidentally, I have no idea what your Mother is capable of - she may have
a lifetime’s experience with computers, and a professorship in CS. I’m
not sure why you brought her in to the picture.
Joanna put it well:
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
Look at Bromium - implemented micro virtualization to allow hardware
isolation. Shipped vSentry from Windows 7, now bought by HP and offered
in their products.
It’s definitely behind the scenes.
Actually, @unman, I edited out a reference to my mother. It’s not there in my post. Save the lecture.
For the record, when I think of my mother, when I reference her in my words, I think of a non-technical user that would have enough spine to ask the question, “Why am I doing this?”. That’s exactly the figure I want to invoke. If I want to denigrate someone (by virtue of an attribute like gender) I’ll make it very clear.
I’m sorry, but I say this now, said this yesterday and will probably say this tomorrow.
I got a Qubes USB and no-one walked away, because there never was anyone there in the first place. Apart from relying on the good-but-not-always-perfect graces of a forum.
Forums are hit and miss. I’ve had great help, but I’ve also had none at all. Case in point - when my VPN stopped working, despite some well-meaning posts I didn’t get any practical help. I reinstalled my whole Qubes OS to get past the problem. Someone said that’s the “nuclear option” and it’s true - I was down to my nuclear option.
@tree - I’m glad you edited your post. Unfortunately, as an email
consumer of the Forum I don’t see such edits.
Equally unfortunately, other readers are not privy to your thoughts,
only your words: that’s why it’s important to choose them wisely.
My lecture was a reminder for all users of this.
Let’s leave it there.
FWIW, even using the web UI, I had to check the edits he made (via the diff thingy) to make sense of your exchanges ^^ I was like “Why is he talking about his mother o_O ^^”
[rant] so this (redacted) forum software can’t send you a mail with the new post when people edit it ?! Pfff …[/rant]
About Joanna's "rant"
As much as I think I get her point (feminism, no finger-pointing), sorry but this is “puritanism vs language facility”. You can be the worst jerk talking/writing really well, and writing “bad” stuff without meaning it. It’s the mentalities we should change, not the language !
Two examples, “rant” may not be adapted to describe what Joanna wrote, but I used it to be fast and descriptive enough. I would use a more precise word in my mother tongue (FR). Also, I have a gay friend who sometimes talks about himself and other gays as “faggot” (I don’t know if it’s an insult in EN, but imagine it is).
And because we’re in those dumb times, or rather because of some uneducated idiots, I have to specify that man==woman (even if man !==woman ^^ For those who don’t know, in some computer languages like PHP, “==” does not mean the same as “===”).
But maybe philosophical/rhetorical stuff like that does not belong here ? ^^ In that case, sorry …
Back to Qubes, I think the missing doc is : “How I did that before → How to do it on Qubes”.
I’m thinking something like the Rosetta Stone for Unix, but more than just a table.
(I know -I- can start it, but for now I can only -test- Qubes, nested under another dom0).
Why this doc would be useful ? Because even as a seasoned sysadmin by trade (20+ yrs) and a Xen “power user (debatable^^)” (5+ yrs), I find it hard that Qubes is changing at the same time the USER experience, and the ADMIN experience !
I went concise, but can enhance.
I also agree with unman’s point “It’s easy to underestimate the grooming that has taken place for familiarity with Mac and Windows, yet users struggle there too”. Like Windows changing its interface each version …
Imagine a user with no previous IT/otherOS experience starting with Qubes, this would become his “new normal” ! Let’s install Qubes in schools ! \o/
About that, still offtopic, sorry ...
Can Qubes be used from LTSP-like setups ?
Kinda related, is someone working on a new Live version of Qubes ? From a really short discussion with Marek in Feb 2022, I remember reading between the lines that he would be happy to have a Live version.
What makes Qubes OS so great? The ability to have many compartments on a single machine. But that requires one to be able / free to do so.
How many users can freely choose which computer they use for work?
How many can choose what OS that computer runs?
Not many. So there goes the ‘work’ domain. The vast majority of users are doomed to use a corporate issued Windows PC full of “endpoints” and without any administrator rights. Maybe they get a Mac. Same thing. No freedom to choose.
What about the ‘personal’ domain? … email, messaging, photos, web browsing, streaming, casual gaming. What are the stakes here for most people? Not very high. Follow the most basic principles and more than likely you’re OK: don’t share/reuse passwords, don’t store anything embarrassing in the cloud, lock your device with a pass code. For most people this isn’t even a PC. More likely their phone, tablet or Chromebook. Apple and Google do a reasonably good job of keeping the average Joe out of trouble. So there is little pressure here.
PC Gaming? VR stuff? Video-editing? Crypto-Mining? … all special use cases requiring direct hardware access or specialized hardware. Most people will have a dedicated desktop machine for these things. They are possible with Qubes OS but surely we can agree: non-trivial and just maybe not even a design priority.
So who needs or wants to use a reasonably secure desktop OS that enables compartmentalization?
people with a professional need to keep data separated, confidential and being able to choose their tools (military/government, lawyers, actual investigative journalists, security consultants…)
people at high risk of compromise (activists, celebrities, unlucky minorities in repressive regimes…)
enthusiast (because they can and enjoy the process)
So I don’t think Qubes OS will ever be “standard”. Because “standard” users don’t have the freedom to choose or the need for this level of compartmentalization. It’ll be a niche solution for specific groups of people and those people (except for the enthusiast) actually need it. And once the need is identified there really is not much choice. Qubes OS pretty much is it, except for specialized military solutions (e.g. SecureView).
However, if Windows qubes would integrate as seamlessly as Fedora/Debian qubes do. Basically as it once was with Windows 7 but maybe even more smooth and with USB and sound/mic/camera … then there would be a much better chance of capturing more of the professional users who have to use whatever corporate IT gives them. I don’t mean to start a thread about FOSS, Wine etc. – there just is a ton of existing Windows-only software tailored for specific business use cases that won’t run (well) on Linux without major investments. When Qubes OS is ready to run these business apps well, then I personally see a pretty juicy market for companies to offer support / maintenance / certification / training contracts and aid business in adopting Qubes OS. dream When we get there I might even join or start one myself.
I started using Linux when 1.x was the current version, you can’t even compare the difficulty in using early Linux and what Qubes OS is today. People were saying the same thing about Linux, it’s only going to be used by a small group of nerds and no one is ever going to take them seriously, and here we are today.
Proton was able to find a lot of success with secure email, and I think Qubes OS has the potential to do something similar for the desktop.
Proton’s success shows that there are people willing to pay quite a lot of money for privacy and security focussed products, but they are not willing to give up much convenience.
Ubuntu was able to find success by making a clean and simple Linux desktop, and other desktop systems derived from Ubuntu were also able to find some success.
I also don’t think Qubes OS will be the desktop standard, but I do think there is a growing market for security and privacy focused products, and Qubes OS could become the standard in that segment.
Ah, many nights just to get the X window system to start… that’s when I walked away for ~15 years.
Proton is just another example of “feudal security”. They can get your keys anytime by sending malicious JavaScript.
I agree. Ubuntu helped users get their established workflows running with much less resistance than other distros at that time. I get @unman’s point too. You can get non-technical people to be productive on Qubes OS with proper assistance and some training at the beginning.
But for wider adoption I strongly agree with @GWeck we need to get better Windows integration (seamless GUI, robust USB, performant/robust audio/mic/webcam). It’s not a popular position to take, but this really is what holds us back the most with the general public. It’s not about learning to use FOSS software, it’s about availability of specific software the user has no real choice over but is forced to use.
That’s my point. In the niche of security focused desktop operating environments outside the military, it already is the standard (by virtue of being the only game in town). All other attempts are either abandoned or lofty promises without deliverables.
I agree, it’s even more than reasonable, it should be the default (do you remember General Motors Replies to Bill Gates ?). I agree that “brainwashed” was kinda extreme.
I don’t agree, why can’t “normal” users benefit from Qubes security ?
Sorry for another car analogy but that’s like saying “you use your car mostly for groceries, so no Turbo for you !”.
I somewhat agree with the second part, but disagree for the first part : most of the commands and principles used in Qubes are Qubes-specific (even Xen cmds and opts are wrapped). But maybe I’m too dumb or lazy ? ^^ That’s why I’d like a Rosetta stone for Qubes.
(another old ref: “wanna learn distro X, install distro X, wanna learn GNU/Linux, install Slackware”).
There are many different use cases but my point is, the IT depts of some companies -should- install Qubes by default, and their sysadmins can then teach the users. I’m thinking about press agencies, strategic corps, etc, you named a few. It would have many advantages for the project.
Aaaah the 90’s, I remember stuff in the RedHat manual, warning you to take extra care of your CRT monitor config, as you could really break/brick it ! (Just learnt why).
Thanks for the info, but then isn’t that true of all “secure mail” providers, and we’re back to PGP ? Is JS the only way to get pwned ?
I didn’t say they can’t benefit from Qubes OS, but not everyone needs Qubes OS.
If you are not getting targeted by skilled attackers, and just need to worry about malware, you can just use an immutable OS with basic sandboxing.
If someone asks which car is good for picking up groceries, you probably also don’t tell them to get a tank, not unless they are living in an active warzone.
There are some specific people out there who actively resist learning about computers for whatever reason. The response I’ve seen typically is playing helpless in various forms, but I’m sure there’s other responses to learning opportunities. In one case, even knowing which cable to plug in where can be a challenge, because the person refused to learn what shapes various ports are, and what they’re named.
Given that user caricature, we can make a statement about the size of Qubes’ audience: If Qubes requires any amount of learning/training/background knowledge to use, there will be people it is not a good fit for. The more learning/training you have to do in order for Qubes to be useful, the smaller the group of people who can use Qubes.
We can add precision to that idea: If using Qubes requires strictly more knowledge than using Linux (ie, anything you can know about using Linux is just as relevant/just as required/just as useful while using Qubes), then the people who can use Qubes will be a strict subset of the people who can use Linux.
With that chain in place, there’s now a couple of ways to counter the impact of the above. Unfortunately, I don’t know if any of those counters are true, so I’ll let the people who know better than I do mention them instead.
So that’s the barriers to entry. Does an outsider who doesn’t understand security understand what the benefits are to using Qubes? If not, or they only perceive minimal gain, why would they work through the barriers to entry?
Without a good answer to those questions being commonly known, the best we can do (as far as I know) is figure out how to remix flatpak to use podman containers, or train systemd to namespace/containerize services by default.