I had never considered more activities/desktops. Right now I have one for each color, and my colors roughly correspond to “what can this qube touch” (internet over wifi = red, storage not given to qubes OS but inside the physical box = gray, for example)…but some of those colors have eight appvms.
2 Likes
True, it sounds to me like a hue mistake … probably some guy out of League school deciding it would be cheaper, and selling it to the hierarchy (who probably don’t know shit about IT) for a quick saving
And the IT dpt now having the task to make it happen “securely” … yeah, as if they could.
I really don’t think the “Capitalization” of Qubes OS would be a great thing (as we all know by example) what happens in the end when corporation take over. And I honestly think it would be the death of Qubes OS in the end if this “Capitalization” happened. I believe a lot of people would bailout!!
2 Likes
Yes, if installed and never used, it is a strong security for sure.
As soon a weak user steps in … not so much, and it’s even worse if that user feels undoubtly secured.
That’s a novel idea. I color code my qubes according to function with an understanding of their role. My communications qube doesn’t browse, and my stateful browing vm doesn’t do email. That way if a browser session is compromised, the blast radius is minimized so really only cookies, sessions, and downloaded files (many of which are moved to other functional qubes depending on their role) are impacted.
2 Likes
Exactly why I carefully picked my words: no feelings, only security.
1 Like
To be sure, I do separate the functions you are talking about. Browsing and email both happen in completely separate qubes. They just both happen to be red. There are simply not enough colors available to cover all functions.
The original idea was to associate colors with levels of trust, and what I do very roughly corresponds to that…it touches the internet? Not very well trusted. It only touches things in the same box? Much more trusted. It’s completely isolated? Fantastic!
1 Like
I understand. Our coloring choices is different but our functionality is similar. I like your approach!
1 Like
I use colors to mark security domains - I use the same colors
as backgrounds for my Activities, with rules to keep major qubes ties to
the right activity. It is obvious if something is out of place.
I believe there are many different ways of using colors - I think this
was included in one of the surveys but I dont remember the results ever
being reported.
2 Likes
examples are of people who have a lot of resources, who can pay for a secure system. They don’t need qubes, honestly.
Unless they have in-house resources with the intelligence and grit to develop on top of OpenBSD for their company or a custom Linux distro with grsecurity patches, they are paying for an “endpoint protection” suite for Windows or MacOS which is almost always going to be snake oil. The former does exist, I have personally seen it. The latter is what happens 99% of the time with extremely high profile users, it’s rather sad really.
1 Like
If only you gnu how bad things really are…
This is the norm in a lot of places. To reverse this trend something not as frictionless but frictionless enough is needed.
1 Like
I use Qubes because I reasonably believe I have been targeted by a nation-state actor for being in the wrong place. The motivation isn’t enough to disappear me but enough to have some resources monitor me and disrupt my communications. Some of my new friends have very obviously been informants who I later found out agreed to be informants to get out of bogus drug possession charges. I have also caught people intruding on hotel rooms that others have booked for me. Then also in the counties in the area where I most recently stay, the requirements to become head of law enforcement are very lax. When these knuckleheads get elected they have access to very powerful tools. At the end of the day I just want to be left the hell alone and browse the web anonymously to the extent that I can do so. Linux’s approach to containers is still a total joke. So I use Qubes and OpenBSD in some places.
1 Like
Hi All, I’m a newcomer to Qubes OS coming from Ubuntu and I must say this is what I’m looking for. I use Qubes for privacy, security and most of all compartmentalization. I use it as my daily driver. Installation was easy, followed the guide and from there added apps that I need to do my work. Thanks and kudos to the developers and supporters of Qubes OS. 
7 Likes
What kind of solution is available to the president of Boeing to buy? The IT takes an existing OS, configures it correctly, and maybe hardens it. The IT doesn’t have a new private operating system.
There is MacOS (that the president most likely will use), ChromeOS and Windows. The latter is not secure. ChromeOS is cloud based and won’t be vetted by IT. Linux is not sandboxed properly. Android has SeLinux, yet still has so many zero days that easily scape the sandbox. iOS is hacked by NSO group and similar every so often, even with zero click.
The options are hardened android and iOS, but they are not desktop operating systems, and their sandboxing with SeLinux is not as strong as virtualization. MacOS is the only option, which makes no sense for non-US corporate presidents!
Anyone has more information about what computers or laptops the CEOs of large companies use?
1 Like
No concrete information, but I’d guess the non-technical ones probably don’t do much hands-on computer work themselves and mainly direct their subordinates to handle such things. If they actually need to use a device themselves, their IT department probably sets it up (i.e., locks it down, makes it appliance-like) and shows them exactly how to use it to perform only the desired tasks. If new needs arise, the process repeats, starting with IT. I don’t see the non-technial CEOs of large companies taking time out of their day to fiddle around with new software on their own, like a hobbyist would. Technical CEOs who actually are hobbyists (or were before they got to their current position) are another story, though.
2 Likes
I have a lot of experience in the domain of corporate IT. Unless a non-technical executive personally knows someone who qualifies as “hacker” and technology bypasses typically only known by hackers are demonstrated to the non-technical user, they are blissfully unaware and don’t care. The exceptions are those who have personally suffered an intrusion. In a corporate environment 99% of the time the IT people involved aren’t qualified to actually protect anybody, they’ll install something with a McAfee brand or some “endpoint protection” suite and sing the tune “we have one of the top IT teams in the world”. The temperament of users who can barely use a computer but demand what they know is at the root of why China and Russia are endlessly siphoning off USA’s corporate and government data. Many in the technology space believe USA has already lost the next world war due specifically to executives not keeping bratty users inline or being brats themselves. Dishonesty is rampant in the corporate IT space both on the part of the users and the IT teams involved. Even when the IT teams are honest, their assumptions (that using Windows is somehow “okay”) are simply wrong.
Qubes has all of the necessary pieces in place that Qubes can be thought of as a “platform” to build something very easy to use on top of. Developing something a non-technical CEO (even one who is kind of a moron) can use and be reasonably safe is possible.
On a more positive note, I personally know non-technical users who sought out Qubes because they knew they were going to be targeted.
This is where GrapheneOS really shines. GrapheneOS might not protect against all exploits but will protect against many. Hopefully someone out there is testing if vulnerabilities uncovered in AOSP can also be exploited either at all or to the same extent on GrapheneOS.
1 Like
little about security, and very often dont care about technology.
I knew one CEO who made it a point of principle not to touch a computer
- why would they? That was what staff were for.
Again, I knew another who always had the latest (and most expensive)
kit. I never saw it used, at least not by them.
Most IT departments in major companies wont see Qubes as a solution imo
- there’s no training or certification, which is hugely important in the
corporate world.
1 Like
I am the guy that uses the computer a lot but knows very little about how it works, I learn how to use apps I find useful but have no desire to spend tons of time learning how the OS does what it does. That said I care very much about security, I don’t have anything to hide, I’m not engaged in shady activities but I don’t like having my online activities mined and or monitored, and I find censorship very distasteful.
I have used linux since the 90’s these days it is much easier and faster to install Mint than Windows I just don’t like Windows.
I realize that I do not have the ability to lock down a computer as I would like for it to be but I try, then I bumped into Qubes.
An operating system designed to be secure, yes I have to pull my hair out to get it working the way I want it to and a couple of things still don’t work but I am willing to compromise, change the way I use my computer and learn a new mouse trap if I believe it will harden up my security.
Once I got it working it has been rock solid, very few issues and the forum guys help me out when I need it, thanks guys, really thanks.
I’m sure I’m not a typical Qubes user but here I am.
I use Qubes because it is an OS designed to be secure out of the box to a level I am not capable of providing myself, yes it’s quirky but I have gotten used to how it works and I like it.
5 Likes
I’ve been using QubesOS now for about 8 months. I like the idea of compartmentalising parts of my work/ life in the same way I use different phones and numbers. It’s becoming more normal and the forum is a great help with any issues I’ve had learning on the way. I still think it’ll take a while to get rid of my iOS devices fully but that is the goal.
I do quite like the fact it’s not easy and is a process. Thanks to everyone I’ve had advice from.
1 Like
Is there a resource with the vocabulary?
Other than what is already mixed into the current technical documentation like this,
Blockquote
Meanwhile, a Hardware-assisted Virtual Machine (HVM), also known as a “Fully-Virtualized Virtual Machine,” utilizes the virtualization extensions of the host CPU. These are typically contrasted with Paravirtualized (PV) VMs.
HVMs allow you to create qubes based on any OS for which you have an installation ISO, so you can easily have qubes running Windows, *BSD, or any Linux distribution. You can also use HVMs to run “live” distros.
By default, every qube runs in PVH mode (which has security advantages over both PV and HVM), except for those with attached PCI devices, which run in HVM mode. See here for a discussion of the switch from PV to HVM and here for the announcement about the change to using PVH as default.
The standalone/template distinction and the HVM/PV/PVH distinctions are orthogonal. The former is about root filesystem inheritance, whereas the latter is about the virtualization mode. In practice, however, it is most common for standalones to be HVMs and for HVMs to be standalones. Hence, this page covers both topics.
source:
As that lays out the differences of
• HVM
• PV
• PVH
As example of how it is currently “mixed in” rather than an appendix or something too
So is there a place that just has these QubesOS vocabulary words? Or is it all currently mixed-in?
1 Like