alt.hn

1/12/2025 at 10:28:30 PM

Qubes OS: A reasonably secure operating system

https://www.qubes-os.org/

by doener

1/12/2025 at 11:17:47 PM

Have used it for several months as my daily OS and dropped it because of bad graphics performance (only software rendering supported, many frame drops when watching HD videos on YT) and bad battery management. Due to software rendering the overall system performance also dropped. So I cannot recommend it for people with high requirements on graphics and battery duration. Besides that it was an interesting and good experience.

I think it would be good to make it possible to deactivate certain security features such as strict graphics isolation so that users can adjust their settings to their risk acceptance level. It would also be interesting to be able to optionally replace Xen with lighter isolation mechanisms, even if the user would compromise on security here too.

by irundebian

1/13/2025 at 1:35:56 AM

> dropped it because of bad graphics performance (only software rendering supported, many frame drops when watching HD videos on YT)

Around Firefox 92 or 93 the new GPU-based renderer ported from Servo was made default and performance under Qubes became much worse. Unfortunately, it seems applications increasingly assume the presence of video acceleration and don't prioritize software rendering.

by dmm

1/13/2025 at 2:01:28 AM

Isn't it reasonable for applications to assume that, now that virtually all hardware has it, even super-cheap computers like the Raspberry Pi?

by josephcsible

1/13/2025 at 8:01:54 AM

The issue for Qubes is security. GPUs can be used to subvert basically all the otherwise hardware-enforced security protections.

by adastra22

1/13/2025 at 6:03:51 PM

In a desktop, couldn't you assign a GPU to one video machine and in that scenario would there still be a security problem when there is only one VM using it?

by creole_wither

1/14/2025 at 1:57:36 AM

It’s not about virtual machines. GPUs typically have direct memory access to pretty much all system RAM. There exist PCIe mitigations, but the review does not meet up to Qubes security standards.

by adastra22

1/14/2025 at 5:17:57 PM

Yes, this is what qubes would probably suggest as the solution.

by halJordan

1/13/2025 at 2:33:30 AM

The hardware may be there, but not necessarily the drivers.

by Narishma

1/13/2025 at 2:58:21 AM

The drivers are fine for GPU accelerated rendering of the app surfaces, even on the Pi. Hell, the drivers are even there >98% of the time for accelerated decode of the video format itself to boot.

Qubes's unique choice of software-only rendering for user applications is one born out of the isolation goals for security, not what the software/drivers/hardware could do.

by zamadatix

1/13/2025 at 6:05:00 PM

> even on the Pi

Only proprietary ones, so not for everyone...

by fsflover

1/14/2025 at 1:32:04 AM

Pi 1-3 https://docs.mesa3d.org/drivers/vc4.html

Pi 4-5 https://docs.mesa3d.org/drivers/v3d.html

by zamadatix

1/14/2025 at 12:26:02 PM

> Broadcom never released a public specification for the V3D 3.x or 4.x series.

So the support must be worse if you prefer free drivers?

by fsflover

1/14/2025 at 3:29:39 PM

No, as there isn't a non-free driver alternative to compare V3D to. For VC4 (Pi 1-3) there was a proprietary alternative driver... but it was a bit garbage.

It feels like you may be conflating the "proprietary firmware blob on the GPU which is used to boot the Pi" story with the GPU driver itself.

by zamadatix

1/14/2025 at 4:17:38 PM

Yes, you are right, "proprietary firmware blob on the GPU which is used to boot the Pi" is what I recall as a big Pi problem. So my original wording is correct that you need proprietary blobs to run Raspberry Pi, isn't it?

by fsflover

1/14/2025 at 4:38:15 PM

"Yes" in that the above statement about needing proprietary blobs to boot the Pis is certainly accurate & true (ongoing science experiments notwithstanding). "No" in that we somehow went from talking about "how apps can safely assume to rely on accelerated rasterization instead of software rasterization" to "how the Raspberry Pi family needs proprietary boot firmware to do anything with app output at all" and I've missed the connection between the two points.

by zamadatix

1/15/2025 at 4:18:56 PM

> support must be worse if you prefer free drivers

by fsflover

1/13/2025 at 4:33:16 AM

Yes. Besides Qubes users, a big population of software rendering users is people who have old and/or buggy drivers that are blacklisted by Firefox.

by fulafel

1/13/2025 at 7:19:29 AM

I understand GPUs are a security nightmare. If you want to have some understanding of your security, don't use a GPU.

by usr1106

1/14/2025 at 3:19:02 PM

Yeah, if you really care about security, only use computers which use line printers as output mechanisms.

by irundebian

1/13/2025 at 11:25:40 PM

It's totally reasonable, just unfortunate for this use-case.

by dmm

1/13/2025 at 12:22:45 AM

Given the tendency for people to unknowingly compromise their security for the sake of convenience, I can understand why a project wouldn't do that. Knowingly is different and is what you're requesting -- it's when someone is following some Stack Overflow post or some such and doesn't have the training (similarly with the SO commenter, potentially) to know the implications.

It kind of feels like a tradeoff between protecting users who are critically in need of something like Qubes or expanding its reach to people who are less at risk and won't use it if it's too inconvenient.

by NegativeK

1/13/2025 at 12:38:42 AM

QubesOS is best enjoyed with a hefty CPU, lots of SSD space and a multi-screen set-up (in my opinion). Have you tried using Freetube instead of Youtube? In my experience it works a little better.

by Etherdrake

1/13/2025 at 1:27:07 AM

The most annoying issue I had was that even using mpv would lead to audio samples being dropped. I think I fixed it eventually by increasing buffer sizes, but I would expect at least audio should work out of the box.

by jwrallie

1/13/2025 at 11:13:10 AM

>at least audio

I imagine audio and other realtime loads having problems the most on a heavily virtualized system like this.

by orbital-decay

1/13/2025 at 2:10:10 PM

Not sure what "mpv" means in this context, but this reminds me of the one actual pet peeve I have with Qubes - video/audio calls just don't work for me. It either doesn't work or the audio quality is really poor. I've tried all kinds of stuff, without much success. I'm using a phone/tablet as a fallback, but it's not very convenient.

by pgaddict

1/13/2025 at 3:06:48 PM

mpv is a free (as in freedom) media player for the command line. It supports a wide variety of media file formats, audio and video codecs, and subtitle types.[0]

https://mpv.io/

by dublinben

1/13/2025 at 4:18:52 PM

Thanks for the clarification.

by pgaddict

1/13/2025 at 1:22:41 AM

I could tolerate no graphic acceleration and battery issues as part of the virtualization overhead, but I had issues with sleep (it would sleep and wake up perfectly only when plugged in) and other related problems such as Windows VMs crashing when waking up from sleep.

I was using it well at home but could not stand it when I travelled around with my laptop.

I think Xen is mostly at fault for the issues, but I’m sure using something like KVM would be insecure, or they would have migrated already.

by jwrallie

1/13/2025 at 1:39:26 AM

Does sleep and wake work for you with a standard Linux distro? If so, a newer kernel, like the kernel-latest-qubes-vm package, might help:

https://www.qubes-os.org/doc/managing-vm-kernels/#installing...

by dmm

1/13/2025 at 3:26:52 AM

Yes, it works perfectly. It’s a Thinkpad X260, not exactly new hardware, and even Debian works just fine.

by jwrallie

1/13/2025 at 2:03:05 PM

Weird. Multiple people submitted HCL for X260, and not a single one mentions issues with sleep.

https://www.qubes-os.org/hcl/

When I had similar issues in the past, I posted a question either to the mailing list or forum, and people were helpful.

by pgaddict

1/13/2025 at 5:34:18 PM

> dropped it because of bad graphics performance (only software rendering supported

This is by design, to provide high security, which is the point of Qubes. It's planned to allow GPU for chosen, trusted VMs: https://github.com/QubesOS/qubes-issues/issues/8552

Alternatively, you could perform a GPU passthrough, https://www.qubes-os.org/faq/#can-i-run-applications-like-ga...

by fsflover

1/13/2025 at 10:47:05 PM

Your link concerning GPU pass through only links to a google groups discussion with last activity in 2020 and 2015. So.. I guess this is not possible nor recommended?

I've been using vms with passed through gpu for a while and it's great but I would love to switch to qubes. I wish this was prioritized.

by sureglymop

1/13/2025 at 12:29:49 AM

>bad graphics performance (only software rendering supported, many frame drops when watching HD videos on YT)

It might help if you used a computer with CPU horsepower that actually exists.

And in case this sounded facetious, any reasonable CPU from the past 15 years can handle software decoding of high resolution video just fine.

This all said however, if you do actually need full use of all hardware resources then being constrained to software is certainly a factor worth considering.

by Dalewyn

1/13/2025 at 1:29:01 AM

You have to do more than just decode the video stream to display it as smoothly playing video without dropping frames or audio samples or losing sync. It requires always scheduling the context switches correctly between different virtual machines when using Qubes OS, performing multiple copies across protection domains.

Brute force helps a lot, but do you want a ≥5GHz multi-core CPU burning 150W just to watch a single video stream with maximum paranoia settings?

by crest

1/13/2025 at 3:47:20 AM

>do you want a ≥5GHz multi-core CPU burning 150W just to watch a single video stream with maximum paranoia settings?

I mean, yes?

We're not talking about bloat here, you're deliberately imposing significant overhead load for a specific purpose.

You can't really subsequently complain about performance unless you bring sufficiently powerful hardware to compensate for that overhead.

by Dalewyn

1/13/2025 at 11:35:28 AM

Right, but in a discussion about Qubes, it's germane to explain why you stopped using it

by psd1

1/13/2025 at 5:06:34 AM

> any reasonable CPU from the past 15 years can handle software decoding of high resolution video just fine.

4k VP9 from youtube takes my 5950x around 20-25% CPU usage to handle with hardware acceleration disabled.

The fastest consumer CPU available 15 years ago could not handle that. Hell, even CPUs from 10 years ago couldn't do that. Add power & thermal limitations of a laptop CPU? Not a chance.

And that's just VP9! HEVC or AV1 would really put the hurt on.

by kllrnohj

1/13/2025 at 8:12:09 AM

>4k

To be pedantic, OP specified "HD" which is 720p. I gave him benefit of the doubt by saying "high resolution" in my reply, but I think 4K is unreasonable given the provided context. I'd wager 1080p ("Full HD") at most. There's also the question of frame rate, though we can probably safely assume either 29.976 or 59.952 fps since it's Youtube.

As an aside, software decoding performance can vary pretty significantly depending on the codec used for both encoding and decoding. Bit of a history lesson, CoreAVC was infamous for being very easy on the CPU compared to other h.264 decoders like ffmpeg.

by Dalewyn

1/13/2025 at 2:01:47 PM

Correction: I think I experienced noticeable stutters with Full HD videos not with HD videos.

by irundebian

1/13/2025 at 2:58:15 PM

I occasionally see stutters too, even with Full HD video. Or more precisely, mplayer complained about slowness and having to drop frames.

It often helped to actually give the VM more cores (not just the default 2), but sometimes it was due to some weirdo codec/quality setting, and recoding the video just solved it. Sometimes switching to vlc (from mplayer) helped. Other times it was simply due to the sys-usb vm being overloaded.

by pgaddict

1/13/2025 at 1:58:18 PM

I'm using an Intel i7-8850H with 6 cores so I think it's powerful enough. It's not that I couldn't watch HD videos but I was experiencing stutters and it left me with the feeling that the CPU is insufficiently utilised.

by irundebian

1/13/2025 at 3:47:23 PM

I certainly rescind my insufficient CPU horsepower accusation in that case. I'm not entirely familiar with Qubes's innards, but the overhead it imposes must be substantial.

by Dalewyn

1/13/2025 at 3:13:44 AM

> only software rendering supported

Isn't this something GPU Virtualization is intended to solve?

by em3rgent0rdr

1/13/2025 at 7:17:32 AM

I think you do have GPU acceleration in the Dom0 but I do not remember if you can use/install programs on it, it was the "coordinator" dom.

by samoit

1/13/2025 at 5:13:09 PM

Yeah, I could not do it without other computers to use, but after a year of keeping a system running it, I find myself mostly using my other systems for specific purposes like a windows machine for gaming (no web browsing ever lol), my macbook air for printing, managing photos, doing stuff with my iOS devices, etc.

by bobertlo

1/13/2025 at 3:22:15 AM

I've been using Qubes OS as my primary for years - I think I started with the 2.0 release in 2014 (I might have tried/used the 1.0 release, I don't recall) and I was immediately hooked.

I understand the usual story is that the goal is security benefits, and the compartmentalization (or rather the implied inconvenience) is the price for that. But for me the compartmentalization turned out to be a benefit on its own, and actually convenient.

I find it extremely convenient to have multiple isolated / virtual workspaces for different stuff, even if you assume attackers / malice do not exist. Having separate VMs is not the same as having separate folders. I also love the VM templates, which allow me to do all kinds of experiments (e.g. install packages in the app VM, which disappear after restart). Or run VMs with a mix of distros/versions/... Yes, I could do some of that with plain VMs, but Qubes integrates that in a way that I find very convenient. The commands for copying stuff between VMs are muscle memory at this point.

Yes, there are limitations, like the lack of GPU acceleration. But movies in 1080p play just fine without it, and I'm not a gamer, so I don't mind much. I can't play with CUDA etc. on these QubesOS machines, and scrolling web pages with large images is laggy, but I find this to be an acceptable price.

I went through multiple laptops / workstations over the years, and the situation improved a lot I think. Initially I had to solve quite a few issues with the installer, some hardware not working (or requiring setting something special), or poor battery life on the laptops. But after a while that mostly went away, especially once I switched to laptops with official Linux support (Dell Precision were good, I'm on Thinkpad P1 G7 now). The battery life is pretty decent too (especially once I disabled HT in BIOS).

Is it perfect for everyone? No, certainly not. But it sure is great for me, and I hope they keep working on it.

by pgaddict

1/13/2025 at 6:08:11 AM

I’m in the same boat.

Love the compartmentalization and being able to route VMs to different network backends and the ability to create ephemeral domains for quick tasks.

Thank you Joanna, Marek, Andrew, and all the wonderful contributors. I couldn’t live without Qubes.

by vigilans

1/13/2025 at 2:09:15 PM

> scrolling web pages with large images is laggy

Now that I've read this, I can also remember that I was also annoyed by jerks when scrolling web pages.

I also found the backup management too complicated. I didn't want to back up entire VMs, just the data within the VMs. In principle, I would have had to start up all VMs for backups and run a backup script for each individual VM.

by irundebian

1/13/2025 at 4:20:25 PM

I only noticed the jerky scrolling on pages with a lot of images, particularly hi-res + CSS effects (blur etc.). Everything else feels OK to me (I'm sure it could be smoother, but it's not too bad so I haven't noticed).

For backups, I don't do them the Qubes way, I do "regular" backups within the VM using rsync/duplicity/... When moving to a new machine I prefer to set up everything from scratch (and then restore the data). And it gives me all the features like incremental backups etc.

by pgaddict

1/13/2025 at 3:00:17 AM

I've always wanted to switch to qubes, but it just feels so constraining. It's safer to never leave the house, but I don't want to live in a self imposed prison. On the other hand, the isolation provided by containers and flatpak is more accessible, but with a much larger attack vector.

Maybe we need immutable OS + an audit layer on anything that could allow exploits to persist (bashrc and the likes).

by tasn

1/13/2025 at 5:17:59 PM

I just really appreciate separating things like access credentials from things like web browsers without running multiple accounts. I do all my most and least secure activities on Qubes and use other computers for a lot of the other stuff in between.

by bobertlo

1/13/2025 at 2:13:50 PM

After Qubes OS I ended up using Fedora with Wayland, Flatpaks and running applications as different users but this introduced other problems.

The security profiles of many "flatpacked" applications are quite permissive (see https://flatkill.org/) so that they could be circumvented. Besides that I'm experiencing some convenience issues when accessing files on my drive. It's especially annoying when using a "flatpacked" office such as onlyoffice.

by irundebian

1/13/2025 at 11:10:23 AM

[dead]

by flubbergusto

1/13/2025 at 12:04:24 AM

Even though I never used Qubes OS I used to really enjoy Joanna Rutkowska's passion for it.

Other women whose computing enthusiasm I enjoyed were Jessie Frazelle, with her writing and speaking about running everything in Docker on her laptop, and Sacha Chua, with her love for Emacs.

by Crontab

1/13/2025 at 12:35:31 AM

There's a lot of awesome females in the infosec community. Check out the podcast Darknet Diaries for a glimpse. Some of the coolest red teaming podcasts were (IMO) with women.

In this context, I'd like to mention Dr. Melanie Rieback. She is 'the CEO/Co-founder of Radically Open Security, the world’s first non-profit computer security consultancy company.' Previously in the 00's known for her research in RFID security.

Or have a look at hack conferences such as recently 38C3.

by Fnoord

1/13/2025 at 12:21:59 AM

[flagged]

by oswalk

1/13/2025 at 12:34:03 AM

Why do you think you need to clarify that?

by NathanielK

1/12/2025 at 11:35:21 PM

With zero-click exploits that we certainly do not know of, Qubes OS offers some peace of mind.

by zvmaz

1/13/2025 at 12:30:18 AM

Unless there's a zero day in Xen in which case the entire security model falls apart. With all these cloud providers using Xen, I have no doubt that there's already one out there.

by armSixtyFour

1/13/2025 at 12:46:58 AM

This is true. But the code base of Xen is significantly smaller than that of a full operating system running bare metal, so the likelihood of a zero-day compromising Qubes is lower (but possible).

by zvmaz

1/13/2025 at 2:37:55 AM

If there is a zero day in Xen, your attackers are probably also going to be having a very, very bad day.

by abtinf

1/12/2025 at 11:46:00 PM

QubesOS was my main driver for a couple of years, but I have to say that the low battery life compared to only software rendering got pretty annoying after a while. Depending on the hardware, you'll possibly need to disable certain options in the BIOS/UEFI, like for a T490 that I documented: https://groups.google.com/g/qubes-users/c/Z0Kfm53zMxQ/m/IV-A...

by DrWhax

1/12/2025 at 11:50:26 PM

What to use instead if one cares about privacy and security (what I call personal sovereignty)? It's a non-rhetorical question.

by zvmaz

1/12/2025 at 11:52:12 PM

You use qubes and eat the loss of battery life.

by llm_trw

1/13/2025 at 1:26:02 AM

Or maybe Tails?

by barbs

1/13/2025 at 5:10:18 AM

The only serious alternative to Qubes from a security perspective is to use multiple computers.

That alternative presumably has better security, but also generally worse usability (particularly if you're going to be mobile! -- two laptops in your bag might be acceptable but comparable isolation would require more than two).

by nullc

1/13/2025 at 2:04:56 PM

Since it doesn't look like Genode is going to be ready to be a daily driver for a while, Qubes looks like something ALMOST capabilities based that I could live with. Some day I'll just be able to run stuff without worry.... but it's not going to be any time soon.

Can I run old versions of stuff like MS-DOS or Windows 3.1 under it? Or my beloved Windows 2000? Windows 2000 with Office 2000 pro (with the patches to read the new office 2007 formats) would be awesome. I miss outliner mode in Word 2000.

by mikewarot

1/13/2025 at 2:33:33 PM

You can with dosbox/pcem or something similar (don't think modern Xen handles 16-bit virtualization) -- but you can definitely run Windows 2000 in a VM on Qubes, but the Windows tools are not supported on anything under 7.

by czk

1/13/2025 at 6:09:24 AM

It’s great for compartmentalizing the work, even if security is not important. The UI was surprisingly good when I used it.

by aborsy

1/13/2025 at 4:58:48 AM

I've been a Qubes user for a couple of years now, and I wish I'd switched to it years earlier.

Basically every criticism you hear is about correct-- principally worse graphics performance and battery life. But the performance issues for me were less bad than I expected, and the seamlessness of its usability was much much higher than I expected.

Like copy and paste, moving files between VMs, plugging usb devices into VMs, networking, etc. all pretty much just work. It's pretty impressive if you have any idea of the machinery under the hood needed to make that work.

And now I don't feel anywhere near as nervous that whatever vendor program I need to use to configure a device or browser zero day is going to compromise my system. I can read documents from adverse threat actor sources in a netless VM and feel reasonably confident that it can't phone home or steal my data, etc.

Obviously it doesn't replace real air gap security, but it's the closest thing you can get to a network of airgapped or firewalled per-application computers which you can fit into a laptop bag.

I also like that I can use software that really only works right on fedora/redhat alongside software that really only works right on debian. (Or windows, for that matter, but it's not as seamless). I like that I can substantially upgrade my operating system while running--- like I went from fedora40 to 41 just by installing the template, and switching over appvms one at a time. If anything goes wrong it's trivial to roll back, and I can have some app vms that work fine on the new stuff while others are held back if there is a compatibility issue. I like that applications that go nuts and try to use all my memory only screw up the VM that they're in instead of my whole system.

It's so nice that when I want to get something working I can spin up a vm and scribble all over it until I get it working. Binary patch my libc, whatever. Then once I've solved it, I can apply the final clean solution to a persistent template. Any random experimentation just goes away when I close the appvm. Need some program just for a single thing? install it in the appvm rather than the template and it naturally is gone later. I can be intentional about changes being either ephemeral or persistent, and never have to worry that the removal of something temporary was incomplete.

Of course YMMV -- if you're someone who is mostly doing text and low performance graphics and can run it on a fast computer then its costs will be small. If you'd find a ten year old computer perfectly usable, chances are that qubes on a modern computer won't seem slow or poor battery lifed to you. Particularly if you have other computers for games, 3d gfx, full screen video, etc. If you are someone who has been subjected to targeted hacking attempts the increased peace of mind will be substantial.

by nullc

1/13/2025 at 5:44:22 PM

> Obviously it doesn't replace real air gap security

Depending on your use case, Qubes can be even more secure: https://www.qubes-os.org/faq/#how-does-qubes-os-compare-to-u...

by fsflover

1/13/2025 at 7:23:09 PM

- There’s generally no secure way to transfer data between physically separate computers running conventional OSes.

- Malware which can bridge air gaps has existed for several years now and is becoming increasingly common.

Floppy disks

Hard disks used like floppies (especially plugged into a RAID controller with "auto run"-like features disabled)

Audio modem

Manual transcription via keyboard

by rkagerer

1/13/2025 at 7:52:05 PM

I would personally have chalked that up as usability-- because there are facilities for secure file transfer between computers, but I get the argument.

Particularly since the common tools like SCP give way too much access unless you go through special effort.

> Floppy disks, Hard disks

As you note there are 'auto run' like issues, also file systems are not historically very robust against malicious data.

Hard disks themselves have host flash-able firmware and microcontrollers and get either DMA access (e.g. over SATA) to the system or get USB connected and the ability to pretend to be arbitrary usb devices like HID or exploit vulnerable usb drivers. So at least in theory a compromised system can turn your drive malicious such that it compromises other systems.

Though an attacker that sophisticated probably also has hypervisor escapes.

> Audio modem, Manual transcription

Personally I'm fond of just RS232 serial.

by nullc

1/13/2025 at 9:17:18 PM

Was there ever a case in the wild of malware being installed into a host by inserting a floppy disk, without entailing the user boot off it, run a program from it, open a datafile crafted to exploit existing software, etc?

I always thought if you insert a floppy (with any OS autorun crap turned off of course), open a textfile to read, then take it out, you'd be pretty safe. (It's unfortunate the same can't be said of a USB drive).

Thanks, I missed RS-232.

by rkagerer

1/15/2025 at 8:35:34 PM

It's been a decade but I have previously fuzzed multiple linux file system implementations and was able to panic the kernel. I would be somewhat surprised if none had code execution vulnerabilities at some point, but I can't think of any publicly known ones off the top of my head.

Of course there absolutely have been auto-run vulnerabilities too. And modern Linux desktops have more auto-running auto-indexing stuff than ever. I've absolutely seen mounted drives being eagerly explored by gnome thumbnail generation stuff and likewise.

The challenge for modern security isn't avoiding vulnerabilities, it's avoiding whole classes of behavior that might be vulnerable because the attack surfaces are so huge that we'll inevitably miss vulnerabilities so long as they're not structurally impossible.

So for example, I'd always prefer to interact with a potentially malicious file system via an ephemeral read-only VM that reads the files and exports a network-fs like interface to my working system... It's just too hard to be certain there are no filesystem vulnerabilities-- they have huge surfaces and they're not usually tested against that. I can't even be sure the latest genius systemd feature doesn't silently run stuff on removable media (just as it did stuff like giving unprivileged users the ability to modify the system time without clearly documenting the change), if it's allowed to touch it. And if there are issues, I'll be thankful that the malware payload would have also had to contain a VM escape for it to compromise my system.

by nullc

1/13/2025 at 12:27:07 AM

Related. Others?

Converting untrusted PDFs into trusted ones: The Qubes Way (2013) - https://news.ycombinator.com/item?id=42401904 - Dec 2024 (45 comments)

Why one would use Qubes OS? (2023) - https://news.ycombinator.com/item?id=42200987 - Nov 2024 (16 comments)

Counter argument against QubesOS more secure by being a type 1 hypervisor - https://news.ycombinator.com/item?id=41401318 - Aug 2024 (1 comment)

Qubes OS 4.2.2 has been released - https://news.ycombinator.com/item?id=40959109 - July 2024 (5 comments)

Working with Qubes OS at the Guardian - https://news.ycombinator.com/item?id=39949882 - April 2024 (74 comments)

Qubes OS 4.2.1 has been released - https://news.ycombinator.com/item?id=39833245 - March 2024 (11 comments)

A modest update to Qubes OS - https://news.ycombinator.com/item?id=39490264 - Feb 2024 (31 comments)

Qubes OS 4.2.0 has been released - https://news.ycombinator.com/item?id=38690597 - Dec 2023 (21 comments)

QubesOS – A reasonably secure operating system - https://news.ycombinator.com/item?id=36684946 - July 2023 (135 comments)

Qubes OS 4.2-rc1 is available for testing - https://news.ycombinator.com/item?id=36178205 - June 2023 (3 comments)

New user guide: How to organize your qubes - https://news.ycombinator.com/item?id=33396604 - Oct 2022 (15 comments)

Opsec considerations when using WiFi - https://news.ycombinator.com/item?id=32148920 - July 2022 (2 comments)

What Is Qubes OS? - https://news.ycombinator.com/item?id=32036899 - July 2022 (82 comments)

Automated OS testing on physical laptops - https://news.ycombinator.com/item?id=31281107 - May 2022 (4 comments)

Qubes OS: A reasonably secure operating system - https://news.ycombinator.com/item?id=30776103 - March 2022 (97 comments)

Qubes OS 4.1.0 has been released - https://news.ycombinator.com/item?id=30215210 - Feb 2022 (1 comment)

Ask HN: Qubes OS or just separate VMs for separating work and private files? - https://news.ycombinator.com/item?id=29537961 - Dec 2021 (6 comments)

Qubes OS 4.1-rc1 has been released - https://news.ycombinator.com/item?id=28856957 - Oct 2021 (5 comments)

Qubes OS 4.0 has been released - https://news.ycombinator.com/item?id=16699900 - March 2018 (39 comments)

Qubes OS: A reasonably secure operating system - https://news.ycombinator.com/item?id=15734416 - Nov 2017 (144 comments)

Reasonably Secure Computing in the Decentralized World - https://news.ycombinator.com/item?id=15566563 - Oct 2017 (44 comments)

Toward a Reasonably Secure Laptop - https://news.ycombinator.com/item?id=14743238 - July 2017 (100 comments)

“Paranoid Mode” Compromise Recovery on Qubes OS - https://news.ycombinator.com/item?id=14218504 - April 2017 (14 comments)

Qubes OS Begins Commercialization and Community Funding Efforts - https://news.ycombinator.com/item?id=13069615 - Nov 2016 (24 comments)

Qubes OS 3.2 has been released - https://news.ycombinator.com/item?id=12604417 - Sept 2016 (30 comments)

Security challenges for the Qubes build process - https://news.ycombinator.com/item?id=11801093 - May 2016 (17 comments)

Qubes OS 3.1 has been released - https://news.ycombinator.com/item?id=11260857 - March 2016 (44 comments)

Converting untrusted PDFs into trusted ones: The Qubes Way (2013) - https://news.ycombinator.com/item?id=10538888 - Nov 2015 (5 comments)

Intel x86 considered harmful – survey of attacks against x86 over last 10 years - https://news.ycombinator.com/item?id=10458318 - Oct 2015 (169 comments)

Qubes – Secure Desktop OS Using Security by Compartmentalization - https://news.ycombinator.com/item?id=8428453 - Oct 2014 (49 comments)

Introducing Qubes 1.0 ("a stable and reasonably secure desktop OS") - https://news.ycombinator.com/item?id=4472403 - Sept 2012 (59 comments)

Qubes: an open source OS with strong security for desktop computing - https://news.ycombinator.com/item?id=2645170 - June 2011 (16 comments)

Review: Qubes OS Beta 1 — a new and refreshing approach to system security - https://news.ycombinator.com/item?id=2504274 - May 2011 (1 comment)

The Linux Security Circus: On GUI isolation - https://news.ycombinator.com/item?id=2477667 - April 2011 (47 comments)

Qubes Beta 1 has been released (strong desktop security OS) - https://news.ycombinator.com/item?id=2439096 - April 2011 (3 comments)

Qubes Architecture - actual security-oriented OS - https://news.ycombinator.com/item?id=1796384 - Oct 2010 (1 comment)

Open source Qubes OS is ultra secure - https://news.ycombinator.com/item?id=1249857 - April 2010 (7 comments)

Introducing Qubes OS - https://news.ycombinator.com/item?id=1246990 - April 2010 (20 comments)

by dang

1/13/2025 at 6:07:26 AM

We wouldn't have to rely on security by hypervisor if Linux had proper security measures, sandboxing and access controls OOTB. Qubes is still far from good, although it's slowly getting there.

by udev4096

1/13/2025 at 8:13:13 AM

What are you talking about? Of course we do.

Have we totally forgotten about mandatory access control systems?

AppArmor, SELinux? The problem isn't that they don't exist; it's that nobody knows how to use them properly.

You can even minimise the kernel attack surface these days with utilities like gVisor.

People just understand virtual machines more easily. It's easy to understand the isolation they give, and easier to reduce unnecessary potential attack vectors by having minimal images that don't contain more than necessary.

by dijit

1/13/2025 at 2:25:34 PM

Am I wrong in thinking that Ubuntu has apparmor configured by default?

by i_love_retros

1/13/2025 at 6:19:12 PM

Yes, Ubuntu has AppArmor and Fedora (RHEL, et. al.) have SELinux.

The problem is that both systems are quite difficult to use properly. The out-of-the-box configuration is good for a base increase in overall system security against common threats.

However, if you want the real isolation benefits that these MAC systems are capable of providing, you'll need a full-time security team with years of training to manage your personal desktop.

by mmh0000

1/13/2025 at 9:51:23 AM

"OOTB" is the term you missed. Obviously, there are kernel features such as seccomp and other LSMs, but they're not easy to configure properly. Even if you do, it usually gets in the way of getting stuff done. Regarding gVisor, it's solid and I've been intending to use it on k3s.

by udev4096
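As an added example for the exchange above (this is not Qubes code and not code posted by any commenter), here is the kind of out-of-the-box Linux sandboxing primitive being debated: a seccomp-bpf syscall allow-list, installed in a forked child so the parent can observe what happens when the child steps outside it. It assumes Linux with glibc on x86_64 or aarch64; the four permitted syscalls are a constructed list for illustration, not a recommended profile.

```c
/* Added example (not from the thread or from Qubes): a seccomp-bpf
 * allow-list.  Assumes Linux + glibc on x86_64 or aarch64.  The four
 * allowed syscalls are illustrative only. */
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* If the loaded syscall number equals nr, fall through to ALLOW;
 * otherwise skip the ALLOW and keep walking the list. */
#define SC_ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install the allow-list on the calling process.  Returns 0 on success. */
static int install_allowlist(void)
{
    struct sock_filter filter[] = {
        /* Syscall numbers are per-architecture: reject any other ABI
         * (e.g. 32-bit compat calls) before trusting the number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and walk the allow-list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        SC_ALLOW(__NR_write),
        SC_ALLOW(__NR_exit),
        SC_ALLOW(__NR_exit_group),
        SC_ALLOW(__NR_getpid),
        /* Default: anything not listed kills the task with SIGSYS. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required for an unprivileged process so the filter cannot be used
     * to confuse a setuid binary executed later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter in the child, run fn() there.
 * Returns 0 if fn() completed (every syscall it made was allowed),
 * 1 if the child was killed by SIGSYS (a syscall was denied),
 * -1 on any other outcome (e.g. seccomp unavailable). */
static int run_sandboxed(void (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_allowlist() != 0)
            _exit(2);
        fn();
        _exit(0);           /* exit_group: on the list */
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

/* Two workloads: one inside the list, one outside it.  The second calls
 * the libc function open(); modern glibc issues that as the openat
 * syscall, and neither open nor openat is listed, so the child dies.
 * Profiles must be written against syscalls actually made, not against
 * the function names in the source. */
static void only_getpid(void)   { (void)getpid(); }
static void tries_to_open(void) { (void)open("/etc/hostname", O_RDONLY); }

int main(void)
{
    printf("getpid under filter: %s\n",
           run_sandboxed(only_getpid) == 0 ? "allowed" : "unexpected");
    printf("open under filter:   %s\n",
           run_sandboxed(tries_to_open) == 1 ? "denied, child killed by SIGSYS"
                                             : "unexpected");
    return 0;
}
```

Build with `cc -Wall seccomp_demo.c && ./a.out`. The point it makes for the discussion above is the one udev4096 raises: the mechanism exists and is cheap to install, but the list has to be derived from the process's real syscall footprint (strace is the usual way), and a single missing entry turns into a dead process rather than a graceful error, which is why few people ship these for desktop applications.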

1/13/2025 at 2:44:41 AM

It does not matter in the real world whether the vendor declares it secure.

Did it help anyone pass any kind of security audit? In other words, do auditors recognize it as a valid environment for working with potentially malicious documents, or only as a toy?

by patrakov

1/13/2025 at 8:05:30 AM

Three points:

(1) Qubes is open-source.

(2) Qubes is written and maintained by security professionals.

(3) Most (all?) security audits are worse than useless.

by adastra22

1/12/2025 at 11:45:12 PM

A simple screenshot of the OS environment would have been nice. But generally, I don't think people adopt operating systems just by seeing new recommendations on Hacker News or different forums. Most people have settled on macOS and then Linux and then Windows. And within the Linux ecosystem most people just use Ubuntu or Fedora and that's it. I don't see anyone using these other esoteric operating systems as a daily driver. For servers it's a different story. We have OpenBSD and FreeBSD. And of course Linux. But that's about it. Even supercomputers run Linux. Creating an operating system in 2025, aside from intellectual curiosity, isn't really pragmatic.

by behnamoh

1/13/2025 at 12:02:08 AM

Qubes OS is the choice if you need a very high level of security, are willing to accept some workflow changes to achieve that, but still want a modern graphical operating system that runs all your normal software in a unified workspace.

Nothing else provides a similar mix of security and usability. The alternatives are either much less secure or have much worse usability.

Of course only few people have these kinds of requirements. I'd recommend Qubes OS if you are an investigative journalist or working in offensive or defensive IT security. Everyone else can safely ignore it.

Still, even if it's not made for most of us, it makes interesting design decisions that are very much of interest to this forum. And a lot of the people it is made for are here too.

by wongarsu

1/13/2025 at 12:18:23 AM

Qubes is far from esoteric in spaces where security is paramount. Your lack of familiarity with it doesn’t mean it’s obscure. It’s more a tool for a specific subset of people and purposes, rather than an OS meant for wide adoption.

by liamwire

1/13/2025 at 12:18:06 AM

FWIW, seeing Qubes on HN some weeks ago got me to try it out, and it's been my daily driver since. Good timing since I had holiday vacation to spend time with it before going back to $JOB on the machine.

PS Qubes is Linux. The base domain hypervisor is Fedora-based, and while it is possible to run Windows in a "Qube," the docs and tooling clearly concentrate upon Linux (Fedora and Debian) as the primary use case.

by cspeterson

1/13/2025 at 12:42:31 AM

Qubes is a Linux OS. It's like if you took Fedora and installed xen on it and booted up some VMs and the windows for them opened within the base OS instead of in individual system windows. Plus some cool magic with the file system to reduce redundancy and how many times you have to update things.

by mtreis86

1/13/2025 at 1:33:59 AM

And cooler magic to colour code your window borders. Effectively gives you a VM running Firefox and you only see the Firefox window.

This will let you run your email in one window, and click on a link to open it in another VM.

by accassar

1/13/2025 at 12:29:52 AM

I don’t think qubes is targeted at mainstream users— even mainstream developers— and I don’t think something has to be targeted at the mainstream to be interesting, especially here. There are probably a lot of people here that won’t ever use it that will still find the idea and ethos interesting.

by chefandy

1/13/2025 at 1:21:52 AM

Qubes is great as a development platform. The simple integration of VM's into a desktop is surprisingly useful and seamless for day to day development, testing and work.

I've used it for a number of years.

by accassar

1/13/2025 at 5:05:20 AM

It looks basically identical to fedora with XFCE, plus the window borders being different colors to indicate different VMs and some toolbar icons for VM management.

by nullc

1/12/2025 at 11:52:42 PM

Qubes was created in 2012!

It mostly runs Linux applications.

by schoen

1/12/2025 at 11:03:06 PM

I would say, a little more hesitantly, that it deeply depends on what you are doing.

When interacting remotely with untrusted services, apps, or documents, Qubes cannot be beaten.

However, if I was afraid of my laptop getting attacked with an evil maid attack, I’m sticking with my Mac, Secure Boot, and FileVault; so that my Lock Screen is less likely to be patched against me. If I’m afraid of persistent malware, I want a platform that isn’t necessarily game over if the malware gets sudo privileges once. If I’m afraid of PIN guessing attempts to break in by brute force, I want something like a modern iPhone where the guessing limit is hardware enforced, not a Linux phone where it’s software enforced.

Same for if I were in a country with a hostile government. Nothing screams "I'm hiding something and I'm malicious" like using GrapheneOS or Qubes in Russia or China. They might not see your work, but the uncommon choice by itself makes you suspect. An iPhone and Mac over there suggest wealth, and would possibly socially increase your benefit of the doubt due to white collar associations; GrapheneOS and Qubes would shred all benefit of the doubt you may have enjoyed.

I sometimes think of the Tor incident at a US College. I’m not encouraging this behavior, but a college student sent bomb threats to his university. He was identified, arrested, and convicted because he was the only one using Tor on the university network. A perfect example of how the “more secure” thing used without strategy can shoot yourself in the foot.

The point is: If you are reporting on military activity in the Donetsk region, don’t be the only person in the area using Qubes and Tor. Don’t be the only person in the area with a phone pinging GrapheneOS update servers, or a laptop pinging Qubes package repositories. Heck, don’t be the only guy with a phone on the cell network identifying as Android that inexplicably never talks to Google.

by gjsman-1000

1/12/2025 at 11:19:19 PM

https://www.qubes-os.org/doc/anti-evil-maid/

by accassar

1/12/2025 at 11:26:20 PM

AEM is a little sketchy though, you need to trust a flash drive to hold it, and make sure that drive doesn’t get overridden by a malicious attacker. Your link goes more into depth about the disadvantages

by sudohackthenews

1/12/2025 at 11:47:51 PM

In some threat models, it's more feasible to protect a portable flash/SSD drive than an entire laptop.

In other threat models, laptops/tablets/phones could be physically secured in a safe, or kept under direct physical supervision.

by transpute

1/13/2025 at 11:05:43 PM

Yeah, that's what I was alluding to. I think the OP's point still holds here: both of those are quite a bit harder than the built-in Mac solution.

by sudohackthenews

1/13/2025 at 12:24:53 AM

It's probably worth mentioning that secure boot is trivially circumventable given physical access on any Intel Mac (including T2 Macs), so you want at least an M1 to feel safer here

by mjg59

1/13/2025 at 12:10:05 AM

> When interacting remotely with untrusted services, apps, or documents, Qubes cannot be beaten.

Sums up WWW.

But I believe you could use a VM or container and use such. For example, with Whonix (which also works in Qubes!)

What I'd like is use such in macOS but alas Jobs & Cook ask premium price for RAM on Macs.

With regards to the Donetsk example (I like the example): there is a good reason being hidden in plain sight is blending in with the masses. It is difficult to get such OPSEC right, and you need to consider different techniques for if one gets burned.

by Fnoord

1/13/2025 at 1:30:32 AM

In China we have ways to obfuscate that unusual traffic into usual traffic like WeChat video calls.

by woctordho

1/13/2025 at 12:32:31 AM

There's an age old saying in Japan that if you want to hide a tree you should do so in a forest.

by Dalewyn

1/13/2025 at 12:23:43 AM

How stupid. If you're going to send bomb threats, do it from someone else's computer...

by andy_ppp