Invisible Things Labs has released Qubes OS 3.1. Some of the features recently introduced into this secure concept, single-user desktop OS are Salt management, the Odyssey abstraction layer, and UEFI boot support. The 3.x series also lays the groundwork for distributed verifiable builds, Whonix VMs for Tor isolation, split-GPG key management, USB sandboxing, and a host of others.
Qubes has recently gained a following among privacy advocates, notable among them journalist J.M. Porup, Micah Lee at The Intercept and Edward Snowden.
Embodying a shift away from complex kernel-based security -- and towards bare metal hypervisors and IOMMUs for strict isolation of hardware components -- Qubes seals off the usual channels for 'VM breakout' and DMA attacks. It isolates NICs and USB hardware within unprivileged VMs which are themselves a re-working of the usual concept, each booting from read-only OS 'templates' which can be shared. Graphics are also virtualized behind a simple, hardened interface. Some of the more interesting attacks mitigated by Qubes are Evil Maid, BadBIOS, BadUSB and Mousejack.
(Score: 1, Funny) by Anonymous Coward on Monday March 14 2016, @01:17AM
Hey, if Edward "I'm still relevant" Snowden is on board, then you'd be a dick not to be yourself.
I'm dying to know what brand of antiperspirant he uses. I'm really afraid I might be using the wrong one.
(Score: 5, Funny) by takyon on Monday March 14 2016, @01:23AM
Here it is... [images-amazon.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Monday March 14 2016, @01:57AM
I'm more interested in Pubes OS myself.
(Score: 2) by tibman on Monday March 14 2016, @01:43PM
Updates are too hairy for me. I prefer a smoother update system.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by Gaaark on Monday March 14 2016, @04:49PM
I can't wait to get my fingers on it and really work at it. My tools are just buzzing to get on it. I'm vibrating with joy.
Gonna put on 'The Razor's Edge', put my head down and see if i can get under the hood. Man, hope i don't drool too much and get it too wet.
Is that enough?
"Poifect!"
--'Curly'
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by frojack on Monday March 14 2016, @02:10AM
The tour page https://www.qubes-os.org/tour/ [qubes-os.org] has a pretty good description of how this OS differs from others. Its basically a type 1 (bare metal) hyper-visor.
No, you are mistaken. I've always had this sig.
(Score: 5, Informative) by Marand on Monday March 14 2016, @06:02AM
The tour page https://www.qubes-os.org/tour/ [qubes-os.org] has a pretty good description of how this OS differs from others. Its basically a type 1 (bare metal) hyper-visor.
And by this, frojack means that it actually is a type-1 hypervisor -- Xen, specifically -- but with extra work to make it act as a more integrated experience, akin to what you expect when using a distro like Debian. You can manually do something similar by making a barebones Xen install and then a bunch of separate VMs for different tasks, such as "banking" "work" "browsing" "chat" "video", and only running specific applications within the appropriate VM, but then you have to deal with all the management manually. The Qubes advantage (vs. rolling your own) is integration and convenience for doing the same thing. It does things like, for example, display different titlebar colours for different VMs so you know at a glance whether a window is coming from a trusted or untrusted source.
The integration features and easier setup means it might be a good option to create and provide images for end-users, since you can create an environment that has separate internal and internet-facing applications but still provide it in a more coherent way than a cobbled-together pile of VMs. Especially since it also has support for Windows VMs [qubes-os.org], so you could possibly integrate required Windows applications into the mix while limiting the security risks of doing such.
(Score: 1) by Burz on Monday March 21 2016, @12:12AM
Its really more than the convenience, though.... Graphics and clipboard are a particular weakness on Linux, for instance. Qubes has special drivers that virtualize both, elevating the UI to the role of a Trusted Window Manager which constantly gives you info about which VM is displaying which content. Also, the OS templates are a pretty nifty way to help keep VMs malware resistant. Then there is anti-evil-maid and split-GPG and PDF sanitizing. And a lot of work has gone into Whonix integration. Qubes has emerged as a lot more than what a roll-your-own configuration could achieve.
(Score: 2) by hemocyanin on Monday March 14 2016, @02:19AM
I like this idea.
The other day I was thinking about how uncontrollable computers are mostly because of the mass any os or program has, and sort of wondering what it would look like if instead of general purpose machines, I had a bunch of small machines, arduino sized, that do just one thing along with some sort of interface to share a single monitor or set of monitors simultaneously. I could just plug in my calculator and calculate, then physically unplug it when done. Plug in a text editor, etc. Ultimately, not really very realistic but I was a little drunk.
Anyway, grouping things into different VMs with differing security levels is an interesting idea and much more workable. I'm definitely going to check this out.
(Score: 1, Redundant) by Gravis on Monday March 14 2016, @02:53AM
The other day I was thinking about how uncontrollable computers are mostly because of the mass any os or program has
that word does not mean what you think it means. also, you are wrong.
(Score: 2, Informative) by RedIsNotGreen on Monday March 14 2016, @04:44AM
You either actually lack the little bit of imagination to see how the word "mass" could apply to the size of software or you are pretending so to be a pedant. Either way, it is not making you look more interesting.
Overlooking that, however, could you please elaborate on how "lots and lots of software piled on top of each other" does not equal "hard to control what's going on inside"?
(Score: 2) by Gravis on Tuesday March 15 2016, @11:04AM
i refuse!
interesting quotes you invented there.
here's an actual quote
computers follow the instructions they are given with a rare instances of memory corruption. it does exactly what you tell it, it's in total control. the fact that you have blindly trusted someone else to instruct your computer what to do has nothing to do with your computer's willingness to follow instructions because it has no will. if anything is out of control in this situation, it's the humans. do not blame machines for the failings of humans.
(Score: 0) by Anonymous Coward on Monday March 14 2016, @04:15PM
I would like to suggest that we establish a group of like-minded people who can expand this idea into a cluster OS, based on the VM concept. This will make it a lot more resilient against hardware failure, scalable (so calcumalator number three broke, pitch it and buy two more to replace it) and probably ground-up secure.
(Score: 0) by Anonymous Coward on Monday March 14 2016, @05:29AM
And threw in Linux-libre, now that'd be security rock'n'roll!
(Score: 0) by Anonymous Coward on Monday March 14 2016, @01:40PM
1. They need faster mirrors or something download speed is dialup-levels.
2. Why base it on Fedora? That's already backdoored to heck and gone.
(Score: 0) by Anonymous Coward on Monday March 14 2016, @04:27PM
dea5db22a496d9e0be3447405c0eef7bc951610f Ssseeeeeeeeed it!