by tholdem 522 days ago
QubesOS is great if you need to do work and personal stuff on the same computer. I do most of my stuff in the browser and have a separate computer for work. I am mostly interested in making initial access as expensive and difficult as possible.

You are still just as vulnerable or more vulnerable to malware stealing browser sessions, passwords, and everything you have on the AppVM the browser is running on than you are on a regular Fedora Workstation. Unless you only use disposable VMs, which you probably don't. If QubesOS had hardened templates, I would use it. When I used it, SELinux was not enforced, and I believe it still has passwordless sudo. Not sure what other mitigations are disabled in the default templates compared to regular, non-QubesOS Fedora Workstation.


> QubesOS is great if you need to do work and personal stuff on the same computer

This is significantly underestimating the benefits of Qubes. Are you using your online banking in the same browser that you use for random web surfing? I do it in separate VMs with hardware isolation. Same compartmentalization with all other things.

> You are still just as vulnerable or more vulnerable to malware stealing browser sessions, passwords, and everything you have on the AppVM the browser is running on than you are on a regular Fedora Workstation

This is not true. I'm not using the same VM for everything but dedicated VMs for bank, email, HN, instant messaging and so on. Malware on a random website would only get access to an empty VM, nothing more. Passwords can be securely saved in the related single-purpose browsers and in a plain text file (in an offline VM).

> If QubesOS had hardened templates, I would use it.

You misinterpret the Qubes approach to security. If your VM is compromised, no hardening will save your data (https://xkcd.com/1200/). On Qubes, you should compartmentalize your digital life into security domains, such that you never run anything untrusted in trusted ones and never have anything valuable in untrusted ones. With such an approach, hardening is irrelevant. More examples: https://www.qubes-os.org/news/2022/10/28/how-to-organize-you...

> Unless you only use disposable VMs, which you probably don't.

I don't understand why one wouldn't use them for everything not requiring saving the data. Of course I do use them and wrote this comment from one.

More benefits: https://forum.qubes-os.org/t/how-to-pitch-qubes-os/4499/15

> This is significantly underestimating the benefits of Qubes. Are you using your online banking in the same browser that you use for random web surfing? I do it in separate VMs with hardware isolation. Same compartmentalization with all other things.

What about the NetVM? All AppVMs use that, so what if that gets compromised? Since the templates are not hardened at all, could the attacker jump from the NetVM to an AppVM?

> I'm not using the same VM for everything but dedicated VMs for bank, email, HN, instant messaging and so on. A malware on a random website would only get the access to an empty VM, nothing more.

So how many Templates and AppVMs do you have? Each of those dedicated VMs would need their own AppVMs at least. You have Domain: Bank, Domain: Email (do all email accounts get their own domain?), Domain: HN, Domain: Github, Domain: Stackoverflow, Domain: Signal and so on.

> If your VM is compromised, no hardening will save your data

So that means layered security is totally meaningless and instead of keeping it default, let's remove mitigations?

> you never run anything untrusted in trusted ones and never have anything valuable in untrusted ones.

In practice, this is close to impossible.

> I don't understand why one wouldn't use them for everything not requiring saving the data

Disposable VMs were the best part of QubesOS, but unfortunately, it is pretty common that you need to log in to something or save something, which means you can't use DisposableVMs for everything.

>> If your VM is compromised, no hardening will save your data

> So that means layered security is totally meaningless and instead of keeping it default, let's remove mitigations?

Security in depth is definitely important, but it would provide a smaller improvement compared with virtualization. Don't throw the baby out with the bathwater by refusing to use Qubes without hardening. Also, Qubes developers do have plans to implement more hardening: https://github.com/QubesOS/qubes-issues/issues/5294, https://github.com/QubesOS/qubes-issues/issues/5461, https://github.com/QubesOS/qubes-issues/issues/8823 etc.

> Each of those dedicated VMs would need their own AppVMs at least.

This would provide more security in depth but if you never run installed software in your AppVMs, it would still be reasonably secure.
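The layout the replies describe (one qube each for bank, email, HN and messaging, an offline vault for the plain-text password file, disposables for random browsing, and a firewall rule set that answers the "what if the NetVM is compromised" question) written out as a dom0 shell script. This is an added example, not code from the thread or from the Qubes project; it assumes a Qubes 4.x system with a `fedora-39-xfce` template and the default `sys-net`/`sys-firewall` qubes, and `BANK_HOST` is a placeholder that must be replaced. By default it only prints the `qvm-*` commands so the plan can be reviewed; `QUBES_APPLY=1` executes them.

```shell
#!/bin/sh
# Added example (not from the thread): the compartmentalization the replies
# describe, expressed as Qubes 4.x dom0 admin commands. Prints the plan by
# default; set QUBES_APPLY=1 in dom0 to execute it. Assumed names:
# template fedora-39-xfce, net qubes sys-net/sys-firewall, and a placeholder
# bank host (BANK_HOST) that must be replaced with the real one.
TEMPLATE="${TEMPLATE:-fedora-39-xfce}"
BANK_HOST="${BANK_HOST:-bank.example.invalid}"   # constructed placeholder

run() {   # dry-run wrapper: print the command unless QUBES_APPLY=1
    if [ "${QUBES_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# One AppVM per security domain. All of them share the same, unhardened
# template; the boundary that matters is the VM, not the template contents.
make_domain() {   # usage: make_domain <name> <label-colour>
    run qvm-create --class AppVM --template "$TEMPLATE" --label "$2" "$1"
    run qvm-prefs "$1" netvm sys-firewall
}

# The bank qube only gets HTTPS to the bank host. The rules are enforced in
# sys-firewall, upstream of the AppVM, so neither a compromised bank qube nor
# a compromised sys-net can lift them. The accept rule goes first, then a
# drop inserted ahead of the default trailing accept (first match wins).
restrict_bank() {
    run qvm-firewall bank add --before 0 accept dsthost="$BANK_HOST" proto=tcp dstports=443
    run qvm-firewall bank add --before 1 drop
}

# Offline vault for the plain-text password file: no NetVM at all.
make_vault() {
    run qvm-create --class AppVM --template "$TEMPLATE" --label black vault
    run qvm-prefs vault netvm ''
}

# Disposable template for random browsing: each session starts from a
# fresh copy of this qube and is discarded when its window closes.
make_disposable() {
    run qvm-create --class AppVM --template "$TEMPLATE" --label red "${TEMPLATE}-dvm"
    run qvm-prefs "${TEMPLATE}-dvm" template_for_dispvms True
    run qubes-prefs default_dispvm "${TEMPLATE}-dvm"
}

plan() {
    make_domain bank green
    make_domain email yellow
    make_domain hn orange
    make_domain im purple
    restrict_bank
    make_vault
    make_disposable
    # Open an untrusted link in a throwaway VM rather than in any domain above.
    run qvm-run --dispvm="${TEMPLATE}-dvm" -- firefox https://example.com/
}

plan
```

The point of `restrict_bank` is the location of the policy, not its contents: because `qvm-firewall` rules are applied in `sys-firewall`, a compromised `sys-net` is in the position of a hostile network (it can observe and tamper with the bank qube's traffic, which TLS limits) rather than a process inside the bank qube, and the bank qube cannot widen its own rules. Each additional domain in the thread's list costs one more `make_domain` line and no extra template.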