Introducing Qubes 1.0 ("a stable and reasonably secure desktop OS") - rbanffy
http://theinvisiblethings.blogspot.com.br/2012/09/introducing-qubes-10.html

======
greenyoda
Brief description from their web site: "Qubes is an open source operating
system designed to provide strong security for desktop computing. Qubes is
based on Xen, X Window System, and Linux, and can run most Linux applications
and utilize most of the Linux drivers. In the future it might also run Windows
apps." (<http://qubes-os.org/Home.html>)

~~~
darklajid
In fact, the version in development already runs Windows. The blog has a
screenshot showing Windows running in 'desktop mode' (as in, you currently
don't have single application windows for the Windows VM).

The extra requirements for this seem to be (ignoring that this isn't yet
released) that you have VT-x support, as far as I remember.

------
sbierwagen
Previously:

<http://news.ycombinator.com/item?id=1246990>

<http://news.ycombinator.com/item?id=2645170>

This story won't see much traction on HN. The cult of Mac is too strong, and
HN users generally aren't interested in secure operating systems.

~~~
ChuckMcM
Actually folks on HN _are_ interested in secure operating systems but they
recognize that creating such is a Hard Problem (tm) which someone who is an
unknown [1] in the field is unlikely to have achieved.

Now you can read up on Mark Miller's published papers [2] on Joule (actually
pretty secure) and some of the issues associated with making things secure and
get a much better feeling of solidity (for example).

So when the press release comes out that it's passed the Defense department's
B1/B2 review, then I suspect it will get a lot of interest here and
elsewhere.

[1] <http://www.linkedin.com/profile/view?id=10279027> LinkedIn profile, one
job CEO of this thing? A blog full of black hat sort of exploits but I didn't
see any peer reviewed work.

[2] <http://research.google.com/pubs/author35958.html>

[3] <http://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria>

~~~
tptacek
Joanna Rutkowska is famous in computer security circles and highly credible on
this particular topic.

The "black hat sorts of exploits" attributed to her tend to be things like,
"abusing odd, barely-documented corners of x86 chipsets to bypass hardware-
encrypted trusted boot roots". Thinking less of a professional in my field for
having exploits attributed to them tends to be a bad idea, but it's a
_uniquely_ bad idea in Rutkowska's case.

Outside of conference presentations, Rutkowska doesn't have much peer-reviewed
work in the literature. That's because Rutkowska is originally from the
malware/rootkit/virus part of the industry. For obvious reasons, antivirus
doesn't generate a lot of peer-reviewed academic research. One of those
obvious reasons is that they're too busy printing money hats to bother. (This
to my chagrin; I am very much _not_ from the AV/malware part of the field).

I'm not vouching for Qubes or even saying that I think the approach (of semi-
transparently allocating secure VMs for each application or trust domain on
the system) is viable. But Rutkowska is worth taking seriously.

~~~
viraptor
> Outside of conference presentations, ...

Almost on topic: I have to say the team is also really cool and approachable
at conferences - and for that I'm very grateful as a member of the
inexperienced audience. They can really adjust the explanations to the right
level for the general crowd, which must be quite hard considering the topic.

~~~
daeken
Generally security people are fairly approachable. If you're at BlackHat, all
you have to do is say "I saw your presentation -- neat work, but I have some
questions" or "want to grab a beer?" and you'll most likely have a good
conversation.

------
hazov
Not exactly a security guy (I'm actually a mathematician/statistician, not
exactly a computer engineer): how do these compare in security terms to
sandboxing applications or using LXC from the Linux kernel?

As far as I remember you could use different kernels for Xen VMs and the
physical hardware, then the only way to compromise the system would be if I
could escalate privileges on the hypervisor, right?

~~~
rdl
Right, but the point of this (I think) is to be able to be a "compartment mode
workstation" -- a single X server which runs X clients themselves executing in
multiple Xen VMs, with guarantees about isolation and how the windows are
managed.

There's a continuum of security and usability between having (a) N machines in
N rooms for N tasks to having (b) 1 machine on a single desk running N tasks.
You can have a KVM switch and multiple computers sharing a
keyboard/mouse/monitor, which gives you a high degree of isolation (very close
to (a)), or you can have compartment mode, where windows themselves have
security labels, but then you need an advanced system to protect apps in one
window from other windows, including window masquerading attacks. If you do it
well, it's ideally close to (a) as well.

The problem with virtualization on a desktop is that certain resources
(video/keyboard drivers) don't like to be virtualized, so you end up running
them in the system host area. Applications also tend to want pretty low-level
access to those resources. It used to be the performance overhead of all of
this was very high, but now it's not as big a deal (at least for normal 2d
type apps).

The last good Compartment Mode Workstation I remember was Trusted A/UX (built
on Apple's first UNIX operating system) from the early 1990s. It wasn't
particularly good.

------
eckyptang
I genuinely can't think of anything else I'd rather use less than this.

I think MAC (Mandatory Access Control) applied to a desktop environment,
picking a better language than C and actually thinking about stuff is more
than sufficient to get around the existing problems...

Virtualization is just another pile of complexity and performance problems to
deal with. It's not a magic bullet. Consider the following as well:

<http://www.c0t0d0s0.org/archives/3651-Theo-de-Raadt-about-virtualisation.html>

I really don't want this solution.

~~~
tjoff
I really like the idea and I just can't wait for it to be more prevalent on
mobile devices.

I'm sick of the lack of control over my data I have on android (not to mention
iOS).

~~~
eckyptang
This is not a flame or a troll, but seriously try Windows Phone. It actually
gets this spot on.

~~~
glhaynes
Can you say anything more about this or provide a link? I'm not familiar with
this aspect of Windows Phone.

~~~
eckyptang
Every interaction that it makes to the network is controllable via user
preferences and is documented. It does not send data unless you allow it to.
Each application is fully isolated from others so applications cannot read
from each other by design as well.

Nice video here: <http://www.youtube.com/watch?v=pzviQLCPCG4>

An application can read the unique ID of the device (which is used for session
persistence between service calls) but not access any other information unless
allowed to.

Effectively there is no way for it to steal all the data in that list unless
you physically tell it that it's ok to do it.

It's the mobile platform that scares the shit out of me the least. They did
good here.

~~~
glhaynes
Thanks. That video seems to only show settings/confirmation-prompts for the
usage of location data, but if you can control whether individual apps have
access to the network, too, that's handy.

------
mike-cardwell
It doesn't seem to support using full disk encryption during installation. I
like the way it sandboxes things, but I'm not giving up full disk encryption
for it.

~~~
signifiers
Look again.

LUKS is used for all filesystems. Qubes was _specifically_ engineered to block
the Evil Maid scenario and similar vectors for notebooks. See pg. 31 from
<http://qubes-os.org/files/doc/arch-spec-0.3.pdf>:

"There are several things that all together make the storage secure in the
Qubes architecture:

1. Confidentiality, understood as preventing one VM from reading other VMs
data

2. Confidentiality, understood as preventing access to the data when the
machine is left unattended (full disk encryption, resistance to Evil Maid
attacks, etc)

3. Integrity, understood as preventing one VM from interfering with the
filesystem used by other VMs

4. Security non-critical role: a potential compromise of the storage
subsystem doesn't result in other system components, like other VMs,
compromise. Storage subsystem is not part of the TCB in Qubes OS."

See also, Section 7.1 System Boot Process, and 8.5 Resistance to Physical
Attacks (or just search for "disk encryption").
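
A post-install check that settles the question above either way, added here as an example (it is not from the thread or from the Qubes project): it resolves the device behind a mount point with findmnt, walks the device's dependency chain with `lsblk --inverse`, and reports whether any layer in that chain is a dm-crypt mapping, which is how a LUKS-encrypted volume appears to lsblk. The sample chains at the bottom are constructed to stand in for a LUKS-on-LVM layout and for a plain partition; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example (not Qubes code): verify that the filesystem behind a mount
# point is backed by a dm-crypt ("crypt") layer, i.e. LUKS full disk
# encryption is actually in use rather than merely offered by the installer.

# chain_has_crypt takes a newline-separated list of block device TYPEs,
# innermost device first (the shape `lsblk --inverse -no TYPE <dev>` prints),
# and succeeds if any ancestor of the device is a dm-crypt mapping.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*crypt[[:space:]]*$'
}

# mount_is_encrypted resolves the device behind a mount point and walks its
# ancestry on a live system. Requires util-linux (findmnt, lsblk); returns 2
# when either tool is unavailable or the mount point cannot be resolved.
mount_is_encrypted() {
    dev=$(findmnt -no SOURCE "$1") || return 2
    chain=$(lsblk --inverse -no TYPE "$dev") || return 2
    chain_has_crypt "$chain"
}

# Constructed sample chains (not captured from a real machine): a root logical
# volume sitting on a LUKS mapping on a partition, and a bare partition.
SAMPLE_ENCRYPTED='lvm
crypt
part
disk'
SAMPLE_PLAIN='part
disk'

if chain_has_crypt "$SAMPLE_ENCRYPTED"; then
    echo "sample 1: root is on an encrypted layer"
fi
if ! chain_has_crypt "$SAMPLE_PLAIN"; then
    echo "sample 2: root is NOT encrypted"
fi

# On a real install, drop the samples and run e.g.:
#   mount_is_encrypted / && echo "/ is LUKS-backed" || echo "/ is NOT encrypted"
```

Checking the device chain rather than grepping the installer's summary or /etc/crypttab is deliberate: it reports what the running system is actually using, so it catches the case the thread argues about (an installer that never mentioned encryption) as well as a crypttab that was never applied.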

~~~
mike-cardwell
Strange. I went through the install process in a VM and quit out when it
started writing a filesystem without making any mention of disk encryption.

------
cyberpanther
Very cool! So how does this compare to Chrome OS and its sandbox technique
for tabs? Yes, I know it is only a browser, but with offline apps, executable
code (Native Client), and local APIs, it is more like a normal OS.

------
Torgo
I've been following this, even tried to buy hardware to support it. Fair
warning though, Version 1.0 does not support Ivy Bridge architecture. There's
an unsupported experimental branch that is supposed to work, though.

------
alberich
>So, we believe Qubes OS represents a reasonably secure OS.

>(...) But then again, I'm biased, of course ;)

At least, they are honest heh

------
dj2stein9
Wow, talk about being out of touch with the real world. Developers, especially
Linux developers, really need to give up on this whole "Desktop" operating
system idea. It's not going to work. It is already dead. And I can hardly
believe we are still using these ancient systems for many tasks even today.
There is no future in WIMP, and people really need to stop developing these
Windows clones already. It was lame 10 years ago. If you are still working on
desktop OS clones today, you are so terribly out of touch with the real world
that there really is no hope for you or your product. Get over it.

Touch-based (and by extension, NUI-based) OS'es and mobile applications are
the future. Windows always sucked. Mac OS always sucked. Every desktop OS ever
built sucked because it is a horrible way to use a computer. Nobody ever
really wanted to use these terrible desktop metaphor systems... they only ever
did because they _had_ to.

~~~
SCdF
I'm sorry but none of that is even vaguely true, as true or false as something
can be when it is entirely opinion.

Touch screens are to desktops as push bikes are to tractors. You need both.
Some people even use both. Or just one. Or neither.

Maybe you feel this way because you've been driving a tractor around all this
time and you feel like you've been wasting your time, however some of us (I
imagine a lot of us on HN) like to do farming occasionally :-)

~~~
dj2stein9
That reminds me of the John Ford quote:

    "If I had asked people what they wanted, they would have said faster horses."

People do not desire better desktop operating systems. They want computers to
disappear. It simply does not matter how good this awesome new, secure,
desktop OS is because it's built for a world that doesn't exist anymore.

~~~
kingkawn
Henry Ford. And he appears to have never actually said it. And this attitude
cost Ford the early lead in market share.

<http://blogs.hbr.org/cs/2011/08/henry_ford_never_said_the_fast.html>

~~~
dj2stein9
Okay so I mistakenly wrote his first name... I don't see how that invalidates
what I've said.

~~~
mquander
What's there to "invalidate"? You just made an assertion, not an argument.

You say that nobody wants to use desktops and people want computers to
disappear. Unlike you, I don't believe that already, so do you have some
evidence for it?

