A better way to a secure environment is to mix topologies rather than duplicate or clone them.
I think it's more like you can never be 100% safe lol. Sandboxes or jails are a form of isolation, no? Qubes just takes it to the extreme level.
You can use AppArmor with Debian in Qubes.
I don't know if this makes any sense, because everything in Qubes in the default configuration is user accessible. Firstly, to use this, user access control should be configured, which Qubes doesn't provide in the default configuration.
I think you can make a root user during install, I could be wrong. But it wouldn't make much of a difference anyways, man.
But AppArmor also works on root too.
Ya, but again, it's more about what the user wants to do on his computer that makes them vulnerable, and I'm sure there are 0-days out there for everyone, so big money gov'ts pwn us all, I mean if they're that bored, but at least we can stop the robots, hopefully.
Microsoft phoning home? What?
Debian is not the default for Qubes VMs. It's a community package, but you can customize it however you want, just like a bare-metal Debian.
Whonix has instructions for how to install AppArmor, which will also apply to a Debian template. https://www.whonix.org/wiki/Qubes/Install I use it for Chromium and HexChat.
VM separation means you don't go to a website that will upload your documents to a .ru site in a VM that has documents you don't want there. That's the whole point I think maybe you're missing, and understandably what turns a lot of people off.
You have to be able to strictly use different VMs for different tasks. Which also means you want a lot of memory and HDD space. It's perceived as overwhelming by those not used to it, but no different than having lots of file folders on a machine, IMO.
sys-net is considered untrusted as it is, consider your router too, most likely. You really shouldn't presume anything not encrypted is private.
Always make sure the site is HTTPS if putting in a credit card. A tip I got on the mailing list when using Qubes is to go to the site in your normal AppVM and look at the cert. Then load the same page up from a TorVM and make sure the cert matches. You should also make that qube HTTPS-only in firewall settings, and use HTTPS Everywhere with the setting to block everything not encrypted.
1-2-3 is separated but it's still the same, so someone exploits 1, then exploits 2-3 recursively.
I mean by this virtualisation with the same topology.
So what I mean is that a better way is multiple topologies, to avoid recursive exploits.
Ubuntu (sys-net) - pfSense (sys-firewall) - AppVM (Debian or Fedora)
Again, probably only making a real difference against a random or automatic Qubes-designed attack, I guess? You can still do what you want yourself, man. You don't have to use the default setup.
Tell me how to build a pfSense (or something familiar) firewall on Qubes and set it as default.
Ya, that's what I was talking about. Nice, I'll have to try it out.
It's too complicated for me to try, but have a look here, maybe it will point you in the right direction: https://www.qubes-os.org/doc/building-non-fedora-template/
Really sorry about that, I didn't think that someone would get some emails. But this matter of system security is important.