Anyone here try VMware in place of QUBES?

[Catacombs]

I have used VMware on a Mac. I do not the idea of OS X being the base of my security, however like they say about a lot of Apple, it just works.

[Steve Coleman]

On Wed, Apr 29, 2020, 11:03 PM Catacombs <ggg...@gmail.com> wrote:

I have used VMware on a Mac.  I do not the idea of OS X being the base of my security,  however like they say about a lot of Apple, it just works. 

I have to ask why you reject  OSX for being the base of your security? Because you can not audit the code? No way to be sure if you can trust it? Then there is no difference then between OSX and VMware.

Xen was chosen because it is both small in size (comparatively) and open source and is therefore auditable. You know what it will do when you use it. With VMware its just you trusting a black box, and you have no way to know what its doing under the hood without reverse engineering the binary code.

That is why Qubes uses Xen instead.

You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fc43c85d-4cde-4607-927d-5adc8d057b8e%40googlegroups.com.

[Catacombs]

On Thursday, April 30, 2020 at 11:09:59 AM UTC-5, Catacombs wrote:

My apple is from 2009.  Which I upgraded until I got to Mac OS 10 Lion.  One of the Apple tech support suggested to defer OS 10 updates as the features added were for Syncing between different devices like IPhone, IPad, ICloud, other Apple computers.  I would call them security holes.  Besides Apple uses Broadcom for internet connection.  Not Foss.  And TAILS says brooadcom  can not be spoofed.  

My thought being to use Linux distro as the host.  Perhaps, pen testing.  A Linux Distro that has an extensive outgoing Firewall.  Then put VMware on top of that, for $250.00.  

But I am not anxious to do so if VMware is the total black box suggested by poster.  

I recall several years ago, a huge security hole, created in open source, coding left to a group of enthusiasts, in Java.  A guy was begging not to be banned for writing the security hole.  Pointing out his Patch had been approved by very knowledgeable developers and he clearly had no intent to create a security hole.  

My point being open source and FOSS are not perfect.  Plus.  What no one every talks about.  The NSA is one of the largest employers of Mathematicians in the world.  I would guess the NSA is also one of the biggest employers of really well trained Linux programmers.  That is. They don’t, as Hollywood might suggests, hire their tech guys from script kiddies who are in jail or probation.  They hire first rate minds who had the work ethic to get a  Masters from places like MIT. USC.  First rate Computer Science  programs.  These NSA tech guys are likely spending some of their employers time in helping to fix Fedora, Debian, Perhaps Tails and Qubes as well.  

I am pretty sure China. China with the big C who is reputed to have a lot of their who used computers in some way the government did not approve. Such as, Telling the Truth of events.  Or just violating the big China Firewall.  Big China has a large group of Linux programmers, who might be helping Linux Distros as well.  Of course. In some small countries I suspect their security services are not well trained computer specialists.   Perhaps individuals who left schooling before middle school. But their interrogation is more blunt bruising instruments. Heated objects.  Ropes.  Cold water.   I might have gone to elementary school with some like that, here in the US.

Still China may have more qualified Linux programmers to pull apart Tor. Tails. Qubes. Than their are qualified Linux people trying to make it work.  

There is another group of security concerns we never write about on the Qubes site.  Our connection with the internet. Servers.  ISP software. Server software.  Well actually we now hear of the 5G hazards.  

How much more Secure is what I do with QUBEs versus something like VMware.  Also assuming I am careful of how I use it.  That I have a formula to use.  Reminding myself that “Encryption is more likely broken in Practice than in Theory.”  That is. If we use poor techniques. Then all the encryption available will not help us.  

All that said. I will continue to use QUBEs. Because at least they try.  

But another question obvious to many experienced QUBEs users.  Why Fedora is emphasized over.  Say CentOS. Which is supposed to be the same as Red Hat, CentOS having a delay in implementation?  Or a very limited hardened Debian?

 

[Sven Semmler]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, Apr 30, 2020 at 09:09:59AM -0700, Catacombs wrote:
> How much more Secure is what I do with QUBEs versus something like VMware.

A lot. Xen is bare metal. Setting the BIOS/ME aside, as long as you keep
your dom0 clean and keep confidential information in qubes that are
always offline (have no netvm) all you have to worry about is people
with physical access including yourself and XEN virtualization escapes.

VMWare run on-top of another OS... game over. Anything that can happen
to your host OS whether it's FOSS or not happens to your VMs
(keyloggers, screen grabbers, network monitoring ... everything).

I am fully aware you can make the same argument about the ME ... but
usable security is never absolut. So you got to pick your battles and
think about what you are protecting against.

Qubes is definetly next level compared to everything else.

/Sven

- --
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE18ry22WNibwI1qeq2m4We49UH7YFAl6rSiMACgkQ2m4We49U
H7ao8A//Tj7Hp+yJBmZquISu20qxnQUNA+sfJOTANvJRthpnnIdhmdg15pL6Ox9y
vbEdvo7C/ArHlN+DHIMmNZ8csyrjjM6BFm6ywJ35cy7VO18wrZV/qmhFbg18d552
xyTBUVEOVO5J4AYndRNruIOfJqnAE6+09EDz1sQWv8JiMvYy2C6f9q/P0oKpWhzO
1aMzM1lerN9W4U0vyIPahJG9vdGc2sWlKcvYwxmioCk9+nCtsmBl4E/TkMhX2qUd
2qlbpNj5K9eBiibOLtyL/VXy1pF2wlrQQ+Ydth+tRykOeBwPrXUqHjjeLtvBPhil
dtZf8deqzhpQpT2ZDV6XKs8oXH6b/kKpJDLZqERugkKfyKhjUuKzHSwVTfXDJv+R
y/826u0ZDyjjLg7An5Fo6vFq2sN1Li+MpBuzK4+3Dm0JymwEWD3fSDXQP3dvf6ey
q9Nqq55zw/HhhKcECdquZs0SvDHUCPKxxyoNnjAST1hWsDmn9s2T42PI7D8O4QfH
hMR4suZNomCpp4Da5C73HAnUiNgh89l1VgxliXDB53H1MgJdWG6EQXSdvx7TKf1l
P5qHDapidWma9Df3lGLDMFYMQjBJ5dZt7ixLdpjaPJ83u81cWVC/ioJHw0G93/Mq
hlslIgh1o9r5u2zhXU83C+yEYxGdSPGqfrr3tz7xfUc9J4UTOcY=
=ag77
-----END PGP SIGNATURE-----

[Catacombs]

Thanks for replying.