Ed Snowden plugs Qubes OS


Alex

Nov 14, 2015, 4:35:36 PM
to qubes...@googlegroups.com

Axon

Nov 14, 2015, 5:19:14 PM
to Alex, mi...@micahflee.com, qubes...@googlegroups.com

Alex:
> Kudos to ITL for a mention from Ed Snowden:
> https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/
>

Thanks for the pointer! And thanks to Micah for conducting this
interview and for his valuable ongoing work in security journalism.

For anyone who can't read the article, here's the Qubes-related excerpt:

> Lee: What sort of security tools are you currently excited about?
> What are you finding interesting?
>
> Snowden: I’ll just namecheck Qubes here, just because it’s
> interesting. I’m really excited about Qubes because the idea of
> VM-separating machines, requiring expensive, costly sandbox escapes
> to get persistence on a machine, is a big step up in terms of
> burdening the attacker with greater resource and sophistication
> requirements for maintaining a compromise. I’d love to see them
> continue this project. I’d love to see them make it more accessible
> and much more secure. [You can read more about how to use Qubes
> here[1] and here[2].]
>
> Something that we haven’t seen that we need to see is a greater
> hardening of the overall kernels of every operating system through
> things like grsecurity [a set of patches[3] to improve Linux
> security], but unfortunately there’s a big usability gap between
> the capabilities that are out there, that are possible, and what is
> attainable for the average user.


[1]: https://theintercept.com/2015/09/16/getting-hacked-doesnt-bad/#qubes
[2]: https://freedom.press/blog/2014/04/operating-system-can-protect-you-even-if-you-get-hacked
[3]: https://grsecurity.net/

timwelter

Nov 16, 2015, 4:24:34 AM
to qubes-users, ix4...@gmail.com, mi...@micahflee.com, ax...@openmailbox.org

That should increase Qubes' visibility, and given the general opinion, right or wrong, that a majority have of Snowden, it should be positive.

One thing that struck me as sort of odd, and maybe others could comment, as maybe I am reading more into it: Snowden made the comment about hoping Qubes got more secure. It had a tone that sounds as if there were some real issues. Maybe I am naive, but I am not sure exactly what he is alluding to by that comment.

It was this specific part of Snowden's comment: "I love to see them make it MUCH more secure."

That comment makes it sound like it's got ways to go from some standard he has in his mind. What exactly is he implying there?

Dave Ewart

Nov 16, 2015, 4:51:57 AM
to qubes-users

On Monday, 16.11.2015 at 01:24 -0800, timwelter wrote:

> [...]
>
> One thing that struck me as sort of odd, and maybe others could comment,
> as maybe I am reading more into it: Snowden made the comment about
> hoping Qubes got more secure. It had a tone that sounds as if there
> were some real issues. Maybe I am naive, but I am not sure exactly
> what he is alluding to by that comment.
>
> It was this specific part of Snowden's comment: "I love to see them
> make it MUCH more secure."
>
> That comment makes it sound like it's got ways to go from some standard
> he has in his mind. What exactly is he implying there?

I've only seen this written down (is there audio/video anywhere?) but I
spotted that and wondered the same thing.

It's hard to get a real sense of some of these comments when only having
the transcript.

For instance, the stress in his remark could have been "make it much
MORE secure", suggesting that it's doing the right thing and there are
more things still to do. This is certainly a more positive spin ;-)

Dave.

--
Dave Ewart da...@sungate.co.uk, http://twitter.com/DaveEwart
All email from me is digitally signed, http://www.sungate.co.uk/
GPG key updated Jan 2013 see http://www.sungate.co.uk/gpg
Fingerprint: CF3A 93EF 01E6 16C5 AE7A 1D27 45E1 E473 378B B197

Axon

Nov 16, 2015, 5:34:50 AM
to timwelter, qubes-users

timwelter:
> That should increase Qubes' visibility, and given the general opinion,
> right or wrong, that a majority have of Snowden, it should be positive.
>
> One thing that struck me as sort of odd, and maybe others could
> comment, as maybe I am reading more into it: Snowden made the
> comment about hoping Qubes got more secure. It had a tone that
> sounds as if there were some real issues. Maybe I am naive, but I
> am not sure exactly what he is alluding to by that comment.
>
> It was this specific part of Snowden's comment: "I love to see
> them make it MUCH more secure."
>
> That comment makes it sound like it's got ways to go from some
> standard he has in his mind. What exactly is he implying there?
>

The comment makes sense in light of things like QSB #22/XSA 148:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt

The security of Qubes depends heavily on the security of the upstream
software projects it currently utilizes (e.g., Xen, Fedora), most of
which are not primarily focused on security the way Qubes is. However,
there's been some promising discussion on the secure-desktops list
about working with various other security-oriented software projects
to improve this state of affairs.

timwelter

Nov 16, 2015, 7:18:21 PM
to qubes-users, timw...@gmail.com, ax...@openmailbox.org

Axon,

I do agree with this. I would say it applies best to Xen. As I understand it, that is where the isolation security comes from. Comparing the severity and number of bugs to, say, the vanilla Linux kernel, it seems to be significantly lower. Which for now seems to make sense even just looking in terms of lines of code. I know Xen has been creeping up with more and more lines of code, but is it not still significantly smaller than, say, the Linux kernel? With that said, I have always wondered about hardening the Linux or whatever OS is used for Qubes.

IMO it would be a positive if we could have a completely audited kernel, something similar to what has been done with seL4 (ARM focused, AFAIK). Another example on the Linux side was the last distro I ran: Gentoo hardened kernel with the full grsecurity patches with PaX and using grsecurity's RBAC with gradm.

My assumption as to why some of these patches or security modules have possibly not been used in Qubes was redundancy or no additional security benefit. I simply do not currently have a deep enough knowledge of the underlying security code, so I am somewhat ignorant of how much of a security benefit such things would be for the Linux kernels in Qubes, or not.

Anyways, I am not trying to get this thread too off topic. I just found it odd, when you consider where Fedora stands and the layout of Qubes, the way I took that one Snowden comment, which of course I could have misconstrued or read into too much.

Dave,

Good point. I did not consider reading it that way, which would certainly change what was implied.

Micah Lee

Nov 16, 2015, 7:49:29 PM
to qubes...@googlegroups.com
On 11/16/2015 01:51 AM, Dave Ewart wrote:
> On Monday, 16.11.2015 at 01:24 -0800, timwelter wrote:
>
>> [...]
>>
>> One thing that struck me as sort of odd, and maybe others could comment,
>> as maybe I am reading more into it: Snowden made the comment about
>> hoping Qubes got more secure. It had a tone that sounds as if there
>> were some real issues. Maybe I am naive, but I am not sure exactly
>> what he is alluding to by that comment.
>>
>> It was this specific part of Snowden's comment: "I love to see them
>> make it MUCH more secure."
>>
>> That comment makes it sound like it's got ways to go from some standard
>> he has in his mind. What exactly is he implying there?
> I've only seen this written down (is there audio/video anywhere?) but I
> spotted that and wondered the same thing.
>
> It's hard to get a real sense of some of these comments when only having
> the transcript.
>
> For instance, the stress in his remark could have been "make it much
> MORE secure", suggesting that it's doing the right thing and there are
> more things still to do. This is certainly a more positive spin ;-)

There's no audio or video available from the interview, only the text
published on The Intercept.

I believe that he meant that Qubes isn't perfect yet. It's still
possible for bugs like QSB #22/XSA 148 to completely break the security
of dom0, there isn't a lot of real hardening inside AppVMs yet, etc. I
don't think he believes there are currently serious issues, just that he
wants it to continue to get even better.

--
Micah Lee
OpenPGP: 927F 419D 7EC8 2C2F 149C 1BD1 403C 2657 CD99 4F73

7v5w7go9ub0o

Nov 16, 2015, 10:55:04 PM
to qubes...@googlegroups.com


On 11/16/2015 07:18 PM, timwelter wrote:
> Axon, I do agree with this. I would say it applies best to Xen. As I
> understand it, that is where the isolation security comes from. Comparing
> the severity and number of bugs to, say, the vanilla Linux
> kernel, it seems to be significantly lower. Which for now seems to make
> sense even just looking in terms of lines of code. I know Xen has been
> creeping up with more and more lines of code, but is it not still
> significantly smaller than, say, the Linux kernel? With that said, I have
> always wondered about hardening the Linux or whatever OS is used for
> Qubes. IMO it would be a positive if we could have a completely audited
> kernel, something similar to what has been done with seL4 (ARM focused,
> AFAIK). Another example on the Linux side was the last distro I ran:
> Gentoo hardened kernel with the full grsecurity patches with PaX and
> using grsecurity's RBAC with gradm. My assumption as to why some
> of these patches or security modules have possibly not been used in Qubes was
> redundancy or no additional security benefit. I simply do not currently
> have a deep enough knowledge of the underlying security code, so I am
> somewhat ignorant of how much of a security benefit such things would
> be for the Linux kernels in Qubes, or not.

For the template VMs, a very significant benefit, IMHO.

(A benefit not for Dom0 - which seems well insulated - but for the
application vms/dispvms spun off of the template VMs, which might be
quietly invaded by an exploit, otherwise blocked by GRS/PAX - especially
with RBAC.)

For example: I daily start up a dispvm; then copy my TBird mail client
and downloaded mail into it; then within it process various mail
accounts for an hour or so.
During that operation, a bug could crawl into there and read my
mail/addresses/etc. and I wouldn't know about it.

At the end of the session I copy only the mail files back to vault and flush the
dispvm. So though there is no permanent damage to the box, and though
there is no lingering damage to the client, for the hour or more that
the mail client was in compromised operation I was under the microscope.

(heh...it gets worse! Most folks do not process, e.g. mail, in a dispvm
- but rather in an appvm - in which case the quietly compromised mail
client is not flushed, but is reused indefinitely!)

So protecting the template VMs with hardening very much makes sense.


> Anyways I am not trying to get this thread too off topic. I just found it
> odd when you consider where Fedora stands and the layout of Qubes the way I
> took that one Snowden comment, which of course I could have misconstrued or
> read into it too much.
>

I took the comment as you did: suggesting the hardening of the
(app/disp/template VM) kernel in the ways you mentioned.


timwelter

Nov 17, 2015, 2:55:57 AM
to qubes-users

Good to know, Dave. I actually did some searches, and it looks like a couple of people actually patched a Qubes Linux kernel with at least parts of grsecurity. I do not know if you could use all of it, as my guess is some of it may break parts of Qubes functionality. But they seem to have compiled their own grsecurity-patched kernel.

https://groups.google.com/forum/#!topic/qubes-devel/l5mi2dklu18


Anything that can be done to secure the appvm, the better; I would think it would be a benefit. While I certainly do not want an attack to break out of a VM if it gets in (which is HUGE), at the same time I want to do as much as possible to prevent hemorrhaging private data from any VM. Anything that could make it harder for an attack and still keep functionality, the better, IMO.

Actually there are a few threads on GRSec and Qubes.

Cheers,

Tim

cubem...@gmail.com

Nov 17, 2015, 9:14:49 PM
to qubes-users, mi...@micahflee.com

> I believe that he meant that Qubes isn't perfect yet. It's still
> possible for bugs like QSB #22/XSA 148 to completely break the security
> of dom0, there isn't a lot of real hardening inside AppVMs yet, etc. I
> don't think he believes there are currently serious issues, just that he
> wants it to continue to get even better.


Yeah ... I've been using and working in Linux since the .52 days, a professional software engineer for decades, have been contributing to open source for half as long, can count my technical advanced degrees on two hands, and as a new user to Qubes I am finding it barely usable. I've got three different laptops and systems to test it on too. It's a wonderful concept, and I have huge sympathy and appreciation for Joanna and Marek for their work, but unfortunately it's a step back a decade in Linux terms. Very picky about hardware, many broken things, lots of tweaking, and it's fragile.

Just now, I'm trying a GnuPG smart card. Works fine in any other Linux I care to try, but fails in Qubes (gpg can't find a library, probably lobotomised for security, but then a smart card is used to enhance security, so ...). Ignoring the various little crashes and the non-polished GUI, the main difficulty seems to be around GPUs.

Anyhow - DON'T GET THE WRONG IDEA - Qubes has my FULL support and love, but we have to be honest, it's nowhere near ready for even much of the technical community, never mind a more general public. I'm not confident I can get it satisfactorily working for me.

cubem...@gmail.com

Nov 17, 2015, 9:23:29 PM
to qubes-users

> Anyhow - DON'T GET THE WRONG IDEA - Qubes has my FULL support and love, but we have to be honest, it's nowhere near ready for even much of the technical community, never mind a more general public. I'm not confident I can get it satisfactorily working for me.

Ironic ... just after posting this the computer completely froze up. Frozen pointer, fan started spinning, required a hard reboot. A new one. 

Pete Howell

Nov 17, 2015, 11:29:54 PM
to qubes-users, mi...@micahflee.com

Qubes works perfectly for me.  I have zero complaints whatsoever -- never had a crash.

Linux in general is very finicky about hardware, with a lack of support for advanced hardware on every front. I personally find Qubes no more difficult than getting any Linux system to work with newer hardware, whether it's getting it to just see the device or properly restore from sleep. It takes me at least 10 times longer to get a Linux system working properly than Windows because of compatibility issues, software that isn't installed by default, etc.; so how is Qubes any different?

When Qubes is installed on compatible hardware it works like a dream, and I for one, am more than happy to build a system that works with Qubes because it's more than worth it, rather than fight to get it to work on incompatible systems.

Qubes is not just any old operating system.  It's worth the effort to build a system for Qubes and not the other way around.

timwelter

Nov 18, 2015, 12:58:33 AM
to qubes-users, mi...@micahflee.com

Some of the largest issues, I think, come from hardware and other manufacturers not sticking to the standards that are in place for compatibility. Many only ensure the most popular parts work. Unfortunately that many times does not include parts for security. As an example: BIOS not properly implementing VT-d, VT-x, IOMMU, TXT, TPM. They all have standards, so there should be no issues, yet there are. Basically, does it work for what most use MS Windows for? Then that's good enough.

Take my Lenovo T440p: I have not had one freeze or lockup. The only things have to do with audio being muted on power cycle and sometimes the wifi symbol in the taskbar not showing up occasionally. But nothing at all that deals with performance or functional stability. I find that mainly because the Lenovo T series markets to the business sector, these kinds of things are implemented properly.

In fact I just did an upgrade, I think still in testing, going directly from the Fedora 21 to the Fedora 23 template. The upgrade process went perfectly. The only issue was the default terminal shortcut did not work. Added a new one (just used the XFCE terminal for no special reason), but everything else works so far.

So currently I am running Qubes with all sysvm and appvm using the Fedora 23 template, using the 3.19-100.fc20_x86_64 kernel for all of Qubes. If anything, everything seems to be running much quicker with this config for some reason.

I would point out that in that time I have had to power cycle my Windows 8.1 a few times because it gets sluggish. I will not even comment on the number of updates for everything under the sun. But therein lies the catch. Everything is made to function with Windows because it's the most popular OS, and thus it seems to work the best, and that is why people go to it, which again keeps it popular. It's basically a full-on uphill battle because the OS market has reached a certain level of maturity. It makes new things much harder to get a footing.

This does not mean Qubes still does not have plenty of growing pains to go through. But look at its path to where it's at compared to others that offer so little in terms of security. It is certainly usable and stable enough, with the proper hardware, for the main PC for me.