1) Qubes is a system for security and isolation. But when you install, you have no encryption options.
Distros think that if a user wants some strong crypto thing, they must research it themselves and do it all manually. We don't even find anything about Qubes encryption in the docs. That is wrong. The first thing we must do out of the box is offer strong full disk encryption, like VeraCrypt's, with options, iterations, etc., and inform the user about that. Even Tails, for just a live browser with storage capability, does that. Even distros like PARTED MAGIC for managing partitions now come with VeraCrypt installed by default in live CDs. To me, Qubes is neglecting what the user wants to read and do regarding encryption.
I usually use Mint's strong encryption. But even that I must do manually. Imagine ALL users trying to do this on their own. They won't. I use the appendix A configs from the links below, much stronger.
https://community.linuxmint.com/tutorial/view/2026 (bios)
https://community.linuxmint.com/tutorial/view/2061 (uefi)
2) Qubes faces 2 problems nowadays for engaging new users with real security.
a) Qubes is a system for HIGH END computers with lots of RAM. Usually it's for people that have WINDOWS and GAMES also, a good GPU, and won't waste their machine on a UNIQUE Linux system, at least without dual boot.
b) Nvidia spies on people, with their streaming @!^@^% they put in new GPUs, network, etc., and people are suspicious of AMD too. But most consumers are Nvidia's. Nvidia now spies on the hardware level. System security does not matter.
The solution? REAL Windows virtualization with GPU PASSTHROUGH. So, the high end computers can use Windows for what they need and even play games. Plus, if you do use Nvidia in dom0, they WILL capture the screen on the hardware level. Nouveau has not been working right for a long time. Onboard or GPU 1 for dom0 and Nvidia or AMD high end for the Windows VM. If the person doesn't have 2 monitors, they can change the VGA adapter from one to the other to use Windows after starting the VM. That would be perfect.
So we give a finger to Nvidia and the driver problems they cause, and we isolate their spying inside the Windows VM, plus eliminating the need for a dual boot and for everyone not using their gaming GPUs.
So, XEN is not good for that? Consider passing to KVM.
- To create a real secure isolation OS, it's primal to ensure the best disk encryption available, with CHOICE for speed/security, eliminate the Windows host multi boot needs, and make good use and usability for Windows and GPUs. You will reach that when you direct the efforts to adapting the system to what the global user WANTS AND NEEDS, and not adapting the user to the system that 1 person in 1 chair dreams of for their personal needs. Ubuntu did not follow this lesson with their Unity thing and they paid the price.
3) Consider offering PFSENSE as an optional firewall VM installed out of the box. It's very hard and time consuming to do that inside the Qubes system without studying it all, for managing the internal IP structure, etc. It is the most perfect firewall for use inside a VM, Qubes is a system for VMs, and I did use it even inside Windows in VirtualBox. But I was in WINDOWS, and that means no real security at all.
I would also like to give 2 more suggestions for people to consider, concerning Whonix, since Patrick is a developer here:
4) People need a pop-up window to explain to them to NEVER use an existing normal VM through the Whonix proxy VM, just NEW ONES. Because they already have fingerprints, identifiers, browser behavior, browser plugin identification, application updates, especially in Windows. If they connect that with a once-used real WAN IP, game over for anonymity.
5) I will use this post to state that Tor behaves differently when connecting in the Windows Tor Browser, or the Linux Tor Browser, compared to Whonix, and I don't know why. Whonix always gets the same speed, 250 to 500 Kbps (not KBps), with download speeds of 30 to 60 kB/s, and in Tor Browser outside Whonix, I get 500 to 1 Mb kB/s downloads. That's really strange and wasn't expected. I have gotten this behavior for almost 2 years, and I don't have the expertise to know why. After some googling, I saw I am not the only one getting different special routes in Tor using Whonix.
Sorry for my bad English, it is not my main language; I hope people can understand what I wrote. And forgive me if I wrote stupid things.
Plus, as a gamer myself, I always want the most FPS the machine can dish out, and that's definitely not by running games in a VM.
I have a separate machine for sensitive and daily tasks running Qubes. Most people use consoles for gaming now anyway. The hardware industry has been dying for a decade and I never had any reason or thought I would ever build a custom PC again, until Qubes! :)
Most people also don't have two GPUs in their machine, which you imply would be the most secure way to use this feature? The only people I know of that do are gamers. If you do graphic design and need to use special professional programs that require GPU processing, I would recommend using a separate computer. But it seems this might be a feature in the future on Qubes. I wouldn't call it a priority though.
I think Qubes is fine for normal everyday users doing everyday tasks for home and office use. I can still edit photos, watch movies, create greeting cards, view almost any webpage. The only thing I can't do is play video games. And that's fine, I have another machine for that, since I consider playing video games one of the most dangerous things you can do online anyway.
It's nice that you have so much faith in Qubes and that it can stop all attacks, but that is unrealistic. There is still always danger when doing untrusted tasks even when using Qubes, even with its hardware isolation. People should realize that. Qubes themselves describe it as "somewhat" secure, meaning much better than a traditional OS, but nothing is 100%.
I did not like your tone and I will take that as an insult. If you were happy with a TYPEWRITER, you should keep using it.
That is your way of thinking.
Sorry to say, but you have a limited mind. If you failed to understand that GPU passthrough is a security problem, try to read again.
No one cares, and should not care, if it reaches YOUR personal needs as an IT user.
If you think that Qubes is directed to provide security to a VERY SMALL AND RESTRICTED group, congratulations. You failed again. At least as a thinker to direct the ship. You may even be good in isolated tasks, but you are unable to see the whole picture. I am sorry.
In the post where I taught how to use TAILS, there are HUNDREDS of people that use it now. Qubes? There were hundreds interested. The main question was FULL WINDOWS FUNCTIONALITY. And that lack made almost all give up until that functionality is ready.
If you are happy with what you have, don't invent anything else.
That is a really stupid way of thinking. You are someone destined to work for others. A sheep.
No one told you to PROVIDE A WINDOWS TEMPLATE. People install it. It is not forbidden.
If you are HAPPY WITH WHAT YOU HAVE, do not upgrade anymore. Do not use ANY of the new functionalities. Stop. Freeze your system to make it become like your brain.
SORRY PEOPLE, I APOLOGIZE!!! I have an NVIDIA GPU. I failed to understand that if GPU spying is a security problem, I must not use my second monitor. I FAILED to understand that I NEED TO USE it in dom0 and fail in security, or throw it in the garbage according to this guy. Qubes virtualization is made to browse the web and send e-mails.
Seems I failed to understand that GPUS FOR QUBES USERS ARE TO BE USED IN DOM0 without virtualization! THAT is the idea of security!!! Ah!!!
Remember to tell the Qubes developers to REMOVE Windows tools! "Qubes is not made to be used with Windows", let them stay in their OS. Let EVERYONE stay in the OS they use.
Is that what you want people to reach? Your way of thinking?
One that is exclusively yours? OK.
HE IS HAPPY with what he has, so you need not improve anything else on Qubes, did you understand, developers?
HERE!!! This is the perfect Qubes solution according to this guy.
https://www.qubes-os.org/doc/install-nvidia-driver/
Install the Nvidia proprietary driver on dom0 and be happy with the huge security it will provide!!!! And "BE HAPPY" like he is!!!
Don't forget to remove the security warnings about installing those drivers from the page. Oh, there are none. Cool.
I am glad someone so smart came to tell us how to "be happy" now!!! That's what you do when you have a GPU. Don't isolate it to use it, just use it in dom0! Great!
http://www.online-literature.com/voltaire/4411/
"The Good Brahmin
DOES HAPPINESS RESULT FROM IGNORANCE OR FROM KNOWLEDGE?"
Read it. And REMAIN HAPPY! I chose knowledge.
And you, about humans. You have such a limited mind...
If you want to change to "ad hominem", let's see what you wrote here:
https://groups.google.com/forum/#!topic/qubes-users/tKOVanAupFE
=======================
feature request: luksAddNuke
How difficult would it be to implement Kali Linux's luksAddNuke patch to Qubes, ideally on a per-VM basis?
https://www.kali.org/how-to/emergency-self-destruction-luks-kali/
Suggested operation:
password 1 -- decrypts drive, normal operation
password 2 -- nukes a predetermined list of VMs
password 3 -- nukes the whole disk
Laszlo Zrubecz
17/02/15
Re: [qubes-users] feature request: luksAddNuke
Just wonder what situation called this feature to reality?
The only one I can imagine is if your data worth much more than your life.
==================================
So, you CAN NOT IMAGINE a situation where someone would need to nuke a list of VMs? lol. There are DOZENS of situations. Anyone could name a lot BUT YOU. I had a friend that had to give his key at an airport... No one copied his hard drives lol. He just had to let them in to examine. Last week, a good friend of mine... His wife found some lipstick on his clothes and made him turn over his Facebook password and his VeraCrypt full disk encryption password. If he were a Qubes user, he would have had a profile to speak with his lover. And would want a password to nuke some specific VMs. In your short-sized mind, common things are beyond your imagination. Just Hollywood CIA scenes.
Dude, I think the only thing about isolation you proved to know is that you managed to have an isolated mind. Isolated from common sense. And, I am sure, isolated from the real world, since you have zero common sense.
If you think it is better to let people install Nvidia drivers in dom0 to make the system work than to provide GPU passthrough... Assuming that anyone will have onboard video too... And that to think otherwise is to "have absolutely no clue about virtualization"... What can I say?
There are A LOT of people that ARE INTERESTED IN INSTALLING QUBES but ONLY IF they can bring their Windows with them... With their games, their working Skypes, their screen capture devices... The world uses WINDOWS, and there are not just GAMES using GPUs inside Windows. When you say "they are happy there, leave them there" with a lack of judgment of that huge size, I think to myself that the task is not to enlighten you about ONE subject, but to fix your mind's kernel.
How to teach you that the WORLD that USES Windows is LOOKING for security? How to tell you that there are billions of people out there using Android and Windows and depending on them for a lot of things? You seem to know nothing about them.
Just to name ANDROID EMULATION... The best and safest one is in ISOs to be used inside a VM... But you will not find even 10k people in the world using it. Someone made BLUESTACKS using the computer's GPU power... They have HUNDREDS OF MILLIONS of users now.
GPU passthrough would bring a flood of users bigger than what you imagine, would release them from the hands of closed source, would bring the WORLD an incentive for open source security.
If we have to trust Intel, that doesn't mean we must trust Nvidia or throw our GPUs in the garbage, dude. GPU passthrough is the ANSWER.
You have ZERO capability of understanding social engineering. You proved that in every comment you gave until now. You can not even realize that Nvidia FORESAW and BLOCKED access when it detects it is running in a virtualized environment. Why does your "isolated inside Qubes" mind think they did that? They work in a cartel. On a single battle front. You don't even understand why Linus gave a finger to Nvidia in public. Why the fight, and what the game is.
If you can't understand, not even with a bomb in your ears, that the GPU is nowadays the ONLY bottleneck that stops the flood of people coming into the Linux world, and that Qubes would be the answer...
I will tell you something. If people saw an easy to install system, self-proclaimed with the best disk encryption in the world, and with the ease of use of a VirtualBox, and they could pass USB devices and the GPU to there, you couldn't imagine how many would flood in and how much larger the Qubes project would become.
Go check ORACLE VirtualBox or even VMware statistics... People use virtualization for security uses, but there will be 1 installing them on Linux for 10k installing in Windows. IF YOU WERE inside Oracle, for example, you would say "nah, don't make a Windows version, they don't care about security" or something, and would make them bankrupt. rofl.
But you made me think... Is that all just ignorance or are you in someone's pocket? Because this is a game of BILLIONS and NSA money flows anywhere you see a security software that would be "the solution". Or do you just think that 1 person inside Xen is served better than 1k persons inside KVM? (IF KVM were the answer, which I think it is not)
https://en.wikipedia.org/wiki/Usage_share_of_operating_systems
Here. Keep fighting among all distros for the 1.46% of Linux users.
Not to forget that ANDROID virtualization is still a need. And it NEEDS passthrough. It is not hard...
http://superuser.com/questions/895096/is-host-gpu-on-on-android-emulator-same-as-gpu-passthrough
Wow... OUCH... 130 million users??? They did manage to pass the GPU INSIDE WINDOWS...
http://www.bluestacks.com/pt-br/index.html?__dlrd=1
Plus... BlueStacks is being PASSED BY other Android virtualization solutions... hummm... You know WHY?
I'm going to tell you: GAMES. GAMES made people go to BlueStacks first and then to other solutions. See if people that WORK with Android virtualization will use the SAFEST solution, inside something like VirtualBox, for their work, or if they will use a WINDOWS BLUESTACKS version that screws up the whole system and makes the computer slow and filled with bloatware. Hmmm yes, that is right. They choose the SCREW YOUR WINDOWS version. Because it has GPU acceleration. OK.
In your mind, the 300 million people in the world using Android virtualization should BE HAPPY there on their smartphones.
Plus, I've had it. There is no point in enlightening you.
It is clear that you are against GPU passthrough. Not only do you not see the clear advantages, but you DO NOT SEE the security disadvantages of not providing GPU passthrough. And EVEN IF you WERE right, which you are NOT, you will never provide total security since Intel has their microcode backdoors, since Google and ISPs track your different profiles using the SAME IP, since the NSA funds 70% of Tor's budget, etc.
Maybe someone with vision appears and forks Qubes to KVM and makes it spread to the world. Maybe Xen manages to do it. Those are maybes, but it is clear that it won't happen so soon. I also like to use Skype, watch screens in conferences, and Linux Skype sucks and is full of limitations; plus I like my games once in a while, so I'm going to try KVM.
Ah, and don't forget to check these hundreds of Windows applications too. They all use the GPU. Tell their millions of users to stay happy inside Windows and to forget security or isolation. Nvidia needs to track what they do inside their computers too; imagine all those poor people using isolation, it would be really bad for their security inside a dom0.
https://www.nvidia.com/content/gpu-applications/PDF/gpu-applications-catalog.pdf
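The three-password scheme from the luksAddNuke request quoted in the post above (password 1 decrypts, password 2 nukes a list of VMs, password 3 nukes the whole disk), as an added toy model that is not Kali's patch and not Qubes code. Each "volume" (a dom0 root or per-VM disk) has a random data key that exists only in wrapped form inside key slots, so deleting the wrapped copies destroys the volume; the PBKDF2, XOR wrapping and slot layout are simplifications for illustration, not a real LUKS header.

```python
"""Toy key-slot header with "unlock", "nuke_list" and "nuke_all" slots."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KDF_ITERS = 100_000   # the speed/security knob the post wants exposed to users
KEY_LEN = 32


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key (PBKDF2-HMAC-SHA256, as LUKS1 does)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS, KEY_LEN)


def wrap(kek: bytes, name: str, key: bytes) -> bytes:
    """XOR a 32-byte volume key with a per-volume pad derived from the KEK.
    Applying it twice unwraps.  Toy wrapping only; real LUKS uses a cipher
    plus anti-forensic splitting."""
    pad = hmac.new(kek, name.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pad, key))


@dataclass
class Slot:
    salt: bytes
    check: bytes                 # HMAC(kek, "check"): recognises the passphrase
    role: str                    # "unlock", "nuke_list" or "nuke_all"
    targets: tuple = ()          # volumes a "nuke_list" slot destroys
    wrapped: dict = field(default_factory=dict)   # volume name -> wrapped key


@dataclass
class Header:
    slots: list


def _new_slot(passphrase, role, targets=(), volume_keys=None) -> Slot:
    salt = secrets.token_bytes(16)
    kek = derive_kek(passphrase, salt)
    check = hmac.new(kek, b"check", hashlib.sha256).digest()
    wrapped = {n: wrap(kek, n, k) for n, k in (volume_keys or {}).items()}
    return Slot(salt, check, role, tuple(targets), wrapped)


def format_header(volumes, unlock_pw, nuke_list_pw, nuke_targets, nuke_all_pw) -> Header:
    """password 1 decrypts, password 2 nukes the listed VMs, password 3 nukes all."""
    volume_keys = {name: secrets.token_bytes(KEY_LEN) for name in volumes}
    return Header([
        _new_slot(unlock_pw, "unlock", volume_keys=volume_keys),
        _new_slot(nuke_list_pw, "nuke_list", targets=nuke_targets),
        _new_slot(nuke_all_pw, "nuke_all"),
    ])


def open_header(header: Header, passphrase: str):
    """Try every slot.  Returns {volume: key} on unlock, {} after a nuke has
    been carried out, None when no slot recognises the passphrase."""
    for slot in list(header.slots):
        kek = derive_kek(passphrase, slot.salt)
        probe = hmac.new(kek, b"check", hashlib.sha256).digest()
        if not hmac.compare_digest(probe, slot.check):
            continue
        if slot.role == "unlock":
            # only volumes whose wrapped key still exists can be recovered
            return {n: wrap(kek, n, w) for n, w in slot.wrapped.items()}
        if slot.role == "nuke_list":
            # drop the targets' wrapped keys from EVERY slot, so no passphrase
            # can bring those volumes back afterwards
            for s in header.slots:
                for name in slot.targets:
                    s.wrapped.pop(name, None)
            return {}
        if slot.role == "nuke_all":
            header.slots.clear()   # Kali-style: wipe all key slots at once
            return {}
    return None
```

After a "nuke_list" passphrase the unlock passphrase still works but only returns the surviving volumes; after "nuke_all" no passphrase is recognised at all.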
Duncan, nouveau is kinda bugged; new distros are starting to have these issues in their forums or add an NVIDIA or AMD option in their GRUB menu (nomodeset option). For example, check the small distro FATDOG 64 (Puppy Linux) GRUB menu, for the problematic new cards that don't work with those old drivers anymore.
Nvidia has a new "CAPTURE SCREEN AND STREAM" dedicated function to help people stream their games without a drop in FPS. I was VERY suspicious when I saw that function. Plus, they install Nvidia network.
In the end, they started to FORCE people to use GEFORCE EXPERIENCE to deliver driver updates. Check in these comments how people reacted:
https://forums.geforce.com/default/topic/885587/forcing-us-to-use-geforce-experience-/
It is amazing how many enemies Nvidia is making with this "you do what I want, I don't care if you like it" posture. That's why I do not trust Nvidia at all.
Plus, I leave my Windows Comodo firewall in paranoid config, and Nvidia tries to communicate with several processes to several IPs spread around the world all the time.
That's the main reason I would NEVER let Nvidia inside a Linux host. Especially with their proprietary drivers and their "telemetry" terms of use that allow them to spy on you; that's important to remember too.
The only "most secure" approach is to run the host inside INTEL (we have to trust their Intel hardware, like it or not, since they can install ring-0 backdoors with deniability) to ISOLATE Nvidia and let it see ONLY the one virtual machine we choose to use with passthrough, but NEVER use the newer cards in the main system.
So, I would like to use a good GPU in my good desktop. But I would not like to dedicate it to being spied on. And I do not recommend anyone to use Nvidia inside Qubes, not even with nouveau. UNLESS with passthrough on a SEPARATE monitor.
Achim. Don't forget YOU are the homosexual, NOT ME. That's a mental disease, doesn't matter if for political reasons was removed or not from disease list.
By the way, you are not THAT secure, are you? Too bad for you there are no pills to heal your condition. That kinda porn can get you in jail, you know?
lol "pills"; right. Listen, communist: Do NOT forget that it is YOU that got medicated because of depression. If you have nothing to say about the matter, BE QUIET. Or get back to your pills. I never needed them.
And NO, i am not "trolling", this "security expert" noob got hacked by a friend of mine, and was discovered he is gay and communist. Back to YOUR pills, depressed noob. They record everyone that takes those pills, do you know that? pffffff
Thanks Marek, Andrew Wong, Chris Laprise, Niels, and Duncan, for your useful and smart comments.
Achim, if you have nothing to say about nvidia in dom-0 and it's telemetry, just remain quiet. I do not like gay people anyway.
For Qubes: it is a great and secure alternative for computers without an Nvidia GPU. Maybe the BEST. But I concluded that WITH Nvidia, KVM passthrough is more secure than Xen.
Compared with the Nvidia spy telemetry and the need to use proprietary drivers, the bigger KVM code poses a smaller threat.
We are FORCED to use USA hardware anyway. When the USA forced companies to start using CLOSED source in hardware (yes, that was forced), IBM was against it and they made a deal to boost it for the agreement. They changed the RIGHT and for the first time you buy a closed box without the right of being proprietor of all that is inside.
Since then, things went worse, until the LAVABIT incident, where I saw and checked USA laws and saw that they are doing this with hardware companies too. And they must agree by the power of USA law. So, you will not escape USA spying if you use USA hardware. But Nvidia went too far.
I will still use a computer with Nvidia, but isolate it. Can't do it in Qubes. Moving to KVM. Thanks to all.
I find the opposite. Nvidia drivers on the latest DEs have all sorts of screen tearing issues and fullscreen flickers due to compositing effects. The nouveau drivers have no issues though.
I should have said regarding my card, a 650 Ti, which just might be too old now. But I've always liked Linux distros because they didn't force me to upgrade my hardware all the time; maybe things are changing...
I've converted family members from Windows to Qubes, it's not hard. They don't play games. Just had to teach them how to update, compartmentalize certain tasks to specific VMs, how to attach a USB block device. You don't even need the command line to do anything in Qubes.
You are right, it happened to me once when I didn't realize I had an onboard GPU on my system which I could have used, until it was too late.
Well I dunno man, I would only need GPU passthrough for gaming. Maybe that's my personal reasons, but I'm sure that is the reason for most people. Do I really live in a bubble? I'm not so sure. I guess the only other reason would be, now that you mentioned it, the 3D printing and VR. Although I don't think many people are doing that even though it's always interesting news. And IMO, although I'm no expert, exposing hardware more to do that, even if isolated in some way, feels like more of a security risk to me.
I remember reading the forum arguments the PaX Team had with Joanna online, and one was: so what if the VM is isolated. The one actual fact, besides spender's usual temper tantrum ranting, for claiming it was a false sense of security, was when he talked about exploiting the GPU for persistent compromise. That was the only PoC example he had. And that's not even considering the GPU passthrough and 3D rendering you are calling for.
And I know I'm very paranoid, but sometimes I think people ask questions on the forums on how to do things that Qubes was not designed to do, or want certain features added, to make it easier for them to hack Qubes users. LMAO. I know I will get flamed for saying that, but it's how I feel sometimes. Maybe because I'm a noob, but I feel like the more abilities and features we give Qubes, the more attack surface we give it, which defeats the purpose of even using it. If people can't give up gaming to use Qubes, then they don't care about serious security on the machine anyway, IMO. But like I said, I don't know the technicals really of how isolation works in Qubes and I'm talking out of my ass, so maybe I'm wrong.
This conversation also reminds me of one of the devs that left the Qubes-Whonix team. Because he said the project "is becoming less about privacy and security, and more just about cool tech". I think this thread is an example of that.