Xen-Based Secure OS Qubes Hits 1.0
Orome1 writes "Joanna Rutkowska, CEO of Invisible Things Lab, today released version 1.0 of Qubes, a stable and reasonably secure desktop OS. It is the most secure option among the existing desktop operating systems — even more secure than Apple's iOS, which puts each application into its own sandbox and does not count on the user to make security decisions. Qubes will offer users the option of using disposable virtual machines for executing tasks they believe could harm their computer. These VMs will be lightweight, easily and extremely speedily created and booted, and would be just as easy to discard."
First covered back in 2010. See some screenshots of the X11 part in action (and they say displaying clients from multiple "hosts" isn't useful...)
And I feel so safe downloading it.. (Score:3)
Because the first thing I see is:
Note: Be sure that you use a modern, non-handicapped browser to access the links below (e.g. disable the NoScript and the likes extensions that try to turn your Web Browser essentially into the 90's Mosaic).
Oh goodie...
Think I'll go with this one ;) : ... or you might try to download the ISO via bit torrent:
Re:And I feel so safe downloading it.. (Score:5, Funny)
Because the first thing I see is:
Note: Be sure that you use a modern, non-handicapped browser to access the links below (e.g. disable the NoScript and the likes extensions that try to turn your Web Browser essentially into the 90's Mosaic).
Real men use wget. Or telnet.
Re: (Score:2)
Because the first thing I see is:
Note: Be sure that you use a modern, non-handicapped browser to access the links below (e.g. disable the NoScript and the likes extensions that try to turn your Web Browser essentially into the 90's Mosaic).
Real men use wget. Or telnet.
Definitely telnet. It's the most secure.
Re: (Score:2)
Definitely telnet. It's the most secure.
Putty Putty Putty
Green Green Putty
I found in my armpitty
One midsummers morning
Re: (Score:2)
Real men use wget. Or telnet [google.com].
TFTFY
Re: (Score:2)
Real men use curl. Or ssh.
updated that for you
Re:And I feel so safe downloading it.. (Score:4, Informative)
I haven't visited the Qubes web site, but the fact that NoScript breaks it is not a big issue, NoScript breaks half the sites on the web. NoScript assumes that all scripting is evil and that you should never allow it unless you absolutely have to — after multiple warnings from NoScript as to how dangerous it is.
If you think this is a sane approach to security, you should consider abandoning graphical browsers altogether. I think Lynx is still being maintained.
Re: (Score:3)
NoScript breaks half the sites on the web.
No, it doesn't. But thanks for playing.
Re:And I feel so safe downloading it.. (Score:5, Insightful)
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
Thankfully, most of the web that does not, isn't useful. Seriously, after adding necessary exceptions for a few days, the overwhelming majority of the web that I care about works just fine with NoScript installed. Most of what doesn't work is stupid, and the vanishingly small remainder is easy enough to whitelist with a click or two. Anything that requires clicking through whitelisting 37 domains to make it work properly, usually just turns out to be an adcrap laden
Re: (Score:3)
Isn't that like saying: "Your application shouldn't break because a windowing system isn't available, but instead fall back to curses"?
Sometimes, IMHO, it's just not worth it to have a non-js enabled fallback.
Re: (Score:2)
Re: (Score:2)
NoScript assumes that all scripting is evil and that you should never allow it unless you absolutely have to — after multiple warnings from NoScript as to how dangerous it is.
Given the number of security holes in JavaScript implementations and the lack of adequate sandboxing in modern browsers, that's not too much of a stretch. Even if you trust the site, do you trust the guy who paid $10 to put an advert on it?
Re: (Score:2)
Really, how many Javascript security holes have there been in the last 10 years?
In 99 of the 100 cases it was the Java or Acrobat Reader plugin which was the real problem. They just use Javascript to deliver it, but didn't have to.
Re: (Score:2)
Re: (Score:2)
Yes, I know that. I'm just saying it is a much smaller problem than the plugins.
Especially with rapid release like Chrome and Firefox use to keep your browser up to date.
Re: (Score:2)
NoScript assumes that all scripting is evil and that you should never allow it unless you absolutely have to
Is that not actually the case? The fact that NoScript breaks half the sites on the web is a problem with the web, not a problem with NoScript.
Re: (Score:3)
I have no idea why it says that, the links appear to work fine with noscript in full force.
Re: (Score:2)
You are probably safer just disabling plugins like Java, Acrobat Reader and maybe Flash (or at least use the latest version).
The Javascript is almost never the vulnerable part, it is just used by many to bootstrap it. But they don't have to do that.
X startup failed, aborting installation (Score:3)
Apparently Qubes can't be installed in VMware Fusion. This occurs with both the default boot mode and the "failsafe" VESA mode. I suppose that does indeed make it the most secure operating system possible.
Re: (Score:2)
Re: (Score:2)
Possibly. In this case, however, it failed due to not having video drivers. It appears to require an Intel GPU. (or nVidia with some trickery)
Re: (Score:2)
Thanks. That's good to know. But it surely eliminates the majority of people who may wish to try it out.
Re: (Score:2)
--The site/article also mentions that it can be installed to a USB drive... ;-)
Re: (Score:3, Informative)
It is possible in some cases to run a VM in a VM [wordpress.com]. It's been done for decades on mainframes. It just happens that this particular VM won't run in a VM, but it's not an unreasonable thing to try.
Re: (Score:2)
Not quite true about iOS... (Score:3)
Would just like to point out iOS does in fact give user control over Privacy:
https://p.twimg.com/Avd_bj2CEAAokCD.jpg [twimg.com]
The same pop-up occurs when an application wants to access your photos, location, etc.
And you can also set up Privacy controls for apps in Settings:
http://i.imgur.com/LvImi.jpg [imgur.com]
Re: (Score:3)
Is there a way to use iOS without iTunes, because iTunes does, by default, require personal information. Is there a way to set up iTunes and purchase apps for iOS without giving up any personal information?
If not, then aren't those "privacy" settings in iOS a little like closing the barn door after your mule has been kidnapped and gang-raped by a biker gang and sold into white slavery?
Re: (Score:2)
Re: (Score:3)
Older iOS devices. The iPhone 4S, and the new iPad don't require a connection to iTunes at all for activation. You can take it right out of the box and turn it on and be on your merry way.
Re: (Score:2)
Unless you want to run an app on it.
Re: (Score:3)
Then, as I said, you make an account as John Smith and make up an address and use gift cards or throw away credit cards. I mean, you can't blame Apple that purchasing things requires money. That's hardly an issue with iOS.
Re: (Score:2)
Not just money, but traceable, personally identifiable money.
If Apple cared about anyone's privacy, they would accept PayPal payments.
Re: (Score:2)
How do you intend to purchase apps without giving Apple your address and a method of payment? You could just use free apps, or use Apple gift cards for making purchases, and provide a fake name and address.
At least as of the iPhone 4S, and 3rd Gen iPad you aren't required to plug into a computer or use iTunes to activate. All setup is now done on device.
Re: (Score:2)
How do you intend to purchase apps without giving Apple your address and a method of payment? You could just use free apps, or use Apple gift cards for making purchases, and provide a fake name and address.
At least as of the iPhone 4S, and 3rd Gen iPad you aren't required to plug into a computer or use iTunes to activate. All setup is now done on device.
That's true of any device running iOS 5 or later.
Re: (Score:2)
It's also true that if you happen to want to actually use your iOS device by running an app on it, you've got to give up that personal information.
Re: (Score:2)
Or you can lie.
Just like the personal security questions, I lie to them too.
Many services I use think I live at 1 Infinite Loop, including Apple 8)
Re: (Score:2)
That's my point. There are methods of paying without giving personal information. Paypal comes to mind. Apple won't allow those.
That's why any "privacy" setting in iOS is just marketing BS.
Re: (Score:2)
Who should be interested in who I am? Apple or the credit card processor?
I should only enter the CREDIT CARD personal details on the page of the credit card processor, and leave no trace on the pc itself, no reason for it.
Re: (Score:3, Interesting)
Is there a way to use iOS without iTunes, because iTunes does, by default, require personal information. Is there a way to set up iTunes and purchase apps for iOS without giving up any personal information?
Unless you are on an enterprise account there is no tracking between accounts and what you buy. The only company with that information is Apple and Apple doesn't sell data. It's sort of like worrying about privacy from the bank that's running your credit cards.
Re: (Score:2)
And when Apple is regulated the way banks are supposed to be regulated, I'll be OK with that.
Re: (Score:2)
I think Paypal and iTunes are broad enough that they should fall under banking laws. The FDIC so far is of the opinion that if you don't hold customer money you don't need to be chartered like a bank.
Re: (Score:2)
Paypal certainly "holds customer money".
My account balance, as of 5:10pm CST, was about the same size as my personal checking account.
My small business' PayPal accounts often hold as much or more than the business checking.
Re: (Score:3)
Would just like to point out iOS does in fact give user control over Privacy
Apple uses a different definition of privacy than other people do; they define it as "giving information to anyone other than us." So your data is private, as long as you don't mind Apple having all of it.
Re: (Score:2)
Apple's own apps have the same pop ups, and though you are asked for your name and address to create an AppStore account, nothing stops you from providing a fake name and address, or using Apple Gift Cards or throw away credit cards for purchases.
Re: (Score:2)
Funny, I have an Apple ID without a credit card attached.
What a specimen (Score:4, Funny)
Re:What a specimen (Score:4, Insightful)
And people wonder why women avoid IT..
Re: (Score:3, Insightful)
Re: (Score:2)
Don't feed the butthurt feminist trolls...
Re: (Score:2)
Don't be a mysoginist douche.
Re: (Score:2)
Ah, "misogynist," (note spelling) another word that has lost pretty much all meaning save to serve as a shibboleth within the ranks of the True Believers, thanks to overuse. How lovely.
Protip, white knight: There's a difference between hating women and not buying into feminist bullshit.
Re: (Score:2)
There's a difference between "not buying into feminist bullshit" and being a misogynist douche.
Protip: excessive use of "protip" also makes you sound like a regular douche.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
The article is about lightweight virtualisation containers (interesting).
Some prat thought this would be a good time to start making off-topic and irrelevant comments about the appearance of one of the people involved. Notice how this only ever seems to happen with women. No one ever points out if a guy involved is ugly or not or bald or whatever (most guys can spot an ugly bald guy, so why no comments? Why no comments if the guy is good looking too?).
Basically what happens is that for a small but annoyingly v
Re: (Score:2)
At first I was thinking you might be gay, but then I realized that isn't possible because you're a straight moron.
Not sure how you deduced either of those, but whatever.
On websites most frequented by women you will sometimes see a comment that I am hot.
Well, I hope you won't be offended that I do not take you at your word on that one.
I don't take offense anymore than a psychologically healthy woman would take offense.
And what websites are these?
Actually who cares?
The fact of the matter is that every t
Re: (Score:2)
I like the sound and solid rebuttal of my claim that technical threads degenerating into "hot or not" for female technical people is somehow bad. Your rhetoric is really improving.
Learn to follow directions next time.
What on earth makes you think that I would pay even the slightest attention to your directions? You're clearly not a very logical person, so it stands to reason that your directions would not be very sound either.
Re: (Score:2, Insightful)
I don't see anything in the comment you replied to that indicates poster meant she was attractive or was in any way objectifying or sexist.
In fact quite the opposite when you read who his other two top females are, his mom and the Queen, women he presumably respects for reasons other than sexist reasons.
It read to me like he checked out her significant credentials in her chosen field and was very appropriately impressed.
Re: (Score:2)
I don't share your particular preferences for (pheno-|geno-|whatever-) type. Competitors - 1. Lucky you!
Re: (Score:2)
Re: (Score:2)
Why do you care?
Security Concerns (Score:2)
"even more secure than Apple's iOS"
Wow ... that's the benchmark, is it?
Re:secure you say? (Score:5, Funny)
"It is the most secure option among the existing desktop operating systems"
what about OpenBSD?
Yes? What about it?
You know, the headline for all the sec related news should read: "New Secure OS (Not being OpenBSD) Released!" or "The Sky is Falling, We'll all be cyber-robbed real soon now (unless you are using OpenBSD)" or "New virus, be very afraid! (OpenBSD users, well.. you're fine)".. ;)
You know it just does not make good press
HTH, HAND.
-RG.
Re: (Score:2)
what about OpenBSD?
Or Solaris?
Re:secure you say? (Score:5, Informative)
Actually, it looks somewhat similar to the secure version of Solaris, running different processes in different VMs. I wonder if I have a crappy old machine lying around somewhere that I could test it on.
Re: (Score:2, Interesting)
"I wonder if I have a crappy old machine lying around somewhere that I could test it on."
No. You almost surely don't.
I've been fooling around with Qubes for six months now, looking for a good solution to the Bitcoin offline wallet issue. Qubes is perfect - you don't need to be offline, and yet you can manipulate your 'offline' wallet using Armory in a ("Black") Qubes VM with zero network contact; but you can use (secure copy/paste) file transfer to the online component of your wallet in a different VM wit
Re: (Score:2)
Just run it in a VM.
You seem to have missed the comments further down about it not running in a VM.
Re:secure you say? (Score:4, Informative)
Re: (Score:3)
I'm not sure, but it seems to have a Fedora base. Talks about KDE a lot. See also: http://wiki.qubes-os.org/trac/wiki/InstallNvidiaDriver [qubes-os.org]
Re: (Score:3)
Actually, it seems to be something like a modified version of Fedora running inside their own hypervisor, with Fedora modified to run some processes inside sandboxes provided by the hypervisor. I think that's what it is, but I'm not completely sure.
I Use Words Good (Score:5, Informative)
A JVM is called a virtual machine, but it isn't a virtual machine in the same sense as the one provided by Xen. The JVM is a simple bytecode interpreter/compiler. It sort of emulates a machine, but not a complete machine. It runs in user space on top of the native OS and cannot run an OS of its own.
Xen is a hypervisor [wikipedia.org] whose virtual machines emulate a complete system. It doesn't just run the application program, it runs the whole bloody OS. The virtual machine has virtual disks, virtual memory, a virtual processor, even a virtual reset button. Support for this virtualization is built into modern processors, so it occurs at a very low level.
I imagine a sufficiently clever hacker could think of a way to bypass the guest OS and the hypervisor and do wacky things, but it's one hell of a lot harder than breaking out of a JVM sandbox.
Re:I Use Words Good (Score:4, Interesting)
I imagine a sufficiently clever hacker could think of a way to bypass the guest OS and the hypervisor and do wacky things
Someone who could figure out how to do that would rent a private virtual server from Rackspace and go to town. I imagine there would be far more lucrative targets than a desktop.
Re: (Score:3)
Not at all. You could put a Xen-breaking package in a trojan or virus and create virtual zombies for your botnet. But your malicious Rackspace VM would be limited to penetrating VMs that happened to live on the same physical server.
But.... I used to be the documentation lead for the Sun Fire X4600, a server that could have 8 quad-core processors and half a terabyte of RAM. You could run hundreds of VMs on the thing. Discontinued, alas.
Re: (Score:3, Insightful)
What I'm saying is that if you've cracked through to the hypervisor, they have some serious problems. If you manage to get root access to the box, all bets are off, especially if they have some kind of clustering-- you could potentially provision scads more VMs, and they would be loadbalanced.
Re: (Score:3)
Your VM could be clustered, and could get migrated to another server, giving you another target to attack.
Having root on one cluster node might give you the ability to access other nodes, depending on configuration... At the very least you could probably force a vm to be migrated, and then use that to root the other node.
You would have access to all the other vm images running on the same host, some of which may have access or common passwords to other images running on other physical hardware...
Re: (Score:2)
Want. I could only afford a lowly X2100, which is still running 10 or so VMs quite comfortably even now, almost four years later.
Re: (Score:2)
I imagine there would be far more lucrative targets than a desktop.
while the bad guys like hacked servers due to the bandwidth they bring, they also are a single point of failure - and an admin is more likely to be taking note of what that box is doing (or the hosting facility network guy is).
so a single server is like getting a general, but... once you've broken 1 copy of Windows, you have an army of foot troops ready and waiting to follow your commands.
Re:I Use Words Good (Score:5, Informative)
I imagine a sufficiently clever hacker could think of a way to bypass the guest OS and the hypervisor and do wacky things,
Can and has. The sufficiently clever hacker that has been behind most incidences of piercing the guest-hypervisor veil is one Joanna Rutkowska, CEO of Invisible Things Lab.
Interesting how that works, don't you think?
Re: (Score:2)
Good thing she uses her powers for good!
Re: (Score:2)
You didn't know what I was referring to, so you went and found something, assumed that's what I was referring to, and then criticized me for that thing not being relevant? I hope you see the error in logic here.
Re: (Score:2)
I imagine a sufficiently clever hacker could think of a way to bypass the guest OS and the hypervisor and do wacky things, but it's one hell of a lot harder than breaking out of a JVM sandbox.
No, it's not:
Script Error Opens up Security Hole in Xen 3.0.3 [linux-magazine.com]
It's an easy trap to fall for, I grant you that. I was on the same line of thinking until my server got hacked with exactly the above mentioned bug.
Re:I Use Words Good (Score:4, Informative)
That bug was found by Rafal Wojtczuk who is also an author of Qubes: https://groups.google.com/forum/?fromgroups#!topic/qubes-devel/JIpZoQUP6dQ [google.com]
Re: (Score:3)
Learn basic coding, dude:
If (insideVM()) {
If(vmHost==exploitableVersion) {
doBreakOutRoutine( );
}
}
Re: (Score:2)
It's just made-up crap code written so that the point is clear. Adding as many lines as possible was the point.
The point is that breaking out of VMs is done often enough that it's trivial once an exploit is identified.
Yes, no doubt simplified code compiles smaller and runs faster. Get the point, and stay out of details. Look around you. It's a DISCUSSION FORUM.
Re: (Score:2)
Crap code offends me. Sorry, it's a personality flaw.
Re: (Score:2)
It's funny because your response was also crappy.
Re: (Score:2)
Oh yeah? Well, your mother wears Army boots!
Re: (Score:3)
You should have stuck with the main page. From the linked page: "And what good is saying that our microkernel is formally verified, if we continue to use a bloated and buggy X server as our GUI subsystem?" It is an OS with its own microkernel. So you can reasonably expect to have difficulty determining which distribution it is based on, since it is not based on a distribution.
Re: (Score:2)
I'm not sure you're correct on that. I've read comments elsewhere suggesting it's a modified Fedora. Further, the statement you listed does not say anything about Qubes itself. It says there are microkernels that are verified as "secure", but that X itself is not.
Funny that my honest question gets modded down. This is not an obvious question that's readily apparent from the blog post nor project website.
Re:lacking documentation or lack of focus (Score:4, Informative)
Re: (Score:2)
Thank you! That's what I was trying to figure/find out!!
(I'm sure it's readily apparent somewhere in the documentation, I just had a difficult time finding it yesterday.)
Re: (Score:2)
Riiiight. Because requiring every single programmer in the world to design perfect software with no errors is sooooo much easier than adding extra security to the OS.
People make mistakes, it's why the term human error exists. In the real world people accept this and work with it. It isn't something you can eliminate.
Re: (Score:2)
So maybe we should surround all roads with foam as well, instead of expecting people to drive cars properly. Humans will make mistakes, and it isn't something you can eliminate.
Re: (Score:2)
I hate to tell you this, but the BSD community has found a better alternative to certification, and it's been around for about 30 years: let others review the code (regardless of if it is or isn't free-software).
Re: (Score:3)
here's their faq, it does seem sensible. however lack of opengl apps makes it a bit unfeasible for daily driver.
Isn’t Qubes just another Linux distribution after all?
Well, if you really want to call it a distribution, then w
Re: (Score:2)
I know applications I use have access to my network, just in the same way that physical products have access to the environment around me. It's still my responsibility to use the right tools in the right way.
Re:New OS or glorified shell script ? (Score:5, Insightful)
The way Qubes shares composition buffers of X applications over xen shared memory is much nicer than VNC. It is rootless unlike VNC and there is no extra copying of data over a socket so you get nice performance. They also do sound so you can actually watch youtube in a web browser that runs in a disposable VM.
Re: (Score:2)
Do these really work for desktop use? The links that you provided don't seem to mention graphics, sound or clipboard handling. Perhaps you have some more information that I didn't find when I quickly browsed those?