? Editing: Post:21.body Save Delete Cancel
Initial sync in progress...

Newest topics

Follow in NewsfeedFollowing
+ Start new topic
Loading...
stickied

Title

Body
^1 ^2 added ━ started by user_name
More topics

 

Follow in NewsfeedFollowing

ZombieLoad - microarchitectural data sampling (MDS) vulnerability of Intel chips

Yet another great failure of modern computer architecture :(

https://zombieloadattack.com/

^7 ^8 diff posted on May 15, 2019
Please sign innew comment
Sign in as...
Submit comment
You are running out of your allowed space, please contact the site's admin at unknown to raise your limit.
user_nameadded ^1 ^2
Reply
Body
insurgoon May 16, 2019 ^2 ^3
Reply

Small blog post on why x86 is rotten and why QubesOS running on top of it is the transition to newer, open architectures.

insurgoon May 16, 2019 ^1 ^2
Reply

duck0: This is a fully functional Linux distribution? Does it utilize systemd or what is the general working environment? [...]

kropptyler: It looks like it's not based on another OS or something. From the website it says:"Can't decide which Linux distribution you prefer? Still need that one Windows program for work? With Qubes, you're not limited to just one OS. Learn more" [...]

Read a bit, seems like I picked your curiosity, which is all that is required to learn :)

I won't answer what is already covered here

See architecture

It's a Xen based hypervisor, for which AdminVM(dom0: management, graphics) is based on Fedora.
The default VMs are Fedora based, but Qubes delivers 4 templates by default: Fedora, Debian, Whonix-WS, Whonix-GW.
Here are the other templates, on which other software distributions can be installed

What is interesting in the QubesOS architecture is that you can switch templates for a specific qube (VM) at any time prior to starting it, excluding Windows that cannot mount ext4 partitions by default. This means that you can switch between Debian/Fedora/Arch/Whonix/Ubuntu/Kali/BlackArch templates underlying your data anytime you want. You data cannot infect the templateVM, which are instantiated in read only. You can ephemerally install a software in a qubes (as opposed to in the TemplateVM) for testing, and it will vanish on reboot.

Qubes internet traffic goes through tor by default, but you can define any VPN ProxyVM you want, and define, for each qube, how it reaches the outside world. In practice, it means that you can create a captive-portal that exits to the firewall into your local network. While having your disposable qubes leaving through tor, passing though your VPN if required per your threat model.

QubesOS is LVM based, which means that you can clone without additional disk cost a VM, revert changes if you made a mistake, etc.

But the best thing is the compartmentalization.

It's XFCE based, but you can choose your own (with window decoration patched in).

Check their main documentation section, most of your other questions, like nvidia and others.

It's a workstation based solution, that I also use on my PoC server

kropptyleron May 16, 2019 ^2 ^3
Reply

duck0: This is a fully functional Linux distribution? Does it utilize systemd or what is the general working environment? [...]

It looks like it's not based on another OS or something. From the website it says:
"Can't decide which Linux distribution you prefer? Still need that one Windows program for work? With Qubes, you're not limited to just one OS. Learn more"

Hard to tell based on their GitHub...

duck0on May 16, 2019 ^3 ^4
Reply

insurgo: You can build it yourself, if that is your question, yes.To tell you more about it, I already referenced the most comprehensible article made to date in previous comment. [...]

This is a fully functional Linux distribution? Does it utilize systemd or what is the general working environment?

I see: rpmdevtools, debootstrap, dpkg-dev, rpm-sign.

Is this Debian based? RPM (is that Fedora/Redhat? not sure which utilize that)?

How well does it work with proprietary Nvidia drivers?

What kernel is shipped?

Default WM/DE, pick your own?

Is this a base (server) distro?

insurgoon May 16, 2019 ^2 ^3
Reply

duck0: Could you tell me more about QubeOS? Is it forked? Is it RYO?

You can build it yourself, if that is your question, yes.
To tell you more about it, I already referenced the most comprehensible article made to date in previous comment.

Security goals can be found here

duck0on May 16, 2019 ^2 ^3
Reply

insurgo: QubesOS enforces the best mitigations for all those threats, mainly by deactivating preventively hyperthreat (pun intended) through "smt=off" since around September 2018 [...]

Could you tell me more about QubeOS? Is it forked? Is it RYO?

insurgoon May 15, 2019 ^2 ^3
Reply

QubesOS enforces the best mitigations for all those threats, mainly by deactivating preventively hyperthreat (pun intended) through "smt=off" since around September 2018

EDIT: They just released a security bulletin

A really good article landed yesterday that explains why you need preventive protection and switch perspective about security and taking responsibility upon your threat model and limiting risk exposition.

This page is a preview of ZeroNet. Start your own ZeroNet for complete experience. Learn More