Qubes OS Summit 2022: September 9-11 in Berlin
https://www.qubes-os.org/news/2022/07/29/qubes-os-summit-2022/
In conjunction with 3mdeb (https://3mdeb.com/), the fourth edition of our Qubes OS Summit will be held live this year from September 9 to 11 in Berlin, Germany! For more information about this event, including the CFP (which is open until August 29), please see: https://qubesos.3mdeb.com (https://qubesos.3mdeb.com/)
https://www.qubes-os.org/news/2022/07/29/qubes-os-summit-2022/
In conjunction with 3mdeb (https://3mdeb.com/), the fourth edition of our Qubes OS Summit will be held live this year from September 9 to 11 in Berlin, Germany! For more information about this event, including the CFP (which is open until August 29), please see: https://qubesos.3mdeb.com (https://qubesos.3mdeb.com/)
👍3
Qubes OS 4.0 has reached EOL
https://www.qubes-os.org/news/2022/08/04/qubes-4-0-has-reached-eol/
As previously announced (https://www.qubes-os.org/news/2022/07/04/qubes-os-4-0-eol-on-2022-08-04/), all releases in the Qubes 4.0 series (which includes the most recent 4.0.4 patch release) have officially reached EOL (end-of-life) as of today, 2022-08-04. We strongly urge all remaining Qubes 4.0 users to upgrade to Qubes 4.1 (https://www.qubes-os.org/doc/upgrade/4.1/) immediately. As always, the support statuses of all Qubes OS and template releases are available on the supported releases (https://www.qubes-os.org/doc/supported-releases/) page, and the latest release is available to download on the downloads (https://www.qubes-os.org/downloads/) page.
What should I do?
If you’re already using Qubes 4.1, then no action is required on your part. This announcement concerns only the 4.0 minor release series.
If you’re still using Qubes 4.0 (including the most recent 4.0.4 patch release), then you should upgrade to 4.1 immediately. You have two options:
Perform a clean reinstallation using the latest stable Qubes 4.1.1 ISO (https://www.qubes-os.org/downloads/#qubes-release-4-1-1), which was published on 2022-07-18 (https://www.qubes-os.org/news/2022/07/18/qubes-4-1-1/).
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/#in-place-upgrade) to 4.1.
Both of these options are covered in further detail in the Qubes 4.0 to 4.1 upgrade guide (https://www.qubes-os.org/doc/upgrade/4.1/). If you need help, please consult our help and support (https://www.qubes-os.org/support/) page.
https://www.qubes-os.org/news/2022/08/04/qubes-4-0-has-reached-eol/
As previously announced (https://www.qubes-os.org/news/2022/07/04/qubes-os-4-0-eol-on-2022-08-04/), all releases in the Qubes 4.0 series (which includes the most recent 4.0.4 patch release) have officially reached EOL (end-of-life) as of today, 2022-08-04. We strongly urge all remaining Qubes 4.0 users to upgrade to Qubes 4.1 (https://www.qubes-os.org/doc/upgrade/4.1/) immediately. As always, the support statuses of all Qubes OS and template releases are available on the supported releases (https://www.qubes-os.org/doc/supported-releases/) page, and the latest release is available to download on the downloads (https://www.qubes-os.org/downloads/) page.
What should I do?
If you’re already using Qubes 4.1, then no action is required on your part. This announcement concerns only the 4.0 minor release series.
If you’re still using Qubes 4.0 (including the most recent 4.0.4 patch release), then you should upgrade to 4.1 immediately. You have two options:
Perform a clean reinstallation using the latest stable Qubes 4.1.1 ISO (https://www.qubes-os.org/downloads/#qubes-release-4-1-1), which was published on 2022-07-18 (https://www.qubes-os.org/news/2022/07/18/qubes-4-1-1/).
Perform an in-place upgrade (https://www.qubes-os.org/doc/upgrade/4.1/#in-place-upgrade) to 4.1.
Both of these options are covered in further detail in the Qubes 4.0 to 4.1 upgrade guide (https://www.qubes-os.org/doc/upgrade/4.1/). If you need help, please consult our help and support (https://www.qubes-os.org/support/) page.
👍7❤1
QSB-084: Split GPG: GnuPG file denoscriptor confusion and file existence leak
https://www.qubes-os.org/news/2022/08/06/qsb-084/
We have just published Qubes Security Bulletin (QSB) 084: Split GPG: GnuPG file denoscriptor confusion and file existence leak (https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-084-2022.txt). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack) (https://www.qubes-os.org/security/pack/). More information about QSBs, including a complete historical list, is available here (https://www.qubes-os.org/security/qsb/).
---===[ Qubes Security Bulletin 084 ]===---
2022-08-06
Split GPG: GnuPG file denoscriptor confusion and file existence leak
User action required
---------------------
Users must install the following specific packages in order to address the
issues discussed in this bulletin:
For Qubes 4.1, in templates and standalones:
- qubes-gpg-split 2.0.63
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Summary
--------
Split GPG [3] is designed to isolate private keys from the application
using them in order to protect them from being extracted and to allow
the user to retain control over when they are used. This isolation is
implemented by forwarding calls from an application in a frontend qube,
where `qubes-gpg-client` is executed, to an instance of `gpg` in a
backend qube that holds the private keys, all while allowing only
specific `gpg` options. This option filtering mechanism is designed to
reject options like `--export-secret-keys` that might leak private keys
to the frontend qube. However, it has been discovered that certain
combinations of options allow the frontend qube to access data in the
backend qube in unintended ways.
Two separate types of attack were discovered:
1. Interaction via `--command-fd` allows the frontend qube to check for
the existence of arbitrary files in the backend qube, including files
unrelated to GnuPG.
2. Using the same `--*-fd` option several times allows the frontend qube
to redirect GnuPG input and output to the wrong file denoscriptor. This
can be used to:
- Corrupt files used by GnuPG. (We have confirmed this only in the
case of `trustdb`, but other files cannot be ruled out.)
- Issue arbitrary commands to `gpg-agent`, which can be used to
perform actions like generating new secret keys and deleting
existing keys.
- Set various environment variables for the `pinentry` process,
thereby providing an indirect avenue of attack against this
process.
However, our testing did not reveal any way to exploit this
vulnerability in order to read `gpg-agent`'s responses, which means
that certain actions, such as extracting secret keys, should not be
possible.
Impact
-------
An attacker controlling a Split GPG frontend qube can check for the
existence of arbitrary files in a backend qube, corrupt the `trustdb`
file in a backend qube, issue arbitrary commands to `gpg-agent` in a
backend qube, and issue arbitrary commands to a smart card daemon in a
backend qube. While this vulnerability can be exploited in order to
generate and delete keys in the backend qube (or on a smart card
attached to the backend qube), it is unlikely that it can be used to
exfiltrate private keys out of the backend qube (or off of a smart card
attached to the backend qube). If this vulnerability were to be chained
with a hypothetical vulnerability in `gpg-agent`, `scdaemon`, or
`pinentry` (or in one of the libraries they use), then arbitrary code
execution could be possible.
Credits
--------
This issue was discovered by Demi Marie Obenour.
References
https://www.qubes-os.org/news/2022/08/06/qsb-084/
We have just published Qubes Security Bulletin (QSB) 084: Split GPG: GnuPG file denoscriptor confusion and file existence leak (https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-084-2022.txt). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack) (https://www.qubes-os.org/security/pack/). More information about QSBs, including a complete historical list, is available here (https://www.qubes-os.org/security/qsb/).
---===[ Qubes Security Bulletin 084 ]===---
2022-08-06
Split GPG: GnuPG file denoscriptor confusion and file existence leak
User action required
---------------------
Users must install the following specific packages in order to address the
issues discussed in this bulletin:
For Qubes 4.1, in templates and standalones:
- qubes-gpg-split 2.0.63
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]
Summary
--------
Split GPG [3] is designed to isolate private keys from the application
using them in order to protect them from being extracted and to allow
the user to retain control over when they are used. This isolation is
implemented by forwarding calls from an application in a frontend qube,
where `qubes-gpg-client` is executed, to an instance of `gpg` in a
backend qube that holds the private keys, all while allowing only
specific `gpg` options. This option filtering mechanism is designed to
reject options like `--export-secret-keys` that might leak private keys
to the frontend qube. However, it has been discovered that certain
combinations of options allow the frontend qube to access data in the
backend qube in unintended ways.
Two separate types of attack were discovered:
1. Interaction via `--command-fd` allows the frontend qube to check for
the existence of arbitrary files in the backend qube, including files
unrelated to GnuPG.
2. Using the same `--*-fd` option several times allows the frontend qube
to redirect GnuPG input and output to the wrong file denoscriptor. This
can be used to:
- Corrupt files used by GnuPG. (We have confirmed this only in the
case of `trustdb`, but other files cannot be ruled out.)
- Issue arbitrary commands to `gpg-agent`, which can be used to
perform actions like generating new secret keys and deleting
existing keys.
- Set various environment variables for the `pinentry` process,
thereby providing an indirect avenue of attack against this
process.
However, our testing did not reveal any way to exploit this
vulnerability in order to read `gpg-agent`'s responses, which means
that certain actions, such as extracting secret keys, should not be
possible.
Impact
-------
An attacker controlling a Split GPG frontend qube can check for the
existence of arbitrary files in a backend qube, corrupt the `trustdb`
file in a backend qube, issue arbitrary commands to `gpg-agent` in a
backend qube, and issue arbitrary commands to a smart card daemon in a
backend qube. While this vulnerability can be exploited in order to
generate and delete keys in the backend qube (or on a smart card
attached to the backend qube), it is unlikely that it can be used to
exfiltrate private keys out of the backend qube (or off of a smart card
attached to the backend qube). If this vulnerability were to be chained
with a hypothetical vulnerability in `gpg-agent`, `scdaemon`, or
`pinentry` (or in one of the libraries they use), then arbitrary code
execution could be possible.
Credits
--------
This issue was discovered by Demi Marie Obenour.
References
❤6👍3
-----------
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://www.qubes-os.org/doc/split-gpg/
--
The Qubes Security Team
https://www.qubes-os.org/security/
[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://www.qubes-os.org/doc/split-gpg/
--
The Qubes Security Team
https://www.qubes-os.org/security/
👍1💩1💯1
Qubes OS Summit: History from organizer's perspective
https://www.qubes-os.org/news/2022/09/07/qubes-os-summit-history/
Editor’s note: This is a guest article by Michał Żygowski from
3mdeb (https://3mdeb.com/) about the history of Qubes OS Summits.
Thanks for sharing with us today, Michał!
Introduction
The next Qubes OS Summit 2022 (https://www.qubes-os.org/news/2022/07/29/qubes-os-summit-2022/)
edition is upcoming. This year it will be held in Berlin from September 9th to
11th in hybrid format, in person and live-streamed for remote access. More
details here (https://qubesos.3mdeb.com/). Don’t miss the event and more
importantly how it started. In the article the history and organizer’s
perspective of the event will be described.
How did all of this start?
In May 2019 3mdeb funded Linux training for its employees, having no idea who
the instructor will be. At some point, it occurred that the mysterious
instructor will be none other than Marek Marczykowski-Górecki, the same person
who leads the Qubes OS project. As huge fans of Qubes OS and its approach to
security, as also fans of Joanna Rutkowska security research in the area of
firmware and computer architecture, we were delighted to meet him in person in
our office in Gdańsk, Poland. The time has come when the idea of a short event
focused on firmware impact on Qubes OS security has been born. We asked Marek
if he has some spare time to discuss firmware impacts on Qubes OS security and
he liked the idea. The event has been called humorously a “minisummit”. That is
how the first Qubes OS summit started, one day, in a small conference room,
with a tiny group of people passionate about firmware and system security,
nothing outrageous (in the meaning of scale). One may still read what topics
have been discussed
here (https://blog.3mdeb.com/2019/2019-08-07-qubes-os-and-3mdeb-minisummit/).
The main focus was on Qubes OS certification and ecosystem as well as the
firmware-related security technologies support like TPM 2.0 and DRTM (Anti Evil
Maid). The event helped 3mdeb realize how to get involved in Qubes OS project
and help to improve it with our expertise.
The past of Qubes OS Summits
Everyone enjoyed that one particular day so much, that we decided to repeat the
event next year. The environment we created together, bending and crossing the
event horizon between firmware and operating system, was something wonderful,
both to hear and to speak about. The potential we saw in that kind of event, to
bring various companies together and collaborate on the project on every
possible layer, has been pushing us forward to enlarge the community and
introduce more open-source firmware to the Qubes OS world.
Another May has come, the year 2020, the pandemic dominated the world. But it
didn’t stop us from holding the event again! It even gave us a better
opportunity to attract and gather more people virtually to attend the event.
Thanks to our 3mdeb colleagues, who set up the live recording and streaming of
the whole Qubes OS 2020 Summit, it is possible to see and listen to the talks
given by Qubes OS and 3mdeb experts on
Youtube (https://www.youtube.com/playlist?list=PLuISieMwVBpIwhPXcuYKtS50CHQOvt_BO)
over and over again. From 3mdeb side we continued firmware-related topics, for
example first time Qubes OS Anti Evil Maid on AMD platform. It was quite a
challenge for us because we have organized such a virtual event for the first
time. Fortunately, everything went smoothly and finished with success after 4
sessions 2.5 hours long.
In August 2021 we held yet another Qubes OS Summit together with the Qubes OS
team, still virtually, unfortunately. However, this year brought more speakers
from other companies and projects, which we were very happy about. There were 2
sessions almost 4 hours each and one may watch the talks at
Youtube (https://www.youtube.com/playlist?list=PLuISieMwVBpIoLQzpYeZnkupURheXky6r).
https://www.qubes-os.org/news/2022/09/07/qubes-os-summit-history/
Editor’s note: This is a guest article by Michał Żygowski from
3mdeb (https://3mdeb.com/) about the history of Qubes OS Summits.
Thanks for sharing with us today, Michał!
Introduction
The next Qubes OS Summit 2022 (https://www.qubes-os.org/news/2022/07/29/qubes-os-summit-2022/)
edition is upcoming. This year it will be held in Berlin from September 9th to
11th in hybrid format, in person and live-streamed for remote access. More
details here (https://qubesos.3mdeb.com/). Don’t miss the event and more
importantly how it started. In the article the history and organizer’s
perspective of the event will be described.
How did all of this start?
In May 2019 3mdeb funded Linux training for its employees, having no idea who
the instructor will be. At some point, it occurred that the mysterious
instructor will be none other than Marek Marczykowski-Górecki, the same person
who leads the Qubes OS project. As huge fans of Qubes OS and its approach to
security, as also fans of Joanna Rutkowska security research in the area of
firmware and computer architecture, we were delighted to meet him in person in
our office in Gdańsk, Poland. The time has come when the idea of a short event
focused on firmware impact on Qubes OS security has been born. We asked Marek
if he has some spare time to discuss firmware impacts on Qubes OS security and
he liked the idea. The event has been called humorously a “minisummit”. That is
how the first Qubes OS summit started, one day, in a small conference room,
with a tiny group of people passionate about firmware and system security,
nothing outrageous (in the meaning of scale). One may still read what topics
have been discussed
here (https://blog.3mdeb.com/2019/2019-08-07-qubes-os-and-3mdeb-minisummit/).
The main focus was on Qubes OS certification and ecosystem as well as the
firmware-related security technologies support like TPM 2.0 and DRTM (Anti Evil
Maid). The event helped 3mdeb realize how to get involved in Qubes OS project
and help to improve it with our expertise.
The past of Qubes OS Summits
Everyone enjoyed that one particular day so much, that we decided to repeat the
event next year. The environment we created together, bending and crossing the
event horizon between firmware and operating system, was something wonderful,
both to hear and to speak about. The potential we saw in that kind of event, to
bring various companies together and collaborate on the project on every
possible layer, has been pushing us forward to enlarge the community and
introduce more open-source firmware to the Qubes OS world.
Another May has come, the year 2020, the pandemic dominated the world. But it
didn’t stop us from holding the event again! It even gave us a better
opportunity to attract and gather more people virtually to attend the event.
Thanks to our 3mdeb colleagues, who set up the live recording and streaming of
the whole Qubes OS 2020 Summit, it is possible to see and listen to the talks
given by Qubes OS and 3mdeb experts on
Youtube (https://www.youtube.com/playlist?list=PLuISieMwVBpIwhPXcuYKtS50CHQOvt_BO)
over and over again. From 3mdeb side we continued firmware-related topics, for
example first time Qubes OS Anti Evil Maid on AMD platform. It was quite a
challenge for us because we have organized such a virtual event for the first
time. Fortunately, everything went smoothly and finished with success after 4
sessions 2.5 hours long.
In August 2021 we held yet another Qubes OS Summit together with the Qubes OS
team, still virtually, unfortunately. However, this year brought more speakers
from other companies and projects, which we were very happy about. There were 2
sessions almost 4 hours each and one may watch the talks at
Youtube (https://www.youtube.com/playlist?list=PLuISieMwVBpIoLQzpYeZnkupURheXky6r).
This time, the 3mdeb’s stage belonged to Piotr Król (CEO of 3mdeb) who presented
his adventures using Qubes OS as an everyday device, talking about USB camera
and cryptocurrency wallets. Of course firmware-related topics could not be
missing and Piotr also showed continuation of his previous year’s efforts of
securing the VMs with SRTM and Secure Boot.
The future of Qubes OS Summits
Finally, the time has come when we may meet together in person, after three
years! The Qubes OS Summit 2022 is fast approaching, with only a few days left
before the start of the event in Berlin. As it is no longer held only virtually
(but still possible to attend remotely for those who can’t be with us in
person) the organization is more complicated, both from the logistics and
presentations side. Every year we try our best to dig into hardcore security
topics on the verge of firmware and operating systems. All this time we have
been gradually building plans and ideas, and getting closer and closer to the
goal of improving the security of Qubes OS, especially in areas we feel best
at, i.e. SRTM and DRTM (AEM). In the upcoming event, we have prepared a few
interesting projects and ideas around Anti Evil Maid support and open-source
firmware on modern hardware.
Here (https://cfp.3mdeb.com/qubes-os-summit-2022/schedule/#) you may find the
full schedule. Among others we welcome the following speakers:
Wessel Klein Snakenborg from Novacustom with a story of open-source on modern
laptops as a candidate to Qubes OS certification
Brent Cowing from Protectli talking about security of his small form factor
computers also running open-source firmware
Jan Suhr from Nitrokey talking about how enterprise requirements tied to
Windows can be met with Qubes OS
Arthur Rasmusson from Arc Compute talking about GPU virtualization and its
possible benefits to Qubes oS
Puck Meerburg from Spectrum OS telling about the power of Wayland for GUI
isolation and how it benefits systems like Qubes OS or Spectrum OS
And everyone from 3mdeb, Qubes OS team, and others
We hope that the event and community around it and the Qubes OS project will
grow in the future, bringing reasonable trustworthiness and collaboration for
everybody. Definitely, 3mdeb will try its best to co-organize the event in the
upcoming years.
Summary
By a mere coincidence, meeting Marek Marczykowski-Górecki gave birth to a
fascinating series of Qubes OS Summits and led us to this day.
Together with Invisible Things Lab we (3mdeb) are very proud to be the
co-organizers of the 4th edition of the event. Looking forward to seeing each
other again, but most important to talk and share knowledge and passion with
everyone again after a long time.
Many thanks to the Qubes OS team for holding up the tradition with us. See you
all in Berlin!
his adventures using Qubes OS as an everyday device, talking about USB camera
and cryptocurrency wallets. Of course firmware-related topics could not be
missing and Piotr also showed continuation of his previous year’s efforts of
securing the VMs with SRTM and Secure Boot.
The future of Qubes OS Summits
Finally, the time has come when we may meet together in person, after three
years! The Qubes OS Summit 2022 is fast approaching, with only a few days left
before the start of the event in Berlin. As it is no longer held only virtually
(but still possible to attend remotely for those who can’t be with us in
person) the organization is more complicated, both from the logistics and
presentations side. Every year we try our best to dig into hardcore security
topics on the verge of firmware and operating systems. All this time we have
been gradually building plans and ideas, and getting closer and closer to the
goal of improving the security of Qubes OS, especially in areas we feel best
at, i.e. SRTM and DRTM (AEM). In the upcoming event, we have prepared a few
interesting projects and ideas around Anti Evil Maid support and open-source
firmware on modern hardware.
Here (https://cfp.3mdeb.com/qubes-os-summit-2022/schedule/#) you may find the
full schedule. Among others we welcome the following speakers:
Wessel Klein Snakenborg from Novacustom with a story of open-source on modern
laptops as a candidate to Qubes OS certification
Brent Cowing from Protectli talking about security of his small form factor
computers also running open-source firmware
Jan Suhr from Nitrokey talking about how enterprise requirements tied to
Windows can be met with Qubes OS
Arthur Rasmusson from Arc Compute talking about GPU virtualization and its
possible benefits to Qubes oS
Puck Meerburg from Spectrum OS telling about the power of Wayland for GUI
isolation and how it benefits systems like Qubes OS or Spectrum OS
And everyone from 3mdeb, Qubes OS team, and others
We hope that the event and community around it and the Qubes OS project will
grow in the future, bringing reasonable trustworthiness and collaboration for
everybody. Definitely, 3mdeb will try its best to co-organize the event in the
upcoming years.
Summary
By a mere coincidence, meeting Marek Marczykowski-Górecki gave birth to a
fascinating series of Qubes OS Summits and led us to this day.
Together with Invisible Things Lab we (3mdeb) are very proud to be the
co-organizers of the 4th edition of the event. Looking forward to seeing each
other again, but most important to talk and share knowledge and passion with
everyone again after a long time.
Many thanks to the Qubes OS team for holding up the tradition with us. See you
all in Berlin!
👍1🔥1
Qubes Canary 032
https://www.qubes-os.org/news/2022/09/14/canary-032/
We have published Qubes Canary 032. The text of this canary is
reproduced below.
This canary and its accompanying signatures will always be available in
the Qubes security pack (qubes-secpack).
View Qubes Canary 032 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-032-2022.txt
Learn how to obtain and authenticate the qubes-secpack and all the
signatures it contains:
https://www.qubes-os.org/security/pack/
View all past canaries:
https://www.qubes-os.org/security/canary/
---===[ Qubes Canary 032 ]===---
Statements
-----------
The Qubes security team members who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is September 13, 2022.
2. There have been 84 Qubes security bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
fourteen days of December 2022. Special note should be taken if no new
canary is published by that time or if the list of statements changes
without plausible explanation.
Special announcements
----------------------
We plan to create a new Release Signing Key (RSK) [3] for Qubes OS 4.2.
Normally, we have only one RSK for each major release. However, for the
4.2 release, we will be using Qubes Builder version 2, which is a
complete rewrite of the Qubes Builder. Out of an abundance of caution,
we would like to isolate the build processes of the current stable 4.1
release and the upcoming 4.2 release from each other at the
cryptographic level in order to minimize the risk of a vulnerability in
one affecting the other. We are including this notice as a canary
special announcement since introducing a new RSK for a minor release is
an exception to our usual RSK management policy.
Disclaimers and notes
----------------------
We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.
The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.
Proof of freshness
-------------------
Tue, 13 Sep 2022 02:47:47 +0000
Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Poland's Prime Minister on Ukraine War and Energy Crisis
Habeck's Meltdown: Nuclear Energy Standby Proposal Has Germany's Greens Seeing Red
European Commissioner Gentiloni: "The Coming Winter Could Be One of the Worst in History"
Russian Meddling in the Balkans: "Over and Over, Putin Says Kosovo, Kosovo, Kosovo!"
Laos and the New Silk Road: The Train to Dependence on China
Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Ukraine’s Sudden Gains Prompt New Questions for Commanders
Russian Critics Speak Out, Prompted by Ukraine Losses
https://www.qubes-os.org/news/2022/09/14/canary-032/
We have published Qubes Canary 032. The text of this canary is
reproduced below.
This canary and its accompanying signatures will always be available in
the Qubes security pack (qubes-secpack).
View Qubes Canary 032 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-032-2022.txt
Learn how to obtain and authenticate the qubes-secpack and all the
signatures it contains:
https://www.qubes-os.org/security/pack/
View all past canaries:
https://www.qubes-os.org/security/canary/
---===[ Qubes Canary 032 ]===---
Statements
-----------
The Qubes security team members who have digitally signed this file [1]
state the following:
1. The date of issue of this canary is September 13, 2022.
2. There have been 84 Qubes security bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
Project (e.g. to hand out the private signing keys or to introduce
backdoors).
5. We plan to publish the next of these canary statements in the first
fourteen days of December 2022. Special note should be taken if no new
canary is published by that time or if the list of statements changes
without plausible explanation.
Special announcements
----------------------
We plan to create a new Release Signing Key (RSK) [3] for Qubes OS 4.2.
Normally, we have only one RSK for each major release. However, for the
4.2 release, we will be using Qubes Builder version 2, which is a
complete rewrite of the Qubes Builder. Out of an abundance of caution,
we would like to isolate the build processes of the current stable 4.1
release and the upcoming 4.2 release from each other at the
cryptographic level in order to minimize the risk of a vulnerability in
one affecting the other. We are including this notice as a canary
special announcement since introducing a new RSK for a minor release is
an exception to our usual RSK management policy.
Disclaimers and notes
----------------------
We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.
This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.
The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.
This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.
Proof of freshness
-------------------
Tue, 13 Sep 2022 02:47:47 +0000
Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Poland's Prime Minister on Ukraine War and Energy Crisis
Habeck's Meltdown: Nuclear Energy Standby Proposal Has Germany's Greens Seeing Red
European Commissioner Gentiloni: "The Coming Winter Could Be One of the Worst in History"
Russian Meddling in the Balkans: "Over and Over, Putin Says Kosovo, Kosovo, Kosovo!"
Laos and the New Silk Road: The Train to Dependence on China
Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Ukraine’s Sudden Gains Prompt New Questions for Commanders
Russian Critics Speak Out, Prompted by Ukraine Losses
👍3
King Charles Pays Tribute to Queen Elizabeth on a Day Steeped in Tradition
Oppressive Blackouts Force Lebanese to Change Rhythm of Life
Ukraine Claims More Ground in Northeast and South
Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Ukraine war: We retook 6,000 sq km from Russia in September, says Zelensky
Ukraine war: What will Russia's losses mean for Putin?
Ukraine war: A successful surprise attack - but danger still looms
Sweden election: Result could take days as vote too close to call
Taoiseach: Queen's death 'reminder to nurture UK-Ireland relations'
Source: Blockchain.info
00000000000000000002fb0e59c723277069b5389aa2df4b8ff6dc8d80da6ad4
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/
[3] https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys
--
The Qubes Security Team
https://www.qubes-os.org/security/
Oppressive Blackouts Force Lebanese to Change Rhythm of Life
Ukraine Claims More Ground in Northeast and South
Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Ukraine war: We retook 6,000 sq km from Russia in September, says Zelensky
Ukraine war: What will Russia's losses mean for Putin?
Ukraine war: A successful surprise attack - but danger still looms
Sweden election: Result could take days as vote too close to call
Taoiseach: Queen's death 'reminder to nurture UK-Ireland relations'
Source: Blockchain.info
00000000000000000002fb0e59c723277069b5389aa2df4b8ff6dc8d80da6ad4
Footnotes
----------
[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]
[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/
[3] https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys
--
The Qubes Security Team
https://www.qubes-os.org/security/
❤2🖕1
The Qubes OS Project is now accepting donations on Ethereum!
https://www.qubes-os.org/news/2022/09/29/qubes-os-project-now-accepting-donations-on-ethereum/
We are pleased to announce that the Qubes OS Project is now accepting donations (https://www.qubes-os.org/donate/) on Ethereum (https://ethereum.org/) (Mainnet) at the following address:
0xDaa04647e8ecb616801F9bE89712771F6D291a0C
Warning: This Gnosis Safe (https://gnosis-safe.io/) Ethereum address supports ether (ETH) and all assets that fully comply with the ERC-20 (https://ethereum.org/en/developers/docs/standards/tokens/erc-20/) standard (e.g., USDT, USDC, and DAI), but only on Ethereum Mainnet (https://ethereum.org/en/developers/docs/networks/#ethereum-mainnet). Please do not send assets on any other network to this address, or else your donation may be lost. For example, please do not send assets on any Ethereum Layer 2 solution (e.g., Arbitrum, Optimism) or any sidechain (e.g., Polygon, xDai) to this address.
We have recently observed an increase in demand for an Ethereum donation option, both for ETH itself and for stablecoins like USDT, USDC, and DAI. As the largest smart-contract blockchain, largest proof-of-stake blockchain, and second-largest cryptocurrency by market capitalization, the Ethereum network and its native currency ETH are natural additions to our growing list of donation methods. Moreover, this new option allows users to donate any token they choose (including non-stablecoins!) so long as (1) the token fully complies with the ERC-20 standard and (2) the transaction is done on Ethereum Mainnet (as opposed to a Layer 2 solution or a sidechain). Please double-check that both of these conditions hold before sending anything to our Ethereum address, or else your donation may be lost!
As with our bitcoin (BTC) and monero (XMR) donation addresses, you can verify the authenticity of our Ethereum donation address via the Qubes Security Pack (https://www.qubes-os.org/security/pack/) in the fund (https://github.com/QubesOS/qubes-secpack/tree/master/fund) directory. We also provide detailed instructions for verifying the digital signatures (https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate).
As with all other donations, your donations on Ethereum will directly fund the Qubes OS Project (https://www.qubes-os.org/donate/#how-is-my-donation-used). Since Qubes is free and open-source software, we do not earn any revenue by selling it. Instead, we rely on your financial support. If you rely on Qubes for secure computing in your work or personal life or see the value in our efforts, we would greatly appreciate your donation. Thank you!
https://www.qubes-os.org/news/2022/09/29/qubes-os-project-now-accepting-donations-on-ethereum/
We are pleased to announce that the Qubes OS Project is now accepting donations (https://www.qubes-os.org/donate/) on Ethereum (https://ethereum.org/) (Mainnet) at the following address:
0xDaa04647e8ecb616801F9bE89712771F6D291a0C
Warning: This Gnosis Safe (https://gnosis-safe.io/) Ethereum address supports ether (ETH) and all assets that fully comply with the ERC-20 (https://ethereum.org/en/developers/docs/standards/tokens/erc-20/) standard (e.g., USDT, USDC, and DAI), but only on Ethereum Mainnet (https://ethereum.org/en/developers/docs/networks/#ethereum-mainnet). Please do not send assets on any other network to this address, or else your donation may be lost. For example, please do not send assets on any Ethereum Layer 2 solution (e.g., Arbitrum, Optimism) or any sidechain (e.g., Polygon, xDai) to this address.
We have recently observed an increase in demand for an Ethereum donation option, both for ETH itself and for stablecoins like USDT, USDC, and DAI. As the largest smart-contract blockchain, largest proof-of-stake blockchain, and second-largest cryptocurrency by market capitalization, the Ethereum network and its native currency ETH are natural additions to our growing list of donation methods. Moreover, this new option allows users to donate any token they choose (including non-stablecoins!) so long as (1) the token fully complies with the ERC-20 standard and (2) the transaction is done on Ethereum Mainnet (as opposed to a Layer 2 solution or a sidechain). Please double-check that both of these conditions hold before sending anything to our Ethereum address, or else your donation may be lost!
As with our bitcoin (BTC) and monero (XMR) donation addresses, you can verify the authenticity of our Ethereum donation address via the Qubes Security Pack (https://www.qubes-os.org/security/pack/) in the fund (https://github.com/QubesOS/qubes-secpack/tree/master/fund) directory. We also provide detailed instructions for verifying the digital signatures (https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate).
As with all other donations, your donations on Ethereum will directly fund the Qubes OS Project (https://www.qubes-os.org/donate/#how-is-my-donation-used). Since Qubes is free and open-source software, we do not earn any revenue by selling it. Instead, we rely on your financial support. If you rely on Qubes for secure computing in your work or personal life or see the value in our efforts, we would greatly appreciate your donation. Thank you!
👍1
XSAs released on 2022-10-11
https://www.qubes-os.org/news/2022/10/11/xsas-released-on-2022-10-11/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is not affected.
Therefore, no user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
(none)
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-409 (ARM architecture only)
XSA-410 (denial-of-service only)
XSA-411 (denial-of-service only; gnttab v2 is unused in Qubes OS)
XSA-413 (denial-of-service only; XAPI is unused in Qubes OS)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
https://www.qubes-os.org/news/2022/10/11/xsas-released-on-2022-10-11/
The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS is not affected.
Therefore, no user action is required.
XSAs that affect the security of Qubes OS (user action required)
The following XSAs do affect the security of Qubes OS:
(none)
XSAs that do not affect the security of Qubes OS (no user action required)
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
XSA-409 (ARM architecture only)
XSA-410 (denial-of-service only)
XSA-411 (denial-of-service only; gnttab v2 is unused in Qubes OS)
XSA-413 (denial-of-service only; XAPI is unused in Qubes OS)
Related links
Xen XSA list: https://xenbits.xen.org/xsa/
Qubes XSA tracker: https://www.qubes-os.org/security/xsa/
Qubes security pack (qubes-secpack): https://www.qubes-os.org/security/pack/
Qubes security bulletins (QSBs): https://www.qubes-os.org/security/qsb/
👍2👎1
New user guide: How to organize your qubes
https://www.qubes-os.org/news/2022/10/28/how-to-organize-your-qubes/
The following is a new how-to guide (https://www.qubes-os.org/doc/#how-to-guides) for users who are
starting out with Qubes OS. You can also find it in our documentation (https://www.qubes-os.org/doc/)
under How to organize your qubes (https://www.qubes-os.org/doc/how-to-organize-your-qubes/).
When people first learn about Qubes OS, their initial reaction is often, “Wow,
this looks really cool! But… what can I actually do with it?” It’s not
always obvious which qubes you should create, what you should do in each one,
and whether your organizational ideas makes sense from a security or usage
perspective.
Each qube is essentially a secure compartment, and you can create as many of
them as you like and connect them to each other in various ways. They’re sort
of like Lego blocks in the sense that you can build whatever you want. But if
you’re not sure what to build, then this open-ended freedom can be daunting.
It’s a bit like staring at a blank document when you first sit down to write
something. The possibilities are endless, and you may not know where to begin!
The truth is that no one else can tell you exactly how you should organize
your qubes, as there is no single correct answer to that question. It depends
on your needs, desires, and preferences. Every user’s optimal setup will be
different. However, what we can do is provide you with some illustrative
examples based on questionnaires and interviews with Qubes users and
developers, as well as our own personal experience and insight from using Qubes
over the years. You may be able to adapt some of these examples to fit your own
unique situation. More importantly, walking you through the rationale behind
various decisions will teach you how to apply the same thought process to your
own organizational decisions. Let’s begin!
Alice, the software developer
Alice is a freelance dev who works on several projects for different clients
simultaneously. The projects have varying requirements and often different
build environments. She has a separate set of qubes for each project. She keeps
them organized by coming up with a naming scheme, such as:
clientA-code
clientA-build
clientA-test
clientA-prod
projectB-code
projectB-build-test
projectB-prod
...
This helps her keep groups of qubes organized in a set. Some of her qubes are
based on Debian templates (https://www.qubes-os.org/doc/templates/debian/), while others are based on
Fedora templates (https://www.qubes-os.org/doc/templates/fedora/). The reason for this is that some
software packages are more readily available in one distribution as opposed to
the other. Alice’s setup looks like this:
https://www.qubes-os.org/news/2022/10/28/how-to-organize-your-qubes/
The following is a new how-to guide (https://www.qubes-os.org/doc/#how-to-guides) for users who are
starting out with Qubes OS. You can also find it in our documentation (https://www.qubes-os.org/doc/)
under How to organize your qubes (https://www.qubes-os.org/doc/how-to-organize-your-qubes/).
When people first learn about Qubes OS, their initial reaction is often, “Wow,
this looks really cool! But… what can I actually do with it?” It’s not
always obvious which qubes you should create, what you should do in each one,
and whether your organizational ideas makes sense from a security or usage
perspective.
Each qube is essentially a secure compartment, and you can create as many of
them as you like and connect them to each other in various ways. They’re sort
of like Lego blocks in the sense that you can build whatever you want. But if
you’re not sure what to build, then this open-ended freedom can be daunting.
It’s a bit like staring at a blank document when you first sit down to write
something. The possibilities are endless, and you may not know where to begin!
The truth is that no one else can tell you exactly how you should organize
your qubes, as there is no single correct answer to that question. It depends
on your needs, desires, and preferences. Every user’s optimal setup will be
different. However, what we can do is provide you with some illustrative
examples based on questionnaires and interviews with Qubes users and
developers, as well as our own personal experience and insight from using Qubes
over the years. You may be able to adapt some of these examples to fit your own
unique situation. More importantly, walking you through the rationale behind
various decisions will teach you how to apply the same thought process to your
own organizational decisions. Let’s begin!
Alice, the software developer
Alice is a freelance dev who works on several projects for different clients
simultaneously. The projects have varying requirements and often different
build environments. She has a separate set of qubes for each project. She keeps
them organized by coming up with a naming scheme, such as:
clientA-code
clientA-build
clientA-test
clientA-prod
projectB-code
projectB-build-test
projectB-prod
...
This helps her keep groups of qubes organized in a set. Some of her qubes are
based on Debian templates (https://www.qubes-os.org/doc/templates/debian/), while others are based on
Fedora templates (https://www.qubes-os.org/doc/templates/fedora/). The reason for this is that some
software packages are more readily available in one distribution as opposed to
the other. Alice’s setup looks like this:
👍1
Several qubes for writing code. Here’s where she runs her IDE, commits
code, and signs her commits. These qubes are based on different templates
depending on which tools and which development environment she needs. In
general, Alice likes to have a separate qube of this type for each client or
each project. This allows her to keep everything organized and avoid
accidentally mixing up any access credentials or client code, which could be
disastrous. This also allows her to truthfully tell her clients that their
code is always securely isolated from all her other clients. She likes to use
the Qubes firewall (https://www.qubes-os.org/doc/firewall/) to restrict these qubes’ network access
to only the code repositories she needs in that qube in order to avoid
accidentally interacting with anything else on her local network or on the
internet. Alice also has some qubes of this type for personal programming
projects that she works on just for fun when she has “free time” (whatever
that is).
Several qubes for building and testing. Again, Alice usually likes to
have one of these for each client or project in order to keep things
organized. However, this can become rather cumbersome and memory-intensive
when many such qubes are running at the same time, so Alice will sometimes
use the same qube for building and testing, or for multiple projects that
require the same environment, when she decides that the marginal benefits of
extra compartmentalization aren’t worth the trouble. Here’s where she pulls
any dependencies she needs, compiles her code, runs her build toolchain, and
tests her deliverables. In some cases, she finds it useful to use
standalones (https://www.qubes-os.org/doc/standalones-and-hvms/) for these so that it’s easier to
quickly install different pieces of software (https://www.qubes-os.org/doc/how-to-install-software/)
without having to juggle rebooting both the template and an app qube. She
also sometimes finds it necessary (or just convenient) to make edits to
config files in the root filesystem, and she’d rather not have to worry about
losing those changes during an app qube reboot. She knows that she could use
bind-dirs (https://www.qubes-os.org/doc/bind-dirs/) to make those changes persistent, but sometimes
she doesn’t want to get bogged down doing with all that and figures it
wouldn’t be worth it just for this one qube. She’s secretly glad that Qubes
OS doesn’t judge her this and just gives her the freedom to do things however
she likes while keeping everything securely compartmentalized. At times like
these, she takes comfort in knowing that things can be messy and disorganized
within a qube while her overall digital life remains well-organized.
code, and signs her commits. These qubes are based on different templates
depending on which tools and which development environment she needs. In
general, Alice likes to have a separate qube of this type for each client or
each project. This allows her to keep everything organized and avoid
accidentally mixing up any access credentials or client code, which could be
disastrous. This also allows her to truthfully tell her clients that their
code is always securely isolated from all her other clients. She likes to use
the Qubes firewall (https://www.qubes-os.org/doc/firewall/) to restrict these qubes’ network access
to only the code repositories she needs in that qube in order to avoid
accidentally interacting with anything else on her local network or on the
internet. Alice also has some qubes of this type for personal programming
projects that she works on just for fun when she has “free time” (whatever
that is).
Several qubes for building and testing. Again, Alice usually likes to
have one of these for each client or project in order to keep things
organized. However, this can become rather cumbersome and memory-intensive
when many such qubes are running at the same time, so Alice will sometimes
use the same qube for building and testing, or for multiple projects that
require the same environment, when she decides that the marginal benefits of
extra compartmentalization aren’t worth the trouble. Here’s where she pulls
any dependencies she needs, compiles her code, runs her build toolchain, and
tests her deliverables. In some cases, she finds it useful to use
standalones (https://www.qubes-os.org/doc/standalones-and-hvms/) for these so that it’s easier to
quickly install different pieces of software (https://www.qubes-os.org/doc/how-to-install-software/)
without having to juggle rebooting both the template and an app qube. She
also sometimes finds it necessary (or just convenient) to make edits to
config files in the root filesystem, and she’d rather not have to worry about
losing those changes during an app qube reboot. She knows that she could use
bind-dirs (https://www.qubes-os.org/doc/bind-dirs/) to make those changes persistent, but sometimes
she doesn’t want to get bogged down doing with all that and figures it
wouldn’t be worth it just for this one qube. She’s secretly glad that Qubes
OS doesn’t judge her this and just gives her the freedom to do things however
she likes while keeping everything securely compartmentalized. At times like
these, she takes comfort in knowing that things can be messy and disorganized
within a qube while her overall digital life remains well-organized.
Several email qubes. Since Alice is a command-line aficionado, she likes
to use a terminal-based email client, so both her work and personal email
qubes are based on a template with
Mutt (https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/mutt.md)
installed. The email qubes where she sends and receives PGP-signed and
encrypted email securely accesses the private keys in her PGP backend qube
(more on that below). To guard against malicious attachments, she configured
Mutt to open all attachment files in disposable
qubes (https://www.qubes-os.org/doc/how-to-use-disposables/).
Several qubes for communication tools, like Signal, Slack, Zoom,
Telegram, IRC, and Discord. This is where she teleconferences and chats with
clients. She uses USB passthrough (https://www.qubes-os.org/doc/how-to-use-usb-devices/) to attach
her webcam to each qube as needed and detaches it afterward. Likewise, she
gives each qube access to her microphone while it’s needed, then removes
access afterward. This way, she doesn’t have to trust any given video chat
program’s mute button and doesn’t have to worry about being spied on when
she’s not on a call. She also has a qube for social media platforms like
Twitter, Reddit, and Hacker News for networking and keeping up with new
developments (or so she claims; in reality, it’s mostly for feuds over
programming language superiority, Vim vs. Emacs wars, and tabs vs. spaces
crusades).
A GPG backend vault. Vaults are completely offline qubes that are
isolated from the network. This particular vault holds Alice’s private keys
(e.g., for code signing and email) and is securely accessed by several other
“frontend” qubes via the Split GPG (https://www.qubes-os.org/doc/split-gpg/) system. Split GPG
allows only the frontend qubes that Alice explicitly authorizes to have the
ability to request PGP operations (e.g., signing and encryption) in the
backend vault. Even then, no qube ever has direct access to Alice’s private
keys except the backend vault itself.
A password manager vault. This is another completely offline,
network-isolated qube where Alice uses her offline password manager,
KeePassXC, to store all of her usernames and passwords. She uses the secure
copy and paste (https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) system to quickly copy
credentials into other qubes whenever she needs to log into anything.
Personal qubes. One of the things Alice loves the most about Qubes is
that she can use it for both work and personal stuff without having to
worry about cross-contamination. Accordingly, she has several qubes that
pertain to her personal life. For example, she has an offline vault that
holds her medical documents, test results, and vaccination records. She has
another offline vault for her government documents, birth certificate, scans
of her passport, and so on. She also has some personal social media accounts
in a separate qube for keeping up with family members and friends from
school.
When she finishes her work for a given client, Alice sends off her
deliverables, backs up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) the qubes
containing the work for that client, and deletes them from her system. If she
ever needs those qubes again or just wants to reference them, she can easily
restore them from her backup, and the internal state of each one will be
exactly as it was when she finished that project.
Bob, the investigative journalist
As part of his research and reporting, Bob is frequently forced to interact
with suspicious files, often from anonymous sources. For example, he may
receive an email with an attachment that claims to be a tip about a story he’s
working on. Of course, he knows that it could just as easily be malware
intended to infect his computer. Qubes OS is essential for Bob, since it allows
him to handle all this suspicious data securely, keeping it compartmentalized
to use a terminal-based email client, so both her work and personal email
qubes are based on a template with
Mutt (https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/mutt.md)
installed. The email qubes where she sends and receives PGP-signed and
encrypted email securely accesses the private keys in her PGP backend qube
(more on that below). To guard against malicious attachments, she configured
Mutt to open all attachment files in disposable
qubes (https://www.qubes-os.org/doc/how-to-use-disposables/).
Several qubes for communication tools, like Signal, Slack, Zoom,
Telegram, IRC, and Discord. This is where she teleconferences and chats with
clients. She uses USB passthrough (https://www.qubes-os.org/doc/how-to-use-usb-devices/) to attach
her webcam to each qube as needed and detaches it afterward. Likewise, she
gives each qube access to her microphone while it’s needed, then removes
access afterward. This way, she doesn’t have to trust any given video chat
program’s mute button and doesn’t have to worry about being spied on when
she’s not on a call. She also has a qube for social media platforms like
Twitter, Reddit, and Hacker News for networking and keeping up with new
developments (or so she claims; in reality, it’s mostly for feuds over
programming language superiority, Vim vs. Emacs wars, and tabs vs. spaces
crusades).
A GPG backend vault. Vaults are completely offline qubes that are
isolated from the network. This particular vault holds Alice’s private keys
(e.g., for code signing and email) and is securely accessed by several other
“frontend” qubes via the Split GPG (https://www.qubes-os.org/doc/split-gpg/) system. Split GPG
allows only the frontend qubes that Alice explicitly authorizes to have the
ability to request PGP operations (e.g., signing and encryption) in the
backend vault. Even then, no qube ever has direct access to Alice’s private
keys except the backend vault itself.
A password manager vault. This is another completely offline,
network-isolated qube where Alice uses her offline password manager,
KeePassXC, to store all of her usernames and passwords. She uses the secure
copy and paste (https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) system to quickly copy
credentials into other qubes whenever she needs to log into anything.
Personal qubes. One of the things Alice loves the most about Qubes is
that she can use it for both work and personal stuff without having to
worry about cross-contamination. Accordingly, she has several qubes that
pertain to her personal life. For example, she has an offline vault that
holds her medical documents, test results, and vaccination records. She has
another offline vault for her government documents, birth certificate, scans
of her passport, and so on. She also has some personal social media accounts
in a separate qube for keeping up with family members and friends from
school.
When she finishes her work for a given client, Alice sends off her
deliverables, backs up (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/) the qubes
containing the work for that client, and deletes them from her system. If she
ever needs those qubes again or just wants to reference them, she can easily
restore them from her backup, and the internal state of each one will be
exactly as it was when she finished that project.
Bob, the investigative journalist
As part of his research and reporting, Bob is frequently forced to interact
with suspicious files, often from anonymous sources. For example, he may
receive an email with an attachment that claims to be a tip about a story he’s
working on. Of course, he knows that it could just as easily be malware
intended to infect his computer. Qubes OS is essential for Bob, since it allows
him to handle all this suspicious data securely, keeping it compartmentalized
so that it doesn’t risk infecting the rest of his machine.
Bob isn’t a super technical guy. He prefers to keep his tools simple so he can
focus on what’s important to him: uncovering the truth, exposing the guilty,
exonerating the innocent, and shining light on the dark corners of society. His
mind doesn’t naturally gravitate to the technical details of how his computer
works, but he’s aware that people are getting hacked all the time and that the
nature of his work might make him a target. He wants to protect his sources,
his colleagues, his family, and himself; and he understands that computer
security is an important part of that. He has a Qubes laptop that he uses only
for work, which contains:
Bob isn’t a super technical guy. He prefers to keep his tools simple so he can
focus on what’s important to him: uncovering the truth, exposing the guilty,
exonerating the innocent, and shining light on the dark corners of society. His
mind doesn’t naturally gravitate to the technical details of how his computer
works, but he’s aware that people are getting hacked all the time and that the
nature of his work might make him a target. He wants to protect his sources,
his colleagues, his family, and himself; and he understands that computer
security is an important part of that. He has a Qubes laptop that he uses only
for work, which contains:
One offline qube for writing. It runs only LibreOffice Writer. This is
where Bob does all of his writing. This window is usually open side-by-side
with another window containing research or material from a source.
Multiple email qubes. One is for receiving emails from the general
public. Another is for emailing his editor and colleagues. Both are based on
a minimal template (https://www.qubes-os.org/doc/templates/minimal/) with Thunderbird installed.
He’s configured both to open all attachments in
disposables (https://www.qubes-os.org/doc/how-to-use-disposables/) that are offline in case an
attachment contains a beacon that tries to phone home.
Whonix qubes. He has the standard sys-whonix service qube for providing
Torified network access, and he uses disposable anon-workstation app qubes
for using Tor Browser to do research on stories he’s writing. Since the topic
is often of a sensitive nature and might implicate powerful individuals, it’s
important that he be able to conduct this research with a degree of
anonymity. He doesn’t want the subjects of his investigation to know that
he’s looking into them. He also doesn’t want his network requests being
traced back to his work or home IP addresses. Whonix helps with both of these
concerns. He also has another Whonix-based disposable template for receiving
tips anonymously via Tor, since some high-risk whistleblowers he’s interacted
with have said that they can’t take a chance with any other form of
communication.
Two qubes for
Signal (https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/signal.md).
Bob has two Signal app qubes (both on the same template in which the Signal
desktop app is installed). One is linked to his own mobile number for
communicating with co-workers and other known, trusted contacts. The other is
a public number that serves as an additional way for sources to reach him
confidentially. This is especially useful for individuals who don’t use Tor
but for whom unencrypted communication could be dangerous.
Several data vaults. When someone sends Bob material that turns out to be
useful, or when he comes across useful material while doing his own research,
he stores a copy in a completely offline, network-isolated vault qube. Most
of these files are PDFs and images, though some are audio files, videos, and
text files. Since most of them are from unknown or untrusted sources, Bob
isn’t sure if it would be safe to put them all in the same vault, so he makes
different vaults (usually one for each story or topic) just in case. This has
the side benefit of helping to keep things organized.
A VPN
qube (https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md)
and associated qubes for accessing work resources. The servers at work can
only be accessed from the organization’s network, so Bob has certain qubes
that are connected to a VPN qube so that he can upload his work and access
anything he needs on the local network when he’s not physically there.
A password manager vault. Bob stores all of his login credentials in the
default password manager that came with his offline vault qube. He securely
copies and pastes (https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) them into other qubes as
needed.
A colleague helped Bob set up his Qubes system initially and showed him how to
use it. Since Bob’s workflow is pretty consistent and straightforward, the way
his qubes are organized doesn’t change much, and this is just fine by him. His
colleague told him to remember a few simple rules: Don’t copy or move
text (https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) or
files (https://www.qubes-os.org/doc/how-to-copy-and-move-files/) from less trusted to more trusted
qubes; update (https://www.qubes-os.org/doc/how-to-update/) your system when prompted; and make
regular backups (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/). Bob doesn’t have
where Bob does all of his writing. This window is usually open side-by-side
with another window containing research or material from a source.
Multiple email qubes. One is for receiving emails from the general
public. Another is for emailing his editor and colleagues. Both are based on
a minimal template (https://www.qubes-os.org/doc/templates/minimal/) with Thunderbird installed.
He’s configured both to open all attachments in
disposables (https://www.qubes-os.org/doc/how-to-use-disposables/) that are offline in case an
attachment contains a beacon that tries to phone home.
Whonix qubes. He has the standard sys-whonix service qube for providing
Torified network access, and he uses disposable anon-workstation app qubes
for using Tor Browser to do research on stories he’s writing. Since the topic
is often of a sensitive nature and might implicate powerful individuals, it’s
important that he be able to conduct this research with a degree of
anonymity. He doesn’t want the subjects of his investigation to know that
he’s looking into them. He also doesn’t want his network requests being
traced back to his work or home IP addresses. Whonix helps with both of these
concerns. He also has another Whonix-based disposable template for receiving
tips anonymously via Tor, since some high-risk whistleblowers he’s interacted
with have said that they can’t take a chance with any other form of
communication.
Two qubes for
Signal (https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/signal.md).
Bob has two Signal app qubes (both on the same template in which the Signal
desktop app is installed). One is linked to his own mobile number for
communicating with co-workers and other known, trusted contacts. The other is
a public number that serves as an additional way for sources to reach him
confidentially. This is especially useful for individuals who don’t use Tor
but for whom unencrypted communication could be dangerous.
Several data vaults. When someone sends Bob material that turns out to be
useful, or when he comes across useful material while doing his own research,
he stores a copy in a completely offline, network-isolated vault qube. Most
of these files are PDFs and images, though some are audio files, videos, and
text files. Since most of them are from unknown or untrusted sources, Bob
isn’t sure if it would be safe to put them all in the same vault, so he makes
different vaults (usually one for each story or topic) just in case. This has
the side benefit of helping to keep things organized.
A VPN
qube (https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md)
and associated qubes for accessing work resources. The servers at work can
only be accessed from the organization’s network, so Bob has certain qubes
that are connected to a VPN qube so that he can upload his work and access
anything he needs on the local network when he’s not physically there.
A password manager vault. Bob stores all of his login credentials in the
default password manager that came with his offline vault qube. He securely
copies and pastes (https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) them into other qubes as
needed.
A colleague helped Bob set up his Qubes system initially and showed him how to
use it. Since Bob’s workflow is pretty consistent and straightforward, the way
his qubes are organized doesn’t change much, and this is just fine by him. His
colleague told him to remember a few simple rules: Don’t copy or move
text (https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) or
files (https://www.qubes-os.org/doc/how-to-copy-and-move-files/) from less trusted to more trusted
qubes; update (https://www.qubes-os.org/doc/how-to-update/) your system when prompted; and make
regular backups (https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/). Bob doesn’t have
the need to try out new software or tweak any settings, so he can do everything
he needs to do on a daily basis without having to interact with the command
line.
Carol, the investor
Carol works hard and lives below her means so that she can save money and
invest it for her future. She hopes to become financially independent and maybe
even retire early someday, and she’s decided that her best bet for achieving
this is by investing for the long term and allow compounding to do its work.
However, after doing some research into her country’s consumer financial
protection laws, she learned that there’s no legal guarantee that customers
will be made whole in the event of theft or fraud. The various insurance and
protection organizations only guarantee recovery in the case of a financial
institution failing, which is quite different from an individual customer
being hacked. Moreover, even though many financial institutions have their own
cybercrime policies, rarely, if ever, do they explicitly guarantee
reimbursement in the event that a customer gets hacked (rather than the
institution itself).
Carol looked into how thieves might actually try to steal her hard-earned
wealth and was surprised to learn that they have all sorts of ploys that she
had never even considered. For example, she had assumed that any theft would,
at the bare minimum, have to involve transferring money out of her account.
That seems like a safe assumption. But then she read about "pump and dump"
attacks, where thieves buy up some penny stock, hack into innocent people's
brokerage accounts, then use the victims' funds to buy that same penny stock,
"pumping" up its price so that the thieves can "dump" their shares on the
market, leaving the victims with worthless shares. No money is ever
transferred into or out of the victims' account; it's just used to buy and
sell securities. So, all the safeguards preventing new bank accounts from
being added or requiring extra approval for outbound transfers do nothing to
protect victims' funds in cases like these. And this is just one example!
Carol realized that she couldn't assume that existing safeguards against
specific, known attacks were enough. She had to think about security at a
more fundamental level and design it into her digital life from the ground
up.
After learning about all this, Carol decided that it was ultimately up to her
to take care of her own cybersecurity. She couldn’t rely on anyone else to do
it for her. Sure, most people just use regular consumer tech and will probably
end up fine, but, she reminded herself, most people also don’t have as much to
lose. It’s not a risk that she was willing to take with her future, especially
knowing that there’s probably no government bailout waiting for her and that
all the brokerage firms’ vaguely reassuring marketing language about
cybersecurity isn’t legally binding. So, Carol started reading more about
computer security and eventually stumbled upon Qubes OS after searching the web
for “most secure operating system.” She read about how it’s designed and why.
Although she didn’t immediately understand all of the technical details, the
fundamental principle of security-by-compartmentalization (https://www.qubes-os.org/doc/architecture/)
made intuitive sense to her, and the more she learned about the technical
aspects, the more she realized that this is what she’d been looking for. Today,
her setup looks like this:
he needs to do on a daily basis without having to interact with the command
line.
Carol, the investor
Carol works hard and lives below her means so that she can save money and
invest it for her future. She hopes to become financially independent and maybe
even retire early someday, and she’s decided that her best bet for achieving
this is by investing for the long term and allow compounding to do its work.
However, after doing some research into her country’s consumer financial
protection laws, she learned that there’s no legal guarantee that customers
will be made whole in the event of theft or fraud. The various insurance and
protection organizations only guarantee recovery in the case of a financial
institution failing, which is quite different from an individual customer
being hacked. Moreover, even though many financial institutions have their own
cybercrime policies, rarely, if ever, do they explicitly guarantee
reimbursement in the event that a customer gets hacked (rather than the
institution itself).
Carol looked into how thieves might actually try to steal her hard-earned
wealth and was surprised to learn that they have all sorts of ploys that she
had never even considered. For example, she had assumed that any theft would,
at the bare minimum, have to involve transferring money out of her account.
That seems like a safe assumption. But then she read about "pump and dump"
attacks, where thieves buy up some penny stock, hack into innocent people's
brokerage accounts, then use the victims' funds to buy that same penny stock,
"pumping" up its price so that the thieves can "dump" their shares on the
market, leaving the victims with worthless shares. No money is ever
transferred into or out of the victims' account; it's just used to buy and
sell securities. So, all the safeguards preventing new bank accounts from
being added or requiring extra approval for outbound transfers do nothing to
protect victims' funds in cases like these. And this is just one example!
Carol realized that she couldn't assume that existing safeguards against
specific, known attacks were enough. She had to think about security at a
more fundamental level and design it into her digital life from the ground
up.
After learning about all this, Carol decided that it was ultimately up to her
to take care of her own cybersecurity. She couldn’t rely on anyone else to do
it for her. Sure, most people just use regular consumer tech and will probably
end up fine, but, she reminded herself, most people also don’t have as much to
lose. It’s not a risk that she was willing to take with her future, especially
knowing that there’s probably no government bailout waiting for her and that
all the brokerage firms’ vaguely reassuring marketing language about
cybersecurity isn’t legally binding. So, Carol started reading more about
computer security and eventually stumbled upon Qubes OS after searching the web
for “most secure operating system.” She read about how it’s designed and why.
Although she didn’t immediately understand all of the technical details, the
fundamental principle of security-by-compartmentalization (https://www.qubes-os.org/doc/architecture/)
made intuitive sense to her, and the more she learned about the technical
aspects, the more she realized that this is what she’d been looking for. Today,
her setup looks like this: