Sorry for picking the wrong smiley! My bad! I wanted to pick the sad one as a sign of confirmation.
No problem.
1 Like
It is exactly what you read - isolation - without contact to the outside world - access to the outside only on grant.
No - it is not.
No you will not.
VirtualBox is a type2 hypervisor - that means it requires an operating system to function.
QubesOS is built using the Xen hypervisor which is a type-1 which runs on bare metal.
What QubesOS does is rather unique. You need to use it to understand it. The developers has completely isolated the virtual machines from accessing other vms address space and diskspace. Of course if your hypervisor running on domain0 is compromized there is only one thing to do - reinstall.
Roughly it is a bare-metal hypervisor and everything you do is to create virtual machines - which runs totally independent of each-other - isolated.
You define and assign zones in which they operate - allowing them access to network - you can even restrict the virtual machines by firewalling e.g. your banking vm to only access your banking site.
You can create temporary vms which are spun up once and removed when closed - only the definition persist.
So QubesOS is - to paraphrase - a reasonable secure system - because no system can be as secure as the user.
The OS is resource heavy compared to other systems but the advantages are many if your wear your tin-foil-hat.
6 Likes
It costs more than money, it takes time, effort and a willingness to incur inconvenience.
If qubes is more secure, how come everyone doesnât run it? Because it is a pain to have everything separated in containers. They arenât only isolated from an attacker, they are isolated from each other.
When it comes to security, you have to decide which risks are the most important to you and how do you protect yourself from those things. Creating a âcompletely secure systemâ is a myth unless it is air-gapped.
5 Likes
And only if itâs operated by yourselfâŚBUT
Can you trust yourself?!
2 Likes
Its not that I canât tolerate inconvenience. From the moment I applied the arkenfox user.js & added Noscript I am well aware what inconvenience feels like. Other than that I am using the hardened kernel. I just want a way to isolate my personal data so that even if an attacker manages to penetrate Nftables he/she fails to access any of my personal stuff.
Edit : I forgot to mention that I am running all Internet facing app like Firefox, Thunderbird, Pidgin inside a Firejail sandbox. As you know Firejail too creates isolation to a certain level. For example while using Firefox I cant access any folder other than Downloads.
Technically even âair-gappedâ systems can be compromised by using an external device to induce abnormal behaviours upon traditional hardwired electronics and in doing so can infer data from the system remotely.
Russian scientists have already shown that you can use speakers to transmit data in an encrypted format from an air-gapped device even when the speakers themselves produce no sound and are switched off, simply having a AUX cable connected is enough.
Similar concepts also apply to USB cables, Serial Cables, etc.
In extreme cases you can even use modified firmware inside of the microcontrollers themselves at production time to cause the traces on a PCB to operate as antennas and constantly leak data on command.
Computers cannot be secure to ALL threats, you can only attempt to secure yourself against the most common threats to a limited extent.
If you donât want your data to be stolen, donât store it digitally.
1 Like
What about wrapping case, cables, monitors in Tin-Foil ? 
HA! Get this russian h4xXx0rs!!! 
Well most people donât have access to tin-foil these daysâŚ
Usually itâs aluminium foil, and even then it is often not 100% pure aluminium, primarily to save cost and modify certain properties.
AnywayâŚ
On a serious note, you could use surface materials to reduce interaction with or modify the behaviour of your cables, but ultimately the end result will be the same, techniques will be developed to circumvent whatever defenses you have implemented and youâll be back to square one all over again.
Computers are by their design, insecure, and no matter what you do, you cannot overcome that flaw.
If you want absolute security & privacy then operating a computer is out of the question.
I wouldnât worry too much though, because unless youâre a well known political activist, journalist, reporter, investigator, or, seen as a traitor to a particular nation, youâll not be of interest to anybody in the intelligence sector, and so your biggest threat will be script kiddies & so-called professional hackers who intend to damage your reputation or your financial situation for their own gain.
Defending against common criminals and actors is easily enough done, use good multi-factor security, donât share information unless you genuinely need to, think about what you share and who you share it with, keep out of trouble, and, use common sense when securing or hiding information that you donât want others to see (Financial Information for example, Personal Documents, etc).
Theoretically speaking, can Whonixâ gateway get compromised/ (hacked) ? I know I have to read up on Whonix but the thought just passed my mind.
Theoretically of course, itâs still maintained by humans, but if you do everything right and follow their news stream / forums (itâs a bit like Arch in that sense) - youâll be fine 
Most vulnerable part of Whonix is VirtualBox, but you can Virtualize it somewhere else or through Qubes-Whonix (itâs just a bit harder for newcomers)
1 Like
You can just encrypt your data, no?
1 Like
Is Veracrypt a good choice ?
Encryption isnât a magic security pill. Your data canât be encrypted all the time. There is no doubt that encryption is super important but people shouldnât think âMy data is encrypted so I have nothing else to worry about.â
Encryption isnât an alternative to the type of isolation provided by Qubes in most cases.
A good choice for what? There are lots of different places and ways encryption can be used.
1 Like
Yup I agree, but for local data it should be enough to make it ânot worthwhileâ?
I am using Veracrypt in two ways :
-
I have encrypted the external USB drive that I use for backups. I am not using an encrypted container. The whole device is encrypted.
-
I have created an encrypted container & copied all my important data & finally uploaded the container to Mega.
But none of my data which resides on my SSD & HDD are encrypted.
I guess it depends what kind of encryption we are talking about.
If we are talking about full disk encryption, all that protects you against if physical loss. It has no real benefit against the types of attacks that qubes would protect you against.
Again, I think it is important and almost everyone should do it but it is protection against a completely different attack vector.
Those are reasonable applications of veracrypt.
You should consider encrypting all your local drives. But with luks, not veracrypt.
Before I do that let me explain. This is a desktop so chances of it getting stolen is negligible. I am the only person in my house who knows how to use a computer.
Do you still think I should encrypt ? I will have to reinstall EO. If its important I will do it.