Qubes vs. Mirimir's Isolation System

I’m sold on using isolation for online privacy. Brilliant approach. I’m considering 3 isolation methods: mirimir’s, or Whonix, or Qubes. Whonix looks most user-friendly, but Tor is too slow for me. I’m trying to decide between remaining two approaches.

Mirimir’s approach is genius. New eight guides at ivpn are phenomenal. But probably would be awfully complicated for me to try to set up. I prob have less experience than most of you. Haven’t seen that much about Qubes, but guessing easier set up since OS is somewhat or completely pre-configured.

Questions about these two systems:
(1) Is Qubes significantly easier to set up than Mirimir’s? Also easier to operate?
(2) Are mirimir’s and Qubes systems more or less equally effective at protecting privacy?
(3) Are there any significant downsides to Qubes?

Thanks for replies. Viva Wilders. Great resource.

 

All three methods use VMs. Both Whonix and my approach use VirtualBox VMs. And I use Whonix in my setups, because it's the most secure ready-to-go way to way to use Tor that I've seen.

Qubes is based on Xen. But it virtualizes individual apps, not entire machines. And so it uses far less disk space, because there aren't many copies of the same component.

Yes, using Qubes requires just one installation. But it's an operating system, so you must commit a machine for using it and nothing else. It also has more restrictive hardware requirements than generic Linux plus VirtualBox, because it interacts far more directly with hardware, being a bare-metal hypervisor (like ESXi).

It's easier to set up, at least for the apps that it includes. I played with the first release some, about two years ago. I found that adding new components, such as OpenVPN and Tor networking modules, required more programming skills than I had. But that has undoubtedly changed since then.

When I last checked, Qubes focused more on security than on privacy and anonymity. It undoubtedly provides better security, and isolation between workspaces, especially against malware and active exploits. I expect that it now includes solid networking modules for OpenVPN and Tor.

As I noted, you must commit a machine to it. As I recall, dual boot was discouraged. Also, because it's so customized, polished and optimized, changing anything about it requires some skill. But that may have changed.

I need to test Qubes again.

 

Thanks for the comparison Mirimir. I've been wanting to try out Qubes.

It does look like it's advanced quite a bit since two years ago. I was reading there's a pretty easy to set up TorVM component of Qubes now. http://qubes-os.org/trac/wiki/UserDoc/TorVM. And in general, I've seen other people say it's not that hard to use. I think if you have some general experience with Linux it should be okay these days. Supposedly the wiki is also not written for experts, so that's good. But I haven't actually tried it yet so I don't know for sure.

And I like the idea of the Xen hypervisor, now that I have a general understanding of what it does. Since it allows Qubes to isolate components of the system, even hardware components, in separate VMs, in principle your machine just can't been owned by gaining root, like on another system. There is no single kernel that has controls over every part of the machine.

The main dev on the project, Joanna Rutkowska, has a nice post here about what Qubes really is and how it differs from other systems: http://theinvisiblethings.blogspot.com/2012/09/how-is-qubes-os-different-from.html

I do think you're right that Qubes is about Security, not privacy. But with the TorVM and a VPN or two, it seems like there's no reason one could not readily add privacy on top of Security.

I suppose my biggest security concern is that the project seems to be run mostly by Rutkowska and a few other devs. And it doesn't seem to be catching on in any big way. Rutkowska looks pretty legit, but it does seem like with less people using it and involved in the project, there's more potential for bugs, security holes, etc., not to get caught--and fewer outside third party eyes verifying the security of everything. I also wonder how fast development will be and how long the project will survive, without a broader base of interest. I hate to set up a system and then have the project it's based on die (hello Fuduntu--and worried someday the cool CentOS based Stella Linux could meet its maker, though it's a bit immune to whether or not its dev drops the project, since it's not a fork).

I also wish there was a Mate version of Qubes.

 

Joanna ooh la la .. She knows what she's doing. I trust her.

 

Thanks from me, too. It helps reading about the different components and setups from someone who has a lot of knowledge and really seems to know what he’s talking about. I appreciate your assessments very much.

I also have to agree with you, cb474, regarding the wiki. It is very well written and of great use for those who understand the basics of Linux (or like you put it "have some general experience with Linux"). The other day I wrote that the wiki was "clearly for the advanced user" which I would say is not completely wrong but was rather written out of frustration (because I couldn’t get my network to work no matter what I tried -> hardware, now solved).

I installed Qubes in dual boot besides several other systems (2 windows, 4 Linux) on my laptop. I think for this reason there might have been some limitations regarding encryption but I really don’t know anymore. I installed Qubes R1 and didn’t get along with it (system crashes) and only recently has my curiosity been reawakened.

For me using Qubes means lots of reading and trying out without knowing the full meaning of everything I do. It’s like a big puzzle or mosaic and with each little step or progress I am getting closer to the big picture.

@mirmir
There’s a GUI for setting up the network including VPN. I didn’t have the time to test it, but it looks pretty easy now.

 

I was looking more at the system requirements for Qubes. It does look like if you don't have a machine with Intel VT-d or AMD IOMMU, it can't isolate the network adapter fully in a separate virtual machine. If I'm understanding correctly, it does still use the network VM, but it's vulnerabel to a DMA attack (had to look that up: https://en.wikipedia.org/wiki/DMA_attack). Qubes still does a lot of more isolation of system components than any other setup, as far as I understand. But the isolation of the network adapter does seem like one of the nice features of Qubes. Sadly, my machine only has VT-x. I still want to try Qubest though.

It does seem like most new Intel processors, these days, have VT-d (I don't know how common AMD processors with IOMMU are). So it should be less of an issue going forward.

 

How much space did you allocate to / and /home? I want to try installing R2 Beta2 on a system with other existing Linux installations. There's not really any info in the Qubes wiki that I can find about what size partitions are needed, if one does the partitioning manually.

Normally I just give / about 8 or 10 Gb and /home maybe 4 Gb, because most of my data is saved on a separate partition shared with my different systems. But I don't know if Qubes needs more space in / or /home for the VMs or something.

Thanks for any ideas.

 

I understand your concerns, however, you are jumping to conclusions and unfounded assumptions or fears about "less people using it and involved in the project" - i.e. they are easily one of the most competent security research teams on the planet with regard to OSes/hardware.

Also, there are guides with respect to system requirements and hardware compatiblity for using Qubes to help users select equipment on which to run it:

System Requirements - Qubes.

Hardware Compatibility List (HCL) for All Qubes OS Releases.

-- Tom

 

I mean no disrespect in saying this, and it's my impression that the Qubes team plans to go commercial, either through licensing or buy out by a major player. As with other such startups, they've promised continued support for a free version. I wish them the best in this. They have a great product, and they deserve to be rewarded.

 

I don' t think that really responds to my concerns. I don't doubt that they are as competent as people say. In fact, that's certainly part of the appeal of their system. But I still think a relatively small project, with relatively few eyes on it, and also perhaps with few or no independent third party eyes on it, is intrinsically less secure and more open to the possibility of compromise than a larger project, regardless of the competence of the core devs. You could have infinitely competent devs and a project would still be fundamentally more trustworthy with many different indpendent (and also competent) eyes on it. That being said, this is not a concern that is going to stop me from trying out Qubes, it was just a point I was making, in the context of discussing Qubes' benefits and weakness. But I think the point stands.

That aside, I saw those guides about system requirements already, as I said in my last post, they don't actually answer the question that I was asking.

 

That's a good point. I guess that could effect the nature of the system, if that happened.

 

My point, which wasn't made clearly, is that mass popularity isn't necessarily part of their plan. They might need to impress just a few people.

 

Ah, I thought you were suggesting that at the point they go commercial, if they do, it might have some impact on users of the free version. In any case, your actual point makes sense. I wasn't suggesting that they should seek mass popularity. It's their project and up to them. I was just suggesting the lack of mass popularity could be considered to have some affect on the relative security (vettedness, at it were) of the project.

 

What they're counting on, I think, is attracting the attention of skilled attackers, and developing a reputation for extreme security.

 

Hmm, does that suggest end users are putting themselves in the cross hairs?

 

OTOH, with extreme security, comes extreme cost to break into the system - hardly worth the effort, and since it should be expected that Qubes deployment will require some amount of expertise over and above the normally clueless computer user.

The real cross-hairs of attackers are the computer systems with the most vulnerabilities - i.e. Windows systems where the end-users are very vulnerable and represent the most profitable targets.

-- Tom

 

That's true.

But one of their goals is making extreme security very user-friendly.

And that's worth real money to companies that market to clueless users

(and to companies that employ clueless users)

 

Thanks for the thoughts, lotuseclat79.

I have to admit, for all the distros I've installed and configured over the years. I still often feel like a clueless user. Ease of use/"just works" is becoming more desirable to me. The fun of learning it and figuring things out has worn off a bit.

 

This is my first post and de-lurk. I have one machine. I am planning on going to linux. I use TOR a lot. I like Mirimir's isolation techniques regarding Whonix. Here is my question. If I install linux to bare metal and then install the Whonix Gateway and Workstation OVA is there vulnerability if I run third party apps on the bare metal linux install in conjunction with Whonix? Is there liability in surfing the clearnet on the bare metal machine. What about running a VPN on the bare metal? What implications does running the VPN have with Whonix? In order to get maximum privacy and anonymity do I need to run third party apps, surf the clearnet using another VM? Thank you for any help you can give me. I have only just today made an account on Wilders. I have read this forum for years.

Also, anyone have any recommendations on a specific linux flavor?

 

I'm sure mirimir can answer this better than me, but I have seen people say that if someone gains root access on your machine, then they effectively own anything running in a virtual machine as well.

I think an advantage of Whonix, aside from the privacy and security, is that if the Whonix machine gets compromised, your underlying machine is still okay. And you can just delete the Whonix instance you're using and go back to an earlier snapshot. But just because whatever happens in Whonix is isolated from your underlying machine, doesn't mean whatever happens in your underlying machine is isolated from Whonix.

I suppose if your hardware is fast enough, then you could only work in virtual machines. Use Whonix for Whonix stuff. Use some other OS of your choosing in a separate VM for whatever else. And never use the underlying main OS for anything.

Anyway, I'm prepared to be corrected by others who know better.

 

This is the classic security vs convenience debate.

If you go over to the Whonix site and read the documentation you will see the following recommendation: Do NOT use the host operating system for anything other than supporting the Whonix VM's ----- period! For absolute security and privacy the host system should not be used online for surfing, etc... Further it is strongly recommended that the host system's partition be fully encrypted for complete offline hardware security.

That said; many of us still do use our host for other things and with proper security procedures we are hoping there is no system compromise. It is obvious that as we use the host in any fashion we are introducing an elemental risk of "breach" of its security. There is no possible argument where someone can state an isolated supporting host is not likely to be more secure. A host OS used online all day long, with an occasional visit to Whonix, contains additional risk. Its a complete no brainer and we all know that.

Comes down to security vs convenience. Every user decides individually after assessing his/her risks.

 

Palancar: This confirms what I have been reading. So let's assume I do as I have stated. Bring up a linux distro and (suggestion please) install the Whonix gateway and worstation ova in vbox. I had assumed that using the host to surf the clearnet or even use third party apps was a security issue. I find a good VPN that doesn't log data to be an essential element. Are there any security concerns with running the VPN on the host bare metal machine? I am worried even running a VPN on the host machine. Now, since I am only using one machine, are you saying that in order to maximize security that if I am going to surf the clearnet that I should design another VM specifically for that purpose? I appreciate your feedback.

 

If you run a VPN on the host machine, Whonix and other VMs will connect through it. That's a good thing, if you want to hide Tor use from your ISP.

Rather than using the host machine for non-anonymous stuff, it's better to install another Linux VM. That way, there's more isolation from Whonix.

I've made peace with Ubuntu 12.04 (long-term release). If you want a lighter OS, I recommend Crunchbang (Debian with OpenBox window manager).

 

Can you explain what you mean when you say you have made peace with Ubuntu 12.04? Does it come equipped with Virtual Box and OpenVPN?

 

Thanks, Mirimir. I have read your IVPN articles. Pretty amazing. Are you a contributor to IVPN or staff out of curiosity? Please feel free to correct the following assertions if erred, but in order for an individual to justify going through what you have so precisely detailed they would either have to be a complete conspiracy theorist or running a full criminal enterprise to justify the complexity. It occurs to me that if an individual went to this level then they should probably build in tempest shielding as well for all secure computing. Be aware it is not my intent to mock you in any way. I am just saddened that the United States has come to a point that protecting ones self from government mass surveillance is now required for privacy and anonymity.