reply on: What is your favourite Linux distribution, and why? \ stacker news ~bitcoin

1070 sats \ 6 replies \ @richnost 18 Feb 2023 \ on: What is your favourite Linux distribution, and why? bitcoin

While not technically a "linux distro", I like Qubes. I heard about it by following Edward Snowden and Peter Todd.

Qubes has an interesting approach to security -- it uses the Xen hypervisor and some clever abstraction to help you sequestor different security levels of activity into different virtual machines.

So, for example, your password manager or secure documents archive would be hosted on a virtual machine that has no network access whatsoever.

Perhaps your activity requires a virtual machine which moves all internet traffic through tor that wipes all trace of activity after shut down -- theres a disposable anonymous browsing virtual machine for that.

In fact there are layers of vm's for networking -- the sys-net VM provides network and internet to a whonix (tor) VM or maybe a VM you configured to go through your VPN provider. Maybe you just want to raw dog the internet directly through your ISP for fast, non-critical traffic. Your client virtual machines can each be configured to use one of your many network vm's.

Inter-vm clipboard or file operations employ utilities that securely communicate between the virtual machines. Sussy PDF's, images, and whatnot can be safely transferred to an offline disposable virtual machine for safe viewing.

USB devices are accessible via a sys-usb virtual machine that you explicity manage device-by-device VM access to. Are you concerned about USB-port-HID-delivered attacks on your laptop? You can lock down keyboard and mouse usage to just your laptop keyboard and trackpad.

There's a lot more to qubes that I encourage people to look into, but I will caveat my enthusiasm for it briefly with these points:

be ready to read documentation or browse the Qubes community forums (which are very well-administrated and minimize much of the paranoia or social engineering that tends to plague other discussion platforms, like Matrix chat)
it's best that you are familiar with at least a moderate level of Linux administration, scripting, and troubleshooting
qubes is VERY finnicky with hardware: you will need an Intel core (or AMD equivalent) processor that supports specific virtualization functionality. It's best to check the Hardware Compatibility List (HCL) before starting the install process

20 sats \ 5 replies \ @petertodd 18 Feb 2023

This!

Though re: hardware, I haven't personally run into any issues with unsupported hardware in the past few years. The virtualization functionality that Qubes needs is widely available in modern desktops and laptops. Maybe if you had a really cheap one you'd run into issues.

The main annoyance re: hardware is that Qubes does want a lot of RAM due to the fact it's running multiple different OS's in parallel. The 8GB laptops many vendors want to sell you aren't really enough. 16GB is a good start; my laptop has 32GB and my desktop 64GB.

11 sats \ 2 replies \ @richnost 18 Feb 2023

Thanks, @petertodd!

I agree that 16GB is the floor.

I should have pointed out that Qubes virtualizing all the things wont be squeezing every ounce of performance out of the machine, but even mid-range laptops are serviceable. Recently installed on a Thinkpad with 6th gen Core i5 and 16GB of RAM, and it's running relatively well. Cold starting a disposable browsing session takes about 20 seconds (R4.1.1).

Re:Re: hardware, cheap laptops are my jam lol. Seriously, tho, of the handful of laptops I own, every one of them had some sort of Qubes suspend/wake or wifi issue that required troubleshooting. Referring to the HCL and the forums, prior to install, has been my most prudent predictor of success.

11 sats \ 1 reply \ @JustinGoldberg 18 Feb 2023

Thanks!

I have not used Qubes but I have used xcp-ng (newest xen) in a production environment. I do know that the nsa has recommended for gov agencies to not use vms for the most secure systems as the vm guests can potentially attack each other's memory. I'll look into Qubes to see how it protects the guests from each other.

41 sats \ 0 replies \ @richnost 18 Feb 2023

I believe the argument goes that Xen hypervisor bare-betal virtualization is a much smaller attack surface than a hypervisor hosted by an operating system reliant upon constant administrative patching and hardening.

10 sats \ 0 replies \ @JustinGoldberg 18 Feb 2023

deleted by author

2 sats \ 0 replies \ @Coinosphere 18 Feb 2023

Yep, I'm using 32 GB here, and have had to increase the memory allotment for my main qubes under settings->advanced many times. What's your biggest qube set to?

My main aggravation with it (being a noob) is local network. I have a NAS and a couple of RasPis that I use a lot, as well as other SATA drives on the same PC that all have to be found and mounted in different ways. Do you know of a quick way to do those or some kind of guide for interaction with them? Cheers.