I'm curious as to why we aren't all running Qubes OS or something like it. Privilege escalation attacks are waaay too easy to carry out now. Even without the baddies getting root they can still view everything in your home directory. With Qubes you can spin up as many VMs as you have RAM for. The easy-to-use installer also ensures that even a complete noob can have proper full-disk crypto.
All VMs are Xen domains, each behind a FirewallVM. The dom0 does not connect to any USB or networking by default. Out of the box you are given network vm and a usb vm. The network vm acts as a gateway to the firewall vm.
It even comes with whonix vm that acts as a tor gateway for a client vm already configured to only send through tor. If tor is down, absolutely no traffic leaks.
Each AppVM can be based on a TemplateVM, meaning that only their home directory takes up space. When you update the software on the templates, all child vms will get the updates after a restart. All clipboards are segregated by VM unless you say to pass it on.
My favorite feature is the disposable VMs. You can spin up a vm in seconds that connects to your tor gateway and has Tor browser ready to go that gets deleted as soon as you shut it down.
I was also thinking of one day making something similar to Qubes OS, but I am pretty happy with Qubes now. I'll probably just maintain Gentoo and Arch templates for Qubes.
I'm not familiar with Qubes. How susceptible is it to people doing the equivalent of running shit as root willy-nilly thus negating the security they were meant to have in the first place?
William Collins
It's insane that this is needed in the first place. Anyway, with your your browser in a jail, accessed via a sandboxed x-server (no leaking via X) you are already doing well for 90% of everyday use I think.
Carter White
i've got nothing to hide qubes is only for pedos anyways
Alexander Kelly
The average user is not running Qubes because it's not Windows, and even if you managed to get them to switch their terrible opsec would make it all pointless: they would just whine when the Os tries to warn them against doing something retarded, and then whine when their retardation fucked over their system.
For an advanced user, Qubes is overkill in some areas and not good enough in others, and at the end of the day the biggest issue remains deciding what software to trust.
Very susceptible, because the easy way would be running everything in the same VM and that defeats the point. The only way you can stop idiot users is with an idiot Os that gives you no root and no freedom, such as iOs, but that's worse than the original problem.
Carson Davis
I've been meaning to try it out for quite some time now actually. I just would like to know if GPU passthrough works properly on it.
Bentley Williams
3.2 works just fine for me but I don't have the hardware that supports 4.0 yet. It's a pretty decent system all around even if it eats all of your ram.
Jason Clark
Qubes doesn't like GPU acceleration, so for now I don't have any real use for it.
William Thompson
...
Jaxon Gomez
This is true but in the case of anything computer related, nothing is completely safe. The best thing you can do is mitigate as much as possible.
Gabriel Evans
How would this case be handled in Qubes: I downloaded stuff from the internet and want to put the poz in my separate VM which has my personal data.
Does Qubes best practice say that's a no go? Or is there some kind of reconciliation. At some point the poz is touching a virgin butthole so what happens then? Otherwise just use a RAM resident distro.
Austin Ramirez
wut
Camden Richardson
So the stuff is now in the VM with your browser Depends on what the stuff is, and how the VM with your data is configured. If you downloaded notavirus.tar, you probably don't want to risk losing your data to it. If it's notspyware.deb and you really need to run it in your personal data VM, just config that l VM to have no internet access.
As I said above, the real problem is deciding how trustworthy any piece of software is.
Xavier Mitchell
Thanks. I understand your point about trust. At the end of the day I suppose Qubes would be better for people who are already paranoid/opsec-focused, but not to the point where they run everything in RAM.
Anthony Hughes
So that would be moving to a model akin to what you have on (rooted) smarthphones where you have control over which app can access which part of your device. Maybe they can add this functionality to systemdicks or something.
William Anderson
1. It's the definition of bloatware, it eats your memory for the half a dozen VM's that you apparently need for "security" 2. The lead developer is a tranny freak
Wyatt Young
If we just let systemd do everything we only have to worry about pid 1 which will increase security.
Ryder Phillips
Qubes avoids the real source of the problem, which is that UNIX processes suck. UNIX (and Windows) already have "domains" called processes which have their own address spaces and pretend to be the only program running on the entire machine. Processes don't have access to files, USB, networking, the keyboard, or anything else outside their address space. Everything is provided through system calls to the kernel. They can't view anything in anyone's home directory unless the kernel lets them. All of these exploits and privilege escalations are because the kernels give any program run by the user the ability to do anything the user can do. Multics separates what a user can access (through ACL and AIM) from what a process can do (through rings) and code run by the same user can run in different rings.
The most threatening thing I see in computing today is the"we have found the answer, all heretics will perish"attitude. I have an awful lot of experience in computing, Ihave used six or seven operating systems and I have evenwritten one. UNIX in my view is an abomination, it hasserious difficulties, these could have been fixed quiteeasily, but I now realize nobody ever will.At the moment I use a VMS box, I do so because I find that Ido not spend my time having to think in the "UNIX" mentalitythat centers around kludges. I do not have to tolerate ahelp system that begins its insults of the user by beinginvoked with "man".Apollo in my view were the only UNIX vendor to realize thatthey had to put work into the basic operating system. Theyhad ACLs, shared libraries and many other essential featuresfive years ago.What I find disgusting about UNIX is that it has *never*grown any operating system extensions of its own, all thecreative work is derived from VMS, Multics and theoperating systems it killed.
Adam Allen
unixhater have you ever posted any lisp code?
Parker Turner
Unixhater is the hero we need but don't deserve.
David Martin
so, no?
Jack Ross
the only true answer
Nathan Lewis
You're right, we don't deserve this shitter who doesn't understand the shit he preaches. Remember when segmented memory was his favourite thing of the month? He screeched regularly over how much better modern operating systems would be with this crucial innovation, only for another user to read the paper he was pushing. Turns out that not only did unixhater completely misunderstand the concept, he didn't even realize that Unix had the same shit for ages. As the saying goes, those who don't understand Unix are doomed to reinvent it badly.
Just fucking install xen on your distro of choice. Don't install redhat shit.
Michael Ross
oi, u got a loicense for that loli?
Levi Martin
Samefagging once was acceptable. But twice? You're flying on wings of wax my friend.
Joshua Diaz
nigger please
Sebastian Evans
proof? also, even if true, what does that change?
Oliver Morris
Assuming you're not a console autist, does Wayland have any way to easily configure the keyboard?
Joshua Morales
if it needs to be one only once, it's not a big deal if it's not easy
Ethan Baker
>if it needs to be done my gaybook keyboard begins to die apparently, sorry about that
Owen Myers
As long as it's possible. For my configuration, I use backspace swapped with caps lock. I have this line in my .xinitrc: setxkbmap -layout us -variant dvorak -option caps:backspace However, I have to (manually) run this script every time I restart X: #!/bin/sh xmodmap -e "keycode 22 = Escape" && xmodmap -e "keycode 9 = Caps_Lock" xmodmap -e "clear Lock" I've tried many things to get it to run on X startup, but it fails.
Because qubes fucking sucks and doesn't support a lot of the shit I'd like to set up. I just run vms on a dedicated vm machine and manage it from a laptop for all the shit I fuck around with since qubes doesn't let me configure it how I'd like
Henry Baker
Hate to tell you, faggot, but it's an actual honest-to-God woman. She's Polish and the trannyism wave haven't reached there yet back when the project was started.
Leo Ramirez
...
Ryder Campbell
My educated guess would be that your DE is resetting those settings during startup, well after .xinitrc is run. You would need a way to run the script later in the startup sequence. Have you tried a .desktop file in .config/autostart/ ?
Jason Roberts
For some reason that I cannot understand, it uses systemd.
Carson Wood
It's a massive resource hog. I don't have any computers that are capable of running it.
Nope. She's not one of the loud LOOK AT ME I'M A TRANNY types that seem to be everywhere in tech these days, and she's done a pretty good job of keeping her personal history off the Internet, but she's got a Y chromosome. I forget her "dead name" (as they like to call it) but there was a male Polish computer security researcher who was active in the early to mid 2000s who dropped off the face of the earth, a couple of years before "Joanna" started getting attention in 2006.
Actually, I found what her old name might have been:
You've been smoking something really mind altering, and I think you should share it.
Colton Morris
holy shit i cant tell if well-delivered satire or unironic retardation
James Hernandez
virtualization allows for more effective segregation of information on a single machine, which has many operational security benefits. have different identities on different virtual machines. a similar effect could be produced with multiple real machines instead of multiple virtual machines, but that seems far more expensive virtulization also means a malware has to at least break out of the virtual machine to be fully powerful instead of just a privilege escalation (which one could debate is almost trivial on windows or linux as they are so common and demanded), hence providing multiple layers of security there is also a slight 'security by obscurity' bonus for non-targeted attacks
Thomas Williams
Slackware is fine too, although you need to remove pulseaudio from it.
Charles White
That's a mark of well-delivered satire. Or unironic retardation
Anthony Fisher
Qubes is almost too good in its capabilities out of the box. I wonder how far it will be allowed to progress.
Blake Torres
You're almost as bad as Zig Forums with their Jew obsession
Dylan Walker
Only the competent ones. There are plenty of real women in tech, they just suck. That's how I was finally sure that "Isis Lovecruft" wasn't a tranny. I looked at her Tor commits.
Easton Peterson
Seems legit.
Xavier Perez
I will use Qubes when they replace Xen with seL4, Fedora with Alpine or Gentoo, and port it all to POWER9. Otherwise it's just useless masturbation.
Owen Gutierrez
Why can't you? Also, you can easily replace Fedora with whatever you prefer today, except in dom0 which has no network access.
Carson Miller
Segmented memory is still a good thing but not because it's my favorite. It's good because of the reduction in code complexity and memory usage. UNIX weenies hate whenever someone brings up actual numbers like speed and RAM usage.
The way Multics does it is after the "instead" in this paragraph, not before. He probably confused the old way other OSes do it with the way Multics does it.
These Multics innovations were ignored by UNIX. There are a few attempts at making UNIX more like Multics, but they're still hindered by the flat memory space of the "abstract" PDP-11 C runs on.
arxiv.org/pdf/1105.1811.pdf An allocated memory block can be very quickly extended orshrunk without having to copy memory – a feature which is veryuseful for the common operation of extending large arrays andwhich is also provided by the proprietary mremap() functionunder Linux. Kimpe et al. [31] researched the performancebenefits of a vector class based upon this feature and found a 50-200% memory usage overhead when using a traditional vectorclass over a MMU-aware vector class as well as extensiontime complexity becoming dependent on the elements beingadded rather than the size of the existing vector. While thetest employed was synthetic, a 50% improvement in executiontime was also observed thanks to being able to avoid memorycopying.
What will they copy from real OSes next? UNIX weenies are even saying hardware memory tagging is good now. 60s, 70s, and 80s commercially available technology is 2018 "research" for UNIX weenies. arxiv.org/ftp/arxiv/papers/1802/1802.09517.pdf Memory tagging will not eliminate all memory safety bugs; however, our analysis indicates thatmemory tagging, when widely supported by hardware, will help significantly reduce the numberof such bugs and is likely to complicate exploitation of the few remaining ones.
UNIX was made because "Those who don't understand Multics are doomed to reinvent it badly." Lisp machines and VME were made by people who understood Multics, not superficial parts like the name "ls" and the "-" argument syntax, but the structure of the OS and what the parts do. The only time someone reinvented UNIX badly was Plan 9.
"It's State of the Art!" "But it doesn't work!" "That ISthe State of the Art!"Alternatively: "If it worked, it wouldn't be research!"The only problem is, outside of the demented heads of theUnix weenies, Unix is neither State of the Art nor research!
Angel Wood
I have neither the skill/knowledge nor the time to undertake something of that magnitude. Particularly porting seL4 to POWER9 and proving it correct. Do you think everybody on this board are super systems developers who make 7 figure salaries?
Ethan Allen
I tired it. It was way too resource intensive for my 6 year old machine. Once I get a new 32 core AMD proc, 32 gigs or more of ram, and all SSD / M.2 storage, I may give it a whirl again.
Grayson Lewis
If you really want people to look into Multics and Lisp Machines' design decisions, learn how to explain topics without coming across as a giant, salty faggot. There's actually much less discussion of Lisp on Zig Forums since you came here because no one wants to be associated with or accidentally summon you, and there still isn't anyone discussing Multics when they aren't trying to make you shut up. Drop the constant blockquote spam, the "muh weenies" cancer (really, it makes you sound like a balding goon who still believes he's hip and edgy), stop trying to phrase every feature of stuff you like as a decisive blow against Unix, and maybe someone will actually listen to you someday.
Hey MULTICS nigger, what do you suggest people use, right now, that's available today, instead of UNIX based systems? You bitch and moan so much that you've become a parody, and you certainly aren't helping your cause.
alsa is ok but has it's limits i.e. recording desktop audio is impossible without a connecting your speaker-out to your mic jack (lmao wtf)
stuck here waiting for pipewire...
John James
Why do we need another Tails? heads GNU/Linux also fills the muh completely open source niche so there is no need to fracture the developer community even more.
Gavin Bell
...
Dominic Taylor
Why the fuck tails requires 2 usb sticks? Can't it be installed just with 1?
Nathaniel Wright
If you're going to post wrongthink on the internet, might as well invest into a console.
you can install with one flash drive if you install "tails installer" from ubuntu repositories (or whatever else distro if they have it in their repos). but it was very buggy on ubuntu so i just prefer using 2 usb sticks instead.
you can also just dd the iso (rufus for winfags) on a flash drive but you can't configure persistent storage and can't receive automatic updates in that setting.
Josiah Price
lrn2survey. you cant just browse a few directories and leave when its your fucking job half the fun of using a gov vulnerable system is being a stegenofag and hiding suspicious but legal content throughout your entire house of things. i even have a jpg of a larch tree on my smart-fridge's storage with hello.jpg LSB encoded in it. i even plant that shit on some particularly vulnerable devices in houses and shops i go to. my autistic hobby. my taxes go towards surveiling commies, not innocent civilians so if you see shitting dick nipples embedded in some landscape photography then get back to work you stalking doublenigger
Jace Ramirez
That's the thing, most of Zig Forums is nothing like that. We hate Windows and its design decisions, but we still know how to discuss other operating systems (mostly Unix-like) without transforming every post into a snarky tirade about how much we hate it. Let your favourite operating system's advantages speak for themselves. Almost no one uses that. Windows doesn't need a retarded nickname because its reputation here is already fucking abysmal: those are reserved for the newfags dumb or cucked enough to shill Windows.
just keep windows on a separate hard drive, problem solved.
two drives with windows and qubes are all I ever wind up using. if I were more autistic id use a customized bsd but default qubes install covers all the basics for tunneling, compartmentalization, etc. I'm quite happy with it.
Luis Bell
Speaking of BDS, do any of you guys know how to or if it is possible to create OpenBSD templates on Qubes? (I know it's possible with netBSD templates). The idea of it feels unimaginably amazing!!!!
I've never used BSD but you probably can. Might as well try. I'm sure someone would have asked already in a forum.
Bentley Lopez
I don't have hardware powerful enough to run it. Also systemdicks.
Carter Perry
It's cool, but a little bit slow on my x220. It's boring to wait 2 minutes each time I start my laptop. After 1 week, i returned to Debian, it JUST WORKS
