My thoughts on QubesOS
Recently I have been experimenting with QubesOS and securing my digital life. Although I really do like the idea of Qubes and see it as a real option, to me it's not at a level I want right now, but it does provide a way of thinking I'm willing to work with.
What is Qubes OS
Qubes is a security-oriented operating system based on Linux, but instead of having everything in one place like most other distributions, it is based on virtual machines on top of the Xen hypervisor.
Using virtual machines (Qubes) you can package up your computer usage into different areas like Personal, Work, Untrusted, etc. and keep each of these areas completely separate from one another. This provides a “secure” system because opening a malicious email attachment in one Qube will only infect that single Qube and you can simply bin that and create a new one as required.
Even though these Qubes are separate machines, because they are on top of Xen they all share a display so they work together as one system to the end user. The caveat of this is that depending on the “Qube” the application belongs to, it will have a pre-determined colour associated with its window borders so you know exactly what your threat level is within these Qubes.
Each Qube is based on a TemplateVM and Qubes comes with a set of default qubes out of the box to get you started and even integrates Tor with Whonix if you require it.
My impression of QubesOS
Qubes does a lot of things right and is a great place to start the process of working in a secure way, but I find some things just don’t feel right for me out of the box to make me want to use this every day without feeling pissed off that it’s not a smooth experience.
This is a pain of mine from before time began, or just as soon as I installed QubesOS. Everything feels great in the lead up to the login but the default theme they pump out with the OS just sucks, and I don’t think it’s unreasonable to have a bit more of a thought process about the User Interface to attract a larger user base (which would only be a good thing).
Aside from the zero percent modified default theme I also hold a big issue with the implementation of the coloured containers and the default menu layout, and while I don’t have a complete solution I think the colourisation of the windows could be pulled off a lot better with a dedicated theme to suit the OS. Instead it feels like a last-minute thought input that you need to somehow determine which window you are actually using.
On top of the theme and the colour issues I have, I’m also not a fan of the Qubes software dialogs. They feel like a bunch of different components thrown together without much thought about how they feel to use to the end user. This could be coming from the same issue I have with the theme where it just feels uninviting but on the whole it just feels like I’m using Windows 95 and that’s not good enough for me any more.
While I have these issues with the UI, it’s not a deal breaker, but I have issues with other areas of the operating system as well.
This one is purely because I’m not a fan of interpreted languages, especially ones that are meant to be interfacing my already resource heavy OS with all the VMs it is running on top.
I’m quite sure I’ve missed a bunch of really important things but the source I have looked at is in Python and I just have a real deal feeling that this is simply going to be the wrong choice in the long run for an operating system that should have something more robust in place.
I would look at languages like Go or Rust in these areas and work on replacing the Python code with one of these.
Templates & VMs
Here lies my biggest issue with this setup or solution, whatever you want to call it. I find myself clogged up with different templates, holding different apps, just because I don’t want access to some on the other VM. Keeping track of different Templates is a really large annoyance when in reality I want to isolate the applications instead. At least this is how I feel now.
I’m also feeling that having a choice of base template allows for an excessive amount of bloat on the host computer. I’m a fan of keeping things streamlined and working as smoothly as possible and, with that in mind, I want to strip this system down to the absolute basics.
My thought process here is to have one VM only per “container” and base all of these on Alpine Linux or something similar and only install the apps that are required. No sharing of apps from a base VM and trying to contain VMs on top of this… It makes no sense to me to do this extra layer. This also means that the whole system is contained within the VM and would allow for a greater lock down on the information shared out of this system as a whole.
The one problem this opens up though is the same apps will be installed in multiple places and you “might” want to sync your accounts on them… Firefox is a good example to use here, where you might want to use the same account but some traffic you simply don’t trust and other traffic you do. I understand this would cause some bloat for the overall system but I actually don’t think this would happen. You are unlikely to use the same profile for various types of traffic unless you are some kind of madman. You would split yourself up into trusted profile, untrusted, work, etc. so my original vision is a valid one for the main case I see.
Copying and moving between VMs should stay and allows the same usage as Qubes has at the moment.
As a continuation of the subject about base VMs and Templates I think the question of custom installs (Templates) is one that does have an answer that I’m OK with. While I have said I want to strip things down and work with just a small base system and individual machines based on one distribution, I would be open to the idea of allowing custom images for development purposes only.
For example: I’m a software developer on a legacy version of code which compiles on Debian but not on Arch Linux.
Here it’s only logical to install a Debian system to do your development on. While this wouldn’t be ideal it does solve an issue that many people will suffer with and seems like the right solution when using VMs. It could probably do with a guide emphasizing keeping this for dev only and for people not to abuse it to develop a whole range of different situations and set-ups.
The other option is Docker.
This one really got me annoyed very recently when I tried to install a distro in a Stand-alone VM (HVM in Qubes) and I had no idea where it was installing to in the partition options, and I could not boot it after I thought I got it right. It’s simply not good enough to have these issues and when I looked at the documentation it was still geared for 3.x instead of 4.x which is the stable version.
I would fix this right away because for some aspects of life you just need Windows or macOS. Prime example is any kind of design work: you’re going to use either Sketch or Photoshop, and both those product owners hate Linux.
All of this leaves me with a lot of loose thoughts about what I’m really looking for and how I would solve the problems and annoyances I currently have with Qubes. While I don’t have the skill set to implement any of the changes, I do have enough to keep me going with developing my theory of improvements required and possibly looking at ways they could be implemented.
There are obviously things that could play a big part in this. For example, Docker has a userspace runtime now that could remove the need for Xen and Virtual Machines completely, but I have no idea of the security implications with that and it is worth investigating more.
One option I am thinking about would be to fork the Qubes project. Rip out what I don’t want or see as useful and see if there is a way to implement a Docker option into the setup. Heck, maybe I’ll just start implementing Qubes modules on my currently installed OS. As I read more, Xen and Docker appear to work well together; if only we remove the root requirement to run Docker containers then we are one step closer to a vision I think I’d be comfortable with, except I don’t want it to be obvious to the end user how the OS is working.
I understand that most of what I describe will probably be seen as lowering the security side of Qubes, but I’m not sure that’s completely true, while it will also bring in a nice usability to a system that is clunky to get started with in the first place. I found I often had applications become so slow they just stopped working or accepting input from my keyboard, which is one of the main reasons I had to leave it behind.
A Final Word
While Qubes isn’t for me right now, it has opened up my thought process on security in general even more so than had already been happening, and with that I have started to reshape my online life. I will write a post about these new practices and software options soon.
Now my thoughts are written down, I can move on and think about other things and forget I ever wrote about this until about a year’s time.