QUBES: State of the art security
There is a operating system that you should use if you work with sensitive information and want to maintain a high security environment.
It’s called Qubes.
|True ZEN of Security. QUBES give you peace of mind.|
Qubes is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen and Linux. It can run Linux applications and most Windows programs.
|My operating system is now a digital fortress.|
Starting applications from different domains (AppVMs) is very easy.
In this example, the word processor runs in the “work” domain, which has been assigned the “green” taskbar. It is fully isolated from other domains, such as the “untrusted” domain (red) used for random Web browsing, news reading, as well as from the "work-web" domain (yellow), which is used for work-related Web browsing that is not security critical. Apps from different domains run in different AppVMs. Notice the different color frames (labels) and VM names in the titlebars. These are drawn by the trusted Window Manager.
|Apps from different domains run in different AppVMs.|
Windows AppVMs are fully integrated with the rest of the Qubes OS system, which includes things such as secure, policy governed, file copy and clipboard.
|Windows AppVMs are fully integrated with the rest of the Qubes OS system.|
If any piece of software gets compromised, your whole computer is compromised. The attacker can look at your files, log your keystrokes, take screenshots, steal your encryption keys, and read the emails that you type before you even have a chance to encrypt them. This is how the NSA's QUANTUM / FOXACID programs hack people's computers. This is also how the hacker criminal bad guys get to take control of your computer.
Developers can (and should) try to make their software more secure, but software will never be perfect. Trying to not get hacked is difficult when you have powerful adversaries, yet still have to get work done. Short of never connecting your computer to the internet, the best way to stay secure is to minimize the damage caused when you do eventually get hacked and “sandbox” the most vulnerable programs away from the rest of your computer. Qubes makes this more straight-forward than any other operating system I've used.
|Xfce4.10 Window Manager running in Dom0.|
Qubes uses virtual machines to let you manage separate “security domains”. A virtual machine (VM) is basically a tiny operating system running inside of your real operating system. If your VM gets hacked, the attacker is able to access the files and read keystrokes in that VM, but not in other VMs or on your host computer. In Qubes all software (besides the desktop environment) is running inside of VMs, and you can easily and efficiently make as many as you need for whatever purposes you need. It's also designed in such a way that if one VM gets infected with malware, the malware won't be there the next time you reboot that VM.
|It is always clearly visible to which domain a given window belongs.|
For example, you may want to use an instant messaging application with encryption to chat with people securely. But IM is notorious for its vulnerabilities. Attackers can use a flaw in the program to take over your computer by sending you a weird-looking message. In order to use IM as safely as possible, you can create an AppVM that you use only for IM. If a attacker sends you a weird-looking message that takes over your computer, all it will actually take over is your instant messaging AppVM. The worst that the attacker can do is spy on your chat conversations. Everything else on your computer, such as your work documents, your encryption key, and your passwords, will remain safe from the attacker.
Another example that would be useful: if you're writing an document about a sensitive subject, you can create an AppVM that contains these documents, and any files or drafts associated with the story. If you open a document in this AppVM that tries to phone home to alert someone that it's been opened, it will fail because this AppVM doesn't have internet access. And if you open a malicious document that hacks this AppVM, the malware won't be able to exfiltrate any of your files because it won't have internet access. And finally, if some other part of your computers gets compromised, like your web browser, the attackers won't have access to these sensitive work files.
Temporary AppVMs are ones that you create for a specific purpose and delete when you're done with them. You can use disposable VMs to open documents that you don't completely trust. If that PDF someone emailed you is actually malicious and tries to take over your computer, it will only take over the disposable VM. But if it actually contains something useful, you'll still be able to read it.
You can do this all on one computer using a single desktop manager. This is one of the most powerful features about Qubes.
In Qubes, you run all your programs in domains. Domains are also called AppVMs because they're implemented as lightweight virtual machines (VMs). Not every app runs in its own VM. Each VM represents a security domain. Each domain is based on a single, common TemplateVM. This means that when you create a new AppVM, you don't copy the whole root filesystem needed for this AppVM to work. Each AppVM shares the root filesystem with its respective TemplateVM. An AppVM has read-only access to the filesystem of the Template on which it's based, so an AppVM cannot modify a TemplateVM in any way. This is important, as it means that if an AppVM is ever compromised, the TemplateVM on which it's based will still be safe. This means that creating a large number of domains is cheap: Each one needs only as much disk space as is necessary to store its private files.
In addition to AppVMs and TemplateVMs, there's one special domain called "dom0," which is where the Desktop Manager runs. This is where you log in to the system. Dom0 is more trusted than any other domain. If dom0 were ever compromised, it would be Game Over. The entire system would effectively be compromised. Due to its importance, dom0 has no network connectivity and is used only for running the Window and Desktop Managers. Dom0 shouldn't be used for anything else. In particular, you should never run user applications in dom0. That is what your AppVMs are for.
If you install Qubes using the default options, a few domains have already been created for you:
Each domain has a distinct name, and is also assigned a color label. The trusted window manager uses these colors in order to draw window decorations (frames) around the windows of applications running in each domain. These allow you to quickly and easily identify the trust level of a given window at a glance. It's natural to associate red with that which is untrusted and dangerous, green with that which is safe and trusted, and yellow and orange with things in the middle. QUBE also extended this scheme to include blue and black, which I interpret as indicating progressively more trusted domains than green, with black being ultimately trusted.