True ZEN of Security. QUBES give you peace of mind.

QUBES: State of the art security

There is a operating system that you should use if you work with sensitive information and want to maintain a high security environment. 

It’s called Qubes.

True ZEN of Security. QUBES give you peace of mind.

Qubes is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen and Linux. It can run Linux applications and most Windows programs. 

My operating system is now a digital fortress.

Starting applications from different domains (AppVMs) is very easy.

In this example, the word processor runs in the “work” domain, which has been assigned the “green” taskbar. It is fully isolated from other domains, such as the “untrusted” domain (red) used for random Web browsing, news reading, as well as from the "work-web" domain (yellow), which is used for work-related Web browsing that is not security critical. Apps from different domains run in different AppVMs. Notice the different color frames (labels) and VM names in the titlebars. These are drawn by the trusted Window Manager.

Apps from different domains run in different AppVMs. 

Windows AppVMs are fully integrated with the rest of the Qubes OS system, which includes things such as secure, policy governed, file copy and clipboard.

Windows AppVMs are fully integrated with the rest of the Qubes OS system.

Qubes’ design is based off an important law of software: all programs contain bugs. Some of these are security vulnerabilities. Your computer can get hacked by viewing a Flash video or using JavaScript in your web browser. Your computer could also get hacked by opening a Microsoft Office document, a Acrobat PDF, or a JPG or GIF image. Most publicly known software vulnerabilities have been fixed if you're using the latest version, but there's always the possibility that there are vulnerabilities that have never been reported to the developers. These are called zero day vulnerabilities, and agencies like the NSA, the FBI, and criminal hackers spend lots of money to purchase information about them.

If any piece of software gets compromised, your whole computer is compromised. The attacker can look at your files, log your keystrokes, take screenshots, steal your encryption keys, and read the emails that you type before you even have a chance to encrypt them. This is how the NSA's QUANTUM / FOXACID programs hack people's computers. This is also how the hacker criminal bad guys get to take control of your computer.

Developers can (and should) try to make their software more secure, but software will never be perfect. Trying to not get hacked is difficult when you have powerful adversaries, yet still have to get work done. Short of never connecting your computer to the internet, the best way to stay secure is to minimize the damage caused when you do eventually get hacked and “sandbox” the most vulnerable programs away from the rest of your computer. Qubes makes this more straight-forward than any other operating system I've used.

 Xfce4.10 Window Manager running in Dom0.

Qubes uses virtual machines to let you manage separate “security domains”. A virtual machine (VM) is basically a tiny operating system running inside of your real operating system. If your VM gets hacked, the attacker is able to access the files and read keystrokes in that VM, but not in other VMs or on your host computer. In Qubes all software (besides the desktop environment) is running inside of VMs, and you can easily and efficiently make as many as you need for whatever purposes you need. It's also designed in such a way that if one VM gets infected with malware, the malware won't be there the next time you reboot that VM.

It is always clearly visible to which domain a given window belongs. 

For example, you may want to use an instant messaging application with  encryption to chat with people securely. But IM is notorious for its  vulnerabilities. Attackers can use a flaw in the program to take over your computer by sending you a weird-looking message. In order to use IM as safely as possible, you can create an AppVM that you use only for IM. If a  attacker sends you a weird-looking message that takes over your computer, all it will actually take over is your instant messaging AppVM. The worst that the attacker can do is spy on your chat conversations. Everything else on your computer, such as your work documents, your encryption key, and your passwords, will remain safe from the attacker.

Another example that would be useful: if you're writing an document about a sensitive subject, you can create an AppVM that contains these documents, and any files or drafts associated with the story. If you open a document in this AppVM that tries to phone home to alert someone that it's been opened, it will fail because this AppVM doesn't have internet access. And if you open a malicious document that hacks this AppVM, the malware won't be able to exfiltrate any of your files because it won't have internet access. And finally, if some other part of your computers gets compromised, like your web browser, the attackers won't have access to these sensitive work files.

Temporary AppVMs are ones that you create for a specific purpose and delete when you're done with them. You can use disposable VMs to open documents that you don't completely trust. If that PDF someone emailed you is actually malicious and tries to take over your computer, it will only take over the disposable VM. But if it actually contains something useful, you'll still be able to read it.

You can do this all on one computer using a single desktop manager. This is one of the most powerful features about Qubes.

In Qubes, you run all your programs in domains. Domains are also called AppVMs because they're implemented as lightweight virtual machines (VMs). Not every app runs in its own VM. Each VM represents a security domain. Each domain is based on a single, common TemplateVM. This means that when you create a new AppVM, you don't copy the whole root filesystem needed for this AppVM to work. Each AppVM shares the root filesystem with its respective TemplateVM. An AppVM has read-only access to the filesystem of the Template on which it's based, so an AppVM cannot modify a TemplateVM in any way. This is important, as it means that if an AppVM is ever compromised, the TemplateVM on which it's based will still be safe. This means that creating a large number of domains is cheap: Each one needs only as much disk space as is necessary to store its private files.

In addition to AppVMs and TemplateVMs, there's one special domain called "dom0," which is where the Desktop Manager runs. This is where you log in to the system. Dom0 is more trusted than any other domain. If dom0 were ever compromised, it would be Game Over. The entire system would effectively be compromised. Due to its importance, dom0 has no network connectivity and is used only for running the Window and Desktop Managers. Dom0 shouldn't be used for anything else. In particular, you should never run user applications in dom0. That is what your AppVMs are for.

If you install Qubes using the default options, a few domains have already been created for you:

work

personal

untrusted

Each domain has a distinct name, and is also assigned a color label. The trusted window manager uses these colors in order to draw window decorations (frames) around the windows of applications running in each domain. These allow you to quickly and easily identify the trust level of a given window at a glance. It's natural to associate red with that which is untrusted and dangerous, green with that which is safe and trusted, and yellow and orange with things in the middle. QUBE also extended this scheme to include blue and black, which I interpret as indicating progressively more trusted domains than green, with black being ultimately trusted.

At the moment you have to be pretty tech savvy in order to get the full benefits of Qubes. And it doesn't hurt if you're already a Linux nerd. I think this can be improved, but Qubes will never be a "turn on and forget" security tool. Which security domains each user needs is completely dependent on their preferences and security needs. But if you understand your needs and understand how to use and configure AppVMs to fit them, you'll be able to use your computer with much higher security than if you were using a traditional OS.

The most recent version of QUBES is available here:

http://sourceforge.net/projects/qubesos/files/Qubes-R2-rc1-x86_64-DVD.iso/download

Qubes is for staying secure while still being able to use a wide variety of software that might contain zero day vulnerabilities, but it's not for staying anonymous. Qubes supports cool networking tricks, like making an AppVM where all traffic is forced to go through Tor, but this doesn't incorporate most of the anonymity tricks that Tails excels at.

Bottom line

For maximum security, I would recommend that people use Qubes on their computer for all their everyday, non-anonymous needs: checking email, chatting, using social media and browsing the web, developing software, doing research, writing articles. Since you do all of this work in AppVMs that run Linux (and optionally some of it in AppVMs that run Windows), you get the latest and best tools to work with, and it's simple to install new software. For more sensitive needs where anonymity is important, you can use Tor Browser Bundle inside of an AppVM.

TAILS: The Privacy Tool: Critical to Journalists Reporting on the NSA

TAILS: The Privacy Tool: Critical to Journalists Reporting on the NSA

April 2, 2014

By Trevor Timm 

Tails is an Linux operating system that can boot up a computer from a DVD or USB stick. It solves many of the problems users have when setting up encryption by doing it right the first time by default:

•  Very little setup is required. 
• It allows users to encrypt sensitive documents.
• You don’t have to configure any of the settings on any program.
• It forces all of your web traffic through the Tor anonymity network.
• It uses GPG encryption and OTR encryption when you are sending an email or an instant message.

Critically, Tails never actually touches your hard drive and securely wipes everything you've done every time you shut it down. This serves two important purposes: first, it helps journalists who are operating in environments or on networks that may already be compromised by governments or criminals. As we learned last week, if you’re working at a big news organization, that’s almost a given. Second, it prevents journalists from leaving any trace of work that they don’t specifically opt-in to leaving. This prevents information leaks in case your computer falls into the wrong hands.

All of these qualities make it an ideal tool for journalists who are either steeped in security training or are coming to encryption for the first time and are a big reason why it won Access's 2014 Innovation Award for Endpoint Security. As always, everyone should remember that no privacy tool—including Tails—can guarantee you 100% security from all adversaries, and like all software, Tails may have vulnerabilities or weaknesses that could be exploited. But that's all the more reason to support the project, so those vulnerabilities can be found and fixed as quickly as possible.

Edward Snowden famously first contacted Laura Poitras using GPG email encryption, which eventually led to her, Glenn Greenwald, and Barton Gellman breaking the biggest story in decades. However, another tool has been even more critical to all of the main NSA journalists, and many people outside the digital security community have never heard of it: Tails, a ground-breaking operating system that forces privacy best-practices by default.

With assurances from the Tails developers and the main players in the NSA revelations, we feel it's safe to tell this story for the first time, and we hope this vital encryption and anonymity project can finally get the credit—and much needed support—it deserves. You can donate to the Tails project by going here.

We asked the three original NSA journalists about how important Tails was to their work. Here's what they had to say:

Laura Poitras:

"I've been reluctant to go into details about the different steps I took to communicate securely with Snowden to avoid those methods being targeted. Now that Tails gives a green light, I can say it has been an essential tool for reporting the NSA story. It is an all-in-one secure digital communication system (GPG email, OTR chat, Tor web browser, encrypted storage) that is small enough to swallow. I'm very thankful to the Tails developers for building this tool."

Glenn Greenwald:

“Tails have been vital to my ability to work securely on the NSA story. The more I've come to learn about communications security, the more central Tails has become to my approach.”

Barton Gellman:

"Privacy and encryption work, but it's too easy to make a mistake that exposes you. Tails puts the essential tools in one place, with a design that makes it hard to screw them up. I could not have talked to Edward Snowden without this kind of protection. I wish I'd had it years ago."

The NSA stories have been the biggest story in journalism in the past decade, yet the tool relied on by the reporters who broke the stories is incredibly underfunded. Tails’ 2013 expense report shows that they only had an operating budget of around 42,000 euros, which is less than $60,000. They have only a handful of core developers and none are able to work full-time because of the lack of funds supporting it.

If you’d like to help journalists uncover more stories like the NSA revelations, help them by helping Tails. You can donate to them right now on our front page, along with other free software projects like Tor, Open WhisperSystems, and the LEAP encryption access project. You can also support Tails’ Knight Open News Challenge proposal, which could also get the Tails team critical funding so they can stay ahead of the security curve.