Comment by fsflover
4 days ago
>> Give me your actual threat model.
> A vulnerability in the VM allowing exfiltration.
Thanks, now we can talk technically without accusations.
> Any data in the VM is vulnerable if the VM has a vulnerability allowing exfiltration.
Qubes OS makes it possible to open any file in a dedicated, offline, disposable VM, for reading or for editing [0]. The original VM will not get compromised because it never touches the file. The disposable VM will not allow exfiltration, since it has no network (with the correct configuration).
There is a reason why this OS is chosen for SecureDrop Workstation [1].
> Then why did you suggest Qubes as a 100% secure OS?
There is nothing 100% in this world. Qubes is as close to 100% secure as possible. People often use imprecise expressions for things they wish existed. This is what I expected from your comment.
> Security clearly isn't your area of expertise. Security through correctness is indeed a solution to many/most threats.
Indeed, it is not my area. However it is the area of well-known security professionals whose opinion I trust [2].
[0] https://doc.qubes-os.org/en/latest/user/how-to-guides/how-to...
[1] https://workstation.securedrop.org/en/stable/
[2] https://blog.invisiblethings.org/2008/09/02/three-approaches...
> Thanks, now we can talk technically without accusations.
That was always within your control.
> The disposable VM will not allow exfiltration, since it has no network
Sure, unless you're doing something in the disposable VM that requires network traffic, like browsing.
> Qubes is as close to 100% secure as possible.
No, it isn't. It lacks numerous protections. It serves a purpose against certain threat models, but it's far from being close to 100% secure. Like I said, it's essentially a workaround.
> There is nothing 100% in this world.
So you agree Qubes is not a 100% secure OS like the other poster was asking for, correct?
> However it is the area of well-known security professionals whose opinion I trust.
None of them are claiming it is as close to 100% secure as possible. No security expert would. Not even a security hobbyist would. It's a nonsense claim.
>> The disposable VM will not allow exfiltration, since it has no network
> Sure, unless you're doing something in the disposable VM that requires network traffic, like browsing.
This is called goal shifting. Anyway, in this case Qubes can also save you. You browse untrusted websites in a disposable VM, which doesn't contain anything sensitive. You move any downloaded untrusted files to a dedicated storage VM and never open them there without another, dedicated disposable VM.
You browse trusted websites in another, more trusted VM. More details: https://doc.qubes-os.org/en/latest/user/how-to-guides/how-to...
> It lacks numerous protections. It serves a purpose against certain threat models, but it's far from being close to 100% secure. Like I said, it's essentially a workaround.
I challenge you to provide me with a threat model that is not covered by Qubes. You couldn't yet. You can call it a workaround, but it's the only approach that actually works today and in the foreseeable future.
> So you agree Qubes is not a 100% secure OS like the other poster was asking for, correct?
The poster is asking for a fairy-tale. I suggested something realistic that solves the problem instead.
> None of them are claiming it is as close to 100% secure as possible. No security expert would. Not even a security hobbyist would. It's a nonsense claim.
I also don't. But you seem to be seeking 100% security, don't you?
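As an added example, not code from the thread, the Qubes documentation or the SecureDrop project, the following script puts the two workflows fsflover describes into concrete Qubes CLI commands: the offline disposable template from the first comment (an AppVM with no NetVM, marked as a template for disposables and set as the default disposable of the qubes that handle untrusted files), and the later comment's routine of moving a download out of the browsing disposable into a storage qube and opening it only in a fresh disposable. The template name fedora-40 and the qube names offline-dvm, work and downloads-store are placeholders; the qvm-* tools are the standard Qubes ones, and the script prints the commands by default so it can be read and run anywhere before being applied in dom0 with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread, the Qubes docs or SecureDrop).
# Part 1 (run in dom0): create an offline disposable template, make it the
# default disposable for the qubes that handle untrusted files, and verify
# that it really has no NetVM before relying on it.
# Part 2 (run inside qubes): stash a download in a storage qube, open it
# read-only in a disposable that inherits the offline template's netvm.
# Assumptions (placeholders): template 'fedora-40' exists; qube names
# 'offline-dvm', 'work' and 'downloads-store' are ours to choose.
# DRY_RUN=1 (default) prints each command instead of executing it.

DRY_RUN="${DRY_RUN:-1}"
TEMPLATE="${TEMPLATE:-fedora-40}"
DVM="${DVM:-offline-dvm}"
WORK="${WORK:-work}"
STORE="${STORE:-downloads-store}"

# Print the command (showing empty arguments as '') or execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    out=''
    for a in "$@"; do
      case "$a" in '') out="$out ''" ;; *) out="$out $a" ;; esac
    done
    printf '%s\n' "${out# }"
  else
    "$@"
  fi
}

# dom0: an empty netvm means "no network"; every disposable spawned from this
# template inherits that, so nothing it is tricked into doing has a route out.
create_offline_dvm() {
  run qvm-create --template "$TEMPLATE" --label red "$DVM"
  run qvm-prefs "$DVM" netvm ''
  run qvm-prefs "$DVM" template_for_dispvms True
  run qvm-features "$DVM" appmenus-dispvm 1
  run qvm-prefs "$WORK" default_dispvm "$DVM"
  run qvm-prefs "$STORE" default_dispvm "$DVM"
}

# Interpret the answer of 'qvm-prefs <qube> netvm': only an empty (whitespace
# only) value means offline; any other value is the name of a NetVM.
netvm_is_offline() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    '') return 0 ;;
    *)  return 1 ;;
  esac
}

# dom0: the "correct configuration" check. Returns non-zero if the disposable
# template has (re)acquired a NetVM, e.g. after a later qvm-prefs change.
verify_offline_dvm() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'qvm-prefs %s netvm   # expect an empty answer\n' "$DVM"
    return 0
  fi
  netvm_is_offline "$(qvm-prefs "$DVM" netvm)"
}

# Inside the browsing disposable: hand the file to the storage qube. dom0's
# qrexec policy still prompts for or denies the transfer.
stash_download() {
  run qvm-copy-to-vm "$STORE" "$1"
}

# Inside the storage qube: received files land in ~/QubesIncoming/<source>/.
# Open a read-only copy in a fresh disposable (the default_dispvm set above)
# rather than in the storage qube itself.
open_from_store() {
  src="$1"; name="$2"
  run qvm-open-in-dvm --view-only "$HOME/QubesIncoming/$src/$name"
}

# Run as-is to print the dom0 plan; DRY_RUN=0 in dom0 applies it.
create_offline_dvm
verify_offline_dvm
```

The verification step matters more than it looks: the isolation argument in the thread rests entirely on the disposable template having no NetVM, and that is a mutable preference, so a script or person that later sets `netvm` to `sys-firewall` silently turns the "offline" disposable into one that can phone home. Checking the live value before opening anything sensitive closes that gap.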
> That was always within your control.
I wasn't talking about my own words.
> This is called goal shifting.
Far from it. You claimed Qubes was a 100% secure OS. I'm pointing out that it's not. Plenty of people use Qubes for browsing.
You are the only person goal shifting, by giving a specific scenario where you think your claim might apply (it still doesn't). When I mention a more common scenario, you call it goal shifting. This is blatantly dishonest.
> You browse untrusted websites in a disposable VM, which doesn't contain anything sensitive. You move any downloaded untrusted files to a dedicated storage VM and never open them there without another, dedicated disposable VM.
Yeah, I know how Qubes works - you're continuing to miss the point. Sometimes, you may have to upload sensitive data, so you do it in a disposable VM. That disposable VM is protected from all your other disposable VMs, but it isn't protected if something manages to get access to that particular disposable VM. Do you get it now? Stop being obtuse, just admit your claim was bogus. Be honest.
> I challenge you to provide me with a threat model that is not covered with Qubes. You couldn't yet.
I already did above lol. Kernel level RCE that grants a remote root shell. Boom.
What you don't understand is that a secure OS could protect against that, and there are such secure OSs in existence - just not targeted at consumers.
Qubes can limit the damage, but it doesn't prevent it. It doesn't even really try.
> You can call it a workaround, but it's the only approach that actually works today and in the visible future.
That's just not true, and it's why institutions that actually need real, verifiable security are not using it. It's a hack mainly used by hobbyist tinkerers like yourself.
> The poster is asking for a fairy-tale. I suggested something realistic that solves the problem instead.
It doesn't solve the problem, it's a workaround.
You don't seem to have the ability to flat out admit you were wrong, but I suppose this is as close as you're capable of coming to doing so. I'll take it.
> I also don't.
You literally did so in your last reply.
> I wasn't talking about my own words.
Right, but I was. If you wanted to have a technical discussion, you could have responded with a technical argument in your first reply to me. You didn't, you chose to preach and be overly defensive instead.