Qubes OS – My few weeks so far with using it.
In this entry I will give some of my notes on using Qubes OS. I have been testing it for a few weeks on one of my laptops.
Laptop specs (2016)
Dell Inspiron 17” model
i5-3337U CPU
16G memory
1T drive (Western Digital blue)
Qubes OS specs
OS version 4.0
Updated Fedora 26 to Fedora 28 on containers
Updated Whonix from 13 to 14
Using Debian 9
What is Qubes OS? The site’s web page has a number of very well written sections that describe the system. I will let you take a deeper look for yourself there, but here are a few things. The introduction page of the Qubes OS web site (www.qubes-os.com) describes it as:
Qubes OS is a security-oriented operating system (OS). The OS is the software that runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.
Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.
This approach allows you to keep the different things you do on your computer securely separated from each other in isolated qubes so that one qube getting compromised won’t affect the others. For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use disposable qube. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.
Moreover, all of these isolated qubes are integrated into a single, usable system. Programs are isolated in their own separate qubes, but all windows are displayed in a single, unified desktop environment with unforgeable colored window borders so that you can easily identify windows from different security levels. Common attack vectors like network cards and USB controllers are isolated in their own hardware qubes while their functionality is preserved through secure networking, firewalls, and USB device management. Integrated file and clipboard copy and paste operations make it easy to work across various qubes without compromising security. The innovative Template system separates software installation from software use, allowing qubes to share a root file-system without sacrificing security (and saving disk space, to boot). Qubes even allows you to sanitize PDFs and images in a few clicks. Users concerned about privacy will appreciate the integration of Whonix with Qubes, which makes it easy to use Tor securely, while those concerned about physical hardware attacks will benefit from Anti Evil Maid.
There are some key things I was looking to do in my testing; some I have mostly been able to do so far, and some I have not.
• Ease of installation and upgrades by me.
• Use of security-oriented web browsing.
• Install and usage of apps: chat clients, word processing, email, openvpn, and some other general and special ones.
• Usage of other OS’s like Ubuntu, BSD, Windows, etc.
• Use of security and penetration testing apps, namely Kali and Parrot.
• Use of USB devices with different system qubes. Things like external drives, mice, DVD, WiFi systems.
• Ease of setting up qubes and new domains.
• Ease of usage day to day.
So to begin, here is what I have run across so far from using it for a few weeks.
Ease of installation and upgrades by me.
It took about 30 minutes to do the standard install of the OS on the laptop. The questions asked were straightforward and easy to understand. Much of the install time was just waiting for the system to copy over the programs and create the default qubes. I did have a few questions that I needed to look up to make sure I understood what they wanted, for example the usage of multiple qubes for each USB device. I chose to have one qube handle all the USB devices; so far that seems to be working OK for me.
Qubes 4.0 has Fedora 26, not Fedora 28, and Whonix 13, not Whonix 14, as the defaults, so they needed updating after I installed the system. The upgrade from Fedora 26 to 28 was quick and relatively simple. The web site has well-explained steps for doing the upgrade; they were easy to understand, and following them worked without any noticeable problem. The Whonix upgrade, on the other hand, was a bit more problematic as of this entry. If you do not know about Whonix, it has two separate sections: one is a Workstation and the other is a Gateway. The Workstation qube seemed to upgrade mostly without any issues; I needed to attach a networking VM to get it to fully upgrade. After that first upgrade, I have been able to use the VM-defined upgrade procedure with no discernible issue so far. The Gateway is still causing me issues in upgrading: many of the sites it asks for are not available for downloading app upgrades. Even with a network VM connected, it still does not fully upgrade all the apps. For now I am using the original Gateway VM, and everything seems to be working OK for my Tor services. I am hoping that when 4.1 ships it will have all the upgraded systems as default.
Debian 9 only needed the app upgrade and update from the Qubes Manager system, no issues or problems so far with that.
Upgrading Dom0 went without a hitch; as stated before, the command and steps required were well defined in the documentation. No problems so far in any of the upgrades.
Use of USB devices with different system qubes. Things like external drives, mice, DVD, WiFi systems.
So far most everything connected to any of the qube VMs with no problems. My USB HDD was using exFAT as its format, so I needed to install the extfuse utilities on the Fedora 28 qube. It was easy to do with the yum install system; Debian did not need any fuse installs for the HDD. My built-in web cam even worked with Skype. An issue I have been running into is my ALFA external USB WiFi device. It will not connect to any Debian VM qube; it connects fine to any Fedora VM qube. I still have no idea why, so that is something to note. I am using an external USB mouse, so that works fine so far as well. I am currently having issues with burning DVDs/CDs; I am not able to burn any using my system. There have been tips to add brasero to Dom0 and burn that way, but I have not given that a try yet. The need to add an external repository to Dom0 seems like a security issue, so I am going to hold off for now.
Usage of other OS’s like Ubuntu, BSD, Windows, etc.
To get started: the documentation says that Windows 7 is the only version with supported tools that will allow individual screens for different apps. Windows 10 and other versions are not supported, per the documentation. I have not been able to get Windows 7 or Windows 10 running in a VM qube as of this entry. They seem to crash during the install, or mostly install and then not find any apps to load. So far I can get most of what I want done without using Windows, but for people who need Windows it may be something to note if you want to use Qubes. Maybe some time a patron will give millions so the people can hire a full crew and have it work.
I was able to get both Ubuntu 16.04 and 18.04 server installed and working. Ubuntu 18.04 uses a different netmask setup, and I needed to do a bit of googling for the fix. That is less of a Qubes issue and more of an Ubuntu issue; sometimes change is hard, like this was. 16.04 installed correctly the first time. Note: you need to remember that DHCP does not work the way you would expect with Ubuntu. When you set up a VM, it will give you the IP, mask and gateway, and you need to manually add them to the system being installed. Kali and Parrot accepted the DHCP entry with no manual entry.
Tried Windows XP for a hacking machine test; no luck with a full install. I am still going to try, but not currently.
Use of security and penetration testing apps, namely Kali and Parrot.
Good news mostly on this front: both Kali 2018-2 rolling and Parrot 4.4 installed and seem to be working, except that WiFi is not working because I am not able to get my ALFA USB WiFi device mounted to the Parrot or Kali VM qube. Like all technology, some things need work. I was able to use Fedora for my WiFi testing, so maybe in time. I have not done a full test of all the pen testing apps, but so far it looks good. The install went simply except for the IP creation, but I was able to manually add the IP address quickly and easily.
Ease of setting up qubes and new domains.
Creating VMs is different from what I am used to. Programs like VirtualBox, VMware and Parallels are what I am used to, so there has been a bit of a learning curve. It is getting easier to understand now that I have set up a few. It seems to be quicker to set up VMs the way they do it. To create a usable qube in Qubes, you use what they call a template. Check out the glossary on their page for a deeper description. I set up a VM that I called debian-security, which I am using for testing other security browsing apps: what people may call the dark web apps, i2p and freenet. I made a clone of the default Debian-9 template, then made an AppVM running the applications. I install all the applications that I want to run on the cloned template so they are available in the AppVM. The application i2p installed perfectly and seems quite fast. freenet still has a few issues I am working on currently: connections to other users will work and then crash, so I may have to reinstall a few times to work out the reason why. I also set up testing templates for installing an application first and then, if it works, installing it to the main template. So far not many issues; all seem quite stable.
Install and usage of apps: chat clients, word processing, email, openvpn, and some other general and special ones.
This covers installing and using day-to-day apps like word processing, chatting, video, mail, browsing, and file-system usage. So far I am happy with the ease of installing all of them. Most apps I use are in the repos for Fedora or Debian. When I have needed to load an external app by downloading and installing it that way, there have not been any issues, so not much to say on this so far. Games are an issue, mostly not able to do, but that is not an issue for me anyway. I am working on setting up an openvpn for my home and will keep you posted as I work with it. I am using LibreOffice for my documents, and I will be trying softoffice as well soon. All the office apps seem to work fine and installing was simple: I downloaded the program and did the yum install. Currently I am using the Fedora template as my program template. I will try Debian as well soon. I use Thunderbird and it works with no issues that I have found. It defaults to the Firefox browser; for now I am happy with it, and I will be trying Chrome and a few others. I am working with both Skype and Google Hangouts with no issues found; I am able to use video and file exchange. At times Hangouts has issues with exchanging desktop videos, but I have had that issue before. Using apps like Blackboard also has a few issues with exchanging desktops between people. I added SoftMaker FreeOffice, but it does not work, and I also can’t seem to remove it. (Still no luck on removal.)
Ease of usage day to day.
Having separate AppVMs for different usages, and knowing they are functionally separate and seem secure, is nice. And being a bit geeky, it’s cool to use. Booting up and shutting down take time. Booting up the laptop is slow because it needs to load some VMs in the background, like networking, gateways and USB devices. I have a mechanical HDD; an SSD would be faster. Shutting down is slow as well, depending on how many VMs are running.