Qubes OS 3.1 Has Been Released

Burz writes: Invisible Things Labs has released Qubes OS 3.1. Some of the features recently introduced into this secure concept, single-user desktop OS are Salt management, the Odyssey abstraction layer, and UEFI boot support. The 3.x series also lays the groundwork for distributed verifiable builds, Whonix VMs for Tor isolation, split-GPG key management, USB sandboxing, and a host of others. Qubes has recently gained a following among privacy advocates, notable among them journalist J.M. Porup, Micah Lee at The Intercept and Edward Snowden. Embodying a shift away from complex kernel-based security and towards bare metal hypervisors and IOMMUs for strict isolation of hardware components, Qubes seals off the usual channels for 'VM breakout' and DMA attacks. It isolates NICs and USB hardware within unprivileged VMs which are themselves are a re-working of the usual concept, each booting from read-only OS 'templates' which can be shared. Graphics are also virtualized behind a simple, hardened interface. Some of the more interesting attacks mitigated by Qubes are Evil Maid, BadBIOS, BadUSB and Mousejack.

Re:

[Anonymous Coward]

Only if you want to boot a completely secure OS and then spend a lot of time doing absolutely nothing useful with it

Did it take many years of advanced training to reach your level of cluelessness, or did it come naturally for you?

Re:

[Burz]

OK, I'll bite... Yes, you probably could run Fallout 4 on Qubes IF you installed an additional graphics card on the system and assigned its PCI device to the VM were you installed the game. Qubes cannot yet virtualize 3d GPU access, so VMs either have to go through the shared virtual 2d mode or have a whole (additional) graphics card assigned to them via the IOMMU.

Its also possible you could run the game in the privileged domain where it would have access to the GPU, but I'm not sure if taking that risk wou

Re:

[PopeRatzo]

Yes, you probably could run Fallout 4 on Qubes IF you installed an additional graphics card on the system and assigned its PCI device to the VM were you installed the game. Qubes cannot yet virtualize 3d GPU access, so VMs either have to go through the shared virtual 2d mode or have a whole (additional) graphics card assigned to them via the IOMMU.

This is why I love Slashdot. Ask a stupid question and get a thoughtful, serious answer that might actually be useful.

Thanks, Burz. You're OK.

Re:

[Burz]

You're OK too, for a corrupt ex-Pope :P

Re:

[lhowaf]

This sort of acrimonious shite causes me to question the value of AC posts.

Maybe there should be a "Registered User Posting Anonymously" that gets a score of 0 while AC posts get a score of -1.

A word to the wise

[petes_PoV]

When announcing a new "thing" or a new version, it's often helpful to tell people WHAT IT IS and WHAT IT IS FOR.

Re:

[freeze128]

I agree with your sentiment. All too often, the summary says "Hey, there is a new version of XXXXXX that has just been released!", and that's it. Then, the reader has to do RESEARCH to find out what it is, and why they should care.

However, in this case, the summary has all the info you need, as long as you read ALL of it. It does indeed say that it is an "secure concept, single-user desktop OS".

Re:

[jwymanm]

What the hell is wrong with both of you? You clearly missed the summary that has all the info you need, as long as you read all of it. It clearly states that it is a secure concept single user desktop OS. Geez, what is wrong with this place. Yes, tongue in cheek.. :)

Re:

[Burz]

From the OP, it is a secure desktop OS.

Re:

[Bobo]

It's an operating system designed with security in mind. What part of the summary was unclear? The "OS" phrase, reference to moving away from kernel based security, hypervisors, VM based isolation of hardware devices, and list of attacks it claims to mitigate seemed like a dead giveaway.

"Invisible Things Labs has released Qubes OS 3.1. Some of the features recently introduced into this secure concept, single-user desktop OS"

Re:

[fisted]

Yeah, what coul

this secure concept, single-user desktop OS

possibly be?

In your defense, it's only the 2nd sentence of TFS, can't noone expect you to have that high of an attention span, as it would certainly take you half an hour to read all the way till there.

Re:

[Natales]

Really? has the IQ level in Slashdot gone downhill that much that you can't even do a Google search?

If you frequent this site, you will notice this community is big on privacy, and QubesOS has been for quite some time among the best options out there, since they are the only ones addressing very hard problems, like hard isolation of driver-level components in the OS, such as the USB or the Network subsystems for example. This is particularly good to mitigate against 'evil maid' type attacks and such. The

Re:

[petes_PoV]

you can't even do a Google search?

If you weren't so quick to scoff and had actually gone to the announcement page for this "thing" you would realise that there is no mention at all about WHAT IT IS or WHAT IT IS FOR. It dives straight in jargon about the new features.

It is plain to every professional that if you want people to engage - especially when writing publicity material (such as announcing a new release) that it will answer the readers' questions. The most basic question is WHAT IS THIS THING?

However it's typical of FOSS that th

Re:

[Anonymous Coward]

> So it's an OS?

What is QubesOS? [qubes-os.org]

> Is a Linux derivative?

Is Qubes just another Linux distribution? [qubes-os.org]

> Can it run software targeted as other OSes?

Managing Operating Systems withing Qubes [qubes-os.org]

> Does it has system?

???

> Is it targeting anything specific in terms of hardware.

Hardware Compatibility List [qubes-os.org]

> Or purpose (embedded, desktop, phone, server)?

How is QubesOS different from..? [blogspot.com]

Qubes 3.1 ?

[Anonymous Coward]

I'm waiting for 3.11 - Qubes for Workgroups.

Possible Changes to Qubes OS

[Anonymous Coward]

Just a few ideas for the Qubes OS...

Qubes OS needs to use the Mirage OS model for all its master (dom0) and utility VMs (network, VPN, firewall, usb controller/multiplexer, vault, storage, crypto, ...). If there was a way to use the Linux loadable module interfaced easily in the Mirage OS it would allow access a larger number of available/newly updated device drivers. Another possibility is to use minimal kernels like Atom or CoreOs and add the modules as required. Full OS VMs would still be allowed for t

Re:

[Burz]

Someone is already trying to get Mirage working with Qubes. Check out the dev mailing list.

Your UI ideas are interesting. Qubes' UI is already pretty special though. Its a great foundation for accurately portraying what's going on inside the system.

Qubes 3.1 already has some of the 'USB allocation' capability you mention: This release can pass through a USB mouse from a USB VM to the rest of the system... this means that an infected mouse cannot masquerade as a keyboard and start entering malicious commands

Raspberry Pi?

[ooloorie]

Could this run on Raspberry Pi or does that lack some necessary hardware support?

Re:

[Burz]

Qubes currently only runs on 64bit x86 CPUs, preferably with IOMMU support. ARM is not yet supported, however the Odyssey framework is designed to allow switching-out the hypervisor or hardware platforms, so it could be made to work.

Also, a big reason why Qubes runs x86 is that it was envisioned as a way to run Windows and closed-source apps safely under the control of a FOSS hypervisor and virtualized hardware.

Re:

[Bobo]

Also, a big reason why Qubes runs x86 is that it was envisioned as a way to run Windows and closed-source apps safely under the control of a FOSS hypervisor and virtualized hardware.

That's super cool. Are you associated with the project? Do you have any examples of use-cases in the wild, or anyone using it in production? I could imagine for example a journalism organization or a government body being interested in legacy support for closed-source/Windows applications being very interested in the added security here.

Re:

[Burz]

I'm just a user, though I have a small list of enhancements I want to make. The project is not actively documenting use cases, although people do discuss them on the mailing list. There is enough corporate and institutional interest in Qubes to have made the integration of Salt necessary.

Looks cool, but..

[subk]

..Can I run Enlightenment or XFCE (for example) or am I bound to KDE?

Re:

[Burz]

XFCE is an install option.

good

[tranvantri]

good