First, I want to thank Barry for such an excellent distro, Easy OS, an easy-to-use distro that provides much of the privacy and security needs I can think of.
Rockedge, thank you for your reply.
"What is the advantage of running EasyOS which can create multiple isolated containers itself, on a virtual machine?
Perhaps nesting the EasyOS containers within a virtual machine layer?"
Perhaps you can add more illumination to the implications of some of the options.
Qubes uses Virtualization that is enabled by hardware Virtualization Options. In earlier versions of Qubes, the Qubes OS could be installed on hardware that did not use hardware enabled Virtualization. Not anymore.
Well. To quote the Qubes OS Installation documentation.
"Even on supported hardware, you must ensure that IOMMU-based virtualization is activated in the BIOS or UEFI. Without it, Qubes OS won’t be able to enforce isolation. For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (Intel VT-d) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply AMD-Vi). This parameter should be activated in your computer’s BIOS or UEFI, alongside the standard Virtualization (Intel VT-x) and AMD Virtualization (AMD-V) extensions. This external guide made for Intel-based boards can help you figure out how to enter your BIOS or UEFI to locate and activate those settings. If those settings are not nested under the Advanced tab, you might find them under the Security tab."
So there is a difference between Containers as used by Easy OS and Virtualization also enforced by hardware in Qubes OS.
Bringing up the question: Is what Qubes is doing in requiring Hardware Virtualization really an improvement, or is it "Security Theater"?
I am really not qualified to answer.
To obtain what I hope is the Security reliability that Qubes offers in creating a temporary Qube that downloads information from the Internet (then transferring that data to another Qube for reading, decrypting, preparing replies, and so on, preventing that information from starting other online connections, like some emails and documents do with links), I would have to restart Easy OS, unless of course Containers are as secure as we could hope they are. Then I could just copy data, possibly malware, into another container as I would another Qube.
The part of Qubes that is the Hypervisor, Xen, and the isolation of different Qubes, like Fedora, Debian Qubes, or Whonix Qubes, is what the Qubes Developers provide. Qubes OS relies upon those others who provide those distros to do the maintaining of their own Distros. There is an ongoing discussion about the one browser pre-installed into the temporary Qube. By temporary, I mean the entirety of the Qube is presented as a clean, fresh OS (as defined by its Template) without any data or malware from a previous internet interaction. I am not contending that Containers do not intend to accomplish the same thing, or if they do or don't. I am trying to emphasize a different point. The browser supplied in the main temporary (in Qubes speak, disp qube) is a basic Firefox, as it comes from Mozilla. The Search Engine is Google, and it has the preinstalled trackers still there. Some have suggested that the basic browser should be modified for better Security, no trackers. Not only would that represent more work for Qubes Developers, it requires them to constantly consider how every update from Mozilla impacts all the goals of Qubes, while any change also offers a different browser Fingerprint. So the developers (I guess this is their reason) present it as is. Qubes Developers focus on keeping what they do secure. The Qubes distros offered are with XFCE, minimized to keep RAM use less (important in effectively running several OS's at the same time), with a considered "Attack Surface."
IMO, not a finished Operating System, but a "Tool Kit" of an Operating System. Installing the kind of third party software that many use every day can be time consuming, and would seem inconsequential to someone who had several years of Linux Classes at the University Level, and impossibly frustrating for a Journalist who is spending his time to earn a living. Much of the information that was once gathered by "Investigative Reporting" now falls to amateurs. I was told that the many thousands in jail in China for posting on the internet something the Chinese government did not like made no attempt to use any secure software, but posted onto things like Facebook, Twitter (yeah, now X), TikTok--public media sites.
A Human Rights Attorney wrote to me and said he has spent hours with individuals at risk in trying to help them to implement Qubes. Often on Zoom, as they came from Windows and refused to consider another option for Video Chat. FYI, at that time, all Zoom Video went through servers in China, even if I was using Zoom to talk to someone across the street. The Chinese government made it clear: if any other government presented a request for information, or to start monitoring an individual's use of Zoom, the Chinese government would provide it. Would I feel better if the country which housed the video chat servers was in my own country, NSA?
Of little matter. A more accomplishable aim, the real question, is how to keep out "Surveillance Capitalism," internet annoyances that come with my choosing third party software, which is not just meant to help me accomplish my goals, but some other goals unsuspected by me.
A Human Rights attorney needs to consider not just keeping the client safe who does not know what he is doing, but all of his clients, as he, his computer, is the Nexus for all their contacts and information. I feel the attorney might be better to recommend to those who come to him for help to use Easy OS.
Amnesty International (USA) is clear in not doing encryption. That is, I think, they are suggesting that whatever information one should send them, we should prepare for the idea it can become public. I think they intend to say, we don't keep secrets. I get them. Secrets are never actionable.
I still feel there is a need to change Qubes from a "Tool Kit" into a more finished, directly usable OS for the non-geeky user.
Building a Qube for Easy OS likely requires creating internet connections by way of the Qubes Sys-Firewall, and removing some of the way Easy does disk things, USB, and possibly Containers. Much of Easy OS is about already installed programs.
I write this thinking to put in the front of the mind of the reader what I am thinking. I apologize if I seem to be talking down to those of you who are more knowledgeable in these subjects than myself.
I realize I probably left out a lot of stuff about internet Security and threat levels that some out there think should have been mentioned. Can we rather focus on the possibility of finding some techie-geeky person here who can create the Qube of Easy OS?
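
For the hardware requirement quoted from the Qubes documentation in the post above, an added example (not part of the original post, and not code from Qubes or EasyOS) that checks from a running Linux system whether the CPU virtualization extension and an active IOMMU are visible. The function names are hypothetical; it assumes an ordinary Linux boot with the standard /proc/cpuinfo and /sys/kernel/iommu_groups paths.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from Qubes or EasyOS.
# Paths are parameters so the checks can be pointed at constructed test files.

# cpu_virt_ext [CPUINFO] -> "vt-x" (Intel vmx), "amd-v" (AMD svm) or "none".
# A VM guest without nested virtualization also reports "none".
cpu_virt_ext() {
    cpuinfo="${1:-/proc/cpuinfo}"
    flags=$(grep -E '^flags[[:space:]]*:' "$cpuinfo" 2>/dev/null | head -n 1) || true
    # Pad with spaces so a flag matches only as a whole word.
    case " $flags " in
        *" vmx "*) echo "vt-x" ;;
        *" svm "*) echo "amd-v" ;;
        *)         echo "none" ;;
    esac
}

# iommu_group_count [DIR] -> number of IOMMU groups the kernel has set up.
# Zero means the IOMMU (VT-d / AMD-Vi) is not active for this kernel:
# off in firmware, unsupported, or not enabled by the kernel.
iommu_group_count() {
    dir="${1:-/sys/kernel/iommu_groups}"
    n=0
    for g in "$dir"/*; do
        if [ -d "$g" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# hw_isolation_status [CPUINFO] [DIR] -> one word summarising both checks.
hw_isolation_status() {
    ext=$(cpu_virt_ext "${1:-/proc/cpuinfo}")
    ngroups=$(iommu_group_count "${2:-/sys/kernel/iommu_groups}")
    if [ "$ext" = "none" ]; then
        echo "no-cpu-virt"
    elif [ "$ngroups" -eq 0 ]; then
        echo "no-iommu"
    else
        echo "ready"
    fi
}

echo "CPU extension: $(cpu_virt_ext)"
echo "IOMMU groups:  $(iommu_group_count)"
echo "Status:        $(hw_isolation_status)"
```

A "no-iommu" result on hardware that supports it points at the firmware setting the quoted documentation describes, or at a kernel that has not enabled the IOMMU.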