https://lug.mtu.edu/w/index.php?action=history&feed=atom&title=Minutes_2026-02-19Minutes 2026-02-19 - Revision history2026-04-06T15:28:16ZRevision history for this page on the wikiMediaWiki 1.39.10https://lug.mtu.edu/w/index.php?title=Minutes_2026-02-19&diff=8083&oldid=prevFreya: Created page with "=Meeting Minutes 2026-02-19= Qubes presentation by Simone * Traditional OS security is not ideal ** No isolation by default ** Assumes trusted kernel ** Only one compromised app can take over the system ** Easy lateral movement for hacks * Qubes: ** Type 1 hypervisor as desktop OS ** Everything is isolated in VMs ** 1 VM per ** This contains compromised apps within the part of the system they are used on ** Based on Xen hypervisor * Architecture: ** Xen hypervisor, hard..."2026-02-20T00:41:15Z<p>Created page with "=Meeting Minutes 2026-02-19= Qubes presentation by Simone * Traditional OS security is not ideal ** No isolation by default ** Assumes trusted kernel ** Only one compromised app can take over the system ** Easy lateral movement for hacks * Qubes: ** Type 1 hypervisor as desktop OS ** Everything is isolated in VMs ** 1 VM per ** This contains compromised apps within the part of the system they are used on ** Based on Xen hypervisor * Architecture: ** Xen hypervisor, hard..."</p>
<p><b>New page</b></p><div>=Meeting Minutes 2026-02-19=<br />
Qubes presentation by Simone<br />
<br />
* Traditional OS security is not ideal<br />
** No isolation by default<br />
** Assumes trusted kernel<br />
** Only one compromised app can take over the system<br />
** Easy lateral movement for hacks<br />
* Qubes:<br />
** Type 1 hypervisor as desktop OS<br />
** Everything is isolated in VMs<br />
** 1 VM per<br />
** This contains compromised apps within the part of the system they are used on<br />
** Based on Xen hypervisor<br />
* Architecture:<br />
** Xen hypervisor, hardened<br />
** Dom0: management VM<br />
** DomU: unpriveleged VMs<br />
* Dom0:<br />
** NOT HOST<br />
** Priveleged<br />
** Gets most hardware by default<br />
** Window Manager/GUI is in Dom0<br />
** No networking<br />
** Enforces color coding on<br />
* AppVMs:<br />
** Unpriveleged<br />
** Usually Debian or Fedora<br />
** Runs user applications<br />
** Video sent to Dom0<br />
** Input sent from Dom0<br />
** Stateless by default: /home persists but root filesystem doesn't<br />
* TemplateVMs:<br />
** Snapshot-based templates<br />
** Contains installed packages<br />
** No direct internet access (update by proxy, updates all AppVMs)<br />
* DisposableVMs:<br />
** Similar to AppVms, but self-destructs<br />
** Useful for viewing untrusted files or sites<br />
** Also useful to get a fresh environment<br />
** Automatic creation and deletion<br />
* Virtualization:<br />
** PVH by default<br />
** Can be fully virtualized (FVH) as an option<br />
** Qubes Windows Tools (QWT) to work with Windows better<br />
** Can use any OS<br />
* Networking:<br />
** Dedicated VM for network<br />
** Hardware passthrough<br />
** Firewall is between AppVMs and hardware<br />
** Impossible to sniff network activity from the VMs<br />
* Peripherals:<br />
** Dedicated USB VM<br />
** Can forward USB devices to Qubes<br />
** Isolates malicious USBs<br />
*** Can spin up a disposable VM to investigate<br />
** Audio/Bluetooth have similar systems<br />
* GUI:<br />
** Each VM renders own windows<br />
** Dom0 composites video together<br />
** Per-VM color coding (makes popups harder to fall for)<br />
** Each VM has an emulated GPU<br />
** Anything that requires a real GPU will need hardware passthrough<br />
* VM Communication:<br />
** qrexec lets Dom0 control VMs<br />
** &quot;Send to Qube&quot; to share files between VMs<br />
** &quot;Open URL in Qube&quot;<br />
* Whonix/TOR:<br />
** Whonix is built into Qubes OS<br />
** Whonix runs everything only through TOR<br />
*** Really slow<br />
** Whonix-gateway: runs TOR only<br />
** Whonix-workstation: routes traffic through gateway, disposable<br />
* Updates/Trust:<br />
** sys-whonix: updates over TOR<br />
** sys-net: updates everything else, managed by Dom0<br />
* Performance:<br />
** So many VMs has a cost<br />
** Most VMs are idle, and Xen reallocates unused memmory<br />
** Overhead with CPU performance, RAM, and I/O<br />
** Recommended at elast 32GB RAM, and an SSD<br />
** Requires hardware virtualization (VT-x/VT-d, AMD-V, IOMMU)<br />
** Qubes in VM is unsupported<br />
<br />
* Useful for journalists, developers, and the paranoid<br />
* Reduces risk<br />
* Trains visual/habitual security<br />
<br />
* NOT FOR BEGINNERS<br />
* Not meant for games<br />
* Firmware malware still a problem<br />
* Annoying and takes a lot of work to run<br />
<br />
* Demo:<br />
** Lots of VMs on the system<br />
** VMs for:<br />
*** Discord<br />
*** Work<br />
*** Personal<br />
*** Vault<br />
*** Untrusted<br />
*** USB devices<br />
*** Firewall<br />
** Disposable VM can be created to inspect a USB safely<br />
*** Popups, other sneaky things are both isolated and easy to see<br />
** All Qubes can be seen on the Qube Manager</div>Freya