<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:og="http://ogp.me/ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:schema="http://schema.org/" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#" version="2.0" xml:base="https://www.linuxjournal.com/">
  <channel>
    <title>Qubes</title>
    <link>https://www.linuxjournal.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>Travel Laptop Tips in Practice</title>
  <link>https://www.linuxjournal.com/content/travel-laptop-tips-practice</link>
  <description>  &lt;div data-history-node-id="1340226" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/kyle-rankin" lang="" about="https://www.linuxjournal.com/users/kyle-rankin" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;Kyle Rankin&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;&lt;p&gt;&lt;em&gt;It's one thing to give travel advice; it's another to follow it.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;
In past articles, I've written about how to prepare for a vacation or other
travel when you're on call. And, I just got back from a vacation where I
put some of those ideas into practice, so I thought I'd write a follow-up
and give some specifics on what I recommended, what I actually did
and how it all worked.
&lt;/p&gt;

&lt;span class="h3-replacement"&gt;
Planning for the Vacation&lt;/span&gt;

&lt;p&gt;
The first thing to point out is that this was one of the first vacations
in a long time where I was not on call, directly or indirectly. In my
long career as a sysadmin responsible for production infrastructure, I've
almost always been on call (usually indirectly) when on vacation. Even if
someone else was officially taking over on-call duties while I was away,
there always was the risk that a problem would crop up where they would
need to escalate up to me. Often on my vacations something &lt;em&gt;did&lt;/em&gt; blow
up to the point that I needed to get involved. I've now transitioned
into more of a management position, so the kinds of emergencies I face
are much different.
&lt;/p&gt;

&lt;p&gt;
I bring up the fact that I wasn't on an on-call rotation not
because it factored into how I prepared for the trip, but because,
generally speaking, it &lt;em&gt;didn't&lt;/em&gt; factor in except that I didn't have to go
to as extreme lengths to make sure everyone knew how to contact me in
an emergency. Even though I wasn't on call, there still was a chance,
however remote, that some emergency could pop up where I needed to
help. And, an emergency might require that I access company resources, which
meant I needed to have company credentials with me at a minimum. I
imagine for most people in senior-enough positions that this
would also be true. I could have handled this in a few ways:
&lt;/p&gt;

&lt;ol&gt;&lt;li&gt;
Hope that I could access all the work resources I might need from my
phone.&lt;/li&gt;

&lt;li&gt;
Carry a copy of my password manager database with me.&lt;/li&gt;

&lt;li&gt;
Put a few select work VMs on my travel laptop.&lt;/li&gt;
&lt;/ol&gt;&lt;p&gt;
I chose option number 3, just to be safe. Although I'm not superstitious,
I still figured that if I were prepared for an emergency, there was a
better chance one wouldn't show up (and I was right). At the very least,
if I were well prepared for a work emergency, if even a minor problem
arose, I could respond to it without a major inconvenience instead
of scrambling to build some kind of MacGyver-style work environment
out of duct tape and hotel computers.
&lt;/p&gt;

&lt;span class="h3-replacement"&gt;
Selecting the Travel Computer&lt;/span&gt;

&lt;p&gt;
As I've mentioned in previous articles, I recommend buying a cheap,
used computer for travel. That way, if you lose it or it gets damaged,
confiscated or stolen, you're not out much money. I personally bought a
used Acer Parrot C710 for use as a travel computer, because it's small,
cheap and runs QubesOS pretty well once you give it enough RAM.
&lt;/p&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/travel-laptop-tips-practice" hreflang="en"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Wed, 21 Nov 2018 13:00:00 +0000</pubDate>
    <dc:creator>Kyle Rankin</dc:creator>
    <guid isPermaLink="false">1340226 at https://www.linuxjournal.com</guid>
    </item>
<item>
  <title>Weekend Reading: Qubes</title>
  <link>https://www.linuxjournal.com/content/weekend-reading-qubes</link>
  <description>  &lt;div data-history-node-id="1339883" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/carlie-fairchild" lang="" about="https://www.linuxjournal.com/users/carlie-fairchild" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;Carlie Fairchild&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;&lt;p&gt;&lt;a href="https://www.qubes-os.org/"&gt;Qubes OS&lt;/a&gt; is a security-focused operating system that, as tech editor Kyle Rankin puts it, "is fundamentally different from any other Linux desktop I've used". Join us this weekend in reading Kyle's multi-part series on all things Qubes.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.linuxjournal.com/content/secure-desktops-qubes-introduction"&gt;Secure Desktops with Qubes: Introduction&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this first article, I provide an overview of what Qubes is, some of the approaches it takes that are completely different from what you might be used to on a Linux desktop and some of its particularly interesting security features. In future articles, I'll give more how-to guides on installing and configuring it and how to use some of its more-advanced features.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.linuxjournal.com/content/secure-desktops-qubes-installation"&gt;Secure Desktops with Qubes: Installation&lt;/a&gt;&lt;/p&gt;

&lt;p dir="ltr"&gt;This is the second in a multipart series on the Qubes operating system. In my first article, I gave an overall introduction to Qubes and how it differs from most other desktop Linux distributions, namely in the way it focuses on compartmentalizing applications within different VMs to limit what attackers have access to in the event they compromise a VM. This allows you to use one VM for regular Web browsing, another for banking and a different one for storing your GPG keys and password manager. In this article, I follow up with a basic guide on how to download and install Qubes, along with a general overview of the desktop and the various default VM types.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.linuxjournal.com/content/secure-desktops-qubes-compartmentalization"&gt;Secure Desktops with Qubes: Compartmentalization&lt;/a&gt;&lt;/p&gt;

&lt;p dir="ltr"&gt;This is the third article in my series about Qubes. In the first two articles, I gave an &lt;a href="http://www.linuxjournal.com/content/secure-desktops-qubes-introduction"&gt;overview&lt;/a&gt; about what Qubes is and described &lt;a href="http://www.linuxjournal.com/content/secure-desktops-qubes-installation"&gt;how to install&lt;/a&gt; it. One of the defining security features of Qubes is how it lets you compartmentalize your different desktop activities into separate VMs. The idea behind security by compartmentalization is that if one of your VMs is compromised, the damage is limited to just that VM.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.linuxjournal.com/content/secure-desktops-qubes-extra-protection"&gt;Secure Desktops with Qubes: Extra Protection&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/weekend-reading-qubes" hreflang="en"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Sat, 17 Nov 2018 12:29:12 +0000</pubDate>
    <dc:creator>Carlie Fairchild</dc:creator>
    <guid isPermaLink="false">1339883 at https://www.linuxjournal.com</guid>
    </item>
<item>
  <title>It’s Here. The March 2018 Issue of Linux Journal Is Available for Download Now.</title>
  <link>https://www.linuxjournal.com/content/its-here-march-2018-issue-linux-journal-available-download-now</link>
  <description>  &lt;div data-history-node-id="1339791" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/carlie-fairchild" lang="" about="https://www.linuxjournal.com/users/carlie-fairchild" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;Carlie Fairchild&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;Boasting as many pages as most technical books, this month’s issue of &lt;cite&gt;Linux Journal&lt;/cite&gt; comes in at a hefty 181—that’s 23 articles exploring topics near and dear to everyone from home automation hobbyists to Free Software advocates to hard-core hackers to high-level systems architects.
&lt;p&gt;
&lt;/p&gt;
Besides making the magazine bigger overall with more articles in each issue on a wider range of topics, we’ve also added a new feature that explores a given topic in-depth: the Deep Dive—think of it like an ebook inside each magazine. This month contributing editor Petros Koutoupis dives deep into blockchain. He explores what makes Bitcoin and blockchain so exciting, what they provide, and what the future of blockchain holds. From there, he describes how to set up a private Ethereum blockchain using open-source tools and looks at some markets and industries where blockchain technologies can add value.
&lt;p&gt;
&lt;/p&gt;
Subscribers, you can &lt;a href="https://secure2.linuxjournal.com/pdf/dljdownload.php"&gt;download your March issue&lt;/a&gt; now.
&lt;p&gt;
&lt;/p&gt;
Not a subscriber? It’s not too late. &lt;a href="http://www.linuxjournal.com/subscribe"&gt;Subscribe today&lt;/a&gt; and receive instant access to this and all back issues since 2010. Alternatively, you can buy the single issue &lt;a href="https://linuxjournalstore.com/collections/back-issues-of-linux-journal/products/march-2018-issue-of-linux-journal"&gt;here&lt;/a&gt;.&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/its-here-march-2018-issue-linux-journal-available-download-now" hreflang="en"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Tue, 13 Mar 2018 15:08:24 +0000</pubDate>
    <dc:creator>Carlie Fairchild</dc:creator>
    <guid isPermaLink="false">1339791 at https://www.linuxjournal.com</guid>
    </item>
<item>
  <title>What's New in Qubes 4</title>
  <link>https://www.linuxjournal.com/content/whats-new-qubes-4</link>
  <description>  &lt;div data-history-node-id="1339682" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/kyle-rankin" lang="" about="https://www.linuxjournal.com/users/kyle-rankin" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;Kyle Rankin&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;&lt;p&gt;
&lt;em&gt;Considering making the move to Qubes 4? This article describes a few of
the big changes.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;
In my recent article &lt;a href="http://www.linuxjournal.com/content/refactor-factor"&gt;"The Refactor
Factor"&lt;/a&gt;, I talked about the new incarnation of &lt;em&gt;Linux
Journal&lt;/em&gt; in the context of a big software project doing a refactor:
&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;
Anyone who's been involved in the Linux community is familiar with a
refactor. There's a long history of open-source project refactoring that
usually happens around a major release. GNOME and KDE in particular both
use .0 releases to rethink those desktop environments completely. Although
that refactoring can cause complaints in the community, anyone who
has worked on a large software project will tell you that sometimes
you have to go in, keep what works, remove the dead code, make it more
maintainable and rethink how your users use the software now and how
they will use it in the future.
&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;
I've been using Qubes as my primary desktop for more than two years, and
I've written about it previously in my &lt;em&gt;Linux Journal&lt;/em&gt; column, so I was pretty
excited to hear that Qubes was doing a refactor of its own in the new 4.0
release. As with most refactors, this one caused some past features to
disappear throughout the release candidates, but starting with 4.0-rc4,
the release started to stabilize with a return of most of the features
Qubes 3.2 users were used to. That's not to say everything is the same. In
fact, a lot has changed both on the surface and under the hood.
&lt;/p&gt;

&lt;p&gt;
Although Qubes
goes over all of the significant changes in its &lt;a href="https://www.qubes-os.org/doc/releases/4.0/release-notes"&gt;Qubes 4
changelog&lt;/a&gt;,
instead of rehashing every low-level change, I want to highlight just
some of the surface changes in Qubes 4 and how they might impact you
whether you've used Qubes in the past or are just now trying it out.
&lt;/p&gt;

&lt;span class="h3-replacement"&gt;
Installer&lt;/span&gt;

&lt;p&gt;
For the most part, the Qubes 4 installer looks and acts like the Qubes
3.2 installer with one big difference: Qubes 4 uses many different CPU
virtualization features out of the box for better security, so it's
now much more picky about CPUs that don't have those features enabled, and
it will tell you so. At the beginning of the install process after you
select your language, you will get a warning about any virtualization
features you don't have enabled. In particular, the installer will warn
you if you don't have IOMMU (also known as VT-d on Intel processors—a
way to present virtualized memory to devices that need DMA within VMs)
and SLAT (hardware-enforced memory virtualization). If you skip the
warnings and finish the install anyway, you will find you have problems
starting up VMs.
&lt;/p&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/whats-new-qubes-4" hreflang="und"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Thu, 01 Mar 2018 16:07:25 +0000</pubDate>
    <dc:creator>Kyle Rankin</dc:creator>
    <guid isPermaLink="false">1339682 at https://www.linuxjournal.com</guid>
    </item>
<item>
  <title>Qubes Desktop Tips</title>
  <link>https://www.linuxjournal.com/content/qubes-desktop-tips</link>
  <description>  &lt;div data-history-node-id="1339693" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/kyle-rankin" lang="" about="https://www.linuxjournal.com/users/kyle-rankin" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;Kyle Rankin&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;&lt;p&gt;&lt;em&gt;Learn a few tips for getting the most out of your Qubes desktop.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;
I've been
using the high-security Qubes operating system for quite some time now, and
I wrote a multipart series for &lt;em&gt;Linux Journal&lt;/em&gt; in the past. While I've
been using it, I've gathered a few useful tips for it, and in this article, I
cover a few tips specifically tailored for Qubes. Even though
these tips are for Qubes and assume a desktop full of VMs, you could adapt
the overall ideas to other desktop environments.
&lt;/p&gt;

&lt;span class="h3-replacement"&gt;
Clock In, Clock Out&lt;/span&gt;

&lt;p&gt;
Generally speaking, it's a good idea to separate your personal
and work environments completely on different machines. It's better for
security,
because if your personal machine gets hacked, you don't risk infecting your
work environment and vice versa. Of course, if for some reason you don't
have the luxury of two machines, or if you want to set up a travel laptop
that's configured both with your work and personal settings (like I've
mentioned in prior articles), you'll want some way to switch between work
and personal modes.
&lt;/p&gt;

&lt;p&gt;
Because Qubes does everything through many different VMs, this means writing
a simple pair of scripts, clock_in and clock_out, that are stored in the
dom0 VM. Both scripts define a list of personal and work VMs, and they will shut
down or start up VMs depending on whether you are clocking in or clocking
out. Here's an example clock_in script:

&lt;/p&gt;&lt;pre&gt;
&lt;code&gt;
#!/bin/bash

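# Comprehensive list of personal VMs that might be running; all are shut down.
PERSONAL_VMS="fb personal personal-web vault finance writing sys-whonix"
# Only the work VMs needed when clocking in are started.
WORK_VMS="work work-web stage prod1 prod2 vault-work"

for i in $PERSONAL_VMS; do qvm-shutdown "$i"; done
for i in $WORK_VMS; do qvm-start "$i"; done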
&lt;/code&gt;
&lt;/pre&gt;


&lt;p&gt;
Compare this to my clock_out script, and you'll see that the list of VMs
is different:

&lt;/p&gt;&lt;pre&gt;
&lt;code&gt;
#!/bin/bash

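# Only the personal VMs needed when clocking out are started.
PERSONAL_VMS="fb personal personal-web vault"
# Comprehensive list of work VMs that might be running; all are shut down.
WORK_VMS="work work-web stage prod1 prod2 vault-work stage-gpg prod-gpg sys-vpn-stage sys-vpn-prod1 sys-vpn-prod2"

for i in $WORK_VMS; do qvm-shutdown "$i"; done
for i in $PERSONAL_VMS; do qvm-start "$i"; done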
&lt;/code&gt;
&lt;/pre&gt;


&lt;p&gt;
The reason the list is different is that in both cases I want to be
comprehensive in the VMs I shut down, but need only particular VMs to start
up when I clock in or out. By creating separate lists, I can make sure all
the VMs that might be running are all shut down, and I start only the VMs I
need.
&lt;/p&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/qubes-desktop-tips" hreflang="und"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Mon, 26 Feb 2018 15:56:28 +0000</pubDate>
    <dc:creator>Kyle Rankin</dc:creator>
    <guid isPermaLink="false">1339693 at https://www.linuxjournal.com</guid>
    </item>
<item>
  <title>Advice for Buying and Setting Up Laptops When You're Traveling or On-Call</title>
  <link>https://www.linuxjournal.com/content/advice-buying-and-setting-laptops-when-youre-traveling-or-call</link>
  <description>  &lt;div data-history-node-id="1339623" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/kyle-rankin" lang="" about="https://www.linuxjournal.com/users/kyle-rankin" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;Kyle Rankin&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;&lt;p&gt;
&lt;em&gt;Why stress over losing that expensive personal or work laptop? Buy a cheap
one for risky situations.&lt;/em&gt;
&lt;/p&gt;

&lt;p&gt;
In a &lt;a href="http://www.linuxjournal.com/content/hack-and-preparing-vacation"&gt;previous article&lt;/a&gt;, I wrote about how to prepare for a vacation so you aren't
disturbed by a work emergency. As part of that article, I described how to
prepare your computer:
&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;
Even better than taking a backup, leave your expensive work computer behind
and use a cheaper more disposable machine for travel, and just restore your
important files and settings for work on it before you leave and wipe it when
you return. If you decide to go the disposable computer route, I recommend
working one or two full work days on this computer before the vacation to
make sure all of your files and settings are in place.
&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;
It turns out that this advice works not just for travel but also for a laptop you
take with you while on call. So in this article, I elaborate on the above advice
and describe some strategies for choosing and setting up an appropriate laptop
to take with you while on call or traveling.
&lt;/p&gt;

&lt;span class="h3-replacement"&gt;
Why Choose a Different Laptop?&lt;/span&gt;

&lt;p&gt;
I was faced with the dilemma of choosing a travel laptop when I went on vacation a
few months ago. I needed to be reachable while on vacation, just in case, but I
knew I didn't want to lug around and cross borders with an expensive company
laptop. There are a number of reasons why this is a good idea, and most of the
reasons you would want to use a separate, cheap laptop for travel also apply
for an on-call laptop.
&lt;/p&gt;

&lt;span class="h3-replacement"&gt;
Less Concern over Loss, Damage or Theft&lt;/span&gt;

&lt;p&gt;
Although it's true that your laptop might get lost, stolen or damaged while you
commute to work, it's much more likely to happen outside your normal work
routine. While you are on call, you might take your laptop to restaurants, bars,
events or a friend's house, and because you are outside your normal routine,
it's more likely that it will be stolen or that you might accidentally leave it
behind. Also,
when you are commuting to work, you likely have some kind of backpack or case for
your laptop, but outside work, you may be more likely just to throw your laptop
in the trunk of your car.
&lt;/p&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/advice-buying-and-setting-laptops-when-youre-traveling-or-call" hreflang="und"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Sun, 28 Jan 2018 14:08:02 +0000</pubDate>
    <dc:creator>Kyle Rankin</dc:creator>
    <guid isPermaLink="false">1339623 at https://www.linuxjournal.com</guid>
    </item>
<item>
  <title>Best of Hack and /</title>
  <link>https://www.linuxjournal.com/content/best-hack-and</link>
  <description>  &lt;div data-history-node-id="1339356" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/user/800005" lang="" about="https://www.linuxjournal.com/user/800005" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;LJ Staff&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;Secure Server Deployments in Hostile Territory; Preseeding Full Disk Encryption; Own Your Own DNS; Learn How to Secure Desktops with Qubes; What's New In 3D Printing
&lt;p&gt;
&lt;/p&gt;
&lt;a href="http://www.linuxjournal.com/content/secure-server-deployments-hostile-territory"&gt;Secure Server Deployments in Hostile Territory&lt;/a&gt;
&lt;br /&gt;
Would you change what you said on the phone, if you knew someone malicious was listening? Whether or not you view the NSA as malicious, I imagine that after reading the &lt;a href="http://www.linuxjournal.com/content/nsa-linux-journal-extremist-forum-and-its-readers-get-flagged-extra-surveillance"&gt;NSA coverage on &lt;cite&gt;Linux Journal&lt;/cite&gt;&lt;/a&gt;, some of you found yourselves modifying your behavior. The same thing happened to me when I started deploying servers into a public cloud (EC2 in my case). 
&lt;p&gt;
&lt;/p&gt;
In this article, I discuss some of the techniques I use to secure servers when they are in hostile territory. Although some of these techniques are specific to EC2, most are adaptable to just about any environment.
&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.linuxjournal.com/content/secure-server-deployments-hostile-territory"&gt;Part I&lt;/a&gt;
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.linuxjournal.com/content/secure-server-deployments-hostile-territory-part-ii"&gt;Part II&lt;/a&gt; 
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;
&lt;/p&gt;
&lt;a href="https://www.linuxjournal.com/content/preseeding-full-disk-encryption"&gt;Preseeding Full Disk Encryption&lt;/a&gt;
&lt;br /&gt;
Usually I try to write articles that are not aimed at a particular distribution. Although I may give examples assuming a Debian-based distribution, whenever possible, I try to make my instructions applicable to everyone. This is not going to be one of those articles. Here, I document a process I went through recently with Debian preseeding (a method of automating a Debian install, like kickstart on Red Hat-based systems) that I found much more difficult than it needed to be, mostly because documentation was so sparse. In fact, I really found only two solid examples to work from in my research, one of which referred to the other.
&lt;p&gt;
&lt;/p&gt;
&lt;a href="http://www.linuxjournal.com/content/own-your-dns-data"&gt;Own Your Own DNS&lt;/a&gt;
&lt;br /&gt;
I honestly think most people simply are unaware of how much personal data they leak on a daily basis as they use their computers. Even if they have some inkling along those lines, I still imagine many think of the data they leak only in terms of individual facts, such as their name or where they ate lunch. What many people don't realize is how revealing all of those individual, innocent facts are when they are combined, filtered and analyzed.
&lt;p&gt;
&lt;/p&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/best-hack-and" hreflang="und"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Wed, 05 Apr 2017 11:40:59 +0000</pubDate>
    <dc:creator>LJ Staff</dc:creator>
    <guid isPermaLink="false">1339356 at https://www.linuxjournal.com</guid>
    </item>
<item>
  <title>Secure Desktops with Qubes: Compartmentalization</title>
  <link>https://www.linuxjournal.com/content/secure-desktops-qubes-compartmentalization</link>
  <description>  &lt;div data-history-node-id="1339184" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/kyle-rankin" lang="" about="https://www.linuxjournal.com/users/kyle-rankin" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;Kyle Rankin&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;&lt;p&gt;
This is the third article in my series about Qubes. In the first two
articles, I gave an &lt;a href="http://www.linuxjournal.com/content/secure-desktops-qubes-introduction"&gt;overview&lt;/a&gt;
about what Qubes is and described &lt;a href="http://www.linuxjournal.com/content/secure-desktops-qubes-installation"&gt;how to
install&lt;/a&gt; it. One of the defining security features of Qubes is how it lets
you compartmentalize your different desktop activities into separate VMs.
The idea behind security by compartmentalization is that if one of your VMs
is compromised, the damage is limited to just that VM.
&lt;/p&gt;

&lt;p&gt;
When you first start using Qubes, you may not be quite sure how best to
divide up all of your files and activities into separate VMs. I know when I
first started using it, I found inspiration in Joanna Rutkowska's (Qubes'
creator) &lt;a href="http://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf"&gt;paper
on how she used Qubes&lt;/a&gt;.
In this article, I describe
how I organize my activities into VMs on my personal computer. Although I'm
not saying my approach is perfect, and I certainly could secure things even
further than I do, I at least will provide you one example you can use to
get started.
&lt;/p&gt;

&lt;span class="h3-replacement"&gt;
Summary of Qubes Concepts&lt;/span&gt;

&lt;p&gt;
In my previous article, I elaborated on overall Qubes concepts like the
different VM types, trust levels and other features, but since I refer
to those concepts in this article as well, here's a brief summary.
(If you want to know more, read my column in the April and May 2016
issues.)
&lt;/p&gt;

&lt;p&gt;
The first concept to understand with Qubes is that it groups VMs into
different categories based on their use. Here are the main categories of
VMs I refer to in the rest of the article:
&lt;/p&gt;

&lt;ul&gt;&lt;li&gt;
&lt;p&gt;
Disposable VM: these also are referred to as dispVMs and are designed
for one-time use. All data in them is erased when the application is
closed.
&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;
&lt;p&gt;
Domain VM: these also often are referred to as appVMs. They are the VMs
where most applications are run and where users spend most of their
time.
&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;
&lt;p&gt;
Service VM: service VMs are split into subcategories of netVMs and
proxyVMs. These VMs typically run in the background and provide
your appVMs with services (usually network access).
&lt;/p&gt;&lt;/li&gt;

&lt;li&gt;
&lt;p&gt;
Template VM: other VMs get their root filesystem template from a
Template VM, and once you shut the appVM off, any changes you may have
made to that root filesystem are erased (only changes in /rw,
/usr/local and /home persist). Generally, Template VMs are left powered
off unless you are installing or updating software.
&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/secure-desktops-qubes-compartmentalization" hreflang="und"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Thu, 13 Oct 2016 11:00:00 +0000</pubDate>
    <dc:creator>Kyle Rankin</dc:creator>
    <guid isPermaLink="false">1339184 at https://www.linuxjournal.com</guid>
    </item>

  </channel>
</rss>
