Hi! I recently sold my old computer and got a “better” one. The problem is that this new computer is not compatible with QubesOS virtualization technology.
What desktop operating system should I use then? I have a decently high threat model, and regularly communicate with people in heavily speech-restricted countries.
The obvious answer is Tails, but I would strongly prefer not to use an amnesic system.
Specific traits I’m looking for are:
Low as possible attack surface
Damage minimization if penetrated.
Some OSs I was looking into:
OpenBSD. Not that big of a dev team (so bugs may go unpatched for a while), but incredibly secure defaults
Kicksecure. Don’t know too much about it, but may use it because tight integration with rest of Debian ecosystem
Whonix. Is it even possible to use it in this way? Not sure, but otherwise very experienced with it due to QubesOS usage.
Also, before @Lukas says “use secureblue!” I would prefer to use a bigger project with more than one backer. It does potentially sound nice though.
Despite both Whonix and Kicksecure being Debian-based, they are both recommended in PrivacyGuides, under Anonymity for Whonix and Security for Kicksecure. So there must be some merit or value in using them even though they are Debian based. And unlike Secureblue, they are already established Linux distributions.
Secureblue is definitely a worthwhile project to keep an eye on, especially since by default it uses GNOME or KDE Plasma, which are Wayland based rather than X11. Although Kicksecure can be merged into any Debian install with any desktop environment, it by default uses XFCE, which is X11, and I believe X11 is no longer maintained, or at least is slower on updates, and it has some security issues. Though correct me if I’m wrong. And that’s not mentioning the Atomic/Immutable nature of Fedora Silverblue and Kinoite.
I can’t comment on OpenBSD. And I am not recommending anything; I don’t know your threat model, I don’t know if your or anyone’s lives depend on it. Qubes is obviously the best choice for this, so it’s unfortunate it’s not supported. I hope you can come to the next best answer.
Instead of trying to use Whonix as your full OS, Whonix inside a virtual machine on a mainstream Linux distro would be a good option. This would meet both of your points:
Low as possible attack surface: The attack surface is a privacy/anonymity distro inside a virtual machine.
Damage minimization if penetrated: If your Whonix install is penetrated, the penetration is limited to the virtual machine (in all but the most extreme cases). You can just delete the virtual machine and start over with a new Whonix install inside a new virtual machine.
I’d suggest a distro with either point releases or rolling releases, as you get the security updates faster than the LTS (long-term support) distros (like Debian).
Unfortunately, most Linux content creators don’t focus on security or privacy, but they still have some interesting information sometimes, so I follow a few anyway. The Linux Experiment is something to check out.
You haven’t mentioned how much experience you have with Linux apart from Qubes, or anything other than Windows or macOS. If you can tell us your Linux experience, it would help us to give you better guidance.
First I wanna say that I love OpenBSD, and it is a great system to make your device secure. I wouldn’t advise you to use it though, simply because you might not always find the tools you need like you do on Linux (OpenBSD is a bit different from Linux systems), and learning to use it might take time (again, because it is different from Linux).
You can use Pop!_OS and use virtual machines for separate tasks, but to be honest with you, if you can, buy another computer dedicated to your work that is compatible with Qubes OS (simply because Qubes OS is unique).
Another great idea from HauntSanctuary is to buy a Pixel tablet; you can install GrapheneOS and create multiple profiles for your needs.
Traces of your Tails session are likely to be left on the local hard disk. For example, host operating systems usually use swapping (or paging) which copies part of the RAM to the hard disk.
Only run Tails in a virtual machine if leaving traces on the hard disk is not a concern for you.
Last I checked, default Fedora uses ZRAM (compressed RAM for paging), so a reboot should clear it up. This also shouldn’t be a problem for systems with 32 GB RAM or more for a more normie use case (web browsing, media playback and games).
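The distinction drawn above (ZRAM swap lives in RAM and is gone after a reboot, disk-backed swap can carry pages of a VM's memory across reboots) can be checked mechanically. The script below is an added example and is not code from anyone in this thread or from the Tails project. It parses lines in the format of Linux's /proc/swaps (a constructed sample is embedded so it runs offline), classifies each entry as RAM-backed (/dev/zram*) or disk-backed, and reports whether any disk-backed swap is active; the function names classify_swap and swap_is_ram_only and the --live flag are my own.

```shell
#!/bin/sh
# Added example (not from the thread): classify active swap devices.
# /proc/swaps format: Filename Type Size Used Priority (first line is a header).

# Print one line per swap entry: "<device> ram|disk".
# /dev/zram* is a compressed block device in RAM, so its contents do not
# survive a reboot; anything else (partition or swap file) is on persistent
# storage and can retain paged-out memory, including VM guest memory.
classify_swap() {
    tail -n +2 | while read -r dev _type _size _used _prio; do
        case "$dev" in
            /dev/zram*) kind=ram ;;
            *)          kind=disk ;;
        esac
        printf '%s %s\n' "$dev" "$kind"
    done
}

# Exit 0 if every active swap device is RAM-backed, 1 if any is disk-backed.
swap_is_ram_only() {
    ! classify_swap | grep -q ' disk$'
}

# Constructed samples in /proc/swaps format (not captured from a real host).
SAMPLE_MIXED='Filename        Type        Size      Used  Priority
/dev/zram0      partition   8388604   0     100
/dev/nvme0n1p3  partition   16777212  0     -2'

SAMPLE_ZRAM_ONLY='Filename        Type        Size      Used  Priority
/dev/zram0      partition   8388604   0     100'

# With --live, inspect the running system instead of the samples.
if [ "${1:-}" = "--live" ] && [ -r /proc/swaps ]; then
    classify_swap < /proc/swaps
    if swap_is_ram_only < /proc/swaps; then
        echo "OK: all swap is RAM-backed (cleared on reboot)"
    else
        echo "WARNING: disk-backed swap active; paged-out memory can persist on disk"
    fi
fi
```

Run it with --live on the host before starting a VM whose memory should not end up on disk; a "WARNING" means either disabling that swap (swapoff) or accepting that the Tails documentation's caveat applies.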
I hope my response isn’t perceived as aggressive, but Pop!_OS is a horrible choice from a security perspective. It lacks Wayland by default, is based on an old Ubuntu LTS release, and you’re trusting not just Debian, and then Ubuntu, but also System76 as well to not do anything malicious.
What one should (preferably) be avoiding is point release distributions since they receive far slower updates than those such as Arch or Fedora. AFAIK, all LTS distributions fall into the “point release category” and thus should be obviously avoided as well.
What are the capabilities of your adversary? Are they most likely going to try to phish you with infected files, are they a state-level adversary that can infect your computer with a 0-day through your browser? Would the adversary be willing to forcefully take your computer and compel you to reveal your disk encryption password?
Are you more concerned with being targeted with malware, leaving traces on your hard disk, your communications not being attributed to you, communications not being decrypted? Are your priorities based on anonymity, security, both?
What else do you want to use your computer for? Gaming, blogging, internet surfing, programming? Or only for dangerous tasks?
I would personally lean into Kicksecure as a host and running Whonix in your scenario, if Qubes isn’t an option. To avoid compromising the host, it may be wise to never run risky software like browsers or anything that communicates with the internet, and to run different amnesic KVM VMs for different activities. As a former Qubes user, you should be familiar with this compartmentalization mindset.
A choice of non-security-focused Linux distro (e.g. Fedora over Debian) is incredibly unlikely to stop someone from getting infected with malware, especially targeted malware. If there’s a bug in a browser that gets exploited, you’re probably hosed, and you won’t know it, whether you have Linux Mint or Parrot, unless the browser was virtualized or sandboxed.
A user running Whonix (Debian/Kicksecure) in live mode is far better off against an adversary that can deliver browser or media-file based 0- or 1-day exploits than a user running Fedora and raw-dogging Firefox or Chromium.
If you have a “decently high threat model”, the best ways to minimize damage if penetrated are with virtualization or preferably with an air-gapped or otherwise physically isolated machine. With the former you’re betting on your adversary not employing a VM-escape exploit, which is very unlikely. To my knowledge, there have been no publicly known reports of a VM escape actually being used by any threat actor in the wild.
Having a low attack surface is largely dependent on you not installing extra unneeded applications, and uninstalling what you don’t need if you’re using Linux. That’s the beauty of Linux - you can make it and harden it as you want mostly.
Whonix can be used with most operating systems through VirtualBox or QEMU/KVM (recommended). You can even use physical isolation with Whonix if you’re worried about VM-escape exploits and have multiple computers to spare. Just head over to the Whonix wiki to find out more.
I use OpenBSD on the server very frequently for my job, so I know my way around it pretty well, except for virtualization. Is OpenBSD good for this at all? The tools I need are mainly a web browser and a VM, and that’s basically it.
Thank you so much for your help by the way, this summed up my issues perfectly!
They are pretty good. They probably will be trying to phish me with infected files, and infect my browser. They don’t have jurisdiction where I live, nor are they friendly with my government, thank God.
I am pretty concerned with making sure my communications are attributed to me, because that would put my family’s life in jeopardy, so mainly anonymity.
Just blogging and internet surfing.
I already settled on QubesOS for this, which is something I am sure you would agree with. Thank you so much for your help, you have been nothing but helpful!