Qubes = bloat
Why don't they use KVM instead of Xen hypervisor?

Isn't KVM more secure then Xen?

>MASSIVE sudo *****, even after my warning
>using rm instead of shred
Should have made an OpenVMS virtual machine with its disks on an encrypted LUKS container.

P68957
GUIDE FOR ANTi FORENSIC DISP VM's WHEN?!
>with its disks on an encrypted LUKS container.
like encrypted swap or you mean no swap?

Just use modified Tails ISO as a VM case closed no?

P68961
chroot into it and change:
the tails homepage to about:config
the tca to not check for updates
the torrc to have:
https://wiki.gentoo.org/wiki/Tor

StrictNodes 1
NodeFamily {au}, {ca}, {gb}, {nz}, {us}, {dk}, {fr}, {nl}, {no}, {be}, {de}, {it}, {es}, {se}, {jp}
# Japan is a honeypot for anime lovers
ExcludeExitNodes {jp}

P68951
Qubes sux ass and haz no GPU support last time i checked

Unless you can enable GPU in qubes i would use it as a daily driver

P68960
Don't use a swap unless you really need it, and then you'd have to worry about it too.

>>>>>>admin add code tags>>>>>>>>>>
dd if=/dev/zero of=container.img count=40000
40000+0 records in
40000+0 records out
20480000 bytes (20 MB, 20 MiB) copied, 0.0551829 s, 371 MB/s

losetup -f container.img

cryptsetup --type luks2 --verify-passphrase luksFormat /dev/loop4

WARNING!
========
This will overwrite data on /dev/loop4 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /home/user/container.img:
Verify passphrase:

cryptsetup luksOpen /dev/loop4 ctexample
Enter passphrase for /home/user/container.img:

mkfs.ext2 /dev/mapper/ctexample
mke2fs 1.47.0 (5-Feb-2023)
Creating filesystem with 3616 1k blocks and 904 inodes

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

mount /dev/mapper/ctexample /mnt/hd

ls /mnt/hd
lost+found/

....

umount /dev/mapper/ctexample
cryptsetup luksClose ctexample
losetup -d /dev/loop4
>>>>>>>>>>>>>>>admin add code tags>>>>>>>>>>

Stay away from journaling filesystems. Bonus points for renaming your container so it looks like something innocent (/usr/bin/gifcrop ?).

shred -u -v -z container.img and the chance of anyone getting what's inside is approaching zero.

P68974
>dd if=/dev/zero
your just overwriting it that doesn't make it anti forensic
encrypted swap might as /dev/urandom looks no different then luks if you delete the luks header. depending on the system aka flash memory i think it would just hurt you in the long run and shorten your drives lifespan instead of just having it running in ram.

P68951
Why doesn't qubes come with a template for anti foresic vms?
all i see them say is just use muh tails as a vm inside qubes

P68974
>shred -u -v -z container.img and the chance of anyone getting what's inside is approaching zero.
>uses ssd
ITS OVER!

P68956
>Qubes = bloat
Qubes is dogwater w*gger un*x shit made by israeli boomers

>shred
>CAUTION: shred assumes the file system and hardware overwrite data in place.
wiggers cannot read

i remember the literal day qubes came out and the moment i read "disposable vms" i cringed and imagined some fag doing that gay limp wrist thing as he says it
imagine even thinking linux desktop can be secured, you cant even secure linux if it was only on the built in VT. even if 99% of the shit is in sandbox it wont help. yes it really is that bad.

>VM's
h*pa tier
P68956
>Qubes = bloat
>Why don't they use KVM instead of Xen hypervisor?
KVM is unbelievably more bloat than Xen.

>when Feds try to plant evidence on your hard drives

Just don't use hard drives. Boot to ram.

P68951
>blank page with javabloat enabled

P69012
This, so much this.

P68999
shred is ok but why would you want to do that when you could just mount something to tmpfs
ackually shred is gay and requires 6 gorillion writes to even be safe and effective on a flash memory aka SSD

P69105
If you want to get rid of the container at some point. It's locked anyway so shred is kind of overkill but that's the idea.

Trace this.

>using qubes
>leaving traces
not even once thanks you

>https://github.com/unman/notes/blob/master/Really_Disposable_Qubes.md
Is this really the best implementation for disposable antiforensic vms in qubes?

>Disposable VM's leave traces on your HDD/SSD
They aren't called anti-forensic VMs. *shrug*

Is it not possible to mount them in tmpfs or do they leave traces on / anyway?

P69646
people think they are tho

P69646
why not?

P69660
>people think they are tho
Who? No one I've ever seen.

P69665
***** i have seen *****s saying they use temp vms they safe
safe from malware but noit from forensics

>tmpfs
Will swap. Actually you want ramfs. Actually you don't want to use virtualization for this at all.

P69820
ramfs is outdated chuddy lit tmpfs is ramfs now if you look it up just have no swap partition like a real happa

P68951
So....admin spoilers this post but doesn't spoiler the soyjak spammer bait posts?

P69820
Will it swap if you have no swap partition?

Just set up ZRAM zstd swap and increase the minimum free memory sysctl to around 80MB, else the VM hangs when Qubes steals too much memory from it.
Do this for all templates and dom0.

P68956
>Qubes = bloat
>Why don't they use KVM instead of Xen hypervisor?
It's actually the opposite, KVM is bloat because it drags the entire linux kernel into your trusted computing base.
>In short: we believe the Xen architecture allows for the creation of more secure systems (i.e. with a much smaller TCB, which translates to a smaller attack surface). We discuss this in much greater depth in our Architecture Specification document.
https://www.qubes-os.org/faq/#why-does-qubes-use-xen-instead-of-kvm-or-some-other-hypervisor

P76682
>Will it swap if you have no swap partition?
Will a boat sink if there is no water?

its disposable like a condom
you cant just leave the condom at your neighbours daughters house after the act
just clean up after yourself and youll be fine

Qubes is BLOAT and there is no point of using it other then trying to be a w*gger hipster or wipster
Same could be achieved with a live cd that has different grub entries to boot into to different enviroments or operating systems
like next people will be saying gentoo is the most secure operating system or something else a low iq wh*toid would say

P77943
>people will be saying gentoo is the most secure operating system
Gentoo can be more secure than other distros.

You need to compile the whole system from source which means you can enable extra compiler flags which makes any vulnerabilities in the code harder to exploit (but also makes it slower which is why they are not enabled by default in other distros). Gentoo also lets you disable features inside packages which you don't need to reduce attach surface (for example disable all code relating to ipv6 or dbus). And no two gentoo systems are identical so that's another thing that makes it harder to write exploits. All debian 12 systems have exactly the same kernel and binaries so one exploit can pwn all debian installs without worrying about some ROP gadget being at a different address because the user disabled a USE flag or something. If somebody told you that gentoo is more secure then that is the kind of stuff they were talking about.

>Qubes is BLOAT
Bloat is subjective. Bloat means stuff [bold: you] don't need. But you are not me. Qubes also has some unique features you can't really implement any other way like driver domains. You can split up hardware drivers and run them in different unprivileged vms so a rootkit or firmware bug in your network card can't pwn the entire system. It's not really possible to do that without xen + vt-d.

P77944
>You need to compile the whole system from source
That includes the kernel. Since you know your own hardware you can compile out all the shit you don't need to minimize attack surface and then add extra hardening features like zeroing all memory before it enter/leaves kernel space and denying buffers spanning multiple page allocations and other stuff that makes low level exploitation harder.

P77944
>Gentoo can be more secure than other distros.
Can it be more secure than Qubes though? Qubes is a "meta distro", you can run Gentoo within it. There are templates available.

P77947
I don't know if qubes supports running gentoo as dom0. I expect that at the very least you'll have to figure out how to compile the various management tools from source. You can always try and report back.

Also a sufficiently de-bloated and security optimized gentoo system inevitably starts looking a lot like alpine so you can save some time and just use alpine without losing too much.

P77944
>for example disable all code relating to ipv6
why not just disable it system wide it is GAE
my biggest thing is i dont want to wait a whole year for it to compile or else i would use gentoo

>All debian 12 systems have exactly the same kernel and binaries so one exploit can pwn all debian installs without worrying about some ROP gadget being at a different address because the user disabled a USE flag or something
Yeah so use whonix or kicksecure that has hardened defaults

P68951
Just use tails in VM on qubes thats what i'm doing right now to test the new version 6.0

P82109
I would suggest only allowing a nordvpn qube to connect to tails qube
so it nordvpn -> tails -> arpanet
glowies seeth at this usage
what makes then seeth more is using discord this way
whonix gateway -> fedora -> discord

correction fedora would have nordvpn on it with a subscription u never connected to without the gateway

Hard isolation is better than soft isolation.

>Qubes
chipset backdoor gets order to download and run malware in the background, then starts sending all your ram data to attacker.

>hardware isolation
attacker sees you download and upload encrypted files, then move them to another machine they can't reach because you've isolated it from the internet, removed the wifi chip, no speaker/microphone.

There is a kind of USB hub/HDMI with a switch that allows you to rapidly switch between machines without removing the flash drive or whatever. So whatever you save to the flash drive and the screen and peripherals is transferred between machines with the press of a button, which allows you to use it like a second workspace, but with HARD isolation (assuming there's no kikery in the hub switch).

Does it scramble your external drives bad? If you're doing an operation on that drive at the time it surely can. You'll have to experiment.

And again, you can't do this on windows (and probably Apple) because it saves hidden mystery files on each drive.

P82126
>attacker sees you download and upload encrypted files, then move them to another machine they can't reach because you've isolated it from the internet, removed the wifi chip, no speaker/microphone.
>implying they can't pwn your other machine through malicious firmware on the device you use to transfer the files
nah, it's totally realistic that you'll be targeted with totally real chipset backdoors, but nothing like the latter exist, eh?

>chipset backdoor gets order to download and run malware in the background, then starts sending all your ram data to attacker.
what do you mean "chipset backdoor"? like *****U, drivers, or BIOS firmware?

>(assuming there's no kikery in the hub switch).
Can you buy these in stores if not assume kikery via chinese supplychain attacks or modified via kikery considering amazon = DoD

P82129
im really confused about where this post came from and what they mean exactly
I read some kind of POC rececntly but it was using a hardware switch

P68951
Why is OP's pic spoilered?

P82126
>kikery
u dont sound like u have to worry about hardware backdoors
also yes kvm switches are an insecure way of isolating

P82126
You mean something like this?

>Building an Affordable Data Diode to Protect Journalists
> https://pep23.com/assets/pdf/pep23-paper7.pdf

P82391
YES.

>>P82131

>Can you buy these in stores if not assume kikery via chinese supplychain attacks or modified via kikery considering amazon = DoD

You could probably make one yourself by just dissecting the cords and creating a switch for the wires to either connect to one machine or another without the wear and tear of unplugging stuff. But yeah, they are sold in stores, but probably mostly online.

>what do you mean "chipset backdoor"? like *****U, drivers, or BIOS firmware?

I meant chip. Sorry.

P82461
(YOU) w*\gger *****up

Why do you need GPU?

>>P87005

for 4 inches of graphics pixels fr

P87176
GPU cold be supported after GUI-vm implementation, which would contain graphics drivers and all their possible exploits.

P82126
Hardware isolation (actually, hardware+software isolation) would be desirable if there was some way to share clipboard contents including files between devices. Airgapped clipboard share is possible with generating on-screen QRs and scanning them, scanning a series of QRs if we need to transfer a lot of data. And there is such software.
Also I would prefer to isolate my whonix gateway on separate machine, obviously connected by eth so no airgap but still better then having actual clearnet connection to pc, one virtualization-escape and your IP is leaked.

I personally worry more about IntelME and same thing from AMD. Disabling and dismembering it is not enough.
Also yea chip backdoors.

>Airgapped clipboard share is possible with generating on-screen QRs and scanning them, scanning a series of QRs if we need to transfer a lot of data.

If you needed small text copy and pasting from one machine to another, maybe you could set up a one way video data (HDMI VGA, etc are two way and could carry data from one computer to another, you'd want to convert that to an analog video cord) from the computer you need to copy from to the one you need to copy to and have some text reading plugin for the stream player?

It's not that hard to just copy and paste text into a txt file, hit save to flash drive, and then switch to the other computer and open the file. It's probably easier and more reliable than some cam text reading program anyway.

P93972 brought me here and I have never used Qubes before.
How do you set up [bold: actually disposable Qubes-VMs?

Does Qubes have https://github.com/unman/notes/blob/master/Really_Disposable_Qubes.md built in as a template now?

>Gooba gooba goo shred
>Unga bunga woopa gop VMs files leftover bix nood
Shred does almost nothing useful on a SSD except waste some extra writes. On a HDD it's filesystem dependent and still worse than just encrypting a file irrecoverably then deleting it.
Encrypt your drive fully so that people don't find "leftover files" when you throw it away someday. Other than that I don't see your use case, if it's a shared computer you should be be running that VM bloatware in a container/jail setup to wipe itself at the end, or in RAM. I guess you could set up a gocryptfs directory to be the root of where the jail is, then close it at the end and delete it if this runs on a disk, most directory level encryption solutions are a bit shit so there's some metadata leftover. RAM encryption is some pricey hardware feature somewhere, good luck with that, but it is real.

HAS ANYONE USED THIS?

https://github.com/aforensics/HiddenVM

P97914
Looks like Tails with VirtualBox preinstalled. It's a nice idea but I wouldn't trust Oracle with anything security related. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=virtualbox