Qubes OS: Security By Isolation | LAS 317

Qubes OS: Security By Isolation | LAS 317

Qubes OS, you could call it Linux for the truly paranoid. This system offers a unique isolated approach to keep you and your data safe, we dive in to show you how this system works!

Plus: The big Red Hat news, Docker goes 1.0, a Linux port done right…

And so much more!

All this week on, The Linux Action Show!

Thanks to:




HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Qubes OS:


Brought to you by: System76

Qubes OS Homepage

  • Qubes Release 1 was released in September 2012. Qubes Release 2 is almost complete, with rc1 having been released in April 201

  • On February 16, 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security Solution.

Built on top of Xen:

Qubes Architecture Overview

Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.

  • Qubes implements a Security by Isolation approach.
  • Qubes utilizes virtualization technology in order to isolate various programs from each other and even to sandbox many system-level components, such as networking and storage subsystems, so that the compromise of any of these programs or components does not affect the integrity of the rest of the system.

  • Qubes lets the user define many security domains, which are implemented as lightweight Virtual Machines (VMs), or “AppVMs.”

Example App isolation

For example, the user can have “personal,” “work,” “shopping,” “bank,” and “random” AppVMs and can use the applications within those VMs just as if they were executing on the local machine. At the same time, however, these applications are well isolated from each other.

  • Qubes also supports secure copy-and-paste and file sharing between the AppVMs, of course.

Key Architectural features

Qubes Odyssey Framework

  • The network mechanism is the most exposed to security attacks. This is why it is isolated in a separate, unprivileged virtual machine, called the Network Domain.

  • Disk space is saved thanks to the fact that various virtual machines (VM) share the same root file system in a read-only mode.

  • Separate disk storage is only used for userʼs directory and per-VM settings. This allows to centralize software installation and updates. Of course, some software can be installed only on a specific VM.

  • Some documents or application can be run in disposable VMs through an action available in the file manager. The mechanism follows the idea of sandboxes: after viewing the document or application, then the whole Disposable VM will be destroyed.

Qube OS Desktop Screenshot

  • Based on a secure bare-metal hypervisor (Xen)
  • USB stacks and drivers sand-boxed in an unprivileged VM (currently experimental feature)
  • No networking code in the privileged domain (dom0)
  • All user applications run in “AppVMs,” lightweight VMs based on Linux
  • Centralized updates of all AppVMs based on the same template
  • Qubes GUI virtualization presents applications as if they were running locally
  • Qubes GUI provides isolation between apps sharing the same desktop
  • Secure system boot based (optional)

Not just for Linux, Qubes can run Windows app seamless too:

Qubes Seamless

— Picks —

Runs Linux

Mini-drones jump, flip, fly, climb, and and run Linux

Desktop App Pick


SnapRAID is an application able to make a partial backup of your disk array. If some of the disks of your array fail, even if they are completely broken, you will be able to recover their content. It’s only a partial backup, because it doesn’t allow to recover from a failure of the whole array, but only if the number of failed disks are under a predefined limit.

Weekly Spotlight

magpie —

Basically, magpie is just a web tool for managing text files in a git repo. In it, you can create notebooks (which are just folders); create, edit, and delete notes (which are just files). That’s pretty much it. However, when you make any of these changes, they are automatically committed to git.

Thanks to haliphax for submitting this link

— NEWS —

A big step forward in business Linux: Red Hat Enterprise Linux 7 arrives

As for the features, RHEL 7 boasts many stability and performance upgrades. Red Hat claims that, depending upon the load, RHEL 7 is 11 to 25 percent faster than the previous iteration of the software, RHEL 6.

Red Hat Logo

It’s Here: Docker 1.0

On March 20, 2013, we released the first version of Docker. After 15 months, 8,741 commits from more than 460 contributors, 2.75 million downloads, over 14,000 “Dockerized” apps, and feedback from 10s of 1000s of users about their experience with Docker, from a single container on a laptop to 1000s in production in the cloud … we’re excited to announce that it’s here: Docker 1.0.

HP bets it all on The Machine, a new computer architecture based on memristors and silicon photonics

memristor die wafer

In the words of HP Labs, The Machine will be a complete replacement for current computer system architectures. There will be a new operating system, a new type of memory (memristors), and super-fast buses/peripheral interconnects (photonics). Speaking to Bloomberg, HP says it will commercialize The Machine within a few years, “or fall on its face trying.”

Some of our favorite bullshit headlines:

On top of that, HP is working on a brand new operating system for The Machine based on Linux. And another one based on Android, Fink continued:

“We are, as part of The Machine, announcing our intent to build a new operating system all open source from the ground up, optimized for non-volatile memory systems.

We also have a team that’s starting from a Linux environment and stripping out all the bits we don’t need. So that way you maintain … compatibility for apps.

What if we build a version of Android? … We have a team that’s doing that, too.”

Aspyr Media Comments On Linux, More AAA Games In Future

Aspyr Media have quite clearly proven themselves at porting to Linux with a port that works this well, but the bigger news is that they may have more to come.

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

— Find us on Google+ —

— Find us on Twitter —

— Follow the network on Facebook: —

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

Question? Comments? Contact us here!