Fix merge conflict
IkelAtomig committed Dec 27, 2022
1 parent dc689f1 commit 774c45b
Showing 12 changed files with 103 additions and 47 deletions.
2 changes: 1 addition & 1 deletion docs/assets/img/qubes/qubes_os.svg
2 changes: 1 addition & 1 deletion docs/basics/common-threats.en.md
Expand Up @@ -38,7 +38,7 @@ To minimize the damage that a malicious piece of software *could* do, you should

Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources.

Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as Qubes OS.
Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os).

<span class="pg-red">:material-target-account: Targeted Attacks</span>
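
Review bot: The new link target on the changed line, `../../desktop/#qubes-os`, is written as a site URL path, while every other link this commit touches uses the source-file form (`desktop.md#qubes-os`, `../desktop.md#whonix`). Suggest `[Qubes OS](../desktop.md#qubes-os)` here so the link is resolved the same way as the rest.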

32 changes: 26 additions & 6 deletions docs/linux-desktop.en.md → docs/desktop.en.md
@@ -1,13 +1,11 @@
---
title: "Linux"
title: "Desktop/PC"
icon: simple/linux
---
Linux distributions are commonly recommended for privacy protection and software freedom.
Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.

- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md)

If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.

## Traditional Distributions

### Fedora Workstation
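
Review bot: The front matter now titles this page "Desktop/PC", but `icon: simple/linux` and the merged intro paragraph still describe it as a Linux-distribution page ("Linux distributions are commonly recommended ..."). Since the same commit adds Qubes OS to this page and docs/os/linux-overview.en.md says Qubes OS is not covered by the term "Linux", the intro should be reworded to match the new scope, or the title left as "Linux".
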
Expand Down Expand Up @@ -110,7 +108,7 @@ Nix is a source-based package manager; if there’s no pre-built available in th

![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right }

**Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](qubes.md).
**Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os).

[:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary }
[:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" }
Expand Down Expand Up @@ -139,6 +137,28 @@ Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qube

Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.

Tails also installs uBlock Origin in Tor Browser by default, which potentially makes it easier for adversaries to fingerprint Tails users, and increases the attack surface of the browser. For all of these reasons, if your only goal is to browse the internet anonymously, Tails is not as good of a choice as using [Whonix](linux-desktop.md/#whonix) with [Qubes OS](qubes.md), which is much more secure and leakproof. If your goal is to use a computer without leaving any trace afterwards, Tails may be a good solution for you.
Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.

By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/first_steps/persistence/index.en.html) can be configured to store some data between reboots.

## Security-focused Distributions

### Qubes OS

!!! recommendation

![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right }

**Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers.

[:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary }
[:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary }
[:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" }
[:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation }
[:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute }

Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*.

The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/).
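
Review bot: In the rewritten Tails paragraph, `[Whonix](desktop.md#whonix)` links to this same file by name, while the Whonix hunk above was changed to the in-page form `[Qubes OS](#qubes-os)`; use `#whonix` for consistency. The added Qubes OS section also describes the system twice in near-identical terms ("designed to provide strong security for desktop computing" in the card, then "meant to provide strong security for desktop computing" right after the links), so one of the two sentences can go. The rewrite also drops the earlier statement that uBlock Origin increases the browser's attack surface and the recommendation of Whonix with Qubes OS, which is a content change beyond what the commit message "Fix merge conflict" describes; worth confirming it is intended.
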
2 changes: 1 addition & 1 deletion docs/os/linux-overview.en.md
Expand Up @@ -18,7 +18,7 @@ Despite these drawbacks, desktop GNU/Linux distributions are great if you want t

Our website generally uses the term “Linux” to describe desktop GNU/Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.

[Our Linux Recommendations :material-arrow-right-drop-circle:](../linux-desktop.md){ .md-button }
[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md){ .md-button }

## Choosing your distribution
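
Review bot: The link target is updated to `../desktop.md`, but the label still reads "Our Linux Recommendations" and the context line just above says Qubes OS is not discussed under "Linux", while the target page is now titled "Desktop/PC" and includes Qubes OS. Suggest renaming the button to match the new page title, or linking to a Linux-specific heading on that page.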

53 changes: 53 additions & 0 deletions docs/os/qubes-overview.en.md
@@ -0,0 +1,53 @@
---
title: "Qubes Overview"
icon: simple/qubesos
---
[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/).

## How does Qubes OS work?

Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines.

![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png)
<figcaption>Qubes Architecture, Credit: What is Qubes OS Intro</figcaption>

Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser.

![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png)
<figcaption>Qubes window borders, Credit: Qubes Screenshots</figcaption>

## Why Should I use Qubes?

Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical use-case for Qubes OS is for opening documents from an unknown source.

Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control.

### Copying and Pasting Text

You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions:

1. Press **Ctrl+C** to tell the VM you're in that you want to copy something.
2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard.
3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available.
4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer.

### File Exchange

To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more security than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system.

??? info "AppVMs or qubes do not have their own file systems"

You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident.

### Inter-VM Interactions

The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/).

## Additional Resources

For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc).

- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/)
- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html)
- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles)
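
Review bot: Under "Copying and Pasting Text", `qvm-copy-to-vm` is offered as a way to copy and paste text, but the linked how-to and the four steps describe the clipboard shortcuts; the command reads as a file-copy tool and would fit under "File Exchange" instead. In "File Exchange", "copy and paste files" and "protect your clipboard from being leaked" mix clipboard wording into a file-transfer paragraph, and "This is more security than" should read "This is more secure than". The `??? info` title ("AppVMs or qubes do not have their own file systems") is not explained by the text that follows it, and the file switches between "Qube", "Qubes" and "qubes" for the same thing; pick one form.
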
19 changes: 0 additions & 19 deletions docs/qubes.en.md

This file was deleted.

28 changes: 13 additions & 15 deletions docs/tools.en.md
Expand Up @@ -68,7 +68,7 @@ For more details about each project, why they were chosen, and additional tips o

## Operating Systems

### Android
### Mobile

<div class="grid cards" markdown>

Expand All @@ -79,7 +79,7 @@ For more details about each project, why they were chosen, and additional tips o

[Learn more :material-arrow-right-drop-circle:](android.md)

### Android Apps
#### Android Apps

<div class="grid cards" markdown>

Expand All @@ -93,24 +93,22 @@ For more details about each project, why they were chosen, and additional tips o

[Learn more :material-arrow-right-drop-circle:](android.md#general-apps)

### Linux
### Desktop/PC

<div class="grid cards annotate" markdown>
<div class="grid cards" markdown>

- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](linux-desktop.md#fedora-workstation)
- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](linux-desktop.md#opensuse-tumbleweed)
- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](linux-desktop.md#arch-linux)
- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](linux-desktop.md#fedora-silverblue)
- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](linux-desktop.md#nixos)
- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](linux-desktop.md#whonix)
- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](linux-desktop.md#tails)
- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](qubes.md) (1)
- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os)
- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation)
- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed)
- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux)
- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue)
- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos)
- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix)
- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails)

</div>

1. Qubes uses Xen to provide strong sandboxing between multiple Linux virtual machine installations, and can run most Linux applications. [Learn more about Qubes...](qubes.md)

[Learn more :material-arrow-right-drop-circle:](linux-desktop.md)
[Learn more :material-arrow-right-drop-circle:](desktop.md)

### Router Firmware
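
Review bot: On the added list lines the link text reads "OpenSUSE Tumbleweed" while the alt text on the same line reads "openSUSE Tumbleweed logo", and likewise "nixOS logo" against "NixOS"; since every line in the list is being rewritten anyway, make the casing agree ("openSUSE", "NixOS"). Dropping the `annotate` class together with the `(1)` marker and its footnote is consistent.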

2 changes: 1 addition & 1 deletion docs/tor.en.md
Expand Up @@ -25,7 +25,7 @@ Tor works by routing your internet traffic through those volunteer-operated serv

## Connecting to Tor

There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](linux-desktop.md/#whonix) on [Qubes OS](qubes.md), which provide even greater security and protections than the standard Tor Browser.
There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser.

### Tor Browser
