Revise text: general improvements and cleanup

This commit is contained in:
Andrew David Wong 2022-10-24 12:58:19 -07:00
parent 1522d7c8bb
commit 28c6932b25
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17


@ -121,13 +121,12 @@ the other. Alice's setup looks like this:
request PGP operations (e.g., signing and encryption) in the backend vault.
Even then, no qube ever has direct access to Alice's private keys except the
backend vault itself.
- A password manager vault. This is another completely offline,
network-isolated qube where Alice uses her offline password manager to store
all of her usernames and passwords. She uses the [secure copy and paste
system](/doc/how-to-copy-and-paste-text/) to quickly copy credentials into
other qubes whenever she needs to log into anything.
network-isolated qube where Alice uses her offline password manager,
KeePassXC, to store all of her usernames and passwords. She uses the [secure
copy and paste](/doc/how-to-copy-and-paste-text/) system to quickly copy
credentials into other qubes whenever she needs to log into anything.
- Personal qubes. One of the things Alice loves the most about Qubes is that
she can use it for both work *and* personal stuff without having to worry
@ -166,7 +165,7 @@ his colleagues, his family, and himself; and he understands that computer
security is an important part of that. He has a Qubes laptop that he uses only
for work, which contains:
- One offline qube for writing. It only runs LibreOffice Writer. This is where
- One offline qube for writing. It runs only LibreOffice Writer. This is where
Bob does all of his writing. This window is usually open side-by-side with
another window containing research or material from a source.
@ -180,23 +179,24 @@ for work, which contains:
- Whonix qubes. He has the standard `sys-whonix` service qube for providing
Torified network access, and he uses disposable `anon-workstation` app qubes
for using Tor Browser to do research on stories he's writing. Since the topic
is often of a sensitive nature or might involve powerful individuals, it's
is often of a sensitive nature and might implicate powerful individuals, it's
important that he be able to conduct this research with a degree of
anonymity. He doesn't want the subjects of his investigation to know that
he's investigating him. He also doesn't want his network requests being
traced back to his work or home IP addresses. Whonix addresses both of these
he's looking into them. He also doesn't want his network requests being
traced back to his work or home IP addresses. Whonix helps with both of these
concerns. He also has another Whonix-based disposable template for receiving
tips anonymously via Tor, since some whistleblowers he's interacted with have
said that they don't want to risk using regular email.
tips anonymously via Tor, since some high-risk whistleblowers he's interacted
with have said that they can't take a chance with any other form of
communication.
- Two qubes for
[Signal](https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/signal.md).
Bob has two Signal app qubes (both on the same template in which the Signal
desktop app is installed). One is linked to his work mobile number for
communicating with co-workers. The other is a public number that serves as
another method of allowing sources to contact him confidentially. This is
especially useful for individuals who don't use Tor but for whom unencrypted
communication could be dangerous.
desktop app is installed). One is linked to his own mobile number for
communicating with co-workers and other known, trusted contacts. The other is
a public number that serves as an additional way for sources to reach him
confidentially. This is especially useful for individuals who don't use Tor
but for whom unencrypted communication could be dangerous.
- Several data vaults. When someone sends Bob material that turns out to be
useful, or when he comes across useful material while doing his own research,
@ -210,13 +210,14 @@ for work, which contains:
- A [VPN
qube](https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md)
and associated qubes for accessing work resources. The servers at work can
only be accessed via a VPN, so Bob has certain qubes that are connected to a
VPN qube so that he can upload his work and access anything he needs on the
local network without being there.
only be accessed from the organization's network, so Bob has certain qubes
that are connected to a VPN qube so that he can upload his work and access
anything he needs on the local network when he's not physically there.
- A password manager vault. Bob stores all of his login credentials in this
offline qube and [securely copies and
pastes](/doc/how-to-copy-and-paste-text/) them into other qubes as needed.
- A password manager vault. Bob stores all of his login credentials in the
default password manager that came with his offline vault qube. He [securely
copies and pastes](/doc/how-to-copy-and-paste-text/) them into other qubes as
needed.
A colleague helped Bob set up his Qubes system initially and showed him how to
use it. Since Bob's workflow is pretty consistent and straightforward, the way
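Review bot: The replacement text for Bob's password manager vault refers to "the default password manager that came with his offline vault qube" without saying which program that is, while the corresponding entries for Alice (earlier in this patch) and Carol (later in this patch) name KeePassXC explicitly. For consistency across the three case studies, and so that a reader setting up their own vault knows what to look for, consider naming the program here as well, e.g. "Bob stores all of his login credentials in KeePassXC in his offline vault qube."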
@ -225,9 +226,10 @@ colleague told him to remember a few simple rules: Don't copy or move
[text](/doc/how-to-copy-and-paste-text/) or
[files](/doc/how-to-copy-and-move-files/) from less trusted to more trusted
qubes; [update](/doc/how-to-update/) your system when prompted; and make
regular [backups](/doc/how-to-back-up-restore-and-migrate/). Bob doesn't care
to try out new software or tweak any settings, so he can do everything he needs
to do without having to interact with the command line.
regular [backups](/doc/how-to-back-up-restore-and-migrate/). Bob doesn't have
the need to try out new software or tweak any settings, so he can do everything
he needs to do on a daily basis without having to interact with the command
line.
## Carol, the investor
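Review bot: Minor style point on the replacement sentence "Bob doesn't have the need to try out new software or tweak any settings": "doesn't have the need to" is wordier than necessary and reads awkwardly; "Bob doesn't need to try out new software or tweak any settings" says the same thing more plainly. The rest of the hunk reads fine.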
@ -243,14 +245,14 @@ protection organizations only guarantee recovery in the case of a financial
institution *failing*, which is quite different from an individual customer
being hacked. Moreover, even though many financial institutions have their own
cybercrime policies, rarely, if ever, do they explicitly guarantee
reimbursement in the event that a customer gets hacked rather than the
institution itself.
reimbursement in the event that a *customer* gets hacked (rather than the
institution itself).
Carol looked into how thieves might actually try to steal her hard-earned
wealth and was surprised to learn that they have all sorts of ploys that she
had never even considered. For example, she had assumed that any theft would,
at the very least, have to involve transferring money out of her account. That
seemed like a safe basic assumption. But then she read about "pump and dump"
at the bare minimum, have to involve transferring money out of her account.
That seems like a safe assumption. But then she read about "pump and dump"
attacks, where thieves buy up some penny stock, hack into innocent people's
brokerage accounts, then use the victims' funds to buy that same penny stock,
"pumping" up its price so that the thieves can "dump" their shares on the
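Review bot: Tense inconsistency in the replacement line "That seems like a safe assumption." The surrounding paragraph narrates Carol's reasoning in the past tense ("she had assumed", "she read about"), and the line being removed used "seemed". Keep the past tense here ("That seemed like a safe assumption.") so the paragraph does not switch tense mid-thought.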
@ -276,18 +278,21 @@ for "most secure operating system." She read about how it's designed and why.
Although she didn't immediately understand all of the technical details, the
fundamental principle of [security-by-compartmentalization](/doc/architecture/)
made intuitive sense to her, and the more she learned about the technical
aspects, the more she realized that this is what she'd been looking for. Her
setup looks like this:
aspects, the more she realized that this is what she'd been looking for. Today,
her setup looks like this:
- One qube for each investment firm and bank. Carol has a few different
retirement accounts, brokerage accounts, and bank accounts. She treats each
qube like a "secure terminal" for accessing only that one institution's
website and saving any statements and confirmations she downloads in that
qube. She uses the [Qubes firewall](/doc/firewall/) to enable access only to
that institution's website so that she doesn't accidentally visit any others
in that qube.
website. She makes her transactions and saves any statements and
confirmations she downloads in that qube. She uses the [Qubes
firewall](/doc/firewall/) to enable access only to that institution's website
in that qube so that she doesn't accidentally visit any others. Since most of
what she does involves using websites and PDFs, most of Carol's app qubes are
based on a [minimal template](/doc/templates/minimal/) with just a web
browser (which doubles as a PDF viewer) and a file manager installed.
- One qube for all her credit card accounts. Carol considered making a separate
- One qube for all her credit card accounts. Carol started to make a separate
qube for each credit card account but ultimately decided against it. For one
thing, the consumer protections for credit card fraud in her country are much
better than for losing assets to theft or fraud in a bank or brokerage
@ -296,13 +301,18 @@ setup looks like this:
accounts or her old credit card statements, since online access to these
generally doesn't allow spending or withdrawing any money. So, even the worst
case scenario here wouldn't be catastrophic, unlike with her bank and
brokerage accounts. Finally, she has way too many credit cards! While she's
very frugal, she likes to collect the sign-up bonuses that are offered for
opening new cards, so she's accumulated quite a few of them. (However, she's
always careful to pay off her balance each month, so she never pays interest.
She's also pretty disciplined about only spending what she would have spent
*anyway* and not being tempted to spend more just to meet a spending
requirement or because she can.)
brokerage accounts. Third, she's not too worried about any of her credit card
company websites being used to attach each other or her qube (As long as it's
contained to a single qube, she's fine with that level of risk.) Last, but
not least: She has way too many credit cards! While Carol is very frugal, she
likes to collect the sign-up bonuses that are offered for opening new cards,
so she's accumulated quite a few of them. (However, she's always careful to
pay off her balance each month, so she never pays interest. She's also pretty
disciplined about only spending what she would have spent *anyway* and not
being tempted to spend more just to meet a spending requirement or because
she can.) At any rate, Carol has decided that the tiny benefit she stands to
gain from having a separate qube for every credit card website wouldn't be
worth the hassle of having to manage so many extra qubes.
- One qube for credit monitoring, credit reports, and credit history services.
Carol has worked hard to build up a good credit score, and she's concerned
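Review bot: The new "Third, ..." sentence in this hunk has a typo and a punctuation problem: "being used to attach each other or her qube" should read "attack each other or her qube", and the parenthetical that follows is a separate sentence, so a period is missing before it: "...or her qube. (As long as it's contained to a single qube, she's fine with that level of risk.)". Also, in "Last, but not least: She has way too many credit cards!", the capital "She" after the colon is inconsistent with the rest of the document; "Last but not least, she has way too many credit cards!" would match the surrounding style.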
@ -319,42 +329,56 @@ setup looks like this:
this offline qube is where she maintains a master spreadsheet to track all of
her investments and her savings rate. She also keeps her budgeting
spreadsheet, insurance spreadsheet, and written investment policy statement
here.
here. This qube is based on a template with some additional productivity
software, like LibreOffice and Gnumeric (so that Carol can run her own Monte
Carlo simulations).
- Various email qubes. Carol likes to have one email qube for her most
important financial accounts; a separate one for her credit cards accounts,
online shopping accounts, and insurance companies; and another one for
personal email.
personal email. They're all based on the same template with Thunderbird
installed.
- A password manager vault. A network-isolated qube where Carol stores all of
her account usernames and passwords. She uses the [Qubes global
clipboard](/doc/how-to-copy-and-paste-text/) to copy and past them into her
her account usernames and passwords in KeePassXC. She uses the [Qubes global
clipboard](/doc/how-to-copy-and-paste-text/) to copy and paste them into her
other qubes when she needs to log into her accounts.
The vast majority of Carol's assets are in broad-based, low-cost,
passively-managed indexed funds. Lately, however, she's started getting
interested in cryptocurrency. Although she's still skeptical of investments
that don't generate cash flows or that are associated with scams or wild
speculation, she finds the idea of self-custodying a portion of her assets
appealing. She's knows they're very volatile, but she likes the idea of having
a hedge against certain types of political risk, and she recognizes that high
volatility also carries the potential for high returns, so she's decided to dip
her toe in the water by allocating a small portion of her portfolio. This has
led her to add the following:
interested in cryptocurrency. She's still committed to staying the course with
her tried-and-true investments, and she's always been skeptical of new asset
classes, especially those that don't generate cash flows or that often seem to
be associated with scams or wild speculation. However, she finds the ability to
self-custody a portion of her assets appealing from a long-term risk management
perspective, particularly as a hedge against certain types of political risk.
She recognizes that cryptocurrency is extremely volatile, and she knows that
she has the self-discipline to invest only what she can afford to lose, so
she's decided to dip her toe in the water by allocating a small portion of her
portfolio. This has led her to add the following to her Qubes setup:
- A standalone qube for running Bitcoin Core. Carol finds the design and
security properties of Bitcoin very interesting, so she's experimenting with
running a full node.
- A standalone qube for running Bitcoin Core and an offline wallet vault. Carol
finds the design and security properties of Bitcoin very interesting, so
she's experimenting with running a full node. She also created a
network-isolated vault in order to try running a copy of Bitcoin Core
completely offline as a "cold storage" wallet. She's still trying to figure
out how this compares to an actual hardware wallet, paper wallet, or
physically air-gapped machine, but she's figures they all have different
security properties. She also recently heard about using [Electrum as a
"split" wallet in
Qubes](https://github.com/Qubes-Community/Contents/blob/master/docs/security/split-bitcoin.md)
and is interested in exploring that further.
- Whonix qubes. Carol read somewhere that Bitcoin nodes should be run over Tor
for privacy and security. She found it very convenient that Whonix is already
integrated into Qubes, so she simply set her Bitcoin Core qube to use
`sys-whonix` as its networking qube.
integrated into Qubes, so she simply set her Bitcoin Core "full node" qube to
use `sys-whonix` as its networking qube.
- Various qubes for DeFi and Ledger Live. Carol has also started getting into
decentralized finance and web3, so a friend recommended that she get a Ledger
hardware wallet. She downloaded the Ledger Live software in an app qube and
[set up her system to recognize the
- Various qubes for DeFi and web3. Carol has also started getting into DeFi
(decentralized finance) and web3 on Ethereum and other smart contract
blockchains, so a friend recommended that she get a Ledger hardware wallet.
She downloaded the Ledger Live software in an app qube and [set up her system
to recognize the
Ledger](https://www.kicksecure.com/wiki/Ledger_Hardware_Wallet). She can now
start her [USB qube](/doc/usb-qubes/), plug her Ledger into it into a USB
port, [use the Qubes Devices widget to attach it](/doc/how-to-use-devices/)
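Review bot: Typo in the replacement text for the Bitcoin Core entry: "but she's figures they all have different security properties" should be "but she figures they all have different security properties". The rest of this hunk (the KeePassXC mention, the "copy and paste" fix, and the expanded cryptocurrency paragraph) looks good.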
@ -366,8 +390,15 @@ led her to add the following:
- Various qubes for research and centralized exchanges. Carol uses these when
she wants to check block explorer websites, coin listing and market cap
sites, aggregation tools, or just to see what the latest buzz is on Twitter.
sites, aggregation tools, or just to see what the latest buzz is on Crypto
Twitter.
Carol makes sure to back up all of her qubes that contain important account
statements, confirmations, spreadsheets, cryptocurrency wallets, and her
password manager vault. If she has extra storage space, she'll also back up her
templates and even her Bitcoin full node qube, but she'll skip them if she
doesn't have time or space, since she knows she can always recreate them again
later and download what she needs from the Internet.
## Conclusion
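Review bot: In the added backup paragraph, "she knows she can always recreate them again later" is redundant; "recreate them later" already carries the meaning of "again". Minor wording nit, otherwise the paragraph is a useful addition because it ties the backup advice in the conclusion to a concrete case.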
@ -382,12 +413,18 @@ everyone will want to use the same email client. On the other hand, almost
everyone will need a password manager, and it pretty much always makes sense to
keep it in an offline, network-isolated vault.
As you're designing your own Qubes system, keep in mind some of the following
tips:
As you gain experience with Qubes, you may find yourself disagreeing with some
of the decisions our fictional friends made. That's okay! There are many
different ways to organize a Qubes system, and the most important criterion is
that it serves the needs of its owner. Since everyone's needs are different,
it's perfectly normal to find yourself doing things a bit differently.
Nonetheless, there are some general principles that almost all users find
helpful when they're first starting out. As you're designing your own Qubes
system, keep in mind some of the following lessons from our case studies:
- You'll probably change your mind as you go. You'll realize that this qube
- You'll probably change your mind as you go. You'll realize that one qube
should really be split into two, or you'll realize that it doesn't really
make sense for these two qubes to be separate and that they should instead be
make sense for two qubes to be separate and that they should instead be
merged into one. That's okay. Qubes OS supports your ability to adapt and
make changes as you go. Try to maintain a flexible mindset. Things will
eventually settle down, and you'll find your groove. Changes to the way you
@ -404,7 +441,7 @@ tips:
experience of others. Keeping good backups also allows you to be a bit more
free with reorganizations. You can delete qubes that you think you won't need
anymore without having to worry that you might need them again someday, since
you know you can always restore them from a backup if it turns out you do.
you know you can always restore them from a backup.
- Think about which programs you want to run and where you want to store data.
In some cases, it makes sense to run programs and store data in the same
@ -417,14 +454,14 @@ tips:
size of your installation. Templates, service qubes, and qubes that are used
exclusively for running programs and that contain no data don't necessarily
have to be backed up as long as you're confident that you can recreate them
if needed. This is why it can be useful to keep notes on which packages you
installed in which templates and which customizations and configurations you
made. Then you can refer to your notes the next time you need to recreate
them. Of course, backing up everything is not a bad idea either. It may
require a bit more time and disk space upfront, but for some people, it can
be just as important as backing up their irreplaceable data. If your system
is mission-critical, and you can't afford more than a certain amount of
downtime, then by all means, back everything up!
if needed. This is why it's a good practice to keep notes on which packages
you installed in which templates and which customizations and configurations
you made. Then you can refer to your notes the next time you need to recreate
those qubes. Of course, backing up everything is not a bad idea either. It
may require a bit more time and disk space upfront, but for some people, it
can be just as important as backing up their irreplaceable data. If your
system is mission-critical, and you can't afford more than a certain amount
of downtime, then by all means, back everything up!
- Introspect on your own behavior. For example, if you find yourself wanting to
find some way to get two qubes to share the same storage space, then this is
@ -454,16 +491,17 @@ tips:
- On the other hand, compartmentalization --- like everything else --- can be
taken to an extreme. The appropriate amount depends on your temperament,
time, patience, experience, risk tolerance, and expertise. In short, there
can be such a thing as *too much* self-imposed security! You also have to be
able to use your computer to actually do the things you need to do. For
example, if you immediately try to jump into doing everything in
can be such a thing as *too much* compartmentalization! You also have to be
able to actually *use* your computer efficiently to do the things you need to
do. For example, if you immediately try to jump into doing everything in
[disposables](/doc/how-to-use-disposables/) and find yourself constantly
losing working (e.g., because you forget to transfer it out before the
disposable self-destructs), then that's a big problem! Your extra
self-imposed security measures are interfering with the very thing they're
designed to protect. At times like these, take a deep breath and remember
that you've already reaped the vast majority of the security benefit simply
by using Qubes and performing basic-level compartmentalization (e.g., no
random web browsing in templates). Each further step of hardening and
compartmentalization beyond that is only an incremental gain with diminishing
marginal utility. Try not to allow the perfect to be the enemy of the good!
by using Qubes OS in the first place and performing basic
compartmentalization (e.g., no random web browsing in templates). Each
further step of hardening and compartmentalization beyond that represents an
incremental gain with diminishing marginal utility. Try not to allow the
perfect to be the enemy of the good!
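Review bot: Since this hunk already rewrites most of this bullet, the unchanged context line "losing working (e.g., because you forget to transfer it out before the disposable self-destructs)" should be fixed in the same change: "losing working" is a typo for "losing work". The replacement lines themselves read well.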