On 09/10/2016 07:31 AM, Holger Levsen wrote:
> Hi,
>
> On Sat, Sep 10, 2016 at 04:08:53AM -0700, [email protected] wrote:
>> Qubes is insecure due to Xen exploits.
> [...]
>> Considering that Snowden is literally advertised on the Qubes home page, I would suggest
>> the answer is "Yes".... The NSA is now very likely spending money buying up Xen
>> exploits and developing them themselves.
>
> you are mostly right, but you also mostly miss the point ;-)
>
> Of course Qubes is attackable via Xen exploits. Like all the other OSes
> are attackable via *other* exploits, which attackers have been
> targeting for almost half a century already.
>
> The biggest and most valuable target is still Windows, then MacOS, and
> then an attacker also wants to own Redhat and Debian, preferably via holes
> in the source code, to also catch all those other Linux distros.
>
> And, yes, Qubes is attackable via Xen.
>
> (And maybe, one would ignore all those OSes and just attack via Intel ME
> or the AMD and ARM equivalents of that..)
>
> So as said, you mostly missed the point. Security ain't binary.

That also misses the point.
Xen is far smaller and simpler than the kernels that protect Windows and
Linux, and it has fewer vulnerabilities as a result. It's also worth
noting that a large number of Xen vulns are either not serious or don't
affect Qubes... they affect Xen installations configured for maximum
features and convenience.
I think the problem Qubes has with the Xen project is that the latter
merely has a security "focus" (among others) instead of making security
their number-one priority (as Qubes does). It also doesn't help that
they publish additional bug-prone code which -- although secure
installations like Qubes won't trust it -- nevertheless gets reported as
simply "Xen vulnerabilities" when said bugs are discovered.
Chris