>> Only running VMs are vulnerable
>>
>> Since Qubes OS is a memory-hungry system, it seems that an attacker
>> would only be able to steal secrets from VMs running concurrently with
>> the attacking VM. This is because any pages from shutdown VMs will
>> typically very quickly get allocated to other, running VMs and get wiped
>> as part of this procedure.
IIUC this still seems fairly awful from a usability perspective if we think of the added cognitive load of watching what is running when, and remembering or making choices on what to close / restart when (I'm reading between the lines and guessing this has had something to do with the decision on the reintroduction of Qubes Manager?).

sys-net is considered likely / easily compromised (such that there seems to be some real utility in making it a dispvm under 4). However, it will also be running for most users in most everyday cases for long periods. A common set of VMs open at one time for me, for internet banking, might be at minimum sys-net, sys-firewall, sys-usb, vault and a dispvm (as shitty banks here often load things off marketing or even advertising network domains that change fairly regularly). If we're saying that in an ideal situation sys-net and sys-usb (if it has had any untrusted devices attached to it) are started clean, or else the secrets vault is at risk, that seems to remain a very serious problem.

The other approach seems to be to store the banking secrets in a banking VM and do the browsing from there as well. Some sensitive tasks can no doubt be done with sys-net shut down, but by no means all. If we're considering that this will be the case for quite some time(?) due to the Xen approach, do we need to offer some sort of recipe for vm-start (where I can ensure my "red" VMs are shut down or cycled before my vault is started, for example)?

I try to pay my Qubes dues by offering assistance in IRC, and I'm anticipating here the sort of user who is willing to put effort into thinking about how they need to partition their domains, and maybe even write some custom rules / scripts, but who after that needs the system not to overly get in the way of day-to-day tasks / require constant tinkering.

Vince
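The "recipe for vm-start" asked for above, as an added example that is not code from the original thread or from the Qubes project: a dom0 shell script that shuts down the listed untrusted qubes, waits for each to actually halt so its memory goes back to Xen, refuses to continue if any is still up, and only then starts the vault. It assumes the Qubes 4.x dom0 tools qvm-check, qvm-shutdown and qvm-start (the QVM_* variables only exist so the script can be exercised outside dom0); the qube names sys-net, sys-usb and vault are hypothetical.

```shell
#!/bin/sh
# Start a sensitive qube only after the untrusted ones are fully off.
# Added example, not from the qubes-users thread or the Qubes project.
# Assumes Qubes 4.x dom0 CLI: qvm-check --running, qvm-shutdown --wait,
# qvm-start. Qube names used below are hypothetical.

# Command wrappers: override these to dry-run or test outside dom0.
QVM_CHECK="${QVM_CHECK:-qvm-check}"
QVM_SHUTDOWN="${QVM_SHUTDOWN:-qvm-shutdown}"
QVM_START="${QVM_START:-qvm-start}"

# Exit 0 if the qube is running (that is qvm-check --running's contract).
vm_running() {
    "$QVM_CHECK" --running "$1" >/dev/null 2>&1
}

# Shut down each listed qube that is running. --wait blocks until the
# domain is really gone, so its pages are free to be reallocated and
# wiped before anything else is started.
stop_untrusted() {
    for vm in "$@"; do
        if vm_running "$vm"; then
            "$QVM_SHUTDOWN" --wait "$vm" || return 1
        fi
    done
    return 0
}

# Usage: start_vault_after <vault-qube> <untrusted-qube>...
# Returns 1 if a shutdown failed, 2 if something is still running
# (nothing is started in either case), otherwise qvm-start's status.
start_vault_after() {
    vault="$1"
    shift
    stop_untrusted "$@" || return 1
    for vm in "$@"; do
        if vm_running "$vm"; then
            echo "refusing to start $vault: $vm is still running" >&2
            return 2
        fi
    done
    "$QVM_START" "$vault"
}

# Mirror image for finishing a session: stop the vault first, then bring
# the untrusted qubes back. Usage: finish_vault_then_start <vault> <qube>...
finish_vault_then_start() {
    vault="$1"
    shift
    stop_untrusted "$vault" || return 1
    for vm in "$@"; do
        "$QVM_START" "$vm" || return 1
    done
    return 0
}

# Example session (run in dom0):
#   start_vault_after vault sys-net sys-usb
#   ... do the offline work in vault ...
#   finish_vault_then_start vault sys-net sys-usb
```

The second function matters as much as the first: under the quoted analysis, the vault's secrets are exposed only to qubes running concurrently with it, so sys-net should come back only after the vault has halted, not merely after the banking window is closed. Anything that needs the network at the same time as the secrets (the "banking VM" variant described above) is outside what this ordering can protect.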