01770f No.13651951
Qubes OS is a security-focused desktop operating system that aims to provide security through compartmentalization.[8] Compartmentalization is provided through the use of virtualization technology. This allows the segmentation of applications into secure virtual machines called qubes
https://www.theregister.co.uk/2012/09/05/qubes_secure_os_released/
Latest release 4.3.0[4] / 21 December 2025; 3 months ago
Update method DNF (PackageKit)
Package manager RPM Package Manager
Supported platforms x86-64
Kernel type Microkernel (Xen Hypervisor running minimal Linux-based OSes and others)
Userland GNU[a]
Official templates: Fedora, Debian
Community templates: Whonix, Ubuntu, Arch Linux, CentOS, Gentoo
Official website qubes-os.org
The minimum base system requirements[21] for Qubes OS are:
64-bit Intel or AMD processor with virtualization extensions[b]
6 GB of RAM
32 GB of disk space
Security and privacy experts such as Edward Snowden, Daniel J. Bernstein, and Christopher Soghoian have publicly praised the project.
"Endpoint Security Prize Finalists Announced!"
https://www.qubes-os.org/experts/
____________________________
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
9347ae No.13651952
its great if you are a dealer but works too slow for ordinary daily use
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
4fef3a No.13651956
You can't keep running you have to confront and stand. Government envy is real, you are being researched and presented and then law-makers will fuck everything up for you. They put age verification in systemd and then bought out grub.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
4fef3a No.13651957
Freedom and privacy is what human means.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13651974
>>13651952
>its great if you are a dealer but works too slow for ordinary daily use
Fake news. Been daily driving it for years. It helps to have something newer than a 15 year old EFI-reflashed stinkpad.
Here's a couple nickels kid, buy yourself a system with at least 128GB RAM.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652029
WARNING WARNING WARNING
Google sits on the peering interconnections between most ISPs and data centers, at minimum collecting netflow data.
YOU NEED SOMETHING LIKE MULLVAD DAITA, OR ANY OTHER MAYBENOT OBFUSCATION SYSTEM!
It needs to be installed onto a small dedicated device, ideally with two ethernet RJ-45 ports (though one could be used, with advanced router firmware like OpenWRT doing VLANing). Without DAITA or maybenot, Google sees your traffic hops nearly transparently. Tor has circuit padding, but plain VPN users (even multihop) are exposed without this on their WAN uplink.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652215
>>13651951
>FEDora
>soystemd
has anyone forked it yet? also what happened to headsOS, why did development stop
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
f91733 No.13652247
>Qubes
Install Gentoo, faggot.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
9441b9 No.13652250
>>13652247
>fingerprinting will stop if I use linux
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
f91733 No.13652251
>>13652250
If you use openrc instead of systemd what are they gonna do? Gentoo is a source-based distro. You can install it on a MilkV SBC and bypass the vendor level systemd checks.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
0ced7f No.13652255
>>13652251
>Shader precision doesn't fingerprint you
don't gay nigger obviously the only way to avoid fingerprinting is pic rel
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652256
>>13651951
I use debian. Im noob though.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652475
>>13652247
Qubes needs to be rebased onto Gentoo.
Qubetoo GNU/Linux.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
23ceef No.13652580
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652605
>>13651951
whatever happened to headsOS? did the dev get killed by glowniggers for not having systemd on the project? seems weird how there's no fork of tailsOS that uses a systemd-free init
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652608
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
484fe0 No.13652625
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
484fe0 No.13652627
https://youtu.be/NGUlPw2fX5s?si=I8yAJ6IYDJzji5Fm
I FUCKING WANT TO DIE COMEDY
•Terrorism Threats
•Rape / Rape Stories
•Violence On Women
•AntiSemitism / Wishing Death On Jews
•Racism / Hatred for Illegals
•Doxxing / Credit Card-Soc. Security Readoffs
•Online Fights / Hatemail / Fighting
•School Shooting Plots
•Synagogue/Church Shooting Plots
•Darkweb Market Deals
•Shoplifting / Stealing Tips
•Hatred For Women
•All Combined into Comedy
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652695
There was a Qubes thread on >>>4/g/ recently. It disgusted me how quick a glownigger hopped in and began a concern-troll campaign, gaslighting OP that he must be schizophrenic to want to use Qubes OS. Be safe out there, frens; they're trying to psyop you into avoiding good tools. AI-assisted security penetration is already growing at a quickening pace, Qubes OS is a prudent choice for your everything-but-gaming daily needs.
Anyone needing a Windows TemplateVM is implored to choose Windows Server Evaluation, which you will then convert to full Datacenter edition with the dism command, then use the massgrave KMS activator; follow the Qubes OS project's instructions for installing Qubes Windows Tools into the TemplateVM; open wf.msc and delete inbound and outbound all rules; open gpedit.msc and delete all inbound and outbound rules, set inbound and outbound to Block [All] for Domain, Public, and Private profiles in the Windows Firewall properties (in gpedit.msc), and while setting Block [All] settings be sure to click Customize right next to "Specify settings that control Windows Defender Firewall Behavior" and make sure both Rule Merging settings are set to No (SO STRONGLY IMPLORED, IT'S ALMOST A REQUIREMENT HERE!), then add the tab-separated rules I will paste below and make sure they are DISABLED; Enable "Turn Off KMS Client Online AVS Validation" under Administrative Templates in gpedit.msc.
Firewall rules (Tab Separated Values):
Name Group Profile Enabled Action Override Program Local Address Remote Address Protocol Local Port Remote Port Authorized Computers Authorized Local Principals Local User Owner PolicyAppId Application Package
Core Networking [custom] - DNS (UDP-Out) (RESTRICTIVE) All Yes Allow No %systemroot%system32svchost.exe Any 10.139.1.1-10.139.1.2 UDP Any 53 Any Any Any None Any
Core Networking - Dynamic Host Configuration Protocol (DHCP-Out) Core Networking All No Allow No %SystemRoot%system32svchost.exe Any Any UDP 68 67 Any Any Any None Any
Core Networking Diagnostics - ICMP Echo Request (ICMPv4-Out) Core Networking Diagnostics All No Allow No System Any Any ICMPv4 Any Any Any Any Any None Any
Ping ICMPv4 +Administrator All No Allow No c:windowssystem32ping.EXE Any Any ICMPv4 Any Any Any COMPUTERNAMEAdministrator Any None Any
PowerShell ALL TCP +Administrator All No Allow No %SystemRoot%system32WindowsPowerShellv1.0powershell.exe Any Any TCP Any Any Any COMPUTERNAMEAdministrator Any None Any
PowerShell ALL TCP +User All No Allow No %SystemRoot%system32WindowsPowerShellv1.0powershell.exe Any Any TCP Any Any Any COMPUTERNAMEUser Any None Any
PowerShell ALL UDP +User All No Allow No %SystemRoot%system32WindowsPowerShellv1.0powershell.exe Any Any UDP Any Any Any COMPUTERNAMEUser Any None Any
PowerShell UDP +Administrator All No Allow No %SystemRoot%system32WindowsPowerShellv1.0powershell.exe Any Any UDP Any Any Any COMPUTERNAMEAdministrator Any None Any
Self ALL TCP +ALL All No Allow No Any 127.0.0.0/8 127.0.0.0/8 TCP Any Any Any Any Any None Any
Self ALL UDP +ALL All No Allow No Any 127.0.0.0/8 127.0.0.0/8 UDP Any Any Any Any Any None Any
SVCHOST 80+443 TCP All No Allow No c:windowssystem32svchost.exe Any Any TCP Any 80, 443 Any Any Any None Any
SVCHOST 80+443 UDP All No Allow No c:windowssystem32svchost.exe Any Any UDP Any 80, 443 Any Any Any None Any
SVCHOST ALL ALL All No Allow No c:windowssystem32svchost.exe Any Any Any Any Any Any Any Any None Any
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652696
>>13652695
You will also most likely need the following Powershell script in the TemplateVM, set in taskschd.msc to execute every 60 seconds from startup, in order to ensure your AppVMs based on the template configure proper network settings:
$newipAddress = (c:windowssystem32qubesdb-cmd.exe -c read /qubes-ip).Trim()
$newgateway = (c:windowssystem32qubesdb-cmd.exe -c read /qubes-gateway).Trim()
$newdns1 = (c:windowssystem32qubesdb-cmd.exe -c read /qubes-primary-dns).Trim()
$newdns2 = (c:windowssystem32qubesdb-cmd.exe -c read /qubes-secondary-dns).Trim()
$newdnsServers = @($newdns1, $newdns2)
$macAddress = (c:windowssystem32qubesdb-cmd.exe -c read /qubes-mac).Trim()
$macAddressDash = $macAddress.Replace(":", "-")
# Check if an adapter with the specified MAC address exists
$adapter = Get-WmiObject -Class Win32_NetworkAdapter | Where-Object { $_.MACAddress -eq $macAddress }
$config = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.MACAddress -eq $macAddress }
Write-Host "Check for adapter."
if ($adapter) {
# Get current IP configuration
$currentipAddresses = (Get-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex).IPAddress
# Get current gateway configuration
$currentgateways = $config.DefaultIPGateway
# Get current DNS configuration
$currentdnsServers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex).ServerAddresses
if ($newipAddress -ne $currentipAddresses -or $newgateway -ne $currentgateways) {
Write-Host "Address mismatch found."
Disable-NetAdapterBinding -Name $adapter.NetConnectionID -ComponentID ms_tcpip6
Set-NetIPInterface -InterfaceIndex $adapter.InterfaceIndex -Dhcp Disabled
# Remove existing IP addresses
foreach ($ip in $currentipAddresses) {
Remove-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex -IPAddress $ip -Confirm:$false
}
# Set the IP address and subnet mask using WMI methods
$config.EnableStatic($newipAddress, "255.255.255.0")
# Set the default gateway using WMI methods
$config.SetGateways($newgateway)
}
Write-Host "Setting DNS servers."
# Set the DNS servers using WMI methods
$config.SetDNSServerSearchOrder($newdnsServers)
}
# Exit cleanly
Write-Host "Script execution completed."
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652697
>>13652696
Ultimately, the idea with this whole setup above is to ensure Windows has no network access by default when it comes up in an AppVM that does have network, because Windows Firewall is fascistly blocking everything. Any internet-using application you install into the TemplateVM must also have a corresponding default-disabled rule added in gpedit.msc that would give it outbound access to the internet, and when you start an AppVM you need to launch gpedit.msc, navigate to the outbound Firewall rules, and specifically enable DNS (line 1 in my rules list above) and whatever application rules you intend to immediately use. The only internet connected application I use is TradeStation, otherwise I have a second Windows TemplateVM I use for applications (CS6, Maya, SolidWorks, Maxwell Render, Wolfram Mathematica, and more) that sees no internet whatsoever, even from the Qubes OS netvm configuration perspective.
Follow standard Qubes guidelines for TemplateVMs, in DO NOT HAVE THEM CONNECTED TO THE INTERNET; there is one exception: the rare times you want to run Windows Updates. You will connect the TemplateVM using `qvm-prefs TEMPLATENAME netvm FIREWALLNAME`, then enable the DNS and SVCHOST rules, then run your updates, then disable the rules (do not forget this, or your AppVMs come up with those rules enabled), and then do `qvm-prefs TEMPLATENAME netvm none` to disconnect the TemplateVM. The only telemetry the update system could give is the state of the TemplateVM (installed applications, settings, etc), but *not* anything in your AppVMs unless you fucked up on the firewall settings (or Windows one day just disregards its own firewall). I have an idea for using a separate clean TemplateVM that would run WSUS configured to keep its data files on Q:, so that a combination of AppVM+disposable_template use (to get updates) and DispVM use (to apply updates to other Windows TemplateVMs, in a ratchet-way that would prevent any possible downstream telemetry being exfiltrated through WSUS, but is beyond the scope of this post.
Sorry I took forever to begin posting instructions for building a similar Qubes system to mine. I wanted to get the Windows TemplateVM post out of the way here first so the Windows-reliant can migrate away from native Windows and onto a safer environment.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652698
>>13652695
Fucking masonmoot fix your goddamn site, your [code] blocks are treating backslashes as escape sequences!
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652699
>>13652696
God damn I'm going to need to repaste everything like an idiot…
$newipAddress = (c:\windows\system32\qubesdb-cmd.exe -c read /qubes-ip).Trim()
$newgateway = (c:\windows\system32\qubesdb-cmd.exe -c read /qubes-gateway).Trim()
$newdns1 = (c:\windows\system32\qubesdb-cmd.exe -c read /qubes-primary-dns).Trim()
$newdns2 = (c:\windows\system32\qubesdb-cmd.exe -c read /qubes-secondary-dns).Trim()
$newdnsServers = @($newdns1, $newdns2)
$macAddress = (c:\windows\system32\qubesdb-cmd.exe -c read /qubes-mac).Trim()
$macAddressDash = $macAddress.Replace(":", "-")
# Check if an adapter with the specified MAC address exists
$adapter = Get-WmiObject -Class Win32_NetworkAdapter | Where-Object { $_.MACAddress -eq $macAddress }
$config = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.MACAddress -eq $macAddress }
Write-Host "Check for adapter."
if ($adapter) {
# Get current IP configuration
$currentipAddresses = (Get-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex).IPAddress
# Get current gateway configuration
$currentgateways = $config.DefaultIPGateway
# Get current DNS configuration
$currentdnsServers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex).ServerAddresses
if ($newipAddress -ne $currentipAddresses -or $newgateway -ne $currentgateways) {
Write-Host "Address mismatch found."
Disable-NetAdapterBinding -Name $adapter.NetConnectionID -ComponentID ms_tcpip6
Set-NetIPInterface -InterfaceIndex $adapter.InterfaceIndex -Dhcp Disabled
# Remove existing IP addresses
foreach ($ip in $currentipAddresses) {
Remove-NetIPAddress -InterfaceIndex $adapter.InterfaceIndex -IPAddress $ip -Confirm:$false
}
# Set the IP address and subnet mask using WMI methods
$config.EnableStatic($newipAddress, "255.255.255.0")
# Set the default gateway using WMI methods
$config.SetGateways($newgateway)
}
Write-Host "Setting DNS servers."
# Set the DNS servers using WMI methods
$config.SetDNSServerSearchOrder($newdnsServers)
}
# Exit cleanly
Write-Host "Script execution completed."
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
000000 No.13652700
>>13652695
Name Group Profile Enabled Action Override Program Local Address Remote Address Protocol Local Port Remote Port Authorized Computers Authorized Local Principals Local User Owner PolicyAppId Application Package
Core Networking [custom] - DNS (UDP-Out) (RESTRICTIVE) All Yes Allow No %systemroot%\system32\svchost.exe Any 10.139.1.1-10.139.1.2 UDP Any 53 Any Any Any None Any
Core Networking - Dynamic Host Configuration Protocol (DHCP-Out) Core Networking All No Allow No %SystemRoot%\system32\svchost.exe Any Any UDP 68 67 Any Any Any None Any
Core Networking Diagnostics - ICMP Echo Request (ICMPv4-Out) Core Networking Diagnostics All No Allow No System Any Any ICMPv4 Any Any Any Any Any None Any
Ping ICMPv4 +Administrator All No Allow No c:\windows\system32\ping.EXE Any Any ICMPv4 Any Any Any COMPUTERNAME\Administrator Any None Any
PowerShell ALL TCP +Administrator All No Allow No %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe Any Any TCP Any Any Any COMPUTERNAME\Administrator Any None Any
PowerShell ALL TCP +User All No Allow No %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe Any Any TCP Any Any Any COMPUTERNAME\User Any None Any
PowerShell ALL UDP +User All No Allow No %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe Any Any UDP Any Any Any COMPUTERNAME\User Any None Any
PowerShell UDP +Administrator All No Allow No %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe Any Any UDP Any Any Any COMPUTERNAME\Administrator Any None Any
Self ALL TCP +ALL All No Allow No Any 127.0.0.0/8 127.0.0.0/8 TCP Any Any Any Any Any None Any
Self ALL UDP +ALL All No Allow No Any 127.0.0.0/8 127.0.0.0/8 UDP Any Any Any Any Any None Any
SVCHOST 80+443 TCP All No Allow No c:\windows\system32\svchost.exe Any Any TCP Any 80, 443 Any Any Any None Any
SVCHOST 80+443 UDP All No Allow No c:\windows\system32\svchost.exe Any Any UDP Any 80, 443 Any Any Any None Any
SVCHOST ALL ALL All No Allow No c:\windows\system32\svchost.exe Any Any Any Any Any Any Any Any None Any
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
