Thank goodness for AppVM firewalls.

Nice try, Westpac (my bank), trying to connect to Google ad services after I’m logged in 🙄

It should not take a highly skilled IT expert using a fringe OS and diligent opsec to adequately protect banking activity from an advertising conglomerate.

@mig5 My T480s is retiring this month, I'll try Qubes again. Last time I found the UI a bit too fiddly, but these things advance.

How did it save you? Did the firewall deny all outbound connections on that VM? How did you get alerted that something was trying to call out?

Apparently iOS has a similar model to Qubes, so Apple fans have been telling me, but I guess the key difference is the app developer controls what the container does, so unless you're compiling your own binaries for open source apps...

@greg_harvey yeah, each VM gets its own outbound firewall GUI. So I literally allow only port 443 to the destination IPs of my banks’ websites, and outbound DNS to my DNS resolver, and block the rest.
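The same allow-list can be set from dom0 with Qubes' `qvm-firewall` tool instead of the GUI. The script below is an added example, not something posted in this thread: the VM name `banking` and the 203.0.113.x addresses are constructed placeholders (RFC 5737 test addresses), not anyone's real bank. It assumes Qubes 4.x `qvm-firewall` syntax; when run somewhere that tool is absent it only prints the commands it would issue. Two things worth knowing that the thread does not spell out: the rules are enforced upstream in the VM's NetVM (normally sys-firewall), so a compromised banking VM cannot simply switch them off, and a rule keyed on an IP silently stops matching when the bank moves to a new CDN address, which is exactly the "page hangs on connecting to…" symptom described above.

```shell
#!/bin/sh
# Added example: outbound allow-list for a Qubes AppVM, applied from dom0.
# Names and addresses are constructed placeholders, not real infrastructure.
set -eu

BANK_VM="${BANK_VM:-banking}"                           # hypothetical AppVM name
BANK_HOSTS="${BANK_HOSTS:-203.0.113.10 203.0.113.11}"   # placeholder bank IPs

# Use the real tool in dom0; elsewhere fall back to a dry run that echoes commands.
if [ -z "${QVM:-}" ]; then
    if command -v qvm-firewall >/dev/null 2>&1; then QVM=qvm-firewall; else QVM=echo; fi
fi

# Replace a VM's rule set with: TCP/443 to each bank address, DNS to the
# resolver Qubes provides the VM (specialtarget=dns), then drop everything else.
# Rules are evaluated in order, so the final action=drop is what makes this an
# allow-list rather than the default allow-all.
lockdown_bank_vm() {
    vm=$1; shift
    "$QVM" "$vm" reset                 # back to the single default rule (0: accept)
    "$QVM" "$vm" del --rule-no 0       # remove that catch-all accept
    for host in "$@"; do
        "$QVM" "$vm" add action=accept proto=tcp dsthost="$host" dstports=443 \
            comment="bank https"
    done
    "$QVM" "$vm" add action=accept specialtarget=dns comment="dns to Qubes resolver"
    "$QVM" "$vm" add action=drop comment="deny everything else"
}

# Show the resulting table so the last line can be checked to read 'drop'.
show_rules() {
    "$QVM" "$1" list
}

# shellcheck disable=SC2086  # word splitting of BANK_HOSTS is intentional
lockdown_bank_vm "$BANK_VM" $BANK_HOSTS
show_rules "$BANK_VM"
```

`dsthost=` also accepts a hostname; the firewall VM resolves it when the rules are applied, so re-applying the rules is the fix when a bank's addresses change. A run with `QVM=echo` is a cheap way to review the exact command sequence before touching a real VM.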

I observed it because the page was blocking for a long time and Firefox shows the ‘connecting to’ in the bottom part of the page.

Yep, iOS does sandboxing, and there are other things than Qubes, e.g. those trying a ‘containers’ approach, but I like its heavy-handed Xen VM approach.

@greg_harvey the Qubes GUI probably hasn’t changed since you last tried it ;) still old-school XFCE. You have to give up your expectations a bit. Qubes 4.1 might be a bit fresher, we’ll see when it comes out. I doubt it, though.

@mig5 I did research GNOME on Qubes a little. There were some fundamental architectural problems nobody wanted to fix, last time I looked. Pity, I mean XFCE is OK, but GNOME have really nailed the desktop experience now, IMHO. It's not impossible, it's just dependent on cleverer people than me to make it happen.

I'll definitely kick the tyres again anyway! 😎

@mig5 OH! "We are currently migrating towards using GNOME."

I guess they decided XFCE was a bit of a blocker to take-up, so they should just fix GNOME.

@greg_harvey I suspect those are old docs; I still think they shelved GNOME for now and went with XFCE, mostly because it was easier and there weren’t enough sponsors.

@mig5 Awww, right, that's what I'd heard too. I guess it's a whole different ballgame pulling together something like Qubes, vs maintaining a "normal" Linux distro like Debian. Not that the latter is easy, but it's a lot easIER.

@greg_harvey exactly. Anyone can run multiple VMs on any GUI, e.g. via VirtualBox. But the magic of Qubes is the IPC between VMs using the Xen dom0 control plane, the various rules and security policies in place, and the exposing of the apps inside VMs to the main UI’s menus, etc. A real can of worms.

@mig5 Anyway, day "off" today and too much shit to take to the tip already to consider doing any gardening, so FINALLY reformatting my NAS drives with ext4 (currently ZFS, which is a PITA) and, once that's done, copying everything back on to them from the various machines I've used to temporarily store the files. THEN I can clean down the T480s and put Qubes on it. 😅

@greg_harvey Qubes should run well on a T480s assuming you have a decent amount of RAM. I run on an X1 Carbon now, but it ran great (maybe even better, e.g. suspend actually worked) on my T450s (which is now a diskless machine I use to run Tails on).

@mig5 Hehe, I love my T450s. It's my favourite computer. That's why it's also my music computer; it's running Debian with a low-latency kernel and the KXStudio repos for music tools. The T480s is almost as good, but the battery life has been dismal. Performance-wise it'll be fine, though.

@mig5 I may have to take this back, I happen to be on my old X1 Carbon (now NAS) to format these disks and the keyboard is lovely. Just only 8GB RAM. Pity.

@greg_harvey either way - XFCE or not, I find it very hard to use anything other than Qubes these days. Once your ssh keys, your git repos, your mail client and your browser(s) are all on totally separate VMs and file systems, properly isolated and with their own firewalls as well, it’s very hard to go back to a single instance. Most of my web browsing is done in entirely ephemeral ‘disposable’ VMs (dispVMs) - they only live as long as the browser stays open.

@greg_harvey dependent on clever people, but also mostly money. There are more clever people than there is money. Believe it or not, worlds collide - I think an Argentinian guy we know was going to work on it a few years back (via work with Purism), but funding was pulled.

