1 00:00:01,040 --> 00:00:04,845 This is the desktop of the Qubes operating system. 2 00:00:05,382 --> 00:00:09,786 This is the best desktop operating system to enforce security 3 00:00:09,876 --> 00:00:14,240 through isolation and compartmentalization, in my opinion. 4 00:00:14,519 --> 00:00:17,956 It is still in its early days for the operating system, 5 00:00:18,016 --> 00:00:20,811 but the concept behind it is excellent. 6 00:00:21,021 --> 00:00:24,208 Qubes is a free and open source operating system 7 00:00:24,451 --> 00:00:27,911 designed to provide strong security for desktop computing, 8 00:00:27,970 --> 00:00:29,507 not for servers. 9 00:00:29,603 --> 00:00:32,923 Qubes is based on the Xen hypervisor, 10 00:00:33,101 --> 00:00:36,021 the X-Windows system and Linux. 11 00:00:36,531 --> 00:00:40,482 It uses virtualization to enforce security domains 12 00:00:40,804 --> 00:00:43,436 through isolation and compartmentalization. 13 00:00:43,694 --> 00:00:46,149 This is good because virtualization 14 00:00:46,327 --> 00:00:49,506 reduces the interfaces between security domains 15 00:00:49,669 --> 00:00:54,095 but still allows the security domains to exist and communicate. 16 00:00:54,248 --> 00:00:58,792 Perhaps the best way to think of it is as if you're running on your laptop 17 00:00:58,846 --> 00:01:01,967 a Xen bare metal hypervisor 18 00:01:02,031 --> 00:01:04,686 with some Linux kernel added 19 00:01:04,800 --> 00:01:07,297 and additional code to handle communication 20 00:01:07,407 --> 00:01:09,119 between those virtual machines, 21 00:01:09,378 --> 00:01:13,055 plus some added security features, that's Qubes. 22 00:01:13,328 --> 00:01:16,840 The user environments or the individual VMs 23 00:01:16,920 --> 00:01:20,574 are based on Fedora, Debian, Arch Linux, 24 00:01:20,772 --> 00:01:23,106 Whonix, Microsoft Windows, 25 00:01:23,196 --> 00:01:27,086 and some others through what are called Qubes templates. 
26 00:01:27,506 --> 00:01:30,508 It's an operating system like any other that you download 27 00:01:30,578 --> 00:01:33,979 and install on your laptop or desktop, 28 00:01:34,039 --> 00:01:37,916 although it does take about three hours to install, it's quite a beast. 29 00:01:38,194 --> 00:01:40,690 At the moment this is the latest version to download 30 00:01:40,953 --> 00:01:44,559 and there's also a live CD version that you can get, 31 00:01:45,140 --> 00:01:48,040 which you can download here if you want to try it out. 32 00:01:48,130 --> 00:01:50,560 The live CD currently, as I'm recording, 33 00:01:50,762 --> 00:01:54,462 doesn't have the latest features as the full install version, 34 00:01:54,513 --> 00:01:57,209 but at least with the live CD you can test it out 35 00:01:57,489 --> 00:01:59,841 and see whether it works with your hardware. 36 00:01:59,976 --> 00:02:02,626 Note, I haven't found this live CD 37 00:02:02,716 --> 00:02:05,837 or in fact installing it to work on virtual machines, 38 00:02:05,907 --> 00:02:10,395 on any virtual machine, so you'll have to try it on bare metal. 39 00:02:11,004 --> 00:02:13,222 Let's talk about kernel design for a minute. 40 00:02:13,277 --> 00:02:17,854 So most operating systems, Unix, Linux, BSD, 41 00:02:18,248 --> 00:02:20,856 use a monolithic kernel architecture, 42 00:02:20,946 --> 00:02:25,779 which means lots of code runs with high levels of privilege, 43 00:02:26,077 --> 00:02:31,428 or what is called the trusted computing base or TCB. 44 00:02:32,258 --> 00:02:37,439 The TCB is all the hardware, firmware and/or software components 45 00:02:37,519 --> 00:02:42,702 that are critical to a system's security, the trusted computing base. 46 00:02:42,944 --> 00:02:48,544 If security bugs or compromise occur inside the trusted computing base, 47 00:02:48,773 --> 00:02:52,686 it is very likely to jeopardize the security of the entire system. 
48 00:02:52,862 --> 00:02:56,296 Vulnerabilities in the kernel are especially dangerous, 49 00:02:56,463 --> 00:03:00,582 so avoiding kernel vulnerabilities is especially critical. 50 00:03:00,782 --> 00:03:02,012 Now what you can see here, 51 00:03:02,062 --> 00:03:07,670 these are examples of monolithic kernel TCB components 52 00:03:07,826 --> 00:03:10,405 that you have to trust are good. 53 00:03:10,523 --> 00:03:14,658 These make up the attack surface of a monolithic kernel, 54 00:03:14,865 --> 00:03:17,686 so the smaller the trusted computing base 55 00:03:17,810 --> 00:03:21,527 the better for security, the smaller the attack surface. 56 00:03:21,617 --> 00:03:23,419 So why is this relevant to Qubes? 57 00:03:23,701 --> 00:03:26,351 Well, unlike VMware and VirtualBox, 58 00:03:26,441 --> 00:03:29,872 which run directly on a host operating system 59 00:03:29,932 --> 00:03:32,532 like Windows or Debian, 60 00:03:32,961 --> 00:03:38,420 Xen, which Qubes is based on, is a type one or bare metal hypervisor. 61 00:03:38,703 --> 00:03:40,988 Qubes uses a microkernel 62 00:03:41,162 --> 00:03:43,574 as the isolation enforcing code 63 00:03:43,709 --> 00:03:45,811 reducing the attack surface. 64 00:03:45,901 --> 00:03:48,967 Less code equals less potential security bugs, 65 00:03:49,098 --> 00:03:51,325 equals less potential compromises, 66 00:03:51,491 --> 00:03:54,986 or at least that's the theory, a good theory though. 67 00:03:55,336 --> 00:04:00,287 An attacker must be capable of subverting the Xen hypervisor itself 68 00:04:00,402 --> 00:04:03,283 in order to compromise the entire system, 69 00:04:03,456 --> 00:04:05,362 which is more difficult to do 70 00:04:05,433 --> 00:04:08,659 than subvert the host on a type two virtual machine 71 00:04:08,749 --> 00:04:11,531 like VMware and VirtualBox. 72 00:04:11,923 --> 00:04:15,216 There is no full host OS to compromise 73 00:04:15,375 --> 00:04:19,785 with a type one hypervisor, like which Qubes uses. 
74 00:04:20,190 --> 00:04:22,305 This is an advantage for security 75 00:04:22,425 --> 00:04:25,859 which Qubes has over VMware and VirtualBox. 76 00:04:26,480 --> 00:04:30,274 Let's talk through the system architecture and the various VMs. 77 00:04:31,051 --> 00:04:35,111 Qubes enforces security domains through different virtual machines 78 00:04:35,261 --> 00:04:39,128 that establish isolation and compartmentalization. 79 00:04:39,397 --> 00:04:42,977 Each of these boxes here represents different virtual machines 80 00:04:43,313 --> 00:04:45,089 and different security domains. 81 00:04:45,244 --> 00:04:50,186 No host operating system is used as Xen is the bare metal hypervisor. 82 00:04:50,427 --> 00:04:54,828 So first let's look at the Xen hypervisor and administrative domain, 83 00:04:55,017 --> 00:04:56,176 or the GUI domain, 84 00:04:56,236 --> 00:04:58,024 which is this one here, 85 00:04:58,608 --> 00:05:01,323 and this one here within the interface. 86 00:05:01,487 --> 00:05:08,197 The host domain or Dom0 is the interface or GUI to everything else, 87 00:05:08,277 --> 00:05:11,026 it's what you see when you are logged in. 88 00:05:11,197 --> 00:05:14,140 Dom0 controls the graphics devices, 89 00:05:14,439 --> 00:05:18,234 as well as input devices such as keyboards and mouse. 90 00:05:18,523 --> 00:05:22,437 Dom0 is what shows what you're seeing now, this desktop. 91 00:05:22,873 --> 00:05:24,955 It is used for running the X server 92 00:05:25,015 --> 00:05:29,654 which displays this user desktop and the window manager 93 00:05:29,754 --> 00:05:33,405 which allows the user to start and stop the applications 94 00:05:33,573 --> 00:05:35,272 and manipulate the windows. 
95 00:05:35,504 --> 00:05:39,460 Critically and for security, Dom0 has no network connectivity, 96 00:05:39,485 --> 00:05:43,876 it has as little communication as possible with other domains 97 00:05:43,926 --> 00:05:46,778 in order to minimize the possibility of attack 98 00:05:46,888 --> 00:05:48,670 from a compromised VM. 99 00:05:48,710 --> 00:05:51,553 As you can see, it uses KDE by default 100 00:05:51,707 --> 00:05:55,215 and even for example if there was a bug in this KDE, 101 00:05:55,474 --> 00:05:58,315 Dom0 isn't reachable for an attacker 102 00:05:58,383 --> 00:06:01,077 as there is no network connection to it, 103 00:06:01,226 --> 00:06:03,428 you can just view it in effect. 104 00:06:03,656 --> 00:06:06,026 Because the Dom0 doesn't have network access, 105 00:06:06,069 --> 00:06:09,014 only a few components need to be updated 106 00:06:09,064 --> 00:06:12,232 which the administrator can install from the command line. 107 00:06:12,845 --> 00:06:16,513 To view applications running in each VM's domain, 108 00:06:16,752 --> 00:06:19,384 Qubes provides the application viewer. 109 00:06:19,532 --> 00:06:22,403 This provides a false impression for the user 110 00:06:22,543 --> 00:06:25,974 that applications execute natively on the desktop, 111 00:06:26,024 --> 00:06:27,225 as you can see here. 112 00:06:27,321 --> 00:06:31,213 But they are in fact applications running in separate VMs. 
113 00:06:31,337 --> 00:06:32,637 Like this window here, 114 00:06:32,724 --> 00:06:35,853 you can see the yellow window with a yellow border, 115 00:06:35,949 --> 00:06:39,251 this is running in the personal virtual machine 116 00:06:39,683 --> 00:06:43,693 and the green window here is running in the work VM, 117 00:06:43,776 --> 00:06:46,607 but because of Dom0’s application viewer, 118 00:06:46,762 --> 00:06:48,427 you have the false impression 119 00:06:48,533 --> 00:06:51,691 that these are just separate windows within an operating system, 120 00:06:51,949 --> 00:06:55,380 but in fact they are entire separate operating systems 121 00:06:55,665 --> 00:06:57,415 as part of a virtual machine 122 00:06:57,573 --> 00:07:01,415 that are isolated from each other by Xen and Qubes. 123 00:07:02,360 --> 00:07:07,528 There is a network virtual machine or NetVM which you can see here. 124 00:07:08,664 --> 00:07:12,284 Also represented in this diagram here, NetVM. 125 00:07:12,747 --> 00:07:16,420 Networking is performed in a separate VM 126 00:07:16,713 --> 00:07:18,793 which is great as a network layer 127 00:07:18,853 --> 00:07:22,650 is a critical component for securing communication. 128 00:07:22,849 --> 00:07:25,850 This VM protects you against exploits, 129 00:07:25,983 --> 00:07:30,002 against things like your WiFi or Ethernet driver, 130 00:07:30,192 --> 00:07:33,718 protocol stacks, or maybe your DHCP client, 131 00:07:34,083 --> 00:07:37,913 and you could also use this to isolate your VPN 132 00:07:37,996 --> 00:07:40,727 and make it available for other virtual machines. 133 00:07:40,842 --> 00:07:46,032 So what I mean by that is the network VM enforces a VPN 134 00:07:46,221 --> 00:07:48,895 and your other VMs are tunneled through that. 135 00:07:48,949 --> 00:07:50,649 This prevents leakage. 136 00:07:51,050 --> 00:07:54,558 Remember the Nightstand from the NSA Ant Catalog. 
137 00:07:54,698 --> 00:07:59,309 If as advertised, if we imagine this has some WiFi driver 138 00:07:59,359 --> 00:08:03,708 or protocol stack type exploit that it's able to perform, 139 00:08:03,748 --> 00:08:07,865 if you're using a normal operating system like Windows, Debian, 140 00:08:07,955 --> 00:08:13,270 OSX, Linux, it's game over if they have that type of exploit. 141 00:08:13,286 --> 00:08:17,291 With Qubes, because the network is isolated in the VM, 142 00:08:17,367 --> 00:08:21,641 only the network VM would be compromised by an exploit like that. 143 00:08:21,691 --> 00:08:23,721 The attacker would have to escalate his attack 144 00:08:23,821 --> 00:08:26,817 to get to the other domains or other VMs. 145 00:08:27,040 --> 00:08:29,337 So it's a great idea to have your network 146 00:08:29,397 --> 00:08:31,759 as a separate virtual machine as well, 147 00:08:31,897 --> 00:08:34,517 in fact it'd be great for all operating systems. 148 00:08:34,634 --> 00:08:39,268 This does require that your hardware has IOMMU, 149 00:08:39,395 --> 00:08:42,054 also known as Intel VT-d. 150 00:08:42,566 --> 00:08:48,466 There is a firewall VM which enforces firewall rules between the network VM 151 00:08:48,606 --> 00:08:52,659 and other domains so that you can configure the protocols, 152 00:08:52,729 --> 00:08:55,740 the sources, the destination etc, 153 00:08:55,937 --> 00:08:58,327 for the communication between the domains. 154 00:08:59,456 --> 00:09:01,674 There are disposable VMs. 155 00:09:01,724 --> 00:09:04,946 So a disposable VM, like the name suggests, 156 00:09:05,006 --> 00:09:08,989 will dispose of the VM once it’s been used. 157 00:09:09,243 --> 00:09:13,173 It is typically used for a single application like a viewer, 158 00:09:13,187 --> 00:09:14,726 an editor, or browser. 
159 00:09:14,940 --> 00:09:17,076 You can open a suspicious attachment 160 00:09:17,146 --> 00:09:19,882 with complete safety or browse the web 161 00:09:19,992 --> 00:09:23,640 without storing any local history and preventing tracking. 162 00:09:23,875 --> 00:09:25,562 It's a nice feature, I like it. 163 00:09:25,597 --> 00:09:30,736 You simply just right click on a file and select open as disposable VM. 164 00:09:31,171 --> 00:09:34,832 But it's more to mitigate a threat like malware and stop tracking 165 00:09:34,945 --> 00:09:38,725 than to protect against local forensic examination, 166 00:09:38,897 --> 00:09:43,484 like you get with the Tails amnesiac operating system. 167 00:09:44,680 --> 00:09:47,852 You can use an optional USB VM, 168 00:09:47,955 --> 00:09:51,727 this would protect the operating system from things like bad USB 169 00:09:51,871 --> 00:09:55,051 being plugged into the laptop or device. 170 00:09:55,175 --> 00:10:01,447 The USB VM sandboxes all the USB drivers and stack, 171 00:10:01,547 --> 00:10:04,142 protecting you from bad USBs. 172 00:10:04,202 --> 00:10:06,640 Data can then be carefully exported 173 00:10:06,680 --> 00:10:10,967 from selected devices to other app VMs. 174 00:10:12,412 --> 00:10:15,721 Application virtual machines, or app VMs. 175 00:10:16,321 --> 00:10:20,368 App VMs are the virtual machines used for hosting applications 176 00:10:20,428 --> 00:10:24,689 like your web browser, email client, pdf viewer, etc. 177 00:10:25,562 --> 00:10:29,667 Each app VM is based on an operating system template, 178 00:10:29,777 --> 00:10:33,286 the default being Fedora, the minimal template. 179 00:10:33,389 --> 00:10:35,114 Others include, as you can see here, 180 00:10:35,214 --> 00:10:38,739 Debian, Arch Linux, Ubuntu, Whonix, 181 00:10:38,809 --> 00:10:42,540 that's the two gateway and workstation VM. 
182 00:10:42,705 --> 00:10:46,366 Also you have Windows here, so you can run office apps, 183 00:10:46,457 --> 00:10:49,863 Word, Excel, or the things you can run in Windows. 184 00:10:50,906 --> 00:10:52,799 To enforce these security domains, 185 00:10:52,819 --> 00:10:58,123 applications are placed in separate application virtual machines, app VMs. 186 00:10:58,685 --> 00:11:01,481 Here you can see examples of security domains, 187 00:11:01,838 --> 00:11:06,981 banking, personal, untrusted, work, etc. 188 00:11:07,170 --> 00:11:10,321 Because of this, what you see here, this application viewer, 189 00:11:10,480 --> 00:11:15,018 there is an illusion that they are running on the same machine, 190 00:11:15,158 --> 00:11:18,353 but they are in reality separate virtual machines. 191 00:11:18,611 --> 00:11:22,267 You could be running an untrusted browser on hackme.com 192 00:11:22,437 --> 00:11:25,014 and the browser for banking at the same time. 193 00:11:25,168 --> 00:11:30,541 Any exploit from the untrusted browser wouldn't affect your banking VM at all. 194 00:11:30,617 --> 00:11:33,878 Any security domain is labeled by color, you can see here, 195 00:11:34,018 --> 00:11:38,593 each window is marked by the color of the domain it belongs to. 196 00:11:38,663 --> 00:11:40,552 So here is the yellow, 197 00:11:40,696 --> 00:11:42,832 which is personal, which you can see there. 198 00:11:42,951 --> 00:11:45,389 There is a green, which is work, 199 00:11:45,749 --> 00:11:47,115 so it's always clear, 200 00:11:47,201 --> 00:11:50,740 visible as to which domain a given window belongs to. 201 00:11:51,342 --> 00:11:53,603 They also allow for things like secure 202 00:11:53,723 --> 00:11:56,321 copy and paste operations between VMs, 203 00:11:56,574 --> 00:12:00,106 securely copying and transferring files between VMs, 204 00:12:00,290 --> 00:12:04,490 and secure networking between VMs and the internet. 205 00:12:05,764 --> 00:12:08,654 Qubes has inbuilt integration with TOR. 
206 00:12:08,965 --> 00:12:11,609 The Whonix gateway and workstation templates 207 00:12:11,636 --> 00:12:17,944 come with Qubes and is a great option for using TOR and preventing leaks. 208 00:12:18,241 --> 00:12:22,354 You get the benefits of Whonix privacy and anonymity, 209 00:12:22,434 --> 00:12:27,998 and the host security isolation and compartmentalization of Qubes together, 210 00:12:28,105 --> 00:12:30,183 which is a very good solution. 211 00:12:30,392 --> 00:12:31,414 Hardware. 212 00:12:31,490 --> 00:12:36,559 Because of its design, Qubes has a level of resistance to malicious hardware: 213 00:12:36,709 --> 00:12:42,276 backdoor NICs, USB drivers, badBIOS, disks and SATA controllers. 214 00:12:43,363 --> 00:12:46,475 Qubes also has some other security features, 215 00:12:46,591 --> 00:12:48,582 sort of added bonuses. 216 00:12:48,605 --> 00:12:52,475 You can split your GPG private key to help protect it, 217 00:12:52,585 --> 00:12:54,846 some functionality to enable that. 218 00:12:55,971 --> 00:13:01,091 And there is a pdf converter to make pdfs trusted effectively. 219 00:13:01,271 --> 00:13:04,331 And I'm sure there'll be other added security features 220 00:13:04,432 --> 00:13:06,237 as the OS matures. 221 00:13:07,739 --> 00:13:09,436 So all of this sounds great, doesn't it? 222 00:13:09,472 --> 00:13:11,030 So what are the downsides? 223 00:13:11,140 --> 00:13:14,599 Why might you not just go out and install this now? 224 00:13:15,019 --> 00:13:16,623 Well, the first one, 225 00:13:16,761 --> 00:13:20,327 one of the big problems with Qubes is a lack of hardware support. 226 00:13:20,628 --> 00:13:24,968 I have a number of laptops and in order to get it to work on my Sony Vaio, 227 00:13:25,070 --> 00:13:26,789 I had to flash the BIOS, 228 00:13:26,944 --> 00:13:29,929 which is a pretty scary prospect for most people, 229 00:13:29,989 --> 00:13:33,558 even highly technical people, as it can break your laptop. 
230 00:13:33,721 --> 00:13:37,335 To take full advantage of all the cool security features, 231 00:13:37,637 --> 00:13:41,574 you'll need a CPU that supports virtualization technology, 232 00:13:41,833 --> 00:13:47,264 including both Intel VT-x or AMD-V, 233 00:13:49,324 --> 00:13:51,156 which you can see here, 234 00:13:52,767 --> 00:13:56,817 and Intel VT-d or IOMMU, 235 00:13:56,887 --> 00:13:58,629 which you can see here. 236 00:13:59,418 --> 00:14:02,619 Plus a BIOS with a trusted platform module 237 00:14:02,942 --> 00:14:05,438 to protect against the Evil Maid attack. 238 00:14:05,488 --> 00:14:08,507 You're also going to need a fast CPU 239 00:14:08,679 --> 00:14:12,430 and lots of RAM if you want to run a number of VMs. 240 00:14:12,685 --> 00:14:14,953 Another issue is with the manufacturers. 241 00:14:15,017 --> 00:14:18,876 They often make changes to the hardware of a computer 242 00:14:18,921 --> 00:14:21,993 or laptop or device throughout the life cycle 243 00:14:22,379 --> 00:14:26,941 of that laptop without notice, and yet it’s still called the same model. 244 00:14:27,004 --> 00:14:29,483 And the features Qubes takes advantage of 245 00:14:29,595 --> 00:14:32,705 are not features normally advertised by a vendor, 246 00:14:32,863 --> 00:14:36,590 so you're not quite sure whether the laptop you're going to buy 247 00:14:36,677 --> 00:14:39,237 is going to support the features you need it to support. 248 00:14:39,246 --> 00:14:44,980 This is a clear barrier to entry for any new user and turns people away. 249 00:14:46,021 --> 00:14:49,319 I recommend the live USB to test Qubes 250 00:14:49,409 --> 00:14:51,984 to see if it will work on your hardware. 251 00:14:52,701 --> 00:14:54,718 If you think about getting a laptop, 252 00:14:55,425 --> 00:14:58,080 then have a look at this hardware compatibility list 253 00:14:58,170 --> 00:15:02,425 for examples of devices that fully support Qubes 254 00:15:02,475 --> 00:15:04,783 or partially support Qubes. 
255 00:15:04,909 --> 00:15:08,444 The list is growing and is actually much easier to understand now 256 00:15:08,484 --> 00:15:10,035 that they've cleaned up the list, 257 00:15:10,095 --> 00:15:11,605 because it used to be a bit of a mess. 258 00:15:11,816 --> 00:15:14,817 But it's actually pretty good now and you can see quite clearly 259 00:15:15,377 --> 00:15:17,444 what works and what doesn't work, 260 00:15:17,609 --> 00:15:21,095 and has also added commentary on what they needed to do 261 00:15:21,165 --> 00:15:22,666 perhaps to make it work. 262 00:15:22,808 --> 00:15:25,372 But notice, this is community supplied, 263 00:15:25,502 --> 00:15:27,726 so you know, it might not be 100% accurate. 264 00:15:35,873 --> 00:15:37,154 So there's actually quite a few in there, 265 00:15:37,178 --> 00:15:39,609 there's a lot more than there was the last time I looked, 266 00:15:39,709 --> 00:15:41,503 which was a few months ago. 267 00:15:41,561 --> 00:15:45,120 And actually, that's the model that I have with Qubes running on it. 268 00:15:45,135 --> 00:15:47,269 And yeah, actually as it says here, 269 00:15:47,403 --> 00:15:49,203 you had to flash the BIOS. 270 00:15:49,399 --> 00:15:52,871 Yeah, so I had to flash the BIOS on mine to get it working. 271 00:15:53,008 --> 00:15:57,051 But as you can see, there's quite a few that actually do work 272 00:15:57,170 --> 00:16:00,327 and some of the ones on here are not that expensive. 273 00:16:00,436 --> 00:16:04,520 You can get sort of an older laptop around $150, 274 00:16:04,673 --> 00:16:06,420 $200, something like that. 275 00:16:07,028 --> 00:16:09,753 There's also a Google Group for Qubes, 276 00:16:09,987 --> 00:16:13,805 that's useful for help on what hardware might work 277 00:16:13,915 --> 00:16:15,922 and getting your hardware to work. 
278 00:16:16,143 --> 00:16:17,701 And I think I mentioned it before, 279 00:16:17,773 --> 00:16:19,877 it doesn't work in a virtual machine, 280 00:16:19,935 --> 00:16:22,666 or at least I've not been able to get it to work in a virtual machine, 281 00:16:22,690 --> 00:16:25,795 so you will need to install it on bare metal 282 00:16:25,845 --> 00:16:30,175 or try the live USB, live CD option. 283 00:16:31,086 --> 00:16:34,454 There is one current Qubes certified laptop, 284 00:16:34,587 --> 00:16:38,007 which is the Librem 13, which you can see here, 285 00:16:38,107 --> 00:16:40,550 which you can get Qubes preinstalled onto. 286 00:16:40,640 --> 00:16:44,674 This was a crowdfunded privacy focused hardware, 287 00:16:44,905 --> 00:16:48,465 I remember seeing it, this is where it was crowdfunded here. 288 00:16:50,434 --> 00:16:53,659 And you can go and buy them from here, 289 00:16:53,796 --> 00:16:59,243 but they're not that cheap, as you can see here, $1,499. 290 00:16:59,305 --> 00:17:03,249 But obviously, that is because the laptop is niche built 291 00:17:03,318 --> 00:17:07,289 to be privacy focused and sourced to be privacy focused. 292 00:17:07,369 --> 00:17:09,184 Check that out if that interests you. 293 00:17:09,432 --> 00:17:11,231 But from the hardware compatibility list, 294 00:17:11,351 --> 00:17:13,525 you'll find laptops that are much cheaper 295 00:17:13,625 --> 00:17:16,770 if you really want to try and get Qubes working. 296 00:17:17,696 --> 00:17:19,846 Another issue to consider, 297 00:17:20,047 --> 00:17:24,030 performance and compatibility could be a problem with Qubes, 298 00:17:24,120 --> 00:17:26,694 especially if you're only going to have one device. 
299 00:17:26,875 --> 00:17:31,513 You're not going to be able to run games and high demand software 300 00:17:31,816 --> 00:17:35,208 in virtual machines unless you've got a very very powerful machine, 301 00:17:35,372 --> 00:17:39,003 or it's simply not going to be as good as a native machine 302 00:17:39,113 --> 00:17:41,972 or the same native machine without VMs. 303 00:17:42,082 --> 00:17:45,543 So this will probably just be for work, personal, 304 00:17:45,653 --> 00:17:47,038 and a security laptop, 305 00:17:47,098 --> 00:17:50,400 not a performance laptop or a performance device. 306 00:17:51,288 --> 00:17:52,896 So what are my general conclusions? 307 00:17:53,026 --> 00:17:55,911 Well, this is an operating system still in the early days, 308 00:17:56,084 --> 00:17:57,676 but with the right hardware, 309 00:17:57,744 --> 00:18:00,545 offers some unrivaled security features 310 00:18:00,624 --> 00:18:03,324 for anyone technical enough to take advantage of them. 311 00:18:03,422 --> 00:18:07,648 It is not designed like Tails to prevent local forensic examination, 312 00:18:07,742 --> 00:18:12,289 it is for those most concerned about vulnerability exploitation. 313 00:18:12,427 --> 00:18:15,035 Although it does have disposable VMs, 314 00:18:15,164 --> 00:18:20,323 these are more to remove a threat than to mitigate local forensic examination. 315 00:18:20,499 --> 00:18:26,637 It is a platform for security and exploitation prevention and isolation. 316 00:18:27,002 --> 00:18:29,054 It is arguably the best security platform 317 00:18:29,094 --> 00:18:32,183 for hosting another secure operating system. 318 00:18:32,335 --> 00:18:35,859 Hopefully, the hardware compatibility issues will get easier 319 00:18:36,080 --> 00:18:39,230 and I think they will, and Qubes has got a bright future. 
320 00:18:39,340 --> 00:18:41,998 I recommend you try it out and I recommend you use it, 321 00:18:42,137 --> 00:18:46,905 especially if you have high security, privacy, and anonymity needs. 322 00:18:47,202 --> 00:18:51,225 And to finish off, literally a few days ago of me recording this video, 323 00:18:51,265 --> 00:18:54,459 this has been released by the Qubes guys. 324 00:18:54,507 --> 00:18:57,626 This is tutorials on using Qubes, 325 00:18:57,676 --> 00:19:00,815 so check that out, they're also on YouTube as well, 326 00:19:00,875 --> 00:19:03,542 there’s quite a few of them and they're quite good, 327 00:19:03,631 --> 00:19:07,064 thanks to Qubes team for a great OS, keep up the good work.