You probably have read more than once news about vulnerabilities, for example, in office suites, when opening a document leads to the fact the malefactors get access to the entire computer and all documents, or vulnerabilities in browsers, when opening a malicious website opens to the hacker the access to the victim's device.
There are no security corners here, so macOS, Linux, Windows, iOS, Android break down in the same way, dozens of similar threats are found every year. Shortly before writing this article, a critical vulnerability was discovered in Libre Office, a more secure, as it is commonly believed, analogue of Microsoft Office with open source.
Each of us has valuable data that we want to protect. These could be sketches of a doctoral thesis, access to the administration panel of a project or intimate correspondence, and you probably had the idea that it would not be so bad to somehow isolate significant information from potentially dangerous activity.
A good option would be to have several devices i.e. use the browser on the one, work with documents on the other, store files on the third one, and so on. This is called hardware isolation, and, as you understand, this is good only in theory and it is hardly applicable in practice.
Is it possible to isolate running processes with program? It is possible, but it requires considerable skills in working with so-called containers and will be difficult for the average user. However, there is a ready-made solution, which is an open source Linux-based operating system, which is based on process isolation. It is called Qubes OS.
We have already told you about virtual machines that this is an effective mechanism for opening files and links and that even if a file or link turns out to be malicious, the main system will not have any problems, since malicious software will not go beyond the limits of the virtual machine (although there may be exceptions).
Qubes OS is an operating system where you can create a virtual environment for each process or group of processes. Imagine that you work with banks and you have created a virtual machine for this, and you visit sites of questionable content from another virtual machine. Even if you “catch” malware on the second machine, it will not be able to get out of this virtual machine and will never reach the virtual machine with banking sites and applications.
Or take for example the mail where you receive various documents. For ordinary users, opening a file carries a high risk, because infection through mail still remains one of the most popular and effective tools of targeted attacks both on companies and on individuals. Just isolate the mail securely and the problem will be solved.
Qubes OS users for mail have a separate virtual system, beyond which malware will not be able to get out. At least in practice, since in theory there will always be the likelihood of vulnerabilities in Qubes OS itself.
Data exchange between systems occurs through a special secure clipboard, which is also a plus to the security of Qubes OS, I'm not talking about an integrated sandbox, which allows you to open any file in an isolated environment in a couple of clicks.
At the same time, Qubes OS is not difficult to use, otherwise I would not introduce it to you. Instructions make it difficult that are posted on some sites, do not read them. Basically, they are written by people who work freely with the command line, for the same people.
Why Qubes OS did not get into the list of main course systems? Since the project is still largely experimental, no comprehensive audit of the solution has been carried out yet. Although I cannot hide that I do like this operating system.
In the next chapter on Qubes OS, I will provide instructions for installing the system on an external storage device and initial setup.