[deleted] I'm aware it was touched upon, but I haven't found any well-founded evaluations that actually answer the question of which should be considered more secure. It mostly goes "Qubes best for desktop, GOS best for mobile" followed by an opinion not supported by arguments, especially not factoring in the scope that's needed.

However, I stand to be corrected on this, and I'm sorry if I created this topic needlessly. If someone could point me to an existing answer, I'd be grateful:)

When it comes to the topic of "MOST" secure, x64 systems just don't really enter into the equation for most threat models. There's no x64 platform that gives you the hardware-based security you get running GOS on a Pixel. The discussion pretty much ends there unless you have a specific threat model or use case that warrants debate, and I don't think there are many.

    Albatross That's interesting, and I definitely see your point. Do you think there's anything that Qubes does better, excluding cases of "I just have to use a desktop"? Are there important security or privacy features not currently available for GrapheneOS, for which Qubes or any x64 platform might be worth using?

      Qubes isn't really even an OS as the average user thinks of an OS, it's a building block for running other OSes/applications in an isolated environment. With that in mind, I would say, no, it doesn't inherently have security or privacy benefits, it all depends what you put on top of it, and how you do it.

      iustitia Qubes is good at isolating with the type 1 Xen hypervisor. It's far more secure than most desktop operating systems if used correctly.

      However, GrapheneOS has security benefits that cannot be replicated on Qubes. Features like full verified boot, bootloader locking, separate encryption keys per user profile, etc makes GrapheneOS superior. Qubes has none of those features and the virtual machines are not encrypted with separate keys either, which is important in case of a physical adversary.

      It is also worth noting that Qubes is very inefficient and uses a lot of power. It is also not user-friendly, unlike GrapheneOS, which is easy to use and even improves battery life compared to the stock OS.

      It's difficult to compare two different operating systems designed for very different uses.


      Please note: The Off topic tag should be used instead of General for highly off-topic threads like this.


      In my opinion, Qubes OS does have several critical drawbacks:

      Outdated Hardware: Many of the Qubes-certified hardware and community-favored models, such as the Lenovo X230, have reached their end-of-life and cannot receive security updates from their vendors. Relying on hardware that's a decade old raises security concerns.

      Lack of Secure Boot Support: Qubes OS does not provide out-of-the-box support for secure boot, and users often have to resort to solutions like HEADS, which may not be compatible with newer hardware.

      Absence of Newer Security Technologies: Qubes OS lacks support for or equivalents of newer security technologies like hardware-enforced stack protection and System Guard (though Trenchboot partially addresses this, it lacks SMM protection).

      Comparatively, I believe that Qubes OS may excel in terms of compartmentalization when compared to Graphene.
      However, it's worth noting that Windows has made significant improvements over the years, offering various isolation methods such as virtual machines, Windows Sandbox, and Win32 AppContainer isolation to sandbox Win32 applications.

        Upstate1618 it's worth noting that Windows has made significant improvements over the years

        I have to wonder why you don't think this is negated by all the telemetry collected and the increasing lack of user control with every new version of Windows. Or maybe you do. Hopefully you do.

          router99
          Yeah, you're right. Apart from that, Windows requires a Microsoft account at first launch; Windows Defender uploads unencrypted files to the cloud; Microsoft Edge and Office also send telemetry data, etc. But they are all configurable, and my point is security, not privacy.

          Well, you don't have to create an MS account to log in. You can skip that if you have already researched it or printed out a webpage (or several), but you have to be ready to go first to bypass that (don't remember exactly, but I don't have one on my Win11 Pro new laptop).
          The telemetry in Windows 10 and 11 is bad. You can lock down and harden Windows 11 Pro very well now with 22H2; however, it's a PITA, and Win10 and Home versions are much, much harder to do. Again, you really need to do a fresh clean install from the start with Win11 Pro, as you will have driver issues and have to work around those to implement these hardened things. I don't know for sure, but I know Intel 12th Gen and higher and AMD 7th Gen qualify for Secure Boot and all the other high-end lockdown methods deployed; there are actually quite a lot after a fair bit of reading and staying up all damn night for 2 nights troubleshooting!! (Even after all this, this laptop will have Debian 12 on it, 98% sure, but until then I'm on the backup one now that had Win10 that kept getting too many BSODs; Debian 12, no problems.)
          First and foremost, for Windows security for anyone, you need to set up a limited account (Local User). I did right away, or almost, IIRC.

          https://github.com/proviq/AccountManagement Local User and Group Management is an alternative for the built-in lusrmgr snap-in, making the advanced User and Group Management available to all Windows editions.

          Need to try to enable all the Core Isolation ones for sure and use Edit group policy a bit.

          https://github.com/beerisgood/Windows11_Hardening

          https://www.qubes-os.org/hcl/
          There are very, very, very few laptops that work with Qubes OS. The problem is, to get your laptop certified, you need to send two laptops in to them, and they work on it for up to a year and fully harden it, and then it is certified and ready to go. This is a list of laptops and hardware that people have made work, and what versions and what issues they have. Others can try to make a bootable USB (I like YUMI), but with the new 4.2.0-rc4 (r101323) I should make one with Rufus or another standalone tool, as that isn't really the best way to do it for such a finicky OS. Still, with people trying them out, there are still almost none that work. That's why if I won the big lottery, I'd throw them many multiple groups of laptops from different price points with and without video cards (AMD, Intel) and submit them to them (plus funds for more qualified people; same for GrapheneOS). That way people can update to 32GB or 64GB of RAM, but not laptops with that LPDDR crap. Hell, I bought 64GB for this laptop even though I have 32GB (Prime Days, not installed yet). I'm typing on it now and just doing Prime Days research and some other things and almost ran out of 32GB, and that's with no VMs running; I couldn't imagine running something like Qubes OS, as it could be, on an older laptop.
          If you read enough in the forums or even the troubleshooting in the Hardware compatibility list (HCL), you really do need to know your way around Linux; there's no way around that. But if it's your second PC and you know it will work with Qubes OS, it will make you learn Linux very quickly.

          Unless someone is a very good (sandbox) Linux virtual machine and Android virtual machine hacker, then there is no way to truly answer that question. Not just a run-of-the-mill one. I've been watching a lot of YT videos on this stuff over the last 10 months, A LOT (175-200 hours). I have been watching them for over 20 years.
          You can search the Hardware compatibility list (HCL) wiki for laptops, desktops and motherboards; i5-12, i7-12 (12th Gen Intel) for instance, and not find many. There was an Asus ROG Zephyrus G14 (GA402RJ) Ryzen 9 6900HS AMD Integrated Graphics (Rembrandt) & RX 6700S that was on the list; it was new in early 2022 for $1,500 at Best Buy, I think. They had a clearance at $1,100 a little over a month ago, and a few open boxes around $750, but I had car problems. Now that could have been upgraded to 64GB of RAM, IIRC, and been a very nice computer. Wanted a 14" for my 2nd laptop too; still do. As of right now, only 2 i7 13th Gen have Intel integrated graphics.

          It all depends on how much time/energy you're willing to put in... On Windows - a lot, on Linux - a lot, on MacOS - some, on GOS - minimal.

          Almost any OS can be made reasonably secure/private, but the effort that goes into it can be a deal breaker.

          Actually, you're right. GOS is locked down very, very well from the start. Lack of sleep the last 7 days. Windows takes a ton of time to lock down, a ton of time. To be honest, the more I think about it, they should NOT even offer the Home version and only have the Pro version with some of the hardened things already enabled. That would force some of the driver & software companies to follow suit. Or eventually; you would have to give them like 3 to 9 months, though, to get their code in order, as I don't think it would be too easy for the smaller ones and/or open-source free ones. You almost need a small IDS/EDR type system on your Windows PC too, or a pfSense/OPNsense type firewall box for your home network; not a bad idea in general for all devices, but especially for Windows environments. I plan on doing that sometime in the future here, probably getting a dual-LAN Mini PC on Black Friday.
          Linux is better out of the box, but still isn't bulletproof right away. The more I think about it, GOS probably is the most locked down and has the newest security updates for Android. Qubes OS, if you look at the Hardware compatibility list (HCL), many of those are running on an old kernel, and there's no way to know for sure if updating causes a problem; I assume it does not, but I haven't read tons and tons of their forums yet. I have some eBay laptops saved that work with it, but it's not even close to a priority right now. If I get a great deal on one (probably a no-HD or no-power-supply type, so super cheap), I would just check maybe once to make sure the motherboard works and it is OK, assuming I get one with the option to return, but that's it. I wouldn't have time to install & mess with it until next year probably, as I know Qubes OS could take like 6 to 10+ hours trying to troubleshoot or reinstall and set it up again a better way (?). Sorry for the previous post; don't know why that one GitHub Local User thing is sooo huge.