The Case Against QubesOS

Promoting Qubes is a Misunderstanding of the Problems

Time

a. If you don’t have time to read this article, you don’t have time to read QubesOS documentation.


Profit

b. Data collection is profitable, and gives the collector power over the collected.


Power

c. Because surveillance is linked to power and money, it’s in both corporate and government interests to deeply embed it into the widely used infrastructure, tools, and platforms, and to purposefully make it difficult to get privacy outside that.


d. The biggest problem with privacy is cultural (and NOT technical).

Not only does the person have to motivate themselves to learn new technical ways of doing things, but on top of that, they still have to figure out how to interact with people in the legacy systems, such as SMS, email, and bloated Big Tech services.


Society

e. A huge problem is converting enough people to freedom systems, and not targeted hacks of those systems. There is a lack of businesses accepting cryptocurrency, lack of Linux software/motivation, and a lack of famous people on Nostr. There is rampant and widespread use of browser fingerprinting and speed measuring services on CDNs such as Cloudflare. And even if you’re using an encrypted messenger, if the people you’re talking to are on Microsoft Windows or iPhones, then there’s an OS leak.

Therefore, a huge obstacle to privacy is burn-out.

It’s POSSIBLE to get privacy, but it is difficult emotionally and technically, and it can overwhelm or exhaust the end-user facing all of these cultural, technical, legal, and financial obstacles.


Burn-out

f. If burn-out is the number one problem, it is NOT logical to herd users into the most technically difficult, time-consuming, and semi-permanent solutions, which have massive downsides and don’t even fully solve the CDN-fingerprint problem. Therefore, recommending QubesOS over HydraVeil for privacy is negligent.


Breakout

g. QubesOS offers better security against malware breakout, but I do not acknowledge this is a real threat for the vast majority of privacy-seekers. Do you even know of a single real-world case of web-browser breakout targeting a Linux user that actually harmed them? Outside of an academic study or a security vendor promoting their patch?


CDNs

On the other hand, CDNs such as Cloudflare are rampant and invasive, and EVERYONE has to deal with them on a DAILY BASIS. They see all data, all passwords, all browsers, all IPs, and all website load speeds. Given that there is NO privacy advantage of Qubes over HydraVeil for dealing with these rampant common obstacles, it’s absolutely ridiculous to promote Qubes as the preferred solution, for obscure unlikely problems of extreme edge situations.

In fact Qubes is so ignorant of these issues, their own website for OS distribution is on Cloudflare.

How can you mouth out your holes that Qubes opsec protects you from obscure US-government attacks, when you’re downloading the software itself from a US-controlled man-in-the-middle?


How can you say the software’s opsec doesn’t matter, when all you’re using this for is extreme opsec of software downloads?



As opposed to Simplified Privacy using Russian-friendly Moldova hosts, expensive Iceland DNS, a self-hosted Forgejo, and 2nd-source SHA256-hash verification across Nostr, Tor Onion, and Bastyon.
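The second-source check mentioned above, as an added example (not Simplified Privacy's or HydraVeil's own code): a download is accepted only when hashes fetched over independent channels agree with each other and with the local file. The channel names come from the text; the file contents and hash values are constructed sample data, and `verify_download` is a hypothetical helper.

```python
import hashlib
import hmac
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, published, min_sources=2):
    """published maps channel name -> hash string fetched over that channel.
    Returns (ok, reason). Passes only if enough independent channels
    publish the same well-formed hash and the local file matches it."""
    cleaned = {ch: v.strip().lower() for ch, v in published.items()}
    bad = sorted(ch for ch, v in cleaned.items() if not HEX64.match(v))
    if bad:
        return False, "malformed hash from: " + ", ".join(bad)
    if len(cleaned) < min_sources:
        return False, "need at least %d independent sources" % min_sources
    if len(set(cleaned.values())) != 1:
        return False, "channels disagree; one source may be tampered with"
    expected = next(iter(cleaned.values()))
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, "file does not match the published hash"
    return True, "match confirmed by %d sources" % len(cleaned)

def demo():
    # Constructed sample: a stand-in file and hashes, not real release data.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample release\n")
    good = hashlib.sha256(b"constructed sample release\n").hexdigest()
    evil = hashlib.sha256(b"tampered\n").hexdigest()
    agree = {"nostr": good, "onion": good.upper() + "\n", "bastyon": good}
    split = {"nostr": good, "onion": evil, "bastyon": good}
    return [verify_download(f.name, agree)[0],                   # all agree
            verify_download(f.name, split)[0],                   # one differs
            verify_download(f.name, {"nostr": good})[0],         # single source
            verify_download(f.name, {"nostr": evil, "onion": evil})[0]]

if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the independence of the channels: if every copy of the hash is published from the same compromised account or host, agreement proves nothing.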


Isolated

h. HydraVeil gives you just as good screen display isolation, and fairly good filesystem isolation to prevent the browser from seeing your system-wide files. HydraVeil not only has its own isolated networking stack, but giving you new IP addresses solves the widespread CDN speed measuring problems. As opposed to remembering and coordinating on your own which IP goes to which service, VM, or browser.


VPN Subs

i. And even better, HydraVeil gives you isolated and effortless crypto burner subscriptions right in the app with QR codes or copy-paste.


What’s even the point of doing different QubesOS virtual machines, if you’ve got the same Mullvad VPN billing ID on all of them? How is that isolating?



Tor/Mullvad Browser makes every browser the same. If it’s all the same, what’s the purpose of different Qubes?



Qubes is NOT a browser distribution, so you’ve got to waste time downloading and setting up browsers. I dispute that the Tor/Mullvad Browser works with all these massive JavaScript bloat websites. If the websites work with minimal (or no) JavaScript, then what’s the point of QubesOS security isolation to begin with?


The whole point of Qubes is to let websites run wild with JavaScript, which means NOT Tor Browser.

And Firefox by default has massive telemetry and Google spyware baked into it.

So you’re far better off with HydraVeil having a properly configured Firefox, than with a new Qube distro whose Firefox sends telemetry straight back to Google/Mozilla.

Even more frustrating, as we discussed previously, LibreWolf and Brave are fingerprinted immediately. So now you’re wasting your entire life just to get privacy, when burn-out itself is the problem for dealing with CDNs.


Qubes has slower performance from running virtual machines.

You’re waiting for them to load every day. You may get echo loopback or performance issues on video/audio calls for your meetings. Your laptop battery dies sooner. And the VMs waste disk space on an entire operating system each, which limits the number of profiles/new identities you can have. By contrast, HydraVeil has zero speed effect, uses no disk space, and loads instantly (other than connecting to a new IP).


QubesOS setup is time-consuming, while HydraVeil is one command and an AppImage.

I hope you don’t have problems, because Qubes technical support is random people on public forums, who might volunteer to answer you. Good luck! Simplified Privacy, by contrast, has dedicated staff, with rapid replies through your favorite private encrypted messenger.


USB & Android

l. Qubes has USB problems, you’re in for some pain. Not only will some devices give you issues, but you’ll really struggle with Android USB. I hope you like having no USB access to your phone.


Issues Changing

m. Unless you’re booting into a 2nd OS, you’re forced to use slow Qubes all the time, because it’s your base PC operating system. Whereas HydraVeil is a one-click AppImage that you can turn off if you like.

20 Year Old Tech

o. Qubes is not cypherpunk. People act like they are part of some elite cool club, you’re not. It’s Xen hypervisor which is over 20 years old, from mainstream bluechip companies such as Intel, Citrix, Arm Ltd, Huawei, Amazon/NSA AWS, Alibaba Cloud, AMD, Bitdefender and EPAM Systems. You’re telling me you got the newest greatest tech, when it’s older than Jeffrey Epstein’s girls? Xen is so mainstream, it’s used by the very cloud companies who I’m screaming are fingerprinting you.

Summary: QubesOS

Half-solves CDN fingerprinting.
Tor/Mullvad Browser Defeats the Purpose.
JavaScript Restrictions Defeat the Purpose.
Wastes time, not a browser distro.
It doesn’t solve Cloudflare, it’s on Cloudflare.
Fails to solve CDN load speeds.
Fails to solve VPN centralization.
Fails to solve Tor exit IP blocks.
Fails to isolate VPN identities.
Fails to solve burn-out, it makes it worse.


The number one problem is burn-out from society’s overwhelming Big-Tech use, and NOT extremely unlikely security breakout risks. So anyone who recommends QubesOS over HydraVeil for fingerprinting and web browsing is outright negligent.


