Qubes OS. A System for Those Who Have Something to Protect.

You have probably read news about vulnerabilities, for example in office suites, where opening a document lets attackers gain access to the entire computer and all its documents, or in browsers, where visiting a malicious site gives a hacker access to the victim's device.

There are no safe corners; this is how macOS, Linux, Windows, iOS and Android get compromised, and dozens of such threats are discovered every year. Shortly before this article was written, a critical vulnerability was found in LibreOffice, an open-source alternative to Microsoft Office that is commonly believed to be more secure.

Each of us has valuable data that we want to protect. This could be drafts of a doctoral dissertation, access to the admin panel of a project, or intimate correspondence. You have surely thought that it would be good to somehow isolate important information from potentially dangerous activities.

A good option would be to have several devices: use one for browsing, another for working with documents, a third for storing files, and so on. This is called hardware isolation, and as you understand, it is only good in theory and is not very applicable in practice.

But can we isolate running processes in software? Yes, but it requires considerable skill in working with so-called containers and will be difficult for the average user. However, there is a ready-made solution: an open-source Linux-based operating system where process isolation is built into its core. It is called Qubes OS.

We have already told you about virtual machines: they are an effective mechanism for opening files and links, and even if a file or link turns out to be malicious, the main system will not face any problems, because the malicious software will not escape the boundaries of the virtual machine (although there can be exceptions).

Qubes OS is an operating system where you can create a virtual environment for each process or group of processes. Imagine: you have created one virtual machine for working with banks, while from another virtual machine you visit sites with questionable content. Even if you "catch" malware on the second machine, it will not be able to escape beyond that virtual machine and will never reach the virtual machine with banking sites and applications.
