Re: [qubes-users] XScreenSaver for dom0 pops up

2016-11-02 Thread Jean-Philippe Ouellet 
On Thu, Nov 3, 2016 at 12:50 AM, Andrew David Wong  wrote:
> So, the fact that you're allowed to see your screen content from yesterday 
> doesn't constitute any violation of the security model. You're still the same 
> trusted user as you were yesterday. (If I've misunderstood your concern, 
> please let me know.)

This is concerning from the perspective of one who expects a lock
screen to protect the confidentiality of your activities from
untrusted people who may temporarily have limited access to your
machine while it is locked.

But perhaps more seriously, if I understand the report correctly, this
also suggests to me the potential existence of some code path which
renders stale content from untrusted appvms in a full-screen
undecorated context? If that is true, and if it is reliably
triggerable from an appvm, then this would be a useful tool for one
attempting to trick a user with fake UI. This is purely theoretical,
and standard mitigations apply as normal (e.g. trusted window-manager
actions to differentiate true windows) but this still does cause some
concern.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_Bnez%3DCfW78d%2BDpASduCNQ3APrXP-b_D%2BMVii42tSUOfA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Your Battery is syping on you...

2016-11-02 Thread Andrew David Wong 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-02 15:46, Marek Marczykowski-Górecki wrote:
> On Wed, Nov 02, 2016 at 02:49:23PM -0700, '109384'019834'09128'340932189 
> wrote:
>> Hello,
> 
>> in Q the Firefox battery fingerprinting is enabled.
> 
>> https://blog.lukaszolejnik.com/battery-status-readout-as-a-privacy-risk/
> 
>> Manual you might disable it:
> 
>> 1. start Firefox
>> 2. open the URL about:config 
>> 3. scroll down to dom.battery.enabled and disable this feature
> 
>> It would be nice if the DispVM has running a Firefox, which don't support 
>> the fingerprinting (or even better, a real secure-browser...)
> 
> Whatever Firefox provides there, it has no access to actual (hardware)
> battery information.
> 

Furthermore, you should *not* expect privacy when using vanilla Firefox, even 
in a DispVM. For that, you should use Whonix.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYGsLrAAoJENtN07w5UDAw2t0QAMBA3lgsCzRlMaCjXIE2b6wN
kVG5ILojLp82bRMTf54PL5608CutuZ09EWkZJRx2H74Q46xj3U2SaOK3DXPqVH1w
YYBdkw7pE9wvzi8ixONO3iS44IX/MR6s8e9IQZ7YvQHNXz+KSHgt4QqUVzpy9Mj5
P7Lqkk1tk020DGFee/rwZHxUQFbMmlWh2QvwOTdKdDHjBxe4MQRC42RGj2FuF1u+
V9kKE2Tt61/roCNbRJVQigb1/wW8fl5DXr12MPZb5ov3i1HG6AMXGOh7GaXWmb/J
5BmiWmjsY0ysq2+1hVeKXN5OWrrHCOCF5fxjBsuiSbQNLJBc2vuEj+L/b3FkZYm2
6uWe8WXZ14PzqygfiOS2p+REhx9KT6YT2fbME09P7PWuWaxZfxLeU+iEi3/N3tnc
RlyEoOfogP/bOQGYTnK/+MAvuNbqbRUd23lrGiVtNE1oHiVddj+BrT1NRl2JVWEs
icJorJjMCVkeKnIyaA1SJ2o636Mvxo9bqBTsgUvXRMLfRQH2MgWo/ebnLX7EVLvV
/9JsHuM/pdj3XLR6zew3AZbq85r0S8ICwwgLAok8zFMbT9+eT2vAHmQUDRwkyjCP
KzWLSN/VZ4g5Yo+1iJMupfX0Qnydc1CR25nRqEv229JBEO/EOTqWcZVemnfsuNRw
In2pOaLu1M7M7u62n0P3
=LPBb
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7aab3e6e-516f-bf54-97f0-298cf894e7e7%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] XScreenSaver for dom0 pops up

2016-11-02 Thread Andrew David Wong 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-02 08:56, John Maher wrote:
> On Thursday, October 27, 2016 at 12:42:18 AM UTC-4, Andrew David Wong wrote:
> On 2016-10-26 15:53, Gaijin wrote:
 On 2016-10-26 13:38, John Maher wrote:
> On Wednesday, October 26, 2016 at 9:05:48 AM UTC-4, Gaijin wrote:
>> On 2016-10-26 12:43, John Maher wrote:
>>> I'm getting the strangest thing on my screen. I'll be working and the
>>> XScreenSaver dialog pops up (indicating the screen is locked) and the
>>> screen goes black. However, the screen is not locked. I have to move a
>>> window around to redraw my screen. This has always happened since I
>>> started using Qubes about 3 weeks ago. There appears to be no pattern
>>> that prompts this response. Bizarre! Any thoughts?
>>>
>>> Thanks.
>>>
>>> John
>>
>> Yeah. I had the same thing happen when I upgraded to R3.2 as well. I
>> asked the same thing but nobody replied.
>> https://groups.google.com/forum/#!topic/qubes-users/xjHi2TcYBAQ
>>
>> It still happens from time to time. Seems to happen less if I have a lot
>> of free memory. Closing down some memory hungry AppVMs seems to lessen
>> it, but I haven't been able to specifically replicate it.
>
> Interesting, because I think I have more than enough memory (32 GB). 
> Thanks.

 I've got 16GB myself. It's not that the memory is full, but it seems to 
 happen more when I have a lot of VMs open in one desktop. That may just be 
 a coincidence though.

 I'm glad to see it wasn't just me though. I never had this happen with 
 earlier versions of Qubes on the same hardware. Not sure if it might be 
 the XFCE or a video driver issue. (I've never installed the nVidia 
 drivers.)

> 
> Thank you both for reporting this. Gaijin, I'm sorry I missed your thread.
> 
> Just to confirm: Are you both using Xfce4?
> 
> Tracking the issue here:
> 
> https://github.com/QubesOS/qubes-issues/issues/2399
> 
> 
> Sorry for the delay in responding. I used the default install for 3.2.
> 
> I also just noticed that it appears that memory is not being purged when apps 
> are closed. Today when I "woke up" the screen from one of these odd screen 
> saver like issues, it very briefly displayed a browser window with a site I 
> was on yesterday. I looked carefully and confirmed that I did not actually 
> have that window open on my system. It's as if something from yesterday's 
> memory was sent to the screen and then closed. Rather disconcerting.
> 
> John
> 

I don't think that should necessarily be disconcerting. The Qubes security 
model does not include or rely upon purging memory at any particular time 
interval. It assumes that you, the authentic single user, should be the only 
one with access to dom0's screen content. So, the fact that you're allowed to 
see your screen content from yesterday doesn't constitute any violation of the 
security model. You're still the same trusted user as you were yesterday. (If 
I've misunderstood your concern, please let me know.)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYGsH3AAoJENtN07w5UDAwKtIP/2vblyc4Rf9uwU3M+WGv2K7V
T7VoTDfGjB8XWyX6LZW/TrtameFmAj/Rb0bINOrIWpkrP9RdNUm+0/BR10NkcLul
FqaxMOcl2u2Tk775VjYtC+Z7y1ycJDQjaMvtqrdDQkeGhMumzcDOHD9RufTFSIRm
8ke7GxfMQBH7R0DJ5E26B7HZJg73k1RKFT5BbpmKrfHxBBEaJTUALeNFZnp2ekl+
HrRV4u8+T/Tbwzha5e/iTvJEVTMcMxzD4uziaN+TfiK2Iwp40w0W8IdmRjPzdkLI
+PDhAfjpQCEcZIPT/V+u6GsMhUDJo5ABPs/as17YY4b8VMwm9F7/J2Oo6nfwl/Rh
gOnwVLFQKUtq3iaNbORDzAjBSEny6wYKlfvpL3IWGAHhH0mbP5j1ivSJoF+navuD
qPMvMyAuhFh7hSsTPJ0CTMrDZYTGVlSryLrvXUwl5Lf6zplXRxO6uGu3ruUnepxR
9izVXApPBv/Cc41G3wrCUGN3deE1OpzNSxhQS+NK4B3kJSGAm4+Zi/F/B8yiR6Lt
L/DiLI04X1LZ/XW+ZrKKiQbqVKAzeDqkDPW1D4POEckQnEfPqMcc32LzQVf6ORvX
Xzjn+UhUcdTzINAuISwYeBdvBTk6Wk80T80nChZJdnSdWi6klvbcof96UNdD3sja
swBLAb3aU4hobRxFAcL7
=Fv0E
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9c29437d-e257-e0a1-7c24-13fb8e5f5dac%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] HCL - Lenovo x260

2016-11-02 Thread Myron Weber 
-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d7227afc-3a56-492d-bce8-01f9fdf1d643%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-LENOVO-20F6CTO1WW-20161102-203013.yml
Description: Binary data

Re: [qubes-users] Special (Secure) Browser Frontend for Qubes?!

2016-11-02 Thread Chris Laprise 

On 11/02/2016 01:38 PM, mara.kuens...@gmail.com wrote:

And that's why you can use many appVMs in the first place. You share the

But that is not the point. First of all, unless your life depends on it, it 
will be very unlikely that you are actually paying enough attention to where 
you use which identity.


On this point, the fact that you are entering your username+password on 
the website (because the "wrong" VM you're using doesn't have that 
cookie/ID on file) should be a strong cue that you may be in the wrong 
VM. Plus, Qubes is constantly displaying the VM name at the top of the 
window... you should be checking it whenever you start a new activity.


OTOH, robust whitelisting (taking third-party sites into account) in 
general would be a nice feature to have. But I'm thinking this needs to 
be a browser-level feature, not OS-level, because the problem is mostly 
specific to web browsing.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/18bae3eb-1839-0454-5c44-cc83a8bfced7%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Your Battery is syping on you...

2016-11-02 Thread Marek Marczykowski-Górecki 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Nov 02, 2016 at 02:49:23PM -0700, '109384'019834'09128'340932189 wrote:
> Hello,
> 
> in Q the Firefox battery fingerprinting is enabled.
> 
> https://blog.lukaszolejnik.com/battery-status-readout-as-a-privacy-risk/
> 
> Manual you might disable it:
> 
> 1. start Firefox
> 2. open the URL about:config 
> 3. scroll down to dom.battery.enabled and disable this feature
> 
> It would be nice if the DispVM has running a Firefox, which don't support the 
> fingerprinting (or even better, a real secure-browser...)

Whatever Firefox provides there, it has no access to actual (hardware)
battery information.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYGmzEAAoJENuP0xzK19csDN4H+QG4jQFTZ5wYQR1o0Cx3mQOl
ffntx7o5ak4to29M476mLz3OxK8cNmtb9S9ZjfPN8lQ8XY5f5wILdFXkTCmoyJND
hPAjCLhARdCHtJ4Q5a0ulSkzZ1k0X/89Mmbk8YgVl11PDod/Q3D0whDu2Mqlofgj
++m40KV+ju2E+LmHkwtR4abC5G9kPq8+8nvnxCsD0PdPhTdBCeb0cpRNZCg9LYCR
FTLIAeZYZhBrlmuk7DKK9TbMeaZEBUmbJlBg87EHSFlkd7G+LhXoBxBruRHeMaVI
Og9ecbny7w8nkZBfgI7qY+mbZlrjEaUols7/xyvm+XIB1LBEiEyi7Bvp7FJXQnw=
=MfmD
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161102224625.GT7073%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Your Battery is syping on you...

2016-11-02 Thread '109384'019834'09128'340932189 
Hello,

in Q the Firefox battery fingerprinting is enabled.

https://blog.lukaszolejnik.com/battery-status-readout-as-a-privacy-risk/

Manual you might disable it:

1. start Firefox
2. open the URL about:config 
3. scroll down to dom.battery.enabled and disable this feature

It would be nice if the DispVM has running a Firefox, which don't support the 
fingerprinting (or even better, a real secure-browser...)

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3fd3757b-10bc-4d50-aa83-eedf1f95c2ee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Wine start program via nautilus/filemanager?

2016-11-02 Thread p0918'3204918'023948'1092438019 
Hello,

yes it works, I must just install nautilus:

sudo apt-get update
sudo apt-get install nautilus-open-terminal

nautilus

I can move to .wine/Program Files and execute the *.exe via the right Mouse 
context menu.

Can I show the Windows Icons on the Q-Desktop, so I can launch the Windows Apps 
more seamlessly like on a windows desktop?

Great would be, if all the windows icons are collected inside one of the 4 
Linux Dektop Screens (so the Linux don't looks to much messed up).

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d182ba06-581e-4af5-abb6-72f10e45589c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Wine start program via nautilus/filemanager?

2016-11-02 Thread kersten . vogel 
Hello,

yes it works, I must just install nautilus:

sudo apt-get update
sudo apt-get install nautilus-open-terminal

nautilus

I can move to .wine/Program Files and execute the *.exe via the right Mouse 
context menu.

Can I show the Windows Icons on the Q-Desktop, so I can launch the Windows Apps 
more seamlessly like on a windows desktop?

Great would be, if all the windows icons are collected inside one of the 4 
Linux Dektop Screens (so the Linux don't looks to much messed up).

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8be8d841-94d5-4339-a40c-572a01d3f544%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] D8 Wine Kleopatra?

2016-11-02 Thread Torsten Grote 
On 11/02/2016 07:03 PM, 08173'204918'023948'1092438098 wrote:
> I could install Kleopatra, but it will not start.

`sudo dnf install kleopatra` should work without wine.

Kind Regards,
Torsten

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/df24294c-267a-0ad2-8f55-2d832d59647d%40grobox.de.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] D8 Wine Kleopatra?

2016-11-02 Thread 08173'204918'023948'1092438098 
Hello,

to generate some certificates Kleopatra (e.g. a Frontend for GPG, S/MIME 
certificates) has a much better usability than the OpenSSL command line toolkit.

Under Knoppix Kleopatra is running fine...

How can I install and run Kleopatra with Wine inside a D8 VM?

https://www.gpg4win.org/get-gpg4win.html

I could install Kleopatra, but it will not start.

What must I do?

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f11cfd51-8fcc-43a4-99f7-a34e2701e418%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Mouse Wheel crashes the Screens...

2016-11-02 Thread 1'03948'1092438'01943'809143 
Looks similar ...

https://groups.google.com/forum/#!topic/qubes-users/X8olk-wSlxM

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f5c6e171-ff74-4803-91f7-d90ba1ad30c8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Mouse Wheel crashes the Screens...

2016-11-02 Thread '091834'09183'409183'409184'0398 
Hello,

I have 2 HD TFT under Q32 and if I touch the mouse-wheel many parts of the 
screen turn black. Sometimes it looks like the logon-screen, if Q is in the 
sleep modus.

If I move the wheel on different black parts of the screen, that the screens 
wake up again. And I always must do it on both screens.

The mouse is just a very old wired one, nothing high tech...

How I can switch off this disturbing feature?

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e3e25398-c2c5-4202-9702-ee5e8e76ec02%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Wine start program via nautilus/filemanager?

2016-11-02 Thread 14378'109438'091384'093184098 
Hello,

I installed wine in a D8 VM...

sudo dpkg --add-architecture i386

sudo apt-get update

sudo apt-get install wine32

dom0
sudo qvm-sync-appmenus vmname

cd /notetab

I can start NotTab7 via:

wine NoteTab.exe

Here with this Wine-Tutorial it is shown that normally I can start some *.exe 
just via a right mouse click, start with wine, inside nautilus.

https://www.linux.com/learn/how-install-and-use-wine-run-windows-applications-linux

What I must do, that it works also inside a QVM?

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7d0d9827-02bb-45c9-8361-792d4da76cfd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Special (Secure) Browser Frontend for Qubes?!

2016-11-02 Thread mara . kuenster 
> Does your proposal really harden agains a real threat, or is it
> something that should be done only because it could be done?
> 
> Btw, thank you for taking the time to write us your proposal and
> replying to our e-mails.

Well honestly "proposal" is probably too much credit for the time I spent on it 
so far and I mainly wanted to probe for the idea more. I think I am going to 
write a true proposal that can actually be reviewed and your input definitely 
helps to guide that effort, which is also why I asked that question in the 
first place.

And I am not actually sure I will address a threat model, since it doesn't 
really do more than you can do manually. It is really more about regaining the 
convenience while maximizing the additional privacy and security Qubes OS 
technically provides, you see... But I agree that it is required to be much 
more specific and clear but I can't do that so quickly in a mail, so I will 
take this conversation and address the issues raised in a more structured 
manner ^^.

Thanks & Cheers

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4c300108-99c2-46db-b68d-981ce97cea1b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Special (Secure) Browser Frontend for Qubes?!

2016-11-02 Thread Alex 
On 11/02/2016 06:38 PM, mara.kuens...@gmail.com wrote:
> [...]
>> to one another (i.e. amazon does not ask facebook for your info,
>> nor does this happen the other way around)
> 
> Um, that is a bold statement, do you have any data to back that up?
> Maybe Amazon indeed doesn't talk to Facebook (yet), but no one is
> stopping them either. Facebook definitely has an interest to read
> your Amazon visits because this way they can link your true identity
> to your fake profile... for instance.
And that's exactly why they spam their single-sign-on solution
everywhere, and that's why I don't like to use it. Otherwise, beyond
compromising each and every client computer, I don't see how a
big-ass-company could pose the threat you try to shield against.

> [..let's skip the branded identity thing..]
>> TL;DR: first, do you really actually need to separate each and
>> every identity you use? second, once you realize that many
>> identities can co-exist (and indeed, sometimes you would like this
>> to happen) do you
> 
> What do you mean by "co-exist"? If I use them at the same time in the
> same browser/VM I might as well just use one single identity because
> there is no way to know if either of them wasn't compromised or
> linked in ways I didn't want. I don't see how identities can co-exist
> (I am also not talking about sign-in data, I am talking about fake
> "me"'s, fake people so to speak who consume services to protect the
> real identity; I simply see no use case of why you ever want to share
> identities within the same AppVM or browser/site).
Still, your threat model has not been fully described. Let me clarify:
you are saying "there may exist a site which, compromising my AppVM,
gains intelligence on my identity on other sites". Which is a nice
assumption, and as me and Simon said, is exactly the meaning of AppVMs:
isolating failure. If I'm using a "dangerous" site or clicking a
"dangerous" link, I'd better use a different AppVM to make sure that any
malware infections I may encounter don't steal any sensitive data.

But then you propose to go full-nuclear on this threat model, arguing
that "every appvm is compromised" and "every website is malicious",
which I think are a little stretched tinfoil-hat assumptions.

While your proposal can technically be done, this does not automatically
create neither a threat model that fits the defense nor a compelling
reason to implement that.

Somebody, earlier this year, suggested to encrypt the image file of the
virtual hard disks of any AppVM; while this can technically be done, he
failed to provide a sound threat model this proposal would shield
against, because dom0 cannot be "telepiloted" into doing anything,
lacking networking, and having a standalone agent that does that many
things, with all the possible variables, is really really hard (and then
you have the cheaper thermorectal cryptanalysis). He did not account for
increased slowdown, which can already be felt with many AppVMs open
without single-machine encryption, and ultimately his proposal did not
gain traction.

I'd like you to reconsider your submission, better describing the threat
model you have in mind, so we (casual readers) can better understand why
we should sponsor your proposal.

Last, reading your answer to Simon's e-mail, I feel that a reasonable
incarnation for your threat model could be aggressive online
advertising; and I'm sorry to inform you that your proposal would not
protect against that, unless one uses a different TOR circuit for each
"dom0 browser tab", since big ad networks already track users without
any assumptions on the client, but by approximate ip geolocation, time
fingerprinting (both latency and time-of-day), and other techniques that
don't necessarily rely on client cooperation.

Does your proposal really harden agains a real threat, or is it
something that should be done only because it could be done?

Btw, thank you for taking the time to write us your proposal and
replying to our e-mails.

-- 
Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5398b074-1ad6-f7da-636c-c6510b2a132c%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Display Calibration and Audio Equalizer for Dom0 ?

2016-11-02 Thread Marek Marczykowski-Górecki 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Nov 02, 2016 at 05:55:37PM +0100, Zrubi wrote:
> On 10/28/2016 01:19 PM, Zrubi wrote:
> > On 09/03/2016 12:49 AM, Connor Page wrote:
> >> I have calibrated my yellow screen using argyllcms. 
> >> I don't attach usb devices to dom0 so installed it in sys-usb as well. 
> >> used 
> >> https://encrypted.pcode.nl/blog/2013/11/24/display-color-profiling-on-linux/
> >>  as a rough guide. 
> >> to get the calibration done you just need to run dispcal and then transfer 
> >> the calibration file to dom0.
> >> then test it with "dispwin xxx.cal" in dom0. if happy, create an autostart 
> >> item with that command (probably,
> >> using the full path to the calibration file) and you're done.
> > 
> > I just started to experiment with display color correction things.
> > 
> > I wonder how it is workig in Qubes because as far as i know:
> > 
> > - the display profile is used only the programs are aware of icc profiles.
> > 
> > - the X server runs in dom0, the apps are in AppVMs - but no
> > communication about display prifiles (colord) because of the qubes gui
> > protocol.
> > 
> 
> @Marek:
> Do you have any idea what to look for in order to be able to calibrate
> my screen under Qubes?

I have no idea how such software works... Especially at which stage
calibration is applied. Is it something that application does
"internally", or adjust display driver options?

> What I already tried:
> 
> - the standard gnome color management tools runned in (sys-usb)
> But it is complaining that there is no display to calibrate.
> 
> running the same calibration software directly complains about there is
> no colord available (masked)

Try unmasking colord (systemctl unmask should do).

> (gcm-calibrate:1459): Gcm-WARNING **: failed to connect to colord: Error
> calling StartServiceByName for org.freedesktop.ColorManager:
> GDBus.Error:org.freedesktop.systemd1.UnitMasked: Unit colord.service is
> masked.
> 
> 
> 
> - diplayCal is happy with the dummy display seen by the AppVM, and do
> not depend on colord - but it fails on some X calls(?)
> 
> Debug: window wxComboBox(0x561c58c3a230, ) lost focus even though it
> didn't have it
> X Error of failed request:  BadMatch (invalid parameter attributes)
>   Major opcode of failed request:  42 (X_SetInputFocus)

Strange...

> Or I should connect the calibration device to dom0 and start the
> calibration from dom0?
> (Also noted that there is no colord running, so I may have to apply the
> profile viea diplaycal cli)
> 
> 
> Thanks.
> 
> 




- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYGjA2AAoJENuP0xzK19csta0H/3gzSmBCwRg/XRsUl+R0LDLU
0BA9pOHVDYzVL4pcSeqkmV3fr1WghRaBM6x6qQ/YjNDD3UJTCqg0RlKgBg6Rb1Z2
8GKQIb8ydwH6CbFOaHjzESx7ltE3yQ/E6X2v9EgZj4XDIDA0qLRFl4M+h7TWk/Kh
e5wup2M6R7o3jPofMlZJi2F8uIp5W3wMGZWBE+4ImLWKjmXrTNNh1u4/eOOHfi3K
j3rkvqyzPmXs1j9LttHoizm2rDljKOYFe5Yj976WmXwA441ZdJFb57APWnruLRh1
Z1dJ/fKuwcmUW/Ch1cZqgIA57bv7dkcrByUUk/1bcvWBRM8OzNRx4WISQ//NyVw=
=8E8F
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161102182803.GQ7073%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Special (Secure) Browser Frontend for Qubes?!

2016-11-02 Thread mara . kuenster 
Hi Simon,

> several AppVMs, each one dedicated to a different activity, or as I 
> prefer to refer it myself: to different sensitivity levels.

See my reply to Alex, maybe that explains why this is exactly what I was 
talking about ;).

> - You may have a dedicated Firefox instance still having the infamous 
> Flash plugin installed when you need to access some websites requiring 

Yes but this could and would be all included in this dom0 browser interface.

> - Use (X)KeePass in a separated, isolated and dedicated AppVM. I suggest 
> you to create a "Web" or "Firefox" group, and then create a different 

I am using UNIX pass, but it has the same flaw. If you copy passwords this way 
they won't automatically get purged from the AppVM, which under the assumption 
that any AppVM is completely compromised at all times, is not much of a big 
deal, but still it would be nicer if the password was cleared or even better 
never copied to the clipboard...

Which is why my idea would be to host Mozilla Sync Service in each AppVM and 
the let the dom0 browser fill this Sync Server with the passwords belonging to 
the corresponding identity... 
 
> website: you will *not* open this link in the same AppVM but instead 
> copy/paste it in your "Random surf" AppVM. Would this site be malicious 

Yes but people WILL click the link. It's not a sane assumption to make. Besides 
it is incredibly annoying to operate this way. I am not some prime target of 
the NSA ^^, and I doubt many of the people using qubes will be... So you want 
to be safe, but you still want the convenience... The right way is to block the 
link, unless it refers to a white-listed domain for this identity. Or even 
better, pipe it back to dom0 and open it in a new tab & AppVM under the right 
identity... (this kind of integration is what I am proposing)

> password database is to first hack the forum, and use it as a pivot to 
> then be able to hack your computer and get access to your file system. 

How he does it is basically immaterial to me as I assume that all AppVMs are 
evil all the time. The point is to separate them properly so only one identity 
gets compromised. I want to add that it is generally unlikely that a disposable 
AppVM with the right configuration will actually be compromised, but it helps 
to assume them to be to get a better picture of the impact it would have and to 
minimize that impact.

> (https://addons.mozilla.org/en-US/firefox/addon/secure-login/) so 
> Firefox does not dumbly automatically fill any password field without 

Yes this looks good.

> like uMatrix or NoScript which allow to better control third-party 

Thanks for uMatrix, I didn't know that one. But yes this is pretty much what I 
imagined also to happen, just in dom0 (which is more trustworthy to me), not in 
an AppVM.

> It *may* be possible to implement a way to handle different AppVM in 
> different tabs instead of different windows, but I'm not sure to see any 
> real advantage of this.

The advantage is the same as going back to IE6 times when each tab was its own 
window and having windows with several tabs in addition to this madness. I 
don't see how you can not see the advantage of having all browser tabs over all 
AppVMs organized in a dom0 browser interface as tabs in comparison to having 
tons of floating windows with sub-tabs each ;).

> instance, personally I set it to not display reduced windows in the 
> Alt-Tab menu, so I can focus on the window I am currently working with.

I don't think any of those suggestions really helps with the problem. All in 
all I think Qubes OS in general lacks a good UI for what it is doing, but I 
also understand that you have to start somewhere. But in the end the way Qubes 
does AppVM and identity management at the moment is truly terrible, but it 
works. All I want to do is to come up with a plan to improve it ^^.

> be useful to have them volatile on a day-to-day basis, and turn them 
> non-volatile only to update Firefox's modules or save a change in its 

I think the Mozilla Sync Server could be of help here...

> To be honest I did never investigated this, I'm not sure what the 
> concrete threats there are. 

Are you so sure that your AppVM doesn't have an unique fingerprint that 
potentially could be exposed via a malicious website, browser extension or the 
browser? In that case, even using the same base template for disposable VMs 
could be a privacy disaster (I am not sure Qubes OS has taken any steps, like 
maybe "Tails", to actually mitigate fingerprinting in disposable VMs)

On top of that have you ever tried to use Panopticlick? Even tails gets more or 
less uniquely fingerprinted primarily via the non-standard browser window size 
when it is maximized and also because it seems to apply some uncommon browser 
settings that maybe only tail users have...

> UUID you really should just use the same UUID as a lot of other people 

That requires you to know the UUID, also UUID was more a token for

Re: [qubes-users] Special (Secure) Browser Frontend for Qubes?!

2016-11-02 Thread mara . kuenster 
> And that's why you can use many appVMs in the first place. You share the

But that is not the point. First of all, unless your life depends on it, it 
will be very unlikely that you are actually paying enough attention to where 
you use which identity. A click on the wrong link can already screw it up 
because then site X read the tracking data placed on site Y and site X 
shouldn't know about what you were doing with Y... So you need some sort of 
white-listing to technically prevent those mistakes. Yes this can be done in 
different AppVMs and that is exactly what I am proposing here. It's about 
making what you describe much more convenient without a single drawback in 
security.

> There's little actual reason to use a hard-separate identity for each
> and every web service you visit; first because they don't usually talk


> to one another (i.e. amazon does not ask facebook for your info, nor
> does this happen the other way around) 

Um, that is a bold statement, do you have any data to back that up? Maybe 
Amazon indeed doesn't talk to Facebook (yet), but no one is stopping them 
either. Facebook definitely has an interest to read your Amazon visits because 
this way they can link your true identity to your fake profile... for instance.

> are, in fact, the very same entity (fb and whatsapp, gmail and youtube).

True, and for those you will want to use the same identity (it get's 
complicated quite quickly which is why I am proposing to aid the user with this 
chore).

> Third because you usually want to present a "brand" identity of yourself
> around the web. Think of your personal blog or github account presented
> on your linkedin profile: this is a reinforcement of your "brand"
> identity, so you would like to share the connection between your github
> and your linkedin identities.

Maybe, but here we have the same issue again. I have other things in my head 
than trying to remember which sites shares what data with whom and which 
idenity I have to use where and which AppVM to start for it, it's just 
insane... This needs to be much simpler.

> And that's actually the point why I'm replying to your e-mail; this is
> an idea as bad as it gets. The main reason why dom0 does not have
> networking, and should not have, is to prevent exposing data on *all* of
> the VM at once. As a side effect of this, the less software there is on
> dom0 the better.

I think you entirely misunderstand my proposal or maybe I wasn't clear enough. 
My proposed "dom0" browser has no network at all. In fact, it can't do anything 
you couldn't do manually already. The point is to automate it. This dom0 
browser frontend will know which identity belongs to which domain and which 
AppVM should be used for each identity and what your passwords & cookies were. 
It also feeds this data to each AppVm on startup so they can completely be 
disposable... The "real" browsers still run in AppVMs.

> TL;DR: first, do you really actually need to separate each and every
> identity you use? second, once you realize that many identities can
> co-exist (and indeed, sometimes you would like this to happen) do you

What do you mean by "co-exist"? If I use them at the same time in the same 
browser/VM I might as well just use one single identity because there is no way 
to know if either of them wasn't compromised or linked in ways I didn't want. I 
don't see how identities can co-exist (I am also not talking about sign-in 
data, I am talking about fake "me"'s, fake people so to speak who consume 
services to protect the real identity; I simply see no use case of why you ever 
want to share identities within the same AppVM or browser/site).

> really need that many isolated VMs? third, why would you need to move
> this complexity in dom0?

Because dom0 is the only place where this can meaningfully exist. Think of it 
as a different way of organizing the AppVM windows (not in the XCFE panel's, 
but instead as real tabs in a dom0 browser) and a lot of infrastructure code to 
help you with identity management.

Cheers

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1f43fe6b-39dc-4898-ba5b-b066c4e1be84%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Display Calibration and Audio Equalizer for Dom0 ?

2016-11-02 Thread Zrubi 
On 10/28/2016 01:19 PM, Zrubi wrote:
> On 09/03/2016 12:49 AM, Connor Page wrote:
>> I have calibrated my yellow screen using argyllcms. 
>> I don't attach usb devices to dom0 so installed it in sys-usb as well. 
>> used 
>> https://encrypted.pcode.nl/blog/2013/11/24/display-color-profiling-on-linux/ 
>> as a rough guide. 
>> to get the calibration done you just need to run dispcal and then transfer 
>> the calibration file to dom0.
>> then test it with "dispwin xxx.cal" in dom0. if happy, create an autostart 
>> item with that command (probably,
>> using the full path to the calibration file) and you're done.
> 
> I just started to experiment with display color correction things.
> 
> I wonder how it is workig in Qubes because as far as i know:
> 
> - the display profile is used only the programs are aware of icc profiles.
> 
> - the X server runs in dom0, the apps are in AppVMs - but no
> communication about display prifiles (colord) because of the qubes gui
> protocol.
> 

@Marek:
Do you have any idea what to look for in order to be able to calibrate
my screen under Qubes?

What I already tried:

- the standard gnome color management tools runned in (sys-usb)
But it is complaining that there is no display to calibrate.

running the same calibration software directly complains about there is
no colord available (masked)

(gcm-calibrate:1459): Gcm-WARNING **: failed to connect to colord: Error
calling StartServiceByName for org.freedesktop.ColorManager:
GDBus.Error:org.freedesktop.systemd1.UnitMasked: Unit colord.service is
masked.



- diplayCal is happy with the dummy display seen by the AppVM, and do
not depend on colord - but it fails on some X calls(?)

Debug: window wxComboBox(0x561c58c3a230, ) lost focus even though it
didn't have it
X Error of failed request:  BadMatch (invalid parameter attributes)
  Major opcode of failed request:  42 (X_SetInputFocus)



Or I should connect the calibration device to dom0 and start the
calibration from dom0?
(Also noted that there is no colord running, so I may have to apply the
profile viea diplaycal cli)


Thanks.


-- 
Zrubi

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e9c23f28-57a0-e380-2a71-781795825e8c%40zrubi.hu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] XScreenSaver for dom0 pops up

2016-11-02 Thread John Maher 
On Thursday, October 27, 2016 at 12:42:18 AM UTC-4, Andrew David Wong wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2016-10-26 15:53, Gaijin wrote:
> > On 2016-10-26 13:38, John Maher wrote:
> >> On Wednesday, October 26, 2016 at 9:05:48 AM UTC-4, Gaijin wrote:
> >>> On 2016-10-26 12:43, John Maher wrote:
> >>> > I'm getting the strangest thing on my screen. I'll be working and the
> >>> > XScreenSaver dialog pops up (indicating the screen is locked) and the
> >>> > screen goes black. However, the screen is not locked. I have to move a
> >>> > window around to redraw my screen. This has always happened since I
> >>> > started using Qubes about 3 weeks ago. There appears to be no pattern
> >>> > that prompts this response. Bizarre! Any thoughts?
> >>> >
> >>> > Thanks.
> >>> >
> >>> > John
> >>>
> >>> Yeah. I had the same thing happen when I upgraded to R3.2 as well. I
> >>> asked the same thing but nobody replied.
> >>> https://groups.google.com/forum/#!topic/qubes-users/xjHi2TcYBAQ
> >>>
> >>> It still happens from time to time. Seems to happen less if I have a lot
> >>> of free memory. Closing down some memory hungry AppVMs seems to lessen
> >>> it, but I haven't been able to specifically replicate it.
> >>
> >> Interesting, because I think I have more than enough memory (32 GB). 
> >> Thanks.
> > 
> > I've got 16GB myself. It's not that the memory is full, but it seems to 
> > happen more when I have a lot of VMs open in one desktop. That may just be 
> > a coincidence though.
> > 
> > I'm glad to see it wasn't just me though. I never had this happen with 
> > earlier versions of Qubes on the same hardware. Not sure if it might be the 
> > XFCE or a video driver issue. (I've never installed the nVidia drivers.)
> > 
> 
> Thank you both for reporting this. Gaijin, I'm sorry I missed your thread.
> 
> Just to confirm: Are you both using Xfce4?
> 
> Tracking the issue here:
> 
> https://github.com/QubesOS/qubes-issues/issues/2399
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -BEGIN PGP SIGNATURE-
> 
> iQIcBAEBCgAGBQJYEYWaAAoJENtN07w5UDAwvq8P/1hFm/owsEasSXroxzK9JnTn
> DSBZ9udjO+TWQypb4Hh4RO48MtJnQhKfdgJJWWJwf9dTp62LUBkVWskKDtvOfyo+
> aoVFGRBexb7yzRT90kBsjHiVPeysA4bTBftQZEZzTQBz/UzRzMkcBWj7/vbYrTkL
> zeG42ZCuM75jzOv2dhrG2TeP+OlTfdnFIyFQFmdaRJyHTOBtf7Mjauuj4gFEiKNr
> ztMO4jE/kn+/E79cGu33VfrxITmiH7Z5tqZQuAS0Mud9YnBuCDumIugPuSleV3IL
> xARHjYjui+yPOzB66yZiDlQhTMRaEhEEQVR6UWMU+SC/nec+dTpWq/b7EgktXdud
> NpJr+jIDfaoNdVBtDFIXRBo6vbR05dtWQFfLIeewGIhIC9VwLJSwEW2TvCTWFOcO
> kXWV4xsg1xAJNbNBm9V42yZ6M1P+ClXlAcJYPVqrk+xisLtlWAweqT4yKw3zq5HW
> rlgkLYoNAjU3ZvTHYa/2JtyQZKbUUw+ck8nRRuLUp0jqM/2TlZfQ7tmfsfb5z1HS
> mzNe6UHhg5ZtoV0HKbyMIWa5ePVZaMJCkhNOMAuAQ9QBpJgqE7dWZx28S5eqnAno
> WTFQI9nT6JCQz7YvmIkrxQDCUmG5JQqZlqIXArRS0WNjAzNMraKBsWeHTOqha4he
> HiI1LB04rOraNysdPTpj
> =MANy
> -END PGP SIGNATURE-

Sorry for the delay in responding. I used the default install for 3.2.

I also just noticed that it appears that memory is not being purged when apps 
are closed. Today when I "woke up" the screen from one of these odd screen 
saver like issues, it very briefly displayed a browser window with a site I was 
on yesterday. I looked carefully and confirmed that I did not actually have 
that window open on my system. It's as if something from yesterday's memory was 
sent to the screen and then closed. Rather disconcerting.

John

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/196229af-8c96-463f-9918-bae76a454d57%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Trying to do an in-place upgrade from 3.1.17 to 3.2

2016-11-02 Thread Richard 
On Sunday, October 30, 2016 at 12:00:08 PM UTC-5, Richard wrote:
> I'm trying to upgrade my Qubes 3.1.17 to 3.2  I've followed the steps 
> outlined here: https://www.qubes-os.org/doc/upgrade-to-r3.2/  However, when I 
> run...
> 
>sudo qubes-dom0-update --releasever=3.2 qubes-release
> 
>   I receive:
>   Loaded plugins: yum-qubes-hooks
>   Nothing to do
>   No packages downloaded
>   file:///var/lib/qubes/updates/repodata/repomd.xml: [Errno 14] 
> curl#37 - "Couldn't open file /var/lib/qubes/updates/repodata/repomd.xml"
>   Trying other mirror.
>   Nothing to do
> 
> So of course running... sudo qubes-dom0-update --clean also provides a 
> similar error:
> 
>   Errno 14] curl#7 - "Failed to connect to pubmirror1.math.uh.edu port 
> 443: No route to host" 
>   Trying other mirror.
>   No new updates available
>   No updates avaliable 
> 
> Is anybody able to advise me what I need to do to be able to do an in-place 
> upgrade to 3.2?
> 
> Thanks,
> Richard

Just wondering if anyone has any ideas as I would really like to do an in-place 
upgrade to 3.2.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4599dae8-a2a4-460a-a09d-9a9b0ec1a132%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Special (Secure) Browser Frontend for Qubes?!

2016-11-02 Thread Simon 

mara.kuens...@gmail.com wrote:

Not only do you have to assume that all sites you visit within the
 same VM knows everything you did in there, but also you have to
assume they know all the passwords for all the other sites you visit
there and basically have full control over that VM
[...]

I think what would solve this dilemma is a custom dom0 browser layer.
The way this can work is as follows:


Hi Mara,

While I agree with you on your assumptions, I completely disagree on 
your conclusion. What should actually solve this dilemma is to use 
several AppVMs, each one dedicated to a different activity, or as I 
prefer to refer it myself: to different sensitivity levels.


This way indeed, you can consider that a website at some sensitivity 
level may have access to full information belonging to this same 
sensitivity level, but if you design this correctly this should not be a 
major issue.


So, first make a list of your different on-line activities and the 
sensitivity of information stored / transmitted in each cases (if you 
need some ideas, there was a very interesting article from Joanna 
describing the process: you should quickly find and recognize it thanks 
to the spaghetti-like diagram it contains ;) ).


Then, you may want to apply different setups to Firefox depending on the 
needs and the trust level.


For instance:

- You may want to apply maximum paranoia on your random surf AppVM,

- You may want to be a bit more permissive in your shopping AppVM so 
NoScript will not break a payment process right in the middle, leaving 
you uncertain about how many times you will be charged.


- You may have a dedicated Firefox instance still having the infamous 
Flash plugin installed when you need to access some websites requiring 
it.


- Etc.

Decide how you may want to store your logins and passwords. Here are two 
possible solutions, but there are other ones of course:


- Use (X)KeePass in a separated, isolated and dedicated AppVM. I suggest 
you to create a "Web" or "Firefox" group, and then create a different 
sub-group for each of you AppVM so everything stays clean and organized.


- Use Firefox integrated password management.

  Before you scream, do not forget that all activity in this Firefox 
will be limited to the same sensitivity level. For instance, you are in 
your "Public forums" AppVM, someone posts a link to a third-party 
website: you will *not* open this link in the same AppVM but instead 
copy/paste it in your "Random surf" AppVM. Would this site be malicious 
and steal your password database, it would miserably fail (without 
mentioning Firefox "paranoid" settings in this AppVM).


  The only way for someone to actually gets its hand on your Firefox 
password database is to first hack the forum, and use it as a pivot to 
then be able to hack your computer and get access to your file system. 
At this point, installing a keylogger or a malicious Firefox extension 
becomes just trivial, so avoiding to use Firefox password store will be 
of no help and if you design your AppVMs correctly then all the efforts 
deployed by the attacker will be done quite in vain since he will not 
actually gain any new valuable information.


  If you use Firefox password management, I would however still 
recommend you to use the Secure Login extension 
(https://addons.mozilla.org/en-US/firefox/addon/secure-login/) so 
Firefox does not dumbly automatically fill any password field without 
requiring any human intervention (I find it a shame it still acts this 
way by default): this prevents you against online stealing of your 
password store content and require the attacker to either exploit the 
browser or get his hands on your file system.


The two are not exclusive. Actually, if you use Firefox password store 
(and I find it really more convenient than doing a dozen Ctrl-Shift 
thing each morning just to identify myself on random public websites, 
but YMMV), I would strongly recommend to keep at least a backup of these 
passwords in some password safe like (X)KeePass.


There are still a some other points you mention in your bullets I did 
not addressed until now:



* Trying to visit a non-white-listed website


Basically, you are responsible of what you do with your own computer. 
There are several Firefox modules (plus Qubes' firewall) which should 
help you to ensure that you do not use an AppVM from a certain 
sensitivity level to access websites belonging to other ones. Modules 
like uMatrix or NoScript which allow to better control third-party 
requests seem like a must here.



* You always use a new VM for each tab


It *may* be possible to implement a way to handle different AppVM in 
different tabs instead of different windows, but I'm not sure to see any 
real advantage of this.


If you have too many windows opened (which indeed happens very quickly 
with Qubes), do not hesitate to use your windows manager feature to 
handle them:


- Assign specific activities to your workspaces (or

Re: [qubes-users] Special (Secure) Browser Frontend for Qubes?!

2016-11-02 Thread Alex 
On 11/01/2016 11:02 PM, mara.kuens...@gmail.com wrote:
> Hi,
>
> I am using Qubes daily for a while now. One thing I think is really
> missing is some sort of identity management. This is most visible
> when browsing. You shop something on Amazon, then go to check some
> Facebook updates and look at WhatsApp. Then you browse Hacker News
> click on this link and that link, end up on Wikileaks by accident
> then look at which club to visit in the evening... Yes this is shit.
>
And that's why you can use many appVMs in the first place. You share the
same identity on the same AppVM, and then you can create another in
another AppVM. If the identity can be discarded safely, then you can use
a DispVM.

There's little actual reason to use a hard-separate identity for each
and every web service you visit; first because they don't usually talk
to one another (i.e. amazon does not ask facebook for your info, nor
does this happen the other way around) and second because many of them
are, in fact, the very same entity (fb and whatsapp, gmail and youtube).
Third because you usually want to present a "brand" identity of yourself
around the web. Think of your personal blog or github account presented
on your linkedin profile: this is a reinforcement of your "brand"
identity, so you would like to share the connection between your github
and your linkedin identities.

> But convenience often wins over security/privacy. Not only do you
> have to assume that all sites you visit within the same VM knows
> everything you did in there, but also you have to assume they know
> all the passwords for all the other sites you visit there and
> basically have full control over that VM. If you don't assume that,
> then why are you using Qubes in the first place...
And that's why you should disable keeping passwords in-browser and use
something like keepassx. Using it moves the security bar from 2 to 3 on
a scale to 10... It's better than nothing, and you can have a separate
keepassx AppVM for extremely sensitive passwords (and extremely
frustrating user experience, but still..).

>
> I think what would solve this dilemma is a custom dom0 browser layer.
> The way this can work is as follows:
And that's actually the point why I'm replying to your e-mail; this is
an idea as bad as it gets. The main reason why dom0 does not have
networking, and should not have, is to prevent exposing data on *all* of
the VM at once. As a side effect of this, the less software there is on
dom0 the better.

Your proposal flies straight in the face of this architectural
principle. While I agree that your proposal makes sense from a
user-experience point of view, I solved my multiple-identity problem
simply with many appVM, that share some identities that can be shared
together - say, the 5 e-mail accounts I have to use for work.

TL;DR: first, do you really actually need to separate each and every
identity you use? second, once you realize that many identities can
co-exist (and indeed, sometimes you would like this to happen) do you
really need that many isolated VMs? third, why would you need to move
this complexity in dom0?

-- 
Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/60dabd54-6ffa-ca65-256f-a1e1a7c44a33%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: ANN: Qubes network server

2016-11-02 Thread Max 
On Thursday, 13 October 2016 01:31:01 UTC+8, Manuel Amador (Rudd-O)  wrote:
> Update:
> 
> I have dramatically enhanced the documentation of the project:
> 
> * https://github.com/Rudd-O/qubes-network-server
> *
> https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20up%20your%20first%20server.md
> *
> https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20up%20an%20SSH%20server.md
> 
> This project is now ready and documented enough to be useful to users of
> Ansible Qubes who want to remotely manage clusters of Qubes OS machines:
> 
> *
> https://github.com/Rudd-O/ansible-qubes/blob/master/doc/Remote%20management%20of%20Qubes%20OS%20servers.md
> *
> https://github.com/Rudd-O/ansible-qubes/blob/master/doc/Enhance%20your%20Ansible%20with%20Ansible%20Qubes.md
> 
> I strongly welcome anyone who tries this and shares their experiences. 
> It is my goal to get this to be a key part of the Qubes OS strategy.
> 
> -- 
> 
> Rudd-O
> http://rudd-o.com/

For the "make rpm" command you refer to the local directory of your clone, is 
there a tutorial you recommend I should follow for doing this?

Thank you

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/273b72c4-0da2-4215-a28a-2325149a8294%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: ANN: Qubes network server

2016-11-02 Thread Max 
On Thursday, 13 October 2016 01:31:01 UTC+8, Manuel Amador (Rudd-O)  wrote:
> Update:
> 
> I have dramatically enhanced the documentation of the project:
> 
> * https://github.com/Rudd-O/qubes-network-server
> *
> https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20up%20your%20first%20server.md
> *
> https://github.com/Rudd-O/qubes-network-server/blob/master/doc/Setting%20up%20an%20SSH%20server.md
> 
> This project is now ready and documented enough to be useful to users of
> Ansible Qubes who want to remotely manage clusters of Qubes OS machines:
> 
> *
> https://github.com/Rudd-O/ansible-qubes/blob/master/doc/Remote%20management%20of%20Qubes%20OS%20servers.md
> *
> https://github.com/Rudd-O/ansible-qubes/blob/master/doc/Enhance%20your%20Ansible%20with%20Ansible%20Qubes.md
> 
> I strongly welcome anyone who tries this and shares their experiences. 
> It is my goal to get this to be a key part of the Qubes OS strategy.
> 
> -- 
> 
> Rudd-O
> http://rudd-o.com/

For the "make rpm" command you refer to the local directory of your clone, is 
there a tutorial you recommend I should follow for doing this?

Thank you

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e2ca70bd-ee20-40fc-9f65-298e58c3718d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.