[qubes-users] Re: Is AIDE included in the installation iso?
On Sunday, November 6, 2016 at 11:07:43 PM UTC-5, raah...@gmail.com wrote:
> On Sunday, November 6, 2016 at 9:27:04 PM UTC-5, David Renz wrote:
> > Hello everyone,
> >
> > currently I don't have QubesOS installed unfortunately, so I can't check this by myself, and it might take some time until I'll be able to install it, therefore I'm asking about this on the list:
> >
> > I think that AIDE is the most sophisticated tool for checking file system integrity (and I believe that this approach might be one of the best in order to see whether a system got compromised or not), but obviously it could render this approach useless, if one would first have to go online after having installed QubesOS and then AIDE from a Repo, which might be compromised. Therefore my question: Is AIDE included in the Fedora installation iso, so that those security issues could be circumvented?
> >
> > By the way, doing so should not only be done before going online for the first time, but already before the system restarts after its installation (because otherwise ACPI or other firmware code might compromise the system during the first boot process).
> >
> > If it's not included in the installation iso, then I'd strongly suggest that it should be added. (The second best solution would be to download it and pray that this download is not compromised (probably I don't need to mention that there are various ways to compromise this download without someone being able to notice that), but actually that doesn't even sound like a 'second best', but a rather careless approach.)
> >
> > Maybe manually hashing files by writing a script could be another approach (I'd rather do that than trust a security relevant tool I downloaded from somewhere), though AIDE is really great in its functionality and it would be really nice if doing so would be possible.
> >
> > Kind regards and all the best
> >
> > David
>
> You just install the package like any other linux.
>
> I still like tripwire the best, even though the opensource version is so outdated. Some more modern solutions are OSSEC or Samhain, but they are more like windows type all in one solutions and might be considered bloated.

When using these type of programs on qubes though I found it too noisy and pointless. Just for dom0 might not be a bad idea. Just routinely wipe your other vms at the slightest anomaly haha. It's so easy in qubes.
[qubes-users] Re: Is AIDE included in the installation iso?
On Sunday, November 6, 2016 at 9:27:04 PM UTC-5, David Renz wrote:
> Hello everyone,
>
> currently I don't have QubesOS installed unfortunately, so I can't check this by myself, and it might take some time until I'll be able to install it, therefore I'm asking about this on the list:
>
> I think that AIDE is the most sophisticated tool for checking file system integrity (and I believe that this approach might be one of the best in order to see whether a system got compromised or not), but obviously it could render this approach useless, if one would first have to go online after having installed QubesOS and then AIDE from a Repo, which might be compromised. Therefore my question: Is AIDE included in the Fedora installation iso, so that those security issues could be circumvented?
>
> By the way, doing so should not only be done before going online for the first time, but already before the system restarts after its installation (because otherwise ACPI or other firmware code might compromise the system during the first boot process).
>
> If it's not included in the installation iso, then I'd strongly suggest that it should be added. (The second best solution would be to download it and pray that this download is not compromised (probably I don't need to mention that there are various ways to compromise this download without someone being able to notice that), but actually that doesn't even sound like a 'second best', but a rather careless approach.)
>
> Maybe manually hashing files by writing a script could be another approach (I'd rather do that than trust a security relevant tool I downloaded from somewhere), though AIDE is really great in its functionality and it would be really nice if doing so would be possible.
>
> Kind regards and all the best
>
> David

You just install the package like any other linux.

I still like tripwire the best, even though the opensource version is so outdated. Some more modern solutions are OSSEC or Samhain, but they are more like windows type all in one solutions and might be considered bloated.
Re: [qubes-users] R3.2, xfce, resume and changing resolution issues
On 2016-11-06 14:34, yaqu wrote:
> Hello,
>
> When I work on laptop with lid closed and external monitor connected, and when I suspend Qubes, reconnect it to another docking station with different monitor, and wake it up, then screen on external monitor has old resolution, not matching resolution of currently connected monitor.
>
> Is it possible to force (or politely convince) xfce4 to autodetect resolution after wake up from suspend? Just like it used to work on KDE?
>
> As a workaround I use custom script in /usr/lib/systemd/system-sleep/ that executes on wake up:
>
> xrandr --output HDMI1 --auto --output HDMI2 --auto
>
> It works, but maybe there is a better solution?

Thanks for the report. Tracking:

https://github.com/QubesOS/qubes-issues/issues/2420

> And there is a second issue with changing screen resolution. When I change resolution from lower to higher, some icons in tray at the bottom of the screen are not accessible - no tooltip on hover, no response to click. It looks like only icons of appVM apps are affected (NetworkManager, Psi, Remmina, KeePass...), and icons of dom0 apps work correctly (volume control, power manager, qubes manager). Tray needs to be on bottom of screen, of course.
>
> I have found out that to make these icons work again, I have to switch on or off any of connected displays.
>
> This issue can be reproduced even without external monitors. Assuming laptop's LCD is on LVDS1, one needs to switch it to some low resolution and then back to default:
>
> [user@dom0 ~]$ xrandr --output LVDS1 --mode "800x600"; sleep 3; xrandr --output LVDS1 --auto
>
> Now icons are not accessible. To fix it one needs to turn LCD off and on:
>
> [user@dom0 ~]$ xrandr --output LVDS1 --off; xrandr --output LVDS1 --auto
>
> BTW now as I tested it, it looks that not only tray icons are not accessible. The bottom half of the screen is not clickable for appVM applications.
>
> Regards,

Thanks. Tracking:

https://github.com/QubesOS/qubes-issues/issues/2421

For now, please try using the qubes-monitor-layout-notify tool as described in the comments on this issue:

https://github.com/QubesOS/qubes-issues/issues/1599

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] recommendations on encrypted usb disk?
On 2016-11-06 04:43, pixel fairy wrote:
> crypt setup has a lot of options. what do you recommend for a usb disk for backups and file transfer between qubes and bare metal linux systems?

My personal favorite is:

# cryptsetup -v --hash sha512 --cipher aes-xts-plain64 --key-size 512 --use-random --iter-time 5000 --verify-passphrase luksFormat

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Is AIDE included in the installation iso?
On 2016-11-05 01:32, David Renz wrote:
> Hello everyone,
>
> currently I don't have QubesOS installed unfortunately, so I can't check this by myself, and it might take some time until I'll be able to install it, therefore I'm asking about this on the list:
>
> I think that AIDE is the most sophisticated tool for checking file system integrity (and I believe that this approach might be one of the best in order to see whether a system got compromised or not), but obviously it could render this approach useless, if one would first have to go online after having installed QubesOS and then AIDE from a Repo, which might be compromised. Therefore my question: Is AIDE included in the Fedora installation iso, so that those security issues could be circumvented?

Do you want it in dom0 or in domUs (or both)? Which package would you like us to check for?

> By the way, doing so should not only be done before going online for the first time, but already before the system restarts after its installation (because otherwise ACPI or other firmware code might compromise the system during the first boot process).
>
> If it's not included in the installation iso, then I'd strongly suggest that it should be added. (The second best solution would be to download it and pray that this download is not compromised (probably I don't need to mention that there are various ways to compromise this download without someone being able to notice that), but actually that doesn't even sound like a 'second best', but a rather careless approach.)

This shouldn't be an issue, since the packages you download should be PGP-signed.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: questions about Qubes-os
On 2016-11-06 11:36, trash wrote:
> Good Evening
>
> The last week I've read something very interesting about Qubes-os in a French magazine. I've tested it for several days and it remains some important questions.
> I sent a mail to benbaill...@idpresse.com who told me contact you for further explanations.
> That's what I'm doing.

Hello Dom,

Thank you for your interest in Qubes! Just so you know, we like to have (non-private) Qubes discussions on our mailing lists. This allows other knowledgeable people from the community to chime in and allows information to be shared with everyone. It also makes the discussion searchable for other people in the future. So, I'm CCing our qubes-users mailing list in my reply (please keep this address CCed if you reply). You can read more about our mailing lists here:

https://www.qubes-os.org/mailing-lists/

> 1/ How could I use ssh to manage qubes-os ( not secure but may be useful sometimes).

If you mean from dom0, then this currently breaks the Qubes security model, which entails that dom0 has no network access. (Remote management is planned for the future.) It might currently be possible, but it's not supported. This has come up on the MLs a number of times in the past, so you might consider doing some searches and reading through the results of others' attempts.

> 2/ When I create a "black default vm, I can see in parameters that networking is not allowed, but between a "green" one and a "blue " one I can't find any differences. So Is it me who decide I will surf only on safe sites with a "blue vm" or are there some parameters modified by the system (iptables for example). It's not very clear to me.

Yes, you ultimately get to decide what the colors mean. When you create a new VM of any color (including black), there are no pre-configured differences based on that color. The color is merely a label. (I suspect that you examined the properties of an existing black VM, perhaps the "vault" created during installation.) By default, the assumption is that black is the most trusted color, while red is the least trusted. But you're free to overturn this assumption if you wish.

> 3/ I can connect my synology and manage my shares directories via my web browser but not via
> nautilus (or others ) with the command smb://192.168.X.Y:
> (I'm asking for login/password but after, I can't access my shared directories/files ).

I'm not sure about this one, as I don't use a Synology product. This sounds like it's probably not Qubes-specific, but perhaps rather a Samba/Fedora issue. Maybe someone else can shed light here.

> 4/ And the most important, about the firewall:
>
> One vm +"deny network access except " no Internet link -->normal
>
> One vm +"deny..except 192.168.X.Y: --> connection on the nas Synology -->normal
>
> One vm +"deny.except * -->openbar-->normal
>
> One vm + "denyexcept phoenixjp.com --> I can connect the site but can't reach the further links. It seems to be normal but not suitable for me.
>
> how could I solve this problem if I want to access http, https, ftp
>
> Be sure I've surfed on many sites trying to find clues, but without many success.

It sounds like you want to allow connections on all protocols to the entire IP range or CIDR block associated with that domain. Take a look at the documentation here:

https://www.qubes-os.org/doc/qubes-firewall/

The comments in this issue might also be relevant or helpful to you:

https://github.com/QubesOS/qubes-issues/issues/879

> You're certainly the people able to help, It seems to me that a Qubes-os well mastered could be very secured for my network. Actually I can see the amount of possibilities but can't master the essential security parameters to use it in "production" (my home network).
>
> At any rate, very good job
>
> Best regards
>
> Dom Courtiol

Thanks! Welcome to Qubes!

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Is AIDE included in the installation iso?
Hello everyone,

currently I don't have QubesOS installed unfortunately, so I can't check this by myself, and it might take some time until I'll be able to install it, therefore I'm asking about this on the list:

I think that AIDE is the most sophisticated tool for checking file system integrity (and I believe that this approach might be one of the best in order to see whether a system got compromised or not), but obviously it could render this approach useless, if one would first have to go online after having installed QubesOS and then AIDE from a Repo, which might be compromised. Therefore my question: Is AIDE included in the Fedora installation iso, so that those security issues could be circumvented?

By the way, doing so should not only be done before going online for the first time, but already before the system restarts after its installation (because otherwise ACPI or other firmware code might compromise the system during the first boot process).

If it's not included in the installation iso, then I'd strongly suggest that it should be added. (The second best solution would be to download it and pray that this download is not compromised (probably I don't need to mention that there are various ways to compromise this download without someone being able to notice that), but actually that doesn't even sound like a 'second best', but a rather careless approach.)

Maybe manually hashing files by writing a script could be another approach (I'd rather do that than trust a security relevant tool I downloaded from somewhere), though AIDE is really great in its functionality and it would be really nice if doing so would be possible.

Kind regards and all the best

David
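The manual hashing approach raised in the message above, sketched as an added example (not part of the original post, and not how AIDE itself works): it records SHA-256 digests using only find, sha256sum, sort and awk, then reports files that were added, removed or changed. The function names, the choice of SHA-256 and the sample tree are assumptions made for illustration, and the baseline is assumed to be kept outside the monitored tree, ideally on read-only or offline media.

```shell
#!/bin/sh
# Added example: file-integrity baseline built from find, sha256sum, sort
# and awk only, so nothing has to be downloaded before the first snapshot.

# integrity_snapshot DIR
#   Print one "<sha256>  ./relative/path" line per regular file under DIR.
#   -xdev keeps find on a single filesystem (no /proc, /sys, other mounts).
integrity_snapshot() {
    ( cd "$1" && find . -xdev -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# integrity_compare MANIFEST DIR
#   Re-hash DIR and print every path that is ADDED, REMOVED or CHANGED
#   relative to MANIFEST. Returns 0 if the tree matches, 1 if it differs,
#   2 on an internal error. MANIFEST must live outside DIR.
integrity_compare() {
    current=$(mktemp) || return 2
    integrity_snapshot "$2" > "$current" || { rm -f "$current"; return 2; }
    report=$(awk '
        # sha256sum lines: 64 hex digits, two separator characters, then the path.
        FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            path = substr($0, 67); sum = substr($0, 1, 64)
            if (!(path in old))        print "ADDED   " path
            else if (old[path] != sum) print "CHANGED " path
            delete old[path]
        }
        # Whatever is still in the baseline table no longer exists on disk.
        END { for (path in old) print "REMOVED " path }
    ' "$1" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# integrity_demo
#   Runs both functions on a constructed sample tree (not real system files).
integrity_demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/tree/etc" "$work/tree/bin"
    echo 'PermitRootLogin no' > "$work/tree/etc/sshd_config"
    echo 'original tool'      > "$work/tree/bin/tool"
    echo 'welcome'            > "$work/tree/etc/motd"

    # Baseline taken before the system is exposed; stored outside the tree.
    integrity_snapshot "$work/tree" > "$work/baseline.sha256"

    echo 'modified tool' > "$work/tree/bin/tool"    # content changed
    rm "$work/tree/etc/motd"                        # file removed
    echo 'new file' > "$work/tree/bin/extra"        # file added

    integrity_compare "$work/baseline.sha256" "$work/tree" && status=0 || status=$?
    rm -rf "$work"
    return "$status"
}

integrity_demo || true
```

Only file contents are covered here; ownership, permissions and timestamps, which AIDE can also track, are not compared.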
[qubes-users] Re: ANN: Qubes network server
On 11/05/2016 03:54 PM, Max wrote:
>
> Thanks for the response!
>
> I ran this and also ran 'sudo dnf install go' when I came across the following error: 'go is needed by qubes-network-server-0.0.4-1.fc23.noarch'.

A commit is now out which eliminates this dependency.

> I then did the cd into the cloned folder and the 'make rpm' function has appeared to have worked.
>
> I followed the steps to get this to Dom0 and then installed the RPM. It may be better to add to the documentation 'sudo rpm -ivh qns.rpm' as I wasn't initially sure that I actually had to name the file. It helps the noobs!
>
> The purpose for me for installing the network server was to be able to ping my Debian VM from my Windows VM.
>
> These are the configuration steps I took subsequent to install:
>
> 1) Created a ProxyVM named server-proxy.
> 2) Changed the NetVM on both work-apps (my Debian 8 VM) and windows-7 (HVM) to the new ProxyVM

Sorry, I should have clarified that HVMs are not supported at all. I am very, very sorry. I need to do more work to get HVMs to work properly ("more" is a euphemism for I have totally forgotten so far to support that use case). It is totally my fault that I did not explain this in the documentation. My bad.

I have updated the documentation to reflect that.

If you could help me, do report what happens when you ping between a Fedora and a Debian AppVM, or two Debian AppVMs.

--
Rudd-O
http://rudd-o.com/
Re: [qubes-users] Whonix Gateway and normal AppVM behind?
On Friday, 4 November 2016 14:04:53 UTC+11, entr0py wrote:
> Drew White:
> > Hi folks,
> >
> > If I'm using the Whonix Gateway guest, and I have it as a ProxyVM, is it safe to assume that if I use a normal AppVM, (non-whonix) behind it, then that means that everything is still going through the Tor network?
> >
> > (Just wanting to make 100% sure)
> >
> > Sincerely,
> > Drew.
>
> Drew, I know you only concern yourself with the most complex, technical details; but every once in a while, you should come see how us small-minded, non-dev "little people" live:

I'm sorry, I don't easily understand layman's terms. It's a downfall of mine that I know about and I do work on, every day.

> Google "Whonix"
> |
> https://www.whonix.org/
> |
> https://www.whonix.org/wiki/
> |
> https://www.whonix.org/wiki/Documentation
> |
> https://www.whonix.org/wiki/Other_Operating_Systems

Yes I searched it on the whonix website. Yes I searched elsewhere. As I said I wanted to be "100%" sure. So I wanted someone that knew and had every test done already to know if everything really did go through Tor OR whether there were things that didn't. And I mean ANYTHING.

> BTW, all 20 of the questions in your qubes-devel thread (which incidentally has nothing to do with qubes-devel) are also answered in the docs.

Well, IF they are ALL answered in the docs, then why isn't the information that I require there? I did search the documents first. Read EVERY page that had the word "Whonix" or "Qubes-TorVM" (and similar) in it. And the answers to my questions are not there. If the answers were there, then I would not have asked them in Qubes-Devel. It's that simple.
[qubes-users] R3.2, xfce, resume and changing resolution issues
Hello,

When I work on laptop with lid closed and external monitor connected, and when I suspend Qubes, reconnect it to another docking station with different monitor, and wake it up, then screen on external monitor has old resolution, not matching resolution of currently connected monitor.

Is it possible to force (or politely convince) xfce4 to autodetect resolution after wake up from suspend? Just like it used to work on KDE?

As a workaround I use custom script in /usr/lib/systemd/system-sleep/ that executes on wake up:

xrandr --output HDMI1 --auto --output HDMI2 --auto

It works, but maybe there is a better solution?

And there is a second issue with changing screen resolution. When I change resolution from lower to higher, some icons in tray at the bottom of the screen are not accessible - no tooltip on hover, no response to click. It looks like only icons of appVM apps are affected (NetworkManager, Psi, Remmina, KeePass...), and icons of dom0 apps work correctly (volume control, power manager, qubes manager). Tray needs to be on bottom of screen, of course.

I have found out that to make these icons work again, I have to switch on or off any of connected displays.

This issue can be reproduced even without external monitors. Assuming laptop's LCD is on LVDS1, one needs to switch it to some low resolution and then back to default:

[user@dom0 ~]$ xrandr --output LVDS1 --mode "800x600"; sleep 3; xrandr --output LVDS1 --auto

Now icons are not accessible. To fix it one needs to turn LCD off and on:

[user@dom0 ~]$ xrandr --output LVDS1 --off; xrandr --output LVDS1 --auto

BTW now as I tested it, it looks that not only tray icons are not accessible. The bottom half of the screen is not clickable for appVM applications.

Regards,

--
yaqu
Re: [qubes-users] Re: Issues after in-place 3.1.17 -> 3.2 upgrade
On Sunday, November 6, 2016 at 2:07:38 PM UTC-6, Marek Marczykowski-Górecki wrote:
> On Sun, Nov 06, 2016 at 11:44:25AM -0800, Richard wrote:
> > However, I noticed that the Qubes VM Manager is not reflecting the changes (i.e. it is still showing VMs running), even after I close and reopen it.
>
> This is expected (until system restart). Also, just closing the manager window isn't enough to really restart it - if you want to, right click on its icon and choose "exit". Then start it again from the menu.
>
> > I was going to use the 'shutdown now' command, but wanted to check if there is anything I should be doing, before I shutdown, to fix the above errors.
>
> Just restarting the system should be enough.
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

Thank you Marek
[qubes-users] Re: Issues after in-place 3.1.17 -> 3.2 upgrade
On Sunday, November 6, 2016 at 11:24:55 AM UTC-6, Richard wrote:
> I just finished doing an in-place upgrade to 3.2 following https://www.qubes-os.org/doc/upgrade-to-r3.2/
>
> However, I ran into a problem when I reached step "6. Update configuration files."
>
> The system will not allow me to open Konsole (I can open run command, choose Konsole and nothing happens).
>
> Also, now whenever I open Qubes VM Manager I receive the following message:
>
> libvirtError: internal error: client socket is closed
>
> line: if ret == -1: raise libvirtError ('virDomainlsActive() failed', dom=self)
> func: isActive
> line no.: 1338
> file: /usr/lib64/python2.7/site-packages/libvirt.py
> ---
> line: if libvirt_domain.isActive()
> func: get_power_state
> line no.: 876
> file: /usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py
>
> and so forth.
>
> The only VMs that are running are sys-firewall and sys-net. I've tried to shut down the firewall from the Qubes VM Manager and receive the following message:
>
> AssertionError:
> line: assert vm.is_running()
> func: action_shutdownvm_triggered
> line no: 1261
> file: /usr/lib64/python2.7/site-packages/qubesmanager/main.py
>
> I've tried to restart and shutdown my system and that is also not possible...nothing happens when I click on shutdown or restart.
>
> I should be grateful if anyone can provide me the steps I need to do to continue upgrading my system.
>
> Thanks,
> Richard

Update:

I was able to open Konsole and complete step 6

I also used 'qvm-shutdown -all' to shutdown all VMs.

However, I noticed that the Qubes VM Manager is not reflecting the changes (i.e. it is still showing VMs running), even after I close and reopen it.

I was going to use the 'shutdown now' command, but wanted to check if there is anything I should be doing, before I shutdown, to fix the above errors.

Thanks.
[qubes-users] Issues after in-place 3.1.17 -> 3.2 upgrade
I just finished doing an in-place upgrade to 3.2 following https://www.qubes-os.org/doc/upgrade-to-r3.2/

However, I ran into a problem when I reached step "6. Update configuration files."

The system will not allow me to open Konsole (I can open run command, choose Konsole and nothing happens).

Also, now whenever I open Qubes VM Manager I receive the following message:

libvirtError: internal error: client socket is closed

line: if ret == -1: raise libvirtError ('virDomainlsActive() failed', dom=self)
func: isActive
line no.: 1338
file: /usr/lib64/python2.7/site-packages/libvirt.py
---
line: if libvirt_domain.isActive()
func: get_power_state
line no.: 876
file: /usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py

and so forth.

The only VMs that are running are sys-firewall and sys-net. I've tried to shut down the firewall from the Qubes VM Manager and receive the following message:

AssertionError:
line: assert vm.is_running()
func: action_shutdownvm_triggered
line no: 1261
file: /usr/lib64/python2.7/site-packages/qubesmanager/main.py

I've tried to restart and shut down my system and that is also not possible...nothing happens when I click on shutdown or restart.

I should be grateful if anyone can provide me the steps I need to do to continue upgrading my system.

Thanks,
Richard
[qubes-users] HCL - Lenovo Thinkpad T520 (4243WM2)
Hello,

I have been using this Thinkpad T520 for 1.5 years with Qubes R2, R3.0 and now R3.2 without major hardware issues (not tested with R3.1). Well, I had a problem with Intel gfx and R3.2, but it's fixed now (details somewhere below).

Long story short: it works.

CPU: i5-2520M 2.50GHz
VT-x: works
VT-d: works
SLAT/EPT: supported
TPM: present, not tested
RAM: it had only 4 GB in factory configuration, documentation says it supports max 8 GB, but in fact it supports up to 16 GB of RAM (2*8).
GPU: integrated Intel HD Graphics 3000, works, but: Under R3.2, i915.enable_rc6=0 needs to be added to kernel parameters to prevent random reboots when external monitor is connected, as described there: https://groups.google.com/d/msg/qubes-users/DSFcUer3C7M/Rbno0VdfBQAJ
Suspend/resume: works.
Sound: works
Microphone: works
Ethernet: Intel 82579LM Gigabit, works
Wi-Fi: Intel Centrino Ultimate-N 6300, works
Card reader: Ricoh PCIe SDXC/MMC Controller, works
Firewire: Ricoh R5C832 PCIe IEEE 1394 Controller, works
Display: TFT 15.6" 1600x900, anti-glare
Docking station: tested with Lenovo 4338, works
Bluetooth: BCM2045B, detected as USB device, but not tested
Camera: not present
Fingerprint reader: not present
Keyboard, trackpoint and touchpad: work. There are additional function keys, most of them work, at least these used by me: volume control, mute, LCD dim and keyboard light.
ExpressCard/34 port: works, but without hotplugging, as it is not supported by Qubes anymore: https://groups.google.com/d/msg/qubes-users/JVOpOrOPvZk/5Xar5LS8BwAJ
USB: two USB 2.0 controllers. One with 2 ports and all internal devices (bluetooth, docking station and its USB ports), and second with just 2 ports. Controllers have shared RMRRs, but they can be assigned to different appVMs if these VMs have pci_strictreset=false. Note: since upgrade to R3.2 I'm no longer able to assign USB controller to Win7 HVM.

For USB 3.0 I use ExpressCard adapter (on Renesas uPD720202 chipset) and it works well. AFAIR I had to disable power management for pccard in BIOS.

All communication ports or devices can be disabled in BIOS: network cards, bluetooth, modem, USB ports, firewire, ExpressCard slot, eSATA port, ultrabay (CD/HDD), card reader, camera, microphone and fingerprint reader. Some of these ports/devices are not present in this model of T520. There is also the physical switch for disabling bluetooth and Wi-Fi, it also works.

-- yaqu

Qubes-HCL-LENOVO-4243WM2-20161002-222153.yml Description: application/yaml
Re: [qubes-users] Qubes 3 MacOSX
The current VMWare Fusion v8 allows running multiple instances of OSX. They even advertise it on their website: http://www.vmware.com/products/fusion.html

"macOS Sierra-Ready
Launch virtual machines on Macs with macOS 10.12 Sierra, or safely test the new macOS in a sandbox on your current Mac without disruption."
Re: [qubes-users] recommendations on encrypted usb disk?
On 06.11.2016 13:43, pixel fairy wrote:
> crypt setup has a lot of options. what do you recommend for a usb disk for
> backups and file transfer between qubes and bare metal linux systems?
>

Hi

I would go with AES-256 as cipher and sha512 as hash for LUKS. Refer to
https://docs.debops.org/en/latest/ansible/roles/ansible-cryptsetup/docs/defaults.html#cryptography-defaults
for details :)

--
Live long and prosper
Robin `ypid` Schneider -- https://me.ypid.de/
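To check that an existing USB disk actually matches the AES-256 / sha512 recommendation in the reply above, the following added example (not part of the original post) parses `cryptsetup luksDump` output. It assumes the LUKS1 header layout and that XTS mode is in use, where AES-256 shows up as a 512-bit master key; `sample_dump`, `check_luks_dump` and `/dev/sdX1` are names made up here, and the sample header is constructed.

```shell
#!/bin/sh
# Added example: compare `cryptsetup luksDump` output (LUKS1 layout) with the
# AES-256 / sha512 recommendation. In XTS mode the master key is split into
# two halves, so AES-256 is reported as "MK bits: 512".

# Constructed sample of luksDump output; not taken from a real device.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sdX1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
EOF
}

# Reads luksDump text on stdin and prints one line per finding.
# Exit status 0 = header matches the recommendation, 1 = at least one mismatch.
check_luks_dump() {
    awk -F':[ \t]*' '
        $1 == "Cipher name" { cipher = $2 }
        $1 == "Cipher mode" { mode = $2 }
        $1 == "Hash spec"   { hash = $2 }
        $1 == "MK bits"     { bits = $2 + 0 }
        END {
            # Effective AES key length: XTS uses half of the master key.
            aes_bits = (mode ~ /^xts/) ? bits / 2 : bits
            bad = 0
            if (cipher != "aes")  { print "FAIL cipher=" cipher; bad = 1 }
            if (aes_bits != 256)  { print "FAIL aes key bits=" aes_bits; bad = 1 }
            if (hash != "sha512") { print "FAIL hash=" hash; bad = 1 }
            if (!bad) print "OK aes-256 (" mode ") with sha512"
            exit bad
        }'
}

# On a real device (needs root): cryptsetup luksDump /dev/sdX1 | check_luks_dump
sample_dump | check_luks_dump
```

A header created with a 256-bit XTS key is reported as a failure, because each XTS half is then only 128 bits.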
[qubes-users] recommendations on encrypted usb disk?
crypt setup has a lot of options. what do you recommend for a usb disk for backups and file transfer between qubes and bare metal linux systems?
Re: [qubes-users] Qubes 3 MacOSX
On 06.11.2016 at 10:42, Alex wrote:
> On 11/06/2016 10:31 AM, Jeremy Rand wrote:
> Actually reading the license of OSX available at
> https://store.apple.com/Catalog/US/Images/MacOSX.htm is very easy
> because they are awfully short and simple, compared to a lot of other
> software.
>
> And in 2.A. there is the actual permitted use:
>> This License allows you to install and use one copy of the Apple
>> Software on a single Apple-labeled computer at a time.
> which means that you can own an Apple Mac computer, install
> Qubes/Linux/what you want on it, install VirtualBox/VMWare/Xen on it,
> and have an OSX virtual machine while still behaving according to the
> license.

There were other people who thought it would be that simple (mind you, I'm not talking about Mac OS X Server, a product that became a 30$ add-on later); does anyone remember a product called VMware Fusion version 4.10 which suddenly removed the artificial barrier against running non-Server Mac OS X on VMware and which had to be replaced by version 4.11 only two weeks later with the only bug fixed being able to run Mac OS X on a VM? That must have been one hell of a letter Apple sent, I guess I would pay for reading it.

> The third point, "ensure your physical system is an Apple-labeled
> computer", explicits the then-actual license conditions to run a
> virtualized OSX within the license terms.

And if you do, you can run VMware ESXi on a Mac Pro cluster and use it to virtualize multiple Mac OS-based machines, as long as they are installing Server.app on them. One of our customers is doing it to get the applications from his old Mac Servers running in a world where the most important customer is obviously the iPad Pro user...

> AFAIK, by the link from the apple store reported above, these terms are
> still valid - you can run a virtualized OSX and be within the license
> terms if it is the only instance you run, and it runs on an
> Apple-labeled computer.

Point is: You can't buy a valid license without buying a machine with it. I guess you could buy *heaps* of Mac mini just to obtain licenses... Just like having to buy defective power supplies to get MagSafe connectors.

And Apple does not attack the people breaking the licenses; they are usually aiming at those who enable others to break them (which I regard as a good thing).

Achim
[qubes-users] Secure Browsing - browserless?
Hello,

It looks like I was wrong, this kind of browserless security setup might not be a part of the far future, it is up and running (in the testmode)...

The Boeing Black Phone...

http://www.defenseone.com/technology/2016/11/nsa-chief-has-phone-top-secret-messaging-heres-how-it-works/132845/?oref=d-river
http://www.boeing.com/defense/boeing-black/index.page

- Can switch between an open and a secure network (2 SIMs)
- Is highly encrypted
- Is working like a DispVM and stores data at a faraway secure place (physical security)
- Physical tamper proof and self-destructive (physical security)

Nice would be a Qubes DispVM optimized for screen sharing (browser less security) with an App running on a second bank-sided DispVM behind the first banking-firewall, so all banking transactions become secure and secret.

But sure this needs also a clever encryption embedded.

Kind Regards
Re: [qubes-users] Your Battery is spying on you...
Hello Rudd-O,

many times technology can be used in both sides good and e*

My first concern with this internet and lack of IT-security is, that in some main-stream browsers you have enough backdoors to book in the second you type in your credit-card information in parallel for you on another place with another delivering-address of course...

In my eyes a hard browser focused to the financial goals of the owner will be quite helpful in this crazy internet game.

Tor, I'm afraid will be also a perfect tool to deliver a hidden command and control structure (e.g. my QR31 was not updating anything any more...).

"Of the top twenty most popular Tor addresses, eleven are command and control centres for botnets, including all of the top five."
https://www.technologyreview.com/s/519186/security-flaw-shows-tor-anonymity-network-dominated-by-botnet-command-and-control/

So Tor will be useful on a live-QubesOS DVD in a dual mode, if you need Whonix browser + Tor Features, e.g. for security-research without the tracing features of the network.

It's so hard to get a coherent picture about the good and robust internet infrastructure. Perhaps a new kind of network will get this straight out of the box one day in the far far future...

A how to do banking, shopping and surfing-guide will be quite helpful to get a solid baseline towards a better safe internet-experience.

Thanks and Kind Regards