[qubes-users] Re: Severe Lagging after latest dom0 , seeking backup solution

[--]

cooloutac:
> On Wednesday, April 26, 2017 at 5:06:42 PM UTC-4, Mike ru q fed wrote:
>> *hope this isn't dup, tried via gmane, but dont see that it appeared
>>
>> ---
>>
>> Update of qubes.foo.* and Xen-4.6.4-26.fc23 x86_64 packages in Dom0 -> 
>> slow lagging mouse and window behavior  ; luckily  I new qube user and 
>> just kept reinstalling,  which fixed the behaviour,  I've update debian 
>> and fedora and whonix now  and all is well,  however,  I'd like to 
>> update dom0  but  don't trust it, after  specifically updating only the 
>> packages labeled  qubes-xxx and Xen-xxx   , rebooting and confirming the 
>> problem.
>>
>> I have the installation on a standalone SSD , and I have another HD with 
>> Fedora OS in the same machine.
>>
>> I'm wondering can I clone the SSD of Qubes  as a backup in case I try to 
>> update dom0 again . or is there any alternative, suggestion , I 
>> don't have the logs from the bad dom0 updates because I reinstalled over 
>> the top ...
>>
>> I was told on reddit that this is a known issue, however, reviewing the 
>> newsgroup  I don't see any mention of lag after dom0  updates,  I not 
>> expert level with linux , but used Debian back in the day , so can 
>> handle a certain level of tweaking only
>>
>> thanks in advanc
> 
> probably. might be just easier to reinstall since you said its brand new 
> system anyways.
> 
> I have had some appvms freeze on me since dom0 don't know about mouse lag.  
> You get this in hvm or dom0? maybe the new kernel conflict with your hardware 
> in some way.  What is your pc specs?
> 

Well, I guess it's dom0 , opening VMs , seemed particularly bad when I
moused over the taskbar area 

It IS a newest CPU, but works fine on the pre dom0 Qubes install now

--

Intel Core i3-7100 7th Gen Core Desktop Processor 3M Cache,3.90 GHz
(BX80677I37100)

Motherboard ASRock H110M-STX (Mini-STX)
Chipset Intel H110
Graphics Intel HD Graphics

SSD

2 of Crucial 8GB Single DDR4 2133 MT/s (PC4-17000) DR x8 SODIMM 260-Pin
- CT8G4SFD8213

--

Its not brand new now, I've been modifying it  ; really prefer not to
reinstall yet again to solve this .. I did see that thing about a
future backup system, however I imagine I'd have to update to get it,
which would defeat the purpose.

I don't mind waiting if this is a known issue, as some intimated, if
it's not a known issue , then I'm not sure what to do 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3e347eb9-2a11-e4af-1bd1-a9610e5d517a%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] Compromise recovery on Qubes OS

[cooloutac]

On Wednesday, April 26, 2017 at 9:27:11 AM UTC-4, Chris Laprise wrote:
> On 04/26/2017 07:40 AM, Joanna Rutkowska wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Hello,
> >
> > Just a FYI that we have recently implemented a so called "Paranoid Mode" 
> > backup
> > recovery for Qubes OS. Arguably this is a new approach to dealing with full
> > system compromises (thanks to Qubes architecture (TM)).
> >
> > The packages for Qubes 3.2 that bring this functionality are currently in 
> > the
> > qubes-dom0-current-testing repository [1]. Note that you need these 
> > packages on
> > a fresh system where you want to restore to, and only there.
> >
> > I also wrote a post [2] explaining the rationale for this, as well as how 
> > it is
> > implemented, and what are still the limitation in 3.2, and how these will 
> > gone
> > in 4.0. The post also touches on AppVM compromise recovery challenges and 
> > how
> > Qubes OS might help here also.
> >
> > Of course I wish we all didn't have to use this feature too often... :/
> >
> > Cheers,
> > joanna.
> >
> > [1] https://github.com/QubesOS/qubes-issues/issues/2737
> > [2] https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/
> 
> 
> Its good to see a detailed exploration of recovery from compromised 
> state. As News items go, its a doozy (quite large)! Maybe the document 
> could be migrated to docs?
> 
> Some initial thoughts about paranoid mode and recovery:
> 
> 1. Its not clear from the news item whether TemplateVMs are restored (I 
> would guess they are not).
> 
> 2. Dom0 files could be restored into a 'quarantine' or 'old' 
> subdirectory. I always wanted restore to do this for dom0 anyway, by 
> default or via an option.
> 
> 3. Good that forensics VM is shown as a thing that's potentially 
> worthwhile. Of course, I half expected the usual warning about 
> corrupted/exploited filesystem.
> 
> 4. A more accurate term for the option would be 'precaution' mode or 
> similar. 'Paranoid' is a loaded word.
> 
> 
> On Prevention:
> 
> Its worth noting the uncertainties that exist in #3 (cleaning scripts) 
> largely apply to #2 (qvm-copy then analyze). This is because 
> clean/protect scripts such as in Qubes-VM-hardening [1] are a natural 
> place to run verification procedures as well -- and I expect to have 
> this implemented in Qubes-VM-hardening by next week. The user will be 
> able to create file lists with SHA hashes, and mismatch will trigger 
> popup and log events. Of course, a manual analysis can utilize a wider 
> array of tools vs what can be used inside of a startup service.
> 
> Also note the prevention issue is not limited to the home directory 
> If an attacker succeeds in privilege escalation, then they can alter 
> /rw/config and other root-owned parts of the private.img volume. In that 
> case, it could be advantageous to have some/most VMs automatically 
> disable or even reset /rw files, assuming those VMs don't need special 
> configuration. Unlike home scripts protection, such a countermeasure is 
> a leveraging of templates' non-persistence.
> 
> Lastly, there is some distinction between whatever apps could 
> (inadvertently) launch malware code /sometime/ in the runtime of the VM, 
> and what apps could launch malware when a VM has just finished booting. 
> In the latter case, an aware user knows the attack surface expands 
> greatly once more apps are run.
> 
> 
> 'Qubes OS vs conventional systems?' ...could have mentioned that Qubes 
> holds out the promise of being able to sanitize at least some data 
> formats after a restore.
> 
> 
> In the FAQ, it seems like AEM could be mentioned as firmware protection. 
> IIUC, AEM should be especially effective against remote attacks (against 
> BIOS/firmware) and I think remote is what most of the document is 
> addressing.
> 
> --
> 
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

only templates I ever backup are cloned ones. I wouldn't even mind default 
templates being disposable lol.

I wouldn't even know what programs to "clean" anything with anymore.  Is anyone 
really going to use a virus scan? What is even out there for linux thats worth 
anything thats not enterprise?

I think only secure boot is going to stop any remote attacks on bios, still 
think it would be nice to have to add to trust chain measure and compliment 
AEM, which only notifies if attack happened, hopefully.  I don't see them as 
two diff things I see them as completing more of the whole picture together.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2e33c25d-d542-4ed

[qubes-users] Re: Installing qubes -hard drive detection problem

[cooloutac]

On Wednesday, April 26, 2017 at 11:43:35 AM UTC-4, Mystic Buyer wrote:
> I am trying to install Qubes on to my xps 15 9560 but having problems with 
> detecting the hard drive on my computer.
> 
> 1. I burned the image as DD on my usb with Rufus
> 2. Turned off secure boot in BIOS
> 3. Booted successfully from the usb
> 4. Proceeded with the installation
> 5. While choosing the installation device there was no device detected.
> 
> Am I missing anything here that I have to do before installation. Really 
> having a hard time solving this issue.

what hdd you installing to? how is it attached, shows up in bios?  whats your 
pc specs? what is hdd settings in bios? legacy boot mode?  you dual booting?

Did you do a integrity check from the qubes menu before installing?  Check key 
sigs before burning iso?

Maybe try this program instead of rufus: 
https://www.netbsd.org/~martin/rawrite32/

even better use dd from a linux machine if possible.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/65156256-84f5-4816-a3e3-3b6c2b0e6773%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Severe Lagging after latest dom0 , seeking backup solution

[cooloutac]

On Wednesday, April 26, 2017 at 5:06:42 PM UTC-4, Mike ru q fed wrote:
> *hope this isn't dup, tried via gmane, but dont see that it appeared
> 
> ---
> 
> Update of qubes.foo.* and Xen-4.6.4-26.fc23 x86_64 packages in Dom0 -> 
> slow lagging mouse and window behavior  ; luckily  I new qube user and 
> just kept reinstalling,  which fixed the behaviour,  I've update debian 
> and fedora and whonix now  and all is well,  however,  I'd like to 
> update dom0  but  don't trust it, after  specifically updating only the 
> packages labeled  qubes-xxx and Xen-xxx   , rebooting and confirming the 
> problem.
> 
> I have the installation on a standalone SSD , and I have another HD with 
> Fedora OS in the same machine.
> 
> I'm wondering can I clone the SSD of Qubes  as a backup in case I try to 
> update dom0 again . or is there any alternative, suggestion , I 
> don't have the logs from the bad dom0 updates because I reinstalled over 
> the top ...
> 
> I was told on reddit that this is a known issue, however, reviewing the 
> newsgroup  I don't see any mention of lag after dom0  updates,  I not 
> expert level with linux , but used Debian back in the day , so can 
> handle a certain level of tweaking only
> 
> thanks in advanc

probably. might be just easier to reinstall since you said its brand new system 
anyways.

I have had some appvms freeze on me since dom0 don't know about mouse lag.  You 
get this in hvm or dom0? maybe the new kernel conflict with your hardware in 
some way.  What is your pc specs?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1715fb5e-e490-471a-96e9-b1b4d32d7fe4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Severe Lagging after latest dom0 , seeking backup solution

[cooloutac]

On Wednesday, April 26, 2017 at 5:06:42 PM UTC-4, Mike ru q fed wrote:
> *hope this isn't dup, tried via gmane, but dont see that it appeared
> 
> ---
> 
> Update of qubes.foo.* and Xen-4.6.4-26.fc23 x86_64 packages in Dom0 -> 
> slow lagging mouse and window behavior  ; luckily  I new qube user and 
> just kept reinstalling,  which fixed the behaviour,  I've update debian 
> and fedora and whonix now  and all is well,  however,  I'd like to 
> update dom0  but  don't trust it, after  specifically updating only the 
> packages labeled  qubes-xxx and Xen-xxx   , rebooting and confirming the 
> problem.
> 
> I have the installation on a standalone SSD , and I have another HD with 
> Fedora OS in the same machine.
> 
> I'm wondering can I clone the SSD of Qubes  as a backup in case I try to 
> update dom0 again . or is there any alternative, suggestion , I 
> don't have the logs from the bad dom0 updates because I reinstalled over 
> the top ...
> 
> I was told on reddit that this is a known issue, however, reviewing the 
> newsgroup  I don't see any mention of lag after dom0  updates,  I not 
> expert level with linux , but used Debian back in the day , so can 
> handle a certain level of tweaking only
> 
> thanks in advance,  Pimm

Funny you bring this up cause I seen a tweet today by Joanna Rutkowska that 
they will be introducing a paranoid backup and restore mode feature or 
something soon which sounds interesting.

https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a82c6217-aa2e-4308-abb1-8f9b3034d543%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Problem accessing 'qvm-usb'-associated SmartCard reader as non-root user

[Johannes Graumann]

Hello,

As I am transitioning all aspects of my evolving setup into qubes, I'm
stuck at making a SCR3310 smartcard reader (used to store my gpg secret
key) usable in an AppVM based on fedora25-minimal (had tu upgrade, as
evolution-functionality I require is not in fedora24) and dedicated to
run Evolution as the email/group ware client.

1) I have sys-usb running
2) qvm-usb on dom0 shows the reader and I can connect it to the appvm
using the same tool.
3) ROOT on the appvm can issue gpg2 --card-status just fine, but I have
so far failed to make the reader accessible to the qubes-used user
'user'.

There's neither a debianish plugdev nor an usb group to add the user
to.

I have provided an appropriate udev rule in the template vm that should
associate the device with the group 'user', but that doesn't work
either ...

Furhter tips? Any insight into where I err?

Joh

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1493273612.3133.1.camel%40graumannschaft.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Installing windows-tools in template

[Reg Tiangha]

On 04/26/2017 05:25 PM, Franz wrote:
> My win7-x64-template is up, network-connected and even already
> received and installed security updates. It is also fast enough to be
> really usable. So many thanks for the hard work.
>
> What puzzles me is windows tools installation. I installed it in dom0
> using testing rep (it did not work for normal rep), but the command
>
> qvm-start win7-x64-template --install-windows-tools
>
> just starts perfectly the template, but no mention or error or
> whatever sign of life is made for the windows tools option. So it
> seems that even after many tries and reboots windows tools is not
> installed.
>
> This impression is confirmed by
>
> qvm-prefs win7-x64-template
>
> that gives False for both qrexec_installed and  gui_agent_installed.
>
> Trying to find a solution in old threads found no answer, but instead
> found lots of users (the usual permanent crying Drew above all)
> complaining that windows tools has serious bugs or that reverting to
> old releases is better. So wonder if it is worth fighting to install
> windows tools at all.
>
> But perhaps windows tools will allow a larger screen? If yes it would
> be of critical importance to find a way to install windows tools.
>
> Any help?
> Best
> Fran
> -- 
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
> qubes-users+unsubscr...@googlegroups.com
> .
> To post to this group, send email to
> qubes-users@googlegroups.com
> .
> To view this discussion on the web visit
> https://groups..google.com/d/msgid/qubes-users/CAPzH-qAXPb-cnBhQUaCgGJsTaiLTW7v3NcpqnDBhi7BhO3%2Bq%3Dg%40mail.gmail.com
> .
> For more options, visit https://groups.google.com/d/optout.


When you invoke qvm-start like that, the Windows Tools ISO gets mounted
in a virtual Windows CD-ROM drive. Access that as you would a normal CD
in Windows Explorer and then double click on the installer.



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/odrvdn%2447s%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Installing windows-tools in template

[Franz]

My win7-x64-template is up, network-connected and even already received and
installed security updates. It is also fast enough to be really usable. So
many thanks for the hard work.

What puzzles me is windows tools installation. I installed it in dom0 using
testing rep (it did not work for normal rep), but the command

qvm-start win7-x64-template --install-windows-tools

just starts perfectly the template, but no mention or error or whatever
sign of life is made for the windows tools option. So it seems that even
after many tries and reboots windows tools is not installed.

This impression is confirmed by

qvm-prefs win7-x64-template

that gives False for both qrexec_installed and  gui_agent_installed.

Trying to find a solution in old threads found no answer, but instead found
lots of users (the usual permanent crying Drew above all) complaining that
windows tools has serious bugs or that reverting to old releases is better.
So wonder if it is worth fighting to install windows tools at all.

But perhaps windows tools will allow a larger screen? If yes it would be of
critical importance to find a way to install windows tools.

Any help?
Best
Fran

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qAXPb-cnBhQUaCgGJsTaiLTW7v3NcpqnDBhi7BhO3%2Bq%3Dg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Mounting folder from one VM on another?

[Unman]

On Wed, Apr 26, 2017 at 02:13:52PM -0700, wordswithn...@gmail.com wrote:
> I'm looking for a solution similar to qvm-copy-to-vm, but without all the 
> copying.
> 
> I'd like to mount /home/user/foo from Secure appvm at /home/user/foo on 
> Personal appvm. The folder would be mounted as read only.
> 
> Rather than copy the files and waste space, I'd like to just have them 
> accessible.
> 
> Is this possible?
> 

Obviously you could use samba or sshfs to share the files. sshfs in
particular would take very little set-up , other than enablng ssh
between the two qubes, and this is well explained in the docs on the
firewall page.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170426223630.GA3441%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Mounting folder from one VM on another?

[wordswithnemo]

On Wednesday, April 26, 2017 at 5:13:52 PM UTC-4, wordsw...@gmail.com wrote:
> I'm looking for a solution similar to qvm-copy-to-vm, but without all the 
> copying.
> 
> I'd like to mount /home/user/foo from Secure appvm at /home/user/foo on 
> Personal appvm. The folder would be mounted as read only.
> 
> Rather than copy the files and waste space, I'd like to just have them 
> accessible.
> 
> Is this possible?

Never mind... this is done by mounting the image of the Secure appvm in the 
Personal appvm

In dom0:

qvm-block -A --ro Personal dom0:/var/lib/qubes/appvms/Secure/private.img
qvm-run -p Personal 'sudo mkdir /media/Secure'
qvm-run -p Personal 'sudo mount /dev/xvdi /media/Secure'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3bd0aaaf-9e82-48f6-9f4b-1da26841f2b3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Mounting folder from one VM on another?

[wordswithnemo]

I'm looking for a solution similar to qvm-copy-to-vm, but without all the 
copying.

I'd like to mount /home/user/foo from Secure appvm at /home/user/foo on 
Personal appvm. The folder would be mounted as read only.

Rather than copy the files and waste space, I'd like to just have them 
accessible.

Is this possible?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4045dccf-036c-4993-b0af-69359e5292c0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Severe Lagging after latest dom0 , seeking backup solution

[Mike ru q fed]

*hope this isn't dup, tried via gmane, but dont see that it appeared

---

Update of qubes.foo.* and Xen-4.6.4-26.fc23 x86_64 packages in Dom0 -> 
slow lagging mouse and window behavior  ; luckily  I new qube user and 
just kept reinstalling,  which fixed the behaviour,  I've update debian 
and fedora and whonix now  and all is well,  however,  I'd like to 
update dom0  but  don't trust it, after  specifically updating only the 
packages labeled  qubes-xxx and Xen-xxx   , rebooting and confirming the 
problem.


I have the installation on a standalone SSD , and I have another HD with 
Fedora OS in the same machine.


I'm wondering can I clone the SSD of Qubes  as a backup in case I try to 
update dom0 again . or is there any alternative, suggestion , I 
don't have the logs from the bad dom0 updates because I reinstalled over 
the top ...


I was told on reddit that this is a known issue, however, reviewing the 
newsgroup  I don't see any mention of lag after dom0  updates,  I not 
expert level with linux , but used Debian back in the day , so can 
handle a certain level of tweaking only


thanks in advance,  Pimm

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/015ab2c2-7c70-1012-9920-07e6c25e7d53%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HCL - Surface Pro 3 (i5-4300U 4Gb)

[lamhussain]

On Saturday, April 8, 2017 at 8:48:22 PM UTC-4, jimmy@gmail.com wrote:
> On Saturday, November 19, 2016 at 9:48:31 PM UTC-5, Johannes Zipperer wrote:
> > I tested Qubes 3.2 with the Fedora 24 template for about 5 hours intensely.
> 
> I have been using Qubes 3.2 for about two months on a Surface Pro 2 (8GB 
> RAM.) Most of my observations have been in line with yours. Overall, it works 
> quite well and has become my full-time portable setup. Nice to see someone 
> else trying Qubes on Surface Pro!

Could you describe how you got Qubes to install on your Surface Pro 2? I'm 
having the same booting problems as the poster above (installer stalls at 4 
penguins screen with "EFI_MEMMAP is not enabled" etc. message).

I followed the instructions from the Qubes website, using Rufus and dd mode to 
prepare the bootable USB but not working so far.

Help?!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/96098762-8256-46eb-a303-c1adfaa654e2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] No bootable device neither in BIOS or UEFI after Qubes R3 fresh install

[Mystic Buyer]

On Thursday, January 14, 2016 at 9:56:22 PM UTC-5, Marek Marczykowski-Górecki 
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On Thu, Jan 14, 2016 at 11:30:24AM -0800, pag...@gmail.com wrote:
> > On Sunday, August 2, 2015 at 7:00:33 PM UTC-4, raf...@elitemail.org wrote:
> > > On 08/02/2015 11:08 AM, len...@gmail.com wrote:
> > > > Hi guys, I'm having issues with a fresh Qubes os install.
> > > > I'm booting the installer from an usb drive, created(on windows) with 
> > > > rawrite.
> > > > The installer boots correctly.
> > > > On the disk setup page i've tried different combinations of settings, 
> > > > but nothing seems to work.
> > > > After setup is done, the "reboot" button on the bottom right is 
> > > > enabled. After reboot, i'm stuck in BIOS with a "No bootable device 
> > > > found". Both BIOS and UEFI.
> > > > Any ideas where to start?
> > > > Thank you.
> > > >
> > > 
> > > You could boot from live media and try reinstalling grub2.
> > 
> > I had the same issue as the OP on a dell laptop. I tried to reinstall grub 
> > via the qubes install rescue mode, but it did not have the x86_64-efi 
> > target file. This may be the issue with the install not working. I didn't 
> > try another live media to restore grub2. I just did a reinstall with it set 
> > to BIOS, which is working fine for now.
> 
> In UEFI mode grub is not used at all, xen.efi is loaded directly.
> Example line to configure EFI boot manager would be (assuming /dev/sda
> being the disk with Qubes installed):
> efibootmgr -c -d /dev/sda -l '\EFI\qubes\xen.efi' -L Qubes
> 
> Anyway if you've managed to get it working in legacy mode, that's fine
> :)
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> iQEcBAEBCAAGBQJWmF/QAAoJENuP0xzK19csT0sH/1PnnZCwLklP1PLm21cTO6QG
> d+vlqlk18xNo+7YnZlO+z3vKS7QLLh4xLqPH1VHp/yr+XhKexEK9vtKpoqGOs89b
> wJ4uyUijY+5SNHK3dyMXLpjO3rRIoHDZ1oN9a+k5Gk31ng4Gsx3JhPFKQ+kBqqCL
> RJNcv9u0RuQ6qsZS9+mOSCAQ3hYpGBFDLsEWPVfTMxSvtjqoYs1/cF/HmRyFKqbQ
> Q0KEGAIHezJi2SuXvFybZE2IST6SC7o+B8wcUktkUwFmldMBWIEBkALGSf0EDp57
> MHVAd+Nk9xubPTUl3JJMHYUi6KnE0wuFcg423IKHuEBcZA0I/h7YkE/GuTSDvXc=
> =1Rei
> -END PGP SIGNATURE-

I am trying to install qubes on my xps 15 9560 but for some reason at the 
installation destination page the internal ssd is not detected any suggestions? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9ebb2a32-68e5-4904-8a62-fc7857359c8e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Installing qubes -hard drive detection problem

[mysticbuyer01]

I am trying to install Qubes on to my xps 15 9560 but having problems with 
detecting the hard drive on my computer.

1. I burned the image as DD on my usb with Rufus
2. Turned off secure boot in BIOS
3. Booted successfully from the usb
4. Proceeded with the installation
5. While choosing the installation device there was no device detected.

Am I missing anything here that I have to do before installation. Really having 
a hard time solving this issue. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3cd20c7b-c21c-4f28-9db4-4cb2bb646944%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: AppArmor denying Thunderbird/Enigmail from executing Split-GPG on Whonix

[Nuno Branco]

I had problems with enigmail and split GPG before and the only
workaround I found was downgrading it to 1.8.2


On 04/24/2017 05:14 PM, cooloutac wrote:
> On Monday, April 24, 2017 at 11:54:49 AM UTC-4, cooloutac wrote:
>> http://wiki.apparmor.net/index.php/QuickProfileLanguage
>>
>> You can try adding  /usr/bin/qubes-gpg-client-wrapper Uxr,  
>>
>> and see what happens. The gpg stuff might be more complicated then that 
>> though.  You can also ask the guy who made your profile.
> I put wrong command its aa-enforce *not enable.
>
> Also I believe where you put the line in the profile matters try put it high 
> up.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a66f0700-f397-50f2-4701-18cd013aeadd%40neomailbox.ch.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Win7 template serial number activation

[Dominique St-Pierre Boucher]

On Wednesday, April 26, 2017 at 9:00:27 AM UTC-4, Francesco wrote:
> @Zrubi
> 
> 
> 
> On Wed, Apr 26, 2017 at 9:51 AM, Dominique St-Pierre Boucher 
>  wrote:
> 
> 
> On Wednesday, April 26, 2017 at 2:19:24 AM UTC-4, Laszlo Zrubecz wrote:
> 
> > -BEGIN PGP SIGNED MESSAGE-
> 
> > Hash: SHA256
> 
> >
> 
> > On 04/26/2017 01:44 AM, Franz wrote:
> 
> > > Hello friends, I need to install Win7 for the first time after
> 
> > > years and wonder if it is possible to activate a template Win7 with
> 
> > > the proper serial number and then have child VMs that are already
> 
> > > activated and keep so over time.
> 
> >
> 
> > Short answer: No, you better create a HVM
> 
> >
> 
> >
> 
> > Details:
> 
> > Depends on your licence - but in general the activation are bound to
> 
> > your hardware - Virtual Machine in case Qubes.
> 
> >
> 
> > If you activate your template, that will be permanent. And at least you
> 
> > will be fine with updating windows.
> 
> >
> 
> > However if you create an AppVM using this template, windows will see
> 
> > another hardware and asking for an activation. Even if you activate this
> 
> > instance you will lost that state by rebooting it.
> 
> >
> 
> > In practice this will not limiting you using template based Windows VMs.
> 
> > At least technically.
> 
> >
> 
> > Not sure how long you can run an unactivated windows before start poking
> 
> > you about this fact.
> 
> >
> 
> 
> 
> Many thanks Zrubi for your very detailed answer. Reading your explanation I 
> remembered that once was able to use a non-Qubes windows installation even if 
> it was not activated. So imagine that the same may be done with template 
> childs, particularly if they are somehow created anew after every reboot. So 
> this may be an acceptable compromise.
> 
> 
> 
> 
> > For a legal solution - ask your windows licencing expert ;)
> 
> 
> 
> 
> I imagine that even Microsoft representatives do not know the reply 
> 
> 
> >
> 
> >
> 
> > - --
> 
> > Zrubi
> 
> >
> 
> >
> 
> > -BEGIN PGP SIGNATURE-
> 
> > Version: GnuPG v2
> 
> >
> 
> > iQIcBAEBCAAGBQJZADvgAAoJEH7adOMCkunmB7UQAJk68yVp2oNfIWDs/NsZyliY
> 
> > r8mftxdcZFiqzr6MlCyu/QGR4lKeV5DxjMoXoIx3Ms9IXM2DBE6tM/i7t0pT4bds
> 
> > gYgQ749LuzOYN7wa4c9aYK0Q2K6+0yJs/Oykhqpyjb8M3MAXmUuISu/6bnt4KyHJ
> 
> > yuIeTbEeLY+xuAI/nYJCP0WMfZDbmjQPsFuimDnxcXyB8xPdEOJ1kJp6TQ2soML9
> 
> > bdETCO4G/9Dzrl2dbfK/Rfz3r/Z5TbvvWTWegyezRkLriaj/xgLtBZEGtFVAsRHR
> 
> > gamESfnXB5LHW/nOKYJYhS4j0nZrcfL6vfvgonAOZTTxWf4tZrZKsgC2kYOiOIU6
> 
> > zUyx4Fw7qjj3RM08gGtV+lKLkouebmgFWYIxfrbuRWsTT41w1+WXoYQIG3UR6W0r
> 
> > kYIbNeAGIwaZXrlwvjUk4cFfqLGErUr7S8BoV66NqoQQ7aniNbOphZ2IeBnYpmrc
> 
> > O/Ir9vaEzH0zU4isn3mx78dzG350PgcMd1K0UicdyDpblh5q2aqHaFtgbYxd4sYl
> 
> > wF+aNOOG5i3RQN3AckdbA/BlPRf4UDXd7Evv1nf03h0M0N9jkhC4VhgNm0OF39f/
> 
> > 3ENYu8qTJ7PYdzhORe8rSeBckpJuUcByGAgTcflvrf5DLTC7q0s6UZqbr2iF0zqj
> 
> > j5bBTix3j3fNX1k4IkpQ
> 
> > =J5AW
> 
> > -END PGP SIGNATURE-
> 
> 
> 
> Is there really such thing as a Micro$oft licensing expert? License term 
> change all the time. Refering you to a website that can be change after 
> you've accepted the EULA...
> 
> 
> 
> In theory, when you reboot your VM, it should look like a new install so 
> every time you reboot, it should work?!?!?!
> 
> 
> 
> I just finished installing a Windows 7 template. I will do some test!
> 
> 
> 
> 
> 
> Yes, let us know Dominique, thanks 
> 
> 
> Dominique
> 
> 
> 
> --
> 
> You received this message because you are subscribed to the Google Groups 
> "qubes-users" group.
> 
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to qubes-users...@googlegroups.com.
> 
> To post to this group, send email to qubes...@googlegroups.com.
> 
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/222af6be-b129-4eb8-a482-d652f0fd3eda%40googlegroups.com.
> 
> 
> 
> For more options, visit https://groups.google.com/d/optout.

Preliminary test with Windows 7 Pro and a MAK key installed in the template:
- when I start the appvm, it activates with the proper MAK key with no issue
- I think that retail or OEM are different.

Can someone confirm?

Dominique

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f5715477-7ae6-4ead-b560-b02ee1f79766%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] Compromise recovery on Qubes OS

[Chris Laprise]

On 04/26/2017 07:40 AM, Joanna Rutkowska wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello,

Just a FYI that we have recently implemented a so called "Paranoid Mode" backup
recovery for Qubes OS. Arguably this is a new approach to dealing with full
system compromises (thanks to Qubes architecture (TM)).

The packages for Qubes 3.2 that bring this functionality are currently in the
qubes-dom0-current-testing repository [1]. Note that you need these packages on
a fresh system where you want to restore to, and only there.

I also wrote a post [2] explaining the rationale for this, as well as how it is
implemented, and what are still the limitation in 3.2, and how these will gone
in 4.0. The post also touches on AppVM compromise recovery challenges and how
Qubes OS might help here also.

Of course I wish we all didn't have to use this feature too often... :/

Cheers,
joanna.

[1] https://github.com/QubesOS/qubes-issues/issues/2737
[2] https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/



Its good to see a detailed exploration of recovery from compromised 
state. As News items go, its a doozy (quite large)! Maybe the document 
could be migrated to docs?


Some initial thoughts about paranoid mode and recovery:

1. Its not clear from the news item whether TemplateVMs are restored (I 
would guess they are not).


2. Dom0 files could be restored into a 'quarantine' or 'old' 
subdirectory. I always wanted restore to do this for dom0 anyway, by 
default or via an option.


3. Good that forensics VM is shown as a thing that's potentially 
worthwhile. Of course, I half expected the usual warning about 
corrupted/exploited filesystem.


4. A more accurate term for the option would be 'precaution' mode or 
similar. 'Paranoid' is a loaded word.



On Prevention:

Its worth noting the uncertainties that exist in #3 (cleaning scripts) 
largely apply to #2 (qvm-copy then analyze). This is because 
clean/protect scripts such as in Qubes-VM-hardening [1] are a natural 
place to run verification procedures as well -- and I expect to have 
this implemented in Qubes-VM-hardening by next week. The user will be 
able to create file lists with SHA hashes, and mismatch will trigger 
popup and log events. Of course, a manual analysis can utilize a wider 
array of tools vs what can be used inside of a startup service.


Also note the prevention issue is not limited to the home directory 
If an attacker succeeds in privilege escalation, then they can alter 
/rw/config and other root-owned parts of the private.img volume. In that 
case, it could be advantageous to have some/most VMs automatically 
disable or even reset /rw files, assuming those VMs don't need special 
configuration. Unlike home scripts protection, such a countermeasure is 
a leveraging of templates' non-persistence.


Lastly, there is some distinction between whatever apps could 
(inadvertently) launch malware code /sometime/ in the runtime of the VM, 
and what apps could launch malware when a VM has just finished booting. 
In the latter case, an aware user knows the attack surface expands 
greatly once more apps are run.



'Qubes OS vs conventional systems?' ...could have mentioned that Qubes 
holds out the promise of being able to sanitize at least some data 
formats after a restore.



In the FAQ, it seems like AEM could be mentioned as firmware protection. 
IIUC, AEM should be especially effective against remote attacks (against 
BIOS/firmware) and I think remote is what most of the document is 
addressing.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f38ca89-d77f-0253-cba1-ebd2a0bf9cb1%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Win7 template serial number activation

[Franz]

@Zrubi

On Wed, Apr 26, 2017 at 9:51 AM, Dominique St-Pierre Boucher <
dominiqu...@gmail.com> wrote:

> On Wednesday, April 26, 2017 at 2:19:24 AM UTC-4, Laszlo Zrubecz wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > On 04/26/2017 01:44 AM, Franz wrote:
> > > Hello friends, I need to install Win7 for the first time after
> > > years and wonder if it is possible to activate a template Win7 with
> > > the proper serial number and then have child VMs that are already
> > > activated and keep so over time.
> >
> > Short answer: No, you better create a HVM
> >
> >
> > Details:
> > Depends on your licence - but in general the activation are bound to
> > your hardware - Virtual Machine in case Qubes.
> >
> > If you activate your template, that will be permanent. And at least you
> > will be fine with updating windows.
> >
> > However if you create an AppVM using this template, windows will see
> > another hardware and asking for an activation. Even if you activate this
> > instance you will lost that state by rebooting it.
> >
> > In practice this will not limiting you using template based Windows VMs.
> > At least technically.
> >
> > Not sure how long you can run an unactivated windows before start poking
> > you about this fact.
> >
>

Many thanks Zrubi for your very detailed answer. Reading your explanation I
remembered that once was able to use a non-Qubes windows installation even
if it was not activated. So imagine that the same may be done with template
childs, particularly if they are somehow created anew after every reboot.
So this may be an acceptable compromise.

> For a legal solution - ask your windows licencing expert ;)
>

I imagine that even Microsoft representatives do not know the reply

> >
> >
> > - --
> > Zrubi
> >
> >
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v2
> >
> > iQIcBAEBCAAGBQJZADvgAAoJEH7adOMCkunmB7UQAJk68yVp2oNfIWDs/NsZyliY
> > r8mftxdcZFiqzr6MlCyu/QGR4lKeV5DxjMoXoIx3Ms9IXM2DBE6tM/i7t0pT4bds
> > gYgQ749LuzOYN7wa4c9aYK0Q2K6+0yJs/Oykhqpyjb8M3MAXmUuISu/6bnt4KyHJ
> > yuIeTbEeLY+xuAI/nYJCP0WMfZDbmjQPsFuimDnxcXyB8xPdEOJ1kJp6TQ2soML9
> > bdETCO4G/9Dzrl2dbfK/Rfz3r/Z5TbvvWTWegyezRkLriaj/xgLtBZEGtFVAsRHR
> > gamESfnXB5LHW/nOKYJYhS4j0nZrcfL6vfvgonAOZTTxWf4tZrZKsgC2kYOiOIU6
> > zUyx4Fw7qjj3RM08gGtV+lKLkouebmgFWYIxfrbuRWsTT41w1+WXoYQIG3UR6W0r
> > kYIbNeAGIwaZXrlwvjUk4cFfqLGErUr7S8BoV66NqoQQ7aniNbOphZ2IeBnYpmrc
> > O/Ir9vaEzH0zU4isn3mx78dzG350PgcMd1K0UicdyDpblh5q2aqHaFtgbYxd4sYl
> > wF+aNOOG5i3RQN3AckdbA/BlPRf4UDXd7Evv1nf03h0M0N9jkhC4VhgNm0OF39f/
> > 3ENYu8qTJ7PYdzhORe8rSeBckpJuUcByGAgTcflvrf5DLTC7q0s6UZqbr2iF0zqj
> > j5bBTix3j3fNX1k4IkpQ
> > =J5AW
> > -END PGP SIGNATURE-
>
> Is there really such thing as a Micro$oft licensing expert? License term
> change all the time. Refering you to a website that can be change after
> you've accepted the EULA...
>
> In theory, when you reboot your VM, it should look like a new install so
> every time you reboot, it should work?!?!?!
>
> I just finished installing a Windows 7 template. I will do some test!
>
>
Yes, let us know Dominique, thanks

Dominique
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/222af6be-b129-4eb8-a482-d652f0fd3eda%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qCHnS-XX%2B-iFCqpzS7a6kU99PZpd-tEqa8%2BEPt7vfBKnA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Win7 template serial number activation

[Dominique St-Pierre Boucher]

On Wednesday, April 26, 2017 at 2:19:24 AM UTC-4, Laszlo Zrubecz wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On 04/26/2017 01:44 AM, Franz wrote:
> > Hello friends, I need to install Win7 for the first time after
> > years and wonder if it is possible to activate a template Win7 with
> > the proper serial number and then have child VMs that are already
> > activated and keep so over time.
> 
> Short answer: No, you better create a HVM
> 
> 
> Details:
> Depends on your licence - but in general the activation are bound to
> your hardware - Virtual Machine in case Qubes.
> 
> If you activate your template, that will be permanent. And at least you
> will be fine with updating windows.
> 
> However if you create an AppVM using this template, windows will see
> another hardware and asking for an activation. Even if you activate this
> instance you will lost that state by rebooting it.
> 
> In practice this will not limiting you using template based Windows VMs.
> At least technically.
> 
> Not sure how long you can run an unactivated windows before start poking
> you about this fact.
> 
> For a legal solution - ask your windows licencing expert ;)
> 
> 
> - -- 
> Zrubi
> 
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> iQIcBAEBCAAGBQJZADvgAAoJEH7adOMCkunmB7UQAJk68yVp2oNfIWDs/NsZyliY
> r8mftxdcZFiqzr6MlCyu/QGR4lKeV5DxjMoXoIx3Ms9IXM2DBE6tM/i7t0pT4bds
> gYgQ749LuzOYN7wa4c9aYK0Q2K6+0yJs/Oykhqpyjb8M3MAXmUuISu/6bnt4KyHJ
> yuIeTbEeLY+xuAI/nYJCP0WMfZDbmjQPsFuimDnxcXyB8xPdEOJ1kJp6TQ2soML9
> bdETCO4G/9Dzrl2dbfK/Rfz3r/Z5TbvvWTWegyezRkLriaj/xgLtBZEGtFVAsRHR
> gamESfnXB5LHW/nOKYJYhS4j0nZrcfL6vfvgonAOZTTxWf4tZrZKsgC2kYOiOIU6
> zUyx4Fw7qjj3RM08gGtV+lKLkouebmgFWYIxfrbuRWsTT41w1+WXoYQIG3UR6W0r
> kYIbNeAGIwaZXrlwvjUk4cFfqLGErUr7S8BoV66NqoQQ7aniNbOphZ2IeBnYpmrc
> O/Ir9vaEzH0zU4isn3mx78dzG350PgcMd1K0UicdyDpblh5q2aqHaFtgbYxd4sYl
> wF+aNOOG5i3RQN3AckdbA/BlPRf4UDXd7Evv1nf03h0M0N9jkhC4VhgNm0OF39f/
> 3ENYu8qTJ7PYdzhORe8rSeBckpJuUcByGAgTcflvrf5DLTC7q0s6UZqbr2iF0zqj
> j5bBTix3j3fNX1k4IkpQ
> =J5AW
> -END PGP SIGNATURE-

Is there really such thing as a Micro$oft licensing expert? License term change 
all the time. Refering you to a website that can be change after you've 
accepted the EULA...

In theory, when you reboot your VM, it should look like a new install so every 
time you reboot, it should work?!?!?!

I just finished installing a Windows 7 template. I will do some test!

Dominique

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/222af6be-b129-4eb8-a482-d652f0fd3eda%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Compromise recovery on Qubes OS

[Dominique St-Pierre Boucher]

On Wednesday, April 26, 2017 at 7:40:24 AM UTC-4, Joanna Rutkowska wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Hello,
> 
> Just a FYI that we have recently implemented a so called "Paranoid Mode" 
> backup
> recovery for Qubes OS. Arguably this is a new approach to dealing with full
> system compromises (thanks to Qubes architecture (TM)).
> 
> The packages for Qubes 3.2 that bring this functionality are currently in the
> qubes-dom0-current-testing repository [1]. Note that you need these packages 
> on
> a fresh system where you want to restore to, and only there.
> 
> I also wrote a post [2] explaining the rationale for this, as well as how it 
> is
> implemented, and what are still the limitation in 3.2, and how these will gone
> in 4.0. The post also touches on AppVM compromise recovery challenges and how
> Qubes OS might help here also.
> 
> Of course I wish we all didn't have to use this feature too often... :/
> 
> Cheers,
> joanna.
> 
> [1] https://github.com/QubesOS/qubes-issues/issues/2737
> [2] https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/
> -BEGIN PGP SIGNATURE-
> 
> iQIcBAEBCAAGBQJZAIceAAoJEDOT2L8N3GcYGxgQAKMdaO/1VBOXh8RD4kMmiS7K
> KTHvQuU+V0iP20KHSEh9kt/QSM2DV9ru7hIfNNo44LlU2dxDLJ6NFtykC6bZvdjN
> Vk93f2iOaRSrKclwEXRaa/Bo399ZE0pMXOO4alHHaMerYkFCn4WEtwYQB8mclgyI
> TvaF9X+EUdpa7DZsO4wHONYqLu722wvjprDHnAyQjYwyrhdiRXEmABCr6FkT5Dx/
> isRJR7JIOTyt1Fa80oqwjyaA+6RxCoBjM4IjqIhxHs6ebAgnNd7vRpbZglqnEVi7
> CWYMqYxm83F1mO/W+GqufIXw2UvRF1RyHl4hRVfEtjltwZpvsgFUMofHcTAQzM2X
> 1GGMXM+8Di+1lYmPJf4rM4FzkYvUL/DlA+BMPRWRw05hCsBvn+t0AjLUOa7RgSlH
> Vr3fLAdpFCSAvkunc/tM9DHcR7UyWiRU/4WS9Fdl2U1ekaqPxMToNLF/FFfYT2y1
> HTMkhX9rAgZvIynmbpH1yjaKVJgGSfLI/U9Il/1OETWO4p0b+iXuEM2HZQ/Oqwz3
> qYf+LCWAJRWokf46E7YIPmO4OhMD29EjgUyCEX6nFJWGI4Lx7EBB+coRlm7Nm6P1
> mNZM5wnkCLVF47l6RL5+uiHQjvDaOxNefIchMAiLY4yeERdgoJJlo+DGdbdsX5KC
> spbT/xcjj1p2DkLbIWDK
> =deyL
> -END PGP SIGNATURE-

Wow!!! Just incredible. Excellent work. What a nice feature that I hope I will 
never have to use.

Dominique

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5422398c-388a-46fc-9ad5-0f6979d0e400%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Compromise recovery on Qubes OS

[Joanna Rutkowska]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello,

Just a FYI that we have recently implemented a so called "Paranoid Mode" backup
recovery for Qubes OS. Arguably this is a new approach to dealing with full
system compromises (thanks to Qubes architecture (TM)).

The packages for Qubes 3.2 that bring this functionality are currently in the
qubes-dom0-current-testing repository [1]. Note that you need these packages on
a fresh system where you want to restore to, and only there.

I also wrote a post [2] explaining the rationale for this, as well as how it is
implemented, and what are still the limitation in 3.2, and how these will gone
in 4.0. The post also touches on AppVM compromise recovery challenges and how
Qubes OS might help here also.

Of course I wish we all didn't have to use this feature too often... :/

Cheers,
joanna.

[1] https://github.com/QubesOS/qubes-issues/issues/2737
[2] https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/
-BEGIN PGP SIGNATURE-

iQIcBAEBCAAGBQJZAIceAAoJEDOT2L8N3GcYGxgQAKMdaO/1VBOXh8RD4kMmiS7K
KTHvQuU+V0iP20KHSEh9kt/QSM2DV9ru7hIfNNo44LlU2dxDLJ6NFtykC6bZvdjN
Vk93f2iOaRSrKclwEXRaa/Bo399ZE0pMXOO4alHHaMerYkFCn4WEtwYQB8mclgyI
TvaF9X+EUdpa7DZsO4wHONYqLu722wvjprDHnAyQjYwyrhdiRXEmABCr6FkT5Dx/
isRJR7JIOTyt1Fa80oqwjyaA+6RxCoBjM4IjqIhxHs6ebAgnNd7vRpbZglqnEVi7
CWYMqYxm83F1mO/W+GqufIXw2UvRF1RyHl4hRVfEtjltwZpvsgFUMofHcTAQzM2X
1GGMXM+8Di+1lYmPJf4rM4FzkYvUL/DlA+BMPRWRw05hCsBvn+t0AjLUOa7RgSlH
Vr3fLAdpFCSAvkunc/tM9DHcR7UyWiRU/4WS9Fdl2U1ekaqPxMToNLF/FFfYT2y1
HTMkhX9rAgZvIynmbpH1yjaKVJgGSfLI/U9Il/1OETWO4p0b+iXuEM2HZQ/Oqwz3
qYf+LCWAJRWokf46E7YIPmO4OhMD29EjgUyCEX6nFJWGI4Lx7EBB+coRlm7Nm6P1
mNZM5wnkCLVF47l6RL5+uiHQjvDaOxNefIchMAiLY4yeERdgoJJlo+DGdbdsX5KC
spbT/xcjj1p2DkLbIWDK
=deyL
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170426114015.GF7540%40work-mutt.
For more options, visit https://groups.google.com/d/optout.