[qubes-users] Re: heads up, qubes 3.2 still vuln to cve-2016-4484 (minor severity)

2017-07-12 Thread pixel fairy
On Wednesday, July 12, 2017 at 7:32:07 PM UTC-7, pixel fairy wrote:
> reported here, https://github.com/QubesOS/qubes-issues/issues/2907
> 
> wanted to give users without AEM or sed a heads up to fix their grub file or 
> add a boot password if this concerns them.

to fix it with grub, (adapted from https://www.qubes-os.org/doc/usb/)

1. Open the file /etc/default/grub in dom0.
2. Find the line that begins with GRUB_CMDLINE_LINUX.
3. Add rd.shell=0 to that line.
4. Save and close the file.
5. Run the command grub2-mkconfig -o /boot/grub2/grub.cfg in dom0.
6. Reboot.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/554a51e8-ae5d-41c3-9aa7-43e79edf5457%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
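
Added example, not part of the post above or of the Qubes documentation: a shell version of steps 1 to 5 that adds rd.shell=0 to GRUB_CMDLINE_LINUX only once, then checks the regenerated config and the booted command line. The function names are hypothetical and matching kernel lines by the string vmlinuz is an assumption; the paths in the trailing comment are the ones named in the steps.

```shell
#!/bin/sh
# Added example (not from the thread). Every function takes the file as an
# argument so it can be tried on a copy before touching dom0.

# Print the value of the last active GRUB_CMDLINE_LINUX= line, outer quotes removed.
# GRUB_CMDLINE_LINUX_DEFAULT= is a different key and is not matched.
cmdline_value() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"[[:space:]]*$/\1/' -e "s/^'\(.*\)'[[:space:]]*\$/\1/"
}

# Succeed if rd.shell=0 is already present as a whole word.
has_rd_shell_off() {
    case " $(cmdline_value "$1") " in
        *" rd.shell=0 "*) return 0 ;;
    esac
    return 1
}

# Steps 1-4: add rd.shell=0 once, keeping a backup in FILE.bak.
# Returns 0 = flag present (added or already there), 2 = no such line,
# 3 = a different rd.shell= value is set, 1 = value is not double-quoted.
ensure_rd_shell_off() {
    file=$1
    if ! grep -q '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$file"; then
        echo "$file: no GRUB_CMDLINE_LINUX line" >&2
        return 2
    fi
    has_rd_shell_off "$file" && return 0
    case " $(cmdline_value "$file") " in
        *" rd.shell="*)
            echo "$file: conflicting rd.shell= value, edit by hand" >&2
            return 3 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    # Insert the flag just before the closing double quote.
    sed 's/^\([[:space:]]*GRUB_CMDLINE_LINUX="[^"]*\)"/\1 rd.shell=0"/' \
        "$file.bak" > "$file"
    if ! has_rd_shell_off "$file"; then
        cp -p "$file.bak" "$file"
        echo "$file: value is not double-quoted, edit by hand" >&2
        return 1
    fi
}

# After step 5: count kernel lines in the generated config that lack the flag.
# Assumption: kernel lines are the ones that mention vmlinuz.
kernel_lines_missing() {
    grep 'vmlinuz' "$1" |
        grep -vcE '(^|[[:space:]])rd\.shell=0([[:space:]]|$)' || true
}

# After step 6: the booted kernel's command line should carry the flag too.
booted_with_rd_shell_off() {
    case " $(cat "${1:-/proc/cmdline}") " in
        *" rd.shell=0 "*) return 0 ;;
    esac
    return 1
}

# Demonstration on a constructed sample, not a real dom0 file.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'GRUB_TIMEOUT=5' \
        'GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-CONSTRUCTED rhgb quiet"' > "$d/grub"
    ensure_rd_shell_off "$d/grub" && cmdline_value "$d/grub"
    rm -rf "$d"
}
demo

# In dom0, following the steps above (as root):
#   ensure_rd_shell_off /etc/default/grub
#   grub2-mkconfig -o /boot/grub2/grub.cfg
#   kernel_lines_missing /boot/grub2/grub.cfg   # should print 0
#   booted_with_rd_shell_off && echo ok         # after the reboot
```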


[qubes-users] Qubes USB Installation Error

2017-07-12 Thread M
Receive this error booting from live USB:


   Incompatible license
   Aborted. Press any key to exit.


Qubes image written to USB with:


   dd if=Qubes-R3.2-x86_64.iso of=/dev/sdb


USB drive is SanDisk 64GB USB formatted via GParted

Same error message when using another 8GB generic USB drive.

Any ideas what's going wrong?

Thanks.



[qubes-users] heads up, qubes 3.2 still vuln to cve-2016-4484 (minor severity)

2017-07-12 Thread pixel fairy
reported here, https://github.com/QubesOS/qubes-issues/issues/2907

wanted to give users without AEM or sed a heads up to fix their grub file or 
add a boot password if this concerns them.



Re: [qubes-users] adding an SSD storage cache

2017-07-12 Thread motech man
On Saturday, December 12, 2015 at 4:08:10 PM UTC-6, Marek Marczykowski-Górecki 
> 
> Thanks! I've added a link to your message in our documentation.
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

This all went perfectly smoothly until the last bit about updating grub. Now 
I'm in the middle of this conversion and there is no such grub.cfg file as 
stated in this guide (looks like an older MBR style partition scheme and 
standard grub2 config, there is no /etc/default/grub on my 3.2 UEFI system).

It's not easy finding info on the qubes UEFI boot process, or how to add the 
required kernel options. No manpage for efimanager in qubes either.

How do I update the boot process so it will use the cache? This guide was easy 
enough to follow until the very last step 6. What is the equivalent EFI process 
to grub2-mkconfig in Qubes?

Here's what I did, which "appears" to work, but I'm not sure as performance is 
about the same as it was before the cache was added. I hope it is only due to 
it being the first use, and subsequent uses will get progressively faster.

I noticed the kernel options in /boot/EFI/efi/qubes/xen.cfg. I added the line 
described in step 3 into the existing list, between the rd.luks for root and 
the one for swap. I also noticed the above process (specifically step 5) does 
not update the initramfs image in that folder. I had to copy it from /boot.

The BIOS on my system requires an /EFI/efi/BOOT folder, so I replicated the 
files from /boot/EFI/efi/qubes, renaming xen.* to BOOTX86.*

I sure wish there were a way to easily tell if this is working properly. Time 
for more googling it seems :)



Re: [qubes-users] Working with a BTC hardware wallet on Qubes

2017-07-12 Thread Franz
On Wed, Jul 12, 2017 at 6:17 PM, Thomas Jefferson 
wrote:

> I also forgot to mention, if ultimately the sys-usb will have internet,
> then what's the difference between the sys-net or sys-usb? Why using two
> separated SysVMs if both can be used as a NetVM?
>
>
>
What I noted is that when you install Qubes you are given an option to
install sys-usb or not.  I suspect that if you select "not" then what
happens is that USB controllers are assigned to sys-net. So making it a
single sys-vm.

Also I wonder which place may a firewall have with that. I assigned my
expresscard USB controller to a TrezorVM which uses the standard firewall,
but sys-net has no firewall.

>
>
> On 12 July 2017 at 22:52 Franz <169...@gmail.com> wrote:
>
>
>
> On Wed, Jul 12, 2017 at 4:09 PM, Thomas Jefferson 
> wrote:
>
> Hi,
>
> I'm trying to use my ledger nano s and trezor with Qubes. I think the best
> approach, since I need to attach the entire USB controller for this to
> work, would be to use the existing sys-usb. However by default the sys-usb
> is not connected with any NetVM, hence I don't know if this would increase
> my attack vector.
> What's the safest way to use trezor or ledger nano s with Qubes?
>
> Should I use the sys-usb or should attach the USB controller to a
> different AppVM and use my HW wallet there? (The latter option will
> invalidate the use of my mouse, so if any other option is available, I'd
> glad hear it)
>
>
> I had to buy a working expresscard usb controller and then reboot. But if
> you do not have the slot or do not want the extra hassle/battery
> consumption probably the best way is to connect sys-usb to sys-net. At the
> end they are both considered compromised, so which is the risk of
> connecting them? That sys-usb can spread its malware using  sys-net? Unless
> you use usb block devices for strategic/important things, which is not
> advised, then it seems an acceptable risk.
>
> Regarding specifically Trezor and I suppose also Ledger, they are supposed
> to be safe even if the hardware on which they are mounted is compromised.
> So even a compromised sys-usb may be acceptable.
> Best
> Fran
>
> Thanks
>
>


Re: [qubes-users] Re: cognitive issues when default is to use tor

2017-07-12 Thread Oleg Artemiev
On Thu, Jul 6, 2017 at 5:24 AM, cooloutac  wrote:
> On Wednesday, July 5, 2017 at 10:19:32 PM UTC-4, cooloutac wrote:
>> On Tuesday, July 4, 2017 at 1:34:17 PM UTC-4, Oleg Artemiev wrote:
>> > Hi.
>> >
>> > I'm not very glad w/ defaults provided in Qubes OS.
>> > Are there any chances the situation 'll get fixed?
>> >
>> > Details:
>> > I've no real trust to https - this is reputation scheme.
>> > I've no real trust to tor - exit nodes sniff.
>> >
>> > I've installed new instance w/ tor as default.
>> > I've two network VMs w/ different networking defaults.
>> >
>> > I'm switching my work VM to get run w/o tor.
>> > Ooops - my work VM has now no firewall VM attached.
>> > This is bad default - isn't it?
>> >
>> > Why should I go via tor w/ work VM even when sitting in the office?
>> > Tor exit nodes should not know anything about my work.
>> > Also tor makes things run slower.
>> >
>> > Shouldn't we have a trigger transparently applying firewall VM
>> > when network VM has changed?
[]
> also I should add,  they have new feature to update with tor.  but I also 
> wonder how better that is because it seems to me tor is attacked with fake 
> keys more than anything.  And all it takes is for the user to hit y one time.
Qubes team keys for Dom0 updates should be preinstalled  - aren't them?

> I can count dozens upon dozens of times i had to make sure i hit n.  and kept 
> trying till I got a verified key. I've mean i posted so much about it on 
> whonix I pissed the guy off.  not just wrong keys but servers going out.   
> But I can only count 1 or 2 times that happened through my regular connection.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/



Re: [qubes-users] Re: cognitive issues when default is to use tor

2017-07-12 Thread Oleg Artemiev
On Wed, Jul 5, 2017 at 2:35 PM,   wrote:
> My understanding is that you shouldn't be accessing Tor through anything but 
> anon-whonix or a copy of that VM (this might be wrong). I'm not sure what 
> metadata your work applications may leak that will compromise the anonymity 
> of your Tor connection. You should do some reading up on whonix.
>
> But if you don't trust Tor more than https, when are you using it?
Just to test how it works. W/o using I've no experience - do I?

>
> If you want to create a secure connection to your office, I think the best 
> tool to use is VPN.
>
> I'm not sure what kind of trigger you're looking for, but I'm sure that you 
> could write a script that will make it happen.
Yep. Though scripting for everything sooner or later becomes annoying.
Low in time - give up and use it as it goes .


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/



Re: [qubes-users] Re: cognitive issues when default is to use tor

2017-07-12 Thread Oleg Artemiev
On Thu, Jul 6, 2017 at 5:25 AM, cooloutac  wrote:
> On Wednesday, July 5, 2017 at 10:24:32 PM UTC-4, cooloutac wrote:
>> On Wednesday, July 5, 2017 at 10:19:32 PM UTC-4, cooloutac wrote:
>> > On Tuesday, July 4, 2017 at 1:34:17 PM UTC-4, Oleg Artemiev wrote:
>> > > Hi.
>> > >
>> > > I'm not very glad w/ defaults provided in Qubes OS.
>> > > Are there any chances the situation 'll get fixed?
>> > >
>> > > Details:
>> > > I've no real trust to https - this is reputation scheme.
>> > > I've no real trust to tor - exit nodes sniff.
>> > >
>> > > I've installed new instance w/ tor as default.
>> > > I've two network VMs w/ different networking defaults.
>> > >
>> > > I'm switching my work VM to get run w/o tor.
>> > > Ooops - my work VM has now no firewall VM attached.
>> > > This is bad default - isn't it?
>> > >
>> > > Why should I go via tor w/ work VM even when sitting in the office?
>> > > Tor exit nodes should not know anything about my work.
>> > > Also tor makes things run slower.
>> > >
>> > > Shouldn't we have a trigger transparently applying firewall VM
>> > > when network VM has changed?
>> > >
>> > > --
>> > > Bye.Olli.
>> > > gpg --search-keys grey_olli , use key w/ fingerprint below:
>> > > Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
>> > > Blog keys (the blog is mostly in Russian): 
>> > > http://grey-olli.livejournal.com/tag/
>> >
>> > I agree I don't use tor for anything I type a password into.  I use tor 
>> > for random untrusted webpages only.  Sometimes I just use tor to compare a 
>> > key or cert,  a trick I learned from Qubes forums.
>>
>> also I should add,  they have new feature to update with tor.  but I also 
>> wonder how better that is because it seems to me tor is attacked with fake 
>> keys more than anything.  And all it takes is for the user to hit y one time.
>>
>> I can count dozens upon dozens of times i had to make sure i hit n.  and 
>> kept trying till I got a verified key. I've mean i posted so much about it 
>> on whonix I pissed the guy off.  not just wrong keys but servers going out.  
>>  But I can only count 1 or 2 times that happened through my regular 
>> connection.
>
> I don't let my family update dom0 anymore.
haha. Nice )

anyway - all defaults bound on idea of one netvm and one firewall vm.
This is not good for a custom scheme. I miss a network map feature.
Finally when I'm busy I give up and leave defaults. I currently use tor
w/ whonix blindly trusting them made all right. This is damn slow.
This makes my google and yandex search engines (and lots of other
sites) ask me "you're not a robot". Very annoying. No easy GUI fall
back to non-tor defaults. Hrrm. Next time I'll start w/o Tor layer as
default - the setting finally makes me lose my time.


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/



[qubes-users] Paranoid Recovery Error

2017-07-12 Thread horacio
Have tried unsuccessfully to recover a backup file using Paranoid-Mode. I get 
the following message:
ERROR: paranoid-mode: error loading VM from qubes.xml QubesAppVM: invalid 
kernel 4.4.67.12.

I've checked the default kernel from Qubes VM Manager > System--->Global 
Settings and it's 4.4.67.13.
When I restored the backup files by conventional means [i.e. VM Manager] the 
kernel for all Apps is 4.4.67.13

Anyone any idea why paranoid mode fails?



Re: [qubes-users] Working with a BTC hardware wallet on Qubes

2017-07-12 Thread Thomas Jefferson
I also forgot to mention, if ultimately the sys-usb will have internet, then 
what's the difference between the sys-net or sys-usb? Why using two separated 
SysVMs if both can be used as a NetVM?




> On 12 July 2017 at 22:52 Franz <169...@gmail.com> wrote:
> 
> 
> 
> On Wed, Jul 12, 2017 at 4:09 PM, Thomas Jefferson <myd...@mailbox.org> wrote:
> 
> > > 
> > Hi,
> > 
> > I'm trying to use my ledger nano s and trezor with Qubes. I think 
> > the best approach, since I need to attach the entire USB controller for 
> > this to work, would be to use the existing sys-usb. However by default the 
> > sys-usb is not connected with any NetVM, hence I don't know if this would 
> > increase my attack vector.
> > What's the safest way to use trezor or ledger nano s with Qubes?
> > 
> > Should I use the sys-usb or should attach the USB controller to a 
> > different AppVM and use my HW wallet there? (The latter option will 
> > invalidate the use of my mouse, so if any other option is available, I'd 
> > glad hear it)  
> > 
> > 
> > > 
> I had to buy a working expresscard usb controller and then reboot. But if 
> you do not have the slot or do not want the extra hassle/battery consumption 
> probably the best way is to connect sys-usb to sys-net. At the end they are 
> both considered compromised, so which is the risk of connecting them? That 
> sys-usb can spread its malware using  sys-net? Unless you use usb block 
> devices for strategic/important things, which is not advised, then it seems 
> an acceptable risk.
> 
> Regarding specifically Trezor and I suppose also Ledger, they are 
> supposed to be safe even if the hardware on which they are mounted is 
> compromised. So even a compromised sys-usb may be acceptable.
> Best
> Fran
> 
> > > 
> > Thanks
> > 
> >  
> > 


Re: [qubes-users] Working with a BTC hardware wallet on Qubes

2017-07-12 Thread Thomas Jefferson
Thanks for the update.
I was trying to attach a NetVM to sys-usb however it seems that sys-usb is 
already a NetVM in itself, hence I cannot add it to the sys-net.
Do you have any idea how can I have internet on the sys-usb ?


Thank you again


> On 12 July 2017 at 22:52 Franz <169...@gmail.com> wrote:
> 
> 
> 
> On Wed, Jul 12, 2017 at 4:09 PM, Thomas Jefferson <myd...@mailbox.org> wrote:
> 
> > > 
> > Hi,
> > 
> > I'm trying to use my ledger nano s and trezor with Qubes. I think 
> > the best approach, since I need to attach the entire USB controller for 
> > this to work, would be to use the existing sys-usb. However by default the 
> > sys-usb is not connected with any NetVM, hence I don't know if this would 
> > increase my attack vector.
> > What's the safest way to use trezor or ledger nano s with Qubes?
> > 
> > Should I use the sys-usb or should attach the USB controller to a 
> > different AppVM and use my HW wallet there? (The latter option will 
> > invalidate the use of my mouse, so if any other option is available, I'd 
> > glad hear it)  
> > 
> > 
> > > 
> I had to buy a working expresscard usb controller and then reboot. But if 
> you do not have the slot or do not want the extra hassle/battery consumption 
> probably the best way is to connect sys-usb to sys-net. At the end they are 
> both considered compromised, so which is the risk of connecting them? That 
> sys-usb can spread its malware using  sys-net? Unless you use usb block 
> devices for strategic/important things, which is not advised, then it seems 
> an acceptable risk.
> 
> Regarding specifically Trezor and I suppose also Ledger, they are 
> supposed to be safe even if the hardware on which they are mounted is 
> compromised. So even a compromised sys-usb may be acceptable.
> Best
> Fran
> 
> > > 
> > Thanks
> > 


Re: [qubes-users] Working with a BTC hardware wallet on Qubes

2017-07-12 Thread Franz
On Wed, Jul 12, 2017 at 4:09 PM, Thomas Jefferson 
wrote:

> Hi,
>
> I'm trying to use my ledger nano s and trezor with Qubes. I think the best
> approach, since I need to attach the entire USB controller for this to
> work, would be to use the existing sys-usb. However by default the sys-usb
> is not connected with any NetVM, hence I don't know if this would increase
> my attack vector.
> What's the safest way to use trezor or ledger nano s with Qubes?
>
> Should I use the sys-usb or should attach the USB controller to a
> different AppVM and use my HW wallet there? (The latter option will
> invalidate the use of my mouse, so if any other option is available, I'd
> glad hear it)
>
>
I had to buy a working expresscard usb controller and then reboot. But if
you do not have the slot or do not want the extra hassle/battery
consumption probably the best way is to connect sys-usb to sys-net. At the
end they are both considered compromised, so which is the risk of
connecting them? That sys-usb can spread its malware using  sys-net? Unless
you use usb block devices for strategic/important things, which is not
advised, then it seems an acceptable risk.

Regarding specifically Trezor and I suppose also Ledger, they are supposed
to be safe even if the hardware on which they are mounted is compromised.
So even a compromised sys-usb may be acceptable.
Best
Fran

> Thanks
>


Re: [qubes-users] Re: certified laptop delivery to Russia

2017-07-12 Thread Oleg Artemiev
On Sun, Jul 9, 2017 at 6:13 AM, cooloutac  wrote:
> On Saturday, July 8, 2017 at 12:40:31 PM UTC-4, tai...@gmx.com wrote:
>> On 06/26/2017 10:41 AM, cooloutac wrote:
>>
>>
>>
>>   On Saturday, June 24, 2017 at 12:30:48 AM UTC-4, tai...@gmx.com wrote:
>>
>>
>> Ah the smell of disinformation.
I'm sorry. But Qubes is reasonably _SECURE_ for me. I just want all my
QA related stuff be tested and reported on fully compatible certified
hardware. This means no ARM and no AMD. Only Intel. Just because AMD
ignores Qubes OS. Certified laptop is preferable. I've no choice
really. Sorry. I'm glad there's critics around purism. My level of
understanding chip tech is not that deep. :( Finally I'll receive
laptop and ask nearest hardware tech person to review it for covert
things.. Then I'll just install Qubes myself.

>> On 06/23/2017 10:28 AM, cooloutac wrote:
>>
>>
>>
>>   On Thursday, June 22, 2017 at 6:51:27 PM UTC-4, tai...@gmx.com 
>> wrote:
>>
>>
>> On 06/21/2017 10:57 PM, cooloutac wrote:
>>
>>
>>
>>   I agree they are super overpriced  But i'm not sure we can 
>> have 100% libre hardware, at least not for desktops.  I heard the guy Chris 
>> from thinkpenguin talk about on a radio show once,  how there is really only 
>> a couple manufactures that dominate the world.  You would have to make every 
>> single part from scratch.
>>
>> I don't know anything about coreboot or libreboot. Though I know I'd 
>> actually would like to have secure boot,  but I guess I'm crazy.
>>
>>
>>
>> Of course you can, see the TALOS project for libre 
>> hardware/firmware
>> concepts and the KGPE-D16/KCMA-D8 for actual production libre firmware,
>> there are some POWER computers as well.
>>
>> If someone tells you otherwise they don't know what they are talking
>> about, there is nothing stopping a company from making a libre computer
>> even a small company as long as they have the cash, purism could have
>> they just didn't want to.
>>
>> Secure Boot is a marketing term for kernel code signing enforcement and
>> grub already does this, MS "secure" (from you) boot is a way for them to
>> eventually stop people from running linux.
>>
>>
>>   I searched talos project and see stuff about body armor?
>>
>>
>> The TALOS project from raptor engineering was a 100% libre firmware 
>> and
>> hardware PC project that did not meet crowdfunding goals.
>>
>>
>>   The guy from think penguin who sells libre laptops doesn't know 
>> what he is  talking about? I agree he is a little extreme and paranoid,  but 
>> The radio show was focused on wireless devices at the time and the dangers 
>> of the fcc ruling to lock them,  and why purism, nor anybody, truly has a 
>> 100% libre machine.  There is many firmwares integrated and attached to a 
>> mobo, but you are acting as if there is only one.
>>
>>
>> Thinkpenguin and system76 are good honest companies FYI, I would 
>> suggest
>> supporting them if you are interested in a new intel machine for linux.
>> He is not extreme nor paranoid, the fcc thing could mean the end of open
>> source linux drivers and firmware for wifi chips.
>>
>> There is not "many firmwares attached to a mobo" there really is only
>> one most of the time, I know what I am talking about as I am involved in
>> the coreboot project and I own several libre firmware machines.
>> The KGPE-D16 and KCMA-D8 have full functionality with libre firmware and
>> zero blobs, I even play the latest games on mine so that excuse from
>> purism that "oh no one has this" doesn't fly moreso because they haven't
>> even "struck a compromise for the latest hardware" or what not as again
>> their "coreboot" has entirely blobbed hw init making it pointless.
>>
>> The exception to this rule would be a device with for example an
>> integrated storage device, FullMAC (not the SoftMAC AGN atheros types)
>> wireless chip, or a laptop/mobile board with an EC.
>>
>>
>>   I don't know what you mean secure boot is a way to stop linux. It 
>> is supported by all major linux distributions.  Even after that myth is 
>> proven wrong you still perpetuate it?   Even after Richard Stallman himself 
>> says its ok to use secure boot?
>>
>>
>> "supported by all major linux distros"
>> Only by using a red hat supplied signed binary pre-compiled sketchy
>> version of grub.
>> I don't think I should need to ask red hat for permission to run linux
>> do you?
>> A machine that lacks the ability to use even your own bootloader is not
>> really your machine you are simply licensing the use of it.
>>
>> SB 1.0 specs require owner control and method to shut it off and enroll
>> own keys, SB 2.0 doesn't have this requirement so OEM's will eventually
>> not implement it similarly to MS's ARM computers that only allow you to
>> install windows - thus stopping people from using linux so no it isn't a
>> myth.
>>
>>
>>   I don't believe grub2 can take 

Re: [qubes-users] VPN-ProxyVM: "Leakproof VPN" by Rudd-O vs. "more involved" method in Qubes Wiki

2017-07-12 Thread Chris Laprise

On 07/12/2017 06:46 AM, Connor Page wrote:


after testing the 3 existing solutions I think the official command line
solution is the most strict and protected.
I just don't get it why "sleep 2" is outside if statement in
qubes-user-firewall-script. why block all vpn traffic for 2 seconds
every time vms connect to or disconnect from the VPN vm?



The iptables command using --gid-owner won't recognize a system group 
immediately after the group is created, so a delay is necessary 
(otherwise the rule will be refused). Delay is outside the 'if' because 
rc.local and qubes-firewall run asynchronously to each other so it 
seemed appropriate to have it wait for either case. Of course, if this 
workaround fails in any way then traffic becomes blocked - so it's safe.


You could get rid of the delay by adding the qvpn group to your template.

The gid-owner rule is there to satisfy an added requirement to block 
unintended non-VPN traffic coming from the proxyVM itself; it is not the 
main anti-leak feature (for downstream VMs).


BTW, I'm working on an update of the Qubes-VPN-support project (similar 
scripting to the doc) that runs as a systemd service. New version will 
have a simplified installer, which I will be posting in the next day or so:


https://github.com/tasket/Qubes-vpn-support

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4d76de3b-1dc5-586c-76d6-d614e0f041e0%40openmailbox.org.


[qubes-users] Re: Trouble installing Powerpill in Arch template and curious about blacklisted package list for update

2017-07-12 Thread memetic . contagion
edit:
fixed with advice from here:
https://bbs.archlinux.org/viewtopic.php?id=223895

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7f9b714a-6063-4740-8f5b-81653741929f%40googlegroups.com.


[qubes-users] Working with a BTC hardware wallet on Qubes

2017-07-12 Thread Thomas Jefferson
Hi,

I'm trying to use my ledger nano s and trezor with Qubes. I think the best 
approach, since I need to attach the entire USB controller for this to work, 
would be to use the existing sys-usb. However by default the sys-usb is not 
connected with any NetVM, hence I don't know if this would increase my attack 
vector.
What's the safest way to use trezor or ledger nano s with Qubes?

Should I use the sys-usb or should I attach the USB controller to a different 
AppVM and use my HW wallet there? (The latter option will invalidate the use of 
my mouse, so if any other option is available, I'd gladly hear it)

Thanks

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/37511761.234.1499886552897%40office.mailbox.org.


[qubes-users] Re: Trouble installing Powerpill in Arch template and curious about blacklisted package list for update

2017-07-12 Thread memetic . contagion
Edit: after the update finished I got this error:

ca-certificates-utils: /etc/ssl/certs/ca-certificates.crt exists in filesystem
Errors occurred, no packages were upgraded.

so I guess it didn't fix it. back to square 1(.5?)

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cdc607d8-760f-45ef-8499-935972137545%40googlegroups.com.


[qubes-users] Re: Trouble installing Powerpill in Arch template and curious about blacklisted package list for update

2017-07-12 Thread memetic . contagion
On Wednesday, July 12, 2017 at 6:39:34 PM UTC, memetic@gmail.com wrote:
> On Tuesday, July 11, 2017 at 5:29:38 PM UTC, memetic@gmail.com wrote:
> > so I set up my pacman.conf as suggested in the documentation and I also 
> > initialized my keyring but I keep getting the following error:
> > 
> > 
> > error: xyne-x86_64: signature from "Xyne. (key #3) " is 
> > invalid
> > error: database 'xyne-x86_64' is not valid (invalid or corrupted database 
> > (PGP signature))
> > 
> > my clock is synced so that's not the issue, and I tried importing his new 
> > key listed on the aur page of powerpill, yet for some reason the problem 
> > persist. any Ideas
> > 
> > 
> > on an unrelated note does anyone have a list of packages/groups I should 
> > list in my pacman.conf in order to actually update my system again?
> 
> To others who have a similar issue to number 2, I found this post:
> https://groups.google.com/forum/#!msg/qubes-users/5EJxdzgeRLY/rI5d
> 
> which list some of the packages to be ignored. while I'm still getting a few 
> warning messages, it's actually allowing me to upgrade my older arch install

Edit:(there is no edit option)
after the update ran I got this error:

ca-certificates-utils: /etc/ssl/certs/ca-certificates.crt exists in filesystem
Errors occurred, no packages were upgraded.

so, back to square one.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ce050ea8-4cf3-4261-ab21-81ddc47c8407%40googlegroups.com.


[qubes-users] Re: Trouble installing Powerpill in Arch template and curious about blacklisted package list for update

2017-07-12 Thread memetic . contagion
On Tuesday, July 11, 2017 at 5:29:38 PM UTC, memetic@gmail.com wrote:
> so I set up my pacman.conf as suggested in the documentation and I also 
> initialized my keyring but I keep getting the following error:
> 
> 
> error: xyne-x86_64: signature from "Xyne. (key #3) " is 
> invalid
> error: database 'xyne-x86_64' is not valid (invalid or corrupted database 
> (PGP signature))
> 
> my clock is synced so that's not the issue, and I tried importing his new key 
> listed on the aur page of powerpill, yet for some reason the problem persist. 
> any Ideas
> 
> 
> on an unrelated note does anyone have a list of packages/groups I should list 
> in my pacman.conf in order to actually update my system again?

To others who have a similar issue to number 2, I found this post:
https://groups.google.com/forum/#!msg/qubes-users/5EJxdzgeRLY/rI5d

which list some of the packages to be ignored. while I'm still getting a few 
warning messages, it's actually allowing me to upgrade my older arch install

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fce3c8e4-af50-480e-a30d-eef1957f4a9e%40googlegroups.com.


Re: [qubes-users] Re: Using and Mounting a Secondary Internal HD

2017-07-12 Thread 'P R' via qubes-users
Hello,

On 11.07.2017 at 8:30 PM, "Nick Geary" wrote:

What is the best method for extending the LVM within Qubes?

So

1) LUKS partition
2) mkfs.ext3
3) fstab & crypttab


Can't just add the 2nd drive to the LVM as additional physical Volume and
then extend the Logical Volume?

Or just use Symlinks.

- PhR

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAM8xnvLxoC%3DJifmZo%2BNSoD8TC9GhU8rDuNYafeJCH7NrEvmmfA%40mail.gmail.com.


Re: [qubes-users] ACCESS TO QUBES LOCALHOST

2017-07-12 Thread 'P R' via qubes-users
Hello

Written on 12.07.2017 at 7:44 PM:

(...)
One feature that I'm not sure how to acquire with QUBES - is the ability to
view my localhost website from eg an IPAD or ANDROID phone using my home
WIFI.
(...)


So you want to access a webservice which is running in an AppVM/Qube from
the outside of your Qubes OS Machine.

I think the starting point is the Qubes Documentation:

Port forwarding to a qube from the outside world
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world

There are also some example scripts, but it looks like a task that needs
some more steps ;-)

If you have further questions after reading the documentation ask and I'm
sure we can help.

Good luck.

- PhR

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAM8xnv%2BUK3XGC3KZw%2BiCyckZuoU-U%2BzHfo81KyneLLQ2Kw4QLQ%40mail.gmail.com.


[qubes-users] ACCESS TO QUBES LOCALHOST

2017-07-12 Thread higginsonjim2
Relatively new to QUBES - apologies if this is an obvious query.

Am using a STANDALONE VM for "development" work which basically involves 
developing and maintaining a couple of websites.

Everything works fine - I can edit/test on localhost setup - and then load to  
EXTERNAL SERVER when ready.

One feature that I'm not sure how to acquire with QUBES - is the ability to 
view my localhost website from eg an IPAD or ANDROID phone using my home WIFI.

To achieve objective currently, I'm having to copy files to DEBIAN system 
maintained on separate drive. (Using ATTACH BLOCK DEVICE from VM MANAGER)  My 
separate Debian system also has an APACHE localhost server - and WIFI access is 
just straightforward there.

Is QUBES security such that I can't effectively view my QUBES LOCALHOST site 
via WIFI - or is there a technique I am not aware of.
If the latter - grateful if someone can explain the process required.

Thanks
 

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b4d52e0f-5970-4bc3-9444-c8d8a09db63b%40googlegroups.com.


Re: [qubes-users] Completely disabling pulse audio (playback and record) in service VMs that don't need sound

2017-07-12 Thread Noor Christensen
On Wed, Jul 12, 2017 at 06:17:53AM -0700, daltong defourne wrote:
> On Wednesday, July 12, 2017 at 3:04:44 AM UTC+3, Salmiakki wrote:
> > Putting a name in there did not work for me but going to an AppVM and doing 
> > this:
> > mkdir ~/.config/autostart
> > cp /etc/xdg/autostart/pulseaudio.desktop ~/.config/autostart/
> > 
> > and adding X-GNOME-Autostart-enabled=false
> > to that worked!
> 
> Hi!
> Tried that (X-GNOME-Autostart-enabled=false) and pulse still starts
> 
> Does it have to be the only line there (I mostly kept the original
> content)
> 
> I also tried doing those manipulations with qubes-pulseaudio.desktop
> file, to no result 

I don't know what the X-GNOME-Autostart-enabled does, but here's a short
summary on how to use the "ShowIn" XDG fields.

You can provide multiple values for this field. For example, if you only
want the application to run on AppVMs and DisposableVMs:

> [Desktop Entry]
> OnlyShowIn=X-AppVM;X-DisposableVM;

The "ShowIn" field can also be negated. For example, if you want an
application to never run in a TemplateVM but anywhere else:

> [Desktop Entry]
> NotShowIn=X-TemplateVM;

From /etc/qubes/autostart/README.txt:

> This mechanism overrides only content of /etc/xdg/autostart, files
> placed in ~/.config/autostart are unaffected, so can be used to
> override settings per-VM basis.

It is suggested to use ~/.config/autostart if you need to override anything for
a specific VM. In your case, I guess you want something like the following...

# In TemplateVM
# /etc/qubes/autostart/qubes-pulseaudio.desktop.d/30_qubes.conf:

[Desktop Entry]
NotShowIn=X-QUBES;

On each AppVM you want to enable this application for, create:

# ~/.config/autostart/qubes-pulseaudio.desktop.d/30_qubes.conf

[Desktop Entry]
OnlyShowIn=X-AppVM;
NotShowIn=

Possibly you can skip "OnlyShowIn" and just clear the "NotShowIn" value.

I have found the following Qubes-specific identifiers so far, partly from an
earlier qubes-users thread[0]:

X-QUBES             Seems to match any type of Qubes VM

X-AppVM             Any VM except TemplateVM, ProxyVM, NetVM
X-NetVM
X-ProxyVM
X-TemplateVM
X-DisposableVM
X-UpdateableVM      TemplateVM or StandaloneVM
X-NonUpdateableVM   Any VM except UpdateableVM

Also, here are some non-Qubes identifiers I've seen elsewhere:

GNOME
KDE
MATE
Unity
Cinnamon

I am not aware of any way to specify a VM name in this context. Maybe because
/etc/xdg/autostart is only relevant for a TemplateVM. And when you get to your
custom files in ~/.config/autostart you are already in a specific VM so no need
to specify it there.

If you really want to do it on the TemplateVM and no config on AppVM, I guess
you could put something in /rw/config/rc.local that only runs if $HOST variable
matches your VM name.

[0]  https://groups.google.com/forum/#!topic/qubes-users/smztkltkwOg

-- noor

|_|O|_|
|_|_|O|  Noor Christensen  
|O|O|O|  n...@fripost.org ~ 0x401DA1E0

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170712143408.zcy4mqte7g3bcvpi%40mail.
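
How the OnlyShowIn/NotShowIn drop-ins quoted in this thread select VM types, as an added example that is not part of the original messages and is not Qubes' own code. The identifier sets per VM type follow the table in the post above; the sample desktop entry, the function names, and the rule that later drop-ins override earlier keys are assumptions made for illustration.

```python
import configparser

# Constructed sample autostart entry; not the real Qubes file.
BASE_ENTRY = "[Desktop Entry]\nType=Application\nName=sample-audio\nExec=/bin/true\n"

# Drop-in contents as quoted in the thread.
ONLY_APPVM = "[Desktop Entry]\nOnlyShowIn=X-AppVM;\n"
NOT_IN_QUBES = "[Desktop Entry]\nNotShowIn=X-QUBES;\n"
REENABLE = "[Desktop Entry]\nOnlyShowIn=X-AppVM;\nNotShowIn=\n"

VM_TYPES = ("AppVM", "NetVM", "ProxyVM", "TemplateVM", "DisposableVM",
            "StandaloneVM")
# Types that have their own X-<type> identifier in the post's table.
TABLE_TYPES = ("AppVM", "NetVM", "ProxyVM", "TemplateVM", "DisposableVM")


def environments_for(vm_type):
    """Identifiers assumed to apply to a VM type, per the post's table."""
    envs = {"X-QUBES"}                      # "any type of Qubes VM"
    if vm_type in TABLE_TYPES:
        envs.add("X-" + vm_type)
    if vm_type not in ("TemplateVM", "ProxyVM", "NetVM"):
        envs.add("X-AppVM")                 # "any VM except ..."
    updateable = vm_type in ("TemplateVM", "StandaloneVM")
    envs.add("X-UpdateableVM" if updateable else "X-NonUpdateableVM")
    return envs


def load_entry(base_text, dropin_texts=()):
    """Parse the base entry, then let each drop-in override keys in order."""
    # interpolation=None: real Exec lines contain field codes such as %U.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str                # desktop-entry keys are case-sensitive
    for text in (base_text, *dropin_texts):
        parser.read_string(text)
    return dict(parser["Desktop Entry"])


def _items(value):
    """Split a semicolon-separated list, dropping empty items."""
    return {item.strip() for item in value.split(";") if item.strip()}


def should_start(entry, envs):
    """Apply both keys; an empty or missing key restricts nothing."""
    only = _items(entry.get("OnlyShowIn", ""))
    never = _items(entry.get("NotShowIn", ""))
    if only and not (only & envs):
        return False
    return not (never & envs)


def vm_types_that_start(dropin_texts):
    """VM types in which the sample entry would autostart."""
    return sorted(
        vm_type for vm_type in VM_TYPES
        if should_start(load_entry(BASE_ENTRY, dropin_texts),
                        environments_for(vm_type))
    )


if __name__ == "__main__":
    for label, dropins in (
        ("no drop-in", []),
        ("OnlyShowIn=X-AppVM;", [ONLY_APPVM]),
        ("NotShowIn=X-QUBES;", [NOT_IN_QUBES]),
        ("NotShowIn=X-QUBES; then re-enabled", [NOT_IN_QUBES, REENABLE]),
    ):
        print(f"{label:40} -> {vm_types_that_start(dropins)}")
```

Under the table's wording, `OnlyShowIn=X-AppVM;` still leaves the service running in DisposableVMs and StandaloneVMs, so a per-VM override is needed to switch it off there. Whether Qubes reads drop-in directories under `~/.config/autostart` is not established in this thread; the example only models how the keys combine.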


[qubes-users] Re: Trouble installing Powerpill in Arch template and curious about blacklisted package list for update

2017-07-12 Thread memetic . contagion
On Tuesday, July 11, 2017 at 5:29:38 PM UTC, memetic@gmail.com wrote:
> so I set up my pacman.conf as suggested in the documentation and I also 
> initialized my keyring but I keep getting the following error:
> 
> 
> error: xyne-x86_64: signature from "Xyne. (key #3) " is 
> invalid
> error: database 'xyne-x86_64' is not valid (invalid or corrupted database 
> (PGP signature))
> 
> my clock is synced so that's not the issue, and I tried importing his new key 
> listed on the aur page of powerpill, yet for some reason the problem persist. 
> any Ideas
> 
> 
> on an unrelated note does anyone have a list of packages/groups I should list 
> in my pacman.conf in order to actually update my system again?

So I tried to do it with a relatively fresh arch install (the above error was 
from a template I installed over 6 months ago, whereas this one is only a few 
weeks old), and I got the same error after changing my pacman.conf and updating 
via ```sudo pacman -Syyu```. still the same error. Has anyone else had a 
similar issue? how did you fix it? 

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/eb603084-1165-4411-b9f3-0614651cd3fb%40googlegroups.com.


Re: [qubes-users] Completely disabling pulse audio (playback and record) in service VMs that don't need sound

2017-07-12 Thread daltong defourne
Hi!
Tried that (X-GNOME-Autostart-enabled=false) and pulse still starts


Does it have to be the only line there (I mostly kept the original content)

I also tried doing those manipulations with qubes-pulseaudio.desktop file, to 
no result 


On Wednesday, July 12, 2017 at 3:04:44 AM UTC+3, Salmiakki wrote:
> I liked this idea, so I wanted to try.
> 
> This seems to work:
> 
> in /etc/qubes/autostart/qubes-pulseaudio.desktop.d/30_qubes.conf 
> put this:
> 
> [Desktop Entry]
> OnlyShowIn=X-AppVM;
> 
> Now only AppVMs have audio.
> Putting a name in there did not work for me but going to an AppVM and doing 
> this:
> mkdir ~/.config/autostart
> cp /etc/xdg/autostart/pulseaudio.desktop ~/.config/autostart/
> 
> and adding X-GNOME-Autostart-enabled=false
> to that worked!

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ce1b0357-30ad-4322-aad7-c4c8f3fb2476%40googlegroups.com.


Re: [qubes-users] VPN-ProxyVM: "Leakproof VPN" by Rudd-O vs. "more involved" method in Qubes Wiki

2017-07-12 Thread Connor Page
On Thursday, February 2, 2017, Chris Laprise  wrote:

> On 02/01/2017 07:36 PM, Connor Page wrote:
>
>> actually I think that reliance on mangle can be avoided since routing
>> table selection can be done by source address rather than firewall marks.
>> marks are good to differentiate different types of traffic but in our case
>> all traffic should be treated the same.
>> there is difference in how traffic from the vpn vm is routed. this leads
>> to two different attack vectors by a potentially compromised server. for
>> the official solution routing tables can be manipulated, for Rudd-O's tool
>> problems may arise from martian packets. some thought need to be given to
>> proper firewalling.
>>
>
> That's why I have iptables block according to the *interface*, which
> bypasses issues caused by odd routing. Anti-leak measures are best
> performed by watching below the IP layer.
>
> Chris
>

after testing the 3 existing solutions I think the official command line
solution is the most strict and protected.
I just don't get it why "sleep 2" is outside if statement in
qubes-user-firewall-script. why block all vpn traffic for 2 seconds every
time vms connect to or disconnect from the VPN vm?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ39Boo7r7yu%3DPo51SzmBJCokGH1A75Pa1gx-%2BksC%3DPBP9_J1g%40mail.gmail.com.


Re: [qubes-users] Re: How do I upgrade to Fedora 26?

2017-07-12 Thread Noor Christensen
On Wed, Jul 12, 2017 at 09:48:18AM +0200, Alex wrote:
> On 07/11/2017 05:15 PM, Salmiakki wrote:
> > So what is required to get a new template? If I understand correctly
> > third parties create templates for other distros as well, right?
> > 
> Yes, and you can also upgrade an existing template, and that's what I
> usually do (because I tend to customize my templates, preferring the
> wonders of multiple usable VM to anonymity).
> 
> The problem is that there are no yum sources for qubes-related things
> for fedora 26, as Foppe said, so the upgrade will likely fail and, in
> case you manage to complete the upgrade, you will be left with a
> non-updatable set of qubes software for a while.

There are fedora-25 templates in the templates-itl repo for 4.0, but not
yet for 3.2 what I can see...

-- noor

|_|O|_|
|_|_|O|  Noor Christensen  
|O|O|O|  n...@fripost.org ~ 0x401DA1E0

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170712103919.rompahcmeym4pk44%40mail.


Re: [qubes-users] Re: How do I upgrade to Fedora 26?

2017-07-12 Thread Alex
On 07/11/2017 05:15 PM, Salmiakki wrote:
> So what is required to get a new template? If I understand correctly
> third parties create templates for other distros as well, right?
> 
Yes, and you can also upgrade an existing template, and that's what I
usually do (because I tend to customize my templates, preferring the
wonders of multiple usable VM to anonymity).

The problem is that there are no yum sources for qubes-related things
for fedora 26, as Foppe said, so the upgrade will likely fail and, in
case you manage to complete the upgrade, you will be left with a
non-updatable set of qubes software for a while.

-- 
Alex

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e9659e02-911a-d928-0d38-dbe0ff60acb4%40gmx.com.