[qubes-users] Re: Cannot Attach ISO to Windows 7 VM
Apparently I have the same problem downloading Ubuntu, so this is a problem with my Qubes. Should I reinstall it? Does Qubes usually have this problem with HVMs? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f165acfa-c4ff-4162-8741-79bf370b3371%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Ubuntu Template
On Sun, Nov 12, 2017 at 04:51:20PM +0100, rysiek wrote:
> Hey,
>
> On Saturday, October 14, 2017 11:30:16 PM CET, Unman wrote:
> > Ubuntu template build hasn't yet been updated to 4.0
>
> is there any movement on this? Is there any way I can jump into this and
> help?
> Any docs I should read to get me started along the way of fixing Ubuntu
> templates for R4.0?
>
> --
> Regards,
> Michał "rysiek" Woźniak

Hi

I've just put in a couple of PRs to allow building for Xenial in 4.0.
If anyone wants to try Xenial in 4.0 there's a ready-built template at qubes.3isec.org/Templates

unman
Re: [qubes-users] Any AMD based laptop that works with Qubes 4 and doesn't have PSP?
On 11/13/2017 02:56 PM, qubestheb...@tutanota.com wrote:
> Thanks a lot for the suggestion, based on some forum posts on their support it seems that AMD-V is supported with the proprietary BIOS[1] but I could find nothing about AMD-Vi, and this HCL report didn't test for AMD-Vi support with the proprietary BIOS[2].

If you look on the coreboot wiki there is a dmesg log that confirms support for both with coreboot.
Re: [qubes-users] Any AMD based laptop that works with Qubes 4 and doesn't have PSP?
On 11/13/2017 05:58 AM, Yuraeitha wrote:
> On Monday, November 13, 2017 at 12:10:33 AM UTC, tai...@gmx.com wrote:
> > On 11/12/2017 01:42 PM, qubestheb...@tutanota.com wrote:
> > > Hello Qubes users
> > >
> > > Does anyone have an AMD based laptop that doesn't have PSP (i.e. anything pre-2013), and if so, does it work with Qubes 4? Mainly asking for hardware recommendation and so that I can choose a stock model that does come with a working AMD-V with RVI and AMD-Vi (aka AMD IOMMU).
> > >
> > > Thanks infinitely for any help!
> >
> > Boom.
> > Lenovo G505S.
> > https://www.coreboot.org/Board:lenovo/g505s
> >
> > Owner controlled.
> > The blobs for video and power management are removable as there isn't any hardware code signing enforcement.
>
> Some thoughts:
> - A10-5750M is 2013 Q2, the request is pre-2013. For this chip, does it have the privacy invasive blob? or is it without?

It doesn't have PSP.

> - The A10-5750M isn't all that fast, but it isn't super slow either for normal requiring needs, like browsing, streaming, writing, in Qubes.

I use a CPU which is much slower than that and I don't have an issue.

> - 6GB RAM is harsh for Qubes, while it may work with few VM's up, it can be a hassle. Need to ensure that the machine can upgrade its RAM, but it should also be considered an extra expense before buying. Never mind checking whether it can be upgraded or not to begin with. Is the RAM easily accessible? Does the current RAM have to be removed or does it have an extra free slot? etc.

Of course you can easily upgrade the RAM.

> - I would also consider a HDD to be less optimal for Qubes. I haven't run Qubes on non SSD's, so I can't be entirely sure, but it strikes me as more different than between Linux/Windows running on HDD vs. SSD, due to all the loading and copying during Qubes runtime. While HDD seems entirely practical and feasible, it does also seem like it might cause some bottlenecks, which may not be desired. There is also a question of how big these bottlenecks actually are. Anyone have experience with Qubes on HDD's vs. SSD's here? If wanting an SSD, it'll be an extra expense in addition to the RAM, unless you have an unused SSD laying around already.

You gotta have an SSD, but used laptops don't come with drives so you would be buying one anyway.

> - Is the firmware blob really removable and truly user controlled? You hear a lot of claims like these, but I haven't actually seen anyone completely succeed yet on any decent laptops.

Yeah this is the real thing-- it isn't like purism's faux free firmware where 100% of the init process is done via binary blobs. The only blobs are for video and power management, so this is the best option there is - in comparison the Lenovo X230 with coreboot will have an open source init for those but you'll be stuck with a nerfed ME - in my expert opinion the G505S is the better choice. Trust me, I have 4 computers that run coreboot and I am a regular on the mailinglist.

> - Lenovo is known to be a customer- and privacy offender, as well as a proven liar in these regards, caught with their hands in the candy jar, multiple of times again and again at that. What reasons are there for this Lenovo laptop to be exploitable to the point, that it makes up for the bad and distrust rep of Lenovo? Can everything Lenovo can do to the laptop, really be undone?

Lenovo's shenanigans were BIOS based, if you install coreboot you replace their BIOS.

> - Have other people run Qubes 4 RC-2 on the Lenovo G505S? On paper it looks good enough, but has anyone tested this?

It'll work, trust me.
[qubes-users] USB exposed to M.2 SSD drives?
Browsing the Wikipedia page for the M.2 SSD Form Factor (https://en.wikipedia.org/wiki/M.2), I noticed that multiple buses are exposed through the M.2 connector, including USB. My question is, does this represent an isolation problem for Qubes? I.e. could a malicious USB device bypass the isolation provided by VT-d, in order to gain direct communication with an SSD controller for a firmware compromise of the SSD?.. Perhaps this issue is mitigated in some way, would be great to hear people's thoughts on the matter, as many new devices (including the Purism offerings) are shipping with these ports.
[qubes-users] Windows 10 on Qubes (freeRDP)
Hi! Thanks so much for writing this down. On step 2, these instructions to establish inter VM networking [1] seem to be aimed at linux vms. It says we should use iptables and edit the rc.local file on both vms. Any tip on how we could do that on the windows 10 qube?

[1] https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
[qubes-users] Re: HCL - ASUS PRIME B350M-A + AMD Ryzen 7 1700X
After reading the release notes of Qubes 4.0-rc2 I noticed that the USB VM was missing. This turned out to be due to a known bug that occurs when a USB mouse is present while configuring Qubes. In that case the option to create a USB VM is not shown. So I did a clean reinstall and configuration without a mouse present. Now there is a USB VM. However, there is a problem. The USB VM very often does not start with the error message:

Start failed: internal error: Unable to reset PCI device :03:00.0: internal error: Active :03:00.1 devices on bus with :03:00.0, dot doing bus reset.

This problem is probably worth a separate topic.
[qubes-users] HCL - HP G62 (submodel 318CA)
Qubes 3.2 works far better than I ever expected it to on this machine. Wireless networking and the USB Qube work fine right out the box. Only seems to chug when starting up. Sometimes runs out of memory with more than 2 appVMs open.

Issues and potential issues:
- If you want to run Qubes (<4.0) on this get a fast 7mm SATA SSD, I went with the Samsung 850 Evo. This laptop is painful for running even a single Linux distro on bare metal without one.
- Make sure you enable virtualisation technology in the BIOS before installing.
- S4 Sleep/Hibernate does not seem to work at all. All the options for it just blank the screen and put xScreenSaver up (doesn't even turn off backlight). Not sure if this is Qubes in general or just on this setup.
- Screen backlight doesn't seem to want to turn off while the rest of the system is running. No matter what settings I fiddle with.
- This laptop comes with a tiny amount of ram so changing the sys-* qubes to minimal templates <https://www.qubes-os.org/doc/templates/fedora-minimal/> and lowering their starting ram is probably valuable. Maybe make your own based on something really light like Alpine Linux <https://www.alpinelinux.org/> or a unikernel <http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/>. (play with the resource settings in general)

Qubes-HCL-Hewlett_Packard-HP_G62_Notebook_PC-20171113-075518.yml Description: application/yaml
Re: [qubes-users] Any AMD based laptop that works with Qubes 4 and doesn't have PSP?
First of all, thanks a lot Yuraeitha and tai...@gmx.com, your help is truly appreciated.

@Yuraeitha
Concerning support for the required features for Qubes 4.x, AMD - unlike Intel - doesn't segment their market by removing certain features, and AMD-V and AMD-Vi are fortunately present and supported in most of their CPUs. The problem however is whether the motherboard/bios/... support those features. And that's why I'm asking to see whether an owner of an AMD based laptop (with no PSP) got Qubes 4.0-rc2 working as intended.

Now, concerning performance: I only do some web dev work so there's nothing fancy about my performance needs. Also I do plan to upgrade the RAM to 16Go as well as buy an SSD.

> For this chip, does it have the privacy invasive blob? or is it without?

It doesn't have AMD's PSP, I used "pre-2013" to mean before or at 2013 :)

@tai...@gmx.com
Thanks a lot for the suggestion, based on some forum posts on their support it seems that AMD-V is supported with the proprietary BIOS[1] but I could find nothing about AMD-Vi, and this HCL report didn't test for AMD-Vi support with the proprietary BIOS[2].

[1] : https://forums.lenovo.com/t5/Lenovo-B-and-G-Series-Notebooks/enable-amd-v-support-for-G505S/td-p/1496428
[2] : https://groups.google.com/d/msg/qubes-users/5dwZt4xANpA/0a8VkMQlaQYJ
Re: [qubes-users] Qubes & Quantum decryption Immunity
Hello,

I'll react to multiple questions and statements from multiple people.

> A figure I heard was that qc can cut search time for symmetric key merely in
> half, whereas it can cut time for asymmetric key by orders of magnitude.

No. For symmetric key, it does not halve the time. It works like halving key length. It is asymptotic improvement. With classical computer adding one bit doubles time for brute-force. With QC, adding *two* bits doubles time for probabilistic brute-force. See Grover's algorithm as I mentioned above.

For asymmetric cryptography, “orders of magnitude” can be true, but it does not express that it is asymptotic improvement – you can resolve some problems in *polynomial* time. But there are some ciphers that are believed to be quantum-resistant, meaning that there is no such known attack.

> in Qubes, the signature confirmation happens in dom0 or in the sys-net?

Dom0 updates are verified in dom0, template updates are verified in templates. But that's not important if your adversary can factorize release signing key.

> Doubling up the key length seems like an interesting prospect, but has the
> potential risk to fail in the future by quantum computing

Why? Doubling key size is an asymptotic countermeasure. Moreover, for bruteforce (but not necessarily for other types of attack), Grover's algorithm has been proven to be optimal, i.e., you can't go asymptotically better. Unless a QC can perform many many many more operations in the same time and at the same cost, it should suffice.

Unless there is some extra breakthrough. Remember, virtually no cryptographic scheme has been proven to be secure (except some like and Vernam cipher – but those have limited applicability), so, someone might theoretically break AES tomorrow. We just rely on the fact that many people have failed with this, so this is unlikely. But this is a theoretical issue even without QC.

> I've wondered for a good while if splitting up a symmetric encrypted file in
> multiple of parts, say for example minimum two parts, and send one over the
> internet, and carry the other on yourself in person, that if only one part is
> stolen (for example someone steals your laptop with sensitive competitive
> business trade secrets), then it's still uncrackable?

Usually no, unless you use a scheme specially designed for that. You might be interested in secret sharing, which is even more powerful concept.

> Wait, hold on, your last line, regarding that "some" asymmetric encryption is
> believed to be secure against future quantum computing? Is it possible to
> elaborate on that?

For example, see https://en.m.wikipedia.org/wiki/NTRU .

> Also if this turns out to indeed be quantum crack proof, would it be
> feasible to use these for what we currently use symmetric encryption for?

You could, but I see no reason for that. QC makes bruteforce considerably easier, but it is still considerably hard. With a proper key size, symmetric crypto will be still faster and have probably smaller keys for comparable security level.

For asymmetric ciphers, bruteforce is usually not much considered, because there are usually better attacks. But Grover's algorithm should be applicable even for asymmetric ciphers. It however does not make much sense (at least not without modifications), because they have much larger keys.

> Also, correct me if I'm wrong, but aren't there here two exponential effects,
> one on top of the other? Which may be overlooked by us too. I mean, imagine
> the scalability of doubling the Qubits every day, it's not linear, it's
> exponential. But the Qubits themselves are exponential too.

AFAIU, this is a common misconception. Well, you need exponentially growing space for emulating QC on classic computer. But you don't get exponentially faster computer. You get a computer with more memory. Such computer can process larger tasks, e.g., factorize larger numbers. But once you have enough memory, adding more qubits makes AFAIU no improvement.

Regards,
Vít Šesták 'v6ak'
Re: [qubes-users] View traffic going from/to an appvm? or going through the sys-firewall?
On 11/11/2017 08:44 AM, Stumpy wrote:
> I posted earlier about trying to limit traffic on some appvms and got some helpful feedback about specific services but I am now thinking it would be most useful to just see traffic leaving an appvm and then adding rules based on that. problem is, I don't know how to view appvm network traffic. Is there a command I could use or a log that I could look over to help me with this? I would like to do this in both my fedora and deb based vms.

I have a hack you might be interested in. It does not show you the traffic but it will show you what is denied by the firewall, via capturing the ICMP denied messages.

For some special VM's (email, boinc, untrusted, etc) where I want to lock it down to just the essential services, I run this in a mode where it echoes the appropriate "qvm-firewall -add /16" to the console, where I will pick and choose to cut and paste the commands I want to run into another dom0 terminal window. Once pasted you can edit the command to refine how you want it to permit hosts or netblocks. The default is /16 since the firewall is limited in how many entries it will allow. Yes, it's a hack, and it would not be safe to allow everything it presents, but it works well enough for me.

> qvm-fwdenied -A -C 10

It is run from dom0 where it launches a tcpdump in the VM you are interested in, and will capture -C packets and then return. It collects N packets and returns to process them, so it can miss packets when it is not in tcpdump mode. If an ICMP denied event occurs it will compose the qvm-firewall command to permit that host, but it will not run it for you. You need to decide what is permitted.

I generally run it to investigate why an application is not working correctly in an intentionally locked down VM, as this is generally faster than launching wireshark and collecting/filtering the traffic flow. If what you really want is to just see the traffic flow then open wireshark in the same way and let it run. If your goal is to simply manage what the VM connects to then you might be able to hack my script to get what you want.

    #!/usr/bin/python2
    # -*- encoding: utf8 -*-
    from qubes.qubes import QubesVmCollection
    from qubes.qubes import QubesHost
    from qubes.qubes import QubesException
    from optparse import OptionParser
    import subprocess
    import sys
    import os
    import re
    import glob
    import logging
    import logging.handlers
    from datetime import datetime
    import time
    import traceback

    LOG_FILENAME = '/var/tmp/qvm-fwdenied.log'

    def main():
        usage = "usage: %prog [-A] [-C n] "
        parser = OptionParser (usage)
        # Defaults are plain values: a list such as [False] is always truthy,
        # and [200] would end up in the tcpdump command line as "[200]".
        parser.add_option ("-A", "--allowlist",
                           action="store_true", dest="generate_allow_list", default=False,
                           help="generate allow list for firewall")
        parser.add_option ("-R", "--repeat",
                           action="store_true", dest="repeat_mode", default=False,
                           help="repeat continuously until ^C")
        parser.add_option ("-C", "--count",
                           type="int", dest="packet_count", default=200,
                           help="return after N packets received")
        (options, args) = parser.parse_args ()
        #print args
        if len(args) != 1 :
            print 'vm name not provided'
            sys.exit(0)
        #print args
        vm = args[0]

        # Log each run to a small rotating file in dom0.
        my_logger = logging.getLogger('MyLogger')
        my_logger.setLevel(logging.INFO)
        handler = logging.handlers.RotatingFileHandler(LOG_FILENAME,maxBytes=20,backupCount=5)
        my_logger.addHandler(handler)
        my_logger.info('')
        nowstring = str(datetime.now())
        my_logger.info('qvm-fwdenied started:' + nowstring)

        # Run tcpdump as root inside the target VM and read its output in dom0.
        packets = options.packet_count
        cmd = 'qvm-run -a --pass-io -u root ' + vm + ' "tcpdump -f -c ' + str(packets) + '"'
        my_logger.info(cmd)
        if options.repeat_mode :
            my_logger.info('repeat mode on')
            print 'repeat mode enabled'
        looping = True
        try:
            while looping:
                process = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
                out, err = process.communicate()
                errcode = process.returncode
                hosts = set()
                dom0_updated = False
                needs_restart = False
                for line in out.split('\n'):
[qubes-users] Re: Does VT-d protect against this?
On Friday, November 10, 2017 at 6:45:07 PM UTC-5, David Schissler wrote:
> Researchers find almost EVERY computer with an Intel Skylake and above CPU
> can be owned via USB
> https://thenextweb.com/security/2017/11/09/researchers-find-almost-every-computer-intel-skylake-cpu-can-owned-via-usb/?amp=1

Maybe if plugged in with o/s running. Not if plugged in before. It does not even need an os to be running.
[qubes-users] Re: Does VT-d protect against this?
On Friday, November 10, 2017 at 6:45:07 PM UTC-5, David Schissler wrote:
> Researchers find almost EVERY computer with an Intel Skylake and above CPU
> can be owned via USB
> https://thenextweb.com/security/2017/11/09/researchers-find-almost-every-computer-intel-skylake-cpu-can-owned-via-usb/?amp=1

make sure you install latest bios.
Re: [qubes-users] Is there a way to use secure boot with qubes?
On Wednesday, November 8, 2017 at 11:06:28 PM UTC-5, tai...@gmx.com wrote:
> On 11/08/2017 03:52 PM, Guerlan wrote:
>
> > My computer complains about bad signature when I try to install qubes. Is
> > there a way to install it without disabling secure boot? Does qubes support
> > secure boot? Is there a way to install qubes keys on the BIOS? Why did it
> > reject the keys?
> >
> If you can't turn off "secure" boot then return your computer and buy
> one for real (as of now it is simply a lease if you can't install
> whatever OS and bootloader you want).
> Owner controllability is very important, I suggest a lenovo g505s with
> coreboot (this laptop has open source init unlike many others and it has
> no ME/PSP or hardware code signing enforcement)

I just always go back to Hacking Team's bios exploits which were prevented if secure boot is on.
[qubes-users] Re: Is there a way to use secure boot with qubes?
On Thursday, November 9, 2017 at 6:27:01 AM UTC-5, blacklight wrote:
> On Wednesday, 8 November 2017 20:52:14 UTC, Guerlan wrote:
> > My computer complains about bad signature when I try to install qubes. Is
> > there a way to install it without disabling secure boot? Does qubes support
> > secure boot? Is there a way to install qubes keys on the BIOS? Why did it
> > reject the keys?
>
> the question is more that if secureboot supports qubes, rather than the
> other way around. to be supported by secureboot, one would need to buy a very
> expensive license from microsoft, something qubes is not able afford atm.

It only costs 100 dollars. But you don't even have to use microsoft key, you can create your own.
[qubes-users] Apparmor profiles whonix-ws
Hi. Is there anybody out there with some working Apparmor profiles for Thunderbird 52.4.0/Torbirdy/Enigmail/Split-GPG via Whonix? Thanks, cheers!
Re: [qubes-users] Any AMD based laptop that works with Qubes 4 and doesn't have PSP?
On Monday, November 13, 2017 at 12:10:33 AM UTC, tai...@gmx.com wrote:
> On 11/12/2017 01:42 PM, qubestheb...@tutanota.com wrote:
>
> > Hello Qubes users
> >
> > Does anyone have an AMD based laptop that doesn't have PSP (i.e. anything
> > pre-2013), and if so, does it work with Qubes 4? Mainly asking for hardware
> > recommendation and so that I can choose a stock model that does come with a
> > working AMD-V with RVI and AMD-Vi (aka AMD IOMMU).
> >
> > Thanks infinitely for any help!
> >
> Boom.
> Lenovo G505S.
> https://www.coreboot.org/Board:lenovo/g505s
>
> Owner controlled.
> The blobs for video and power management are removable as there isn't
> any hardware code signing enforcement.

It's possible the Lenovo G505S may be a good suggestion, though there are some things to consider or reflect over. The OP both seems to know what he's looking for, but at the same time not entirely either, due to asking this question. It's really hard to know how much he knows from 3 lines of short information, and we should probably throw in more information, as to not risk having him buy something purely on recommendation alone.

It'd be cool with more information though, as to what your needs are qubest...@tutanota.com, or what you know already.

Some thoughts:

- A10-5750M is 2013 Q2, the request is pre-2013. For this chip, does it have the privacy invasive blob? or is it without?

- The A10-5750M isn't all that fast, but it isn't super slow either for normal requiring needs, like browsing, streaming, writing, in Qubes. https://www.cpubenchmark.net/cpu.php?cpu=AMD+A10-5750M+APU It depends on the user's need, for example I got a Qubes laptop using https://www.cpubenchmark.net/cpu.php?cpu=Intel+Core+M-5Y10c+%40+0.80GHz which is perfectly fine for many casual things. But its CPU is a bit laggy/sloppy for example when running Windows AppVM. The recommendation is slightly more powerful in its benchmark. If having similar needs, then the performance is fine, if more needs, then not so much. We need more information here before any recommendation. It may be plenty for normal Linux Qubes with some browsing and having a good basic amount of VM's running idle and sometimes spin up a bit to handle a task or two. But it can easily be horrible for running Windows AppVM which is more performance hungry.

- 6GB RAM is harsh for Qubes, while it may work with few VM's up, it can be a hassle. Need to ensure that the machine can upgrade its RAM, but it should also be considered an extra expense before buying. Never mind checking whether it can be upgraded or not to begin with. Is the RAM easily accessible? Does the current RAM have to be removed or does it have an extra free slot? etc.

- I would also consider a HDD to be less optimal for Qubes. I haven't run Qubes on non SSD's, so I can't be entirely sure, but it strikes me as more different than between Linux/Windows running on HDD vs. SSD, due to all the loading and copying during Qubes runtime. While HDD seems entirely practical and feasible, it does also seem like it might cause some bottlenecks, which may not be desired. There is also a question of how big these bottlenecks actually are. Anyone have experience with Qubes on HDD's vs. SSD's here? If wanting an SSD, it'll be an extra expense in addition to the RAM, unless you have an unused SSD laying around already.

- Is the firmware blob really removable and truly user controlled? You hear a lot of claims like these, but I haven't actually seen anyone completely succeed yet on any decent laptops.

- Lenovo is known to be a customer- and privacy offender, as well as a proven liar in these regards, caught with their hands in the candy jar, multiple of times again and again at that. What reasons are there for this Lenovo laptop to be exploitable to the point, that it makes up for the bad and distrust rep of Lenovo? Can everything Lenovo can do to the laptop, really be undone?

- It's nice that a lot of threats can be reduced, like the UEFI --> Coreboot, and some of the firmware can be removed, but are these threats truly removed? I'm primarily thinking about the dangerous "feeling safe, thereby being less secure, since not on guard anymore, thereby caught off-guard". Is everything truly removed? Granted firmware like from the drives and such are still there, but I'm specifically thinking about whether the claims being made by these people are truly reliable or not.

- Have other people run Qubes 4 RC-2 on the Lenovo G505S? On paper it looks good enough, but has anyone tested this?

- Other things to reflect over? Suggestions?
Re: [qubes-users] Anything like Split GPG for Keepass?
On Monday, November 13, 2017 at 2:05:02 AM UTC, Patrick Schleizer wrote:
> Eric Shelton:
> > I am curious how people are making effective use of Keepass in a vault
> > domain. It seems like with a browser plugin, you might be able to take a
> > Split GPG type of approach, and avoid all of the cutting and pasting across
> > domains. Any comments or suggestions?
> >
> > - Eric
>
> An inter-VM password manager for Qubes OS based on pass (
> https://www.passwordstore.org/ )
>
> https://github.com/Rudd-O/qubes-pass
>
> https://groups.google.com/forum/#!topic/qubes-users/amry7Shb94o
>
> (Adding this here since search for "Keepass" "Qubes" leads to this old
> thread which claims there is no solution at all.)

Doesn't this automation increase possible surface attacks on the keys themselves though? Even if using existing Qubes tools, not re-inventing the wheel, and keeping Qubes itself safe as it was before using the tool, but the automated policy can still be tricked into giving over the password though?

If true, then manual copy/paste between Qubes is supposedly more safe? Because the initiation is started from the isolated dom0 ps/2 keyboard (or USB qubed keyboard), and not initiated from within the internet exposed Qube itself.

I imagine this might be good for less important passwords, daily ones that can be annoying to type in, but also aren't too important. But regarding important passwords, perhaps use the manual method instead?

Having to use manual password copy/paste is a bit slow, takes up at the very least several seconds, if not half a minute, to open it up and navigate to find your password, and then copy/paste it over. So it becomes a question between speed/convenience/insecure vs. slow/inconvenience/secure?

Maybe we can make a hybrid here? Like for example have a hardware key, requiring you to press it before it accepts the automated process. Or even just a popup from the isolated offline password-manager VM, before proceeding. It's not fully automated, but it's also not as intensively manual either.

Maybe the inter-VM password manager for Qubes already does something akin to requiring a single quick action from inside the offline isolated password manager VM before fulfilling the request of the online VM. If I missed it, then I apologize, but I can't see it anywhere.

Thoughts on using a hybrid method though?
Re: [qubes-users] Relation between increasing RAM and the increased need for display memory
On 11/11/2017 04:22 PM, @LeeteqXV (Twitter & Mastodon.technology) wrote:
> Ref. "(maybe if you using Compiz with fancy desktop effects) "
>
> For me, the desktop environment affects my well-being and mood
> very much, so yes some of such "effects" are important, both for
> efficiency and for the general good feeling when working etc., not
> the fancy part.
>
> I prefer to have 12+ viewports/workspaces, each with its own name
> and background image, so I can associate specific
> tasks/applications to each one, plus with a wrap-around function to
> navigate beyond the borders. I use Compiz for this on Ubuntu, and
> fortunately all of the above is possible in Qubes without any extra
> tools.
>
> Compiz provides customized window transparency so that when I
> write, I arrange for good (text++) contrast towards the nice
> background image on each desktop, on a per-window basis. I use
> Alt+[numeric"+"] and Alt-[numeric"-"] keyboard shortcuts to
> increase/decrease the transparency on the active window. (Not sure
> if this is possible in Qubes out-of-the-box?)
>
> With this as the background (all done outside of the VMs), along
> with the initially mentioned points about increasing use of
> one-app-vms, are you saying that we can basically just keep upping
> the RAM without worrying about the potential need for increased
> display memory?

I used those effects as well. So yes, I would still say you do not have to worry about your video RAM.

> I would like to know what are the minimum requirements for the
> graphics card in this respect, for "both ends of the spectre", so
> to speak;

My experience is that you can't have any Qubes compatible hardware that is not enough for any kind of fancy compiz effects. Mainly because the VGA is integrated into the CPU package (most of the systems nowadays).

You may have to increase the default assigned video RAM in BIOS, but that's all.

> a) ~16GB RAM, which is getting increasingly possible with
> sub-€1000 laptops (just for the perspective on the limits).
> b) >32GB RAM, for the high-end computers.
>
> Will it be possible to use a (compatible) laptop in the sub-€1000
> range as long as it has enough RAM, or should one also verify that
> the display card meet some kind of minimum specifications (for the
> scenario where we are going to run a LOT of VMs, only limited by
> the available RAM)?

See my note above.

> + How is this different with Qubes 4.x compared to 3.2?

Nothing changed about VGA.

--
Zrubi
Re: [qubes-users] Qubes & Quantum decryption Immunity
Speaking of quantum network, it is doable, for instance you can check araknet.eliott.tech
[qubes-users] HCL - HP Envy 17 Leap Motion SE NB Quad Edition
Hey any problems with sleep/wake? I have some in line (envy 13, 2016)
Re: [qubes-users] Anything like Split GPG for Keepass?
On Monday, November 13, 2017 2:04:00 AM CET Patrick Schleizer wrote:
> Eric Shelton:
> > I am curious how people are making effective use of Keepass in a vault
> > domain. It seems like with a browser plugin, you might be able to take a
> > Split GPG type of approach, and avoid all of the cutting and pasting
> > across
> > domains. Any comments or suggestions?
> >
> > - Eric
>
> An inter-VM password manager for Qubes OS based on pass

Should also be possible with Keyringer: https://keyringer.pw

--
Regards,
Michał "rysiek" Woźniak

I am changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147