[qubes-users] Getting to the bottom of screenshots in Qubes OS
Hi Everyone, Speaking with a colleague earlier today, I heard "Qubes is great, but the no screenshots problem makes it a 'hard' no for me". As a Qubes user and advocate, this stung. Surely, I thought, if clipboard can take copy+paste between Qubes, then it should be able to move screenshots? Requesting input on the following concept: - import screenshot.png allows you to take a screenshot from an x window. - qvm-run lets you launch apps in a specific VM from a command placed in dom0. - Using / Adding shortcuts on the panel achieves this by using the following syntax " qvm-run -q -a --service QUBE_NAME qubes.StartApp+AppName " Where: -q is quiet/non-verbose -a is autostart - Assigning that command under System Tools > Keyboard > Application Shortcuts works to launch it just fine. What is the syntax needed to launch "import" and how can I tell Dom0 to launch it in the Qube currently in focus? Is there any "current AppVM in focus" variable? Or does dom0 have no knowledge of this for security purposes? It seems unlikely to me. Also, what is the reason we can have global clipboard and qvm-move, but not a similar function for screenshots? Cheers, Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/32352715-176c-5e1f-414f-40b1cc452895%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] A lot of dom0 updates recently
On 6/17/20 4:53 AM, tetrahedra via qubes-users wrote: dom0 seems to be getting a lot of updates at the moment (3x in the last 1-2 weeks?) ... are there any security holes we should know about? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200617045326.GA5613%40danwin1210.me. I've been noticing this, too. Something interesting has been occurring in about half of my Dom0 updates lately: In the "details" section of the Qubes Updater it shows no detail, only: Fairly ambiguous. Did it even update? Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/75f9dfb2-dcf0-e147-d5c6-5b9ddbbc60d4%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Personal Qube halts during startup
On 6/6/20 1:39 PM, Logan wrote: I am as of yet unable to resolve the same issue of a Debian 10 Qube halting during startup that I discovered about 2 weeks ago. I haven't been able to fix it since: My last post stated: " I have identified the moment when all services start shutting down and the system halts: Appears to be I/O related. I should have enough disk space as I just increased Private storage to 10240mb and System storage is the same. Here is the smoking gun, I think: Debian GNU/Linux 10 Personal hvc0 login: [15.293110] fuse init (API version 7.27) [31.774331] tun: Universal TUN/TAP device driver, 1.6 [23025.639734] blkfront: xvdd: empty flush op failed [23025.639751] blkfront: xvdd: barrier or flush: disabled; pe Stopping .[0;1;39mRealtimeKit Scheduling Policy Serv Stopping .[0;1;39mAvailability of block devices.[0m. [.[0;32m OK .[0m] Stopped target .[0;1;39mTimers.[0m. [.[0;32m OK .[0m] Stopped .[0;1;39mDaily man-db regeneratio Stopping .[0;1;39mCUPS Scheduler.[0m... " Any hints? I'd like to learn from this and not just roll-back, if possible. I've really hit a wall, though. Cheers, Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1f5c2932-fed1-f564-7528-a5707b9541a5%40threatmodel.io. Slightly ashamed, but this case is closed. The resolution is somewhat humourous: I typo'd my idle timer setting to 0 when meant for 10. I disabled "shutdown-idle" under qube settings >> service sand everything works now. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/68acd74d-6285-355f-4455-3f2cd22833c4%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
[qubes-users] Personal Qube halts during startup
I am as of yet unable to resolve the same issue of a Debian 10 Qube halting during startup that I discovered about 2 weeks ago. I haven't been able to fix it since: My last post stated: " I have identified the moment when all services start shutting down and the system halts: Appears to be I/O related. I should have enough disk space as I just increased Private storage to 10240mb and System storage is the same. Here is the smoking gun, I think: Debian GNU/Linux 10 Personal hvc0 login: [15.293110] fuse init (API version 7.27) [31.774331] tun: Universal TUN/TAP device driver, 1.6 [23025.639734] blkfront: xvdd: empty flush op failed [23025.639751] blkfront: xvdd: barrier or flush: disabled; pe Stopping .[0;1;39mRealtimeKit Scheduling Policy Serv Stopping .[0;1;39mAvailability of block devices.[0m. [.[0;32m OK .[0m] Stopped target .[0;1;39mTimers.[0m. [.[0;32m OK .[0m] Stopped .[0;1;39mDaily man-db regeneratio Stopping .[0;1;39mCUPS Scheduler.[0m... " Any hints? I'd like to learn from this and not just roll-back, if possible. I've really hit a wall, though. Cheers, Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1f5c2932-fed1-f564-7528-a5707b9541a5%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] "Failed to return clean data" in Debian-10 Template
On 5/23/20 3:23 PM, unman wrote: On Sat, May 23, 2020 at 02:30:53PM +, Logan wrote: On 5/23/20 1:25 PM, unman wrote: On Sat, May 23, 2020 at 08:39:11AM +, Logan wrote: Hi all, I am having trouble understanding the error i'm getting from the Qubes Updater. My Debian template is no longer executing updates successfully. Other templates are still ok. From all my searching I can only determine that retcode 255 appears to be salt related. Any hints? I've typed out the report from dom0. Updating debian-10 Error on updating debian-10: command '['sudo', 'qubesctl', '--skip-dom0', '--targets=debian-10', '--show-output', 'state.sls', 'update.qubes-vm']' returned non-zero exit status 20 debian-10: --- _error: Failed to return clean data retcode: 255 stderr: stdout: Thanks, Logan I cant reproduce this. Can you try a dom0 update - also may be worth updating the template by hnad and then seeing if that fixes the issue. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200523132559.GD32656%40thirdeyesecurity.org. Manually updated appears to have resolved the update issue, but my personal VM is now failing whereas other Debian based appVMs still work. Possibly an awkward coincidence. It boots and about 10 seconds later a system halt is called: A few possible issues are in the guest-.log, but the one that stands out most is: switch_root: failed to mount moving /dev to /sysroot/dev: invalid argument I'll include more log details after I run a diff between this and a fresh VM. Logan Has it resolved the salt update issue? Not entirely clear. Yes it has! Thank you. On the other issue, you are taking right steps. Your diff would be interesting - make sure you have a backup of the data in your personal VM, just in case. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200523152346.GA905%40thirdeyesecurity.org. I have identified the moment when all services start shutting down and the system halts: Appears to be I/O related. I should have enough disk space as I just increased Private storage to 10240mb and System storage is the same. Here is the smoking gun, I think: Debian GNU/Linux 10 Personal hvc0 login: [15.293110] fuse init (API version 7.27) [31.774331] tun: Universal TUN/TAP device driver, 1.6 [23025.639734] blkfront: xvdd: empty flush op failed [23025.639751] blkfront: xvdd: barrier or flush: disabled; pe Stopping .[0;1;39mRealtimeKit Scheduling Policy Serv Stopping .[0;1;39mAvailability of block devices.[0m. [.[0;32m OK .[0m] Stopped target .[0;1;39mTimers.[0m. [.[0;32m OK .[0m] Stopped .[0;1;39mDaily man-db regeneratio Stopping .[0;1;39mCUPS Scheduler.[0m... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5748ea83-b262-0f29-67e6-dc937e32300c%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] "Failed to return clean data" in Debian-10 Template
On 5/23/20 1:25 PM, unman wrote: On Sat, May 23, 2020 at 08:39:11AM +, Logan wrote: Hi all, I am having trouble understanding the error i'm getting from the Qubes Updater. My Debian template is no longer executing updates successfully. Other templates are still ok. From all my searching I can only determine that retcode 255 appears to be salt related. Any hints? I've typed out the report from dom0. Updating debian-10 Error on updating debian-10: command '['sudo', 'qubesctl', '--skip-dom0', '--targets=debian-10', '--show-output', 'state.sls', 'update.qubes-vm']' returned non-zero exit status 20 debian-10: --- _error: Failed to return clean data retcode: 255 stderr: stdout: Thanks, Logan I cant reproduce this. Can you try a dom0 update - also may be worth updating the template by hnad and then seeing if that fixes the issue. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200523132559.GD32656%40thirdeyesecurity.org. Manually updated appears to have resolved the update issue, but my personal VM is now failing whereas other Debian based appVMs still work. Possibly an awkward coincidence. It boots and about 10 seconds later a system halt is called: A few possible issues are in the guest-.log, but the one that stands out most is: switch_root: failed to mount moving /dev to /sysroot/dev: invalid argument I'll include more log details after I run a diff between this and a fresh VM. Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/be2038f7-211b-e194-b3ee-e9b8647d84a4%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
[qubes-users] "Failed to return clean data" in Debian-10 Template
Hi all, I am having trouble understanding the error i'm getting from the Qubes Updater. My Debian template is no longer executing updates successfully. Other templates are still ok. From all my searching I can only determine that retcode 255 appears to be salt related. Any hints? I've typed out the report from dom0. Updating debian-10 Error on updating debian-10: command '['sudo', 'qubesctl', '--skip-dom0', '--targets=debian-10', '--show-output', 'state.sls', 'update.qubes-vm']' returned non-zero exit status 20 debian-10: --- _error: Failed to return clean data retcode: 255 stderr: stdout: Thanks, Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7699ba94-c9d2-4305-c7cb-9e51e6788d98%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Qubes-vpn-support Tor Browser not working
features, but nothing compares to TOR Browser, like in-depth fingerprinting combining settings as Screen Resolution and viewport... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com <mailto:qubes-users+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3833f72e-5235-4969-bea6-7ada065bd19b%40googlegroups.com <https://groups.google.com/d/msgid/qubes-users/3833f72e-5235-4969-bea6-7ada065bd19b%40googlegroups.com?utm_medium=email_source=footer>.When you have no choice and need to bypass cloudflare or similar here's my quick and dirty: Open any VPN provider's app that provides a SOCKS5 proxy inside a Whonix-WS appVM. Check the documentation for the IP/Port and point FF's network settings to the proxy address. Done. I'll repeat what everyone else is saying: This is generally not advisable as your are often better spinning up a throwaway Deb or Fedora appvm with vpn, but this approach is simple and does work. Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9e8655c4-25d4-c29d-5ae3-11cf447288d5%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Some VMs Stopped Opening Terminal
On 5/19/20 1:40 PM, 'Matt Drez' via qubes-users wrote: Hey guys, Some of my VMs won't open "Terminal", and "Files". If I go to the dom0 terminal and try to run `qvm-run terminal` then I get a `command failed with code: 127` I can still run xterm though. Any ideas as to why and how to fix it? Matt -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com <mailto:qubes-users+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fJuKT_hptCBl25HvSijR1SVYAjEx8Y5wvObOFcR_3GfZ91ryXYN8sCqZx3MA2cNoW4B9bpGtb9F4ha66iQwtVCM1msX4CUExOhPn7Gxt55Q%3D%40pm.me <https://groups.google.com/d/msgid/qubes-users/fJuKT_hptCBl25HvSijR1SVYAjEx8Y5wvObOFcR_3GfZ91ryXYN8sCqZx3MA2cNoW4B9bpGtb9F4ha66iQwtVCM1msX4CUExOhPn7Gxt55Q%3D%40pm.me?utm_medium=email_source=footer>. Check your remaining disk space. 9/10 times when I have issues running an application, it is caused by running out of space. Also: iirc there's a bug that makes the Debian and Fedora-dvms unable to run terminal in case that was the VM you tried it on. At least this is true on my 4.0.3 Cheers, Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/41547ef9-5433-6f2f-99fe-22a0ce2b8101%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
[qubes-users] Persistent Timezone per Qube
Hello, What is the best way to set a timezone for a particular qube that is constantly behind a proxy in a particular timezone? I have tried "timedatectl set-timezone Asia/Kolkata", but it isn't persistent. I would rather not use NTP if possible. I thought sticking the timedatectl Thanks, Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/33c8fd5f-0e44-88bf-8612-5f783ae80289%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] SplitGPG with Subkeys Encryption Error
On 5/16/20 5:42 AM, Robert Spigler wrote: I have a master private key (Certify Only) stored in Vault, separate Encryption and Sign secrete_subkeys generated in Vault and stored in networkless work-gpg. All public keys stored in a separate AppVM for 'qubes-gpg-client' command to access the work-gpg VM via the Split GPG protocol. I have succesfully tested signing and verifying text with my new key, and decrypting messages to my new key. My one issue has been encrypting messages to other keys: `export QUBES_GPG_DOMAIN=work-gpg` `cat InFile | qubes-gpg-client --encrypt --recipient RECIPIENT` Results in the error: >gpg: There is no assurance this key belongs to the named user >gpg: cannot open '/dev/tty': No such device or address Well, I can't sign the public key, that is a documented downside of SplitGPG with Subkeys. As for the second, I tried adding `no-tty` to ~/.gnupg/gpg.conf in work-gpg trying the above command again results in the new error: `EOF` with no change to the file. So I try a new approach: `export QUBES_GPG_DOMAIN=work-gpg` (I'll stop repeating this line so I don't annoy you all) `qubes-gpg-client --output OutFile --encrypt --recipient RECIPIENT InFile` Error: >Only '-' argument supported for --output option ^^I have no idea what that is about. So, remove the output file request and just attempt to write over: `qubes-gpg-client --encrypt --recipient RECIPIENT InFile` Error: >gpg: There is no assurance this key belongs to the names user >gpg: Sorry, no terminal at all requested - can't get input' Let's remove the conf line we added earlier, and run again: Error: >There is no assurance this key belongs to the named user >gpg: cannot open '/dev/tty': No such device or address' I give up! Does anyone have any idea what is going on here? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com <mailto:qubes-users+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/19c2623b-100b-4e7b-8618-d00f16dba464%40googlegroups.com <https://groups.google.com/d/msgid/qubes-users/19c2623b-100b-4e7b-8618-d00f16dba464%40googlegroups.com?utm_medium=email_source=footer>. I have keys with the same configuration and also struggled with this for a while. Purchasing an OpenPGP smartcard (yubikey, nitrokey etc) really simplified things for me. I keep the private key(s) in my vault and now I sign, encrypt and authenticate using it wherever I need. I know that this is not the solution you are looking for. But its a good one to achieve the same end. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/219577be-8601-215c-572a-46ec93232171%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Can I have Windows & Qubes on the same laptop?
On 5/11/20 12:28 PM, unman wrote: On Mon, May 11, 2020 at 12:25:54PM +, Logan wrote: On 5/11/20 12:09 PM, unman wrote: Screeds and screeds of HTML. Can you NOT do this? Look at your settings and change to "plain text", at least for this list, please Sorry to be a nuisance. I believe it is fixed now: I have added googlegroups.com into my text domains in Thunderbird so it shouldn't happen again. Cheers, thanks. Sorry for the grouchiness - stressful times. No worries mate. It's my first time using a group like this and it's not unreasonable to assume some Qubes users are using terminal-based readers. Plaintext never goes out of fashion. Have a good rest of your day. :) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200511122848.GA14188%40thirdeyesecurity.org. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8de76799-a888-e9e2-728c-fe96d67299c8%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Can I have Windows & Qubes on the same laptop?
On 5/11/20 12:09 PM, unman wrote: On Mon, May 11, 2020 at 12:01:49PM +, Logan wrote: -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e6af715a-fe00-46ec-ddde-24748076ad2b%40threatmodel.io. Would you be willing to share the URL here? If not, could you message me privately? I'm definitely interested in reading it. -Logan On 5/11/20 11:58 AM, Mark Fernandes wrote: On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote: ?? Depending on your machine you may be able to find ways to do this, by installing a kill switch, or by BIOS configuration. You may find that your BIOS allows you to disable certain devices pre boot, and this may enable you to switch between active disks.?? I'm by no means an expert on Qubes or this particular issue. However, I am in the midst of writing a Wikibooks book on cost-effective end-user security that has a section about this. My thoughts in the book are more like RFCs (requests for comments) rather than definitive ideas (my hope is that other people will further develop, revise, and correct them, as applicable). Please take that into account when reading them. The section is shown below. https://en.wikipedia.org/wiki/Qubes_OS; moz-do-not-send="true">Qubes OS 4.0.3 side-by-side with other https://en.wikipedia.org/wiki/Operating_system; moz-do-not-send="true">operating systems https://en.wikipedia.org/wiki/Qubes_OS; moz-do-not-send="true">Qubes OS 4.0.3 is https://www.qubes-os.org/faq/index.html#can-i-run-applications-like-games-which-require-3d-support; moz-do-not-send="true">documented as not coping well with https://en.wikipedia.org/wiki/Software; moz-do-not-send="true">software that specifically benefits from https://en.wikipedia.org/wiki/Hardware_acceleration; moz-do-not-send="true">3D-optimised hardware. Since a user may well want to use such optimisation, the best way to use such optimisation on the same machine might be to do something like, or the same as, the following: https://en.wikipedia.org/wiki/Installation_(computer_programs)" moz-do-not-send="true">Install a https://en.wikipedia.org/wiki/Linux; moz-do-not-send="true">Linux https://en.wikipedia.org/wiki/Operating_system; moz-do-not-send="true">operating system, with good security but still with the capacity for being able to utilise 3D-optimised hardware, on an https://en.wikipedia.org/wiki/SSD; moz-do-not-send="true">SSD external https://en.wikipedia.org/wiki/Data_storage; moz-do-not-send="true">drive, such that this other operating system is not run over Qubes, but instead run separate to Qubes. When wanting to use this other Linux OS, disable the internal drive (containing Qubes) in either: the https://en.wikipedia.org/wiki/BIOS; moz-do-not-send="true">BIOS,?? ??OR IF WISHING TO BE MORE SECURE, both the BIOS?? as well as by physically disconnecting the internal drive (this latter option might be a good idea to do?? because https://en.wikipedia.org/wiki/Malware; moz-do-not-send="true">malware in a BIOS's https://en.wikipedia.org/wiki/Firmware; moz-do-not-send="true">firmware?? can still connect to BIOS-disabled drives). https://en.wikipedia.org/wiki/Booting; moz-do-not-send="true">Boot off the SSD to run this other Linux. After using the non-Qubes installation, because of the possibility of malware being introduced into the BIOS firmware by the non-Qubes installation, optionally https://en.wikipedia.org/wiki/BIOS#Reprogramming; moz-do-not-send="true">flash the BIOS's firmware to ensure better the Qubes installation isn???t compromised through firmware https://en.wikipedia.org/wiki/Malware; moz-do-not
Re: [qubes-users] Can I have Windows & Qubes on the same laptop?
publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key On 5/11/20 11:58 AM, Mark Fernandes wrote: On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote: Depending on your machine you may be able to find ways to do this, by installing a kill switch, or by BIOS configuration. You may find that your BIOS allows you to disable certain devices pre boot, and this may enable you to switch between active disks. I'm by no means an expert on Qubes or this particular issue. However, I am in the midst of writing a Wikibooks book on cost-effective end-user security that has a section about this. My thoughts in the book are more like RFCs (requests for comments) rather than definitive ideas (my hope is that other people will further develop, revise, and correct them, as applicable). Please take that into account when reading them. The section is shown below. Qubes OS 4.0.3 side-by-side with other operating systems Qubes OS 4.0.3 is documented as not coping well with software that specifically benefits from 3D-optimised hardware. Since a user may well want to use such optimisation, the best way to use such optimisation on the same machine might be to do something like, or the same as, the following: Install a Linux operating system, with good security but still with the capacity for being able to utilise 3D-optimised hardware, on an SSD external drive, such that this other operating system is not run over Qubes, but instead run separate to Qubes. When wanting to use this other Linux OS, disable the internal drive (containing Qubes) in either: the BIOS, OR IF WISHING TO BE MORE SECURE, both the BIOS as well as by physically disconnecting the internal drive (this latter option might be a good idea to do because malware in a BIOS's firmware can still connect to BIOS-disabled drives). Boot off the SSD to run this other Linux. After using the non-Qubes installation, because of the possibility of malware being introduced into the BIOS firmware by the non-Qubes installation, optionally flash the BIOS's firmware to ensure better the Qubes installation isn’t compromised through firmware malware when you next use Qubes. By following the above steps, and choosing the most secure options in the steps, because of: the disabling of the internal drive via the BIOS, the physical disconnection of the drive containing the Qubes installation, and the flashing of the BIOS firmware before the ‘reconnection’ of the Qubes installation, any such other OS should not be able to access or even ‘touch’ the Qubes OS installation, thereby hopefully safeguarding the Qubes installation from attacks conducted through the other presumably-less-secure OS. Kind regards, Mark Fernandes Would you be willing to share the URL here? If not, could you message me privately? I'm definitely interested in reading it. -Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cfe9c216-80e3-1537-f453-fce6c3723175%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Can I have Windows & Qubes on the same laptop?
publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key Would you be willing to share the URL here? If not, could you message me privately? I'm definitely interested in reading it. -Logan On 5/11/20 11:58 AM, Mark Fernandes wrote: On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote: Depending on your machine you may be able to find ways to do this, by installing a kill switch, or by BIOS configuration. You may find that your BIOS allows you to disable certain devices pre boot, and this may enable you to switch between active disks. I'm by no means an expert on Qubes or this particular issue. However, I am in the midst of writing a Wikibooks book on cost-effective end-user security that has a section about this. My thoughts in the book are more like RFCs (requests for comments) rather than definitive ideas (my hope is that other people will further develop, revise, and correct them, as applicable). Please take that into account when reading them. The section is shown below. Qubes OS 4.0.3 side-by-side with other operating systems Qubes OS 4.0.3 is documented as not coping well with software that specifically benefits from 3D-optimised hardware. Since a user may well want to use such optimisation, the best way to use such optimisation on the same machine might be to do something like, or the same as, the following: Install a Linux operating system, with good security but still with the capacity for being able to utilise 3D-optimised hardware, on an SSD external drive, such that this other operating system is not run over Qubes, but instead run separate to Qubes. When wanting to use this other Linux OS, disable the internal drive (containing Qubes) in either: the BIOS, OR IF WISHING TO BE MORE SECURE, both the BIOS as well as by physically disconnecting the internal drive (this latter option might be a good idea to do because malware in a BIOS's firmware can still connect to BIOS-disabled drives). Boot off the SSD to run this other Linux. After using the non-Qubes installation, because of the possibility of malware being introduced into the BIOS firmware by the non-Qubes installation, optionally flash the BIOS's firmware to ensure better the Qubes installation isn’t compromised through firmware malware when you next use Qubes. By following the above steps, and choosing the most secure options in the steps, because of: the disabling of the internal drive via the BIOS, the physical disconnection of the drive containing the Qubes installation, and the flashing of the BIOS firmware before the ‘reconnection’ of the Qubes installation, any such other OS should not be able to access or even ‘touch’ the Qubes OS installation, thereby hopefully safeguarding the Qubes installation from attacks conducted through the other presumably-less-secure OS. Kind regards, Mark Fernandes -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e6af715a-fe00-46ec-ddde-24748076ad2b%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Set a Qube to shutdown when its last AppVM closes.
Just shutdown a qube. Not my PC On 5/9/20 12:09 PM, Frédéric Pierret wrote: On 2020-05-09 13:05, Logan wrote: Is there a way to configure Qubes so that when I close the last AppvM belonging to a TemplateBasedVM/Domain it auto shuts down? By auto shuts down you mean poweroff your computer? I think it's pretty easy to do it by writing your own Qubes core-admin addon extension. I would write function catching domain shutdown and looking if it remains running VM else poweroff. Here are examples of core-admin addon extension: https://github.com/QubesOS/qubes-core-admin-addon-whonix https://github.com/QubesOS-contrib/qubes-core-admin-addon-bridge-device I have been dreaming of this for some time but haven't been able to find a solution. Logan Frédéric -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2d5e62be-c2e0-4f34-bb4a-246c3deb7f67%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
[qubes-users] Set a Qube to shutdown when its last AppVM closes.
Is there a way to configure Qubes so that when I close the last AppvM belonging to a TemplateBasedVM/Domain it auto shuts down? I have been dreaming of this for some time but haven't been able to find a solution. Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/182b32a3-367a-6681-5d4c-675c068d742d%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Qubes better dove tailed for Journalists, and Human Rights Workers.
publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key Cool. I am aware that FPF does training for journalists, but not to what extent. I will reach out to them to see what is already being provided. In the meantime, I will do my homework on salt to see if I can contribute. Logan On 5/9/20 3:14 AM, Insurgo Technologies Libres / Open Technologies wrote: There is a ticket opened on qubes for personas. Time to poke and make Freedom Of Press foundation into this. And tailor salt recipes to be deployed for those personas. My 2 cents On May 9, 2020 2:55:57 AM UTC, Logan wrote: Hi Catacombs, This is an important topic. It actually is my intention to come up with a list of tweaks that a less tech-savvy journalist could benefit from. I am not versed in customizing or automating Linux installs via scripts, but a motivated designer could engineer such a tool for a more visually appealing turn-key installation that is closer to "just works" than the "hack it to perfection" experience most of us have had with Qubes. The matter exists that Qubes is a completely different way of computing, though. A structured training program may be beneficial to these groups. If an organization or group were created to promote the use of Qubes and provide custom tools and training to journalists this could be quite a benefit to the community as a whole. What would it take to get a working group together for this? I'm definitely interested in working on something like it. Logan On 5/9/20 12:47 AM, Sven Semmler wrote: On Fri, May 08, 2020 at 04:12:57PM -0700, Catacombs wrote: It is not my intention to provide a list of things to put in the basic OS for an Investigator who is not what I would term, a techno geek, nor who does not want to be. It is to find out what has been discussed in the past about this subject, and for some of you, who are more experienced with QUBE's, and investigators, to put that list together, and perhaps build that list into the basic Install of QUBE's. Hi Catacombs, your points are valid. One thing I am aware of is the the Freedom of the Press Foundation is using Qubes and that there is at least one UX designer thinking about usability and contributing actively to Qubes. You will see these improvement over time. Another thing all of us "techno geeks" can do in the meantime is to monitor this mailing list and maybe even the IRC channel and help as many users as possible. I think the standard Fedora template has a pretty solid list of default apps installed. But for sure there could be more tutorial style videos, better documentation, maybe even tailored templates. I don't know what a Journalist needs - do you? To some degree I think the core Qubes team wants to stay out of the 'what should be included in the default template' discussion as there are as many opinions as discussion participants. There is even an FAQ entry about it: https://www.qubes-os.org/faq/#could-you-please-make-my-preference-the-default I understand this is not exactly what you asked for and a GUI text editor and a video player are pretty standard things. I am surprised they weren't there. /Sven -- public key: https://www.svensemmler.org/0x8F541FB6.asc fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6 -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c69f08a9-abc8-d9e4-6467-cdff444164f3%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Qubes better dove tailed for Journalists, and Human Rights Workers.
Hi Catacombs, This is an important topic. It actually is my intention to come up with a list of tweaks that a less tech-savvy journalist could benefit from. I am not versed in customizing or automating Linux installs via scripts, but a motivated designer could engineer such a tool for a more visually appealing turn-key installation that is closer to "just works" than the "hack it to perfection" experience most of us have had with Qubes. The matter exists that Qubes is a completely different way of computing, though. A structured training program may be beneficial to these groups. If an organization or group were created to promote the use of Qubes and provide custom tools and training to journalists this could be quite a benefit to the community as a whole. What would it take to get a working group together for this? I'm definitely interested in working on something like it. Logan On 5/9/20 12:47 AM, Sven Semmler wrote: On Fri, May 08, 2020 at 04:12:57PM -0700, Catacombs wrote: It is not my intention to provide a list of things to put in the basic OS for an Investigator who is not what I would term, a techno geek, nor who does not want to be. It is to find out what has been discussed in the past about this subject, and for some of you, who are more experienced with QUBE's, and investigators, to put that list together, and perhaps build that list into the basic Install of QUBE's. Hi Catacombs, your points are valid. One thing I am aware of is the the Freedom of the Press Foundation is using Qubes and that there is at least one UX designer thinking about usability and contributing actively to Qubes. You will see these improvement over time. Another thing all of us "techno geeks" can do in the meantime is to monitor this mailing list and maybe even the IRC channel and help as many users as possible. I think the standard Fedora template has a pretty solid list of default apps installed. But for sure there could be more tutorial style videos, better documentation, maybe even tailored templates. I don't know what a Journalist needs - do you? To some degree I think the core Qubes team wants to stay out of the 'what should be included in the default template' discussion as there are as many opinions as discussion participants. There is even an FAQ entry about it: https://www.qubes-os.org/faq/#could-you-please-make-my-preference-the-default I understand this is not exactly what you asked for and a GUI text editor and a video player are pretty standard things. I am surprised they weren't there. /Sven -- public key: https://www.svensemmler.org/0x8F541FB6.asc fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/66b09d50-223f-9c73-dac5-e9a12032c6b2%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Kali rolling template can't find source to update.
publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key Thanks for your help. My sources.list was already bullseye, though. I am still struggling to find the answer to the issue. I'll offer my sources files and selected output of apt update i'm receiving: /etc/apt/sources.list: deb http://deb.debian.org/debian/ bullseye testing main contrib non-free deb http://deb.debian.org/debian/ bullseye testing-updates main contrib non-free deb http://deb.debian.org/debian-security bullseye testing-security main /etc/apt/sources.list.d/qubes-r4.list: # Main qubes updates repository deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm bullseye main #deb-src https://deb.qubes-os.org/r4.0/vm bullseye main # Qubes updates candidates repository deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm bullseye-testing main deb-src https://deb.qubes-os.org/r4.0/vm bullseye-testing main # Qubes security updates testing repository deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm bullseye-securitytesting main deb-src https://deb.qubes-os.org/r4.0/vm bullseye-securitytesting main Output of "sudo apt update" Hit:1 http://deb.debian.org/debian bullseye InRelease Hit:3 https://deb.qubes-os.org/r4.0/vm bullseye InRelease Hit:2 http://ftp.halifax.rwth-aachen.de/kali kali-rolling InRelease Hit:4 https://deb.qubes-os.org/r4.0/vm bullseye-testing InRelease Ign:5 http://deb.debian.org/debian-security bullseye InRelease Hit:6 https://deb.qubes-os.org/r4.0/vm bullseye-securitytesting InRelease Err:7 http://deb.debian.org/debian-security bullseye Release 404 Not Found [IP: 127.0.0.1 8082] Reading package lists... Done Then... W: Skipping acquire of configured file 'testing-updates/i18n/Translation-en_US' as repository 'http://deb.debian.org/debian bullseye InRelease' doesn't have the component 'testing-updates' (component misspelt in sources.list?) E: The repository 'http://deb.debian.org/debian-security bullseye Release' does not have a Release file. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list:4 W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:2 and /etc/apt/sources.list:4 Any hints would be much appreciated. Logan On Wed, Apr 29, 2020 at 05:00:24PM +, lo...@threatmodel.io wrote: > I followed the instructions for building a debian-based rolling Kali template > found at: > https://www.qubes-os.org/doc/pentesting/kali/#templatevm-from-debian4_0 > > My qube was running well for a few months when suddenly I got the following > error when updating with apt-get: > > E: Can't find a source to download version '4.0.51-1+deb11u1' of > 'qubes-core-agent-passwordless-root:amd64' Kali is a rolling distro and you have probably created the qube based on Debian 10 (buster) and Kali has now moved on to Debian 11 (bullseye). Also note that the above linked website contains a hint: For installation based on Debian 10 stable, please note that the security repository of Debian testing has recently been renamed from testing>/update to -security. To account for that change, execute the following command. [user@kali ~]$ sudo sed -i 's/bullseye\/updates/bullseye-security/g' /etc/apt/sources.list In any case I am pretty confident your issue is that the files in your /etc/apt/sources.list point to buster instead of bullseye or to the /update insead -security repo. > I can't seem to find any similar issues online. Any advice is appreciated. Also search qubes-issues on github. /Sven -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9605ee76-2ecc-e56d-8a63-b3a43fce0e08%40threatmodel.io.
[qubes-users] dom0 doesn't fully restore
As a disaster recovery drill, I backed up, wiped my drive, and attempted to do a full restore on top of a fresh Qubes install to see how i'd do in a nightmare scenario. Other qubes were restored properly, but my dom0 barely restored. All XFCE panel settings were gone. I had to reinstall u2f proxy and some others I previously installed, yet select appearance setting remained. I thought a restored qube was a bit-by-bit recreation of the qube. Isn't it? Is this expected? Has anyone else experienced what I did? Yes, I replaced the user folder with the one installed by the fresh install. Frankly, I was very unhappy with the experience. I have, however, restored 99% of what I had prior to the drill with a lot of work. Thankful that my other qubes were ok and I hadn't done Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7b87d9d5-9a2e-f505-49c7-a95eb3c3c2a3%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
[qubes-users] Making AppVMs Open in Specific Workspaces
Is it possible to specify a particular workspace for each domain/qube ? Example: AppVMs of Domain 1 (Personal) always open in Workspace 2 AppVMs of Domain 2 (Anon-Whonix) open in Workspace 3 I have tried setting XFCE profiles without any success. The apps reopen as expected, but all get glommed together in Workspace 1 when I login again. Thanks, Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0fe8f40c-2c79-5534-0b76-8c5537eca77e%40threatmodel.io. publickey - logan@threatmodel.io.asc.pgp Description: application/pgp-key signature.asc Description: OpenPGP digital signature
[qubes-users] Kali rolling template can't find source to update.
Hello, I followed the instructions for building a debian-based rolling Kali template found at: https://www.qubes-os.org/doc/pentesting/kali/#templatevm-from-debian4_0 My qube was running well for a few months when suddenly I got the following error when updating with apt-get: E: Can't find a source to download version '4.0.51-1+deb11u1' of 'qubes-core-agent-passwordless-root:amd64' I can't seem to find any similar issues online. Any advice is appreciated. Cheers, Logan -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Oc-VI_GYQmzsIYPB36AiOXq9_eeGa80KrI0PXb6OmVrUXoCI6D2PKeG7zSNiQmn6Ol0A6C24Wypkk0CG9ywf2G5BRtNiWQdoPnsw8JDsHN0%3D%40threatmodel.io. publickey - logan@threatmodel.io - 0x0689DE32.asc Description: application/pgp-keys signature.asc Description: OpenPGP digital signature
