[qubes-users] Using Mullvad VPN in Qubes
In case anyone is interested, I just wrote a blog post about how I configure Mullvad in Qubes, using NetworkManager, a script to auto-connect, and the Qubes firewall. https://micahflee.com/2019/11/using-mullvad-in-qubes/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/776b732b-89ac-a13f-aa9c-8e7cd3f928bd%40micahflee.com.
Re: [qubes-users] With 4K monitor, if screen goes blank, mouse clicks don't work in VMs
On 2019-09-24 18:21, Michael Siepmann wrote: > I've read and followed the instructions on > https://www.qubes-os.org/doc/gui-configuration/ but the problem I'm > having is different. Here's what happens: > > 1. I'm using VMs on a 4K monitor successfully, via DisplayPort. > > 2a. I have Dom0 screensaver set to Blank Screen Only and it blanks after > the configured number of minutes > > OR 2b. I switch to using the laptop screen, then back to the 4K monitor > > OR 2c. The computer wakes from sleep while the 4K monitor is in power > saving mode. > > 3. I can no longer click the mouse in my VMs (though it seems as if > maybe all clicks register in a very small area at the top left). The > mouse works normally in dom0. > > 4. If I switch to the laptop internal screen it works fine there, but if > I switch back to the 4K monitor it still doesn't work there. The only > way to get mouse clicking working in the VMs again is to shut down the > VM and restart it while using the 4K monitor. > > The same thing happens if the computer goes to sleep and when I wake it > up the monitor is in power saving mode. My current workaround is to > disable the screensaver, and remember to wake the monitor before waking > the computer, > > Is this a bug I should report? Has anyone else encountered this behavior? I've encountered this bug (or a similar one) as well on a 4K monitor. It appears that the mouse clicks only register if they're within the top left width and height of the laptop resolution. A workaround I've discovered is just restarting your VMs while your 4K monitor is plugged in. If you start a VM with the monitor plugged in, it lets you click anyone on the monitor within that VM. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/26c69851-cbe4-a353-1b7f-203bf0b695c3%40micahflee.com. signature.asc Description: OpenPGP digital signature
[qubes-users] /dev/mapper/qubes_dom0-root does not exist
I recently installed Qubes 4.0 on a laptop, installed updates in dom0 and my templates, restored a backup, and did a bunch of custom configuration. And then when I rebooted, Qubes wouldn't boot up due to a partitioning error. (It looks like it's the same problem described here [1]). During boot, I get a hundreds of lines that says: dracut-initqueue[343]: Warning: dracut-initqueue timeout - starting timeout scripts Followed by: dracut-initqueue[343]: Warning: Could not boot. dracut-initqueue[343]: Warning: /dev/mapper/qubes_dom0-root does not exist dracut-initqueue[343]: Warning: /dev/qubes_dom0/root does not exist Starting Dracut Emergency Shell... Then it drops me into an emergency shell. When I run lv_scan, I can see: Scanning devices dm-0 for LVM logical volumes qubes_dom0/root qubes_dom/swap inactive '/dev/qubes_dom0/pool00' [444.64 GiB] inherit inactive '/dev/qubes_dom0/root' [444.64 GiB] inherit ACTIVE '/dev/qubes_dom0/swap' [15.29 GiB] inherit inactive '/dev/qubes_dom0/vm-sys-net-private [2 GiB] inherit And it continues to list another inactive line for each private or root partition for each of my VMs. Only swap is active. I spent a little time trying to troubleshoot this, but ultimately decided that it wasn't worth the time, since I have a fresh backup. So I formatted my disk again, reinstalled Qubes, restored my backup, etc. After installing more updates and rebooting, I just ran into this exact same problem *again*. I think this could be a Qubes bug. Any idea on how I can fix this situation? The dracut emergency shell doesn't seem to come with many LVM tools. There's lvm, lvm_scan, thin_check, thun_dump, thin_repair, and thin_restore. I could boot to the Qubes USB and drop into a troubleshooting shell to have access to more tools. [1] https://groups.google.com/forum/#!searchin/qubes-users/dracut-initqueue$20could$20not$20boot|sort:date/qubes-users/PR3-ZbZXo_0/G8DA86zhCAAJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ad0c4e025404fa1b9eb5eb3d39ac3f62%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Talk about HOPE about Qubes
Hello, I just discovered the recording of my HOPE talk showing off many cool things about Qubes. Check it out if you're interested: https://livestream.com/internetsociety2/hope/videos/178431606 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8b1b1752-082e-7708-50de-0d2673c6d38c%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] UpdateVM pref not sticking
‐‐‐ Original Message ‐‐‐ On March 24, 2018 2:28 PM, Micah Lee <mi...@micahflee.com> wrote: > When I installed Qubes 4.0 I chose to install all of my updates over Tor. > Since then, I've opened Qubes Global Settings and changed UpdateVM to > sys-firewall. > > When I install dom0 updates, this seems to work fine. It says `Using > sys-firewall as UpdateVM to download updates for Dom0`. > > But when I try installing updates in my templates, such fedora-26, it still > uses sys-whonix as the UpdateVM. I'm sure because as soon as I try installing > updates, sys-whonix starts, and if I shut it down in the middle of updates, > the updates fail. (And also the downloads are very slow.) > > I'd like to be able to control which UpdateVM my templates use to update. Any > idea how I can troubleshoot what's going on? Looking at another thread going on right now, I found this useful: https://groups.google.com/forum/#!searchin/qubes-users/Whonix%7Csort:date/qubes-users/gLqORddxb-Y/mDxXDi3cAwAJ I can edit /etc/qubes-rpc/policy/qubes.UpdatesProxy, and change target=sys-whonix to target=sys-net. After I do that, my template seems to use sys-net as the UpdateVM. This seems like a bug though. Shouldn't this file change when I change Qubes Global Settings? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1I6fw0aN1qNu1ceuqUMupRoDL38Dn-aLhox9wTOkwIAxAcG54APubk62trf1eCqDEwcOuTZ6lvMzs19oKlBJchss00dA7snHdK3CRLwb5OM%3D%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] UpdateVM pref not sticking
When I installed Qubes 4.0 I chose to install all of my updates over Tor. Since then, I've opened Qubes Global Settings and changed UpdateVM to sys-firewall. When I install dom0 updates, this seems to work fine. It says `Using sys-firewall as UpdateVM to download updates for Dom0`. But when I try installing updates in my templates, such fedora-26, it still uses sys-whonix as the UpdateVM. I'm sure because as soon as I try installing updates, sys-whonix starts, and if I shut it down in the middle of updates, the updates fail. (And also the downloads are very slow.) I'd like to be able to control which UpdateVM my templates use to update. Any idea how I can troubleshoot what's going on? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/uTNNgSLwOQzmGANQ505H44OTCoTO4VrUtXQBeFdyzCB3bOdGS-8pqN9JM0oncUOViqEc0YBFJxghkP1Vx9mV_o78UvjAI2LiyQsp3FJDB5o%3D%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] DNS propagation in Qubes
‐‐‐ Original Message ‐‐‐ On March 8, 2018 11:26 AM, Chris Laprisewrote: > > > >>>\> \[1\] https://dnsprivacy.org/wiki/ > > > > > > \[2\] https://www.qubes-os.org/doc/networking/ > > Micah, > > If you have any specific instructions on how to setup the forwarder > > you're using, I'd be happy to try it myself and post a solution for use > > with qubes-firewall. > > I found the dnsprivacy wiki to be a bit scattered and not very specific. > > Their video "tutorial" is really a lecture on the concept. Thanks, yes I'd love to share instructions. I haven't gotten it working yet -- I'm traveling right now and haven't spent a lot of time on it, and might not for the next week or two. But once I figure it out I'd like to write a blog post or something with instructions. But maybe I should sent it to this list first for people to test and give feedback. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/pPIWHaxl0Lwz4sF1qRHn34jz0i4_oDljtkWk8CQMPNnOtFFKBsOS7gaUGQqLXC9ZFprlaPHpcPW_4IX_LKKwm9no1c-DO7byugnObo8aXzY%3D%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] DNS propagation in Qubes
Qubes 4.0. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/X1juIg1dY5HqEdgRRiliD8belJfZZE8Zt-UAwN3VNsQETPt6oVLAVSRCgd8H0Zq_LvFJz6fWTeYPMKPGjolws8qqCHF8RsbhrtuNz1FpOVc%3D%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] DNS propagation in Qubes
I'm trying to make all DNS requests in Qubes go over TLS (more information about this [1]). I've got this successfully working in sys-net by running a local DNS server on udp 53 that forwards DNS requests to a remote DNS server over TLS, and then setting my only nameserver in /etc/resolv.conf to 127.0.0.1. I've confirmed that this works great in sys-net -- all of my DNS requests are encrypted to my remote DNS server, and none are plaintext. The problem is when I do this, DNS in other downstream VMs all fail. The Qubes networking docs [2] explain how DNS works in Qubes, but I'm confused about how to make this set up work. Any ideas? Thanks! [1] https://dnsprivacy.org/wiki/ [2] https://www.qubes-os.org/doc/networking/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9XVz-7viQEqd-6MPx8NvR4Fnk502VgBDJUYogFE056xaFr-k76ApY7WmEbi3oH6yQZQ7MEHbuqYbwCZInJ8LE9lysw_e3w8Dw93FrISL2hU%3D%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qrexec policies broken after QSB #38 update
On 02/20/18 11:25, Chris Laprise wrote: > Since several people are reporting this, I decided to try some simple > qvm-copy tests and have been unable to reproduce the problem on R4.0-rc4. > > I updated with qubes*testing and then restarted per the QSB. I realized that I had enabled the testing repo in dom0 but not in my templates. After enabled the testing repo in my templates and installing updates, I no longer have this problem. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/638b7bac-4cd8-6d92-3a81-236892923da8%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] qrexec policies broken after QSB #38 update
I just installed updates in dom0 (current-testing) after QSB #38, and now my qrexec policies are semi-broken. To demonstrate, I just made two new AppVMs, testvm1 and testvm2. I want to copy a file from testvm1 to testvm2: [user@testvm1 ~]$ echo test > test.txt [user@testvm1 ~]$ qvm-copy test.txt Request refused [user@testvm1 ~]$ It immediately fails with "Request refused" and doesn't pop up a dom0 window asking where I want to copy it to. This is true when I run `qvm-copy` in any VM, it is immediately denied without prompting me. I'm running into the same problem with other qrexec services too, like: [user@testvm1 ~]$ qvm-open-in-dvm https://www.eff.org/ Request refused [user@testvm1 ~]$ My /etc/qubes-rpc/policy/qubes.Filecopy has only one line: $anyvm $anyvm ask However, if I edit it and add this line to the beginning: testvm1 testvm2 allow It works, but only if I use the deprecated `qvm-copy-to-vm`: [user@testvm1 ~]$ qvm-copy test.txt Request refused [user@testvm1 ~]$ qvm-copy-to-vm testvm2 test.txt qvm-copy-to-vm/qvm-move-to-vm tools are deprecated, use qvm-copy/qvm-move to avoid typing target qube name twice sent 0/1 KB [user@testvm1 ~]$ And likewise, my qubes.Gpg policy works for the VMs where I explicitly allow it. I read the QSB, and it says that the '$' character is being deprecated and replaced with the '@' character, but changing my qrexec policy to this doesn't work: @anyvm @anyvm ask Is anyone else running into this problem? Any solutions? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a5155c72-f7dd-f0f2-a595-9b172b4cc681%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Supercookies / Zombie cookies / Web Tracking — how effective are Qubes security domains against this
Qubes security domains don't necessarily help solve this problem because really the problem is how your web browsers are configured. So a tracking company can't link your browsing activity between Qubes domains -- your "personal" traffic and "work" traffic might look like two separate people -- but within one of those domains, they can still track you, and do all of those tricks. If you want web privacy, you'll have to configure your browser within Qubes the same way you have to outside of Qubes. Or, you can do all of your browser in DisposableVMs. Or use Tor Browser, which has taken many steps to prevent browser tracker as a design goal. On 09/18/2017 09:43 AM, jes...@gmail.com wrote: > In the past I have used a Firefox plugin called "Better Privacy" to try to > push back against multi-front user fingerprinting and analysis mechanisms > such as the kind used by large advertising and user demographics companies > which include the abuse of Flash LSOs, HTML5 local storage, Silverlight, et > al to confirm that the same user is browsing along a website or a distributed > ad network even when they "clear private data" or use incognito mode, even > when they switch to different browsers installed on the same machine, even if > they're using coffee shop wifi or VPNs so that they appear from different IP > addresses, etc. > > The take home being that it only takes one (1) fingerprint hit through one > (1) of the avenues available to tracking organizations to confirm that they > are dealing with the same end-user (or household unit, or something close > enough to pad their toxic dossier with) and thus to link every cookie > fingerprint that they know for this user across both domains under the same > umbrella. > > A pretty thorough look at all of the strategies that I am at least aware of > can be had at this url: > https://www.chromium.org/Home/chromium-security/client-identification-mechanisms > > So I am curious to what extent Qubes security domains may be sufficiently > complete as to defeat potentially all of these mechanisms simultaneously? > Especially if end-user configures one or more domains to pipe all network > traffic over a VPN or tor to additionally differentiate their IP address? > > I am especially interested to hear about how Qubes security domains interact > with Flash LSOs, and .. whatever-it-is that Silverlight and other > multi-browser plugins do, and whether *that* data leaks between domains. :/ > > Thank you for any insight you guys may have on this matter, as it sounds like > it speaks directly to Qubes primary mission goals of security by > compartmentalization. :D > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3e9cdccf-488c-fa1e-2bf0-b70c835108c5%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Network setup - TORVM-VPNVM
On 08/18/2017 03:43 PM, james.buttler1...@gmail.com wrote: > Ah right ok. So I am working the wrong way around when I look at the chain? Think of the ProxyVMs (like sys-whonix, sys-vpn, sys-firewall, sys-net) as being liking a router that you connect a VM to as a gateway to get internet access. sys-net connects to the internet through wifi or ethernet. sys-firewall gets it's internet from sys-net. And in your specific example: sys-whonix gets its internet from sys-firewall. sys-vpn gets its internet from sys-whonix. So you might want to make an AppVM called "personal" and set sys-vpn as its netvm. When you use the internet in that VM, all internet traffic will come from the VPN. You might want to make an AppVM called "captive-portal" and set sys-firewall to be its netvm. When you use the internet there, your IP will be your real IP address without any proxies. For each AppVM, you get to choose which ProxyVM it gets its internet from. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/70b270e2-6096-b619-26a0-c4d4c08d2189%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Network setup - TORVM-VPNVM
On 08/17/2017 04:32 PM, james.buttler1...@gmail.com wrote: > I'm just starting to use qubes os and I'm trying to understand how it all > works. > > If I wanted to setup the system to route all my traffic through tor and then > that tor traffic through a vpn > > Would I simply setup a TORVM with Its netVM being the vpnvm ? > > Or can a netVM not have its own netVM? > > Thanks for the help Qubes comes with sys-whonix, which is a ProxyVM that routes traffic through Tor. If you want to connect to Tor first, and then the VPN second, you would make a new ProxyVM for your VPN (I'll call it sys-vpn) and set its netvm to be sys-whonix. Then you'd create AppVMs and set their netvm to be sys-vpn. This way, all of the internet traffic in those AppVMs would be coming from your VPN's IP address, but you'll be connecting to your VPN anonymously over Tor. If you want all your traffic to go over this VPN, then in the VM Manager you can open Global Settings and set the default netvm to sys-vpn. (You can of course have specific AppVMs that use sys-whonix or sys-firewall as their netvm as well, like if you want to just use Tor, or if you want to click through captive portals on wifi networks.) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0d6bb719-3e2c-d442-8a6d-105fa3115a72%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] latest qubes update cause network problems
On 08/17/2017 03:56 AM, Kolja Weber wrote: > Hello, > > at first: thanks for the great work on qubes, it is amazing. > > i discover since the last update on 3.2 problems with my network in case > i suspend my T550 to ram. All VMs wake up fine including the network VM > but it doesent reconize any wlan (no networks show up), lan not tested yet. > > Vm restart doesent solve it, only way to get it back is a full reboot. > Any changes in the xen kernel related to wlan driver? > > Kolja I appear to have this same problem as well. Ethernet works, but after suspend wifi breaks. It looks like it's this issue: https://github.com/QubesOS/qubes-issues/issues/3008 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/aa2d4421-787a-ff45-071b-2b71a268d647%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Special (Secure) Browser Frontend for Qubes?!
On 08/08/2017 03:59 PM, taii...@gmx.com wrote: > FYI: Having different VM's using the same template doesn't really matter > as they all have the same browser fingerprint. If your primary concern is browser fingerprinting, you should just use Tor Browser. Other browsers don't attempt to hide your browser fingerprint, especially the most fingerprintable part, your IP address. But browser fingerprinting isn't many people's primary concern, I think. I use browsers in separate AppVMs for compartmentalization. So if one browser gets compromised (or if a website uses css tricks to guess my browser history, etc.), the attacker won't be able to obtain any information about what's going on in browsers in other AppVMs. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f0b802c4-a6d6-4781-f9f6-ec2328778f3b%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!
I've finally got Qubes 4.0-rc1 booted! I've got a couple questions. Without the VM Manager, is there a GUI way to delete VMs? I know you can run "qvm-remove" from a dom0 terminal. Is there a GUI way to start VMs without actually opening an application in them? (I often configure stuff to autostart when the VM is started.) I'm also noticing some strange USB VM stuff. On this computer I've opted to make sys-net both my netvm and usbvm, and I've confirmed that sys-net has my USB controller PCI devices attached. By default, my sys-net uses memory balancing, even though it has the warning message, "Dynamic memory balancing can result in some devices not working!" Should I turn off memory balancing? The devices systray applet thing for me lists these devices: sys-firewall:1-1 QEMU_QEMU_USB_Tablet_42 sys-net:2-7 8087_07dc sys-net:2-8 SunplusIT_INC._Integrated_Camera dom0:mic Microphone What is this qemu thing in sys-firewall? When I run lsusb in sys-firewall I see two devices, "Adomax Technology Co., Ltd" and "Linux Foundation 1.1 root hub". I confirm that sys-firewall doesn't have any USB controller PCI devices. But even weirder, when I boot a different AppVM, like personal, lsusb shows me the same USB devices, but it doesn't appear in the Qubes devices systray applet. And finally, when I plug in a USB device, the systray applet doesn't seem to see it. I plugged in a Yubikey, and when I run qvm-usb in dom0 it displays: sys-net:2-1 Yubico_Yubikey_4_OTP+U2F+CCID And running lsusb in sys-net displays it as well. But the devices dropdown doesn't list this. Also, I noticed that qrexec clients now require an extra step. If I run "qvm-copy-to-vm work example.txt" in my personal AppVM, the dom0 window that pops up asks me to select the target ("work", in this case) before clicking OK to allow it. This seems fine to me, and in fact I like how clear it's being, but "work" isn't pre-filled in, so I have to manually select it, or type it, each time, instead of just pressing enter. Finally, pro tip: In xfce, and especially in Qubes, I find pressing Alt-F3 and typing the name of a program much quicker than using the start menu. If I want to open Firefox in the personal AppVM, I type "personal:" and it shows me all the menu entries for personal, and "personal: f" is enough to select Firefox by pressing enter. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2dee2c30-c593-2824-5cc1-7b0b26a854da%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!
On 07/31/2017 03:22 PM, Rusty Bird wrote: > Micah Lee: >> I just installed Qubes 4.0-rc1 on a Lenovo ThinkPad T440 which runs >> Qubes 3.2 without a problem. After installing it, when I boot up, grub >> works, but then as soon as Qubes starts to boot the computer reboots, >> and I end up back in grub. > > I ran into the same behavior on a T420. Removing iommu=no-igfx from > the Xen command line fixed it. [1] Thank you, this fixed it! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b3640e1a-81fe-a02c-0bb8-131503751a4a%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!
On 07/31/2017 04:43 AM, Marek Marczykowski-Górecki wrote: > Hello, > > We have just released Qubes 4.0-rc1: > > https://www.qubes-os.org/news/2017/07/31/qubes-40-rc1/ I just installed Qubes 4.0-rc1 on a Lenovo ThinkPad T440 which runs Qubes 3.2 without a problem. After installing it, when I boot up, grub works, but then as soon as Qubes starts to boot the computer reboots, and I end up back in grub. Any ideas on how to start troubleshooting? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/37f90321-b62b-a74c-1f01-a6590a7f75a6%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Soft U2F in Qubes?
GitHub has released an interesting piece of Mac software called Soft U2F: https://githubengineering.com/soft-u2f/ It's basically a virtual security key, and it stores its secret in the macOS keyring. When you login to a website with 2FA, instead of using a physical USB security key, you just click an "approve" button that pops up. Their blog about it says: "Authenticators are normally USB devices that communicate over the HID protocol. By emulating a HID device, Soft U2F is able to communicate with your U2F-enabled browser, and by extension, any websites implementing U2F." As it stands, U2F is a pain in Qubes because you have to deal with USB passthrough, and exposing your VMs to sys-usb. How hard would it be to build a Qubes version of Soft U2F that stores the secret in a separate VM, similar to split gpg? This could make using U2F much more usable and secure inside of Qubes, I think. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/518a8fa7-05f3-f1ea-247a-bff614acbdc6%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Those using a Kali vm. Which download iso do you have that is working on qubes?
On 06/30/2017 04:51 AM, jakis2...@gmail.com wrote: > I'm not getting anything properly up. I've seen the errors on here that some > people have and never a solution really. I've also seen the errors talked > about in other places but no solution works on qubes > > As of now I can login and just get the small space at the bottom visible. > > On windows running virtual box there is no problems whatsoever I've had this same problem with different distros in HVMs running GNOME, including with Kali. I never solved it, but I did discover that XFCE doesn't have the same problem. So if you want to run something closer to vanilla Kali, you can download and install the "Kali 64 bit Xfce"[1] iso to an HVM, and this will work. Although, you won't get Qubes tools, which means you won't be able to fully maximize the window, share the clipboard, copy files between VMs, etc. I find that Kali is more usable in Qubes to do it in the way Noor suggested and use Debian with katoolin instead. [1] https://www.kali.org/downloads/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0b0cab82-2759-74db-e3ea-7c3add2e4599%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Display issues with Kali HVM
When I install Kali in an HVM it has this terrible display issue [1]. When I move the mouse to the top-left of the window, I can see the cursor navigate over the Application menu in the bottom left. Does anyone know how to fix this? This screen resolution trick [2] doesn't do it. If I set a custom xorg.conf with these changes, GNOME fails to load when I try logging in, and I get spit back out at the login screen. I know that I can follow instructions here [3] and use katoolin to make a Debian template full of Kali tools, but I'm hoping to actually run Kali itself, with GNOME configured exactly as it is. [1] https://i.imgur.com/pLWGnmw.png [2] https://www.qubes-os.org/doc/linux-hvm-tips/#screen-resolution [3] https://www.qubes-os.org/doc/pentesting/kali/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/32f4ec03-555d-0cf4-1f5f-eb7bd5e69f85%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Breaking the Security Model of Subgraph OS
I met up with Joanna at the recent Tor meeting in Amsterdam, and we tried to see if we could hack Subgraph OS, which I was running on my travel computer. We succeeded, and I've written up all the details here: https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ And also made a video of the exploit here: https://www.youtube.com/watch?v=SVsllZ7g7-I The analysis compares how Qubes would handle such an attack. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b8638f35-6c0c-2d9a-e321-5b951facc8e3%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Chainloading to the Qubes bootloader
On 12/06/2016 12:31 PM, justin.h.holg...@gmail.com wrote: > On Tuesday, December 6, 2016 at 12:24:08 PM UTC-8, Micah Lee wrote: >> On 12/06/2016 12:18 PM, justin.h.holg...@gmail.com wrote: >>> TL/DR: what can I put in /etc/grub.d/40_custom to chainload the Qubes /boot >>> partition at /dev/sda7? >> >> It's kind of old at this point, but I wrote a blog post awhile ago about >> dual-booting Ubuntu and Qubes, including the chainloading details: >> >> https://micahflee.com/2014/04/dual-booting-qubes-and-ubuntu-with-encrypted-disks/ > > Right! I came across that and I was hoping to basically do the reverse, where > the Ubuntu bootloader comes first and has an option for Qubes. Unfortunately, > I couldn't get it to work. You could set chainloading to Ubuntu's grub as the default option in the Qubes grub. You'll boot to Qubes grub, wait 3 seconds, boot to Ubuntu grub, wait 3 seconds, boot to Ubuntu. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3ef8461d-5377-db0e-5da4-510b715a4df8%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Chainloading to the Qubes bootloader
On 12/06/2016 12:18 PM, justin.h.holg...@gmail.com wrote: > TL/DR: what can I put in /etc/grub.d/40_custom to chainload the Qubes /boot > partition at /dev/sda7? It's kind of old at this point, but I wrote a blog post awhile ago about dual-booting Ubuntu and Qubes, including the chainloading details: https://micahflee.com/2014/04/dual-booting-qubes-and-ubuntu-with-encrypted-disks/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5b0c20d2-d221-575c-49fe-f8063173c159%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Yubikeys in Qubes
On 12/02/2016 06:50 PM, Leeteqxv wrote: > Is it not possible to configure this to having the Yubikey require the > person to press the key button manually/physically? > If not, such a limitation would lie in the software rather than in the > Yubikey, I assume, since the Yubikey support Challenge-Response and such > already? If possible, it is definetely preferable to work around > potential PIN theft and subsequent hidden (mis)use by requiring a > manual/physical action. The problem here is that products that can be used as OpenPGP smart cards, like the Yubikey, can't just make arbitrary features like challenge-response for secret key operations. They need to implement the OpenPGP specification so that all software that works with them (GnuPG, OpenKeychain, others) can implement the same spec, and everything can just. The spec currently supports requiring a PIN to do secret key operations, with rate limiting that makes too many invalid PIN guesses locks the card. In order to support challenge-response as well I think the OpenPGP smart card spec would need to get updated, which is a much longer process that just writing some new software. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7b55411b-5d84-6919-3e6e-1be2b8e429a7%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Yubikeys in Qubes
On 12/01/2016 04:37 PM, Marek Marczykowski-Górecki wrote: > The tool run by qvm-usb does support alternative device identification > - using product and vendor ID. Also to specify which device to attach. > This isn't exposed by qvm-usb tool, because it may be ambiguous, but may > be useful here. See README for more details: > https://github.com/QubesOS/qubes-app-linux-usb-proxy > I acknowledge that your solution is better in some aspect: it exists and > works :) It seems, from my brief testing, that all Yubikeys of the same version have the same product and vendor ids. That still might be preferable to grepping for "Yubikey" though. > Is communication with YubiKey encrypted, or at least somehow > authenticated? Otherwise malicious USB VM could easily perform some kind > of man in the middle attack and for example sign document you really > didn't want to sign. Or decrypt arbitrary data. It's possible even when > physical confirmation (button) is required - by simply waiting until you > perform *some* operation. It is authenticated, but unfortunately I don't think in a secure way. When you use any OpenPGP smart card you have to set a PIN to use it, and you have to authenticate with the smart card using the PIN. In the case of Yubikeys, you type the PIN using the gpg pinentry program (some smart card readers have physical keypads to type the PIN, so software keyloggers on the computer can't steal the PIN). But I'm pretty sure that the PIN you type in, in plaintext, gets sent to the Yubikey, so your usbvm could probably log the PIN the very first time you use your smart card, and then use it as much as it wants after that without you knowing. Also, I'm pretty sure none of the communication is encrypted. To decrypt a message on a smart card, you send the ciphertext (and a PIN, if it isn't cached) to the smart card, and it decrypts it responds with the plaintext. So likely, the usbvm could spy on the plaintext of decrypted messages. Unfortunately Yubikeys don't support pressing the physical button for secret key operations. Those are preserved for 2FA and static passwords. > This is general problem with USB devices, which are hard to solve with > the current USB infrastructure (USB VM can do anything with any device > connected to it). Without some fundamental USB rework - probably at > hardware layer, I think the only alternative is protecting the data at > individual device protocol level (like you do with encrypted USB sticks > for example). Sad, but reality. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6c322b41-e60f-d577-d15d-6cf7884ee8cf%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Yubikeys in Qubes
On 12/01/2016 05:14 PM, Chris Laprise wrote: > What is an acceptable / secure way to obtain a Yubikey fob? Unfortunately it's kind of hard to find Yubikeys in retail stores. You might check here to see if you can find one close to you: https://www.yubico.com/store/resellers/ Otherwise, you kind of have to order them online. It might make sense to have one person do a single bulk order and pay for the fastest shipping (to reduce the window for interdiction), and then distribute them to in person to friends who want them. But of course it's not perfect. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2cda7f76-87c2-a192-c59c-dcd3f68a8837%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Yubikeys in Qubes
I just wrote a quick blog post about using Yubikeys in Qubes. Specifically, I wanted to share a script that will use qvm-usb to attach your Yubikey to your gpgvm no matter what USB port you plug it into. https://micahflee.com/2016/12/qubes-tip-making-yubikey-openpgp-smart-cards-slightly-more-usable/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5e442acf-1d2f-c37a-b69c-65b1a57e45dd%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking between Linux and Windows VMs
On 09/05/2016 02:44 PM, Connor Page wrote: > they should be connected to the same firewallvm, not netvm. iptables in > netvms are set up differently. They are connected to the same firewallvm. And I've successfully gotten networking working between two Linux VMs using this firewallvm. It's just not working with one of the VMs being a Windows HVM. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5eddbdaf-ca4e-cf63-b739-1229acc0f052%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Networking between Linux and Windows VMs
I've installed Windows 10 in an HVM (called dev-win10), and I'd like to be able to connect to its RDP service from a Linux VM (called dev). The documentation [1] says both VMs need the same netvm, and in that netvm I need to enable an iptables rule to let dev communicate with dev-win10: iptables -I FORWARD 2 -s $DEV -d $DEV_WIN10 -j ACCEPT Then in the VM that will hosting the service, dev-win10 in this case, I need to allow incoming connections from the source IP: iptables -I INPUT -s $DEV -j ACCEPT This seems to work fine if the VM hosting the service is Linux. Since it's Windows I obviously just need to allow access using the Windows Firewall instead of with iptables. It sure seems like I'm allowing all inbound connections to the Remote Desktop service in the Windows Firewall [2], however when I try connecting to it from dev it times out. I've also tried running a simple http server using python3: python3 -m http.server And I allowed python.exe through the Windows firewall, but I can't connect to that service either. When I try the same experiment in a Linux VM, I can connect to it fine from dev. Any idea what I'm missing? [1] https://www.qubes-os.org/doc/qubes-firewall/#tocAnchor-1-1-4 [2] https://i.imgur.com/PyrKLAm.png -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1615c334-65bc-5cd3-348a-c935e4392abf%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] 3.2-rc1, xfce4 volume control
On 07/13/2016 03:07 PM, Marek Marczykowski-Górecki wrote: > Wasn't that installed by default? It should be... It wasn't for me. I installed xfce by installing the @xfce-desktop-qubes package in dom0, rather than using the installer. > Install xfce4-volumed. It will be installed by default in next release > candidate. Thanks! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1781d433-c7a3-4615-efb1-90a654c2dbd2%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] 3.2-rc1, xfce4 volume control
One thing I've noticed is that there's no volume control on my panel, and my laptop's volume up and down keys don't work to adjust the volume. I discovered that I can adjust the volume by manually running alsamixer in dom0. I also discovered that I can install the xfce4-mixer package, and then run xfce4-mixer, to get a GUI granular volume control. That package also include a mixer panel applet, which requires a bit of configuration to work properly. I still haven't made my volume up and down keys work. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1301705c-129f-97f1-24bd-ec9a05b66cdd%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Installing XFCE
I've installed Qubes 3.2-rc1 with only KDE. How do I install XFCE now as well? The docs [1] about this look super outdated. A couple things that I tried but didn't work: sudo qubes-dom0-update xfce4 sudo qubes-dom0-update @XFCE sudo qubes-dom0-update @xfce-desktop-environment [1] https://www.qubes-os.org/doc/xfce/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/adab2276-029f-2acb-3302-5497813cd944%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Opening links in your preferred AppVM
I published a quick blog post explaining how I do this: https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e8b44135-64fc-fe4c-1e46-c28800215a0b%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] HVM Win7 libxenlight error?
On 06/20/2016 12:03 PM, Andrew David Wong wrote: > Thanks. Tracking here: > > https://github.com/QubesOS/qubes-issues/issues/2096 Excellent. Just to be thorough, the problem was that I hadn't installed the qubes-windows-tools package in dom0. Since that package isn't yet available in R3.2 RC1, I installed it from the testing repos: sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8376ec93-4058-b400-b70e-c9c08e6fb434%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] [R3.2 RC1] USB passthrough
I'm trying to test out USB passthrough in Qubes R3.2 RC1 by following these docs [1]. It says to install the qubes-usb-proxy package in my usbvm's template (in my case, fedora-23), however after installing it I still don't have a qvm-usb in my path. Am I missing something? [user@fedora-23 ~]$ sudo dnf install qubes-usb-proxy Last metadata expiration check: 2:48:42 ago on Sun Jun 19 10:30:21 2016. Package qubes-usb-proxy-0.1-1.fc23.noarch is already installed, skipping. Dependencies resolved. Nothing to do. Sending application list and icons to dom0 Complete! [user@fedora-23 ~]$ which qvm-usb /usr/bin/which: no qvm-usb in (/usr/lib64/qt-3.3/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user/.local/bin:/home/user/bin) [user@fedora-23 ~]$ [1] https://www.qubes-os.org/doc/usb/#tocAnchor-1-1-5 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/33b7cfd8-ea17-e18f-27e9-28773ba43fc7%40micahflee.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [R3.2] Settings for displays missing
On 06/19/2016 07:50 AM, Albin Otterhäll wrote: I've just installed R3.2-RC1 and I can't find the settings for displays in Plasma (KDE). /System Settings --> Display and Monitor/ doesn't contain any settings for monitors, just the compositor. I'm using a Thinkpad T430 (laptop) and trying to connect my external monitors. It appears that there are some missing packages in dom0. I solved this by installing kscreen: $ sudo qubes-dom0-update kscreen This made KDE recognize my external monitor, but I still couldn't find the configuration tool in System Settings. However I figured out that I could open it like this: $ kcmshell5 kscreen -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/58f517aa-f2f0-2ce1-4077-cc5e18d40aa6%40micahflee.com. For more options, visit https://groups.google.com/d/optout.