Re: [qubes-users] Re: unexpected system restart

2018-04-04 Thread Robert Fisk
On 04/03/2018 02:24 PM, qubenix wrote:
> cooloutac:
>> On Monday, April 2, 2018 at 12:31:09 PM UTC-4, qubenix wrote:
>>> Hello all. I'm currently still on R3.2.
>>>
>>> I had a situation where I was working with a normal (for me) amount of
>>> VMs running. Nothing even close to extreme as far as cpu/mem/io/temp.
>>> During startup of an AppVM that I use all the time, my system just did a
>>> hard shutdown ("no input" on screen, connected with hdmi) and then right
>>> into a restart.
>>>
>>> How can I debug this in a useful way? Does someone have an idea what
>>> might cause it?
>>>
>>> -- 
>>> qubenix
>>> GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500
>>
>> weird.  you using sleep mode at all?  Checked the obvious issues like temps, 
>>  hdd errors,  memory stability?
>>
> 
> No sleep, checked all obvious issues.
> 

Does the AppVM have any attached PCI devices? I have one R3.2 system
where starting a VM with USB controller attached occasionally causes the
whole machine to reboot.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/72b26482-e22d-8194-7383-2b9a9db1bcf2%40fastmail.fm.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Firewall rules for Thunderbird and Gmail

2018-02-25 Thread Robert Fisk
On 02/13/2018 06:39 AM, Demi Obenour wrote:
> What websites and ports do I need to whitelist if I want to enable use
> Thunderbird with GMail and Google Calendar?  I am using the Google
> Calendar add-on.
>

To actually answer the question, this Google support page has what you
need to know:

https://support.google.com/a/answer/60764?hl=en

Regards,
Robert



Re: [qubes-users] Re: USB Keyboard thoughts...

2017-12-05 Thread Robert Fisk
On 12/05/2017 05:09 PM, taii...@gmx.com wrote:
> On 12/04/2017 07:31 PM, cooloutac wrote:
>
>> I use a usb to ps2 adapter for my keyboard.
> I assume with the mistaken impression that PS/2 is more secure for
> some reason - for the record it sends your keystrokes out on the
> ground wire.
>

Sends keystrokes out? To where? Inquiring minds request further
information / references!



Re: [qubes-users] USB Keyboard thoughts...

2017-12-03 Thread Robert Fisk
On 12/03/2017 09:37 AM, Jean-Philippe Ouellet wrote:
> On Fri, Dec 1, 2017 at 1:10 PM, Matty South  wrote:
>> I love the Qubes project! I've been thinking of ways to improve the security 
>> when it comes to USB Keyboards.
>>
>> I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard 
>> attached to the system. Upon plugging in the USB keyboard for the first 
>> time, I rightfully got a security warning about the implications of passing 
>> USB Keyboard input into dom0 (think USB Rubber Ducky attack among others). 
>> OK, I'm on board so far. What surprises me is that I didn't just authorize 
>> THIS keyboard to pass through to dom0, I have authorized *ANY* USB keyboard 
>> to access dom0. I verified this with other keyboards and even a home-made 
>> Rubber Ducky attack using a teensy.
>>
>> Curious, is there a reason why we don't restrict the authorized USB keyboard 
>> based on USB Serial number or even VID or PID. Sure with PID/VID, a physical 
>> attacker who knows your brand of keyboard could still pass through 
>> keystrokes, but it would still up the bar a little for these style of 
>> attacks.
>>
>> I'm on Version 3.2 so forgive me if this has been addressed in 4.0.
>>
>> Secondly, I don't want to be the guy begging for improvements, I would like 
>> to contribute. Can anyone point me to a good place to start if I want to add 
>> this feature? I'm thinking here maybe? 
>> https://github.com/QubesOS/qubes-app-linux-usb-proxy
> See https://github.com/QubesOS/qubes-issues/issues/2518
>

Hi Matty and all,

I am the developer of the USG hardware firewall mentioned in issue 2518.
On its own this gadget can do most of what you want - it blocks hidden
hubs so a flash drive cannot also supply keystrokes, and it blocks
devices re-enumerating as a keyboard after first enumerating as
something else.

Issue 2518 is about encrypting keystrokes from the keyboard to dom0, so
that a compromised sys-usb cannot sniff or spoof them. Jean-Philippe
suggested borrowing ideas from CrypTech's HSM design, which is worth
looking into. However I don't have time to look into this myself right
now. I would also require help with the qubes-side implementation of
whatever secure channel we choose. You are welcome to look through the
thread and let us know what you think!

Regards,
Robert



Re: [qubes-users] Re: NAUTILUS MISSING FOLLOWING UPDATE TO DEBIAN 9

2017-08-19 Thread Robert Fisk
On 08/19/2017 10:12 AM, pixel fairy wrote:
> On Friday, August 18, 2017 at 3:56:38 AM UTC-7, higgin...@gmail.com wrote:
>> Thanks Foppe de Haan.
>>
>> The sudo apt-get install nautilus was all I needed.
>>
>> All fine now.
>>
>> Cheers
> @Andrew David Wong , maybe this should be a step in 
> https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
>

I noticed that nautilus was removed by "sudo apt-get autoremove" in step
5 of the upgrade doc.



Re: [qubes-users] sys-usb and usb read-only

2017-08-11 Thread Robert Fisk
On 08/11/2017 08:41 PM, Nicolas Mojon wrote:
> Hi, 
>
> I would like to know if on the new 4.0 it is possible to lock down data in a
> VM so that nothing can go out of the VM (like no internet or copy-paste
> through dom0). I would like to do that especially for USB sticks or other
> storage devices, so that people can work on things on the USB in the VM but
> nothing must be able to go out.
>
> In addition to that, I would like to know if it is possible to use the
> sys-usb VM but with a USB keyboard, because for the moment, when I try to
> implement it, it finishes in a deadlock because I cannot use the keyboard when
> restarting. And even with the ask policy, it happens after the login so it is
> pretty problematic, and allowing it completely will probably cause a security
> issue for my system on of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas
>

Hi Nicolas,

I am not aware of any changes between r3.2 and r4.0 that would affect
your use case. You can disable the vm's networking of course. If you
want a read-only USB flash drive you should look at the USG hardware
firewall. I have recently released configurable firmware with a
read-only mass storage option:

https://github.com/robertfisk/usg/wiki

Regarding USB keyboards with sys-usb, as you have discovered this does
not work. Enabling sys-usb sets a kernel option to hide all USB
controllers from dom0, and you then cannot type the disk password. You
have two choices:

 1 - Leave sys-usb enabled. Boot with a PS/2 keyboard attached (laptop
keyboards are PS/2)
 2 - Disable sys-usb. Leave your keyboard's PCI USB controller attached
to dom0. Assign other PCI USB controllers to your own usb VM. If your
system only has one USB controller you could purchase a USB expansion card.

Read the Qubes USB docs for more info:

https://www.qubes-os.org/doc/usb/

Regards,
Robert



Re: [qubes-users] My Windows VM always stops after a while

2017-04-13 Thread Robert Fisk
On 04/13/2017 05:24 PM, loke...@gmail.com wrote:
> I have a Windows VM where I run Outlook for work purposes. It works
> great and I keep it in a separate xfce workspace. I'm running it in
> desktop mode (i.e. the Windows desktop is in a single Xfce
> window).
> 
> After a certain amount of time (hard to say how long, but I'd guess
> it's in the 30 minute to 1 hour range) the Windows desktop
> disappears, and in the Qubes manager the Windows VM is marked as
> yellow. It will stay yellow until I hard-kill the VM.
> 
> Does anyone have any idea what is going on, and what I can do to
> fix it?
> 

I notice this problem when a Windows VM is left running, but doesn't
receive any user input for 30min or more. The window will disappear
when I'm not looking and I later find the VM stopped.

In my case the solution is to use the VM, and it is reliable until the
work is finished and I shut it down. Just a thought - have a look
through the power saving & sleep options. It might be trying to "save
power"  and causing problems with Xen.

Regards,
Robert


Re: [qubes-users] USG - AFirewall For USB's

2017-03-15 Thread Robert Fisk
On 03/15/2017 05:22 PM, Syd Brisby wrote:
> If you remove the wireless module from a laptop, then connect a USB
> wifi adapter (or bluetooth adapter) to a USG and plug the two into
> the laptop, could a (future?) USG act as a hardware firewall for
> the wifi device (or bluetooth device)? For example, Deter MAC
> address scanning? Deter portscanning and rogue packets being sent
> to ports? Deter man-in-the-middle hotspot attacks? Or deter
> bluetooth hacking attempts? etcetera.
> 

Theoretically yes, a USB firewall could perform this function. However
it would involve porting large parts of the linux network stack to run
on an embedded microprocessor with 256kB flash and 64kB RAM. Difficult
and painful if possible at all. Certainly not a task for one developer
in their spare time!



Re: [qubes-users] USG - AFirewall For USB's

2017-03-13 Thread Robert Fisk
On 03/13/2017 02:56 PM, Jean-Philippe Ouellet wrote:
> On Sun, Mar 12, 2017 at 3:06 AM,   wrote:
>> This guy claims to have created a firewall for untrusted USB's 
>> https://github.com/robertfisk/USG/wiki . Anyone tested this?
> 
> Previously discussed here:
> 
> https://groups.google.com/d/msg/qubes-users/MEzOZ_naupo/lMjdMDwFAwAJ
>
> https://groups.google.com/d/topic/qubes-users/UHiDauas4rM/discussion
> 


>> Anyone tested this?
I have... a lot!

I am preparing another batch of hardware right now. Anyone interested
in ordering one can contact me in about 2 weeks when it will be ready.

The price is NZ$80 each (about US$60), and tracked airmail to major
continents is NZ$55 (about US$40). If you don't want to buy one from
me, you can make your own from development boards!

https://github.com/robertfisk/USG/wiki/Hardware-%28DIY-v0.9%29

Regards,
Robert


Re: [qubes-users] Re: Possible to get usable Win7 gui?

2017-01-02 Thread Robert Fisk
On 01/02/2017 09:33 AM, Jeremy Rand wrote:
> Robert Fisk:
>> On 12/30/2016 01:33 AM, Jarle Thorsen wrote:
>>> On Thursday, 29 December 2016 at 13:14:25 UTC+1, Grzesiek Chodzicki
>>> wrote:
>>>> On Thursday, 29 December 2016 at 13:07:44 UTC+1, Jarle Thorsen
>>>> wrote:
>>>>> Currently my Windows 7 StandaloneVM feels a bit sluggish.
>>>>>
>>>>> Moving windows (no phun intended) is a pain.
>>>>>
>>>>> Is it possible to have a Windows VM without any lag, or is
>>>>> this just a part of the deal with Qubes OS?
>>>>>
>>>>> What tweaks should I do to get my Windows VM as responsive as
>>>>> possible?
>>>>>
>>>>> I have no problems with lag in dom0 or any of the Linux VMs.
>>>>>
>>>>> My display is 2560x1440, maybe a large display is part of my
>>>>> problem?
>>>>
>>>> VM Performance is largely dependent on the CPU and RAM so
>>>> ensure that your Windows VM has enough vCPUs and RAM assigned
>>>> to it.
>>>
>>> Throwing more vCPUs and RAM at it hasn't made a big difference so
>>> far, but I'm moving my system to a way more powerful system the
>>> next couple of days, hope that will make a difference.
>>>
>>> Can anybody please confirm that it is indeed possible to have a
>>> lag-free Windows experience under QubesOS?
>>>
> 
>> I run a Win7 VM on a i5 gen 4 ULV machine. I have always had
>> problems with lag increasing over time. On bootup the VM is fast,
>> but after 20 min it is unusable with each screen redraw taking ~4
>> sec and associated high CPU usage. This has happened both on R3.0
>> and R3.2.
> 
>> I work around the issue by using Remmina (or other RDP client) in
>> an appVM, and allowing IP forwarding in the firewall vm. This
>> solution does not suffer from increasing lag, and should be usable
>> for everything except gaming. See instructions here:
> 
>> https://www.qubes-os.org/doc/firewall/
> 
> 
>> Regards, Robert
> 
> I'm curious, are you using Qubes Windows Tools in that VM?  My Windows
> VM's do not have Qubes Windows Tools.  (I'm trying to figure out what
> might explain why you've run into this issue and I haven't.)
> 
> Cheers,
> -Jeremy
> 

Yes I have QWT installed in the VM, however I guess the problem is
somewhere else: I only notice the problem when using Adobe applications.
These have custom button and toolbar styles presumably drawn with weird
custom Adobe code. As time passes these toolbars redraw slower and
slower, to the point where you can see each new UI element appear in a
tedious ripple across the screen.

I can't remember if restarting the application in question fixes the
problem, or whether a VM reboot was required. But using RDP allows me to
get on with the work, which is all I really care about!

Regards,
Robert



Re: [qubes-users] Re: Possible to get usable Win7 gui?

2017-01-01 Thread Robert Fisk
On 12/30/2016 01:33 AM, Jarle Thorsen wrote:
> On Thursday, 29 December 2016 at 13:14:25 UTC+1, Grzesiek Chodzicki wrote:
>> On Thursday, 29 December 2016 at 13:07:44 UTC+1, Jarle Thorsen
>> wrote:
>>> Currently my Windows 7 StandaloneVM feels a bit sluggish.
>>>
>>> Moving windows (no phun intended) is a pain.
>>>
>>> Is it possible to have a Windows VM without any lag, or is this just a part 
>>> of the deal with Qubes OS?
>>>
>>> What tweaks should I do to get my Windows VM as responsive as possible?
>>>
>>> I have no problems with lag in dom0 or any of the Linux VMs.
>>>
>>> My display is 2560x1440, maybe a large display is part of my problem?
>>
>> VM Performance is largely dependent on the CPU and RAM so ensure that your 
>> Windows VM has enough vCPUs and RAM assigned to it.
> 
> Throwing more vCPUs and RAM at it hasn't made a big difference so far, but 
> I'm moving my system to a way more powerful system the next couple of days, 
> hope that will make a difference.
> 
> Can anybody please confirm that it is indeed possible to have a lag-free 
> Windows experience under QubesOS?
> 

I run a Win7 VM on a i5 gen 4 ULV machine. I have always had problems
with lag increasing over time. On bootup the VM is fast, but after 20
min it is unusable with each screen redraw taking ~4 sec and associated
high CPU usage. This has happened both on R3.0 and R3.2.

I work around the issue by using Remmina (or other RDP client) in an
appVM, and allowing IP forwarding in the firewall vm. This solution does
not suffer from increasing lag, and should be usable for everything
except gaming. See instructions here:

https://www.qubes-os.org/doc/firewall/


Regards,
Robert



Re: [qubes-users] USB hardware firewall

2016-12-10 Thread Robert Fisk
On 12/10/2016 08:25 AM, Marek Marczykowski-Górecki wrote:
> On Sun, Sep 04, 2016 at 06:35:42PM +1200, Robert Fisk wrote:
>> On 09/01/2016 06:55 PM, johnyju...@sigaint.org wrote:
>>> I was thinking earlier that some form of a "USB Firewall"
>>> hardware device might be cool to create; one that goes into
>>> each USB port in between each device and the PC, and only
>>> passes a specific device, or only a HID device (and doesn't
>>> permit a drive to add another HID identity).  Yet another side
>>> project for winter. :)  There may be existing products.
> 
> 
>> Ahem. Allow me to introduce you to a project I have been working
>> on for a while now:
> 
>> https://github.com/robertfisk/usg/wiki 
>> https://github.com/robertfisk/USG/wiki/FAQ
> 
>> The USG (which is Good, not Bad) is a hardware firewall for your
>> USB ports. It connects between your computer and your untrusted
>> USB device, isolating the badness with two dedicated processors.
> 
>> Features: - Isolates low-level USB exploits by using a simple
>> internal protocol with minimal attack surface
> 
>> - No hub support blocks 'hidden' malicious devices
> 
>> - Prevents devices changing their enumerated class after
>> connection, stopping malicious class changes.
> 
> 
>> Device support: mass storage (flash drives), keyboards, mice.
> 
>> Project status: You can build your own USG v0.9 hardware out of 
>> development boards if you are handy with a soldering iron. End
>> user hardware is approaching production-ready status, samples
>> will be available in the coming months.
> 
>> Feedback / pull requests / sales leads are welcome!
> 
> This project has great potential! The USB proxy hardware can be
> used for somehow more secure USB keyboard usage on Qubes OS, when
> only a single USB controller is available. Take a look at this
> idea[1]:
> 
> Have a piece of hardware plugged between USB keyboard and PC (based
> on https://github.com/robertfisk/USG?), to encrypt and
> integrity-protect the events. And then decrypt them in dom0 and
> check integrity protection, and only then pass them down to input
> devices stack. This should at least partially guard against
> malicious USB VM. It still will be able to perform timing based
> attacks to guess what you're typing - not sure how accurate such
> attacks are currently. Such device could introduce artificial delay
> (like - inject queued events every 50ms) to at least partially
> mitigate such attacks.
> 
> What do you think about it? I think the hardware you've designed
> is perfect for this!
> 
> [1] 
> https://github.com/QubesOS/qubes-issues/issues/2507#issuecomment-265894809
>
> 
> 

This sounds like a great idea, and I am keen to be involved. There is
plenty of flash space available on the embedded CPUs to implement some
form of encryption, although the best method of doing so on bare-metal
ARM is certainly open for discussion.

A recent batch of hardware samples sold out in November. Due to Real
Life(TM) the next batch of hardware is likely to be ready late January
or early February. Pricing is currently NZ$80 each (approx US$57).

Regards,
Robert
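
The scheme proposed in the quoted message above (and referred to again in the 2017-12-03 reply about issue 2518), sketched as an added example; it is not part of the thread and is not code from USG or Qubes. The frame layout, slot count, pre-shared keys and the HMAC-SHA256 counter-mode keystream (a stand-in for a vetted AEAD cipher) are assumptions.

```python
import hashlib
import hmac
import struct
from collections import deque

TICK_MS = 50      # from the post: queued events are injected every 50 ms
SLOTS = 4         # assumed: fixed number of event slots per frame
TAG_LEN = 32      # HMAC-SHA256 tag length
FRAME_LEN = 8 + 2 * SLOTS + TAG_LEN   # sequence number + slots + tag


def _keystream(key, seq, n):
    """HMAC-SHA256 in counter mode; assumed stand-in for a real AEAD cipher."""
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


class KeyboardSide:
    """Runs on the in-line device; the USB VM only ever sees tick() output."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.queue = deque()
        self.seq = 0

    def key(self, keycode, pressed):
        if not 1 <= keycode <= 255:
            raise ValueError("keycode 0 is reserved for padding")
        self.queue.append((keycode, pressed))

    def tick(self):
        """Called every TICK_MS; emits one fixed-size frame even when idle,
        so frame timing and size do not reveal when keys were pressed."""
        slots = bytearray(2 * SLOTS)              # zero keycode = empty slot
        for i in range(min(SLOTS, len(self.queue))):
            keycode, pressed = self.queue.popleft()
            slots[2 * i], slots[2 * i + 1] = keycode, int(pressed)
        header = struct.pack(">Q", self.seq)
        stream = _keystream(self.enc_key, self.seq, len(slots))
        body = bytes(a ^ b for a, b in zip(slots, stream))
        # Encrypt-then-MAC over sequence number and ciphertext.
        tag = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        self.seq += 1
        return header + body + tag


class Dom0Side:
    """Verifies each frame before anything reaches the input stack."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.expected = 0

    def receive(self, frame):
        if len(frame) != FRAME_LEN:
            raise ValueError("bad frame length")
        header, body, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("integrity check failed")
        (seq,) = struct.unpack(">Q", header)
        if seq != self.expected:                  # fail closed on any gap
            raise ValueError("replayed, dropped or reordered frame")
        self.expected += 1
        stream = _keystream(self.enc_key, seq, len(body))
        slots = bytes(a ^ b for a, b in zip(body, stream))
        return [(slots[i], bool(slots[i + 1]))
                for i in range(0, len(slots), 2) if slots[i] != 0]
```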


[qubes-users] USB hardware firewall (was: epoxy on ram to prevent cold boot attacks?)

2016-09-03 Thread Robert Fisk
On 09/01/2016 06:55 PM, johnyju...@sigaint.org wrote:
> I was thinking earlier that some form of a "USB Firewall" hardware
> device might be cool to create; one that goes into each USB port in
> between each device and the PC, and only passes a specific device,
> or only a HID device (and doesn't permit a drive to add another HID
> identity).  Yet another side project for winter. :)  There may be
> existing products.


Ahem. Allow me to introduce you to a project I have been working on
for a while now:

https://github.com/robertfisk/usg/wiki
https://github.com/robertfisk/USG/wiki/FAQ

The USG (which is Good, not Bad) is a hardware firewall for your USB
ports. It connects between your computer and your untrusted USB
device, isolating the badness with two dedicated processors.

Features:
 - Isolates low-level USB exploits by using a simple internal protocol
with minimal attack surface

 - No hub support blocks 'hidden' malicious devices

 - Prevents devices changing their enumerated class after connection,
stopping malicious class changes.


Device support: mass storage (flash drives), keyboards, mice.

Project status: You can build your own USG v0.9 hardware out of
development boards if you are handy with a soldering iron. End user
hardware is approaching production-ready status, samples will be
available in the coming months.

Feedback / pull requests / sales leads are welcome!

Robert