Re: [qubes-users] Tor security - browsing/downloading over http

2018-04-04 Thread js...@riseup.net
'awokd' via qubes-users:
> On Tue, April 3, 2018 11:42 pm, Giulio wrote:
>> 3) Not using tor in order to download files prevents only man-in-the-middle
>> attacks coming from the tor network; your provider, your
>> neighbors, your dns server etc. may still trick you the same way.
> 
> To jsnow's question on this, file modifications can be automated. The
> attacker could have a selection of files already modified, then watch for
> anyone trying to download it and substitute the poisoned one. Probably
> other ways to dynamically patch filetypes (like all .EXE for example) on
> the fly too. Check out "Quantum Insert". Tor helps here because it's much
> more difficult to target specific recipients for poisoned files, so they
> have to be sent to everyone who requests them which increases the
> likelihood they will get discovered. Of course, that's not the case if
> you're logging in to something.

Ok yea that makes sense. I guess i'm partially protected by the fact i'm
not doing anything really suspicious, but i guess what i'm concerned
about is dragnet attempts to compromise everyone and anyone, tho it
makes sense that would increase the chance they'd be caught which makes
it less likely.

-Jackie

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/268ec220-23ef-bc66-4951-0a9c870f2b6e%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Tor security - browsing/downloading over http

2018-04-04 Thread js...@riseup.net
Hi Giulio,

Giulio:
> 1) Most websites with a login do have https.
Yea especially now compared with a few years ago. Some still don't
unfortunately!

> 2) Which type of files are you talking about? If we are not talking about 
> executables (i hope not) then Qubes does have disposable vms which should 
> prevent an attacker from accessing sensitive files or gaining persistence.

Mostly pdfs/documents and maybe media files, but maybe also things like
game roms to play in an emulator. Nothing super important but i still
want to avoid compromise especially if i'm transferring files to a usb
stick/another computer.

I need to get in the habit of opening files in dispvms tho.

> As a general rule, mixing any of your tor activities with your non tor 
> activities does break the very purpose of tor, especially if you use the same 
> accounts in and out.

Yea using the same accounts for things in and out of tor is pretty
pointless. It seems pretty safe tho to use the same site in and out of
tor if you're doing different things and therefore not linked? (as long
as it's not at the same time)

> My suggestion is to first try to understand what the purpose of tor is and 
> against which type of adversary you need protection and then make your 
> choices on that basis.

As far as what kind of adversary i'm thinking about here i guess ones
with a lot of resources, who think using tor is inherently
bad/suspicious, and so operate exit nodes to scoop up data on tor users,
and try to compromise random users to see what they're up to.

-Jackie



Re: [qubes-users] Re: Help with 4.0 transition from 3.2?

2018-04-03 Thread js...@riseup.net
cooloutac:
> On Tuesday, April 3, 2018 at 8:54:48 AM UTC-4, vel...@tutamail.com wrote:
>> 7) It is my understanding that 4.0 introduces a remote admin function - how 
>> do I confirm this is OFF and can never be turned on?
> 
> 7.  first I've heard of this got any links to exactly what you are referring? 
>  

I think they're talking about this?

https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/

Not sure if that's been implemented yet tho.

-Jackie



[qubes-users] Tor security - browsing/downloading over http

2018-04-03 Thread js...@riseup.net
Hi everyone,

I've been thinking about ways i can increase security when using tor in
a whonix vm, and i had a few questions about the security risks of
browsing/downloading files over http.

I've looked up some info about it and i know it presents a security
risk, but i don't really know what i'm talking about so i thought i'd
ask you guys. Please let me know if i'm wrong about anything here (which
is likely!) Sorry this is so long!

Anyways, let's say i want to use a site that doesn't use https (http
only) that i can do 3 things on:

1. general browsing/reading content
2. download small files
3. log into an account, which is required to download large files

I'm browsing the site in a relatively unsecure vm that i don't
necessarily care much about, but i'll probably want to move some of the
files to another vm to use elsewhere, or to a usb stick to transfer to
another machine.

If i use the site over tor, the exit node operator can read all the
unencrypted traffic, and possibly maliciously modify files downloaded,
which is why it's recommended to always use https when possible over
tor. Qubes helps with this since i can do all my browsing on the site in
a separate vm, but there's still a security risk especially if i
transfer files elsewhere.

It seems to me that i basically have 4 options:

1. Do everything over tor, including downloading files and logging into
the account. This is bad because the exit node operator can see my
username/password, and i don't think there's any way of really reducing
the risk from this.

2. Browse the site and download small files (without logging in) over
tor, but use a non-tor VM to log into the account to download larger
files. This is better than option 1 because exit node operators never
see me log into the account, but still presents a security risk because
they can maliciously modify files i download.

It seems to me that exit node operators doing something like this
(modifying files downloaded over http to compromise my vm) is something
that would have to be done manually, in real time, but please let me
know if i'm wrong about that! I also don't know how likely this is to
actually happen.

But it seems to me that a way to reduce the risk here is to use the "get
a new tor circuit" option right before downloading the file. That way
the new exit node operator would have not much warning/time to do
something bad before i download the file. Would that help?

3. Do general browsing in tor, but download all files outside of tor.
This is better than option 2 from a security standpoint because i'm not
downloading files in a risky way over tor that will then be transferred
elsewhere, and if the vm i'm browsing the site in using tor gets
compromised, i don't really care. But it's a pain to have to switch to a
non-tor vm every time to download a file (and i know it's recommended
not to have tor and non-tor connections to the same site at the same time).

4. Do everything on the site outside of tor because the site doesn't
support https. This is best from a security perspective, but worst from
a privacy/anonymity perspective because i can't use tor to browse the site.

If i really wanted to only use https over tor, i could enable the "block
http connections" option in https everywhere, but couldn't this increase
fingerprintability of browser since most tor users don't block http
connections? The same reason it's recommended not to use additional
browser plugins in tor browser.

What do you guys think is the best way to go about it? Am i wrong about
anything here or missing something?

I know this may be too long to read, sorry!

-Jackie
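
An added example, not part of the original post: one way to detect the in-transit file modification discussed in this thread is to fetch the same file over several independent Tor circuits and compare SHA-256 digests of the copies. The file contents, circuit labels and function names below are constructed for illustration; matching digests do not rule out tampering at the server itself or upstream of every exit.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large downloads need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def compare_copies(paths_by_circuit):
    """Compare copies of one file, each fetched over a different circuit.

    paths_by_circuit maps a label (hypothetical, e.g. "circuit-1") to the
    path of the copy downloaded over that circuit.

    Returns a dict with:
      verdict  - "insufficient" (fewer than two copies),
                 "consistent"   (every copy has the same digest),
                 "mismatch"     (at least one copy differs)
      groups   - digest -> sorted labels of the copies with that digest
      minority - labels outside the largest group; on a tie every label
                 is listed, because no copy can be preferred
    """
    groups = defaultdict(list)
    for label, path in paths_by_circuit.items():
        groups[sha256_file(path)].append(label)

    if len(paths_by_circuit) < 2:
        verdict = "insufficient"
    elif len(groups) == 1:
        verdict = "consistent"
    else:
        verdict = "mismatch"

    minority = []
    if verdict == "mismatch":
        largest = max(len(labels) for labels in groups.values())
        top = [d for d, labels in groups.items() if len(labels) == largest]
        if len(top) == 1:
            minority = sorted(
                label
                for digest, labels in groups.items()
                if digest != top[0]
                for label in labels
            )
        else:
            minority = sorted(paths_by_circuit)

    return {
        "verdict": verdict,
        "groups": {d: sorted(labels) for d, labels in groups.items()},
        "minority": minority,
    }


def demo(tamper=True):
    """Build three constructed copies on disk and compare them.

    With tamper=True the copy labelled "circuit-2" has 16 bytes changed,
    standing in for a file altered in transit.
    """
    original = b"%PDF-1.4\n% constructed sample, not a real document\n" + b"A" * 4096
    modified = original.replace(b"A" * 16, b"B" * 16, 1)
    contents = {
        "circuit-1": original,
        "circuit-2": modified if tamper else original,
        "circuit-3": original,
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for label, data in contents.items():
            paths[label] = os.path.join(tmp, label + ".bin")
            with open(paths[label], "wb") as f:
                f.write(data)
        return compare_copies(paths)


if __name__ == "__main__":
    for tamper in (False, True):
        result = demo(tamper)
        print(result["verdict"], result["minority"])
```

On a "mismatch" verdict none of the copies should be moved to another VM or a USB stick; the majority digest is a hint about which circuit saw a different file, not proof that the majority copy is clean.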



Re: [qubes-users] Quebes and whonix

2018-04-02 Thread js...@riseup.net
Black Beard:
> Hello guys,
> 
> okay. 1000 thx for your nice and helpful feedbacks. 
> 
> I want to use win10, too. Let's say, i want to install Qubes fully on my laptop, 
> but need my Win10, too. How can i realize this project without a USB stick?
> 
> regards and thx in advance

Hi Black Beard,

Like others have said dual booting qubes with windows reduces security,
so it's better to avoid it if possible. You can install windows in a VM
in qubes to run windows apps in, and that's good enough for most
purposes. See documentation here:

https://www.qubes-os.org/doc/hvm/

https://www.qubes-os.org/doc/windows-appvms/

If you really do need dual boot though there's documentation here:

https://www.qubes-os.org/doc/multiboot/

-Jackie



Re: [qubes-users] How do I load firmware-atheros into Qubes 4.0 R5?

2018-03-30 Thread js...@riseup.net
Holger Levsen:
> On Thu, Mar 29, 2018 at 03:38:34PM -0400, taii...@gmx.com wrote:
>> My issue is with Purism's incredibly dishonest marketing, their pressure
>> campaigns on the FSF, their insulting of their competitors - not their
>> existence in general or the practice of selling of laptops that are only
>> slightly more free than a dell.
> 
> Taiidan, this is the qubes-users mailing list, meant to discuss issues
> and joys with Qubes OS. Whatever you think of Purism is really not
> suited that well on this list. If you want to educate people, I'd like
> to suggest you take it elsewhere, either private or some other public
> list or setup a wiki page or whatever.
> 
> If everybody beats up their favorite horse on this list, this list
> will become a lot more noisy and less useful for everyone. For example I
> don't think using Thunderbird for reading email is a reasonable choice
> for users interested in reasonable security, but I won't mention that in
> every (not even any...) thread discussing thunderbird. Same can be said
> about many many topics.

Hi Holger,

I actually kinda like that Taiidan brings up these issues once in a
while. Whether or not someone agrees with them about the purism issue,
talking about this stuff on the list causes people to think more about
security/privacy, which is a good thing.

I mean yea maybe a really lengthy in depth discussion could be taken off
list, but I think conversations that aren't completely strictly on topic
(security/privacy in general, or free/libre hardware, instead of
qubes-specific) can be good because it gets people thinking about these
issues.

And your thoughts on thunderbird would be useful too, not everyone has
to agree :)

-Jackie



Re: [qubes-users] Onionizing

2018-03-30 Thread js...@riseup.net
'awokd' via qubes-users:
> On Thu, March 29, 2018 6:57 pm, coinshark...@gmail.com wrote:
>> whonix 14 templates have the tor v3 addresses preconfigured
>>
>> i mirrored the debian-9 template to them and it's the qubes tor v3 onion
>> that is not working. the other addresses are the debian v2 onion and
>> whonix v3.
>>
>> they work.
>>
>> qubes v3 says 404 not found or: there is no release file.
>>
>> it must not have a release file..
>>
>> qubes v2 took over an hour to download the headers/release file. not
>> worth it.
> 
> Have you seen
> https://github.com/QubesOS/qubes-issues/issues/3737#issuecomment-376348366
> ?

Yea it looks like a 4.0/whonix 14 specific issue, the qubes v3 repo
works fine for me in 3.2.

-Jackie



Re: [qubes-users] Onionizing

2018-03-29 Thread js...@riseup.net
coinshark...@gmail.com:
> Hi. I want to onionize qubes
> 
> I installed whonix 14 and I have edited my sources like this.
> 
> 
> qubes.r4.list
> # Main qubes updates repository
> #deb [arch=amd64] http://deb.qubes-os.org/r4.0/vm stretch main
> #deb-src http://deb.qubes-os.org/r4.0/vm stretch main
> #deb [arch=amd64] http://deb.qubesos4z6n4.onion/r4.0/vm stretch main
> deb [arch=amd64] http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion stretch main
> 
> have also tried removing [arch=amd64] and changing source to 
> http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
> 
> 
> 
> I get error
> 
> Err:4 http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion stretch/main amd64 Packages
>   404  Not Found
> W: The repository 'http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion stretch Release' does not have a Release file.
> N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
> N: See apt-secure(8) manpage for repository creation and user configuration details.
> E: Failed to fetch http://deb.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/dists/stretch/main/binary-amd64/Packages  404  Not Found
> E: Some index files failed to download. They have been ignored, or old ones used instead.
> 
> Is there a reason? 

Hi,

The qubes/whonix onion repos have been down for the past week or so, but
they're actually back up now so they should be working.

I don't know about whonix 14 though, I thought the current version was
still 13. Is it a beta version?

Anyways maybe try establishing a new tor circuit? Or maybe just wait a
while. You could always just use the clearnet repos temporarily, but the
onion repos are working for me now.

-Jackie



Re: [qubes-users] debian-9 template for sys-firewall in 3.2

2018-03-23 Thread js...@riseup.net
cooloutac:
> debian-9 was never in the 3.2 repos.  Its stated as such in the docs.   They 
> also state they will support 3.2 for a year after 4.0 has its final release.  
> But I guess the avg user will have to know how to update their debian-9.  Or 
> just abandon debian.   You can't use it as a sys-firewall afterwards and I've 
> noticed some other anomalies.

I upgraded my template to debian-9 and it seems to work for me as
sys-firewall. Or at least I tested it with allow all except and deny all
except, with various websites white/blacklisted, and it seemed to work
as expected (only able to access whitelisted sites or not able to access
blacklisted sites in firefox).

I didn't do a more thorough test though. Is there something I'm missing?

-Jackie



Re: [qubes-users] Dom0 updates broken

2018-03-23 Thread js...@riseup.net
cooloutac:
> On Friday, March 16, 2018 at 10:23:56 AM UTC-4, Lorenzo Lamas wrote:
>> On Friday, March 16, 2018 at 10:29:25 AM UTC+1, awokd wrote:
>>> On Fri, March 16, 2018 8:42 am, Lorenzo Lamas wrote:
>>>> On Qubes 3.2 I'm getting this error when performing qubes-dom0-update:
>>>>
>>>> tar: /var/lib/qubes/dom0-updates: Cannot open: No such file or directory
>>>> tar: Error is not recoverable: exiting now
>>>> Dom0 updates dir does not exists: /var/lib/qubes/dom0-updates
>>>
>>> https://github.com/QubesOS/qubes-issues/issues/3620
>>>
>>> Update your update template once the R3.2 patch hits current.
>>
>> Thanks! I updated one template from the current-testing and it works again.
> 
> I had this problem when updating debian-8 to 9.  Had to switch sys-net to 
> fedora 26.

I had this problem too. I wouldn't think upgrading debian-8 template to
debian-9 would have caused it because my updateVM is sys-whonix, with
whonix-gw template, which wasn't upgraded.

Anyways for me the solution recommended in the github issue worked. In
the template of the updateVM (in my case in whonix-gw) I did:

sudo mkdir /var/lib/qubes/dom0-updates
sudo chown user:user /var/lib/qubes/dom0-updates

Then restarted the updateVM and ran dom0 updates again and it worked.

-Jackie



Re: [qubes-users] Qubes/Whonix onion repositories down?

2018-03-22 Thread js...@riseup.net
Andrew David Wong:
> On 2018-03-22 17:45, js...@riseup.net wrote:
>> Trying to update my templates I get "connection failed" errors on
>> connecting to the qubes and whonix onion repos (qubesos4z6n4.onion
>> and kk63ava6.onion).
> 
> Yes, this is a known issue. See:
> 
> https://github.com/QubesOS/qubes-issues/issues/1352#event-1536336416

Thanks Andrew and unman. Hopefully fortasse will fix it soon!

-Jackie



[qubes-users] Qubes/Whonix onion repositories down?

2018-03-22 Thread js...@riseup.net
Hi everyone,

Trying to update my templates I get "connection failed" errors on
connecting to the qubes and whonix onion repos (qubesos4z6n4.onion
and kk63ava6.onion). The debian onion repos work like normal.

I also can't connect to the v3 versions, and I can't connect to the
.onion sites in Tor Browser either. Updates work when I change the
source to the standard clearnet repos (at least for qubes, haven't
confirmed with whonix yet).

Anyone else having this problem?

-Jackie



Re: [qubes-users] What happened to domain manager in 4?

2017-12-07 Thread js...@riseup.net
mikihonz...@gmail.com:
>> Of course, if people want a GUI manager they can produce one - equally
>> people who don't want one can use command line tools or scripts to
>> provide the functionality they want.
>>
> That's the point. Since I cannot write one myself, I stopped using qubes 
> because my use case depends on it. Some users may only ever use firefox and 
> nothing else, they wouldn't mind stripping every other (cli)tool from qubes. 
> I see no point in making up lowest possible denominators of usability.
> Qubes has a unique architecture of integrating virtual machines. If there are 
> no proper tools to make it possible for a user to adjust this system to his 
> specific use case without the need to write a program, some people may stop 
> using it (also last I checked there wasn't a proper documentation on the new 
> commands). I don't think that's good or bad and maybe I'm the only one who's 
> going back to a different OS.
> 
> regards
> Loved 3.2 A truly great software.

Keep in mind that 4.0 is still basically in beta and hasn't actually
been released yet (someone else pointed out that it's a "release
candidate" and not beta, and there's a difference, but still). 3.2 is
still the latest stable release. I still use 3.2, and it works great for
me. 3.2 should still be an option for you if the lack of qubes manager
in 4.0 is a show stopper. Unless there's some reason you can't use 3.2?

Anyway, I'm just hoping people don't move away from qubes completely
just because the unreleased beta version is missing a useful feature.
Qubes is a lot less vulnerable than other OSes. It works great for me in
general and I think it's definitely worth a few minor inconveniences.

I will add my vote in favor of the qubes manager though btw. I know
everything qubes manager can do can also be done in command line, and
I'm comfortable enough with the command line that I can make it work,
but it would be less convenient for me to have to do without qubes
manager, despite its flaws!

-Jackie



Re: [qubes-users] Printing and scanning with Qubes - a love story

2017-07-22 Thread js...@riseup.net
Franz:
> On Fri, Jul 21, 2017 at 10:28 AM, js...@riseup.net <js...@riseup.net> wrote:
>>>>
>>>> I've been having some problems with this myself. Specifically, I'm not
>>>> sure how to pass my USB printer to an appVM. The only thing I can see to
>>>> do is to attach my whole USB controller to a VM, but I'm pretty sure if
>>>> I do that I'll lose my input devices (USB keyboard and mouse) and not be
>>>> able to control the system.
>>>
>>> See https://www.qubes-os.org/doc/usb/#attaching-a-single-usb-device-to-a-qube-usb-passthrough
>>>
>>>> Do you have to have a usbvm (sys-usb) in order to get this to work?
>>>
>>> Yes.
>>
>> Thanks for the reply! I had seen that documentation, but I was hoping
>> there was another way to do it.
>>
> 
> Just buy yourself a cheap network printer adapter that will transform your
> printer in a network printer. Then you follow Qubes tutorial for a network
> printer, which is the canonical way to print under Qubes.
> 
> Why complicate your life when it can be simple?
> Best
> Fran

I actually tried that for about an hour, couldn't get it to work and
gave up on it. My printer has a network port too so I didn't need an
adapter. I don't remember exactly what errors I was getting, but even
after I managed to add the printer and install the drivers from the
manufacturer the printer would never respond.

Oh well, maybe I'll try it again sometime and worst case be able to give
a more detailed report.

Thanks!
-Jackie



Re: [qubes-users] Printing and scanning with Qubes - a love story

2017-07-22 Thread js...@riseup.net
Patrik Hagara:
> On 07/21/2017 04:05 PM, Patrik Hagara wrote:
>>> Qubes is still worth it anyway, and I can always copy files over
>>> to my other machine via USB stick when I need to print
>>> something.
> 
> This might be a pretty nice attack vector for the "other machine" to
> compromise your Qubes system.
> 
> Say you buy (assumed clean) USB stick, connect it to your Qubes system
> (which is not using USB VM), format it and copy some documents to
> it... Then you plug the stick into your non-Qubes system and print the
> docs. That machine might be infected and in turn infect the USB stick.
> Now the next time you connect it to your Qubes system, it gets
> infected as well.
> 
> Game over.
> 
> Please note that this scenario is not at all far-fetched -- malware
> routinely spreads via removable media. Plus, it's the perfect way of
> bridging air-gaps (see eg. Stuxnet for a high-profile malware example).
> 
> This might make you think really hard about the trade-offs between
> keyboard/mouse security (detailed in my previous e-mail) and not
> having a USB VM at all.
> 
> 
> Cheers,
> Patrik

Yep that's definitely a concern. And usb sticks can be compromised
straight out of the box even. Clearly the ideal solution is to use a
PS/2 mouse and keyboard (or just using a laptop as long as the mouse and
keyboard connect internally via PS/2), but unfortunately that's not
really an option for me.

And I'm going to have to transfer files back and forth between these two
systems anyway, one way or another. This is even more problematic
because my other system is Linux/Windows dual boot, so my Linux OS is
really only as secure as Windows!

Though I guess using an online file upload service is an option too, but
I might have problems when I need to transfer 40GB of files!

If I'm going to have to use usb sticks anyway, then it seems like
there's really no point in creating the usb qube and exposing myself to
that additional attack vector in qubes.

Thanks for your help though!

-Jackie



Re: [qubes-users] Printing and scanning with Qubes - a love story

2017-07-22 Thread js...@riseup.net
Patrik Hagara:
> On 07/21/2017 03:28 PM, js...@riseup.net wrote:
>> Thanks for the reply! I had seen that documentation, but I was
>> hoping there was another way to do it.
> 
>> It looks like I can't create a usbvm, because I'm using a desktop 
>> computer with no PS/2 ports and only one USB controller, and so I
>> need my USB controller in dom0 to use my keyboard and mouse.
> 
>> Am I wrong about that? If not, it looks like I'm hosed as far as
>> USB printers are concerned. Oh well. Qubes is still worth it
>> anyway, and I can always copy files over to my other machine via
>> USB stick when I need to print something.
> 
> 
> Well, it is possible... However, you have to fully understand all the
> security implications -- the USB VM will have full access to your
> keyboard and mouse, able to intercept or fake key presses and mouse
> movement.
> 
> The docs recommend using two-factor authentication for logging into
> dom0 (eg. with a Yubikey or similar device) in order to prevent the
> (potentially compromised) USB qube from detecting when you lock your
> screen and walk away, then unlocking the screen with a captured
> passphrase and doing nefarious things. Additionally, you need to be
> constantly on the lookout for any "weird" keyboard activity even while
> using the computer -- and some of it might be (so fast as to be)
> invisible...
> 
> Should you decide to proceed with USB qube setup anyway, you will need
> to make sure you *do not* use "rd.qubes.hide_all_usb" kernel param as
> otherwise you won't be able to enter your disk passphrase during boot.
> 
> Additionally, you will have to set an auto-accept policy for
> qubes.InputKeyboard and qubes.InputMouse RPC calls coming from the USB
> qube *before* creating the USB qube (as otherwise you'd lose all input
> methods as soon as the USB qube is started).
> 
> Other than that, all the steps are detailed in the doc article already
> linked by Jean-Philippe.

Oh so basically the instructions in the documentation
(https://www.qubes-os.org/doc/usb/) for using USB keyboard and mouse can
be done before creating the usb qube? Just edit the qubes.InputKeyboard
and qubes.InputMouse files as the documentation says, and put in the
name of the usb qube I'm going to create, and then create the usb qube
(using the qubesctl commands at the top of that page)?

I'll have to think about whether I want to do that. It's definitely more
of a security risk, and I don't know if I want to get a Yubikey and
bother with two-factor authentication. Though really it should still be
more secure than using a regular Linux distro, right? Since the same
attack vector is available in that case as well, plus a lot more?

I'm just not sure that I trust enough that I know what I'm doing to not
mess things up and then not be able to use my system!

-Jackie



Re: [qubes-users] Printing and scanning with Qubes - a love story

2017-07-21 Thread js...@riseup.net
Jean-Philippe Ouellet:
> On Thu, Jul 20, 2017 at 12:32 PM, js...@riseup.net <js...@riseup.net> wrote:
>> Hi,
>>
>> I've been having some problems with this myself. Specifically, I'm not
>> sure how to pass my USB printer to an appVM. The only thing I can see to
>> do is to attach my whole USB controller to a VM, but I'm pretty sure if
>> I do that I'll lose my input devices (USB keyboard and mouse) and not be
>> able to control the system.
> 
> See 
> https://www.qubes-os.org/doc/usb/#attaching-a-single-usb-device-to-a-qube-usb-passthrough
> 
>> Do you have to have a usbvm (sys-usb) in order to get this to work?
> 
> Yes.

Thanks for the reply! I had seen that documentation, but I was hoping
there was another way to do it.

It looks like I can't create a usbvm, because I'm using a desktop
computer with no PS/2 ports and only one USB controller, and so I need
my USB controller in dom0 to use my keyboard and mouse.

Am I wrong about that? If not, it looks like I'm hosed as far as USB
printers are concerned. Oh well. Qubes is still worth it anyway, and I
can always copy files over to my other machine via USB stick when I need
to print something.



Re: [qubes-users] Printing and scanning with Qubes - a love story

2017-07-20 Thread js...@riseup.net
Jean-Philippe Ouellet:
> On Qubes, it's a completely different story. First, I pass my USB
> printer or scanner through to a DispVM. To print, I just copy the file
> to the DispVM, open it with anything, and print it, and the printer is
> automatically found and "just works" (thanks Fedora). To scan: I pass
> the printer to a DispVM, open simple-scan, click the scan button, and
> it just works! When I'm happy with my scan, I copy it out of the
> DispVM and then convert to trusted PDF! So far every printer or
> scanner just works the first time, I haven't needed to look under the
> hood for anything.
> 
> With sys-usb, DispVMs, and convert-to-trusted-pdf I feel reasonably
> confident that if the printers or scanners were malicious, the worst
> they could do is mutate my documents or store them for later retrieval
> by an adversary (which is an inherent problem with any commodity
> printer and totally unrelated to the OS used to interface with). This
> would be even more true with a stateless laptop without any persistent
> mutable firmware for the USB controllers, and when sys-usb can act
> like a DispVM itself without hacks (R4?).

Hi,

I've been having some problems with this myself. Specifically, I'm not
sure how to pass my USB printer to an appVM. The only thing I can see to
do is to attach my whole USB controller to a VM, but I'm pretty sure if
I do that I'll lose my input devices (USB keyboard and mouse) and not be
able to control the system.

Do you have to have a usbvm (sys-usb) in order to get this to work?

My appVMs are based on a debian-8 template, if that matters.



Re: [qubes-users] How do I use a USB printer / joystick?

2017-07-06 Thread js...@riseup.net
js...@riseup.net:
>> Hi everyone,
>>
>> I'm running Qubes 3.2 and I'd like to use a USB joystick (Playstation
>> 3 controller) for games, but I'm not sure how.
>>
>> When I connect the controller to my USB port, Qubes doesn't seem to
>> recognize it at all. I don't see a way to "attach" it to an AppVM (not
>> a block device or PCI device), and apps like joystick config and
>> emulators don't recognize that it's there.
>>
>> Is there something special I'm supposed to do for a USB joystick? My
>> USB keyboard and mouse work fine.
>>
>> (I'm using a desktop computer with no PS/2 ports and only one USB
>> controller, so my understanding is that I can't make a USB qube.)
>>
>> Any help would be greatly appreciated!
> 
> By the way, I'm having the same issue with a USB printer (USB mass
> storage devices work just fine). Inability to print is a bigger issue
> for me than using my joystick!

Anyone have any thoughts on this? I hope I'm not hosed due to inability
to create a usbvm.

Right now I have my usb printer connected to a separate machine running
a different distro, and copy files over via usb stick to print, but this
is obviously not an ideal solution (the joystick thing doesn't matter
much at this point).



Re: [qubes-users] Adding appmenu entries to AppVM's

2017-07-05 Thread js...@riseup.net
loke...@gmail.com:
> I have some applications I have installed manually in /usr/local on appvms. I 
> would like to create appmenu entries for these applications. However, the 
> Qubes appmenu management only deals with menus coming from templates.
> 
> Is there an official way to handle this?

I don't think there's an "official" way to do it, but it is possible.

I made a few custom appmenu entries by creating a new .desktop file in
/usr/share/applications/ in the *template* on which the appvm is based.
You'll never launch it in the template, but you have to create the
.desktop file there so Qubes will recognize it.

Then create a new .desktop file in
/var/lib/qubes/vm-templates//apps.templates/ in dom0 pointing
to the .desktop file you created in the template.

If that's not enough it might also be necessary to create another
.desktop file in /var/lib/qubes/appvms//apps/ in dom0 for it as well.

This will result in it being possible to add your new entry for any
appvm based on that template, not just the one you installed the
application on, but it should get the job done.



Re: [qubes-users] How do I use a USB joystick?

2017-06-30 Thread js...@riseup.net

On 06/29/2017 11:11 PM, js...@riseup.net wrote:
> Hi everyone,
>
> I'm running Qubes 3.2 and I'd like to use a USB joystick (Playstation 3
> controller) for games, but I'm not sure how.
>
> When I connect the controller to my USB port, Qubes doesn't seem to
> recognize it at all. I don't see a way to "attach" it to an AppVM (not a
> block device or PCI device), and apps like joystick config and emulators
> don't recognize that it's there.
>
> Is there something special I'm supposed to do for a USB joystick? My USB
> keyboard and mouse work fine.
>
> (I'm using a desktop computer with no PS/2 ports and only one USB
> controller, so my understanding is that I can't make a USB qube.)
>
> Any help would be greatly appreciated!

By the way, I'm having the same issue with a USB printer (USB mass
storage devices work just fine). Inability to print is a bigger issue
for me than using my joystick!




[qubes-users] How do I use a USB joystick?

2017-06-29 Thread js...@riseup.net

Hi everyone,

I'm running Qubes 3.2 and I'd like to use a USB joystick (Playstation 3
controller) for games, but I'm not sure how.

When I connect the controller to my USB port, Qubes doesn't seem to
recognize it at all. I don't see a way to "attach" it to an AppVM (not a
block device or PCI device), and apps like joystick config and emulators
don't recognize that it's there.

Is there something special I'm supposed to do for a USB joystick? My USB
keyboard and mouse work fine.

(I'm using a desktop computer with no PS/2 ports and only one USB
controller, so my understanding is that I can't make a USB qube.)

Any help would be greatly appreciated!
