Re: [qubes-users] Re: performance hit with 4.0rc4

2018-02-08 Thread pixelfairy 
with debug true, it started what seemed to be a console. probing edd..ok
was the last thing it printed, which happend pretty fast. then it just
stayed there showing that edd message before blanking and dom0 showing the
notification that the domain had started.

in 4.0rc3 they were hvm, and ran faster.

On Wed, Feb 7, 2018 at 9:55 PM pixelfairy <pixelfa...@gmail.com> wrote:

> they're all pvh. they were hvm when restoring from qubes-backup, but that
> restore partially failed.
>
> On Wed, Feb 7, 2018 at 9:23 PM Chris Laprise <tas...@posteo.net> wrote:
>
>> On 02/07/2018 09:55 PM, pixel fairy wrote:
>> > On Wednesday, February 7, 2018 at 6:54:32 PM UTC-8, pixel fairy wrote:
>> >> reinstalled over 4.0rc3 and vms take much longer to start now. it
>> usually takes a few seconds before getting the notification that an app vm
>> is starting.
>> >>
>> >> firefox performs fine, including youtube in full screen (1080p)
>> >>
>> >> chrome is a bit jumpy in most use, but plays video fine as long as it
>> not full screen
>> >>
>> >> blender is noticeably slower, but still usable for small scenes.
>> >
>> > If theres any strait forward way to debug this id love to.
>> >
>>
>> What does 'qvm-prefs' show for the virt_mode? It is the hvm mode that
>> starts most slowly and taxes the system. Most of the VMs (except sys-net
>> and sys-usb) should be using pvh mode.
>>
>> If the VMs are taking a very long time to start you can try enabling
>> debug mode from either 'qvm-prefs' or VM Settings dialog.
>>
>> --
>>
>> Chris Laprise, tas...@posteo.net
>> https://github.com/tasket
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CACr%3DtZfvTop%3D%3Dm_idqf-LACbPOnc7TGVub-9k-xj3EwmV4uQQg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: performance hit with 4.0rc4

2018-02-07 Thread pixelfairy 
they're all pvh. they were hvm when restoring from qubes-backup, but that
restore partially failed.

On Wed, Feb 7, 2018 at 9:23 PM Chris Laprise  wrote:

> On 02/07/2018 09:55 PM, pixel fairy wrote:
> > On Wednesday, February 7, 2018 at 6:54:32 PM UTC-8, pixel fairy wrote:
> >> reinstalled over 4.0rc3 and vms take much longer to start now. it
> usually takes a few seconds before getting the notification that an app vm
> is starting.
> >>
> >> firefox performs fine, including youtube in full screen (1080p)
> >>
> >> chrome is a bit jumpy in most use, but plays video fine as long as it
> not full screen
> >>
> >> blender is noticeably slower, but still usable for small scenes.
> >
> > If theres any strait forward way to debug this id love to.
> >
>
> What does 'qvm-prefs' show for the virt_mode? It is the hvm mode that
> starts most slowly and taxes the system. Most of the VMs (except sys-net
> and sys-usb) should be using pvh mode.
>
> If the VMs are taking a very long time to start you can try enabling
> debug mode from either 'qvm-prefs' or VM Settings dialog.
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CACr%3DtZdtkuDVkjWQCL%2BE2TSfgnBci%3DKBZpjAVOeGKprLsXySoA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: [qubes-devel] Qubes OS 4.0-rc4 has been released!

2018-02-06 Thread pixelfairy 
strange. starting VMs is much slower for me and a minion than 4rc3 or 3.2
were. even vm performance seems slower. for example typing in and scrolling
in windows in firefox is slower, though videos on youtube still play fine,
even in full screen. we expected a performance hit for mitigating the
recent flaws.

blender is much slower. i know blender is outside of qubes domain, but it
shows the performance difference.

On Tue, Feb 6, 2018 at 11:53 AM David Hobach  wrote:

> On 02/01/2018 03:44 AM, Andrew David Wong wrote:
> > We're pleased to announce the fourth release candidate for Qubes 4.0!
>
> A big thanks for that!
>
> So far it seems more stable than the previous RCs and PVH doesn't only
> provide the mentioned security gain, but also provides much better
> performance over HVM on older machines.
>
> 4.0rc1 felt twice as slow as 3.2 and now rc4 feels like the same level
> of speed as 3.2.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/qubes-users/57reYSQsB00/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/47ae1411-c153-7f19-bebf-bcda284ee628%40hackingthe.net
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CACr%3DtZcjH%2BKL0dkREW%2B6L-UYA2%3DAwf3fmipfD6z-zpH%2BcqK8Rg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: to firejail or not to firejail

2017-08-29 Thread pixelfairy 
just remembered, a couple other ssh exploits, and googled for them, found a
couple others. so that does come up once in a while.

On Tue, Aug 29, 2017 at 12:54 AM pixel fairy  wrote:

> On Monday, August 28, 2017 at 10:46:22 PM UTC-7, Eric wrote:
> > The question as always is, what are you protecting? If it's your user
> data, compartmentalize differently. If it's some kind of root privilege
> escalation, that's a lost cause, as the vm sudo page explains. If it's some
> kind of malware that could get written with root privileges, well, that
> gets erased by rebooting the VM, unless it's persistent in your user data,
> but if it is, it's incredibly unlikely to be runable (at least not without
> explicit user action).
> >
> > I raise these questions because the answer to many of the "OMGWTFBBQ
> passwordless sudo" threads that appear every so often, come back down to
> either "whatever you're proposing wouldn't make a difference read the doc
> again" and "are you sure you read the doc and understood why the decision
> was made the way it was?"
>
> this wasnt specifically because of the passwordless sudo. its a general
> access control and hardening thing. i see firejail as complementary to
> qubes-os. ssh shouldnt access the x server. firefox shouldnt write outside
> of its own folder and Downloads. neither should shell out and call sudo.
> when they do, or try to, id really like to know about it. firejail can log
> such access, and you can have another process follow that log to alert you.
>
> but having firejail do that, and watching that log, are more processes,
> more attack surface.
>
> to add to extremely unlikely, ive only known of one ssh client exploit in
> the wild, and i think it was over 10 years ago.
>
> >
> > I don't disagree that hardening VMs in general is good practice; I am
> very sad that Subgraph is MIA and grsecurity patches are no longer
> available, since they were a great way to harden Linux VMs.
>
> subgraph was a neat idea. looked at it for a friend whos laptop lacked
> hypervisor extensions, but couldnt get it to work.
>
> >
> > In your particular situation, a good compromise might be the dom0
> escalation prompt, described at the end of the VM Sudo documenation (no
> additional code, really, and at least *some* peace of mind that...it would
> take a few more seconds of extra work to find a root privilege escalation
> that would get around the prompt requirement?)
>
> looked over that out of curiosity since it seemed like a neat idea, but
> never tried it.
>
> >
> >
> > On Monday, August 28, 2017 at 9:22:48 PM UTC-7, pixel fairy wrote:
> > > firejail , https://firejail.wordpress.com/
> > >
> > > can be used to restrict and/or contexualize a process with namespaces.
> i was thinking of restricting ssh connections with it to prevent the free
> privilege escalation qubes gives malicious apps in case of an exploitable
> hole in ssh. but, firejail itself is more code to exploit, and though it
> matters less in qubes, setuid.
> > >
> > > so what thinks all of you? worth the extra attack surface?
> > >
> > > was also thinking of using firejails logging to flag attempts at sudo
> etc as another means to flag a host with problems. this again, means extra
> code that itself could be exploited.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/qubes-users/RnKRH0lIP_c/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/ab05b325-683f-417d-9862-1833fe867678%40googlegroups.com
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CACr%3DtZdi_du%3D82Ym0wwqVSLg5Hzw8PwzsVHXKdV23Nd3RJDgjA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Just realized one of the major disadvantages of Qubes OS...

2017-07-14 Thread pixelfairy 
This thread should be renamed ipv6, and there was such a thread in
qubes-devel. one of the issues is what to do when moving from an ipv6
enabled network to one without. netvm can easily note the difference and
adapt, but weather your bridging or natting, all the appvms wont know any
better and will start trying to use the non existent ipv6.

one possible solution is dns filtering. dont return  records when no
global address is present, but then your going down another rabbit hole.

On Thu, Jul 13, 2017 at 11:34 PM Alex  wrote:

> On 07/14/2017 05:30 AM, motech man wrote:
> > On Thursday, July 13, 2017 at 12:05:34 PM UTC-5, geoff.m...@gmail.com
> > wrote:
> >> A bit of thread necromancy here, but - if you're using a smartphone
> >> in the US with mobile data, there's a *very* good chance you're
> >> already using IPv6.
> >> [...]>>
> >> --Geo
> >
> > I also expect to see routers for home market that will talk ipv6
> > externally and ipv4 internally. That will help a lot of people
> > transition.
> Here in Italy (and a lot of other countries too) home routers just
> started distributing /64 internally, in full dual-stack mode, during
> this spring for the major ISPs.
>
> Public institutions are expected to be fully dual-stack connected and
> publicly available by the end of the year by law.
>
> I don't see any advantage in having a situation like you described - why
> not just full dual stack, and the devices connect to the technology they
> support?
>
> Apart from us qubes aficionados, any win10 pc, apple or android device,
> and the vast majority of linux workstation/server distros fully support
> dual stack configurations, and happily work preferring ipv6 when available.
>
> --
> Alex
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/qubes-users/rJYmO78ckxM/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/809adbd0-7716-c7b8-9adf-df3d56787d34%40gmx.com
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CACr%3DtZdrVO15Dc0FrEibXkH1Tz9_VwHrYHyMmx3t4oNxyXtpWQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.