Re: [qubes-users] Damaged qubes by running a "safe" script on dom0 - how can I determine the problem?

2017-03-24 Thread Unman
On Fri, Mar 24, 2017 at 03:32:47PM -0700, Nemo wrote:
> On Friday, March 24, 2017 at 6:07:51 PM UTC-4, Unman wrote:
> > On Thu, Mar 23, 2017 at 08:00:57PM -0700, Nemo wrote:
> > > On Thursday, March 23, 2017 at 10:37:58 PM UTC-4, Andrew David Wong wrote:
> > > > -BEGIN PGP SIGNED MESSAGE-
> > > > Hash: SHA512
> > > > 
> > > > On 2017-03-23 19:28, Nemo wrote:
> > > > > I've been writing a bash script that manages firewall settings
> > > > > from dom0, via qvm-firewall and qvm-run for ping.
> > > > > 
> > > > > Everything had been safe until an hour ago, when I added in the 
> > > > > qvm-run/ping function. I let it run for about 20 mins, and when I 
> > > > > came back three of my qubes were damaged in a way that made them 
> > > > > unmountable.
> > > > > 
> > > > > I don't have the terminal readout (I was running bash -x), so I 
> > > > > can't use that to determine where/when the issue occurred. How
> > > > > else can I access logs to troubleshoot my script, and determine
> > > > > whether I need to post a bug report?
> > > > > 
> > > > > I'm new to Linux, but a quick learner.
> > > > > 
> > > > 
> > > > Can you post the script you were running?
> > > > 
> > > > - -- 
> > > > Andrew David Wong (Axon)
> > > > Community Manager, Qubes OS
> > > > https://www.qubes-os.org
> > > 
> > > Script is attached. It's my first attempt at a bash script, and still in 
> > > progress (and obviously potentially dangerous).
> > > 
> > > The script is designed to create exclusive access to certain services (eg 
> > > Facebook) for VMs where they should be used (eg Personal). It does this 
> > > by preventing inappropriate VMs from accessing those addresses.
> > > 
> > > So, all the addresses listed under Banking will be blocked for the other 
> > > VMs laid out in the $vms array, unless that VM is also allowed access.
> > > 
> > > Services that run round-robin DNS, eg google.com, need to be blocked 
> > > multiple times to ensure there is no access to the service. I tested
> > > 
> > > `qvm-firewall banking -a google.com any`
> > > 
> > > and determined that running it multiple times in succession will 
> > > eventually block all the (current) round-robin IP addresses.
> > > 
> > > So, I added a verification feature to the script, which launches a while 
> > > loop. It waits for
> > > 
> > > `qvm-run -ap banking 'ping -c1 google.com'`
> > > 
> > > to return "Destination Host Prohibited", indicating that the entire 
> > > round-robin has been blocked. Until then (or until 10 iterations) it will 
> > > continue to qvm-firewall block google.com.
> > > 
> > > I believe that the verification function is what caused the problem, but 
> > > I don't know how to investigate it. Your thoughts are appreciated!
> > > 
> > 
> > Can you check the size of the firewall rule files for the qubes that
> > won't start - I assume that that is what you mean by unmountable?
> > The files are /var/lib/qubes/appvms//firewall.xml
> > 
> > 'ls -lh' will show the size
> > You can use 'ls -lh /var/lib/qubes/appvms/*/firewall.xml' to check them
> > all.
> 
> By unmountable I mean that they can't start - sorry, that wasn't clear.
> 
> When I attempt to start them, I get
> 
> Error starting VM 'shopping': (2, 'no such file or directory')
> 
> I've restored two of the VMs from backups, but left 'shopping' to 
> troubleshoot.
> 

Did you check the size?

Look at www.qubes-os.org/doc/firewall/ and see if you have breached the
3kb limit referred to.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170324225241.GA15826%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
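Added example, not code from the thread or from Qubes: a dom0 shell helper that does unman's `ls -lh` size check programmatically, and a bounded version of the verification loop Nemo describes, so that rule additions stop before `firewall.xml` grows past the limit the firewall documentation refers to. Assumptions are mine: the limit is taken as 3072 bytes; the rule-file path and the `qvm-firewall <vm> -a <host> <proto>` and `qvm-run -ap <vm> 'ping -c1 <host>'` invocations are the ones quoted in the thread; `QUBES_APPVMS_DIR`, `QVM_FIREWALL`, `QVM_RUN` and `MAX_ROUNDS` are knobs introduced here so the logic can be exercised off a Qubes box.

```shell
#!/bin/bash
# Added example, not code from the thread or from Qubes. Audits per-VM firewall
# rule files in dom0 against the ~3 kB limit the firewall documentation refers
# to, and wraps qvm-firewall so rules are only added while there is headroom.
# Assumptions (mine): rule files live at /var/lib/qubes/appvms/<vm>/firewall.xml
# as in the thread; the limit is taken as 3072 bytes; QUBES_APPVMS_DIR, QVM_RUN,
# QVM_FIREWALL and MAX_ROUNDS are knobs added here for testing.

LIMIT_BYTES=3072
: "${QUBES_APPVMS_DIR:=/var/lib/qubes/appvms}"
: "${QVM_FIREWALL:=qvm-firewall}"
: "${QVM_RUN:=qvm-run}"

# Size of a file in bytes; 0 if it does not exist.
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Succeeds while the VM's firewall.xml is below the limit.
firewall_has_headroom() {
    [ "$(file_size "$QUBES_APPVMS_DIR/$1/firewall.xml")" -lt "$LIMIT_BYTES" ]
}

# Names of VMs whose firewall.xml is at or over the limit, one per line
# (the programmatic form of `ls -lh /var/lib/qubes/appvms/*/firewall.xml`).
oversized_firewalls() {
    local f
    for f in "$QUBES_APPVMS_DIR"/*/firewall.xml; do
        [ -e "$f" ] || continue
        if [ "$(file_size "$f")" -ge "$LIMIT_BYTES" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Guarded add, same syntax as in the thread: qvm-firewall <vm> -a <addr> <proto>.
safe_firewall_add() {
    local vm="$1" addr="$2" proto="${3:-any}"
    if ! firewall_has_headroom "$vm"; then
        echo "refusing: $vm firewall.xml is at/over $LIMIT_BYTES bytes" >&2
        return 2
    fi
    "$QVM_FIREWALL" "$vm" -a "$addr" "$proto"
}

# Bounded version of the verification loop: add the host again until ping from
# inside the VM reports "Destination Host Prohibited", at most MAX_ROUNDS times,
# and stop early if the rule file runs out of headroom. Returns 0 when the VM is
# cut off, 1 when the round limit is reached, 2 when the size guard fired.
block_until_prohibited() {
    local vm="$1" host="$2" max="${MAX_ROUNDS:-10}" i=0 out
    while [ "$i" -lt "$max" ]; do
        out=$("$QVM_RUN" -ap "$vm" "ping -c1 $host" 2>&1 || true)
        case "$out" in
            *"Destination Host Prohibited"*) return 0 ;;
        esac
        safe_firewall_add "$vm" "$host" any || return $?
        i=$((i + 1))
    done
    return 1
}
```

Run `oversized_firewalls` first on a box where VMs fail to start; a non-empty list points at the rule-file size rather than at the VM image. The loop deliberately checks ping before each add, so a host that is already fully blocked costs no extra rule.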


Re: [qubes-users] Damaged qubes by running a "safe" script on dom0 - how can I determine the problem?

2017-03-24 Thread Nemo
On Friday, March 24, 2017 at 6:07:51 PM UTC-4, Unman wrote:
> On Thu, Mar 23, 2017 at 08:00:57PM -0700, Nemo wrote:
> > On Thursday, March 23, 2017 at 10:37:58 PM UTC-4, Andrew David Wong wrote:
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA512
> > > 
> > > On 2017-03-23 19:28, Nemo wrote:
> > > > I've been writing a bash script that manages firewall settings
> > > > from dom0, via qvm-firewall and qvm-run for ping.
> > > > 
> > > > Everything had been safe until an hour ago, when I added in the 
> > > > qvm-run/ping function. I let it run for about 20 mins, and when I 
> > > > came back three of my qubes were damaged in a way that made them 
> > > > unmountable.
> > > > 
> > > > I don't have the terminal readout (I was running bash -x), so I 
> > > > can't use that to determine where/when the issue occurred. How
> > > > else can I access logs to troubleshoot my script, and determine
> > > > whether I need to post a bug report?
> > > > 
> > > > I'm new to Linux, but a quick learner.
> > > > 
> > > 
> > > Can you post the script you were running?
> > > 
> > > - -- 
> > > Andrew David Wong (Axon)
> > > Community Manager, Qubes OS
> > > https://www.qubes-os.org
> > 
> > Script is attached. It's my first attempt at a bash script, and still in 
> > progress (and obviously potentially dangerous).
> > 
> > The script is designed to create exclusive access to certain services (eg 
> > Facebook) for VMs where they should be used (eg Personal). It does this by 
> > preventing inappropriate VMs from accessing those addresses.
> > 
> > So, all the addresses listed under Banking will be blocked for the other 
> > VMs laid out in the $vms array, unless that VM is also allowed access.
> > 
> > Services that run round-robin DNS, eg google.com, need to be blocked 
> > multiple times to ensure there is no access to the service. I tested
> > 
> > `qvm-firewall banking -a google.com any`
> > 
> > and determined that running it multiple times in succession will eventually 
> > block all the (current) round-robin IP addresses.
> > 
> > So, I added a verification feature to the script, which launches a while 
> > loop. It waits for
> > 
> > `qvm-run -ap banking 'ping -c1 google.com'`
> > 
> > to return "Destination Host Prohibited", indicating that the entire 
> > round-robin has been blocked. Until then (or until 10 iterations) it will 
> > continue to qvm-firewall block google.com.
> > 
> > I believe that the verification function is what caused the problem, but I 
> > don't know how to investigate it. Your thoughts are appreciated!
> > 
> 
> Can you check the size of the firewall rule files for the qubes that
> won't start - I assume that that is what you mean by unmountable?
> The files are /var/lib/qubes/appvms//firewall.xml
> 
> 'ls -lh' will show the size
> You can use 'ls -lh /var/lib/qubes/appvms/*/firewall.xml' to check them
> all.

By unmountable I mean that they can't start - sorry, that wasn't clear.

When I attempt to start them, I get

Error starting VM 'shopping': (2, 'no such file or directory')

I've restored two of the VMs from backups, but left 'shopping' to troubleshoot.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9ed25ae2-f821-45ff-8d1a-c48ccf2a28ed%40googlegroups.com.


Re: [qubes-users] Damaged qubes by running a "safe" script on dom0 - how can I determine the problem?

2017-03-24 Thread Unman
On Thu, Mar 23, 2017 at 08:00:57PM -0700, Nemo wrote:
> On Thursday, March 23, 2017 at 10:37:58 PM UTC-4, Andrew David Wong wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> > 
> > On 2017-03-23 19:28, Nemo wrote:
> > > I've been writing a bash script that manages firewall settings
> > > from dom0, via qvm-firewall and qvm-run for ping.
> > > 
> > > Everything had been safe until an hour ago, when I added in the 
> > > qvm-run/ping function. I let it run for about 20 mins, and when I 
> > > came back three of my qubes were damaged in a way that made them 
> > > unmountable.
> > > 
> > > I don't have the terminal readout (I was running bash -x), so I 
> > > can't use that to determine where/when the issue occurred. How
> > > else can I access logs to troubleshoot my script, and determine
> > > whether I need to post a bug report?
> > > 
> > > I'm new to Linux, but a quick learner.
> > > 
> > 
> > Can you post the script you were running?
> > 
> > - -- 
> > Andrew David Wong (Axon)
> > Community Manager, Qubes OS
> > https://www.qubes-os.org
> 
> Script is attached. It's my first attempt at a bash script, and still in 
> progress (and obviously potentially dangerous).
> 
> The script is designed to create exclusive access to certain services (eg 
> Facebook) for VMs where they should be used (eg Personal). It does this by 
> preventing inappropriate VMs from accessing those addresses.
> 
> So, all the addresses listed under Banking will be blocked for the other VMs 
> laid out in the $vms array, unless that VM is also allowed access.
> 
> Services that run round-robin DNS, eg google.com, need to be blocked multiple 
> times to ensure there is no access to the service. I tested
> 
> `qvm-firewall banking -a google.com any`
> 
> and determined that running it multiple times in succession will eventually 
> block all the (current) round-robin IP addresses.
> 
> So, I added a verification feature to the script, which launches a while 
> loop. It waits for
> 
> `qvm-run -ap banking 'ping -c1 google.com'`
> 
> to return "Destination Host Prohibited", indicating that the entire 
> round-robin has been blocked. Until then (or until 10 iterations) it will 
> continue to qvm-firewall block google.com.
> 
> I believe that the verification function is what caused the problem, but I 
> don't know how to investigate it. Your thoughts are appreciated!
> 

Can you check the size of the firewall rule files for the qubes that
won't start - I assume that that is what you mean by unmountable?
The files are /var/lib/qubes/appvms//firewall.xml

'ls -lh' will show the size
You can use 'ls -lh /var/lib/qubes/appvms/*/firewall.xml' to check them
all.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170324220749.GB15199%40thirdeyesecurity.org.


Re: [qubes-users] Re: HDD disk full

2017-03-24 Thread Unman
On Fri, Mar 24, 2017 at 04:26:10PM +, William Fisher wrote:
> Can you give an example of the mkfs command to create a compatible storage
> drive for my Qubes system since the SSD is booting and running Qubes?
> On Fri, Mar 24, 2017 at 10:46 AM Unman  wrote:
> 
> > On Fri, Mar 24, 2017 at 03:30:31PM +, William Fisher wrote:
> > > Thank you!
> > > On Fri, Mar 24, 2017 at 10:25 AM Reg Tiangha 
> > > wrote:
> > >
> > > > On 03/24/2017 08:31 AM, William Fisher wrote:
> > > > > On Friday, March 24, 2017 at 10:12:21 AM UTC-4, William Fisher wrote:
> > > > >> On Friday, March 24, 2017 at 1:42:54 AM UTC-4, Reg Tiangha wrote:
> > > > >>> On 03/23/2017 11:41 PM, William Fisher wrote:
> > > >  Thank you. I'll try it. What's the command to start gparted?
> > > > 
> > > > >>> You can type gparted on the command line, or it'll show up in your
> > > > >>> application menu and you can start it that way.
> > > > >> I loaded gparted but it doesn't address or see the HD.(The HD is
> > listed
> > > > in dom0 as storage) How do I "attach" the drive to the VM with gparted?
> > > > > or... how can I run gparted in dom0, and should I???
> > > > >
> > > > In Qubes Manager, right click on your VM and the drive should be listed
> > > > under "Attach/detach Block Devices." Select the drive and it should
> > then
> > > > be visible to the VM. Launch gparted and then it should be able to see
> > > > the drive.
> > > >
> > > >
> > > > --
> >
> > You dont have to do this, of course.
> > because the drive is already attached to dom0 you can use the tools
> > already there:
> >
> > fdisk/cfdisk to create or delete partitions
> > mkfs (and its derivatives) to format.
> >

Hello William,

Please try not to top post when mailing the list.

Most of this is standard, and you will find many good guides online. In
brief, you want something like this:

I assume you have a single partition, and it appears in dom0 at
/dev/sdb1. Make sure you know which disk and partition you are working
on - otherwise things may get very bad.
Of course, have backups.

You can format this to ext4 by doing this as root:
mkfs.ext4 /dev/sdb1

You will lose all the data on the existing partition, so if you want to
keep it, back it up first.
(Almost all of this requires root access so either use sudo or 'sudo su'
to get root.)

You can examine the disk, and repartition it if you want using 
'cfdisk /dev/sdb'
That tool is quite easy to use.



Note that this partition won't be encrypted like your main Qubes
partition. This may not worry you, particularly if you only intend to
use it for encrypted backups.
But if you do want  an encrypted disk, the process is somewhat more
involved, particularly if you want to use the same password as your
main Qubes disk, so you only need to enter one password.

Look in /dev/mapper to check the current name of your encrypted disk:
say luks-stringofstuff
'cryptsetup status luks-stringofstuff' - will show you the current
configuration.

Use fdisk or cfdisk to create a Linux partition on /dev/sdb
at sdb1
Then make an encrypted filesystem, using the SAME config as your main
disk: e.g.
'cryptsetup luksFormat /dev/sdb1 --key-size=512 --cipher=aes-xts-plain64'
When prompted use the same password you use for the main disk.

Then open the disk and create the filesystem:
'cryptsetup luksOpen /dev/sdb1 data_enc'
'mkfs.ext4 /dev/mapper/data_enc'
'cryptsetup luksClose data_enc'

If you want to automatically mount the new drive at boot, then you need
to add it to  /etc/fstab:
First get the UUID:
'blkid /dev/sdb1'
This will show you the UUID, and type which should be crypto_LUKS

Edit the file /etc/crypttab and add a line:
data_enc UUID=longlineofstuff none luks

Then make sure that the decrypted partition is mounted:
edit the file /etc/fstab, and add a line:
/dev/mapper/data_enc /store ext4 defaults 0 2

I hope that doesn't seem too complicated.
You can get more information online, or by using man for information -
e.g. man fstab
Be very careful and make sure you know what you are working on. And, of
course, have backups. (Did I say that before?)

unman

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170324205905.GA15199%40thirdeyesecurity.org.
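The recipe above as a checked script, added here as an example; it is not unman's code and not a Qubes tool. Assumptions are mine: it runs as root in dom0; the partition, mapper name, mount point and the name of the existing LUKS volume under /dev/mapper are passed as arguments; cipher and key size are read from `cryptsetup status` on the existing volume instead of being typed; `DRY_RUN=1` prints the destructive commands instead of running them; `FORCE=1` is required before it will format a partition that already carries a filesystem or LUKS signature. The crypttab and fstab entries are emitted tab-separated.

```shell
#!/bin/bash
# Added example, not unman's code: the /dev/sdb1 LUKS recipe as a checked script.
# Assumptions (mine): arguments give the partition, mapper name, mount point and
# the name of the existing dom0 LUKS volume (from /dev/mapper); DRY_RUN=1 prints
# the destructive commands instead of running them; FORCE=1 is required to
# overwrite a partition that already carries a filesystem or LUKS signature.

# Extract KEY="value" from one blkid(8) output line, e.g. blkid_field "$line" UUID
blkid_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# /etc/crypttab entry: <name> UUID=<uuid> none luks (tab-separated)
crypttab_line() {
    printf '%s\tUUID=%s\tnone\tluks\n' "$1" "$2"
}

# /etc/fstab entry for the opened mapper device, mounted at $2
fstab_line() {
    printf '/dev/mapper/%s\t%s\text4\tdefaults\t0\t2\n' "$1" "$2"
}

# Read "cipher:" and "keysize:" from `cryptsetup status <name>` output so the
# new volume matches the existing one ("the SAME config as your main disk").
status_cipher()  { printf '%s\n' "$1" | awk '$1 == "cipher:"  { print $2 }'; }
status_keysize() { printf '%s\n' "$1" | awk '$1 == "keysize:" { print $2 }'; }

# Run a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# provision_encrypted_disk /dev/sdb1 data_enc /store luks-stringofstuff
provision_encrypted_disk() {
    local dev="$1" name="$2" mnt="$3" existing="$4"
    local st cipher bits line uuid
    # luksFormat and mkfs are irreversible: refuse if the partition is not blank.
    if [ "${FORCE:-0}" != 1 ] && blkid "$dev" >/dev/null 2>&1; then
        echo "refusing: $dev already has a signature (FORCE=1 to override)" >&2
        return 2
    fi
    st=$(cryptsetup status "$existing") || { echo "no such LUKS volume: $existing" >&2; return 1; }
    cipher=$(status_cipher "$st"); bits=$(status_keysize "$st")
    run cryptsetup luksFormat "$dev" --key-size="$bits" --cipher="$cipher"
    run cryptsetup luksOpen "$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run cryptsetup luksClose "$name"
    line=$(blkid "$dev" 2>/dev/null || true)
    uuid=$(blkid_field "$line" UUID)
    if [ "${DRY_RUN:-0}" != 1 ] && [ "$(blkid_field "$line" TYPE)" != crypto_LUKS ]; then
        echo "expected TYPE=crypto_LUKS on $dev, got: $line" >&2
        return 1
    fi
    crypttab_line "$name" "${uuid:-<uuid>}" | run tee -a /etc/crypttab >/dev/null
    fstab_line "$name" "$mnt"              | run tee -a /etc/fstab    >/dev/null
    run mkdir -p "$mnt"
}
```

Try it first with `DRY_RUN=1 provision_encrypted_disk /dev/sdb1 data_enc /store luks-stringofstuff` and read the printed commands: the disk named there is the one that gets wiped, which is the "make sure you know which disk" check from the post made mechanical.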


[qubes-users] TemplateVMs have issues connecting to DNF

2017-03-24 Thread Nemo
My TemplateVMs have a recurring and unpredictable problem starting dnf.

dnf will display no output for a number of minutes and then exit with an error 
like (not always this)

Error: Failed to synchronize cache for repo 'qubes-vm-r3.2-current'

or

Error: Failed to synchronize cache for repo 'fedora'

I have the issue about 50% of the time I try to use dnf on a TemplateVM. If the 
error appears, I usually attempt to troubleshoot for 20 mins before it randomly 
works, or I give up and decide to try later.

Some symptoms/findings:

- An AppVM based on the TemplateVM may be able to use dnf at the same time the 
TemplateVM cannot
- Internet access (ie web browsing) is never affected
- Allowing all internet access to the TemplateVM usually does not fix the 
problem
- Allowing all internet access and turning off proxy updates usually does not 
fix the problem
- Resetting the TemplateVM usually does not fix the problem
- Resetting sys-firewall usually does not fix the problem
- Changing the TemplateVM behind sys-firewall usually does not fix the problem
- Adding fastestmirror=true to dnf.conf does not fix the problem
- Restarting Qubes sometimes fixes the problem

I'm using fedora-25 and fedora-25-minimal as my core distributions.

Has anyone else come across this problem?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3ccee9e2-4be7-4107-b3d5-1e1af91954b9%40googlegroups.com.


[qubes-users] Re: External GPU for just one VM or OpenSWR

2017-03-24 Thread Vít Šesták
I have good news.

First, I have tried some tasks where I lacked GPU performance, and it is much 
better now. Not sure what was improved since Qubes 3.0, but it is better in 
both PVMs (Debian) and HVMs (where GPU emulation is probably handled by 
stubdom).

Second, I got OpenSWR working on Debian 9 and it is not so hard. OpenSWR is a 
part of Mesa 12 (this is the reason why I haven't tried it with Debian 8…). 
When Mesa is compiled with OpenSWR support, one can use it by environment 
variable GALLIUM_DRIVER=swr. Unfortunately, OpenSWR seems to be neither in 
Debian repository nor in Fedora repository. Fortunately, Mesa can be compiled 
with OpenSWR by just adding few options. I've compiled it on Debian 9 using 
apt-get source, few modifications and debuild. I can share details. I did not 
go the clean way (with ensuring dependencies are specified correctly etc.), but 
it is working.

I haven't much time for benchmarks, but OpenSWR is reportedly much faster than 
llvmpipe.

Since Qubes 4 will have Linux-based stubdoms, it might be worth using OpenSWR 
there if it proves to work well. (Maybe not as a default option.) BTW, when 
switching to Qubes 4, where will be the output rendered – in AppVMs, or in 
stubdoms?

Regards,
Vít Šesták 'v6ak'

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/651cdf17-5bf0-4f5a-a954-91e9af5e868f%40googlegroups.com.


[qubes-users] Acer F15 and sys-net

2017-03-24 Thread wassw32291
Hello! 

After installing Qubes I have some issue with sys-net: the network is not working.

Finding some information on https://www.qubes-os.org/doc/assigning-devices/

In dom0 I became root and ran

echo -n "1" > /sys/bus/pci/devices/:04:00.0/remove

which solved the problem, but after rebooting the laptop this setting is reset.

My network card is Qualcomm Atheros QCA9377 Wireless Network Adapter and 
Realtek PCIe GBE Family Controller.

How do I make sys-net work correctly?

Thkx.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/37eb868c-34ef-4a9c-8795-26300f96b66c%40googlegroups.com.


[qubes-users] Re: VLAN to AppVM ?

2017-03-24 Thread Marcus Dilger
On Wednesday, March 22, 2017 at 13:10:47 UTC+1, Marcus Dilger wrote:
> Hello,
> I am trying to connect a group of AppVMs to different VLAN networks. The VLAN 
> networks are available at the physical network adapter (LAN adapter).
> 
> What I have done:
> Set up a VLAN interface in the netVM via NetworkManager; that interface is 
> already visible via ifconfig and also gets an IP from the DHCP server of the 
> VLAN.
> 
> But I have no idea how to connect a sys-firewall / proxy VM to that 
> additional VLAN interface of the netVM. Is that the best approach at all? 
> Or maybe it is possible to have multiple netVMs, one for each VLAN?
> 
> Thank you,
> best
> Marcus

No way. Still not succeeded. Only the netVM gets VLAN traffic. All VMs behind 
it (i.e. firewall, proxy) get untagged traffic only.
What works is an additional VLAN interface in the netVM for tagged traffic. 
But I have no idea how to configure the firewall / proxy VM behind it to connect 
to that additional interface. 

Any help would be appreciated.

Thanks,
best
Marcus
 

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/886300bb-001f-4d74-b9f6-b63ece53aab8%40googlegroups.com.


[qubes-users] Screensaver timer resets automatically

2017-03-24 Thread Fabrizio Romano Genovese
Hello All,

Just a very simple problem: My screenlock does not work. After fiddling around 
a lot I discovered that the screenlock starts correctly if I set the screen 
lock timer as 15 seconds or less.

Experimenting a bit more, I discovered that if I give, say,
xset s 30 30
then the screen never blanks. If I give 
xset s 5 5
then the screen blanks correctly after 5 seconds, but after some more seconds 
(~15 usually) my pc wakes up again, even if I do not touch mouse/keyboard at 
all. After 5 seconds this cycle starts again.

It is quite clear to me that there is something that is mistakenly registered 
as user activity and that periodically resets my screensaver timer, the only 
problem is that I do not know how to find which process/service/whatever causes 
this. Is there a way to find out what resets this timer?

Thanks for your Time,
Fab

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ae7ccb5-79ce-4689-8b8a-4f7dd23e04ac%40googlegroups.com.


Re: [qubes-users] updateVM not setup error when trying to get whonix templates

2017-03-24 Thread Chris Laprise

On 03/23/2017 09:01 AM, nazzaroth.yout...@web.de wrote:

> Hello everyone
> 
> Originally, while I installed Qubes for the first time, I had a problem configuring it. I 
> had the standard choices and also the Whonix templates set, but while the setup configured 
> Qubes, at some point it always stopped working. I think it was something like "Qubes 
> Configuration Setup" and the little bar that goes left to right stopped moving.
> 
> I tried different choices but this problem persisted. So in the end I tried the 
> no configuration (advanced user) option. It indeed helped me to get to the 
> desktop of Qubes, but of course now I have the problem of no preconfiguration and I 
> certainly am not an advanced user.
> 
> I tried to install Whonix the way it is written in the docs, but when I try to update the 
> template VMs I get the error "updateVM not setup, exiting". I would guess because 
> I have no VMs configured, not even sys-net or sys-firewall.
> 
> Is it complicated to configure Qubes yourself? I'd be glad about any instructions 
> on that front.
> Or if it is possible to go back to the initial configuration setup and then fix 
> the bug of the setup stopping in the middle, I would of course do that too.
> 
> Thanks everyone for reading and helping me :)



When you right-click on each VM and view the logs, do you see errors?

Also, have you checked the HCL to see if your model of computer has 
compatibility problems with Qubes?


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8402820-445c-32c8-af62-16efcd8d45f5%40openmailbox.org.


[qubes-users] assigning complete usb controller to vm. scanner device works but very, very slow

2017-03-24 Thread Steffen Hartmann
Hello,

I've assigned my scanner (and the complete usb controller) via this description 
https://www.qubes-os.org/doc/assigning-devices/ into a virtual machine.

I can use scanimage to use the scanner, but it takes about 5 minutes to scan a 
page.
Everything works, however.

Using scanimage -L also works, but also with a long delay (30 sec).
This is true for Debian 8 and also for Fedora 23 and Fedora 24 templates.

I also updated to kernel 4.8.12-12 (inside the VM) but no change.

OS is Qubes 3.2 running the above kernel in dom0
PC: Dell 5500 precision

Steffen

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5ec8d2ff-959f-4c10-8a08-87d28d5fe42e%40googlegroups.com.


Re: [qubes-users] Re: HDD disk full

2017-03-24 Thread William Fisher
Can you give an example of the mkfs command to create a compatible storage
drive for my Qubes system since the SSD is booting and running Qubes?
On Fri, Mar 24, 2017 at 10:46 AM Unman  wrote:

> On Fri, Mar 24, 2017 at 03:30:31PM +, William Fisher wrote:
> > Thank you!
> > On Fri, Mar 24, 2017 at 10:25 AM Reg Tiangha 
> > wrote:
> >
> > > On 03/24/2017 08:31 AM, William Fisher wrote:
> > > > On Friday, March 24, 2017 at 10:12:21 AM UTC-4, William Fisher wrote:
> > > >> On Friday, March 24, 2017 at 1:42:54 AM UTC-4, Reg Tiangha wrote:
> > > >>> On 03/23/2017 11:41 PM, William Fisher wrote:
> > >  Thank you. I'll try it. What's the command to start gparted?
> > > 
> > > >>> You can type gparted on the command line, or it'll show up in your
> > > >>> application menu and you can start it that way.
> > > >> I loaded gparted but it doesn't address or see the HD.(The HD is
> listed
> > > in dom0 as storage) How do I "attach" the drive to the VM with gparted?
> > > > or... how can I run gparted in dom0, and should I???
> > > >
> > > In Qubes Manager, right click on your VM and the drive should be listed
> > > under "Attach/detach Block Devices." Select the drive and it should
> then
> > > be visible to the VM. Launch gparted and then it should be able to see
> > > the drive.
> > >
> > >
> > > --
> > > You received this message because you are subscribed to a topic in the
> > > Google Groups "qubes-users" group.
> > > To unsubscribe from this topic, visit
> > > https://groups.google.com/d/topic/qubes-users/jVFIsydHntk/unsubscribe.
> > > To unsubscribe from this group and all its topics, send an email to
> > > qubes-users+unsubscr...@googlegroups.com.
> > > To post to this group, send email to qubes-users@googlegroups.com.
> > > To view this discussion on the web visit
> > >
> https://groups.google.com/d/msgid/qubes-users/ob3dng%244sj%241%40blaine.gmane.org
> > > .
> > > For more options, visit https://groups.google.com/d/optout.
> > >
>
> You dont have to do this, of course.
> because the drive is already attached to dom0 you can use the tools
> already there:
>
> fdisk/cfdisk to create or delete partitions
> mkfs (and its derivatives) to format.
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJyh_i99%3DijhVvMjrVsAJ0_BY44ey0pjKEfu7rAMKucKsC%2Bb-w%40mail.gmail.com.


Re: [qubes-users] qvm-open-in-vm: unable to open file twice in a row

2017-03-24 Thread Unman
On Fri, Mar 24, 2017 at 02:22:17PM +0100, Sven Eriksson wrote:
> Hi,
> 
> Using 'qvm-open-in-vm' to open a pdf-file in another appvm fails for me
> in the following way:
> 
> First time it opens correctly, spawning evince and opening the pdf in
> the other vm. However, when closing the evince window, I get a message:
> "Failed to remove file at exit".
> 
> Next time around, the file will not open. When trying, I get the
> message: "qopen-in-vm: Fatal error: send file to dispVM (error type:
> Broken pipe)" in a message window.
> 
> When renaming the pdf-file with a new name it works to open the file
> once again. But then also with the new name it cannot be opened twice in
> a row.
> 
> It turns out that the file is stored in the /tmp directory of the
> target vm and that the "Failed to remove file at exit" message above
> concerns the inability to remove the file from the tmp directory.
> 
> If I remove the file manually from the tmp directory, I can once again
> open it from the other vm.
> 
> What is the reason for this behaviour? How can I make the system
> automatically remove the file from the tmp directory upon closing evince?

It's a bug - well spotted. It does not affect qvm-open-in-dispvm of course,
which is why, I suspect, it hasn't been noted before.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170324155413.GB14277%40thirdeyesecurity.org.


Re: [qubes-users] Maybe a silly question

2017-03-24 Thread Jean-Philippe Ouellet
On Fri, Mar 24, 2017 at 10:51 AM, Manuel Cornejo
 wrote:
> Doesn't Qubes need an antivirus? What happens if on Qubes we set up a VM with 
> Windows 7 in it? Would you install antivirus on the virtual machine, hoping 
> that it is going to be (the same / more) effective than in the traditional non-
> virtualized scenario? How do you protect your Qubes machine from viruses? Just 
> by putting down the VM? And what about BIOS rootkits and other malware?

IMO you are much better off using templates to ensure you don't use
compromised windows VMs to deal with data you care about than you
would be trying to use antivirus (a.k.a. "throwing all the untrusted
input at all the complex parsers, often with extremely weak
sandboxing").

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_AfUt7SQkLTp9kR%3Dj%3DA6bihvUhz9gJTtw9oL0%2B8W6CpDA%40mail.gmail.com.


Re: [qubes-users] Why does Qubes not work with nested virtualization?

2017-03-24 Thread Jean-Philippe Ouellet
It actually does work for limited use cases. I sometimes run Qubes
inside Qubes for quickly testing things ;) The outer VM must be HVM,
and the inner-inner VMs must be PVM, or else you must enable some
less-tested and potentially dangerous code paths in Xen (nestedhvm=1)
which Qubes (on purpose) does not enable by default.

The main issue is networking does not work because Qubes relies on
being able to pci-passthrough a network card to sys-net, and this
(emulating pci passthrough) is afaik not implemented by qemu.

I suspect this is not actually what you meant though, and perhaps you
are asking about running Qubes inside e.g. virtualbox or vmware on
windows or osx? Well, in that case many of the security guarantees of
qubes (device isolation, boot sequence semi-protection, etc.) can not
be made since the outer system has full control and is fully exposed.
Then there is also the problem of the outer hypervisors not correctly
emulating or exposing the hardware-assisted virtualization cpu
features to their guests. (IIRC virtualbox still doesn't? Don't quote
me on that though... I haven't tried it myself.)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_ACBVEJfPY2cjzn6wuNqw9zsyf6OML%2BvdoYWmUpRt1TaA%40mail.gmail.com.


Re: [qubes-users] Re: HDD disk full

2017-03-24 Thread Unman
On Fri, Mar 24, 2017 at 03:30:31PM +, William Fisher wrote:
> Thank you!
> On Fri, Mar 24, 2017 at 10:25 AM Reg Tiangha 
> wrote:
> 
> > On 03/24/2017 08:31 AM, William Fisher wrote:
> > > On Friday, March 24, 2017 at 10:12:21 AM UTC-4, William Fisher wrote:
> > >> On Friday, March 24, 2017 at 1:42:54 AM UTC-4, Reg Tiangha wrote:
> > >>> On 03/23/2017 11:41 PM, William Fisher wrote:
> >  Thank you. I'll try it. What's the command to start gparted?
> > 
> > >>> You can type gparted on the command line, or it'll show up in your
> > >>> application menu and you can start it that way.
> > >> I loaded gparted but it doesn't address or see the HD.(The HD is listed
> > in dom0 as storage) How do I "attach" the drive to the VM with gparted?
> > > or... how can I run gparted in dom0, and should I???
> > >
> > In Qubes Manager, right click on your VM and the drive should be listed
> > under "Attach/detach Block Devices." Select the drive and it should then
> > be visible to the VM. Launch gparted and then it should be able to see
> > the drive.

You don't have to do this, of course.
Because the drive is already attached to dom0 you can use the tools
already there:

fdisk/cfdisk to create or delete partitions
mkfs (and its derivatives) to format.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170324154616.GA14277%40thirdeyesecurity.org.


Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Jean-Philippe Ouellet
- If we consider a compromised VM with:
  - passwords saved in the browser: an attacker can obtain all passwords
  - your proposed password manager: an attacker can still obtain all
passwords, just needs to wait for them to be used

- If we consider a non-compromised VM with:
  - passwords saved in a browser: an attacker can not obtain passwords
  - your proposed password manager: an attacker can obtain passwords
by changing window titles during authentication (which may or may not
be *detected* by a sharply observant user, but could still not be
*prevented* by one)

Therefore, your proposed solution actually appears worse from a
security perspective (aiming to guarantee password confidentiality)
than just saving passwords in your browser!

Your argument appears to reduce to "This may be theoretically
exploitable, but the ease of implementation and additional convenience
is more important to me", which assumes your adversary is not
sufficiently {resourced, motivated, creative} to exploit that
theoretical weakness against you. For many users this assumption and
associated trade-off may be fine... however they are quite strongly
rejected in the arguments motivating the design of Qubes.

The key difference between this and the passwordless sudo argument you
bring up is that the qubes security model explicitly assumes that
user->root privilege escalation within a VM is possible, and designs
around that fact. Meaning, assuming the security assumptions of Qubes
[1] hold, passwordless sudo is *not* a theoretical weakness [2].

[1] which have nothing to do with assuming weak/unmotivated adversaries
[2] unless Xen vulns affecting Qubes are somehow more exploitable from
kernel vs. userspace within a VM *and* the adversary does not also
have a linux privesc exploit (which history has shown to be quite
unlikely)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_DFw3_%2BD5XViMkie7mn4x60WgQ7yvYVPhhXdzpxoBoMhQ%40mail.gmail.com.


Re: [qubes-users] Re: HDD disk full

2017-03-24 Thread William Fisher
Thank you!
On Fri, Mar 24, 2017 at 10:25 AM Reg Tiangha 
wrote:

> On 03/24/2017 08:31 AM, William Fisher wrote:
> > On Friday, March 24, 2017 at 10:12:21 AM UTC-4, William Fisher wrote:
> >> On Friday, March 24, 2017 at 1:42:54 AM UTC-4, Reg Tiangha wrote:
> >>> On 03/23/2017 11:41 PM, William Fisher wrote:
>  Thank you. I'll try it. What's the command to start gparted?
> 
> >>> You can type gparted on the command line, or it'll show up in your
> >>> application menu and you can start it that way.
> >> I loaded gparted but it doesn't address or see the HD.(The HD is listed
> in dom0 as storage) How do I "attach" the drive to the VM with gparted?
> > or... how can I run gparted in dom0, and should I???
> >
> In Qubes Manager, right click on your VM and the drive should be listed
> under "Attach/detach Block Devices." Select the drive and it should then
> be visible to the VM. Launch gparted and then it should be able to see
> the drive.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJyh_i9HpiOX7epAkYp_0G28JzrchGbA2sBdGrvp5iF3wsY5qQ%40mail.gmail.com.


[qubes-users] Re: HDD disk full

2017-03-24 Thread Reg Tiangha
On 03/24/2017 08:31 AM, William Fisher wrote:
> On Friday, March 24, 2017 at 10:12:21 AM UTC-4, William Fisher wrote:
>> On Friday, March 24, 2017 at 1:42:54 AM UTC-4, Reg Tiangha wrote:
>>> On 03/23/2017 11:41 PM, William Fisher wrote:
 Thank you. I'll try it. What's the command to start gparted?

>>> You can type gparted on the command line, or it'll show up in your
>>> application menu and you can start it that way.
>> I loaded gparted but it doesn't address or see the HD.(The HD is listed in 
>> dom0 as storage) How do I "attach" the drive to the VM with gparted?
> or... how can I run gparted in dom0, and should I???
>
In Qubes Manager, right click on your VM and the drive should be listed
under "Attach/detach Block Devices." Select the drive and it should then
be visible to the VM. Launch gparted and then it should be able to see
the drive.


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ob3dng%244sj%241%40blaine.gmane.org.


Re: [qubes-users] Maybe a silly question

2017-03-24 Thread Manuel Cornejo
On Wednesday, March 22, 2017 at 4:32:05 AM UTC+1, a.mc...@yandex.com 
wrote:
> Hi,
> 
> KasperskyOS is a system for embedded devices, for industrial devices. I don't 
> see any advantages for home usage in Qubes OS. Besides, it's a closed source 
> piece of software. Just forget about it, unless you are an engineer/developer 
> and going to use it for its primary purposes.
> 
> 
> 
> As for Kaspersky Security for Virtualization, it could add extra security, 
> but due to its closed source nature it could be a weakness itself.
> 
> Also, it supports Citrix Xen Server, but it doesn't support open source Xen 
> Server itself... Besides, it's not for free and pretty costly, not for home 
> usage.
> 
> 
> On March 22, 2017 4:35:59 AM AEDT, Manuel Cornejo  
> wrote:
> 
> 
> 
> 
> 
> Hi everyone.
> 
> As Qubes works by means of the principle of security by isolation, and every 
> part of the hardware is running in a virtual machine, does it make any sense 
> to use Kaspersky Security for Virtualization over the Xen hypervisor to 
> improve security and anti-hacker security?
> Is KasperskyOS going to be big competition for Qubes?
> 
> Sincerely
> 
> Manuel Cornejo

Regarding the cost, here it is: 
https://www.antivirussales.com/store/kaspersky-security-virtualization-server-1year-band-p-new
$76.38 doesn't seem a lot for 49 seats. The question is that this product is 
licensed with a "network" in mind, not for a PC with "networked internals". Well, 
so: doesn't Qubes need an antivirus? What happens if on Qubes we set a VM 
with Windows 7 in it? Would you install antivirus on the virtual machine hoping 
that it is going to be (the same/more) effective than in the traditional 
non-virtualized scenario? How do you protect your Qubes machine from viruses? 
Just by putting down the VM? And what about BIOS rootkits and other malware?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/83de228d-2827-445b-8fac-3cc873937691%40googlegroups.com.


[qubes-users] Re: HDD disk full

2017-03-24 Thread William Fisher
On Friday, March 24, 2017 at 10:12:21 AM UTC-4, William Fisher wrote:
> On Friday, March 24, 2017 at 1:42:54 AM UTC-4, Reg Tiangha wrote:
> > On 03/23/2017 11:41 PM, William Fisher wrote:
> > > Thank you. I'll try it. What's the command to start gparted?
> > >
> > You can type gparted on the command line, or it'll show up in your
> > application menu and you can start it that way.
> 
> I loaded gparted but it doesn't address or see the HD.(The HD is listed in 
> dom0 as storage) How do I "attach" the drive to the VM with gparted?

or... how can I run gparted in dom0, and should I???

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5ef63161-4a1c-4307-a531-ef55b3328e9a%40googlegroups.com.


[qubes-users] Re: HDD disk full

2017-03-24 Thread William Fisher
On Friday, March 24, 2017 at 1:42:54 AM UTC-4, Reg Tiangha wrote:
> On 03/23/2017 11:41 PM, William Fisher wrote:
> > Thank you. I'll try it. What's the command to start gparted?
> >
> You can type gparted on the command line, or it'll show up in your
> application menu and you can start it that way.

I loaded gparted but it doesn't address or see the HD.(The HD is listed in dom0 
as storage) How do I "attach" the drive to the VM with gparted?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/299989c9-642a-4712-a72e-f8117a81edb2%40googlegroups.com.


[qubes-users] qvm-open-in-vm: unable to open file twice in a row

2017-03-24 Thread Sven Eriksson
Hi,

Using 'qvm-open-in-vm' to open a pdf-file in another appvm fails for me
in the following way:

First time it opens correctly, spawning evince and opening the pdf in
the other vm. However, when closing the evince window, I get a message:
"Failed to remove file at exit".

Next time around, the file will not open. When trying, I get the
message: "qopen-in-vm: Fatal error: send file to dispVM (error type:
Broken pipe)" in a message window.

When renaming the pdf-file with a new name it works to open the file
once again. But then also with the new name it cannot be opened twice in
a row.

It turns out that the file is stored in the /tmp directory of the
target vm and that the "Failed to remove file at exit" message above
concerns the inability to remove the file from the tmp directory.

If I remove the file manually from the tmp directory, I can once again
open it from the other vm.

What is the reason for this behaviour? How can I make the system
automatically remove the file from the tmp directory upon closing evince?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/31be5897-7f43-fb8c-bafc-9b2a8d775170%40gmail.com.


[qubes-users] Why does Qubes not work with nested virtualization?

2017-03-24 Thread public
Nested Virtualization seems to work generally well, albeit slower, even with 
different hypervisors.

Despite the advice given in the install docs:

> Note: We don’t recommend installing Qubes in a virtual machine! It will 
> likely not work.

I tried it and the kernel comes up, as does the installer; X does not work, 
though it normally does in the same environment (sans Qubes).

The development "workflow" for qubes being what it is, running qubes under a 
hypervisor would be a great help there.

Cheers, Marian

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/57bedaec-9490-4cd4-b063-d6e614d80671%40googlegroups.com.


Re: [qubes-users] Re: Building Qubes from source, strange error.

2017-03-24 Thread Opal Raava
On Thursday, March 23, 2017 at 9:40:57 PM UTC+1, Opal Raava wrote:
> On Thursday, March 23, 2017 at 8:23:15 PM UTC+1, Opal Raava wrote:
> > On Thursday, March 23, 2017 at 12:11:51 PM UTC+1, Unman wrote:
> > > On Thu, Mar 23, 2017 at 03:40:34AM -0700, lokedhs wrote:
> > > > On Thursday, 23 March 2017 18:23:30 UTC+8, Opal Raava  wrote:
> > > > > On Thursday, March 23, 2017 at 3:27:58 AM UTC+1, lok...@gmail.com 
> > > > > wrote:
> > > > > > On Thursday, 23 March 2017 02:45:53 UTC+8, Opal Raava  wrote:
> > > > > > 
> > > > > > > Which tells us that we probably really do need version 3.9.0 of 
> > > > > > > qubes-tools.
> > > > > > 
> > > > > > Where can that version be found? Looking at the latest master of 
> > > > > > qubes-linux-utils, it only contains version 3.2.3:
> > > > > > 
> > > > > > https://github.com/QubesOS/qubes-linux-utils/blob/master/version
> > > > 
> > > > > Yes, and that is what surprises me as well. The relevant source has 
> > > > > not been touched in a while. I've looked, but I don't know why the 
> > > > > build breaks. 
> > > > > 
> > > > > All I know for a fact is what you said, it asks for 3.9.0 and 
> > > > > delivers 3.2.3 at the master branch. And that the relevant source 
> > > > > files all have not been changed recently.
> > > > 
> > > > The spec file was updated from 2.0.10 to 3.9.0 as of commit 
> > > > 9780a95a0ad20b63f2da401f108f2dcb3511554b. The interesting thing is that 
> > > > the commit was on the 17'th December 2015. This is more than half a 
> > > > year before the most recent ISO images were built.
> > > > 
> > > > I really have no idea what the cause for this could be.
> > > > 
> > > > Regards,
> > > > Elias
> > > > 
> > > 
> > > Finally I understand - you're trying to build a full build of master -
> > > I just don't think this works at the moment - you could *try* following
> > > my suggestion of NOT building artwork at all - just comment it out.
> > > 
> > > Lots of the devel work on v4 (that's now in master) is in the devs repos
> > > - you can see the mysterious 3.9 here:
> > > https://github.com/woju/qubes-linux-utils/tree/core3-devel
> > > 
> > > So I think you have to cherry pick from a number of different repos to
> > > get something like a working v4 if that's what you want.
> > > At least from marmarek and woju.
> > > I don't have scope to try this.
> > > 
> > > (You can just build some components as you like - e.g just the manager.)
> > > 
> > > It IS possible to build templates from master, and they seem to work
> > > fine with 3.2 (although marek has said that things might break, I haven't
> > > seen this as yet.)
> > > 
> > > unman
> > 
> > Ah okay, so all we have to do is specify 'releng3.2' into github or 
> > something to build the R3.2 branch?
> 
> Ah, problem solved. In the web build documentation it says to:
> 
> cp example-configs/qubes-os-master.conf builder.conf
> 
> if you instead do:
> 
> cp example-configs/qubes-os-r3.2.conf
> 
> you get a better branch. I'm currently trying to build that

I have now a new shiny ISO, so this works. Isn't it a bug in the website 
documentation that they recommend building from the master branch?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4e763334-d7fc-49da-8b0b-0f4de7a012b3%40googlegroups.com.


Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Shane Optima
> This is actually worse than not using a password manager at all,
> because the window you are about to enter the password into has full
> control over its title, and so this opens a race condition where the
> site could change its title right before dom0 checks it (perhaps
> triggered by "I am displaying a login form, and I just lost focus") to
> turn the dom0 pw mgr into a confused deputy [1] which would be happy
> to deliver the password for site A to the malicious site B which is
> temporarily spoofing site A's expected title.

Counterarguments in order of decisiveness, starting with the least and going to 
most:

1. This is touching on a debate on real security vs. theoretical, and I happen 
to think these situations parallel the debate about cell phone cameras.  Do 
you remember back when they first came out and quite a lot of people were 
constantly complaining about their picture quality (atrocious) and questioning 
why anyone would need a camera in a phone?  Convenience.  You can say "just 
bring a real camera" all you want, but when you're talking about day to day 
life, 99% of people will inevitably be caught with nothing but their camera 
phone on them.  

And without a usable Dom0 / Offline-VM password manager, 99% of people will 
choose inferior passwords, have persistent logins and/or store their passwords 
on their online machine in some fashion. 

From another angle: If theoretical security must trump real-world security or 
convenience, then passwordless sudo needs to be removed, right? It's not even 
all that "theoretical"; wasn't there a Xen jailbreak not that long ago? 


2. I'm assuming the name of the VM being in the window titles prevents the 
password from ever going to the wrong VM. So if you are using multiple VMs of 
different trust levels, your bank password can't be targeted in this way unless 
it's by another highly trusted site. 

I'll take the chance that Gmail is pretending to be Amazon in order to steal my 
password. I mean, I sort of suspect they have stronger methods of identity 
theft at their disposal.

2a. Only sites you have an account with *and* are using this manager with could 
even attempt that attack. So mitigation vs. most realistic attacks is thus as 
simple as only using the password manager with important, "name-brand" websites 
and sticking with your browser's password storage for $ObscureUBB#7482. 

The target user here is a savvy power user who actually understands what's 
going on, not someone who needs training wheels.


3. How on earth are they going to time that?  How could an AppVM, a 
non-compromised AppVM[1], anticipate the Dom0 window poll?  Like I said, this 
isn't a suggestion for a standard, robust, idiotproof scheme. 

It's also not telepath-proof. If not telepaths, how else are you going to know 
when to change the title? And before you answer, see #4.

4. I was actually already envisioning a few repeated polls over the course of a 
second or so for reliability, to guard against the user clicking around, but 
that would guard against this as well.  All polls have to agree, otherwise the 
AppVM's clipboard is never filled.

In the context of an attentive user, this should be a fatal blow to your 
described attack unless they can stack it with some other bugs. 

The deputy is being closely watched by the sheriff. 


>Not quite. The holy grail would be never having the VM see the
passwords *ever*, and this is in theory actually achievable.

Yes, you can split up the AppVM into multiple pieces but one of the pieces with 
internet access is going to need to see the password at some point.  That's 
far, far ahead of what I'm talking about, though. I'm talking about a very 
simple project with lots of code reuse.

If we're going to start talking about what Qubes should *ideally* do given lots 
of time or resources, I think some words like Alpine, unikernel and Genode 
should be thrown around.

>This is better than using a password manager,

I don't doubt it.  I would never suggest a long term focus on window titles as 
a way of authenticating websites or communicating between Dom0 and DomUs. But I 
think it will be some years before they manage to get things properly separated 
and locked down like that.

I hesitate to make claims about codebases I've never seen, but... this is a 
cookie cutter job, isn't it?  Aren't the pieces all there?  I wouldn't be 
surprised if someone could have something functional in less than a day's work. 
 (Assuming that the person was sufficiently familiar with both the window 
manager and the hyperclipboard code bases.)

Start by using the existing hyperclipboard code with a new hotkey combination, 
toss in an SQLite database or maybe just plain text, poll the window title for 
 milliseconds[2] and if the polls all agree, send it to the clipboard.  If 
they don't all agree, abort.

I was merely thinking of this as a power user thing. Duct tape.  I happen to 
think it's pretty strong duct tape, and that even a 

Re: [qubes-users] updateVM not setup error when trying to get whonix templates

2017-03-24 Thread nazzaroth . youtube
Hi

thanks for the tips.
I followed everything you said. The first time it didn't work because I got an 
error every time I started sys-net with the ethernet controller added.
Then I guess I messed up somehow, because at some point Qubes stopped booting 
again. Well, after a complete fresh reinstall I could start sys-net
without a problem with the controller added.

But after a while an error message pops up saying: cannot execute qrexec-daemon.
The same error happens with sys-firewall.

But you can see both VMs working and using some CPU from time to time. Also now 
messages of update pending show up on the Fedora and Debian TemplateVMs.
But when I start the update, after a while the same error shows up 
again: cannot execute qrexec-daemon

So I looked around a bit. I guess qrexec-daemon is a program I need for 
updating to work, and I have to reinstall it? I have a link to some repository, 
but I don't really know how to use that to install anything (first time I deal 
with a Linux system).
The link is this: http://deb.qubes-os.org/r3.2/vm/

hope anyone can help me with this new problem :)

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3a52a527-8178-40bb-97ad-b1a11b0fa7dd%40googlegroups.com.


Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Jean-Philippe Ouellet
On Fri, Mar 24, 2017 at 2:55 AM, Shane Optima  wrote:
> However, I just noticed that R3.2 introduced a Dom0-to-hyperboard[1] copy 
> function, and since Dom0 knows the window title text... couldn't there be 
> another hypervisor keyboard shortcut that would use the window title to 
> search though a simple database, copy a string associated with that window 
> title and send it to that VM's clipboard?
>
> And because browser window titles are changed by websites, that means you 
> could in most cases store one password per website.  As always, it would be 
> the user's responsibility to not input the password into a spoofed website. 
> (This tool would thus be more of a convenience for power users, not the 
> robust and idiotproof edition.)

This is actually worse than not using a password manager at all,
because the window you are about to enter the password into has full
control over its title, and so this opens a race condition where the
site could change its title right before dom0 checks it (perhaps
triggered by "I am displaying a login form, and I just lost focus") to
turn the dom0 pw mgr into a confused deputy [1] which would be happy
to deliver the password for site A to the malicious site B which is
temporarily spoofing site A's expected title.

[1]: https://en.wikipedia.org/wiki/Confused_deputy_problem

> Obviously, the holy grail of password management should involve not storing 
> passwords (encrypted or otherwise) on any online VM until the instant they 
> are needed.

Not quite. The holy grail would be never having the VM see the
passwords *ever*, and this is in theory actually achievable.

You could do your browsing in VM A, which has a browser extension
which securely determines the origin of the login form currently being
displayed, forwards a very simple "i am trying to login to site A" to
a different VM B. VM B has the list of credentials, and if we have one
for the site in question, performs a login. Then, only the session
cookies are forwarded back to vm A and injected back into A's browser
via the browser extension.

In this manner, a VM can obtain a valid login session for a given
site, without the ability to ever determine that password for that
site. This is better than using a password manager, because with a
password manager the vm still sees the password, and a compromised VM
need only wait until you login and then observe your password.

Of course, a compromised VM could also send your login session
cookies, etc. to an attacker who would then have a valid way to have
access to your account, but many sites require that you re-enter your
password before changing it so at least the attacker could not steal
the account by changing its password. Additionally, when you are done
using the site, the login-token-generating VM could automate a logout
of the site, invalidating the session tokens held by the requesting
VM.

The problem with your method (confused deputy password manager) is
avoided by having a browser extension validate the origin of the site
actually being displayed and ensure the login session token is only
injected into the correct corresponding site's context, rather than
relying on entirely attacker-controlled information for authorization.

See also: https://github.com/rustybird/qubes-split-browser

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_Ak6WeJVtqw33CRsp%3DoYmDhDLmP5fTD32pFA%3D3BpekucQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
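The two designs contrasted above (the title-keyed dom0 lookup from the quoted proposal versus the reply's origin-bound split login that returns only a session cookie) as a toy Python model. This is an added example, not code from the thread or from qubes-split-browser; the Page class, TITLE_DB, VAULT, the simulated site and the in-process calls standing in for qrexec are all constructed assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Page:
    """What the untrusted browsing VM (A) currently displays. The title is
    fully attacker-controlled; the origin is determined by the browser."""
    origin: str
    title: str

# Design 1 (the quoted proposal): dom0 keys the lookup on the window title.
TITLE_DB = {"Bank - Log in": "hunter2-bank-password"}   # constructed sample

def title_password_manager(page):
    """Returns whatever secret the attacker-chosen title maps to."""
    return TITLE_DB.get(page.title)

# Design 2 (the reply): VM B holds credentials, logs in, returns a cookie.
VAULT = {"https://bank.example": ("alice", "hunter2-bank-password")}  # VM B only
ISSUED = set()   # session cookies VM B has minted and not yet revoked

def vault_login(origin):
    """VM B side: credentials are selected by origin and never returned;
    the (simulated) site answers with a random session cookie."""
    if origin not in VAULT:
        return None
    cookie = secrets.token_hex(16)   # stand-in for the site's Set-Cookie
    ISSUED.add(cookie)
    return {"origin": origin, "cookie": cookie}

def vault_logout(cookie):
    """VM B side: invalidate a session it handed out once A is done with it."""
    ISSUED.discard(cookie)

def site_accepts(cookie):
    """Simulated site: a cookie is valid only while VM B has not logged out."""
    return cookie in ISSUED

def extension_request_login(page):
    """VM A side: ask B for a session for the origin the browser actually
    shows, and inject the cookie only into that same origin's context."""
    session = vault_login(page.origin)    # stand-in for a qrexec call to B
    if session is None or session["origin"] != page.origin:
        return None
    return session["cookie"]
```

A page with a spoofed title but a foreign origin extracts the password from design 1 and gets nothing from design 2, whose cookie never carries the password and stops working once VM B logs it out.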


[qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Shane Optima
I know this isn't an ideal solution, but I suspect it would be pretty darn easy 
to implement:

Obviously, the holy grail of password management should involve not storing 
passwords (encrypted or otherwise) on any online VM until the instant they are 
needed. I've been implementing this via copy/paste for my most important 
credentials, but it's a pain, and I'm far too lazy to do this with all of my 
logins.


However, I just noticed that R3.2 introduced a Dom0-to-hyperboard[1] copy 
function, and since Dom0 knows the window title text... couldn't there be 
another hypervisor keyboard shortcut that would use the window title to search 
through a simple database, copy a string associated with that window title and 
send it to that VM's clipboard?

And because browser window titles are changed by websites, that means you could 
in most cases store one password per website.  As always, it would be the 
user's responsibility to not input the password into a spoofed website. (This 
tool would thus be more of a convenience for power users, not the robust and 
idiotproof edition.)

One could also use this to quickly retrieve passwords for applications like 
Pidgin (which still uses plaintext password storage if you ask it to remember 
passwords). You could use it with passwords for GUI terminals, too. Someone 
might disagree with your passwordless sudo (I'm mostly fine with it), or they 
might use that terminal heavily with a remote machine... perhaps with an employer 
who has arduous password requirements.

I realize this is far from optimal[2], but it strikes me as a hefty 
security-convenience win that requires little effort to implement.  

Am I wrong on either of these counts?


Shane

1. A much cooler name than "inter-VM clipboard" 

2. For starters, website titles can change.  And the passwords should ideally 
be kept in another VM, not Dom0. And there would preferably be a better 
mechanism for verifying websites or applications to prevent absent-minded 
copy/pastes into impostors (although, I would argue this tool wouldn't be 
likely to be used by particularly careless people.)  

On that latter point, a further very hack-y trick would be if you had a web 
browser extension that could hash the URL, check whether the certificate is good 
and then insert a token into the window title text ... ok ok, this is getting a 
bit crazy.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/91e93e9a-996b-4667-91b3-55ce97849ac8%40googlegroups.com.