[qubes-users] Re: Qubes 3.2 dnsmasq update?

2017-10-07 Thread Reg Tiangha
On 2017-10-07 1:19 PM, Ron Hunter-Duvar wrote:

> Well, I did all this, and confirmed that the sys-* servicevms are all
> using Fedora 25, but it still has dnsmasq version 2.76. According to
> US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns
> me, given the length of time that the exploit code has been public.
> Surprises me too, since Debian had it out in a matter of hours.
> 
> However, it's not running in any of these, nor in dom0. Should I just
> uninstall it?
> 
> Thanks,
> Ron
> 

It's weird, but it seems like every distro *but* Fedora has released an
updated version or version with a backported fix. Even Red Hat
Enterprise has done it. I don't know what the hold up is, but it'll be a
package with a backported fix and currently it's set to be 2.76.4 (or
greater if more bugs are found).

https://bodhi.fedoraproject.org/updates/FEDORA-2017-515264ae24

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/orcae3%24jon%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] HCL - Microsoft Surface Book with Performance Base R4.0 RC1

2017-10-07 Thread Alex Floyd

The steps to getting Qubes-OS R4.0 RC1 to run on the Surface Book are
pretty simple. Not everything works, but it is a testing image. I also
have read that the Nvidia dGPU isn't detected by any flavor of Linux. I
believe that it is running through USB 3.0 to PCIe to the CPU. I will
have to investigate this some more and see if I can figure anything out.

I had issues with the install media for a long time, and used 10
different USB drives to try to install R4.0 RC1 with the install failing
at RPM unpacking the Fedora 25 template. I found out it was because of
how I was creating the media. The only way I have successfully created
the media was using Fedora and dd the Qubes-OS ISO to the drive. Using
Rufus on Windows 10 with their version of dd would not work.

Step 1: Use Fedora to dd Qubes-OS R4.0 RC1 ISO to USB drive.

Step 2: Install Qubes-OS R4.0 RC1 as normal, with the GUI.

Step 3: When the install finishes, hit Ctrl+Alt+F2 to get to the
terminal.

Step 4: Copy the /EFI/Qubes/ folder contents to a newly created
/EFI/BOOT/ folder with "cd /mnt/sysimage/boot/efi/EFI && mkdir BOOT"
then "cp ./Qubes/xen* ./BOOT" then "cp ./Qubes/vm* ./BOOT" then "cp
./Qubes/init* ./BOOT"

The Surface Book only likes to boot "*.efi" from /EFI/BOOT/ and not
/EFI/*/ folders. I also like to leave the /EFI/Qubes directory intact,
just in case I mess up the boot folder, then I can just copy everything
over again and have the default files.

Step 5: Edit the xen.cfg file in /EFI/BOOT/ to remove the Xen boot
parameter "iommu=no-igfx" and replace it with "iommu=on". This will be
under the "options=" line for each kernel entry. You must edit all of
the kernel entries "options=" line for this to work properly.

This will allow your machine to boot! Without doing this, you just get a
boot loop where Xen starts to load and then you see the magical red top
with an unlocked lock Surface splash screen after the screen goes black
to start the boot process. If you are lucky and the Qubes-OS installer
correctly set up your NVME drive for booting, you should be good to go
and able to boot Qubes-OS R4.0 RC1! If you are unlucky or need to add
additional boot parameters to the EFI boot chain, then you will need a
few more steps.

Extra steps need both Qubes-OS R4.0 RC1 and Qubes-OS R3.2 USB drives to
be able to boot into the rescue mode and use efibootmgr. The efibootmgr
in R4.0 RC1 does not like to play with the GPT formatted NVME drive I
have, and registers the boot record as an MBR drive.

Step 6: Use Fedora to dd Qubes-OS R3.2 to a USB drive.

Step 7: Mount both Qubes-OS drives.

Step 8: Navigate to /EFI/BOOT/ on the Qubes-OS R3.2 USB drive and delete
"xen.cfg" "xen.efi" "BOOTX64.efi"

I have not yet found a way to boot Qubes-OS R3.2 on the Surface Book,
even though technically the hardware is compatible. The UEFI workarounds
do not seem to work on Xen 4.6.x that Qubes-OS R3.2 uses. So we must use
the Xen 4.8.1 version that Qubes-OS R4.0 RC1 uses.

Step 9: Navigate to /EFI/BOOT/ on the Qubes-OS R4.0 RC1 USB drive and
copy "xen.cfg" "xen.efi" "BOOTX64.efi" to the Qubes-OS R3.2 USB drive in
the /EFI/BOOT/ directory.

Step 10: Insert the edited Qubes-OS R3.2 USB drive into the Surface
Book. Select the "Rescue Qubes" option, then press "e" to edit the boot
chain. Go to the end of the second line of the boot chain and add "--
efi=attr=uc" and press Ctrl+X to boot with those options. There is a
space between the '--' and 'efi=attr=uc'.

You will need an external USB keyboard to continue from this point! The
keyboard on the base does not work in the Qubes-OS R3.2 installer.

Step 11: When the "Rescue Qubes" mode boots, you will have 4 options to
choose from. Press "1" on the keyboard and hit "Enter". Then it will ask
you for your encryption password, enter the password that you chose to
encrypt your drive during the Qubes-OS install. It will take a minute or
two, and then tell you that your system is mounted to
/mnt/sysimage/. Hit "Enter" to get a shell.

 If the prompt does not ask for your drive encryption password, and just
 says "Hit enter to continue to a shell" or something along those lines,
 then you need to reboot into the UEFI menu and delete the "Qubes" boot
 entry and follow steps 10 and 11 again.

Step 12: Change directories to the /EFI/BOOT/ directory and then use
efibootmgr to create a new entry for Qubes-OS R4.0 RC1. The commands
that I used to do this are:

"cd /mnt/sysimage/boot/efi/EFI/BOOT"

"efibootmgr -v" The "efibootmgr -v" command is to make sure that no
other Qubes boot entries are present. If they are present, note the
number [ex: 0005 Qubes HD(1,MBR,0)] and then use
the command "efibootmgr -b  -B" to remove the entry. The  is
where you would put the boot entry number, like 0005 in the example I
gave you.

If there are no Qubes boot entries, then use this command to create one.
"efibootmgr -v -c -u -L QubesOS -l /EFI/BOOT/xen.efi -d 
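
Steps 4 and 5 of the post above as a shell sketch; this is an added example, not part of the original message. The sample EFI tree, its kernel names and the directory argument are constructed for the demonstration; on the installed system the post works in /mnt/sysimage/boot/efi/EFI.

```shell
#!/bin/sh
# Added example (not from the original post): steps 4 and 5 as functions.

# Step 4: copy xen*, vm* and init* from EFI/Qubes into a new EFI/BOOT,
# leaving EFI/Qubes intact as the fallback copy the post recommends.
copy_boot_files() {
    efi_dir=$1
    [ -d "$efi_dir/Qubes" ] || { echo "no $efi_dir/Qubes" >&2; return 1; }
    mkdir -p "$efi_dir/BOOT" || return 1
    for f in "$efi_dir"/Qubes/xen* "$efi_dir"/Qubes/vm* "$efi_dir"/Qubes/init*; do
        [ -e "$f" ] || continue        # glob matched nothing
        cp "$f" "$efi_dir/BOOT/" || return 1
    done
}

# Step 5: swap iommu=no-igfx for iommu=on, on "options=" lines only,
# so every kernel entry is changed and nothing else in the file is.
fix_iommu() {
    cfg=$1
    tmp="$cfg.new.$$"
    sed '/^[[:space:]]*options=/ s/iommu=no-igfx/iommu=on/g' "$cfg" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$cfg"
}

# Print how many "options=" lines contain a pattern (0 is a valid answer).
count_options_with() {
    grep -c "^[[:space:]]*options=.*$2" "$1" || :
}

# Build a constructed EFI tree with two kernel entries (sample data only).
make_sample_efi() {
    mkdir -p "$1/Qubes" || return 1
    : > "$1/Qubes/xen.efi"
    : > "$1/Qubes/vmlinuz-sample"
    : > "$1/Qubes/initramfs-sample.img"
    cat > "$1/Qubes/xen.cfg" <<'EOF'
[global]
default=sample-kernel-a

[sample-kernel-a]
options=loglvl=all dom0_mem=min:1024M iommu=no-igfx
kernel=vmlinuz-sample root=/dev/mapper/sample-root
ramdisk=initramfs-sample.img

[sample-kernel-b]
options=loglvl=all dom0_mem=min:1024M iommu=no-igfx
kernel=vmlinuz-sample root=/dev/mapper/sample-root
ramdisk=initramfs-sample.img
EOF
}

# Demonstration on a throwaway directory.
demo_dir=$(mktemp -d) || exit 1
make_sample_efi "$demo_dir" \
    && copy_boot_files "$demo_dir" \
    && fix_iommu "$demo_dir/BOOT/xen.cfg"
echo "entries still on no-igfx: $(count_options_with "$demo_dir/BOOT/xen.cfg" 'iommu=no-igfx')"
echo "entries with iommu=on:    $(count_options_with "$demo_dir/BOOT/xen.cfg" 'iommu=on')"
rm -rf "$demo_dir"
```

Checking that the count of entries still carrying the old parameter is zero catches the case the post warns about, where one kernel entry is missed.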

[qubes-users] kswapd0 using 100% CPU with not even a MB swap in use

2017-10-07 Thread Holger Levsen
Hi,

so kswapd0 is using 100% CPU in one of my Qubes and this makes the fan spin
and noisy… and that Qube is hardly using any swap at all:

$ free
              total        used        free      shared  buff/cache   available
Mem:        1888212      776484      640712       70296      471016     1031616
Swap:       1048572         716     1047856

So I ran "sudo swapoff -a" (and "sudo swapon -a") and now zero swap is used but
kswapd0 is still busy swapping(?) and the fan is noisy and I wonder what to do…

Any hints / ideas?

(I know I could shut down the VM and restart it but I hope there's a better
solution / workaround.)


-- 
cheers,
Holger



[qubes-users] Re: Unable to uninstall or reinstall Whonix

2017-10-07 Thread filtration

> I looked at Arm again. It seems that Arm is working, but I don’t know
> the commands to edit the Tor configuration.
>
> Arm mentions a list of problems relating to Tor
> (http://imgur.com/XrJHKSK). It seems that I have relaying disabled,
> torrc differs from what Tor is using, there is insufficient uptime, Tor
> is preventing utilities like netstat and lsof from working, and no armrc
> is working. Unfortunately, I can’t figure out how to solve these problems.
>
> This is the link I found in the bottom of the Arm report:
> https://trac.torproject.org/projects/tor/ticket/3313. I’m not too sure
> what it means..
>
Forgive me, Person, but maybe you should be reinstalling at this point.
You are asking for lots of help with all these problems; the people
helping you probably have other things to do.

Try again from scratch and resist the urge to "customize." I used to
break lots of installs that way, until I reined in that behavior.

Don't proceed with customizations unless you are fully aware of the
consequences.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/orbh0u%24oop%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Audio in Debian VMs just disappeared?

2017-10-07 Thread Stumpy
For some reason the audio in all my Debian VMs has stopped working? 
AFAIK I haven't done anything other than regular updates. I didn't 
notice until recently so I am not sure about exactly when it started.


In the audio mixer window none of the Debian VMs are showing up. I tried 
playing something in VLC and it gave the following errors:


https://privatebin.net/?f36509f33694a053#821JIyu4z/YqpQ61qGRYFP9Bspo7DAP8HmkPJCAk9Q8=

Also, another strange, maybe unrelated thing happened: I don't have 
nautilus in my Debian VMs any more, and I tried to reinstall it but got an 
error saying I had some missing dependencies?





Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread Ron Hunter-Duvar

On 10/07/2017 01:10 PM, frassefredk...@gmail.com wrote:

> Thank you for your response and for sharing your thoughts and experience from
> using Lenovo Thinkpads! I looked at the Hardware Compatibility List and looked
> at Thinkpads, most of the models did not seem to be for sale anymore.
>
>> Honestly I haven't seen any user using touchscreen with Qubes.
>> Just out of interest what is the use case for touch?
>> Regarding recommendation:
>> You haven't said which display size you need.
>
> The use case of touch is mainly for ergonomical reasons. I read and write a lot
> and it is better for my arms to scroll down the documents and highlight things
> using the touch instead of the keyboard and mouse. This is so important for me
> that I would pay more for a touchscreen even. But if I would be able to take
> notes on a Yoga from a conference, using the touch screen, then that would not
> be a bad thing either, but I don't expect that to work well with Qubes.
>
> Desired size of the screen is 14-16 inches.
>
> I should have been more clear about my question regarding the security of the
> Lenovo and if they can be trusted. I have read articles accusing Lenovo of
> planting backdoors in its hardware. My technical skills are currently on a
> hobbyists level so I'm not always sure what to trust and not, wanted some input
> from others regarding this. But then I have also read this article (cited
> below) that sort of says that the likelihood of there being a backdoor planted
> by Lenovo is low. I just don't know what to believe in. Do you have any comments
> to this? :)
>
> "Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5
> and MI6, as well as the Australian Security Intelligence Organization (ASIO) and
> Secret Intelligence Service (ASIS). As of the time of writing, no evidence of any
> wrongdoing on the part of Lenovo has been presented by any of governments who have
> banned their hardware from use in intelligence services.
>
> On devices as open as computers, and especially with Lenovo's ThinkPad product line,
> which has been long venerated for being foremost among laptops designed with
> modularity in mind—featuring detailed disassembly manuals and readily available
> replacement parts—it is difficult to imagine that many opportunities exist to hide a
> hardware backdoor in a relatively open product. Combined with the fact that the
> vital components (processor, RAM, etc.) aren't made by Lenovo, there are few
> opportunities for Lenovo to introduce a hardware-level backdoor in a way that
> wouldn't be glaringly obvious to any engineer armed with a screwdriver."
> Source:
> http://www.techrepublic.com/blog/it-security/corporate-espionage-or-fearmongering-the-facts-about-hardware-level-backdoors/

"...glaringly obvious to any engineer armed with a screwdriver." That's 
the most unbelievably naive view of security I can remember reading. I 
bet the author's password is "pa33w0rd", and it's secure because no one 
would guess some letters were switched with numbers.


https://thehackernews.com/2015/09/lenovo-laptop-virus.html

Note: (1) confirmed, (2) 3 times, (3) one of them was BIOS-embedded.

https://thehackernews.com/2015/08/lenovo-rootkit-malware.html

Ron



Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread Ron Hunter-Duvar

On 10/07/2017 09:42 AM, Frasse F wrote:

> I would like some purchasing advice: I'm looking for a laptop that is
> reasonably secure and also has a built in touch screen. I would prefer if it
> had 16 GB of ram as I want to run Qubes OS and I want to sometimes be able to
> run a Windows App-VM for dictation and speech recognition which is processed
> locally (I do a lot of writing and I also care about security/privacy).

...

> My second alternative is to buy a non-Purism laptop which has both a
> touchscreen, enough RAM and is fairly secure. So my second alternative that I'm
> considering would be the Lenovo 520 Yoga.
> https://www.dustin.se/product/5011033265/yoga-520-touch . The model is running
> the Intel® Core™ i5-7200U Processor. According to the specification page on
> Intel's website, this processor does not have the vPro technology.
> https://ark.intel.com/products/95443/Intel-Core-i5-7200U-Processor-3M-Cache-up-to-3_10-GHz
>
> These are my questions
>
> 1) Is there anything except for the AMT/vPro aspect of the hardware security
> that I might have overlooked that is critical when evaluating the Lenovo Yoga's
> safety?
>
> 2) Should one in general be sceptical towards Lenovo even when they are using
> hardware from other manufacturers?

Personally, I avoid Lenovo like the plague since they became 
Chinese-owned. Yes, I know pretty much all the hardware is manufactured 
in China now anyway, but having the senior company management controlled 
by the Chinese government adds a whole 'nother layer of vulnerabilities.

My suspicions were confirmed when they were caught pre-installing 
spyware on them. Of course, that was only Windows, and they were forced 
to remove it, and claimed it was only intended for Chinese customers. 
But to me it shows their intent, and there are many other ways they can 
embed spyware (BIOS/UEFI, other firmware) that would affect Linux too, 
and wouldn't be so easily removed.

Call me paranoid (because I am), but that's my opinion.

I typically go with Dell, although their quality has gone down in recent 
years, and I can't comment on Qubes-specific issues, or your particular 
requirements.

> 3) Is there a Qubes user out there who is already using a laptop with touch
> screen and enough ram, running Qubes? What laptop model are you using and would
> you recommend it?



Ron



Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-07 Thread Ron Hunter-Duvar

On 10/06/2017 09:04 PM, Ron Hunter-Duvar wrote:

> On October 6, 2017 5:05:49 PM MDT, Unman wrote:
>
>> On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
>> ...
>> The install disk still contains fed23 templates and you're expected to
>> update as soon as you have installed.
>>
>> To install a new template all you have to do is :
>> sudo qubes-dom0-update qubes-template-fedora-25
>
> Thanks for the tip. I don't remember seeing it in the getting started material
> I read. Doing it now.
>
>> This will install the template and you can then just switch your
>> serviceVMs - either using Qubes Manager, or by:
>> 'qvm-prefs  -s template '.

...
Well, I did all this, and confirmed that the sys-* servicevms are all 
using Fedora 25, but it still has dnsmasq version 2.76. According to 
US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns 
me, given the length of time that the exploit code has been public. 
Surprises me too, since Debian had it out in a matter of hours.


However, it's not running in any of these, nor in dom0. Should I just 
uninstall it?


Thanks,
Ron



Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread frassefredkrok
Thank you for your response and for sharing your thoughts and experience from 
using Lenovo Thinkpads! I looked at the Hardware Compatibility List and looked 
at Thinkpads, most of the models did not seem to be for sale anymore. 

> Honestly I haven't seen any user using touchscreen with Qubes.
> Just out of interest what is the use case for touch?
> Regarding recommendation:
> You haven't said which display size you need.

The use case of touch is mainly for ergonomical reasons. I read and write a lot 
and it is better for my arms to scroll down the documents and highlight things 
using the touch instead of the keyboard and mouse. This is so important for me 
that I would pay more for a touchscreen even. But if I would be able to take 
notes on a Yoga from a conference, using the touch screen, then that would not 
be a bad thing either, but I don't expect that to work well with Qubes. 

Desired size of the screen is 14-16 inches. 


I should have been more clear about my question regarding the security of the 
Lenovo and if they can be trusted. I have read articles accusing Lenovo of 
planting backdoors in its hardware. My technical skills are currently on a 
hobbyists level so I'm not always sure what to trust and not, wanted some input 
from others regarding this. But then I have also read this article (cited 
below) that sort of says that the likelihood of there being a backdoor planted 
by Lenovo is low. I just don't know what to believe in. Do you have any comments 
to this? :) 

"Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5 
and MI6, as well as the Australian Security Intelligence Organization (ASIO) 
and Secret Intelligence Service (ASIS). As of the time of writing, no evidence 
of any wrongdoing on the part of Lenovo has been presented by any of 
governments who have banned their hardware from use in intelligence services.

On devices as open as computers, and especially with Lenovo's ThinkPad product 
line, which has been long venerated for being foremost among laptops designed 
with modularity in mind—featuring detailed disassembly manuals and readily 
available replacement parts—it is difficult to imagine that many opportunities 
exist to hide a hardware backdoor in a relatively open product. Combined with 
the fact that the vital components (processor, RAM, etc.) aren't made by 
Lenovo, there are few opportunities for Lenovo to introduce a hardware-level 
backdoor in a way that wouldn't be glaringly obvious to any engineer armed with 
a screwdriver."  
Source: 
http://www.techrepublic.com/blog/it-security/corporate-espionage-or-fearmongering-the-facts-about-hardware-level-backdoors/



Re: [qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-07 Thread Ron Hunter-Duvar

On 10/06/2017 01:41 PM, Ed wrote:

> On 10/06/2017 03:14 PM, Mike Keehan wrote:
>
>> On Fri, 6 Oct 2017 12:17:26 -0400
>> Ed wrote:
>>
>>> On 10/06/2017 12:10 PM, Mike Keehan wrote:
>>>
>>>> Wouldn't it be possible to add a second Firewall VM to be used
>>>> solely by your special single vm?
>>>
>>> Yes I believe this would def work, and also should be
>>> automatic/reliable across reboots, but I was really hoping to not
>>> give up 2-4GB of RAM just for this purpose.
>>
>> I think you will find that the firewall VM runs OK in just 500Mb, maybe
>> less.  Search the mail list for "vm memory" - there have been a number
>> of discussions about how much is actually used by the system VMs.  (I
>> can't remember the details off hand, or I would give more info!)
>>
>> It is worth knowing that although a VM is initially set up with a 4Gb
>> memory allocation, it only uses what it needs.   The rest is still
>> available to the other qubes etc.
>>
>>     Mike.
>
> You know that's not a bad point.  I never really looked into reducing
> the memory allotment.  I just know anecdotally on my systems the
> firewall vm's use 2-3GB (when left with the default max of 4GB).  I
> also know they will run on less if I'm pushing a system out of memory
> but I never thought to just restrict them to less to start.
>
> I'm not really strapped for memory on the machine I'm working with
> here so it does look like adding an additional firewall VM would be
> the easiest way to get what I want, it just seemed a tad wasteful to
> me, but perfect is the enemy of good
>
> Appreciate the input!



IMO, it's best to leave memory management to the OS until such time as a 
definite problem is found (which would most likely show up as swapping, 
which would cause massive performance problems).


I suspect you'd find if you looked closely at the vm that most of the 
memory used is for caching. That's a good thing. No point having memory 
sit unused and forcing it to keep downloading the same files. The moment 
the cache is needed for something else, it'll be reallocated.


Ron



AW: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread 'One7two99' via qubes-users
Hello,

>> These are my questions

>> 1) Is there anything except for the AMT/vPro
>> aspect of the hardware security that I might
>> have overlooked that is critical when
>> evaluating the Lenovo Yogas safety?

If talking about hardware security I would suggest looking into a device which 
can run coreboot.

>> 2) Should one in general be sceptic towards
>> Lenovo even when they are using hardware
>> from other manufacturers?

The good thing with Lenovo/Thinkpad is that lots of devices have good Linux 
support.
And you get 'older' devices which run smoothly under Qubes after adding an SSD 
and more RAM.
You can also get docking stations very cheaply.
I've been using Thinkpads for years and would definitely recommend it.

>> 3) are there a Qubes user out there who are
>> already using a laptop with touch screen and
>> enough ram, running Qubes? What laptop
>> model are you using and would you
>> recommend it?

Honestly I haven't seen any user using touchscreen with Qubes.
Just out of interest what is the use case for touch?
Regarding recommendation:
You haven't said which display size you need.

Leaving touch functionality out, I would recommend a x230 with 16 GB RAM, LTE, 
SSD and fresh battery -> 10-11h battery runtime.

[799]



[qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread Frasse F
I would like some purchasing advice: I'm looking for a laptop that is 
reasonably secure and also has a built in touch screen. I would prefer if it 
had 16 GB of ram as I want to run Qubes OS and I want to sometimes be able to 
run a Windows App-VM for dictation and speech recognition which is processed 
locally (I do a lot of writing and I also care about security/privacy). 

The dream would be to run one of Purism's Librem 13 and 15 laptops, however they 
do not have a touch screen. Purism are planning to release a Librem 11 laptop 
(with a touchscreen) but it will only have 8 GB of RAM and cannot be upgraded. 
I think this is not enough for my needs. 

That's why I'm looking for an alternative laptop. I read on Purism's website that 
having a processor without AMT or in Intel's case what they call "vPro" is 
important to avoid possible hardware backdoors. 
https://puri.sm/learn/avoiding-intel-amt/ 

My second alternative is to buy a non-Purism laptop which has both a 
touchscreen, enough RAM and is fairly secure. So my second alternative that I'm 
considering would be the Lenovo 520 Yoga. 
https://www.dustin.se/product/5011033265/yoga-520-touch . The model is running 
the Intel® Core™ i5-7200U Processor. According to the specification page on 
Intel's website, this processor does not have the vPro technology. 
https://ark.intel.com/products/95443/Intel-Core-i5-7200U-Processor-3M-Cache-up-to-3_10-GHz

These are my questions

1) Is there anything except for the AMT/vPro aspect of the hardware security 
that I might have overlooked that is critical when evaluating the Lenovo Yoga's 
safety? 

2) Should one in general be sceptical towards Lenovo even when they are using 
hardware from other manufacturers?

3) Is there a Qubes user out there who is already using a laptop with touch 
screen and enough ram, running Qubes? What laptop model are you using and would 
you recommend it?
