AW: [qubes-users] Re: Idea for (resonable secure) cloud-storage usage with Qubes
Hello Ron,

Thank you for the feedback.

> Have you considered using SSHFS rather than
> NFS? I'm no security expert, but it would
> seem to me to be more secure than NFS.

Actually yes, I thought about it after others mentioned that enabling NFS would offer another attack window. Even when I am unsure as I have but some encryption and firewall restrictions in place.

The Access&Transfer VM is the only one connected to the internet and the NFS Storage VM. The other AppVMs who will connect to the storage VM don't have an online connection.

From my understanding an attacker must come through the Access&Transfer VM and then attack the Storage VM. Unfortunately I don't know how those attacks take place and how much time is necessary.

It could be possible to launch the access&transfer VM only periodically just to sync the data. Keep in mind that all data is encrypted from the view of the access+transfer VM.

I'd like to set up firewall rules which will only allow traffic from the access+transfer VM to the cloud storage provider, but this needs some further investigation. As far as I understand, the Qubes Firewall GUI will not work with domain names but with IPs.

Regarding sshfs, I will give it a try; as ssh is used to connect remotely, I am (reasonably) sure that it has less attack possibilities than NFS.

Even when enabling inter-VM networking I feel more secure when I can keep my data encrypted+synced and have the data access separated in different VMs.

[799]

--
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/_HKrGSpPkv_IGVU_nDSatjZ4QDQ6hwh-gT4QSoB4PQBtS3JIYwjXXpKVyGXELcaiaBLgo1y39vRZtqjP9gQYalHxJ0pLn2IHdrDe088ZrDQ%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Qubes 4.0: Creating VMs on USB Drives?
Thanks for that, it works great. Is there someplace where I can read docs specific to qubes 4.0?

[qubes-users] Re: shutdown problem with rc4.0
On Monday, October 16, 2017 at 22:48:21 UTC+2, tharr...@gmail.com wrote:
> On Monday, October 16, 2017 at 8:03:57 PM UTC, Steffen Hartmann wrote:
> > Hello,
> >
> > After a fresh install the shutdown procedure now hangs every time. I didn't have this issue on previous version.
> >
> > Since the screen remains black, how to track down this effect?
> >
> > I have a dell precision 5500 with 16 GB and permissive bit true for a broadcom network card.
> >
> > Thank you in advance
> >
> > Steffen
>
> I've had this problem too but I waited for a while like 2 mins and it finally shutdown but for some reason the disposable vms don't get reset.

ok I tried that, I have been waiting some hours but it didn't help. It even happens after logging into the os and shutdown immediately. No disp. vms included.

[qubes-users] Re: Idea for (resonable secure) cloud-storage usage with Qubes
On Saturday, October 14, 2017 at 5:54:28 PM UTC-6, [799] wrote:
...
> Solution Design:
>
> [Access+Transfer AppVM]
>
> Template: fedora-25-minimal
>
> Additional packages:
>
> - OneDrive Freeclient (https://github.com/skilion/onedrive)
>
> - sudo dnf -y install nfsutils
>
> Will be configured to mount a NFS-share from the Storage AppVM and to access OneDrive to synchronize the files
>
> Data will be downloaded and stored in the mounted NFS-Share of the Storage AppVM
...
> In the Work AppVM you are mounting the NFS Share from the Storage AppVM:
>
> sudo mount 10.137.2.20:/var/nfs/work /mnt/onedrive-work.encfs
>
> In Order to access the files, the NFS share is encfs-mounted:
>
> encfs /mnt/onedrive-work.encfs ~/work
...
> What's your opinion about this approach (I hope I could make clear what the idea is) - am I opening too much attack possibilities because I need to have NFS server running between the AppVMs? Keep in mind, that I am only sharing one directory, which is encrypted and only the AppVM knows how to decrypt the data.
>
> So even if the Storage AppVM gets compromised, the data should be encrypted (and thereof protected).
...
> Interested to get your feedback.
>
> [799]

Have you considered using SSHFS rather than NFS? I'm no security expert, but it would seem to me to be more secure than NFS.

Ron

Re: [qubes-users] Qubes 4.0: Creating VMs on USB Drives?
On Mon, Oct 16, 2017 at 01:47:17PM -0700, tharris...@gmail.com wrote:
> I read this after the release of rc1:
> "Flexible VM volume manager (easy to keep VMs on external drives, or in memory-only),..."
>
> I'm on 4.0 rc1 using testing repo but I have no idea how to do this.

Take a look at qvm-pool tool. It allows you to create additional storage pools, for example on a secondary disk (here mounted on /mnt/external). For example:

    qvm-pool -a ext file -o dir_path=/mnt/external

("ext" is freely chosen name)

Then, you can create new VMs there:

    qvm-create -P ext -l red some-vm

If you want to migrate VMs between pools, it isn't directly possible. But you can clone VM to a different storage pool (see qvm-clone).

More on this will be in a separate article. For reference, pasting qvm-pool help here:

    [user@dom0 ~]$ qvm-pool --help
    usage: qvm-pool [-h] [--verbose] [--quiet] [-o options]
                    [-l | -i POOLNAME | -a NAME DRIVER | -r NAME | --help-drivers]

    Manages Qubes pools and their options

    optional arguments:
      -h, --help            show this help message and exit
      --verbose, -v         increase verbosity
      --quiet, -q           decrease verbosity
      -o options            comma-separated list of driver options
      -l, --list            list all pools and exit (default action)
      -i POOLNAME, --info POOLNAME
                            print pool info and exit
      -a NAME DRIVER, --add NAME DRIVER
                            add pool
      -r NAME, --remove NAME
                            remove pool
      --help-drivers        list all drivers with their options and exit

    [user@dom0 ~]$ qvm-pool --help-drivers
    DRIVER         OPTIONS
    file           revisions_to_keep, dir_path
    linux-kernel   dir_path
    lvm_thin       volume_group, thin_pool, revisions_to_keep

If you want to store some templates there, and/or a lot of VMs, I recommend "lvm_thin" driver (you need to create LVM volume group, then thin pool manually). But for just few VMs, "file" driver should be enough.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

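Added example, not part of the message above and not Qubes project code: the manual LVM steps the reply mentions for the "lvm_thin" driver, followed by registering the pool with the volume_group and thin_pool options from the help output. The device path and all names are placeholders and the 90%FREE sizing is an assumption; unless APPLY=1 is set, the script only prints the commands it would run.

```bash
#!/bin/bash
# Added example: create an LVM volume group and thin pool on an external
# disk, then register it in dom0 as a Qubes "lvm_thin" storage pool.
# Usage (placeholders): ./make-pool.sh /dev/sdX qubes_ext pool_ext ext-lvm
set -eu

# Print each command; execute it only when APPLY=1 is set in the environment.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# qvm-pool -o takes a comma-separated list of key=value driver options, so a
# name containing ',' or '=' would change how the option string is parsed.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

setup_lvm_thin_pool() {
    dev=$1 vg=$2 thin=$3 pool=$4
    for n in "$vg" "$thin" "$pool"; do
        valid_name "$n" || { echo "invalid name: $n" >&2; return 1; }
    done
    # pvcreate overwrites the device, so insist on a real block device
    # before doing anything for real.
    if [ "${APPLY:-0}" = "1" ] && [ ! -b "$dev" ]; then
        echo "not a block device: $dev" >&2
        return 1
    fi
    run sudo pvcreate "$dev"
    run sudo vgcreate "$vg" "$dev"
    # Assumption: leave 10% of the volume group free for pool metadata growth.
    run sudo lvcreate --type thin-pool -l 90%FREE -n "$thin" "$vg"
    run qvm-pool -a "$pool" lvm_thin -o "volume_group=$vg,thin_pool=$thin"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    setup_lvm_thin_pool "$@"
fi
```

New VMs can then be placed on the pool with the `qvm-create -P` form shown in the message.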
Re: [qubes-users] Re: Unable to uninstall or reinstall Whonix
On Mon, Oct 16, 2017 at 10:02 AM, Franz <169...@gmail.com> wrote:

> On Mon, Oct 16, 2017 at 4:13 AM, Franz <169...@gmail.com> wrote:
>
>> On Mon, Oct 16, 2017 at 4:09 AM, Franz <169...@gmail.com> wrote:
>>
>>> On Sat, Oct 14, 2017 at 11:17 AM, Person wrote:
>>>
>>>> I believe I’m going to ask the Whonix forums, then.
>>>>
>>>> Thank you all for your input.
>>>
>>> It is really very simple, just follow instructions here
>>>
>>> https://www.qubes-os.org/doc/whonix/install/
>>>
>>> In my case the command did not work in one step, I had to divide it in two
>>>
>>> sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-ws
>>>
>>> sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw
>>>
>>> Best
>>
>> But if it had been already installed previously, you should add the option
>> --action=reinstall
>
> Well installation works well, but trying to start the template I get a
> cannot execute a qrexec-daemon

A work-around: changing the netVM of whonix-gw to sys-firewall allows whonix-gw to start without the qrexec issue. Then shutting it down and using the correct netVM that is sys-whonix everything works.

Re: [qubes-users] Qubes Patch for WPA_SUPPLICANT KRACK exploit
On Mon, Oct 16, 2017 at 03:39:36PM -0700, cyberian@national.shitposting.agency wrote:
> Should I wait for qubes to release a patch or should I grab the Fedora 25 patch for this exploit?

Install the Fedora patch. It's not a Qubes issue.
Debian patch also available.

Re: [qubes-users] VMWare machine on Qubes
On Mon, Oct 16, 2017 at 01:57:50PM -0700, Alejandro Berlanga wrote:
> Hello everyone,
>
> First of all I am very noob to Qubes. And my problem is that I have a vm machine created for vmware and I was hoping if there is a way to install it on Qubes?
>
> P.D. If you need more info tell me please!!
>
> Thank You

You can convert the disk to raw format and then try to use it in a qube.
Something like 'qemu-img convert -S -O raw '
Then configure a new qube and use the new raw img as root.img

The chances of this working are dependent on what OS is involved - some won't boot given a substantial hardware change, some may require relicensing.

hth

unman

[qubes-users] Qubes Patch for WPA_SUPPLICANT KRACK exploit
Should I wait for qubes to release a patch or should I grab the Fedora 25 patch for this exploit?

[qubes-users] Qubes Live Images
I had some enforced spare time last week and dusted off some old Live images for r3.2. They need tidying up but are usable now.

There are two iso images, suitable for burning to DVD or USB. Both use Debian templates.
The smaller (2GB) is pretty vanilla, with some additional non-free drivers for wifi adapters.
The larger (2.4GB) has a TorVM, and Tor Browser in an online qube. There are restrictive iptables on sys-net and TorVM, and MAC spoofing set on sys-net. The offline qube has libre office and veracrypt installed.

The menu system is simple, and won't update if you create new qubes. You'll need to use 'qvm-run -a ', or practice working with the mysteries of xdg menus.

Both images will run (sort of) in 4GB RAM - 8 is better.
If you use DVD then get used to the sound of the disc thrashing. The faster DVD drive you have the better. (That said they work reasonably well on an old MacBook with 8GB RAM.) You also need patience - generally it seems better to start new qubes discretely.
Running from USB is fine. If you have ample RAM you'll forget it's a live system, unless you hammer the (limited) free disk space.

Both images are available from http://qubes.3isec.org - hashes and signatures to check included.

I hope to have updated versions ready for 4.0-rc2, along with a tidy build system, and (maybe) an installer.

Cheers

unman

[qubes-users] FYI: New email address
Just a quick note that I've switched to a new email address dedicated to this group, and unsubscribed my old ronhd at shaw address. It's still active, but I won't see posts to the group ML on it.

Thanks,
Ron

[qubes-users] VMWare machine on Qubes
Hello everyone,

First of all I am very noob to Qubes. And my problem is that I have a vm machine created for vmware and I was hoping if there is a way to install it on Qubes?

P.D. If you need more info tell me please!!

Thank You

[qubes-users] Re: shutdown problem with rc4.0
On Monday, October 16, 2017 at 8:03:57 PM UTC, Steffen Hartmann wrote:
> Hello,
>
> After a fresh install the shutdown procedure now hangs every time. I didn't have this issue on previous version.
>
> Since the screen remains black, how to track down this effect?
>
> I have a dell precision 5500 with 16 GB and permissive bit true for a broadcom network card.
>
> Thank you in advance
>
> Steffen

I've had this problem too but I waited for a while like 2 mins and it finally shutdown but for some reason the disposable vms don't get reset.

[qubes-users] Qubes 4.0: Creating VMs on USB Drives?
I read this after the release of rc1:
"Flexible VM volume manager (easy to keep VMs on external drives, or in memory-only),..."

I'm on 4.0 rc1 using testing repo but I have no idea how to do this.

[qubes-users] shutdown problem with rc4.0
Hello,

After a fresh install the shutdown procedure now hangs every time. I didn't have this issue on previous version.

Since the screen remains black, how to track down this effect?

I have a dell precision 5500 with 16 GB and permissive bit true for a broadcom network card.

Thank you in advance

Steffen

[qubes-users] Re: Qubes 4.0-rc2 release
On Monday, October 16, 2017 at 8:07:37 PM UTC+2, plata...@gmail.com wrote:
> Dear Qubes Team,
>
> is there the next delay or will the 4.0-rc2 be released in the next couple of hours (today)?
>
> regards
>
> gregor

Delayed one week. Reasons here: https://groups.google.com/forum/#!topic/qubes-devel/23FwvVd-pjU

[qubes-users] Re: Qubes 4.0-rc2 release
Dear Qubes Team,

is there the next delay or will the 4.0-rc2 be released in the next couple of hours (today)?

regards

gregor

Re: [qubes-users] Re: Unable to uninstall or reinstall Whonix
On Mon, Oct 16, 2017 at 4:13 AM, Franz <169...@gmail.com> wrote:

> On Mon, Oct 16, 2017 at 4:09 AM, Franz <169...@gmail.com> wrote:
>
>> On Sat, Oct 14, 2017 at 11:17 AM, Person wrote:
>>
>>> I believe I’m going to ask the Whonix forums, then.
>>>
>>> Thank you all for your input.
>>
>> It is really very simple, just follow instructions here
>>
>> https://www.qubes-os.org/doc/whonix/install/
>>
>> In my case the command did not work in one step, I had to divide it in two
>>
>> sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-ws
>>
>> sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw
>>
>> Best
>
> But if it had been already installed previously, you should add the option
> --action=reinstall

Well installation works well, but trying to start the template I get a cannot execute a qrexec-daemon

[qubes-users] Re: Connect to the AppVM with VNC using Xen capabilities
On Sunday, October 15, 2017 at 1:46:40 UTC-4, msg...@gmail.com wrote:
> Hello.
>
> I want to connect to one of my AppVMs with VNC from remote host using Xen capabilities.
> I wanted to do it with the custom Xen config, but I can't figure out how to change the default Xen config or use custom Xen config to start my AppVM. I think it was possible in Qubes OS 3.2 with "qvm-start --custom-config=CUSTOM_CONFIG", but I've installed Qubes OS 4.0 (current-testing) and there is no such option now.
> I've found the location of the Xen configs used for VMs in /etc/libvirt/libxl/vmname.xml and tried to change the graphics type parameter from 'qubes' to 'vnc' in my AppVM config with virsh and then start the AppVM, but the Xen config keeps reverting back to its original state after I start AppVM. Is it hardcoded for Qubes OS to overwrite this file every time when I start VM?
> How can I enable vnc in Xen config for Qubes OS VM?
> Rdp/x11vnc and other services that can be installed in the guest OS are not an option, because I need to access the VM even if the network is broken in the VM.

I've found the way to do it in this document: https://github.com/QubesOS/qubes-core-admin/blob/master/doc/libvirt.rst
It works fine.

Also, there was an error in this libvirt.rst document, it states that it looks for the files: `/etc/qubes/templates/libvirt/by-name/.xml` but it actually looks for files: `/etc/qubes/templates/libvirt/xen/by-name/.xml` in the source code: https://github.com/QubesOS/qubes-core-admin/blob/master/qubes/vm/__init__.py

Re: [qubes-users] Expired certificate warnings for ftp.qubes-os.org
On Mon, Oct 16, 2017 at 03:16:22PM +0300, private user82 wrote:
> Hi,
>
> I'm receiving warnings in my browser that the certificates for "ftp.qubes-os.org" and "keys.qubes-os.org" have expired today.
>
> SHA256 Fingerprint=42:DE:02:82:3F:8C:27:3E:6B:E0:D0:8B:4F:36:7A:64:23:9F:CD:74:78:2B:82:43:1E:0C:31:AE:0C:B6:54:F3
>
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
> Validity
>     Not Before: Jul 18 08:15:00 2017 GMT
>     Not After : Oct 16 08:15:00 2017 GMT
> Subject: CN=ftp.qubes-os.org

Thanks, fixed.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[qubes-users] Expired certificate warnings for ftp.qubes-os.org
Hi,

I'm receiving warnings in my browser that the certificates for "ftp.qubes-os.org" and "keys.qubes-os.org" have expired today.

SHA256 Fingerprint=42:DE:02:82:3F:8C:27:3E:6B:E0:D0:8B:4F:36:7A:64:23:9F:CD:74:78:2B:82:43:1E:0C:31:AE:0C:B6:54:F3

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
    Not Before: Jul 18 08:15:00 2017 GMT
    Not After : Oct 16 08:15:00 2017 GMT
Subject: CN=ftp.qubes-os.org

[qubes-users] fedora-25 template
Hi,

I have created a new VM using fedora-25. When I am using an external screen, the apps in this VM have a very big resolution (...strange). When I am creating a VM from the debian template everything works fine.

Again thanks

Re: [qubes-users] Read-only file system in applVM
On Friday, October 13, 2017 at 4:12:12 AM UTC+2, Chris Laprise wrote:
> On 10/12/2017 06:42 AM, Foppe de Haan wrote:
> > On Wednesday, October 11, 2017 at 10:08:18 PM UTC+2, Chris Laprise wrote:
> >> On 10/11/2017 04:05 PM, Chris Laprise wrote:
> >>>
> >>> I can explain the steps. You may wish to backup your appVM before continuing.
> >>>
> >>> 1. Start a dispVM (I'll call it disp1). Your appVM should not be running.
> >>>
> >>> 2. In dom0 run 'qvm-block -A /var/lib/qubes/appvms/yourappvm/private.img'
> >>> Substitute 'yourappvm' in above command with the name of your appVM.
> >> Correction: This command should be 'qvm-block -A disp1 dom0:/var/lib/qubes/appvms/yourappvm/private.img'
> >>
> >> --
> >> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> > just for my information: why not just run that from dom0 directly (e.g. sudo fsck /var/lib/qubes/appvms/bla/bla.img)? is there a security risk involved with the invocation of fsck?
> >
>
> Actually, yes there is a risk.
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

btw, when I try this (qvm-block method) in R4.0-rc1, I get 'backend vm 'dom0' doesn't expose device '/var/lib/qubes/etc/etc.img'.

[qubes-users] Re: qmemman entries in the journal
On Saturday, March 11, 2017 at 10:17:22 AM UTC+1, Beacon wrote:
> On Saturday, December 10, 2016 at 11:27:52 AM UTC+5, Achim Patzner wrote:
> > Hi!
> >
> > Could someone tell me what qmemman tries to tell me from time to time when it is logging this (line wrapping by my editor):
> >
> > Dez 10 03:29:05 dom0 qmemman.systemstate[2624]:
> > Xen free = 61143341669 too small for satisfy assignments!
> > assigned_but_unused=61301070009L, domdict=
> > {'1': {'last_target': 314572800, 'meminfo': None, 'memory_current': 312463360L, 'no_progress': False, 'memory_actual': 314572800, 'memory_maximum': 314572800, 'mem_used': None, 'id': '1', 'slow_memset_react': False},
> >  '0': {'last_target': 65586845881, 'meminfo': {'MemTotal': 4287901696, 'Cached': 1112002560, 'SwapFree': 63999832064, 'SwapTotal': 63999832064, 'MemFree': 2623762432, 'Buffers': 5431296}, 'memory_current': 4287885312L, 'no_progress': False, 'memory_actual': 65586845881, 'memory_maximum': 68578967552, 'mem_used': 546705408, 'id': '0', 'slow_memset_react': False},
> >  '3': {'last_target': 524288000, 'meminfo': None, 'memory_current': 524288000L, 'no_progress': False, 'memory_actual': 524288000L, 'memory_maximum': 3145728000, 'mem_used': None, 'id': '3', 'slow_memset_react': False},
> >  '2': {'last_target': 524288000, 'meminfo': None, 'memory_current': 524288000L, 'no_progress': False, 'memory_actual': 524288000L, 'memory_maximum': 3145728000, 'mem_used': None, 'id': '2', 'slow_memset_react': False},
> >  '4': {'last_target': 419430400, 'meminfo': None, 'memory_current': 419430400L, 'no_progress': False, 'memory_actual': 419430400L, 'memory_maximum': 4194304000, 'mem_used': None, 'id': '4', 'slow_memset_react': False}
> > }
> >
> > I'm not really running out of memory, am I? It is happening with about 10 template VMs running which could be using up 40 GB at most (as all have a maximum of 4000 MB in their configurations).
> >
> > Achim
>
> Hi Are you still in the group?

Hi, I have similar error. In my case this error sometimes probably causes restart of computer.

Re: [qubes-users] Re: Unable to uninstall or reinstall Whonix
On Mon, Oct 16, 2017 at 4:09 AM, Franz <169...@gmail.com> wrote:
>
> On Sat, Oct 14, 2017 at 11:17 AM, Person wrote:
>
>> I believe I’m going to ask the Whonix forums, then.
>>
>> Thank you all for your input.
>>
> It is really very simple, just follow instructions here
>
> https://www.qubes-os.org/doc/whonix/install/
>
> In my case the command did not work in one step, I had to divide it in two
>
> sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-ws
>
> sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw
>
> Best

But if it had been already installed previously, you should add the option --action=reinstall
Re: [qubes-users] Re: Unable to uninstall or reinstall Whonix
On Sat, Oct 14, 2017 at 11:17 AM, Person wrote:
> I believe I’m going to ask the Whonix forums, then.
>
> Thank you all for your input.

It is really very simple, just follow instructions here

https://www.qubes-os.org/doc/whonix/install/

In my case the command did not work in one step, I had to divide it in two

sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-ws

sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw

Best
Re: AW: Re: [qubes-users] AW: Idea for (resonable secure) cloud-storage usage with Qubes
Hi again,

On 10/15/2017 08:37 PM, '[799]' via qubes-users wrote:
> > I think you have some misconceptions here - the main one being why people tend to use Qubes OS: Segregation of data to application-specific domains, i.e. impact of a domain compromise is limited.
>
> You are right, regarding why people use Qubes. But depending on specific workflows there is a need to either work with cloud storage for collaboration or to switch the OS completely for this use case.

Ok, that's something I can understand. So far I was under the impression that all of your VMs were using that cloud backed storage.

> Think about a (cloud based or on premise) storage service which is used by several people. My goal is to work 100% in Qubes and I think that splitting access of data and local storage offers better security than having the data synced and stored in one AppVM. And I tried to build something that makes it easier to access data from various VMs in an easy way (knowing that it is less secure than using qvm-copy-to-vm). But using some scripts we can reduce the attack surface on nfs in such a way, that we only enable NFS/open ports when access is needed. I can't see how this approach is less secure than using one VM for syncing/storing/accessing the data?

The point here is that it's not much more secure either. In fact you might even introduce unwanted mistakes (mistakenly opening ports to one of your other VMs e.g.), which ultimately could lead to the compromise of one of your other VMs. Attacking a nfs implementation shouldn't be too hard for a dedicated attacker, i.e. you can bet that a compromise of any of your nfs-connected VMs would lead to a compromise of _at least_ all of your nfs connected VMs. Which is equal or worse than what you had without that idea.

So the standard attack path would be:
other OS --> nfs-client VM --> other nfs VMs

> > Your idea however makes your Qubes installation vulnerable to:
> > - Any attacks originating from that OS ("files should still be accessible/decryption from other Operating systems")
>
> True, but wouldn't this mean that the AppVM which is working as NFS Client must be compromised before NFS is attacked?

Yes, also holds for the standard Qubes OS model though (you running your nfs client in the same domain where you have your nfs data).

> > Nfs-based attacks (basically all your AppVMs using nfs will be vulnerable to all nfs vulnerabilities
>
> NFS access to the server is allowed on a per VM basis (firewall allow per IP), shouldn't this be enough to reduce NFS attack surface?

No. Protocol & implementation vulnerabilities exist.

> > encfs based attacks which people can even find on Wikipedia.
>
> Yes true, it is a shame, that we still don't have a multiplatform open source encryption standard that could maybe also be adapted by cloud storage providers. But as mentioned the idea could also be implemented with other encryption solutions like CryFS, ...

I don't know that one. Anyway file-based encryption suffers from revealing meta data such as file access timestamps, number of files, work activity, maybe even folder structures. Volume-based encryption doesn't tend to have these issues. The containers of the truecrypt successor should also be supported by cryptsetup if I recall correctly.

Assuming the other OS is Qubes OS you could do one encrypted volume/container per Qubes domain and do an implementation as follows:
- mount the remote fs in some "distributor" appVM, e.g. using sshfs
- use qvm-block from dom0 to attach the encrypted containers from the distributor VM to the respective target domains
- decrypt the containers in the respective domains using keys that can only be found there

That implementation still suffers from parsing attacks on cryptsetup, but the others should be identical to attacking Qubes OS itself. It might be possible to mitigate potential cryptsetup issues by writing your own qrexec service, but that should be left to the pros...

The performance should be roughly as good as reading & writing from a network backend is in general.

For non-Qubes OS systems I don't see the point of separating domains though. The other OS doesn't do it either.

KR
David
Re: [qubes-users] No space left on device
On Sun, Oct 15, 2017 at 12:00 PM, Franz <169...@gmail.com> wrote:
>
> On Oct 13, 2017 22:19, "Franz" <169...@gmail.com> wrote:
>
> On Oct 13, 2017 20:56, "Franz" <169...@gmail.com> wrote:
>
> On Oct 13, 2017 19:32, "Marek Marczykowski-Górecki" <marma...@invisiblethingslab.com> wrote:
>
> On Fri, Oct 13, 2017 at 06:27:31PM -0300, Franz wrote:
> > whonix was not working so tried to reinstall it for 3.2Qubes with this
> > command
> >
> > $ sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-ws
> >
> > However while it worked for whonix-gw I am getting the following error
> > for whonix-ws after the long download:
> >
> > qfile-agent: Fatal error: File copy: No space left on device; Last
> > file: qubes-template-whonix-ws-3.0.6-201608050146.noarch.rpm (error
> > type: No space left on device)
> > '/usr/lib/qubes/qrexec-client-vm dom0 qubes.ReceiveUpdates
> > /usr/lib/qubes/qfile-agent /var/lib/qubes/dom0-updates/packages/*.rpm'
> > failed with exit code 1!
> >
> > No space left on device? Running df -h on dom0 the most used item is:
> >
> > /dev/dm-1 82%, used 189G available 43G which should be more than
> > enough for a less than 700MB download
> >
> > So where should I look for?
>
> Template (and generally packages) is downloaded to
> /var/lib/qubes/updates in dom0. Maybe you have something smaller mounted
> there?
>
> There I found only the following: /var/lib/qubes/updates/rpm/qubes-template-whonix-ws-3.0.6-201...noarch.rpm
>
> Doing
> du -h
> There gives 191M which is much smaller than the 43G I expected.
>
> But the fact that some space is still available suggests that the template
> was fully downloaded and I do not have to download it again. Correct?
>
> You may want to try --clean option, to clean cache first.
>
> It seems --clean is an option for a command. Which command?
>
> I understood, it is the same update command. But running it, it replies 0
> files removed. So it may not help.
>
> Is there an easy way to increase space?
>
> I updated the template again using the --clean option, but I get the same
> "no space left" error.
>
> But the situation is even worse. Now df -h shows that even the last 43G
> disappeared from /dev/dm-1. So zero available space left.
>
> Hope there is a solution
> Best
> Fran

I removed some templates and everything worked again. It seems there is only a limited space allocated to templates and when this space fills up, then it messes with the general space available in the system at /dev/dm-1 eating up all available space.