[qubes-users] Re: Windows 7 virtual graphics card

[Drew White]

Yo find out about virtual graphics cards, perform research into Qubes + VNC

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f226281b-5036-4a49-b604-6fe7b235ef06%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Windows 7 virtual graphics card

[Drew White]

On Thursday, 2 June 2016 21:24:02 UTC+10, Achim Patzner wrote:
>
> Is there a way to provide a virtual graphics card that will support 
> 3840*2160 pixels? I'm having serious problem to see anything using a 
> Windows 7 HVM at 257 dpi... 
>
> Either install the tools and go Seamless, OR alter the settings to have 
the text and all larger.
Use the Themes for Windows.
Then you won't have an issue seeing things.
Or else just use a lower resolution.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3667946f-c821-4477-94c3-ddb81e04c19c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes on a Shoestring in a Hurry

[Drew White]

On Sunday, 5 June 2016 19:20:43 UTC+10, unc...@sigaint.org wrote:
>
> On Sat, June 4, 2016 13:58, unc...@sigaint.org  wrote: 
>
> > On Sat, June 4, 2016 12:35, "Holger Levsen"  > wrote: 
> > 
> >> did you try XFCE instead of KDE? XFCE is much more ressource friendly. 
> > 
> > 
> > Thanks for the tip!  I must try a full install; unfortunately that will 
> > take me offline for some hours, for obvious reasons... 
>
> I manually configured a 4GiB encrypted swap partition on an old hard disk, 
> and separately an encrypted LVM for Qubes, plus /boot and biosboot. 
>
> The good news is that Qubes R3.1 starts, and LXDE is smooth. 
>
> The bad news is that Qubes doesn't use the swap, and important things fail 
> due to out-of-memory. 
>

Firstly, I would recommend setting Dom to use only 1 GB of RAM. This is 
best set after initial install and tell it to
NOT create ANY of the VMs..  That way you can define everything after first 
boot.
Set each VM to have 256 MB RAM. IF you have Memory Balancing on, then set 
Maximum to 356 for NetVM and ProxyVM

So install Qubes, but don't create any VMs, create them yourself AFTER you 
have configured Dom0 using the
live DVD /USB after the install.

You say you have 2 GB RAM, so have 512 for Dom0, but better for 1 GB.
Then you have 1 GB to share among the other VMs.
You can go as low as 50 MB for a NetVM. I've got mine running at that.
Min 256 for a ProxyVM (depending on how many firewall rules it will have to 
handle.)
So then you have 700MB (rough)) for all other VMs.


 

> I think the rest is best explained in chronological order. 
>
> In the Qubes installer, I elected to configure all the default qubes plus 
> the option to route all system/update traffic through Whonix 
> ("experimental").  During the final stage when it shows a progress bar and 
> configures various qubes, I received the following modal dialog while it 
> was configuring networking: 
>
> --- begin dialog box 
> [title bar: "[Dom0]"] 
>
> Setting up networking failure! 
>
> ['/usr/sbin/service', 'qubes-netvm', 'start'] failed: 
> Redirecting to /bin/systemctl start  qubes-netvm.service 
> Job for qubes-netvm.service failed. See 'systemctl 
> status qubes-netvm.service' and 'journalctl -xn' for 
> details. 
>
> [Close] 
> --- end dialog box 
>
> When I hit "Close", the installer immediately finished.  I do not know 
> whether it just bailed, and left important configuration undone, or if it 
> really finished.  Thence to the Qubes login screen. 
>
> Running "systemctl status -l qubes-netvm.service", the pertinent lines 
> read in pertinent part (sorry, all of this is manually copied and 
> retyped): 
>
> --- begin quote 
> ERROR: ERROR: insufficient memory to start VM 'sys-firewall' 
> qubes-netvm.service: main process exited, code=exited, status=1/FAILURE 
> --- end quote 
>
> On startup, exactly two qubes are running: dom0 and sys-net.  top(1) 
> (which I grit my teeth running in dom0; is it part of the TCB?) shows less 
> than 30M free memory, and... 0 swap! 
>
> Specific questions: 
>
> (a) How do I not only add my swap partition, but make Qubes automatically 
> unlock and use it at boot?  I think this start config issue is probably a 
> Qubes-specific question, because Qubes is not really like other Linux 
> distributions in these under-the-hood system things. ;-) 
>
> (b) Related to (a), how do I make sure in the Qubes startup configuration 
> that it unlocks both the LVM partition and the swap partition with the 
> same LUKS passphrase?  It is not good to type the passphrase multiple 
> times, e.g. in public with shoulder surfers and possibly security cameras 
> around.  (Or better yet, swap with a one-time ephemeral key.) 
>
> (c) If I can get sufficient qubes started, how do I verify that all 
> network traffic (including update traffic) is routed through sys-whonix? 
> IOW in which qube do I fire up tcpdump(1) or check the logs, and really 
> get a global view of which packets are coming in/out?  I am accustomed to 
> watching traffic (through pf and on physical interfaces).  I just need to 
> know where in the Qubes intranet to get a global view, *without* risking 
> compromise to dom0 or another important qube with a tcpdump(1) or 
> libpcap(3) bug. 
>
> Thanks in advance! 
>
> Almost no longer, 
>
> "Uncubed" (un-uncubed?) 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f0d3f5bb-a8b7-41f0-a9ec-c949c040a21c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Install VPN in anon-whonix

[Chris Laprise]

On 06/08/2016 04:15 PM, asdfg...@sigaint.org wrote:

Hello
I read the guide on whonix site about how setup a VPN in workstation but
it is old and my VPN is a little different, it has a GUI interface but
also a setup for Open VPN (to work i have to use GUI). Do I setup like a
normal VPN in debian (network connection, import configuration,
certificate etc...) and change firewall?

Thank you


Mixing a VPN in the same VM as other tunnels or proxies is a more 
complex affair. Qubes proxy VMs allow us to do this kind of thing more 
cleanly.


So I recommend using a debian proxy VM. The doc Andrew linked to 
contains a firewall script I created with Whonix (and other apps) in 
mind. Its designed to fail closed (block traffic) if openvpn stops 
working, and to stop all leaks. The only thing in or out is tunneled 
traffic and related ICMP. Its designed for simple VPNs that tunnel all 
traffic upstream (i.e. no special subnet selections), so it'll work with 
most services.


There is a fancier version that creates systemd service and has a more 
explicit firewall setup, though its about the same protection:

https://github.com/ttasket/Qubes-vpn-support

What's more, you don't have to alter any template beyond installing 
openvpn to get this working.


OTOH, if you're looking for a solution for Network Manager, the doc 
shows you how but its without a firewall. I am looking into a way to 
make the firewall script work with NM.


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5758DB48.1070408%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to install clean template?

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 10:46, Albin Otterhäll wrote:
> How should I go about to install a clean template? When setting up
> a template for a specific domain, e.g. software development, it
> could be useful to have a clean slate.
> 

You can simply clone one of the default templates. If you've already
modified the default template you want to use, you can clone it, then
reinstall it from the repo.

Here are the instructions for reinstalling the Whonix templates, but
the same general procedure should apply to all templates:

https://www.qubes-os.org/doc/whonix/reinstall/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWLYEAAoJENtN07w5UDAwrZ4P/36NNgpos/AHcDC7PxY/03LZ
EBy9s/XVtQaMMoIIgdhlXVR5LnPYc555nS6mJ9aiLynUxbvJ8G2H/BHZgM4a1Buu
qOVKsiXftyziyR7DIiXFPRq9MirNnKKEMZFp3SRnCuFU1LBotmssbV4OTeglOQcY
MWmyoNWW8/uDocOVurGWTxWOUM9BQ4DqzH3GhGZhP9kKRPcsmR3wfx2I3Zn1tKIg
M5IpSgmeJYN/3P+ENfNZVwLym+KaCSkMEn1VpeCwD119gMrsrijE5f+Ve7fQye94
lHkwnoMOaRtxsj9F6asak9ArH0OInvZy92bshKlW0PUq2en7/OqUelcwUqCLztag
A8Ewz6mKwm/E5JGi7gt82dYYbd8eHVMtcbKlp6ODuLZjdQhMkhMTtTOpfEtlsrXS
KFoktUbL7m9U8vj+Yl8gmU5V9Igr0o1Q4JxxNk3Bw223GRcYBhYnFjer46aQp48e
MunlaZMk83y9HVgaOPxnXAJ+UZeINz0Ll1aj3ItgrQuG/5jfG4Pt9ywsNyj4v+VN
9dUuZof1EuST1k0iT0PmXgqQVu8j6Ibyp1HUtvKQlw632cgu6SEskXrVohNEX9dB
Ia2GeDp9Pnro9QDfQOI0m2m+jA/Rx1KPRZAqyjYECnPxW1ogj2pdmfw238H1clP6
oQYOZQz8rYtb0EXUNknV
=z7Wh
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/18729d7b-ca3f-b721-32d8-7b2f95aeeddd%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: qubes user guide instructed me to brick my qubes disk

[Mike Patton]

On Thursday, 9 June 2016 08:22:44 UTC+10, boromi...@sigaint.org wrote:
>
>
> I followed the user guide here for creating a usb VM because for some 
> reason qubes will otherwise automatically connect a possibly malicious USB 
> to DOM0 for some unknown reason. My qubes is installed onto a USB so i 
> dont know what good any of that would do. 
>
> --- 
>
> https://www.qubes-os.org/doc/usb/ 
>
> Alternatively, you can create a USB qube manually as follows: 
>
> In a dom0 terminal, type lsusb to check if you have a USB controller 
> free of input devices or programmable devices. If you find such free 
> controller, note its name and proceed to step 2. 
> Create a new qube. Give it an appropriate name and color label 
> (recommended: sys-usb, red). 
> In the qube’s settings, go to the “Devices” tab. Find your USB 
> controller in the “Available” list. Move it to the “Selected” list. 
> Click “OK.” Restart the qube. 
> Recommended: Check the box on the “Basic” tab which says “Start VM 
> automatically on boot.” (This will help to mitigate attacks in which 
> someone forces your system to reboot, then plugs in a malicious USB 
> device.) 
>
> -- 
>
>
> LSUSB shows a list of devices and my usb connected to it, i could see my 
> controllers listed and my qubes usb, it did not specify which controller 
> its connected to, which even if it did would be of no help, as the devices 
> tab of the USB vm i created uses different names for the controllers. 
>
> I selected both controllers figuring there is no fault in protected all 
> usb ports. Then i selected 'start vm automatically' to protect against 
> some obscure attack. What the instructions failed to document is that a 
> usb VM will put your USB's into read-only mode which immediately began to 
> brick my qubes usb. I restarted hoping to fix the problem, but having set 
> it to start automatically as instructed forced the system to brick itself. 
>
> Im severely disappointed in the failure of the qubes development team to 
> forsee this simple problem and its failure to document the read-only 
> property of a usb vm. If it cannot even ascertain that its instructions 
> will lead to a fatal outcome how can anyone possibly believe they can 
> secure an entire operating system. 
>
>
>
> Your subject is kind of false.  The guide didn't instruct you to brick 
your install disk.
Unfortunately you did that by not following the instructions.  It 
specifically says:

"*type lsusb to check if you have a USB controller *

*free of input devices or programmable devices. If you find such 
free controller, note its name and proceed*"

Considering the operation is forwarding the USB controller to the usb-vm... 
Forwarding both your controllers (one of which includes your install disk)
doesn't seem like a smart thing to do.  Sorry, just my opinion.

If you weren't sure about the instructions, perhaps it would have been best
to ask somewhere for assistance?  I have had amazing response times to
queries in this group and when reporting a non-bug.

Hope you give it another go.

M.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9da92b3c-6df0-4c8e-b013-cd6fbb3e6f89%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] choosing 1 upgrade of the month

[Tibor Veres]

the ram may be cheaper than you expect if you're willing to accept used. I 
recently bought 6x4g ddr3 ecc on ebay for ~$45

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f8133178-3c8c-42b5-b628-cba932ac75b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] New initramfs won't stick

[mpatton125]

Thanks for the very quick reply! Yes I think you are correct. I will give it a 
go, passing the correct path for efi.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/86c0aec9-a478-4ca5-bef9-fb3b713662f0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] SD card goes attached to Dom0 rather than sys-usb

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jun 08, 2016 at 08:44:11AM -0700, Andrew David Wong wrote:
> On 2016-06-08 08:36, Andrew David Wong wrote:
> > On 2016-06-08 08:21, Franz wrote:
> >> Hello,
> > 
> >> I noted that when I insert a SD card into the corresponding slot
> >> of my Lenovo x230, it is automatically attached to Dom0 rather
> >> then sys-usb (default configuration). Well I use the SD card only
> >> for my Nikon camera and I have no reason to trust Nikon less then
> >> Lenovo, so no problem for me, but wonder if this is expected
> >> behaviour.
> > 
> >> Best Fran
> > 
> > 
> > It's probably that the associated hardware device is not assigned
> > to any domU (e.g., your USB qube, if you use one). On my ThinkPad,
> > the device is labeled "PCI Express Card Reader." Assigning it to my
> > USB qube results in any inserted SD card showing up in the USB
> > qube.
> > 
> 
> Issue for implementing an option to have this performed for the user
> when the USB qube is first created:
> 
> https://github.com/QubesOS/qubes-issues/issues/2055

Indeed may be a good idea. On the other hand, I remember that for some
Realtek devices it is impossible to attach the card reader to a
different VM than the (somehow bundled?) network card.

I guess it doesn't apply to your model, could you provide more details?
Also worth collecting info on problematic models to set appropriate
default depending on the hardware.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXWJ1KAAoJENuP0xzK19csPYcH/3jbEvJoLE8Rnc61sAmslpol
DIfXZzTfNt4Ag6bDyOS6zRCzSGiaeCRO+c6K+PLllhq8/dVGhlMIVMute/BfFUDh
6i/N4kSkefG/53Xm/Q7DhGaJTvMlkBmOF4yLI1MTe/RMdRzGscn2nDhaX+7tJejD
vClwZJumFyxPDylvEb42guAtdzJH2l9IcuGeHZGZgjJlwwxOeLi76OBnF4/lryMe
B8Tf42MDyPoyico7TUfg3jN2fSDxjRm4i/+C1LFA58zW5iziOtjTP2U/so//m4Ed
4+XPov7amb3fmXUUst9+zTAL1e00293hOaabtPyoftRV+MwLDAF0fOXM1VFQ9TA=
=pSCz
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160608223346.GV1593%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] DispVM available space

[Connor Page]

Thank you Marek. I guess the setting should be greyed out same as root image 
size.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/209d800b-268f-4a6f-b501-5c0f6cb3d0c2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qubes user guide instructed me to brick my qubes disk

[boromirsbeard]

I followed the user guide here for creating a usb VM because for some
reason qubes will otherwise automatically connect a possibly malicious USB
to DOM0 for some unknown reason. My qubes is installed onto a USB so i
dont know what good any of that would do.

---

https://www.qubes-os.org/doc/usb/

Alternatively, you can create a USB qube manually as follows:

In a dom0 terminal, type lsusb to check if you have a USB controller
free of input devices or programmable devices. If you find such free
controller, note its name and proceed to step 2.
Create a new qube. Give it an appropriate name and color label
(recommended: sys-usb, red).
In the qube’s settings, go to the “Devices” tab. Find your USB
controller in the “Available” list. Move it to the “Selected” list.
Click “OK.” Restart the qube.
Recommended: Check the box on the “Basic” tab which says “Start VM
automatically on boot.” (This will help to mitigate attacks in which
someone forces your system to reboot, then plugs in a malicious USB
device.)

--


LSUSB shows a list of devices and my usb connected to it, i could see my
controllers listed and my qubes usb, it did not specify which controller
its connected to, which even if it did would be of no help, as the devices
tab of the USB vm i created uses different names for the controllers.

I selected both controllers figuring there is no fault in protected all
usb ports. Then i selected 'start vm automatically' to protect against
some obscure attack. What the instructions failed to document is that a
usb VM will put your USB's into read-only mode which immediately began to
brick my qubes usb. I restarted hoping to fix the problem, but having set
it to start automatically as instructed forced the system to brick itself.

Im severely disappointed in the failure of the qubes development team to
forsee this simple problem and its failure to document the read-only
property of a usb vm. If it cannot even ascertain that its instructions
will lead to a fatal outcome how can anyone possibly believe they can
secure an entire operating system.



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0c997e649d4fad0fea83afb5090ec297.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] [Fwd: qubes wont start anymore]

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 14:40, boromirsbe...@sigaint.org wrote:
> 
> I havent done much with my new qubes install so far, ive maybe 
> loaded it a few times to test it, now ive gone back on to
> configure bridges and it gives this error right after the boot menu
> and hangs:
> 
> usb 2-5: device descriptor read/64, error -71 usb 2-5: device not 
> accepting address 6, error -71
> 
> 
> Nothing changed on my system since i last used it.
> 
> 
> -
> 
> 
> I've found the bug causing this, qubes starts up into its timed 
> autoselect bootup menu under the assumption your disks will be
> fast enough to load the background processes before its timer runs
> up and it starts. By cancelling the timer and waiting a few more 
> seconds this will allow usb based qubes to load properly. Not that 
> anyone cares since no ones bothered to respond to this in the
> first place.
> 

Thank you for following up to report the solution. FWIW, I think it
was probably that no one knew the answer, not that no one cared. I,
for one, would never have guessed that this was the solution.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWJnFAAoJENtN07w5UDAwYogP/1sWVoMzL1d2fz6Q4gphQ0mr
Jpr+7UH46YHQr5lMLWVZ47/IumTOF6406lOp+VsbqSdmRNdXdhfp0m8dOyX+emT3
G589XbR7en/Rr8HS4zeRp4MC6nVPQdc7s8GVaa9FsLru1PH1OpmpAM0HwYXj3RDF
lLVKqUV6RftY+GeC9zEtj0Wr5n0/at4IsNJJd52IRbVoy4Pg3X7sS+Bqh4ovDgTe
C4SoZ66xzSKH1H6syMezgVzHCRcmnQ4GR1i3aK5Bd9rh+MF6BQ6a4IV7mEvod6nz
VG6T1BR/NxYsMC8Smi6Fdk8pgpGHDLVaeaRrLmaFlLfhqL1kEMDkYsHdFhaE7wQc
SkBAw62szIovsSVuq2VyxutYyZxZrAcHzQSVxkpEsDUpNuIFAEWkpNoPhj1OPjrW
Bn2CrX9EmyYLqNhRj2pS9jgCzVRaSDNiePVrvoOJhbeY0a+nOAwguHv8WJIemOzA
wAOLLb3pAXcEr/zVjxAglkUKZiXbjPV4devjBliCTuMkb/GCBouggrxi7gfD1/nj
iqifuO9Lnm6n2A0jteZLR0PlkVL2XyHWiSI33qH80m4eCbXNgIjZtLyD5IMtBRaT
KY8XVAYvtCiVqVJyWFfP0AhxaC97B+T9FW5+Ccxcwh9vc/28fXB9uLi4W7D6xxhD
EUrnHRvbgknfXDX/3Xfc
=WKzI
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/376ea662-518f-dbc6-524a-6e9083ac7c0c%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Install VPN in anon-whonix

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 13:15, asdfg...@sigaint.org wrote:
> Hello I read the guide on whonix site about how setup a VPN in
> workstation but it is old and my VPN is a little different, it has
> a GUI interface but also a setup for Open VPN (to work i have to
> use GUI). Do I setup like a normal VPN in debian (network
> connection, import configuration, certificate etc...) and change
> firewall?
> 
> Thank you
> 

Take a look at our VPN documentation if you haven't already. It was
recently updated:

https://www.qubes-os.org/doc/vpn/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWJk8AAoJENtN07w5UDAwOR8P/2/P8q03qeL4xmx3tkN8VOOT
jeJJaAKQOkPjNADQ+uFrAsqA/qTpD4KqESAcX8zJmMTAu3TGSA9U57yXggzSQBdG
rmOMgs5s7u3LRoMyoYqDYDG/nUn8wFvTyGp/yyunsx5oJ2WQgSaSCuUJRCKputAg
UIDMeD0+6Ci+uc0KG6zzMiPa9WfhsnGjcIZ7vEmUeP+xi0IGOOhQkRQgWKL3PAp3
wB63FJHMW9qOBYsjQrqOLh7dupqgekh98nDY+IOs9UclBN3/IQOeuKWe9GFEAzA5
ywhR6BWP1lxmTXRKw6Cm8oFvw9+axxnX2E0Nq2DIpQ2F5GGAQPkgqiN7d++ji1Cu
W6TmMeXXM15FZuE8QneZFA+J6eLiJ2GzOE+gam1ZmVU4Hgn56yPIhDto0vTyNvFn
Cf5tDllC4jHaus9zx2ombkH3Fd2vWj9Lq5x2uKjc6bRxuvG6GTuqMHJMnEu62D+M
jKrwnZMydrsGjHNyeBA8ktac3jtSxYgXMNV/DQBC8xBGdtJ8VsvJ9Jy1su8cIFBS
6jXsd1Kb6mf2w59WD3gGLrsCm/TtfxfzXJbxtSjJ/EsdPhCfEZKBtumTqyx9XMO9
vNTwZK/HKkN9AQvVulnj8yChkxTPXNi5O35msCzWISQqBFn2MYRoN3/HoEoGOrj/
2iW2tUnlxhbm3Te1AEC+
=B9Ij
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20ec2d6a-60d1-1c3d-9bc8-fce7644bee59%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: VM CPU mapping - countermeasurements against covert channels via cpu caches?

[Andrew]

1093284'109438'019438'0914328'0913284'0913:
> Hi Andrew,
> 
> could it be that with some real-time OS features, it will possible to splitt 
> the Cores of an CPU in two clean domains?
> 
> This would lead to a better latency performance for real time communication, 
> like skype and for some "air-gapped engines" inside Q.
> 
> Kind Regards
> 

I'm confused what you're trying to achieve: static scheduling of some
VMs on some cores, or the elimination of caches as potential inter-VM
covert channels.  Can you explain exactly what your goal is?

I have an idea: go read up on the relevant literature (which I am sure
exists in substantial volume), reformulate your goal if necessary, and
tell us what you learn.

Andrew

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a04e1cd0-b9b6-8446-23d3-3022a782ffcf%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] DispVM available space

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jun 08, 2016 at 12:37:39PM -0700, Connor Page wrote:
> I've noticed that there is no private image mounted in /rw in disposable vms.
> 1. What is the point of private image size setting in Qubes Manager then?

No point at all...

> 2. Is there an easy way to expand dvm storage without affecting it's template?
> 3. Am I missing something?
> 
> I need to load large files in dvm, check them and then move to another vm. 
> There is not enough RAM to use ramdisk.
> Any quick hints will be appreciated.

One idea is to add additional block device, even file based[*],
optionally encrypt it with ephemeral key and mount in that DispVM. Not
very convenient, but effective.

[*] In dom0:
truncate -s 10G /var/tmp/some-file.img
qvm-block --attach-file dispN dom0:/var/tmp/some-file.img
rm /var/tmp/some-file.img

The actual space will be automatically released as soon as you shutdown
the DispVM.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXWJLuAAoJENuP0xzK19csR20H/jtymqHwp17SxTMCH9CULXq0
7af38ycxEAUq2XgNqPDYXWAcMZPKHUChT/EoVnIK4w+4HIG7Xiw428xKMlg6fxZH
5oATPU/BTU270dp3JMPzy9dqkIRPX0WiwPieGVF1rDsQOkFzQmuU2hbG61mIDCjQ
+FW6ujdiywO9vmbJlTZqBiI4OtsXVw1KATUOY+B6HLlMUlUCftWMtS1XT+Ehb8F2
nKxCze/oM63d2eHTbIy6Pm43OWW9tUTEhk1IO4WjfCnKN8NQLK5Pa51d/qNMuXC1
KSOLV2wemGr/Nkzh7niltbX/jjGbZupVXSyI3heKBFieOuF2X4mYESbBa02wyjY=
=h7BW
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160608214933.GU1593%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] [Fwd: qubes wont start anymore]

[boromirsbeard]

 Original Message 
Subject: qubes wont start anymore
From:boromirsbe...@sigaint.org
Date:Mon, June 6, 2016 4:08 pm
To:  qubes-users@googlegroups.com
--

I havent done much with my new qubes install so far, ive maybe loaded it a
few times to test it, now ive gone back on to configure bridges and it
gives this error right after the boot menu and hangs:

usb 2-5: device descriptor read/64, error -71
usb 2-5: device not accepting address 6, error -71


Nothing changed on my system since i last used it.


-


I've found the bug causing this, qubes starts up into its timed autoselect
bootup menu under the assumption your disks will be fast enough to load
the background processes before its timer runs up and it starts. By
cancelling the timer and waiting a few more seconds this will allow usb
based qubes to load properly. Not that anyone cares since no ones bothered
to respond to this in the first place.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ca0b513b235c6836faf5e3c754f66877.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Should there be a Qubes OS forum?

[09821'034918'0324981'0293481'092348'01943]

Hi Andrew,

the prob is, if you talk seriously about security, will be anonymity...

>From the usability effect, I was happy with the thebrain forum, because it is 
>quite friendly and helpful and has a pre-structuring, which helps to keep this 
>many topics together.

http://forums.thebrain.com/

And for future features they have additional the very kind UserVoice, which has 
the focus to weight the community ideas, so that continuously new functions and 
features get implemented...

https://thebrain.uservoice.com/forums/4597-thebrain-feature-suggestions

But I don't know, which framework is needed for some similar look & feel.

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9ad7e588-f3e8-4c77-988b-47b49320b89d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: VM CPU mapping - countermeasurements against covert channels via cpu caches?

[1093284'109438'019438'0914328'0913284'0913]

Hi Andrew,

could it be that with some real-time OS features, it will possible to splitt 
the Cores of an CPU in two clean domains?

This would lead to a better latency performance for real time communication, 
like skype and for some "air-gapped engines" inside Q.

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3309d04f-5f31-4e93-8a41-d63a5e53285c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] If using the same Whonix GW, does all Wonix WS get the same "identity"?

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 11:55, entr0py wrote:
> Andrew David Wong:
>> On 2016-06-08 00:14, Albin Otterhäll wrote:
>>> I'm assuming that if you connect to Tor using the same Whonix 
>>> gateway (e.g. "sys-whonix"), you get the same "identity" (IP, 
>>> etc.) on both your workstations. Is this correct?
>> 
>> 
>> Not entirely. By default, stream isolation applies to different 
>> workstations and to any supported apps in those workstations.
>> This means that every VM connected to sys-whonix will (and every 
>> supported app in those VMs) will use a different circuit through 
>> the Tor network, hence a different exit node, hence have a 
>> different IP address.
>> 
>> However, there are still side-channel attacks that can be used to
>>  correlate multiple workstations running on the same host 
>> (stressing hardware and observing the effects in all
>> workstations, clock skew, network timings, etc.).
>> 
>> Details: https://www.whonix.org/wiki/Multiple_Whonix-Workstations
>>  https://www.whonix.org/wiki/Stream_Isolation
>> 
>> 
> 
> What Andrew said. Some nitpicking:
> 
> There is no guarantee that you will have a different exit node (or 
> even a different circuit). It's random so you might wind up with
> the same but not intentionally.
> 

Thanks for clarifying that. I had guessed that it was random and thus
the same exit node or even circuit could be selected by coincidence,
but wasn't sure. IIUC, this should be pretty unlikely in the case of
exit nodes, since there are many, and nigh-improbable in the case of
circuits, since there are vastly more possible combinations of nodes,
even taking into account that many nodes can only occupy certain
positions in the circuit (guard, relay, exit).

> Also, Tor Browser has stream isolation features of its own, such
> as separate circuits per tab and new circuits after a set time 
> interval.
> 
> Finally, non-stream-isolated (meaning non-tor-proxified) apps in
> the *same* workstation will share the same circuit since they will
> route through Whonix-Gateway's Transparent Proxy Port (TransPort).
> The TransPort can be disabled to prevent this. (Instructions in
> Andrew's links).
> 


- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWIQdAAoJENtN07w5UDAwaQAP/ik320nIeqfea6V43gp5eLaI
l6kadNNL5jrw9DeHCAbYpRxcEz/a386B4f0VscGHBf9DCbVwmAFyqkXUKEY17NOr
CaZDJUjmVrdT8S0YHN9qoFnO8nY63Pu3DxL3fx5yVbBLWdPNhG2tnHF2klavz8sQ
ckvjPsENLLWdyQFmNvlW6SQMttrCSWmG8EiuRTnhXi8UuboaRXUV8o6dQ/OzX2Ip
lZPj9YFbS45DtAcKLa0QEhkaz7104LQIq85vohVHaYFon5FqdKpq6beqlaBtLrUj
UyNk1FYnbDwQaMvWUuU5/OEaK59SzSG3qUG+5FFJWT2SIrGgpi7yoIkXv4TNR6NF
+uvTuOzNTdcKKJDmB9K9fqwsoniz5AgdGVHkMh4oBTFRZE2FpTz+iJyoPeIxdHhx
vpiXLhkLjFO9jojdd1tN6i9RtWQzs8kAkzkiprkEB9V0+xeUyqio6YBMDblebS0P
MVbsMFush6YISymoJNVimDez01XD1UqQR6rlusvbt2Fo83hEwwt+gNolOGVcObeN
LtoNKv5XBfGMnyJqMpKbV+ek1fC8XCcL4ibYnTrlBozVDefmk6YHumCVfnpI8As0
DYzcOfT8PDhjXe1Xc0I8txcSi2xgjpIZuuAtH24s3FhUD2qbiRNRW06ZwvKW8Ixv
2OZfQEoNf4obLKwD43jn
=reTt
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c6080b0d-c3ea-6c85-f135-6d7072d6ba2c%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Install VPN in anon-whonix

[asdfgher]

Hello
I read the guide on whonix site about how setup a VPN in workstation but
it is old and my VPN is a little different, it has a GUI interface but
also a setup for Open VPN (to work i have to use GUI). Do I setup like a
normal VPN in debian (network connection, import configuration,
certificate etc...) and change firewall?

Thank you

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/805c58e82d9138233a75b828588c6eed.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] DispVM available space

[Connor Page]

I've noticed that there is no private image mounted in /rw in disposable vms.
1. What is the point of private image size setting in Qubes Manager then?
2. Is there an easy way to expand dvm storage without affecting it's template?
3. Am I missing something?

I need to load large files in dvm, check them and then move to another vm. 
There is not enough RAM to use ramdisk.
Any quick hints will be appreciated.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4a931885-00e6-47fa-b946-9fd0cd821ff2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] inter-vm traffic cant ping windows 10 hvm

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 08:22, moritzbrunner2...@gmail.com wrote:
> Hello, I tried to connect my windows 10 hvm, which firewall is
> disabled, with my fedora appvm, but I can't connect/ping it.I tried
> the same with 2 fedora vm's and it worked properly... Thank you for
> helping in advance
> 

Take a look at this section if you haven't already:

https://www.qubes-os.org/doc/qubes-firewall/#tocAnchor-1-1-4

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWHGVAAoJENtN07w5UDAwRtIP/j36ZkMOkqI/FQekuxkkANdB
wpLTrf4mcYCQ8qkmm67CQuYrOQXsneQeVtlWHVFm3zJJBWpGvp0agaX6t7sD5SeL
dWZv90JiR3d6uOQvF50nphAtTG0F9oFxKfZRL8iavM1sOYZOwUQpLLQo/Mltb8pV
5bF32ksTGz0vGaI4SVWaGrg1kOboe6CFMBgayIlBDoUHUAgB95ZcsJEkgeDvU75v
LIUkpvtFFwckluNWPOIQxiMzqtdPHrxbW9TyAZ6lzVp/B1RTuqMzA4YGX9VxDzUV
ciTqJSa4ZHFY+fDrQPAwt6PqnJhtt8X+ByLvZOUHXkVKDOFMDIZtbXUQLYOvNlIo
EHo748XR0AtI2ykBhUZCEHUuRRnRIZHLWnclTNzJiZCLH+2ISzS11/4Z4GLUc9pz
X2I76RtdwOZy1S3enzcfnyXszxJQ9kalLQtrYJjyxFahdDDCVYlyb3e9qW3e3XwF
COiH1BRpsG+17/lrYhsdq9wEdtKl0nukXiGdZUGgMkIxLqzpt7S5ohFmGe44Ox+4
qlTEgLi17dDM7Wyq+3dNN6pTEygqSxkgpVYJXZl/gISZWXFAXRVNAT0Ux86IbkYT
OL+F8b8rYLHhXgHqNj2FF9b8FlBdtcKQWVyrWek6OaFpy528uEmsyjJcrMebGobm
icGn7kWr6cs7xILhktjn
=gjN+
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a7b5088e-bbea-d23b-322f-2358aa858eaf%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] If using the same Whonix GW, does all Wonix WS get the same "identity"?

[entr0py]

Andrew David Wong:
> On 2016-06-08 00:14, Albin Otterhäll wrote:
>> I'm assuming that if you connect to Tor using the same Whonix
>> gateway (e.g. "sys-whonix"), you get the same "identity" (IP, etc.)
>> on both your workstations. Is this correct?
> 
> 
> Not entirely. By default, stream isolation applies to different
> workstations and to any supported apps in those workstations. This
> means that every VM connected to sys-whonix will (and every supported
> app in those VMs) will use a different circuit through the Tor
> network, hence a different exit node, hence have a different IP address.
> 
> However, there are still side-channel attacks that can be used to
> correlate multiple workstations running on the same host (stressing
> hardware and observing the effects in all workstations, clock skew,
> network timings, etc.).
> 
> Details:
> https://www.whonix.org/wiki/Multiple_Whonix-Workstations
> https://www.whonix.org/wiki/Stream_Isolation
> 
> 

What Andrew said. Some nitpicking:

There is no guarantee that you will have a different exit node (or even a 
different circuit). It's random so you might wind up with the same but not 
intentionally.

Also, Tor Browser has stream isolation features of its own, such as separate 
circuits per tab and new circuits after a set time interval.

Finally, non-stream-isolated (meaning non-tor-proxified) apps in the *same* 
workstation will share the same circuit since they will route through 
Whonix-Gateway's Transparent Proxy Port (TransPort). The TransPort can be 
disabled to prevent this. (Instructions in Andrew's links).

-

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the 
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!  

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/57586A08.1050606%40vfemail.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] How to install clean template?

[Albin Otterhäll]

How should I go about to install a clean template? When setting up a
template for a specific domain, e.g. software development, it could be
useful to have a clean slate.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/nj9lmj%24lag%241%40ger.gmane.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Proxify VM

[Jeremy Lator]

Yes, sys-firewall could be a problemI can use JonDo in another dedicated 
proxyVM above 
sys-firewallnetVM-->sys-firewall-->proxyVM1(withJondo)-->proxyVM2(vpn)From:
 Chris Laprise Sent: Tue, 07 Jun 2016 01:35:24To: 
Jeremy Lator , Andrew David Wong 
, qubes-users@googlegroups.comSubject: Re: 
[qubes-users] Proxify VMOn 06/06/2016 06:11 AM, Jeremy Lator wrote:> 
Shortly> I have JonDo in the first VM and a VPN in the second VM. I want 
that> the VPN detect socks of JonDo during the connection> MyISP --> 
 JonDo -->  Firewall -->  VPN-->   
 internet>      \           
 /                 \  / \/ 
             \ />       
      |                 
        | |             
   |>        sys-net       
    sys-firewall   proxyVM    appVM>>>So 
"internet" is really an appvm with your browser?Then your diagram 
implies that you want to use vpn software (i.e.openvpn) through jondo. That 
would mean configuring openvpn to access asocks proxy. I think jondo was 
created to have the browser (and otherapps) access the socks proxy, but if you 
really want it this way openvpncan support socks proxies. Check this 
out:https://www.comparitech.com/blog/vpn-privacy/hide-openvpn-traffic-with-ssh-tunnel/Having
 sys-firewall there might be a problem. That's because you have toput the 
address of the jondo vm (seen as the 'gateway' address in thedownstream 
vm) in the openvpn config.Chris

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1465243524.S.3691.8849.f5-147-124.1465408561.9082%40webmail.rediffmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes OS' mailing lists now available via Gmane!

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 09:14, J. Eppler wrote:
> Hello,
> 
> that is nice, but do you have the links to the page?
> 
> Best regards J. Eppler
> 

http://dir.gmane.org/gmane.os.qubes.user
http://dir.gmane.org/gmane.os.qubes.devel

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWEXHAAoJENtN07w5UDAwutUP/0V9wNUyjcwtNjsGhi9EzL9l
1EebuWu00U8ESwf00R0tBOc/pVQ71U04YrBTq5j9iqZtBVtyib8buexqhXhyu8CI
iORTl8N9kja3ZkZCNNrghFZxRkk+uk5lRo+bOWaWt79uJo4cu8nqTuRd50odqTCf
0WrCvtLVmrJVKE2GzT05fiWwWNdSbg2+I+i9MRj5LOOvC0hkx9xIIW5zFhNhXDgU
xozY2tve39N5GL4FqIVMJso8ovihdrkEQL3T9NgESAVsb0j9w2lNOHl1+1XV3ZbH
B0HyaDT5gT87pXxM7lUyJ4ogCnVg8BvnnQuqOJQHC54n3AWw0mNnJ7mIZfoqumWy
+4ImnFtLOsC8sHGQpi96Ywu5598DZJT7Ok2H9IhfHJOYHeKPsilQxZAmETJCQL8U
rM8cTq2SDMzPUFOavTLu/AaDx14ek9vAKP1KCq/AfFbWc9lnrWg/gDeU36a840Vs
llExJ2YmrRsRfAf3UoOGP28aTXf28RXe4EjEBqVjF9y2xNpoLgHkpr2E0tSHfl9a
hg994uQqaPJe/u8Ic5iTQd4R3YFX58zGm9rKyTp6oiziptxCT3Cu9jTUQgt0A+dS
QhTO2oKt3xXh/ztH853mcbyV1xOus+Nnm+cj4DCZh285PC15e2RBs88tIbrHcs4p
LfxzFYhC2HAU5BE6d485
=lIiY
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5f170adc-ba7b-b3cc-5aaa-a2f00fbf9918%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Should there be a Qubes OS forum?

[J. Eppler]

Hello Andrew, 

I think it would be nice to have a easy to search forum for user questions. 
I don't think the qubes-devel list needs a forum.

Best regards
  J. Eppler

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ab28f130-2406-416f-805d-519ef8461df4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes OS' mailing lists now available via Gmane!

[J. Eppler]

 Hello, 

that is nice, but do you have the links to the page?

Best regards
 J. Eppler

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c694226e-4137-4c35-b89e-d68fd19ce7e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] SD card goes attached to Dom0 rather than sys-usb

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 08:36, Andrew David Wong wrote:
> On 2016-06-08 08:21, Franz wrote:
>> Hello,
> 
>> I noted that when I insert a SD card into the corresponding slot
>> of my Lenovo x230, it is automatically attached to Dom0 rather
>> then sys-usb (default configuration). Well I use the SD card only
>> for my Nikon camera and I have no reason to trust Nikon less then
>> Lenovo, so no problem for me, but wonder if this is expected
>> behaviour.
> 
>> Best Fran
> 
> 
> It's probably that the associated hardware device is not assigned
> to any domU (e.g., your USB qube, if you use one). On my ThinkPad,
> the device is labeled "PCI Express Card Reader." Assigning it to my
> USB qube results in any inserted SD card showing up in the USB
> qube.
> 

Issue for implementing an option to have this performed for the user
when the USB qube is first created:

https://github.com/QubesOS/qubes-issues/issues/2055

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWD1JAAoJENtN07w5UDAwa0YP/Rdb0qlMttyudH+VjExiibgX
wf1RsNHeqeO2gG2lne18ejXE1E+KvIWFKROJYoKwLxspLH12VAkUVhgpcV2j0z4b
LYF8T/AFBSOryFiI6Yv2s63pFocNrOesAfG3PRwXttBHbouH5RZ0EIxPfkwwvpFd
XTYvPL2k9oDrWeXVOxBQOtkzgjZMQjoI96p6wJBFh8SQYbxI2L5YFklkl12wb3ng
8/6a6pIAMdOgQvtOv8GqF4u2f1yjaZRiCvzpBA8/ihbt9rlZFMxk8hr0yMYxboSQ
ROQDshLfHGvc4A7xJh8MEQawP4Fh8P0nWHfesTch/p16QJW5d3yfQbU/Svh/PwfN
tcQYTsBXgSVGMVUYNUZrV2jUCkFV7mkcxgkOO+PBxh212zYdrbrsH352XRzcfG6z
2DI3fFtyfAQSR5Fvlv6/g+dzI5sGipqktikMfW7wnEnXEbKHIf7P+Wsm1naHw6Ii
8LQ4sRkEb0VKcnWdcMuiXO2eRAvd88PSHF//dtBFNoUXcqNlhvQJiXE0JSS6OUGT
B6dm8fk7OsUhvBXuPPzLEXeNqv42M2UETlWEMW6r26LxX9souA7bcqEEr8q/2xaF
IIS1OZvxcEUUCFUQQTFOZpXKcwDFNcRCuHKPiO1JmlL6huRfvRhc43JLdro7TyN4
bmMcIM90BXvFI9VDCAbN
=5x7p
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6b862716-1559-7f63-2b69-121bb193f63d%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] SD card goes attached to Dom0 rather than sys-usb

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 08:21, Franz wrote:
> Hello,
> 
> I noted that when I insert a SD card into the corresponding slot of
> my Lenovo x230, it is automatically attached to Dom0 rather then
> sys-usb (default configuration). Well I use the SD card only for my
> Nikon camera and I have no reason to trust Nikon less then Lenovo,
> so no problem for me, but wonder if this is expected behaviour.
> 
> Best Fran
> 

It's probably that the associated hardware device is not assigned to
any domU (e.g., your USB qube, if you use one). On my ThinkPad, the
device is labeled "PCI Express Card Reader." Assigning it to my USB
qube results in any inserted SD card showing up in the USB qube.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWDuJAAoJENtN07w5UDAwWvgP/1E9KJAJnMDxBvzqt1qekVSm
srxBKOiP3oa14BQ58cW+w9DQq13XliumXfv/CdEHUM8+aVsQ52xKAn7u5VUFHk8V
SWB3+z/p+cVWL3hg6SpzT6r/SVCF6bYXAI921tQkK2//BajFahv8A/uKgkyBnu5+
gHSefo+8qHd9RSzDffDz1Z7/PA9TNbnV1JS5QBhwiDTtFU20vNMe1m3zpJT3c6mu
aMlmQPb3u6wim1Udmua061MmnYxHrc8xHSLibOI6UMlpcMDuGLA04XDJMClt6yOy
d8oIP3Sl/+OQeiUlpwE/aubifXMNUdOYgXg/oA1j8aoD3gX3wSRiivfmQBX4Wt+c
De0EW7eNhDnBBkoam0Jwfpx3t/Uw5z2x/qIJUvywaG2fKU5ZyvS+UL2FzAcoQVtU
aLBkevWF29nros2xDm6KGIGJ1zRtCFpgBr0PGkorM0g6YaLEbYH44QdQw0Y/4oZx
CWbjc3PbsZnc//BIBK7VifT2HUWGR687uRSjOGSi9yH6XIiPzAbBkwri+0B9EC9d
omGHkPC/8Z6h1zJRQaNh1X3WHJa+wmnaHD947hBgIo1uLuiwZo9tsHbO/JmXsmx6
+Uv0hf+x4q2fAmWdv27hqRfvpVXegh5askjEOwALoJtSj2cUBAGzzrw03MJkbMse
DSy00c7n0GplC34sJrrV
=gX2g
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1f972c59-d398-0088-fdcd-ffe7204e25d0%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] inter-vm traffic cant ping windows 10 hvm

[moritzbrunner2000]

Hello,
I tried to connect my windows 10 hvm, which firewall is disabled, with my 
fedora appvm, but I can't connect/ping it.I tried the same with 2 fedora vm's 
and it worked properly...
Thank you for helping in advance

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7bb9e638-bb15-4f1f-a417-b92a2eb0ad19%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] SD card goes attached to Dom0 rather than sys-usb

[Franz]

Hello,

I noted that when I insert a SD card into the corresponding slot of my
Lenovo x230, it is automatically attached to Dom0 rather then sys-usb
(default configuration). Well I use the SD card only for my Nikon camera
and I have no reason to trust Nikon less then Lenovo, so no problem for me,
but wonder if this is expected behaviour.

Best
Fran

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qCFJDQO_%3D8f7MGE5WUgvk%2BK-giqezNGC8xqxeusv0WE0w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] If using the same Whonix GW, does all Wonix WS get the same "identity"?

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-06-08 00:14, Albin Otterhäll wrote:
> I'm assuming that if you connect to Tor using the same Whonix
> gateway (e.g. "sys-whonix"), you get the same "identity" (IP, etc.)
> on both your workstations. Is this correct?
> 

Not entirely. By default, stream isolation applies to different
workstations and to any supported apps in those workstations. This
means that every VM connected to sys-whonix will (and every supported
app in those VMs) will use a different circuit through the Tor
network, hence a different exit node, hence have a different IP address.

However, there are still side-channel attacks that can be used to
correlate multiple workstations running on the same host (stressing
hardware and observing the effects in all workstations, clock skew,
network timings, etc.).

Details:
https://www.whonix.org/wiki/Multiple_Whonix-Workstations
https://www.whonix.org/wiki/Stream_Isolation

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXWDTtAAoJENtN07w5UDAwkIMQAIsKMKDrWfy6JnVW0TZGFTgj
xk8QqTVg8sCwC0TqNBbpNccexb6AWB2IjS63k7CYfe9/mfPih92w+Qx+JzUiAiBo
Uyx+iTQ7MI9oNK/Aaqw0KEahTN/BiB4T+MhrebOyUEZNL0E0C4ax3SiZboMbNo+9
7wUlJ2DHrFNALYiYlQ40UKTtcaqpQB+aZ7RMi6fI+XU0Dpi35lSqTNEpqdxRaCot
M9oXap6tXn4PltF8JU+GR6lg43svdVMqrM/w+y0M/pi2Q0L83wxtc1W3FQJWsNOs
/dZazPoQsiongnjmxzUmW3L/ebgwZneVzb3Gzf2D3jTfKNNBtxvM2grX7Q6Z+H/t
S3lUaxkSH7dMDAyFoC0gBT08wZqlwiljjCUigDkuPdxiPOmefe5KftfhAWJHYjrK
RbjdYkzq0C0an3coT6cXCePIoIPA9cY7+j3tP42UkaW/lR/te5EvoywMrvPEDV+O
quuYBoajZgBP8K6Xp1yp4ykxJJjEm42LYY14WCdtZhYep6y9IUazsdxUeRSQnGM2
SSCdBW97S2gI1mzJlDaCz8szFK4mwNK7H5iUk7kqQ8LGFlB3DbTyfSIuy1ZetqE4
COUMWM8Ho/8jUVh9Ex8fTqsztdtSOAXDBNhn+4+y6XKcTVdYOYYUltHY30mQPEg8
iiYBUAdh/VIb8loHlBPS
=nJMD
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f416ee32-8df3-b154-66a7-573f3b26a886%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] choosing 1 upgrade of the month

[dinnerateight]

I know SSD is recommded running up front and I have a good one on a pretty decent xeon dell with 8gig ram..the processor doesn't show overload ever, the ram doesn't get hit hard..but with 2 maybe 3 qubes running and taking into consideration it shares one router to the modem with 2 other machines...I'm beginning to think that any slow downs are happening because one or the other machines is clogging up the router...and while the qubes arch keeps this separated when these machines are all plugged into the same router it's like they are in there having a secrets telling party...

well, i was going to get a solid wd black, or max out on the ssd (these are going in the workstation as qubes is being worked on in the laptop...they have the same specs just the workstation is got more juice..i mean basically the same)..

 

the question is..do I complete the endless goal of [ a. getting the 2nd (and which one) NIC and cause the workstation to arbitrate as THE router and keeping things separated correctly maybe by pfsense and friends..almost get how that is to be implemented and am priviting OPNsense to get involved more..they asked me what I wanted them to do all I had said was give me an .iso so I can make the VM... and is that probably why my Qubes which is coming along joanna gonna get a nobel medal...

 

or, am I wrong in that and so A) max the ram from 8 to 16 (it's costly as I would want to keep up the ECC), or B) go ahead now and get what I will need eventually too expensive a 4GB WD black as I have to match another 4GB drive and raid may happen sometime.. or C) get I have plenty of HDD, 8gig ram seems like it's not the problem..and so all in on the SSD for the workstation ..the pro samsung 3d one is robust but my budget is the shits..

 

So, isolate these computers as bog downs seem to break through when I kill a process even though its not even in the Qubes machine..and if so how to properly do that...It may be as simple as correctly setting up the Dlink to qos or whatever to stop that interference. one day I swear I thought one computer was playing music that another one should have been although it was faded etc...

 

Or, for this month, get the ram maxed, or 1 of the 2 drives both I will need eventually...

Remember, this is because I can't find a good explanation for why I get really bogged except it seems to be because of competition for router..and failures in other computers which share the router...

 

I need to get this right as it's ready and getting more ready (qubes that is) and I want it to have a proper platform.

thanks

 

 

 



-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/trinity-a79b0248-499c-4896-b24c-00fff101ed52-1465396065881%403capp-mailcom-bs15.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] New initramfs won't stick

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jun 08, 2016 at 04:39:47AM -0700, mpatton...@gmail.com wrote:
> Hi there, 
> 
> My USB keyboard requires a kernel module that isn't contained within 
> initramfs by default (hid-logitech-hidpp).
> 
> I have added a new file to the dracut modules conf directory which contains:

Just to make sure: it should be in /etc/dracut.conf.d

> add_drivers+=" hid-logitech-hidpp "
> 
> After creating a new initramfs, I have checked the contents with lsinitrd and 
> the kernel module is there. 
> 
> However after I reboot, the keyboard still doesn't work at the LUKS decrypt 
> prompt.
> 
> When I check the initramfs again, the kernel module isn't there?
> 
> Do I have to do something else to make the change stick?

Do you boot in UEFI mode? In such a case, initramfs is on ESP, not /boot
directly. The path is /boot/efi/EFI/qubes/initramfs-KERNELVERSION, so
you need to pass this path to dracut when generating it.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXWByyAAoJENuP0xzK19csg8AH/1VEAuufzi1Rvotaqu5tUSqz
iwoR0yLK293p0OkhNO8MBU9ZVuZB1vuBvf4NctlqpvNV0/fUyrN6CszlXyYYhSLV
S1qzjdoxqJUiHOwnCsG4oQF2DOrNpcLTWn3nYoZw+1V5jDcI0nmCqdSnsF4C4kUX
Jt2koYIMlR8xODP2kZ75Q49MfKfXTm30nD3jkaKHLmGYoa+ax4d7shx5YtkVKwDF
sP9oyO26Si3XhPoW7ng4IFpj3zpdgorGarhuOoVf5FGxaVYcfHY82P1s57I/s11r
K8/+H2/WBhlozVCOh6UO0p+QpM3Fd+B5TXDrv+py6+nXh0L6RIBPuqQzAGLkncs=
=E/cV
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160608132505.GQ1593%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] New initramfs won't stick

[mpatton125]

Hi there, 

My USB keyboard requires a kernel module that isn't contained within initramfs 
by default (hid-logitech-hidpp).

I have added a new file to the dracut modules conf directory which contains:

add_drivers+=" hid-logitech-hidpp "

After creating a new initramfs, I have checked the contents with lsinitrd and 
the kernel module is there. 

However after I reboot, the keyboard still doesn't work at the LUKS decrypt 
prompt.

When I check the initramfs again, the kernel module isn't there?

Do I have to do something else to make the change stick?

M.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/025cca06-e3bf-42bf-8451-bbda40d6e7ae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Everything is Tiny and Buggy in Display

[Eva Star]

Welcome. I also have the same experience with graphic artifacts and low 
graphic performance on GUI. I'm waiting for new Qubes 3.2 with new Fedora 
and Kernel. Hope new kernel 4.6+ will support my new graphic card. So, we 
are at the same boat.

I think RC of Qubes 3.2 will be available on next week...
 

> This graphic problem is literally the only issue preventing me from using 
> Qubes because it makes it unusable and after reading other threads, it 
> seems many other people are put off from Qubes due to graphic issues as well
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/386bc5b8-71f7-4716-913f-ab82564add39%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] If using the same Whonix GW, does all Wonix WS get the same "identity"?

[Albin Otterhäll]

I'm assuming that if you connect to Tor using the same Whonix gateway
(e.g. "sys-whonix"), you get the same "identity" (IP, etc.) on both your
workstations. Is this correct?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/nj8gkg%24a21%241%40ger.gmane.org.
For more options, visit https://groups.google.com/d/optout.