[qubes-users] HCL Acer Chomebook C710

2016-07-28 Thread Paul Harper 
This Chromebook has been modified by install Coreboot from John Lewis.
https://johnlewis.ie/custom-chromebook-firmware/rom-download/

I also added 16GB of RAM and an SSD 480 GB Hard Drive. All seems to be
working well.

-- 
Regards,


Paul

about.me/pauljamesharper

GnuPG Fingerprint: B3C2 6A80 BB3E 8D4D 126E  4FBE 5F62 4195 17D3 CB75


“Wisdom consists in being able to distinguish among dangers and make a
choice of the least harmful.” — Niccolo Machiavelli, The Prince

“The user’s going to pick dancing pigs over security every time.” — Bruce
Schneier

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAG1manyDe6Q8mgp7Zr907UTgPrK4%2Bx%3DHBse6avGZJvN_32xD%2BQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-Google-Parrot-20160729-114941.yml
Description: application/yaml

Re: [qubes-users] Qubes Security Bulletin #24 (Critical bug)

2016-07-28 Thread Niels Kobschaetzki 

On 16/07/28 20:25, Chris Laprise wrote:

On 07/27/2016 04:27 PM, Andrew David Wong wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-07-26 20:01, Chris Laprise wrote:

On 07/26/2016 08:45 PM, el...@tutanota.com wrote:

What is best way to verify our system supports these things?

I think you can also check out the processor with Intel.. ark.intel.com
You can search through the different processors if you are looking to
pick up a new computer.


A guide I found at AMD:
http://support.amd.com/en-us/kb-articles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx

 From Microsoft:
http://support.amd.com/en-us/kb-articles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx

 Basically, anything recent that isn't too cost-reduced.

Chris


Chris, I think you may have accidentally pasted the same link twice.

- --


Sorry, didn't hit Ctrl-shift-V when I should ;)

Here's the MS link:
http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx


Neat, the X201 supports SLAT :)

"Old" laptop but still on the safe side :)

Niels

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160729042010.GA1141%40mail.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] What do you think about the idea of a FileVM?

2016-07-28 Thread epicdonk 
A fileVM would be a mountable filesystem that 2 or more AppVMs can share.

A fileVM could be a normal partition like MSDOS/FAT32, an encrypted filesystem, 
or even a distributed or cloud filesystem.

There are numerous uses for this, for example, installing Dropbox on a Linux 
AppVM and sharing the dropbox folder with a Windows AppVM that has Microsoft 
Office installed so you can edit docx files. You would create one DOS/FAT32 
partition that would be attached to both the Linux and Windows AppVM. Currently 
you would have to install dropbox on both the Windows and Linux AppVMs doubling 
storage requirements.

As long as the two AppVMs share the same risk tolerance there doesn't seem to 
be any reason not to allow this in my mind?

The current system of having to manually transfer individual files from one 
AppVM to another is a productivity bottleneck and to many makes QubesOS 
undesirable as a primary OS. 

I understand there are many reasons to enforce the manual transfer in certain 
AppVM domains depending upon their nature, and this should be the default, but 
we also need a way to intelligently share large amounts of files between AppVMs 
in the same security domain.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/425c5d89-f850-4f71-ab32-711f97e8bc6f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] networking on Dom0

2016-07-28 Thread facu . curti 
Hi there.

I want to get networking on Dom0... I know everything you are going to say... I 
use qubes for investigate, I dont have ANY sensitive data, and I want to use 
Qubes, not another OS.

I need to get a program that uses internet and 3D. As I have only one video 
card (passtrougth is impossible), I think this is the best solution. I dont 
need so much capability, but I need 3D working.

Please, spare any comments about security and/or using other os... I know 
everything that. I just want to use Qubes with this program...

What is the best way to connect dom0 in to the network?

Someone can help me?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/01ea05d7-6df1-49d0-8785-b970786b8799%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to log all the websites accessed by a VM

2016-07-28 Thread Franz 
On Thu, Jul 28, 2016 at 8:00 PM, Steve Coleman 
wrote:

> On 07/26/2016 06:25 PM, Franz wrote:
>
>>
>>
>> On Tue, Jul 26, 2016 at 11:38 AM, Steve Coleman
>> > wrote:
>>
>> Another hack to avoid having to manually type in the addresses is
>> done with the attached script. Its like Mareks solution, but does
>> the parsing on the dom0 side
>>
>
>
> I understand this means this script should be executed directly in dom0,
>> but isn't this a security problem?
>>
>
> Yes, there is one risk I know. If the VM that had been firewalled off from
> the Internet has already been 0wned, then the hacker could replace the
> tcpdump utility with something that passes a ";" back withing the ip
> address field and has a shell command after that. DNS could be hacked, or a
> man in the middle could do it too. Then that ";" in the field might then
> get parsed by the python script and passed to the command line where the
> qvm-firewall command is invoked with the bogus IP/hostname, thus executing
> something nefarious in the dom0 shell. All that would be needed to correct
> this flaw is a little sanitation of the IP/host parameter, proper detection
> of that hack-attack, and that problem is solved, except that your VM was
> rooted.
>
> That being said the script is only a work in progress shared for input,
> and if your VM is already 0wned then you already do have a real problem.
> Firewalling the VM off obviously is too little too late. Detection then
> becomes key to resiliency and recovery. The one problem I have with this
> architecture in general is that detection of an attack is not an inherent
> feature of the overall design. Ideally I would want something like an
> selinux targeted policy in each VM, generating avc messages, that would
> then be forwarded by the kernel in realtime and then somehow feeding a
> central intrusion monitor which could then notify the owner when important
> system resources are being tampered with. Before that tampering leads to a
> full scale system circumvention. Perhaps just monitoring a checksum on the
> copy-on-write system image? or just detect a page write back to the cow?
> Whatever it is it needs to be realtime and not easily interceptable by the
> adversary considering they already have root in at least one VM.
>
> As in the above example, if you knew that your tcpdump executable had just
> been replaced, before you locked down your firewall on that VM, then you
> would have a much better chance at getting your system back under your own
> control before they can start attacking the hypervisor. Without knowing if
> your system is hacked or not can you really feel safe? I don't feel unsafe,
> but I do feel blind. Don't get me wrong, qubes is a *beautiful* design, I
> love it and use it daily and tell *everyone* about it, its just that
> prevention of a hack only takes you so far. Application level protocol
> attacks that bypass network restrictions are way too easy, and too
> numerous, so system level detection can be equally important. This is
> because there are people out there that do this for a living. You really
> don't want to be their target, but if for some reason you are, you _really_
> need to detect that they have arrived. Its nice when you can tell if
> someone is jiggling your doorknob or not. Detection doesn't always work,
> but neither does system software. It absolutely needs to be a multilayered
> solution to be resilient.
>
>
Joanna wrote in the past something like that it is impossible to identify
an attack and for this reason we should focus so much on prevention. I have
personally no idea, but this goes beyond the purpose of this thread.
Perhaps you should start a new thread to properly support your ideas.
Best
Fran


> best regards.
>
> and the syntax is a little easier. It does the remote tcpdump
>> command in the vm and the results are returned through the pass-io
>> mechanism. With the -A option the script then generates the
>> qvm-firewall add commands to its stdout.
>>
>> Then, if you want to add that address to the firewall you simply
>> copy and paste the lines you want from that dom0 command terminal
>> window into another dom0 command window, and the address is added to
>> the firewall without any manual typing. If you want, you can add a
>> netmask (e.g. address/24) to an IP in the target window before
>> pressing enter.
>>
>> [user@dom0 ~]$ qvm-fwdenied -A 
>> qvm-firewall  -add
>> ec2-54-200-125-198.us-west-2.compute.amazonaws.com
>>  any
>> qvm-firewall  -add 104.244.43.140 any
>> qvm-firewall  -add 104.244.43.44 any
>> qvm-firewall  -add
>> ec2-54-148-80-75.us-west-2.compute.amazonaws.com
>>  any
>> qvm-firewall  -add
>>

Re: [qubes-users] Qubes Security Bulletin #24 (Critical bug)

2016-07-28 Thread Chris Laprise 

On 07/27/2016 04:27 PM, Andrew David Wong wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-07-26 20:01, Chris Laprise wrote:

On 07/26/2016 08:45 PM, el...@tutanota.com wrote:

What is best way to verify our system supports these things?

I think you can also check out the processor with Intel.. ark.intel.com
You can search through the different processors if you are looking to
pick up a new computer.


A guide I found at AMD:
http://support.amd.com/en-us/kb-articles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx

  From Microsoft:
http://support.amd.com/en-us/kb-articles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx

  Basically, anything recent that isn't too cost-reduced.

Chris


Chris, I think you may have accidentally pasted the same link twice.

- -- 


Sorry, didn't hit Ctrl-shift-V when I should ;)

Here's the MS link:
http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e93fd151-1dc1-0c42-5977-d33534a3d61b%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes 3.2 rc2 has been released!

2016-07-28 Thread Iestyn Best 
Thank you guys, great work.

Just a little side note, yesterday when I updated it seemed to break my window 
borders in KDE. I am now using XFCE and all seems fine.

I have not tried KDE again today, just trying to get use to XFCE now as that is 
your focus now.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/698c34ec-8310-4d02-b952-b5ad0f3b1d57%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: networking on Dom0 - can I have it please?

2016-07-28 Thread facu . curti 
El jueves, 25 de febrero de 2016, 23:26:21 (UTC-3), Nom  escribió:
> Is there anyway to get networking on Dom0 to work?
> 
> Before everyone screams "UNACCEPTABLE!", (Don't pretend you weren't going 
> to). I know it doesn't fit the security model of the OS. But my threat model 
> - quite reasonably doesn't require it. I would like to be able to still have 
> some of the benefits of the OS's secure design with the chosen compromise of 
> networking in Dom0. So can we just leave it at; I need network access on Dom0 
> for "reasons", OK?
> 
> I tried running the old 'qubes-dom0-network-via-netvm' that was removed in 
> this patch: 
> https://github.com/QubesOS/qubes-core-admin/commit/bb9d8bbf7881ce13023ac905f98511beaeaaeae7
> 
> Running 'qubes-dom0-network-via-netvm up' it gets as far as doing 'modprobe 
> xen-netfront' successfully and fails on line 70 when calling 
> 'qvm_collection[0].attach_network(...)' and reports:
> 'Dom0 does not have libvirt object'.
> 
> Is there a work around?

Nom, you found solution? I want to do the same :P

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c145ef48-1b0c-4bef-af28-30e170155274%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to log all the websites accessed by a VM

2016-07-28 Thread Steve Coleman 

On 07/26/2016 06:25 PM, Franz wrote:



On Tue, Jul 26, 2016 at 11:38 AM, Steve Coleman
> wrote:

Another hack to avoid having to manually type in the addresses is
done with the attached script. Its like Mareks solution, but does
the parsing on the dom0 side




I understand this means this script should be executed directly in dom0,
but isn't this a security problem?


Yes, there is one risk I know. If the VM that had been firewalled off 
from the Internet has already been 0wned, then the hacker could replace 
the tcpdump utility with something that passes a ";" back withing the ip 
address field and has a shell command after that. DNS could be hacked, 
or a man in the middle could do it too. Then that ";" in the field might 
then get parsed by the python script and passed to the command line 
where the qvm-firewall command is invoked with the bogus IP/hostname, 
thus executing something nefarious in the dom0 shell. All that would be 
needed to correct this flaw is a little sanitation of the IP/host 
parameter, proper detection of that hack-attack, and that problem is 
solved, except that your VM was rooted.


That being said the script is only a work in progress shared for input, 
and if your VM is already 0wned then you already do have a real problem. 
Firewalling the VM off obviously is too little too late. Detection then 
becomes key to resiliency and recovery. The one problem I have with this 
architecture in general is that detection of an attack is not an 
inherent feature of the overall design. Ideally I would want something 
like an selinux targeted policy in each VM, generating avc messages, 
that would then be forwarded by the kernel in realtime and then somehow 
feeding a central intrusion monitor which could then notify the owner 
when important system resources are being tampered with. Before that 
tampering leads to a full scale system circumvention. Perhaps just 
monitoring a checksum on the copy-on-write system image? or just detect 
a page write back to the cow? Whatever it is it needs to be realtime and 
not easily interceptable by the adversary considering they already have 
root in at least one VM.


As in the above example, if you knew that your tcpdump executable had 
just been replaced, before you locked down your firewall on that VM, 
then you would have a much better chance at getting your system back 
under your own control before they can start attacking the hypervisor. 
Without knowing if your system is hacked or not can you really feel 
safe? I don't feel unsafe, but I do feel blind. Don't get me wrong, 
qubes is a *beautiful* design, I love it and use it daily and tell 
*everyone* about it, its just that prevention of a hack only takes you 
so far. Application level protocol attacks that bypass network 
restrictions are way too easy, and too numerous, so system level 
detection can be equally important. This is because there are people out 
there that do this for a living. You really don't want to be their 
target, but if for some reason you are, you _really_ need to detect that 
they have arrived. Its nice when you can tell if someone is jiggling 
your doorknob or not. Detection doesn't always work, but neither does 
system software. It absolutely needs to be a multilayered solution to be 
resilient.


best regards.


and the syntax is a little easier. It does the remote tcpdump
command in the vm and the results are returned through the pass-io
mechanism. With the -A option the script then generates the
qvm-firewall add commands to its stdout.

Then, if you want to add that address to the firewall you simply
copy and paste the lines you want from that dom0 command terminal
window into another dom0 command window, and the address is added to
the firewall without any manual typing. If you want, you can add a
netmask (e.g. address/24) to an IP in the target window before
pressing enter.

[user@dom0 ~]$ qvm-fwdenied -A 
qvm-firewall  -add
ec2-54-200-125-198.us-west-2.compute.amazonaws.com
 any
qvm-firewall  -add 104.244.43.140 any
qvm-firewall  -add 104.244.43.44 any
qvm-firewall  -add
ec2-54-148-80-75.us-west-2.compute.amazonaws.com
 any
qvm-firewall  -add
ec2-52-88-118-150.us-west-2.compute.amazonaws.com
 any
qvm-firewall  -add
ec2-52-25-189-162.us-west-2.compute.amazonaws.com
 any
...

Note that these appear in batches on the console because tcpdump is
in a mode where it exits after some number of captured packets have
been filtered, with the default set to 200 packets. By default it
will repeatedly restart tcpdump for another batch. The -C ### option

Re: [qubes-users] Question on creating USB qube

2016-07-28 Thread Marek Marczykowski-Górecki 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Jul 28, 2016 at 03:31:12PM -0300, Desobediente wrote:
> What that option means is to not actually create a new "sys-usb" qube to
> handle the USB controllers, but rather use the already existing "sys-net"
> qube to handle the USB controllers.
> 
> Since the "sys-net" qube already handles networking, the option states
> "both networking and USB devices".
> 
> Having a "sys-usb" qube on will probably consume a small amount of
> additional RAM memory, and having "sys-net" handle more things will
> probably open an hypothetical probability of something going wrong in an
> hypothetical future.
> 
> Come to think about it, I have another question: how different would be to
> use USB network cards in the three different scenarios (USB handled by
> dom0, sys-net and sys-usb)?

USB handled in dom0: no way to use it for VM networking

USB handled in sys-net: should be easily accessible using the same
NetworkManager icon

USB handled in sys-usb: possible to use it after some configuration:
One of:
 - assign the device to sys-net using qvm-usb
 - enable NetworkManager sys-usb (in "services" tab in sys-usb settings)
   and assign it as a netvm for sys-firewall

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXmorcAAoJENuP0xzK19csTDUIAJoctr5bseALRFL0VDfWmSjG
+kjLeCsmhcSZ3tkhw27GH4Au9PMuDlrHjkrTzk0fpg61r7VkM/YuobJn+/3T79TK
GjEgJa1mtUEkGRVtz1S9SyMLiK2kZXE4jIYWmc42auxYmrM/8f5wLg/Md4rFKKIO
50xeSXu9uagfaQp2UZG5gPZxAQ1rEj7RMenwLFE0fB9L1JYusQXyxajAIC8f8zZT
ce/M7ImmGC7B3Ig6QWCgHF4rnsZPZaUXd5UgxFoenEyITn4MP6Ar4aYSmP1fYqSv
Onh3vZvx79K0M+oI0QhtKcmuUbP+jARZQwkyWb4p0TRkfdokVte5LgPOqdCLMcE=
=cE/N
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160728224443.GI32095%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Will SLAT / EPT truly make QUBES 4.0 more secure..?

2016-07-28 Thread Marek Marczykowski-Górecki 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Jul 28, 2016 at 03:05:59PM -0700, neilhard...@gmail.com wrote:
> Based on 2 Xen exploits in just the last 1 year, QUBES 4.0 is moving over to 
> using SLAT / EPT for memory isolation, and to using HVM/PVH rather than PV.
> 
> Certainly, in the last 2 Xen exploits, it has only affected PV and not HVM.
> 
> However, is it possible that using Intel's EPT is even riskier..?
> 
> Intel ME is said to be insecure by Joanna Rutkowska due to its insecure 
> implementation, and not being able to look at the code, because it is 
> closed-source.

The main problem with Intel ME is that we can't really know what it is
doing. It is basically a second system with full access to all resources
(including RAM) and we can't look even at the binary running there. Or
disable it. So, even it is bug-free (which is unlikely), it may still be
malicious on purpose and we don't have any way to detect it.

> Well, couldn't the same be said for Intel's EPT..? Surely this is 
> closed-source too..? No..?
> 
> At least with Xen, we can actually see the code and fix the bugs, whereas 
> surely with Intel we have no chance.
> 
> Or am I missing something here..?

Yes, the missing part is that you use your CPU anyway. So if the
microcode, or whatever part of CPU is implementing EPT, is buggy, it
will affect the system in any case (in case of EPT, in Qubes 3.x, it
will affect only HVM, but still). On the other hand, not using PV
domains makes a whole lot of Xen code unavailable to the attacker. Quite
complex code, and as we can see, somehow buggy.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXmobVAAoJENuP0xzK19csO6AH/2w2L+o/EToBzEoW0FyFfgiI
v8tnU6f5KN/yw9jN/PDv9fuYO7emvgFCHmIf7HKht+i1tMeOXYfeE3QFVLeSiLV9
VtXQeCCC6XChGVsqulhuAQz+c1an5cEpGJEOG3UPcodVVvHRFQEE0KZX50O1cH/W
Icb5N6XTx/wNVLysn/CerJQMIa7CHMjylGJwIgFKX5GpdHcWSZ58QLvxDeog74Ry
LxvlRBJcWogq4yafIFIE1RKsfTx8J/13vzSbOJRQXG4KgkZ9KcYXqKreVtJkzHsZ
YoGbZVCOgdtHyjABunWkduID6UkCYVSR9MNpLEGMTAxTtu7n0ko7m6vZHdLAYBU=
=ix6h
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160728222732.GH32095%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Will SLAT / EPT truly make QUBES 4.0 more secure..?

2016-07-28 Thread neilhardley 
Based on 2 Xen exploits in just the last 1 year, QUBES 4.0 is moving over to 
using SLAT / EPT for memory isolation, and to using HVM/PVH rather than PV.

Certainly, in the last 2 Xen exploits, it has only affected PV and not HVM.

However, is it possible that using Intel's EPT is even riskier..?

Intel ME is said to be insecure by Joanna Rutkowska due to its insecure 
implementation, and not being able to look at the code, because it is 
closed-source.

Well, couldn't the same be said for Intel's EPT..? Surely this is closed-source 
too..? No..?

At least with Xen, we can actually see the code and fix the bugs, whereas 
surely with Intel we have no chance.

Or am I missing something here..?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fb61e544-740e-4e7a-a837-898e507d2711%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Question on creating USB qube

2016-07-28 Thread R.B. 

On 07/28/2016 08:43 PM, neilhard...@gmail.com wrote:

OK thanks for the explanation.

Let me follow up with another question.

Do I need to create a USB qube in order to take advantage of the VT-D/IOMMU 
protection for my internal WiFi chip... or is sys-net OK in that regard..?



Hi Neil,

In my experience, USB network dongle (either wifi or copper), do not 
seem to work outside the the USB cube. I tried to assign the USB network 
adapter to sys-net, but it failed Since then, I installed 3.2rc1 
with the option of USB and networking in one qube.


You Could try it, but I think you'd need to prevent the network drivers 
from loading in the USB qube somehow.


Greetings,

RB

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/730d826e-bf5c-3e15-8117-b8f936240b5e%40reboli.nl.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Wireless PCI card that is compatible with cubes os

2016-07-28 Thread randallrbaker 
I'm having the worst time trying to get my wireless drivers working and am 
wondering if there is a wireless card that works out of the box? With out the 
need to download any drivers as I'm using my phone as a hotspot to access the 
net.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c2031ab5-8509-4f09-b653-ebff102f9ed6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to log all the websites accessed by a VM

2016-07-28 Thread Desobediente 
I'd like to add that I also use CIDR notation for the firewall rules, in
addition to the name rules, and it works in most cases.

Sometimes some services change their addresses, but the time consumed to
add new entries is not relevant.

I use the 'dig' tool to find out in which block they are. Some of them use
a whole /24 block. But most of time that's too many addresses, and would
lead to unblock totally unrelated stuff:

$ dig service.example.com

-- 
iuri.neocities.org

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAF0bz4Rf%3D%2BrHpMsGc5_%2BDODY9xnYAgj2GVGkNYP673uf4JG22w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to log all the websites accessed by a VM

2016-07-28 Thread Franz 
On Wed, Jul 27, 2016 at 5:35 PM, R.B.  wrote:

> On 07/27/2016 12:25 AM, Franz wrote:
>
>>
>>
>> On Tue, Jul 26, 2016 at 11:38 AM, Steve Coleman
>> > wrote:
>>
>> Another hack to avoid having to manually type in the addresses is
>> done with the attached script. Its like Mareks solution, but does
>> the parsing on the dom0 side
>>
>>
>> I understand this means this script should be executed directly in dom0,
>> but isn't this a security problem?
>>
>
> Let's see... In this use case we have a "new" vm we want to give a filter.
> So, you fire up the vm and start the script from Dom0.
> Then you start your browser and visit the site you want it to work with.
> At first it will be dns requests originating from the browser and answers
> from you dns server.
> The risks here are malformed packets that could trip either tcpdump or
> python (in this case). To me, it is very unlikely this could result in an
> advanced persistent threat (APT) in Dom0.
> Nevertheless, running full streams back-and-forth through any program like
> tcpdump with a --pass-io to Dom0 can be considered a possible hazard.
>
> In short: As a way to test what you need to communicate with your bank,
> while only dns or icmp packets are considered - like in the tcpdump example
> of Marek, it should be OK.
>
> Use it with care.
>
>
I tried to do that, but on the way I was too frightened to do something
wrong, so stopped. But found an easier way:

Run Marek script
https://gist.github.com/marmarek/1d0a296930b7784327aaf9a801ec5585
 into the applVM that tries to connect to the net, but cannot because the
firewall is manually set to "Deny network access except...". Then copy the
result into a file in the same applVM.

then from Dom0 terminal wrote:

qvm-run --pass-io appl-VM-name 'cat path to just-created-file'

This makes all the firewall setting to appear directly on Dom0 terminal. It
is enough to copy all of them and past them on the same terminal and it is
done.

This seems safer for one like me that does not know what he is doing.

The most surprising thing is that it works, the applVM can really connect
through the selected addresses.

Best
Fran


> Greetings,
>
> RB
>
>
>>
>> and the syntax is a little easier. It does the remote tcpdump
>> command in the vm and the results are returned through the pass-io
>> mechanism. With the -A option the script then generates the
>> qvm-firewall add commands to its stdout.
>>
>> Then, if you want to add that address to the firewall you simply
>> copy and paste the lines you want from that dom0 command terminal
>> window into another dom0 command window, and the address is added to
>> the firewall without any manual typing. If you want, you can add a
>> netmask (e.g. address/24) to an IP in the target window before
>> pressing enter.
>>
>> [user@dom0 ~]$ qvm-fwdenied -A 
>> qvm-firewall  -add
>> ec2-54-200-125-198.us-west-2.compute.amazonaws.com
>>  any
>> qvm-firewall  -add 104.244.43.140 any
>> qvm-firewall  -add 104.244.43.44 any
>> qvm-firewall  -add
>> ec2-54-148-80-75.us-west-2.compute.amazonaws.com
>>  any
>> qvm-firewall  -add
>> ec2-52-88-118-150.us-west-2.compute.amazonaws.com
>>  any
>> qvm-firewall  -add
>> ec2-52-25-189-162.us-west-2.compute.amazonaws.com
>>  any
>> ...
>>
>> Note that these appear in batches on the console because tcpdump is
>> in a mode where it exits after some number of captured packets have
>> been filtered, with the default set to 200 packets. By default it
>> will repeatedly restart tcpdump for another batch. The -C ### option
>> allows that default number of packets to be changed.
>>
>> It would be far better if the script was made to be multi-threaded
>> so the output of tcpdump could be read while another thread outputs
>> the commands and asks the user if each entry should be added or not.
>> I just have not had time to look into that yet. its obviously a work
>> in progress.
>>
>> Also it logs everything to /var/tmp/qvm-fwdenied.log if you need to
>> look at what happened in your last session.
>>
>>
>> On 07/25/2016 02:14 PM, Franz wrote:
>>
>>
>>
>> On Mon, Jul 25, 2016 at 2:51 PM, Marek Marczykowski-Górecki
>> > 
>> > >> wrote:
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> On Mon, Jul 25, 2016 at 02:46:55PM -0300, Franz wrote:
>> > On

Re: [qubes-users] Question on creating USB qube

2016-07-28 Thread neilhardley 
OK thanks for the explanation.

Let me follow up with another question.

Do I need to create a USB qube in order to take advantage of the VT-D/IOMMU 
protection for my internal WiFi chip... or is sys-net OK in that regard..?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5dc5207a-ac2d-4360-935e-66f8ee07ae21%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Question on creating USB qube

2016-07-28 Thread Desobediente 
What that option means is to not actually create a new "sys-usb" qube to
handle the USB controllers, but rather use the already existing "sys-net"
qube to handle the USB controllers.

Since the "sys-net" qube already handles networking, the option states
"both networking and USB devices".

Having a "sys-usb" qube on will probably consume a small amount of
additional RAM memory, and having "sys-net" handle more things will
probably open an hypothetical probability of something going wrong in an
hypothetical future.

Come to think about it, I have another question: how different would be to
use USB network cards in the three different scenarios (USB handled by
dom0, sys-net and sys-usb)?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAF0bz4R2USokm18Mir5AjyPYzasLPRCRq_EoAw_EG8WGoH3CkA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Question on creating USB qube

2016-07-28 Thread neilhardley 
I am installing QUBES 3.2 to a new laptop.

With the 1st option:

[X] "Create a USB qube holding all USB controllers (sys-usb) [experimental]"

There is then a 2nd option underneath:

[ ] "Use sys-net qube for both networking and USB devices"

Is it recommended to check the box for the 2nd option or not?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f839361d-effb-4543-8fd2-8598398c40c7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes 3.2 rc2 has been released!

2016-07-28 Thread neilhardley 
Does this come with the newest Xen patch after the exploit yesterday?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3cfde5a7-d5b7-4bc5-94d2-0e918881c7b1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] A problem with update

2016-07-28 Thread admixior 
[Solved]

Yum crashed because there's no more RAM. Include sys-firewall in memory 
balancing solved this problem.

However "No updates available" is bit confusing.

Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f2ab79bd-ebbd-42a8-b657-d956102b7ccd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] A problem with update

2016-07-28 Thread admixior 
Okey,
I did step by step (I hope every needed line) in quebes-dom0-update  and on 
sys-firewall.

Finally I runned yum and... some packages are checked and sys-firewall lagged 
for a while. After all it looks like that:

http://pastebin.com/0SnJZh7M 

It seems like qubes-download-dom0-updates.sh doesn't supports yum crash.
But why it is always crashing? Any idea?

Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/73c800c9-242f-4521-959e-ca49a49d8637%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes 3.2 rc2 has been released!

2016-07-28 Thread Marek Marczykowski-Górecki 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Details here:
https://www.qubes-os.org/news/2016/07/28/qubes-OS-3-2-rc2-has-been-released/

As usual, you can download new image from:
https://www.qubes-os.org/downloads/

Users of R3.2 rc1 can just install updates, no need for full reinstall.
For older releases check above page for upgrade instructions.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXmf5AAAoJENuP0xzK19csDmkH/03njjel549paROC+OdUEFUn
s7cz2MXSFuz+b2ck0uEom4wZGOMt2YVn/KbeirvFljMhNhr1U3A8NOYzOoe5TGM5
IXM7YuBsaHQiVJYB8mpjTkHRkOjqoYQ7AVryRJd9oL/Fuz8Ft21wzPOagqFxsFCZ
IX7wvI3bHAGPKJJn2OFImk3HEM2/hdOpVMDJtNpgooEKTi/x+M/O3zRN9S48W2fY
rogc7NeOUMi2qj9cOoEjWvmDR2BxTFs+HAQmWKDQ0gu4ksOtgG2YVWD1VRNqIRi9
B/9Zg0wlGa0Pi/5FNSh6gwLRNFVo2Y+x+htJX4nBPysFQE295IW2DCBqpigSjcE=
=rf1q
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160728124447.GB32095%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: A problem with update

2016-07-28 Thread Marek Marczykowski-Górecki 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Jul 28, 2016 at 09:44:46AM +0200, donoban wrote:
> 
> On 28/07/16 09:42, admix...@gmail.com wrote:
> > Apart from the dom0 update, there is a something nasty in quebes-os
> > debian jessie repository (debian-8, whonix-ws and gw):
> > 
> > W: Failed to fetch
> > http://deb.qubes-os.org/r3.1/vm/dists/jessie/main/binary-amd64/Package
> s
> > Hash Sum mismatch
> > 
> > Can anyone confirm the issue, or is it only on my computer.
> > 
> > Regards
> > 
> 
> Same problem here.

Should be ok now.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXmcy5AAoJENuP0xzK19cs/p8IAJTBqcnhq+UIG50v7rXmzEfi
5s9MSAuO7tVpaMkS9r4rxORzxsUipONoQjufmjhdgzhVRAVMMcfH4MUXwINO4CWY
drc4CFBLhkbltgx29CcBtIxiOEvt5MtmKvW8dDmV35o6EsT1QLwQWGNMDAE+zWXK
UicN8HtAhBhw5TUmdvHnuNWiGW2Wi2Kq9QrQIVTqimjE+FdEOUjrubkDeGXpt8/d
48S9fEhLoEtK4anEQkTAmEVx79k/XHWbe3z7Q4RR2Ta+shPaDC/Wd/OZvKcpswDl
jVz3vSdEXWVg6aK3455QfU+kXXtc2vRsutx+LXNH00d2bMWbZUQESp2iCec3798=
=1Sxr
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160728091328.GX32095%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] A problem with update

2016-07-28 Thread Marek Marczykowski-Górecki 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jul 27, 2016 at 10:31:10PM -0700, admix...@gmail.com wrote:
> Hi,
> I'm trying to update qubes but there still show that there is no updates (for 
> few moths).
> I thought that was true until I tried to download update for xen.
> 
> Some commands:
> http://pastebin.com/Q7nhfZnX
> Linux dom0 4.1.13-9.pvops.qubes.x86_64 #1 SMP Thu Feb 11 15:46:02 UTC 2016 
> x86_64 x86_64 x86_64 GNU/Linux
> 
> Can somebody tell me whats going on?

I think --debuglevel option is not supported - this is why you've got
that help message instead. Try `qubes-dom0-update --clean` to remove old
metadata first.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXmc9nAAoJENuP0xzK19csDp8H/AxRPuOImKt7Oih1iKwf0kJ+
c+qEiY/sguQbqQC8oOXUrulEHZ4aT+9d1sUdAcmUVjQNt7ewo3ksikejfLTQ8uA1
+C7Q63/7sAJUZU+/0x0DCxjC5FMtz+XNwvdAWC8jXU5NNFGjOzw0qkUZUTZhbg0g
injHV5nMVag+Hw4h4I2LOsRhqMVyk2fCeSRQPylB7YB6IfRwHiU/zXcuhq8Eziy/
DqaLztWediTjigsEsMHY+cX06osZdwM8WCxM96lnnQIFA87vSKfPYMV+V3JG9dHs
osVOZYQxopTPy6teulmAOl3yWduJFuXD/mIS8zGlLSUyvFlqH4pGD4APPVBCP9U=
=mxAU
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160728092454.GY32095%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: How to find a notebook with VT-d (IOMMU) support

2016-07-28 Thread niels 
> On July 28, 2016 at 10:43 AM ab0f1...@opayq.com wrote:
> 
> On Thursday, 28 July 2016 11:39:24 UTC+3, Andrew David Wong wrote:
> 
> > I don't think that's what he's saying. I think he's just pointing out that 
> > it
> > can be very problematic. It's still worth trying if you have an AMD rig, 
> > since
> > your combination of hardware (CPU, motherboard, etc.) might be compatible.
> > 
> > *   --
> > Andrew David Wong (Axon)
> > Community Manager, Qubes OS
> > https://www.qubes-os.org
> 
> Thanks for the quick reply! As a complete newb to this level of IT security, 
> how can I tell if Qubes works properly or not? Or will it just fail to 
> install and run properly? Also, I assume 8 GB of RAM won't allow me to run 
> too many VMs in parallel.

I have 8GB of RAM and have 7 VMs permanently open (sys-net, sys-firewall, 
untrusted, mail, personal, vault, sync-vault) and use the RAM-eater Chrome. The 
only problem arises when I use a special USB-VM to get some devices working 
which doesn't assigns RAM dynamically but statically. Since that VM needs to 
run Chrome etc I gave it 4GB of RAM and then it's getting problematic for 
running too many of the other VMs.

Niels

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/836826890.9955.1469705161828%40office.mailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] A problem with update

2016-07-28 Thread admixior 
Ok, maybe, but...
I've got xen-4.6.0-13.fc20.x86_64 (rpm -qa | grep xen) instead of the new 
version mentioned in *-devel forum:
http://yum.qubes-os.org/r3.1/current/dom0/fc20/rpm/xen-4.6.1-20.fc20.x86_64.rpm

and qubes-dom0-update report always "No new updates available"
I've tried run with "--clean" and it still don't work.

Maybe I executed something by accident which has deleted/overwrote an important 
file?

Have you any idea? Or what should I check?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6846cd15-0614-4c7e-a3fe-7aec6c0acf9d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: How to find a notebook with VT-d (IOMMU) support

2016-07-28 Thread ab0f1985 
On Thursday, 28 July 2016 12:57:43 UTC+3, Andrew David Wong  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2016-07-28 01:43, ab0f1...@opayq.com wrote:
> > On Thursday, 28 July 2016 11:39:24 UTC+3, Andrew David Wong  wrote:
> >> I don't think that's what he's saying. I think he's just pointing out
> >> that it can be very problematic. It's still worth trying if you have an
> >> AMD rig, since your combination of hardware (CPU, motherboard, etc.)
> >> might be compatible.
> >> 
> > 
> > Thanks for the quick reply! As a complete newb to this level of IT
> > security, how can I tell if Qubes works properly or not?
> 
> You can check basic hardware compatibility with the qubes-hcl-report command
> after installing, as explained here:
> 
> https://www.qubes-os.org/doc/hcl/
> 
> > Or will it just fail to install and run properly?
> 
> It *may* fail to install and run properly, but it may install successfully 
> even
> if you do not have, e.g., IOMMU. If you're missing, e.g., IOMMU, then that
> will be reported on the HCL report mentioned above. At that point, you can
> read about any missing or unsupported features and decide whether you're
> comfortable using Qubes without them.
> 
> > Also, I assume 8 GB of RAM won't allow me to run too many VMs in parallel.
> 
> 8 GB should be fine to run a few VMs. It really depends on your personal usage
> habits. Many people use Qubes with 8GB and are happy with it. Others need 
> more.
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -BEGIN PGP SIGNATURE-
> 
> iQIcBAEBCgAGBQJXmdcPAAoJENtN07w5UDAw+XEQALO8No8/mkLMcd+8jBVTFbQ4
> ePmj+8CHpM/465aeCbJXqjnf2DfhsKnkdOzAaVBOma86TuwumMmp+VlWzxSnUzIb
> /tjZ6xB7HE2Er2DwOwtKVXhlXFY/MBY9BPneQb+Lmkx7HH5pYxJ0kEjktkB7iXcf
> Ep9FFOo6Wd4xXX5CO7uKK95qD+kW54gc3JAj0CKBsMqxWXpw8jQgoL5/BmEFZLgT
> AjZgAK6IKkXfygKZZxM2sXFwx0hUXPGnS1DSl73Dpn8yGxf1lO+edGclnDPex87Y
> WxLQJyRGuOXa2RkrUXOqRArh4KQIS3DaDiJAweg7OqZtjAMawT5U+KKVvq+QHLHC
> zxxOjvB2xxVl9JcQIzLJ5iDMrMS6nlSKv5iInk2Ji4yOiWZqhDJZSQhuMY34GgjD
> UMJcC7XKMFyE2WW+2s/2AtMgD+bsU5l5luHqTZwOfT5gliiDRTusWYEL/phmggve
> YCRoe5UQ6WtjNZ+BSWIldZROF58zjCarAR1qiJDBKHcFsD7ImbDXRfM42vD5ke2g
> +zxUnKiI/olBGdZRLgUUqH6m/1XnBDiBcpc5W65syAwn6FdmYIpPbTGzHeROY+Mk
> XcHEAb2wDCnbGz83RvZoe6mh7JLXAz8sanqUVwm0h07EfAJ/NKpVKizCkYLp1jB4
> w93zhBUumF53hlzaV0eX
> =lDjT
> -END PGP SIGNATURE-

Will definitely try it soon then! Thanks a lot for your time and patience :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/433f507e-083a-41ae-8b79-3a34ed1d19dc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: How to find a notebook with VT-d (IOMMU) support

2016-07-28 Thread Andrew David Wong 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-07-28 01:43, ab0f1...@opayq.com wrote:
> On Thursday, 28 July 2016 11:39:24 UTC+3, Andrew David Wong  wrote:
>> I don't think that's what he's saying. I think he's just pointing out
>> that it can be very problematic. It's still worth trying if you have an
>> AMD rig, since your combination of hardware (CPU, motherboard, etc.)
>> might be compatible.
>> 
> 
> Thanks for the quick reply! As a complete newb to this level of IT
> security, how can I tell if Qubes works properly or not?

You can check basic hardware compatibility with the qubes-hcl-report command
after installing, as explained here:

https://www.qubes-os.org/doc/hcl/

> Or will it just fail to install and run properly?

It *may* fail to install and run properly, but it may install successfully even
if you do not have, e.g., IOMMU. If you're missing, e.g., IOMMU, then that
will be reported on the HCL report mentioned above. At that point, you can
read about any missing or unsupported features and decide whether you're
comfortable using Qubes without them.

> Also, I assume 8 GB of RAM won't allow me to run too many VMs in parallel.

8 GB should be fine to run a few VMs. It really depends on your personal usage
habits. Many people use Qubes with 8GB and are happy with it. Others need more.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXmdcPAAoJENtN07w5UDAw+XEQALO8No8/mkLMcd+8jBVTFbQ4
ePmj+8CHpM/465aeCbJXqjnf2DfhsKnkdOzAaVBOma86TuwumMmp+VlWzxSnUzIb
/tjZ6xB7HE2Er2DwOwtKVXhlXFY/MBY9BPneQb+Lmkx7HH5pYxJ0kEjktkB7iXcf
Ep9FFOo6Wd4xXX5CO7uKK95qD+kW54gc3JAj0CKBsMqxWXpw8jQgoL5/BmEFZLgT
AjZgAK6IKkXfygKZZxM2sXFwx0hUXPGnS1DSl73Dpn8yGxf1lO+edGclnDPex87Y
WxLQJyRGuOXa2RkrUXOqRArh4KQIS3DaDiJAweg7OqZtjAMawT5U+KKVvq+QHLHC
zxxOjvB2xxVl9JcQIzLJ5iDMrMS6nlSKv5iInk2Ji4yOiWZqhDJZSQhuMY34GgjD
UMJcC7XKMFyE2WW+2s/2AtMgD+bsU5l5luHqTZwOfT5gliiDRTusWYEL/phmggve
YCRoe5UQ6WtjNZ+BSWIldZROF58zjCarAR1qiJDBKHcFsD7ImbDXRfM42vD5ke2g
+zxUnKiI/olBGdZRLgUUqH6m/1XnBDiBcpc5W65syAwn6FdmYIpPbTGzHeROY+Mk
XcHEAb2wDCnbGz83RvZoe6mh7JLXAz8sanqUVwm0h07EfAJ/NKpVKizCkYLp1jB4
w93zhBUumF53hlzaV0eX
=lDjT
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0de5af61-f67e-8b11-b785-dd9f41463cb5%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: A problem with update

2016-07-28 Thread donoban 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 28/07/16 11:13, Marek Marczykowski-Górecki wrote:
> Should be ok now.
> 

Perfect, thanks Marek.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJXmc/cAAoJEBQTENjj7Qil27EP/j2j0vZdIin0lw1KRQxQz5CO
h9QXaV0AIenwJts/L5f6LevH71uGZI0LlBclgJXGjq2jNluE5MBOWMCX5y1IUDyV
rylnlCNHhlZeshUzoLYJ94RlQ8uAAXnUaovtVzC1TsO4Lr7NTuv4sTIpY5fIN4ir
WyI+85NnKkfzupQ2HdgrH8yB5CzjMxeGvR7eggFrm36oN9VfGrT4XOAQAXydmKHS
iHpiOH/3gGJPCmtNZizR/k/y+uGVlZapmxQmH67YezjPKyLKlbQLZZOTJII5Hplf
mnqkppcbKXhkFfMf2iJBr5butdUc3PuWptvCJIoIyKKqqvjaNIB9bEYrscwELdVG
5IFupzYkq4T2WH0KyZU8rGQzhgzoo8sP5Ir0IoTO7iktTYYgdXM7a4hiQzDs7/CH
Jj5j/P2CKwebnlbVryhS4MVYJK6HWWwF+NQSV7k+y+XAtpyunXe2XfvtG02r2uPG
pgnfbHStWWIY742JR4FPcrimOB7lcUb38GlpW+BeeeqwA1g6WYuFXCysG5UtLHLc
VtijeHevNG4qiWlRpUoXhHDumzh3M4Nvr4VreGUHq2rD9dfgq04JLqTFKxqXzsXl
ER0ijUar3ilL9EFE4GzdiUF0qvuQ/hgK2rSKKSIyVRlwuJ//jBMYthBQMo7aGWz8
hJbwPFJG62EerSI4bgxF
=+2n5
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/93f130f6-d32a-290e-8faf-72426e1252b7%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Can't seem to get my wireless working. Any help would be appreciated!

2016-07-28 Thread Gorka Alonso 
El jueves, 28 de julio de 2016, 10:24:10 (UTC+2), randal...@gmail.com  escribió:
> I cant get my bcm4360 drivers to install properly and when I paste the code 
> into sys-net terminal I get this error. please help me out thanks!
> 
> 
>  [user@sys-net ~]$ wget http://git.io/vuLC7 -v -O 
> fedora23_broadcom_wl_install.sh && sh ./fedora23_broadcom_wl_install.sh; 
> URL transformed to HTTPS due to an HSTS policy 
> --2016-04-16 17:47:47--  https://git.io/vuLC7 
> Resolving git.io (git.io)... 23.23.173.104, 23.23.111.66, 54.243.161.116 
> Connecting to git.io (git.io)|23.23.173.104|:443... connected. 
> HTTP request sent, awaiting response... 302 Found 
> Location: 
> https://gist.githubusercontent.com/onpubcom/7f41dc9cbe90556b2113/raw/a69939c941319741744bea28dadf273f118d67a2/fedora23_broadcom_wl_install.sh
>  [following] 
> --2016-04-16 17:47:47--  
> https://gist.githubusercontent.com/onpubcom/7f41dc9cbe90556b2113/raw/a69939c941319741744bea28dadf273f118d67a2/fedora23_broadcom_wl_install.sh
>  
> Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 
> 23.235.47.133 
> Connecting to gist.githubusercontent.com 
> (gist.githubusercontent.com)|23.235.47.133|:443... connected. 
> HTTP request sent, awaiting response... 200 OK 
> Length: 1058 (1.0K) [text/plain] 
> Saving to: ‘fedora23_broadcom_wl_install.sh’ 
> 
> fedora23_broadcom_w 100%[===>]   1.03K  --.-KB/sin 0s 
>   
> 
> 2016-04-16 17:47:48 (74.5 MB/s) - ‘fedora23_broadcom_wl_install.sh’ saved 
> [1058/1058] 
> 
> Last metadata expiration check: 0:59:15 ago on Sat Apr 16 16:48:35 2016. 
> Package gcc-5.3.1-6.fc23.x86_64 is already installed, skipping. 
> Package kernel-devel-1000:4.1.13-9.pvops.qubes.x86_64 is already installed, 
> skipping. 
> Dependencies resolved. 
> Nothing to do. 
> Sending application list and icons to dom0 
> Complete! 
> mkdir: cannot create directory ‘hybrid_wl_f23’: File exists 
> --2016-04-16 17:47:53--  
> http://www.broadcom.com/docs/linux_sta/hybrid-v35_64-nodebug-pcoem-6_30_223_271.tar.gz
>  
> Resolving www.broadcom.com (www.broadcom.com)... 209.132.249.240 
> Connecting to www.broadcom.com (www.broadcom.com)|209.132.249.240|:80... 
> connected. 
> HTTP request sent, awaiting response... 200 OK 
> Length: 2928541 (2.8M) [application/octet-stream] 
> Saving to: ‘hybrid-v35_64-nodebug-pcoem-6_30_223_271.tar.gz.4’ 
> 
> hybrid-v35_64-nodeb 100%[===>]   2.79M   666KB/sin 4.3s   
>   
> 
> 2016-04-16 17:47:57 (668 KB/s) - 
> ‘hybrid-v35_64-nodebug-pcoem-6_30_223_271.tar.gz.4’ saved [2928541/2928541] 
> 
> Makefile 
> lib/ 
> lib/wlc_hybrid.o_shipped 
> lib/LICENSE.txt 
> src/ 
> src/include/ 
> src/include/typedefs.h 
> src/include/linuxver.h 
> src/include/bcmutils.h 
> src/include/siutils.h 
> src/include/packed_section_start.h 
> src/include/epivers.h 
> src/include/linux_osl.h 
> src/include/bcmendian.h 
> src/include/packed_section_end.h 
> src/include/pcicfg.h 
> src/include/bcmdefs.h 
> src/include/bcmcrypto/ 
> src/include/bcmcrypto/tkhash.h 
> src/include/wlioctl.h 
> src/include/osl.h 
> src/shared/ 
> src/shared/bcmwifi/ 
> src/shared/bcmwifi/include/ 
> src/shared/bcmwifi/include/bcmwifi_channels.h 
> src/shared/bcmwifi/include/bcmwifi_rates.h 
> src/shared/linux_osl.c 
> src/wl/ 
> src/wl/sys/ 
> src/wl/sys/wl_dbg.h 
> src/wl/sys/wlc_key.h 
> src/wl/sys/wl_linux.h 
> src/wl/sys/wl_linux.c 
> src/wl/sys/wlc_wowl.h 
> src/wl/sys/wl_iw.c 
> src/wl/sys/wlc_pub.h 
> src/wl/sys/wl_iw.h 
> src/wl/sys/wl_export.h 
> src/wl/sys/wl_cfg80211_hybrid.h 
> src/wl/sys/wlc_ethereal.h 
> src/wl/sys/wl_cfg80211_hybrid.c 
> src/wl/sys/wlc_utils.h 
> src/wl/sys/wlc_types.h 
> src/common/ 
> src/common/include/ 
> src/common/include/proto/ 
> src/common/include/proto/bcmeth.h 
> src/common/include/proto/ieee80211_radiotap.h 
> src/common/include/proto/ethernet.h 
> src/common/include/proto/802.1d.h 
> src/common/include/proto/bcmip.h 
> src/common/include/proto/bcmevent.h 
> src/common/include/proto/802.11.h 
> src/common/include/proto/wpa.h 
> KBUILD_NOPEDANTIC=1 make -C /lib/modules/`uname -r`/build M=`pwd` clean 
> make[1]: Entering directory '/usr/src/kernels/4.1.13-9.pvops.qubes.x86_64' 
> CFG80211 API is prefered for this kernel version 
> /home/user/hybrid_wl_f23/Makefile:85: Neither CFG80211 nor Wireless Extension 
> is enabled in kernel 
> make[1]: Leaving directory '/usr/src/kernels/4.1.13-9.pvops.qubes.x86_64' 
> KBUILD_NOPEDANTIC=1 make -C /lib/modules/`uname -r`/build M=`pwd` 
> make[1]: Entering directory '/usr/src/kernels/4.1.13-9.pvops.qubes.x86_64' 
> CFG80211 API is prefered for this kernel version 
> Using CFG80211 API 
>   LD  /home/user/hybrid_wl_f23/built-in.o 
>   CC [M]  /home/user/hybrid_wl_f23/src/shared/linux_osl.o 
>   CC [M]  /home/user/hybrid_wl_f23/src/wl/sys/wl_linux.o 
>   CC [M]  /home/user/hybrid_wl_f23/src/wl/sys/wl_iw.o 
>   CC [M]  /home/user/hybrid_wl_f23/src/wl/sys/wl_cfg80211_hybrid.o 
>   LD [M]  /home/user/hybrid_wl_f23/wl.o 
>

[qubes-users] Can't seem to get my wireless working. Any help would be appreciated!

2016-07-28 Thread randallrbaker 
I've even turned off secure boot, but it still gives me the WL error.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5ac6fb87-9006-477e-8ba2-e572c84eb623%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Can't seem to get my wireless working. Any help would be appreciated!

2016-07-28 Thread randallrbaker 
I've even turned off secure boot, but it still gives me the WL error.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a5f23b2f-2e8e-4c53-ab19-5311d4bc26a0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: How to find a notebook with VT-d (IOMMU) support

2016-07-28 Thread ab0f1985 
On Tuesday, 20 August 2013 21:12:12 UTC+3, Eric Shelton  wrote:
> VT-d, which provides IOMMU services, is a very important feature for 
> realizing the security promises of Qubes OS.  Without it, although the CPU 
> isolates VMs, their memory lies open to relatively easy DMA-based attacks, 
> with network devices and GPUs being some of the more well-known pieces of 
> hardware for executing such attacks.
> 
> 
> 
> Finding a system - especially a notebook system - that supports VT-d is a 
> serious challenge.  Unfortunately, a great majority of laptop/notebook 
> systems do not even have the hardware necessary to use VT-d, and the presence 
> or absence of this feature is not well documented by vendors.  Although the 
> Hardware Compatability List (https://wiki.qubes-os.org/trac/wiki/HCL) is a 
> helpful resource, it only lists a handful of models, many of which have been 
> discontinued.  It is helpful to have a more systematic way of identifying 
> systems that at least have the necessary hardware to support VT-d (BIOS 
> support, discussed below, presents a secondary issue). 
> 
> 
> 
> 
> What to look for:
> 
> 
> For Ivy Bridge, BOTH the CPU and chipset must support VT-d, which compounds 
> the problem of finding a VT-d capable system.  The most common issue is that 
> although the CPU will support VT-d, the chipset does not.  However, there are 
> systems where not even the CPU has the needed support (such as all of the 
> mobile i3 models?).
> 
> 
> 
> To save you some hassle: only 2 (out of 7!) Ivy Bridge chipsets will work: 
> QM77 and QS77.  Unfortunately, most systems use the HM7x chipsets...
> 
> 
> For Haswell, the issue is simpler, because the CPU and chipset are in a 
> single package, which eliminates mixing & matching.  Nevertheless, only some 
> Haswell chips have VT-d support, with most Haswell laptops/notebooks I have 
> seen listed not having VT-d.
> 
> 
> On Sandy Bridge, there is VT-d support to be found, although probably with 
> the same chipset issues as Ivy Bridge.
> 
> 
> 
> 
> Where to look:
> 
> 
> I have found the following two websites very helpful in identifying notebooks 
> with supporting hardware:
> 
> 
> 1) CPU and chipset specifications available at http://ark.intel.com/ (for 
> example, 
> http://ark.intel.com/products/75033/Intel-Core-i5-4350U-Processor-3M-Cache-up-to-2_90-GHz
>  for the Haswell i5-4350U)
> 
> 
> Typically, I just drop the CPU or chipset identifier into Google, and the 
> corresponding ark.intel.com page will show up towards the top of the results.
> 
> 
> For VT-d, the feature you are looking for is labeled "Intel® Virtualization 
> Technology for Directed I/O (VT-d)", and you want the table to say "Yes" for 
> this item.
> 
> 
> Examples:
> i5-4350U 
> (http://ark.intel.com/products/75033/Intel-Core-i5-4350U-Processor-3M-Cache-up-to-2_90-GHz):
>  Yes
> i5-3230M 
> (http://ark.intel.com/products/72056/Intel-Core-i5-3230M-Processor-3M-Cache-up-to-3_20-GHz-BGA):
>  No
> HM77 (http://ark.intel.com/products/64339/Intel-BD82HM77-PCH): No
> 
> 
> 2) Chipset- and CPU-specific pages at http://www.notebookcheck.com/
> 
> 
> The Intel pages are the authoritative reference for what CPUs and chipsets 
> support VT-d, but how do you determine (a) what CPU+chipset is in a given 
> notebook model, or (b) what notebook models make use of given CPUs+chipsets?  
> With Ivy Bridge, vendors will almost never indicate the chipset model.  For 
> one system, I ended up starting from chip markings shown in an iFixIt 
> teardown, and web searching back from that to determine the chipset model.
> 
> 
> Luckily, there is at least one website providing a better way to go about 
> this: http://www.notebookcheck.com/, which has taken the time & effort to 
> document which CPUs & chipsets are present in various models.
> 
> 
> For Ivy Bridge chipsets, 
> http://www.notebookcheck.com/Intel-Ivy-Bridge-Chipsaetze-7-Series-Chipsets.88194.0.html
>  gives links to pages for each chipset, such as QM77 and HM77.  Then, on each 
> chipset-specific page is a list of notebooks identified as using that 
> chipset.  As I mentioned above, the chipset is usually the weak link, so 
> working back from the supporting chipsets, and then confirming there is also 
> a supporting CPU, seems the way to go.
> 
> 
> Here are links to the only two supporting chipsets I mentioned above:
> QM77: http://www.notebookcheck.com/Intel-QM77-Express-Chipset.88218.0.html
> QS77: http://www.notebookcheck.com/Intel-QS77-Express-Chipset.88220.0.html
> 
> 
> The page provided for Haswell, 
> http://www.notebookcheck.com/Intel-Dual-Core-Ableger-der-Haswell-Generation-vorgestellt.93523.0.html,
>  is extremely helpful, because the tables on that page directly indicate 
> which models support various Intel technologies, including VT-d.
> 
> 
> As can be seen on the charts, only the least expensive models in each lineup 
> lack VT-d support.  Unfortunately, those are also the models I have most 
> frequently seen included

Re: [qubes-users] Re: A problem with update

2016-07-28 Thread donoban 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


On 28/07/16 09:42, admix...@gmail.com wrote:
> Apart from the dom0 update, there is a something nasty in quebes-os
> debian jessie repository (debian-8, whonix-ws and gw):
> 
> W: Failed to fetch
> http://deb.qubes-os.org/r3.1/vm/dists/jessie/main/binary-amd64/Package
s
> Hash Sum mismatch
> 
> Can anyone confirm the issue, or is it only on my computer.
> 
> Regards
> 

Same problem here.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJXmbfuAAoJEBQTENjj7Qily34P/jgHHBl5be2dE/WBeS5j0aV4
2uH5qlW/ZnYdl76yZch7+YVzyDTsoY7MfAlWpDOp2Fr/2ABEl8fRLXf68+n37Y/8
LQCP1MliHsP53Gk7cR5xTzSNtsStBbJISRvn95bZuiEU0D9ifMB2JpjoqGskSwL/
4rBy5TL107V6YRL7b5swOOnh8zSmbUSkeQFVXBuAfOcT84uF1xnJxoE9b/qj7rRn
6rpEmHuxSNTY2p9DJsb1ooUav6rLr/KG3dfOmSshCjROIk4tGeIMyG8YyAfRnd01
DtDcqtlYQT9coYiP3rOj8M0P7a+KPEFPHoHut4gMra1Jrvcxr1D1F58FUPEwU4KW
BfeqDqukL3HQi7OmhjOoY+eRpS3akcVieXAKtgGnYDPsWR+u2fkIEO3AE1lP1o6C
CQ+I634DIvUsvyM14ENJuGOcCQOK0XOLk+BM8AFFhHZoUMwWsSEkZRxU5XI6hgEa
7v9dxsHZIQxAXDwrAL0rOU5JDC1MV0Reu5m2005sdNDTwBUjP1uATKsKynrpR+XT
S1IX3/spE9aMvrYA+3TMAeFfJpGUcUHimXICZUAIF84mlv+Ib72r+X8Kg1fhRIDI
CT6Vcss6kGV4qdNZ9OldHyf7Hevxh63s0NP8B4YJBdPTiUj+PfPSzDzqyXFuD5hd
MAi5DFdcpR4+6mtvPyAK
=/OsC
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9c3ae8c3-1967-8c4b-a636-4528a95c190f%40riseup.net.
For more options, visit https://groups.google.com/d/optout.