Re: [qubes-users] How much important is TPM?
On Friday, March 31, 2017 at 10:45:28 PM UTC-4, cooloutac wrote: > On Friday, March 31, 2017 at 4:20:09 PM UTC-4, Vít Šesták wrote: > > Thanks for your responses. p > > > > In this thread, I'd like to discuss how much can it help (i.e., how hard is > > it to bypass). > > > > On self-encrypting devices: I generally don't trust those implementations > > to be well-reviewed and well-designed, so SED is not a use case for me. > > > > Regards, > > Vít Šesták 'v6ak' > > I think secure boot would make it better, but maybe a controversial thing to > say. I don't know much about this subject myself, but I don't think it > actually stops anything. Just lets you know if something has changed. Like > a file integrity program kind of. > > And if something does change there is no fix so you will have to replace all > the hardware. (If thats something you're willing to do). > > You can also do other things like nail polish on screws or crevices. photo > them before you leave it unattended... strongbox? lol Actually I say all that but supposedly hacking teams insyde bios hack worked remotely also. So maybe physical attack is not only vector, especially now we know that its possible for intel me to turn on wifi when we don't know it. Or some have some cellular connections. Even vpro/ME first came out was always for adminstering pcs remotely if off or crashed os. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/03b9f968-9624-42ca-8d80-2eb9828f9035%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How much important is TPM?
On Friday, March 31, 2017 at 4:20:09 PM UTC-4, Vít Šesták wrote: > Thanks for your responses. p > > In this thread, I'd like to discuss how much can it help (i.e., how hard is > it to bypass). > > On self-encrypting devices: I generally don't trust those implementations to > be well-reviewed and well-designed, so SED is not a use case for me. > > Regards, > Vít Šesták 'v6ak' I think secure boot would make it better, but maybe a controversial thing to say. I don't know much about this subject myself, but I don't think it actually stops anything. Just lets you know if something has changed. Like a file integrity program kind of. And if something does change there is no fix so you will have to replace all the hardware. (If thats something you're willing to do). You can also do other things like nail polish on screws or crevices. photo them before you leave it unattended... strongbox? lol -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7bd4d43c-1aa2-4633-912a-627e99d2e3b6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Custom qrexec services
On Sat, Jan 28, 2017 at 9:04 PM, Marek Marczykowski-Górecki wrote: > 1. write USB - _unidirectional_ service to write an fs image into USB > stick (service into USB VM) I like this idea (mostly got tired of ... | qvm-run -p sys-usb 'dd of=/dev/sda') and wrote my own. [1] Not unidirectional, mine passes back the hashes of reading back what it just wrote (more to detect failing media than for security). Also allows the device name to be controlled with argument-specific policy. [1]: https://gist.github.com/jpouellet/abe5cf438267afffc851a1a11d8be8f0 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_BGLDqHnQ9%3DAJB3LwbccR%3DScAVW02yrFmY3KPGPHaXXcw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Security and dispVM firefox customization
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-03-31 13:02, Jean-Philippe Ouellet wrote: > If you are concerned about the size of your anonymity set then you > ought to be using unmodified TBB in a whonix-ws-based template > rather than Firefox in a DispVM. > > We don't currently make guarantees about the cross-machine > uniformity of DispVM browsers. There are ways to fingerprint the > default DispVM browser without changing any browser-related > settings, such as observing which additional fonts have become > available in your DispVM template as dependencies of other things > installed there, and almost certainly other things I'm not thinking > of right now. So... is this a problem we even want to try to solve? > I'm not sure. IMO concerned individuals should just be pointed > towards whonix. > This is the correct answer. It's not a *security* issue. It's a *privacy* issue. Currently, there's no guarantee of privacy (in the sense of a concerted effort to achieve non-fingerprintability) in any VM that is not a Whonix VM. When you require privacy, use a Whonix VM. https://groups.google.com/d/msg/qubes-users/HrvuWc4PNag/0h0CoHdSBwAJ - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJY3u6xAAoJENtN07w5UDAwZRYP/1m9kK3MglCVAZVFLa5Jq5ap pmqFQ6gguslo1kA+j+Z4aqBV/A41jyg3mIuwTISeqK870QROxxEkCqxe1GfRRM0J rnjklbPO4462++EDysUHIdzlGn6+kAzQMTF7X9sbTg2Mc8Ry9esSBToJ88LrXf+4 vzE7RJVt0pB+2+lbNB9M0/Ar9JpfNcNgMhzjpaKTp+BjP4xie5OJ0sG/Vy6Pgnwf r0K94gp5Ge7wpGRYwbRulgzDYhcz9adLLT6K7AAgh7C1BHkqvbrW6YW/KZF84uB2 H0S5Bn0eaFEy7/BA+ljz015PP3g4bZwsLxPRnF849kFvJ6GSNFVxn2UZTv+JJKa4 GCj/gROSYYlB9I1oLt0MOs4h4uPdBK7XW6Z9RYq8kXU5FFdU2gpubpYEFTgqzqQY swSZhz4PRZa09Cr5HY6AwSAaodn5O52DOGo+fPr1AxQRLf0dMevbknkN8CmhEYNI JJH0x4zINgsj9zWEDDgf7c8zR4aeGo7yEgy3j1BAkBoBt8TBB5BsdxmMp/A0IkBj GoSHJg39DJTWyikaEDCwjPYiQ63eyti5MgfpfIh3c4++ub+uSFoPPR1CLmzwolws 9vQCltIAXvPjII4gpmd2QRt0V+6WOH42/0fAUydw0XF4VZc87lFgmGyMXmqo8cxB qMSDFj0M2wz/bp88hzXD =mtou -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/04b41427-9311-1b08-0888-e4fdb65bd0fc%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [Debian 8] Audio problem after upgrading
On 03/31/2017 04:21 PM, Chris Laprise wrote: On 03/30/2017 05:32 PM, J. Eppler wrote: Hello, I upgraded my Debian 8 "Jessie" template from Debian Qubes r3.1 to Qubes r3.2. Now, I have problems with the audio output. When I try to play audio files I do not hear anything and music player - web or deskotp - skip through songs very fast without playing them. I tried to play something with clementine, this is the error message I got: ~~~ user@personal-music:~$ clementine Cannot connect to server socket err = No such file or directory Cannot connect to server request channel jack server is not running or cannot be started AL lib: (WW) alc_initconfig: Failed to initialize backend "pulse" AL lib: (EE) alsa_open_playback: Could not open playback device 'default': No such file or directory 16:17:22.874 WARN unknown QTimeLine::start: already running ~~~ Anybody, any ideas what the issue could be? Maybe different, but it reminds me of this issue: https://github.com/QubesOS/qubes-issues/issues/1927 Are you sure you changed /etc/apt/sources.d/qubes-r3.list so the lines reference 'http://deb.qubes-os.org/r3.2/vm' instead of 'r3.1'? It occurred to me that my debian templates have the testing repos enabled in qubes-r3.list. They contain fixes so you may want to enable them. Failing a workaround, maybe you could upgrade the template from dom0 to get the template package meant for 3.2. -- Chris Laprise, tas...@openmailbox.org https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4ebb0ff3-1d3f-1cdc-48d4-1595a4a30937%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: External GPU for just one VM or OpenSWR
The performance on Intel i7-2670QM does not look so promising in those two cases: * glxgears – lower FPS (but glxgears is reportedly not representative) * Smokin' guns – considerably smoother experience with lvmpipe than with openswr. Maybe my CPU is comparatively bad on instructions needed by OpenSWR. Or maybe I've hit some edge cases where OpenSWR performs worse. Or maybe OpenSWR is not as good in reality as they suggest. Not sure. OTOH, the llvmpipe looks mostly good enough now. Yes, it eats much CPU in some cases. Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e6c8ace9-afcf-4d7b-8c5f-bc1eda121f41%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Grabbing mouse pointer
Some continuation of my monolog for those who are interested: I was able to get it working using qubes-input-proxy between VMs. A brief overview: * Another X11 instance running on display :1 with dummy video driver. * VNC server (x0tigervncserver) listening on 127.0.0.1 allowing access to the X11 instance. * VNC client (vncviewer from TigerVNC) connected to the server mentioned above. * VM sys-net has modified service for qubes-input-proxy to send the mouse events to the target VM instead of dom0. * Target VM has a slightly modified Qubes RPC endpoint (prepended /usr/bin/env DISPLAY=:1) in order to work with the proper display. Result: * Internal touchpad works as usual. * External mouse is grabbed for the VM. * External mouse does not move the system pointer (as it is rendered by dom0), but maybe this does not matter much for use cases of grabbed pointer. * It is possible but impractical to use both mouse grabbed by the VM and touchpad connected to the dom0 at the same time. * Easy to go fullscreen :) Some ideas etc.: * It is a good idea to run a window manager in the VM. I use Openbox. * It does not work when TigerVNC creates its own X11 server, not sure why. This is the reason I am using xinit+x0vncserver with dummy display output instead of just using tigervncserver command. * Maybe even the USB approach would work under normal circumstances. I have udev configured to disable all HIDs by default, which complicates using the mouse a bit. * If we get qubes-usb-proxy-sender to dom0, we could theoretically do this for all (even non-USB) devices. This would be probably a more user friendly way. * Non-Linux systems (e.g. Windows) can be probably handled through RDP/VNC/… over local network. * Maybe we could pass the mouse input to server :0 and avoid the need of extra X11 instance and VNC at all. I, however, like the better fullscreen support with the VNC. Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/216892a7-d21e-4992-a8ef-639892fc7e44%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [Debian 8] Audio problem after upgrading
On 03/30/2017 05:32 PM, J. Eppler wrote: Hello, I upgraded my Debian 8 "Jessie" template from Debian Qubes r3.1 to Qubes r3.2. Now, I have problems with the audio output. When I try to play audio files I do not hear anything and music player - web or deskotp - skip through songs very fast without playing them. I tried to play something with clementine, this is the error message I got: ~~~ user@personal-music:~$ clementine Cannot connect to server socket err = No such file or directory Cannot connect to server request channel jack server is not running or cannot be started AL lib: (WW) alc_initconfig: Failed to initialize backend "pulse" AL lib: (EE) alsa_open_playback: Could not open playback device 'default': No such file or directory 16:17:22.874 WARN unknown QTimeLine::start: already running ~~~ Anybody, any ideas what the issue could be? Maybe different, but it reminds me of this issue: https://github.com/QubesOS/qubes-issues/issues/1927 Are you sure you changed /etc/apt/sources.d/qubes-r3.list so the lines reference 'http://deb.qubes-os.org/r3.2/vm' instead of 'r3.1'? Failing a workaround, maybe you could upgrade the template from dom0 to get the template package meant for 3.2. -- Chris Laprise, tas...@openmailbox.org https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/48958284-983f-a2a5-0ca9-91ecd2a06e3e%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How much important is TPM?
Thanks for your responses. p In this thread, I'd like to discuss how much can it help (i.e., how hard is it to bypass). On self-encrypting devices: I generally don't trust those implementations to be well-reviewed and well-designed, so SED is not a use case for me. Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ee57b666-cd0d-4cf6-8ae9-1d1bb7dcfd4d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Security and dispVM firefox customization
If you are concerned about the size of your anonymity set then you ought to be using unmodified TBB in a whonix-ws-based template rather than Firefox in a DispVM. We don't currently make guarantees about the cross-machine uniformity of DispVM browsers. There are ways to fingerprint the default DispVM browser without changing any browser-related settings, such as observing which additional fonts have become available in your DispVM template as dependencies of other things installed there, and almost certainly other things I'm not thinking of right now. So... is this a problem we even want to try to solve? I'm not sure. IMO concerned individuals should just be pointed towards whonix. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_BYg2URnx_bxu4KcNU5P-oeLv5WKhsadbacWa1UXOWHew%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Maybe a silly question
I gave up on Virus scans a couple years ago. I turned into one of the grey bears that use to tell me in the late 90s they were useless... Actually revelations nowadays are that they are not just useless since they can't keep up with literally millions of viruses released every month, according to head of IAD for the NSA like 5 years ago... probably way more now. But the fact is they are more of a security risk then they are worth. There is a security researcher Tavis Ormandy? who has exposed kapersky and exploits Norton quite frequently. Norton once took one of my suggestion when they started their 2009 I think was the year, a symantec employee contacted me and I was psyched to see they included my suggestion. With a brand new revamped norton that was destroying everyone else with the lightest foot print. Then I caught them hiding processses in the kernel and their own program, which ahd a feature who listed which cpu use was from norton or other on system, was lying haha. And after like 2 or 3 years they were back to raping hdd's and using resources again. Rumours from the 90s about them making their own viruses to promote their own software has also been proven not too long ago. Especially related to Kapersky being caught as well. Some of them are so blatantly corrupt nowadays you know its them when they pop up on your windows machine out of nowhere lol...cough personal antivirus...cough.. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/62c555ef-bf67-4f4d-bc8d-d3694a021790%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: [Debian 8] Audio problem after upgrading
On Thursday, March 30, 2017 at 5:32:08 PM UTC-4, J. Eppler wrote: > Hello, > > I upgraded my Debian 8 "Jessie" template from Debian Qubes r3.1 to Qubes > r3.2. Now, I have problems with the audio output. When I try to play audio > files I do not hear anything and music player - web or deskotp - skip through > songs very fast without playing them. > > I tried to play something with clementine, this is the error message I got: > > ~~~ > user@personal-music:~$ clementine > Cannot connect to server socket err = No such file or directory > Cannot connect to server request channel > jack server is not running or cannot be started > AL lib: (WW) alc_initconfig: Failed to initialize backend "pulse" > AL lib: (EE) alsa_open_playback: Could not open playback device 'default': No > such file or directory > 16:17:22.874 WARN unknown QTimeLine::start: already > running > ~~~ > > Anybody, any ideas what the issue could be? tried alsamixer, and alsamixer in dom0? sometimes thigns get muted on mine, not sure why, i have to unmute everything for it to work again then mute back what I don't need. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b6db4747-8425-4f31-a509-f36929830254%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?
On Thursday, March 30, 2017 at 6:21:21 PM UTC-4, Shane Optima wrote: > On Thursday, March 30, 2017 at 5:27:12 PM UTC-4, Chris Laprise wrote: > > I get the feeling when you talk about people contributing, you mean > > /other/ people. That's fine, but in my estimation what you're proposing > > would take under 30 lines of bash code. > > I think I've already covered this exact as comprehensively as can be done > without writing you an actual autobiographical novel > > What the hell, I'll try again anyway. Yes, I could do it. Yes, it would in > the end be a very small project (that's the entire point of suggesting it.) > Yes, it would be interesting and useful. It would also be useful for me to > figure out why Thunderbird is derping out again, learn Javascript, migrate > all of my boxes to COW filesystems (which entails researching and choosing > between ZFS, btrfs or bcachefs), and also do several thousand things that > *aren't* computer-related, many of which either involve my son or attempting > to make money doing non-IT things. > > To the extent that I am talking about this specific issue and not "ZOMG > systemd sucks, why haven't you built Alpine Templates that can do 3d gaming, > XFCE sucks why not use ObscureWM Deluxe, etc.", I was trying to be > considerate and constructive. I even mentioned semi-seriously how this could > (down the road) be part of a monetization scheme for Qubes, but despite all > of that you still managed to play the lazy, self-absorbed noob card. > Congratulations. > > If you can send me a package of free time, I would be more than happy to give > it a shot right away. As it is now, if it really is that so amazingly simple > as to hardly be worth mentioning and yet no one has done it, then I submit > that I have already made a "contribution" and it is to point out that this > thing *should be done*: > > *** > > Chris: "The schoolhouse is on fire!" > > Volunteer Fireman: "Have you ever hooked a firehose up to a hydrant before?" > > Chris: "No, uh, but I mean it's on fire *right now* and..." > > Volunteer Fireman: "Look, it's really quite simple. And this would be a great > opportunity for you learn something. Nothing beats hands-on experience." > > > *** > > Chris: "If you had enough time to write *all of that*..." > > Me: "Then perhaps you'd do me the courtesy of reading it instead of > attempting to use it (with no trace of irony) as a evidence of my sloth?" > > Maybe if you (or someone) could write a Firefox extension to modify all > browser page titles to be a concatenation of the page title and a short token > of characters generated from a salted hash of the URL (so that I don't have > to deal with any more hyperbole out of people like M. Ouelette), I could > write the Dom0 bash bit. Or vice versa. Couldn't promise delivery on a tight > deadline, though. I'd rather not have such a tool sitting there "enabled". lol -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6ea39552-b8e2-4aba-8a35-3511333a3b89%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Security and dispVM firefox customization
Little explanation if I wrote badly readable text in English. If we will run this customized firefox from dispVM connected to VeryPrivateVPN and from NonVPN(public) then GAVE OVER. -- Regards -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cffc7e46-1354-5615-95f9-5f8951bccc71%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Security and dispVM firefox customization
https://www.qubes-os.org/doc/dispvm-customization/ Docs say that we can customize our firefox default startup settings and homepage. Docs say is safe. There is no any warnings at the doc about that. But when we starting firefox first time to made ANY customization then firefox profile created and on it firefox store prefs.js (settings) with unique IDS for telemetry and ads purposes. On each request to firefox servers for checking updates, search engines updates etc. firefox will send this id with all requests. So, saving this changes on the DispVM template for customization will identify our firefox copy as exactly the same on each disp vm instance. Then, if we will use this firefox on ANY dispVM (inherited from private, public) to open some url. Firefox will run with the same profile and it will send on the network the same ID generated on the first step of the template customization. As a result global advisory will know that the same "private" person and "public" person use the same firefox. Yes? It's URGENTLY NOT SECURE! But documentation say simple run firefox and "change startup settings and homepage". Is it normal? p.s. Or there is some other way to change firefox settings for every new created profile without running firefox? I don't know. And documentation does not show this to user, but send the user by the insecure way with such advice and recommendations. -- Regards -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a4800377-94d5-0706-851d-ddb867a6e007%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] debian 9: guid/qrexec crashes (fixed by enabling stretch-testing repo+updating)
Hi, just in case others are having similar problems: I'm running Qubes 3.2. I created a fresh debian 9 by upgrading from debian 8. Today the terminal in debian 9 started crashing (closing). In the logs I saw: U2MFN_GET_MFN_FOR_PAG: get_user_pages failed, ret=0x2 (or similar - I didn't count the 'f's) /var/log/qubes/guid.debian9.log contains: ErrorHandler: BadAccess (attempt to access private resource denied) used versions in VM: qubes-core-agent 3.2.16-1+deb qubes-gui-agent 3.2.11-1+deb (not sure if the version is truncated since it comes from 'xl console') Now I modified /etc/apt/sources.list.d/qubes-r3.list to enable the 'stretch-testing' repo, after upgrading my versions are now: qubes-core-agent 3.2.16-1+deb9u1 (not truncated anymore) qubes-gui-agent 3.2.15-1+deb9u1 It no longer appears to crash now. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/792a9840-7201-7aa7-e919-7ba8648a8118%40openmailbox.org. For more options, visit https://groups.google.com/d/optout. signature.asc Description: OpenPGP digital signature