Re: [qubes-users] Re: certified laptop delivery to Russia

2017-06-23 Thread taii...@gmx.com

Ah the smell of disinformation.

On 06/23/2017 10:28 AM, cooloutac wrote:


On Thursday, June 22, 2017 at 6:51:27 PM UTC-4, tai...@gmx.com wrote:

On 06/21/2017 10:57 PM, cooloutac wrote:


I agree they are super overpriced. But I'm not sure we can have 100% libre 
hardware, at least not for desktops.  I heard the guy Chris from thinkpenguin 
talk on a radio show once about how there are really only a couple of 
manufacturers that dominate the world.  You would have to make every single part 
from scratch.

I don't know anything about coreboot or libreboot. Though I know I'd actually 
like to have secure boot,  but I guess I'm crazy.


Of course you can, see the TALOS project for libre hardware/firmware
concepts and the KGPE-D16/KCMA-D8 for actual production libre firmware,
there are some POWER computers as well.

If someone tells you otherwise they don't know what they are talking
about, there is nothing stopping a company from making a libre computer
even a small company as long as they have the cash, purism could have
they just didn't want to.

Secure Boot is a marketing term for kernel code signing enforcement and
grub already does this, MS "secure" (from you) boot is a way for them to
eventually stop people from running linux.

I searched talos project and see stuff about body armor?
The TALOS project from raptor engineering was a 100% libre firmware and 
hardware PC project that did not meet crowdfunding goals.


The guy from think penguin who sells libre laptops doesn't know what he is 
talking about? I agree he is a little extreme and paranoid, but the radio show 
was focused on wireless devices at the time and the dangers of the fcc ruling 
to lock them, and why neither purism nor anybody truly has a 100% libre machine. 
There are many firmwares integrated and attached to a mobo, but you are acting 
as if there is only one.
Thinkpenguin and system76 are good honest companies FYI, I would suggest 
supporting them if you are interested in a new intel machine for linux.
He is not extreme nor paranoid, the fcc thing could mean the end of open 
source linux drivers and firmware for wifi chips.


There is not "many firmwares attached to a mobo" there really is only 
one most of the time, I know what I am talking about as I am involved in 
the coreboot project and I own several libre firmware machines.
The KGPE-D16 and KCMA-D8 have full functionality with libre firmware and 
zero blobs, I even play the latest games on mine so that excuse from 
purism that "oh no one has this" doesn't fly moreso because they haven't 
even "struck a compromise for the latest hardware" or what not as again 
their "coreboot" has entirely blobbed hw init making it pointless.


The exception to this rule would be a device with for example an 
integrated storage device, FullMAC (not the SoftMAC AGN atheros types) 
wireless chip, or a laptop/mobile board with an EC.


I don't know what you mean secure boot is a way to stop linux. It is supported 
by all major linux distributions.  Even after that myth is proven wrong you 
still perpetuate it?   Even after Richard Stallman himself says it's ok to use 
secure boot?

"supported by all major linux distros"
Only by using a red hat supplied signed binary pre-compiled sketchy 
version of grub.
I don't think I should need to ask red hat for permission to run linux 
do you?
A machine that lacks the ability to use even your own bootloader is not 
really your machine you are simply licensing the use of it.


SB 1.0 specs require owner control and method to shut it off and enroll 
own keys, SB 2.0 doesn't have this requirement so OEMs will eventually 
not implement it similarly to MS's ARM computers that only allow you to 
install windows - thus stopping people from using linux so no it isn't a 
myth.

I don't believe grub2 can take the place of secure boot. Would it have stopped 
Hacking Team's insyde bios exploit?   More to it than just the kernel.  I 
believe you would sign the grub but then grub would also be protected.  I mean 
what does grub have to do with the bios?

Again secure boot is simply kernel signing nothing special.
Grub2 on a coreboot device can perform the same function only it is 
always owner controlled, most coreboot users use grub to load kernels 
instead of loading a kernel directly from CBFS.


HT's exploit of crappy proprietary BIOSes would work on a "secure" boot 
or otherwise machine.



If you want a 100% libre computer, you will have to manufacture every single 
chip on the mobo yourself.

[citation needed]
Again that is purism propaganda that simply isn't true - again see 
Raptor Engineering's TALOS project as a proof of concept, it was already 
ready to go they just had to fab the boards.

   Because there are literally only maybe 2 or 3 companies who manufacture 
certain parts for a mobo in all of the world.

[citation needed]
If you were a hardware engineer you would know that isn't true, why do 
you insist on saying "facts" about things you know nothing 

[qubes-users] Internet

2017-06-23 Thread davidchoy358
I have installed qubes os and I can't figure out how to connect to the internet 
at all. I have no idea what to do and so far nothing has helped me at all. 
Please tell me step by step how to connect to the internet after freshly 
installing
Qubes 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9b6634c9-7f82-4c17-ade4-d54123ead640%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Setting up regular bitcoin donation / buying support case?

2017-06-23 Thread taii...@gmx.com
I agree - setting up a team of non-developers that are linux support 
specialists for the business users of qubes would be a great way to drum 
up cash.


This should be made to happen, maybe cc ADW?


FYI There are an incredibly large amount of detailed bitcoin howto 
guides on the internet, there isn't any need for the devs to waste time 
making another.




Re: [qubes-users] power9 and qubes os

2017-06-23 Thread taii...@gmx.com

On 06/23/2017 08:24 PM, 'Johnysecured88' via qubes-users wrote:


Seriously, is power9 support at least a possibility for qubes os? It seems 
absurd that we should only focus on x86 given how locked down and backdoored it 
is.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

If you have the type of job that allows you to purchase a server 
that costs as much as a nice used car you probably know how to compile a 
distro or pay someone to do so, so there isn't anything stopping you from 
compiling it for POWER, but yes I also can't understand the rabid x86 
fixation that the linux community has. Some people even say "oh power is 
expensive and that's lame" as if you wouldn't pay just as much for an 
intel offering with equivalent performance.


You could also compile it for ARM and get a performance server board or 
something.


If you don't mind me asking what do you need all this security for? I am 
always curious - as for me there really isn't any reason besides it 
being cool in and of itself.




[qubes-users] power9 and qubes os

2017-06-23 Thread 'Johnysecured88' via qubes-users
Seriously, is power9 support at least a possibility for qubes os? It seems 
absurd that we should only focus on x86 given how locked down and backdoored it 
is.

Sent with [ProtonMail](https://protonmail.com) Secure Email.



Re: [qubes-users] Re: “Convert to Trusted PDF” protocol, & Backup VMs, which typically?

2017-06-23 Thread yreb-qusw

On 06/23/2017 09:23 AM, Unman wrote:

On Fri, Jun 23, 2017 at 08:21:07AM -1000, yreb-qusw wrote:

On 06/23/2017 05:43 AM, Unman wrote:

On Thu, Jun 22, 2017 at 07:24:56PM -1000, yreb-qusw wrote:

On 06/21/2017 04:21 PM, cooloutac wrote:

On Saturday, June 17, 2017 at 5:45:45 PM UTC-4, yreb-qusw wrote:

Permit me to ask two questions?



1) I was reading this

-
https://security.stackexchange.com/questions/151300/what-is-the-safest-way-to-deal-with-loads-of-incoming-pdf-files-some-of-which-c

(Credits: Micah Lee)
What's that “Convert to Trusted PDF” you were talking about?

Let's say you found an interesting document, and let's say that you had
an offline virtual machine specifically dedicated for storing and
opening documents. Of course, you can directly send that document to
that VM, but there could still be a chance that this document is
malicious and may try for instance to delete all of your files (a
behavior that you wouldn't notice in the short-lived DisposableVM). But
you can also convert it into what's called a ‘Trusted PDF’.



You send the

file to a different VM, then you open the file manager, navigate to the
directory of the file, right-click and choose “Convert to Trusted PDF”,
and then send the file back to the VM where you collect your documents.





But what does it exactly do? The “Convert to Trusted PDF” tool creates a
new DisposableVM, puts the file there, and then transforms it via a
parser (that runs in the DisposableVM) that basically takes the RGB
value of each pixel and leaves anything else. It's a bit like opening
the PDF in an isolated environment and then ‘screenshotting it’ if you
will. The file obviously gets much bigger, if I recall it transformed
when I tested a 10Mb PDF into a 400Mb one. You can get much more details
on that in this blogpost by security researcher and Qubes OS creator
Joanna Rutkowska.

[https://theinvisiblethings.blogspot.nl/2013/02/converting-untrusted-pdfs-into-trusted.html]

--
Upon reading it on the suggested sequence of opening  random/all PDFs,
maybe , people vary  their sequence.

It sounds like in say my Whonix Anon-appvm  , I d/l  a PDF, is it then
suggested I copy this PDF  to a , what,  PDF dedicated AppVM 1st,
Before doing  a  “Convert to Trusted PDF”  on the PDF file ?

This would add a step to the much faster,  just  “Convert to Trusted
PDF”  from the actual  Anon-Whonix  AppVM


2)
Do folks typically backup  their Template VMs  ?  as I noticed they
aren't set up by default to backup ?

and/or what is the thinking behind backing up various VMs ?  I guess the
ones that have been the most modified eg  the AppVMs ?   I have 1 very
large 20 gigabyte  VM with old videos/pictures on it,  do I  back that
one up ? for example?


you just right click on the file and hit convert to trusted pdf.  I'm not sure 
what you're asking.


...I separated the sentence out , above,  it clearly says  "you send the
file to a different VM"  THEN convert to a trusted PDF.   What would this
'different VM' be?   ?a disposable VM ? or  ?



I think you need to read that post more carefully, although it isn't
altogether clear.
I think the scenario Micah has in mind is that you have downloaded a PDF
in an untrusted network connected qube, and have a trusted isolated qube
for storage.
Instead of converting the PDF in the untrusted machine (who knows what
might have been done to your Qubes tools?), or qvm-copying the untrusted
PDF in to the storage qube, he copies it to another, converts there and
then moves the trusted PDF in to trusted storage.(I think the "copy back"
is just a mistake.) That "other" qube can be anything you choose - a
disposableVM, a dedicated converter..
This is one approach to take - I'd suggest using a disposableVM if you
want to do it. However, it looks like overkill to me, because there's a
suggestion that just having an untrusted PDF in the storage qube
increases the risk. I don't believe this need be so.
Another approach might be to have a mini template for the storage qube,
and open every file in a disposableVM. If you are wedded to GUI file
managers, you could still do this by setting default file handlers to use
qvm-open-in-dvm for pretty much every filetype.

I hope that makes things a little clearer

unman


THIS only works for PDF files,  not for  other docs?  I set up my default
disposable VM  as  anon-whonix  ,  and when I go to open  .docx  it tries
to use  Tor Browser .  However,  PDFs open normally in the PDF  application
hmmm



You need to ensure that the dispVMTemplate is configured to properly
deal with docx files.
There was quite a long thread earlier in the year on "How to set file
association in disposable VMs", which is worth looking at. In general,
you should be able to use mimeopen in the dispVMTemplate to set the
association, and provided that you then
'touch /home/user/.qubes-dispvm-customized' and regenerate the template,
you should be fine.
There's more information on customizing disposableVMs here:

Re: [qubes-users] Re: “Convert to Trusted PDF” protocol, & Backup VMs, which typically?

2017-06-23 Thread Unman
On Fri, Jun 23, 2017 at 08:21:07AM -1000, yreb-qusw wrote:
> On 06/23/2017 05:43 AM, Unman wrote:
> > On Thu, Jun 22, 2017 at 07:24:56PM -1000, yreb-qusw wrote:
> > > On 06/21/2017 04:21 PM, cooloutac wrote:
> > > > On Saturday, June 17, 2017 at 5:45:45 PM UTC-4, yreb-qusw wrote:
> > > > > Permit me to ask two questions?
> > > > > 
> > > > > 
> > > > > 
> > > > > 1) I was reading this
> > > > > 
> > > > > -
> > > > > https://security.stackexchange.com/questions/151300/what-is-the-safest-way-to-deal-with-loads-of-incoming-pdf-files-some-of-which-c
> > > > > 
> > > > > (Credits: Micah Lee)
> > > > > What's that “Convert to Trusted PDF” you were talking about?
> > > > > 
> > > > > Let's say you found an interesting document, and let's say that you 
> > > > > had
> > > > > an offline virtual machine specifically dedicated for storing and
> > > > > opening documents. Of course, you can directly send that document to
> > > > > that VM, but there could still be a chance that this document is
> > > > > malicious and may try for instance to delete all of your files (a
> > > > > behavior that you wouldn't notice in the short-lived DisposableVM). 
> > > > > But
> > > > > you can also convert it into what's called a ‘Trusted PDF’.
> > > 
> > > 
> > > You send the
> > > > > file to a different VM, then you open the file manager, navigate to 
> > > > > the
> > > > > directory of the file, right-click and choose “Convert to Trusted 
> > > > > PDF”,
> > > > > and then send the file back to the VM where you collect your 
> > > > > documents.
> > > 
> > > 
> > > 
> > > > > But what does it exactly do? The “Convert to Trusted PDF” tool 
> > > > > creates a
> > > > > new DisposableVM, puts the file there, and then transforms it via a
> > > > > parser (that runs in the DisposableVM) that basically takes the RGB
> > > > > value of each pixel and leaves anything else. It's a bit like opening
> > > > > the PDF in an isolated environment and then ‘screenshotting it’ if you
> > > > > will. The file obviously gets much bigger, if I recall it transformed
> > > > > when I tested a 10Mb PDF into a 400Mb one. You can get much more 
> > > > > details
> > > > > on that in this blogpost by security researcher and Qubes OS creator
> > > > > Joanna Rutkowska.
> > > > > 
> > > > > [https://theinvisiblethings.blogspot.nl/2013/02/converting-untrusted-pdfs-into-trusted.html]
> > > > > 
> > > > > --
> > > > > Upon reading it on the suggested sequence of opening  random/all PDFs,
> > > > > maybe , people vary  their sequence.
> > > > > 
> > > > > It sounds like in say my Whonix Anon-appvm  , I d/l  a PDF, is it then
> > > > > suggested I copy this PDF  to a , what,  PDF dedicated AppVM 1st,
> > > > > Before doing  a  “Convert to Trusted PDF”  on the PDF file ?
> > > > > 
> > > > > This would add a step to the much faster,  just  “Convert to Trusted
> > > > > PDF”  from the actual  Anon-Whonix  AppVM
> > > > > 
> > > > > 
> > > > > 2)
> > > > > Do folks typically backup  their Template VMs  ?  as I noticed they
> > > > > aren't set up by default to backup ?
> > > > > 
> > > > > and/or what is the thinking behind backing up various VMs ?  I guess 
> > > > > the
> > > > > ones that have been the most modified eg  the AppVMs ?   I have 1 very
> > > > > large 20 gigabyte  VM with old videos/pictures on it,  do I  back that
> > > > > one up ? for example?
> > > > 
> > > > you just right click on the file and hit convert to trusted pdf.  I'm 
> > > > not sure what you're asking.
> > > 
> > > ...I separated the sentence out , above,  it clearly says  "you send 
> > > the
> > > file to a different VM"  THEN convert to a trusted PDF.   What would this
> > > 'different VM' be?   ?a disposable VM ? or  ?
> > > 
> > 
> > I think you need to read that post more carefully, although it isn't
> > altogether clear.
> > I think the scenario Micah has in mind is that you have downloaded a PDF
> > in an untrusted network connected qube, and have a trusted isolated qube
> > for storage.
> > Instead of converting the PDF in the untrusted machine (who knows what
> > might have been done to your Qubes tools?), or qvm-copying the untrusted
> > PDF in to the storage qube, he copies it to another, converts there and
> > then moves the trusted PDF in to trusted storage.(I think the "copy back"
> > is just a mistake.) That "other" qube can be anything you choose - a
> > disposableVM, a dedicated converter..
> > This is one approach to take - I'd suggest using a disposableVM if you
> > want to do it. However, it looks like overkill to me, because there's a
> > suggestion that just having an untrusted PDF in the storage qube
> > increases the risk. I don't believe this need be so.
> > Another approach might be to have a mini template for the storage qube,
> > and open every file in a disposableVM. If you are wedded to GUI file
> > managers, you could still do this by setting default file handlers to use
> > qvm-open-in-dvm for pretty much every filetype.
> > 
> > I 

[qubes-users] Debian Buster repo

2017-06-23 Thread Dominique St-Pierre Boucher
Hello,

Anyone switched their template from Stretch to Buster? I want to try but there 
is no qubes repo for it!!

Dominique



Re: [qubes-users] Re: “Convert to Trusted PDF” protocol, & Backup VMs, which typically?

2017-06-23 Thread yreb-qusw

On 06/23/2017 05:43 AM, Unman wrote:

On Thu, Jun 22, 2017 at 07:24:56PM -1000, yreb-qusw wrote:

On 06/21/2017 04:21 PM, cooloutac wrote:

On Saturday, June 17, 2017 at 5:45:45 PM UTC-4, yreb-qusw wrote:

Permit me to ask two questions?



1) I was reading this

-
https://security.stackexchange.com/questions/151300/what-is-the-safest-way-to-deal-with-loads-of-incoming-pdf-files-some-of-which-c

(Credits: Micah Lee)
What's that “Convert to Trusted PDF” you were talking about?

Let's say you found an interesting document, and let's say that you had
an offline virtual machine specifically dedicated for storing and
opening documents. Of course, you can directly send that document to
that VM, but there could still be a chance that this document is
malicious and may try for instance to delete all of your files (a
behavior that you wouldn't notice in the short-lived DisposableVM). But
you can also convert it into what's called a ‘Trusted PDF’.



You send the

file to a different VM, then you open the file manager, navigate to the
directory of the file, right-click and choose “Convert to Trusted PDF”,
and then send the file back to the VM where you collect your documents.





But what does it exactly do? The “Convert to Trusted PDF” tool creates a
new DisposableVM, puts the file there, and then transforms it via a
parser (that runs in the DisposableVM) that basically takes the RGB
value of each pixel and leaves anything else. It's a bit like opening
the PDF in an isolated environment and then ‘screenshotting it’ if you
will. The file obviously gets much bigger, if I recall it transformed
when I tested a 10Mb PDF into a 400Mb one. You can get much more details
on that in this blogpost by security researcher and Qubes OS creator
Joanna Rutkowska.

[https://theinvisiblethings.blogspot.nl/2013/02/converting-untrusted-pdfs-into-trusted.html]

--
Upon reading it on the suggested sequence of opening  random/all PDFs,
maybe , people vary  their sequence.

It sounds like in say my Whonix Anon-appvm  , I d/l  a PDF, is it then
suggested I copy this PDF  to a , what,  PDF dedicated AppVM 1st,
Before doing  a  “Convert to Trusted PDF”  on the PDF file ?

This would add a step to the much faster,  just  “Convert to Trusted
PDF”  from the actual  Anon-Whonix  AppVM


2)
Do folks typically backup  their Template VMs  ?  as I noticed they
aren't set up by default to backup ?

and/or what is the thinking behind backing up various VMs ?  I guess the
ones that have been the most modified eg  the AppVMs ?   I have 1 very
large 20 gigabyte  VM with old videos/pictures on it,  do I  back that
one up ? for example?


you just right click on the file and hit convert to trusted pdf.  I'm not sure 
what you're asking.


...I separated the sentence out , above,  it clearly says  "you send the
file to a different VM"  THEN convert to a trusted PDF.   What would this
'different VM' be?   ?a disposable VM ? or  ?



I think you need to read that post more carefully, although it isn't
altogether clear.
I think the scenario Micah has in mind is that you have downloaded a PDF
in an untrusted network connected qube, and have a trusted isolated qube
for storage.
Instead of converting the PDF in the untrusted machine (who knows what
might have been done to your Qubes tools?), or qvm-copying the untrusted
PDF in to the storage qube, he copies it to another, converts there and
then moves the trusted PDF in to trusted storage.(I think the "copy back"
is just a mistake.) That "other" qube can be anything you choose - a
disposableVM, a dedicated converter..
This is one approach to take - I'd suggest using a disposableVM if you
want to do it. However, it looks like overkill to me, because there's a
suggestion that just having an untrusted PDF in the storage qube
increases the risk. I don't believe this need be so.
Another approach might be to have a mini template for the storage qube,
and open every file in a disposableVM. If you are wedded to GUI file
managers, you could still do this by setting default file handlers to use
qvm-open-in-dvm for pretty much every filetype.

I hope that makes things a little clearer

unman

THIS only works for PDF files,  not for  other docs?  I set up my 
default disposable VM  as  anon-whonix  ,  and when I go to open  .docx 
 it tries  to use  Tor Browser .  However,  PDFs open normally in the 
PDF  application hmmm




[qubes-users] Re: HCL - Dell XPS 15 9560

2017-06-23 Thread David Nogueira
On Monday, February 20, 2017 at 8:16:35 AM UTC, Stefan wrote:
> Hi,
> 
> installed Qubes 3.2 on my new laptop. After some initial problems, it
> seems to be working great!
> 
> After installing from the ISO image, the graphics driver was working
> fine (at least I remember it this way), only suspend to RAM crashed the
> machine. I updated all packages (fedora template and dom0), and after a
> reboot, X used the framebuffer driver and did not detect the Intel
> graphics chip :-(
> 
> Both problems were solved by enabling the qubes-dom0-unstable repo and
> updating the dom0 kernel to the version provided there. Intel VGA and
> Suspend to RAM are working fine now.
> 
> 
> The nvidia chip (GTX 1050) is not supported by the nouveau driver, and I
> didn't go through the pain (not to speak of the security concerns) of
> manually installing the latest proprietary driver from nVidia on dom0.
> 
> 
> Suspend to RAM seems to have some problem with the WLAN driver, though.
> After some suspend cycles, WLAN won't come up again. I put the driver
> ath10k_pci to the suspend-module-blacklist, I think this did the trick.
> 
> 
> Stefan.
Thanks for the work Stefan.

- Any chance anyone has the 4k screen? I am having issues setting a lower 
resolution than 4k or working with HiDPI overall, what were your approaches?

- Also any luck in being able to set brightness levels?

thanks,
David



Re: [qubes-users] Re: “Convert to Trusted PDF” protocol, & Backup VMs, which typically?

2017-06-23 Thread yreb-qusw

On 06/23/2017 05:43 AM, Unman wrote:

On Thu, Jun 22, 2017 at 07:24:56PM -1000, yreb-qusw wrote:

On 06/21/2017 04:21 PM, cooloutac wrote:

On Saturday, June 17, 2017 at 5:45:45 PM UTC-4, yreb-qusw wrote:

Permit me to ask two questions?



1) I was reading this

-
https://security.stackexchange.com/questions/151300/what-is-the-safest-way-to-deal-with-loads-of-incoming-pdf-files-some-of-which-c

(Credits: Micah Lee)
What's that “Convert to Trusted PDF” you were talking about?

Let's say you found an interesting document, and let's say that you had
an offline virtual machine specifically dedicated for storing and
opening documents. Of course, you can directly send that document to
that VM, but there could still be a chance that this document is
malicious and may try for instance to delete all of your files (a
behavior that you wouldn't notice in the short-lived DisposableVM). But
you can also convert it into what's called a ‘Trusted PDF’.



You send the

file to a different VM, then you open the file manager, navigate to the
directory of the file, right-click and choose “Convert to Trusted PDF”,
and then send the file back to the VM where you collect your documents.





But what does it exactly do? The “Convert to Trusted PDF” tool creates a
new DisposableVM, puts the file there, and then transforms it via a
parser (that runs in the DisposableVM) that basically takes the RGB
value of each pixel and leaves anything else. It's a bit like opening
the PDF in an isolated environment and then ‘screenshotting it’ if you
will. The file obviously gets much bigger, if I recall it transformed
when I tested a 10Mb PDF into a 400Mb one. You can get much more details
on that in this blogpost by security researcher and Qubes OS creator
Joanna Rutkowska.

[https://theinvisiblethings.blogspot.nl/2013/02/converting-untrusted-pdfs-into-trusted.html]

--
Upon reading it on the suggested sequence of opening  random/all PDFs,
maybe , people vary  their sequence.

It sounds like in say my Whonix Anon-appvm  , I d/l  a PDF, is it then
suggested I copy this PDF  to a , what,  PDF dedicated AppVM 1st,
Before doing  a  “Convert to Trusted PDF”  on the PDF file ?

This would add a step to the much faster,  just  “Convert to Trusted
PDF”  from the actual  Anon-Whonix  AppVM


2)
Do folks typically backup  their Template VMs  ?  as I noticed they
aren't set up by default to backup ?

and/or what is the thinking behind backing up various VMs ?  I guess the
ones that have been the most modified eg  the AppVMs ?   I have 1 very
large 20 gigabyte  VM with old videos/pictures on it,  do I  back that
one up ? for example?


you just right click on the file and hit convert to trusted pdf.  I'm not sure 
what you're asking.


...I separated the sentence out , above,  it clearly says  "you send the
file to a different VM"  THEN convert to a trusted PDF.   What would this
'different VM' be?   ?a disposable VM ? or  ?



I think you need to read that post more carefully, although it isn't
altogether clear.
I think the scenario Micah has in mind is that you have downloaded a PDF
in an untrusted network connected qube, and have a trusted isolated qube
for storage.
Instead of converting the PDF in the untrusted machine (who knows what
might have been done to your Qubes tools?), or qvm-copying the untrusted
PDF in to the storage qube, he copies it to another, converts there and
then moves the trusted PDF in to trusted storage.(I think the "copy back"
is just a mistake.) That "other" qube can be anything you choose - a
disposableVM, a dedicated converter..
This is one approach to take - I'd suggest using a disposableVM if you
want to do it. However, it looks like overkill to me, because there's a
suggestion that just having an untrusted PDF in the storage qube
increases the risk. I don't believe this need be so.
Another approach might be to have a mini template for the storage qube,
and open every file in a disposableVM. If you are wedded to GUI file
managers, you could still do this by setting default file handlers to use
qvm-open-in-dvm for pretty much every filetype.

I hope that makes things a little clearer

unman

Yes, sir, Unman, that is closer to what I was asking. Sorry for any
confusion.


If you look at the original URL, I'm just quoting from Micah's
article, as you said. So, Unman, you are saying it probably is fine to
NOT copy the PDF to a disposable qube before doing the "converted to
trusted PDF"?


I guess if one doesn't want to keep the PDF file, there is no reason to
"convert" it; one would just 'open in a disposable VM' anyway. But
good opsec would be to make sure to go back and del the PDF that was
downloaded and opened in the disposable VM?


I wish they could automate this as well, so that after opening it in the
disposable VM the original in the AppVM qube would get auto-deleted
or so :)


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.

Re: [qubes-users] Containing Twitter sessions

2017-06-23 Thread Unman
On Thu, Jun 22, 2017 at 01:27:28PM -0400, Chris Laprise wrote:
> On 06/22/2017 11:40 AM, Ryan Tate wrote:
> > I am perplexed by the challenge of containing Twitter use in Qubes.
> > 
> > With Twitter, you must be logged in to effectively read or write.
> > 
> > On the read side, it is a wildly promiscuous experience exposing the
> > user to various untrusted sites. Indeed a key goal of using Twitter
> > is to discover new sites and media.
> > 
> > On the write side, it is very sensitive, containing private messages,
> > the ability to post public messages with significant personal
> > reputational risks, and even to do lightweight out-of-band
> > authentication for other channels.
> > 
> > If I had to pick from the default VMs, I would probably put Twitter
> > in “untrusted” due to the risks on the read side, even though the
> > account itself is sensitive and ideally you would not put such write
> > capabilities in a "wild west” environment like “untrusted." Perhaps
> > better is to just make a “twitter” vm to keep the damage of any
> > compromise contained to the Twitter account itself. Most ideal, in
> > the future, would be to combine this last approach with a Qubes
> > browser add-on and force each non-twitter link to open in another VM,
> > either disposable or the “untrusted”.
> > 
> > (Has anyone figured out a better approach?)
> 
> I do two things:
> 
> * Refrain from clicking links; copy to untrusted VM browser instead
> 
> * Turn on https everywhere addon in https-only mode
> 
> The latter means that even if I click on a link, the site visited will at
> least have some verification (or else it won't load).
> 

There is an alternative approach which would be to use a twitter client
like corebird, and to configure mimeopen so that links are opened in a
disposableVM.
I would certainly use a dedicated qube for this.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170623155418.ozwrlaksrdpbzzpb%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: “Convert to Trusted PDF” protocol, & Backup VMs, which typically?

2017-06-23 Thread Unman
On Thu, Jun 22, 2017 at 07:24:56PM -1000, yreb-qusw wrote:
> On 06/21/2017 04:21 PM, cooloutac wrote:
> > On Saturday, June 17, 2017 at 5:45:45 PM UTC-4, yreb-qusw wrote:
> > > Permit me to ask two questions?
> > > 
> > > 
> > > 
> > > 1) I was reading this
> > > 
> > > -
> > > https://security.stackexchange.com/questions/151300/what-is-the-safest-way-to-deal-with-loads-of-incoming-pdf-files-some-of-which-c
> > > 
> > > (Credits: Micah Lee)
> > > What's that “Convert to Trusted PDF” you were talking about?
> > > 
> > > Let's say you found an interesting document, and let's say that you had
> > > an offline virtual machine specifically dedicated for storing and
> > > opening documents. Of course, you can directly send that document to
> > > that VM, but there could still be a chance that this document is
> > > malicious and may try for instance to delete all of your files (a
> > > behavior that you wouldn't notice in the short-lived DisposableVM). But
> > > you can also convert it into what's called a ‘Trusted PDF’.
> 
> 
> You send the
> > > file to a different VM, then you open the file manager, navigate to the
> > > directory of the file, right-click and choose “Convert to Trusted PDF”,
> > > and then send the file back to the VM where you collect your documents.
> 
> 
> 
> > > But what does it exactly do? The “Convert to Trusted PDF” tool creates a
> > > new DisposableVM, puts the file there, and then transform it via a
> > > parser (that runs in the DisposableVM) that basically takes the RGB
> > > value of each pixel and leaves anything else. It's a bit like opening
> > > the PDF in an isolated environment and then ‘screenshoting it’ if you
> > > will. The file obviously gets much bigger, if I recall it transformed
> > > when I tested a 10Mb PDF into a 400Mb one. You can get much more details
> > > on that in this blogpost by security researcher and Qubes OS creator
> > > Joanna Rutkowska.
> > > 
> > > [https://theinvisiblethings.blogspot.nl/2013/02/converting-untrusted-pdfs-into-trusted.html]
> > > 
> > > --
> > > Upon reading it on the suggested sequence of opening  random/all PDFs,
> > > maybe , people vary  their sequence.
> > > 
> > > It sounds like in say my Whonix Anon-appvm  , I d/l  a PDF, is it then
> > > suggested I copy this PDF  to a , what,  PDF dedicated AppVM 1st,
> > > Before doing  a  “Convert to Trusted PDF”  on the PDF file ?
> > > 
> > > This would add a step to the much faster,  just  “Convert to Trusted
> > > PDF”  from the actual  Anon-Whonix  AppVM
> > > 
> > > 
> > > 2)
> > > Do folks typically backup  their Template VMs  ?  as I noticed they
> > > aren't set up by default to backup ?
> > > 
> > > and/or what is the thinking behind backing up various VMs ?  I guess the
> > > ones that have been the most modified eg  the AppVMs ?   I have 1 very
> > > large 20 gigabyte  VM with old videos/pictures on it,  do I  back that
> > > one up ? for example?
> > 
> > you just right click on the file and hit convert to trusted pdf.  i'm not 
> > sure what you're asking.
> 
> ...I separated the sentence out, above; it clearly says "you send the
> file to a different VM" THEN convert to a trusted PDF. What would this
> 'different VM' be? a disposable VM? or?
> 

I think you need to read that post more carefully, although it isn't
altogether clear.
I think the scenario Micah has in mind is that you have downloaded a PDF
in an untrusted network connected qube, and have a trusted isolated qube
for storage.
Instead of converting the PDF in the untrusted machine (who knows what
might have been done to your Qubes tools?), or qvm-copying the untrusted
PDF in to the storage qube, he copies it to another, converts there and
then moves the trusted PDF in to trusted storage. (I think the "copy back"
is just a mistake.) That "other" qube can be anything you choose - a
disposableVM, a dedicated converter..
This is one approach to take - I'd suggest using a disposableVM if you
want to do it. However, it looks like overkill to me, because there's a
suggestion that just having an untrusted PDF in the storage qube
increases the risk. I don't believe this need be so.
Another approach might be to have a mini template for the storage qube,
and open every file in a disposableVM. If you are wedded to GUI file
managers, you could still do this by setting default file handlers to use
qvm-open-in-dvm for pretty much every filetype.

I hope that makes things a little clearer

unman

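An added sketch (not code from the thread or from the Qubes project) of the two handler suggestions above: making qvm-open-in-dvm the default for file types in a storage qube, and for web links in a qube running a Twitter client. The .desktop file names and the MIME list are choices made for this example, and it assumes the qube's applications honour XDG defaults and that qvm-open-in-dvm in your release accepts URLs as well as file paths.

```shell
#!/bin/sh
# Added example: make qvm-open-in-dvm the default XDG handler inside a qube.
# The handler file names and the MIME list below are assumptions of this
# sketch, not names used by Qubes itself.

FILE_HANDLER="dvm-open-file.desktop"
URL_HANDLER="dvm-open-url.desktop"
FILE_TYPES="application/pdf image/jpeg image/png text/html application/msword application/vnd.oasis.opendocument.text"
URL_TYPES="x-scheme-handler/http x-scheme-handler/https"

# write_entry PATH EXEC_LINE TYPE...: write one desktop entry file.
write_entry() {
    path=$1; exec_line=$2; shift 2
    {
        echo "[Desktop Entry]"
        echo "Type=Application"
        echo "Name=Open in DisposableVM"
        echo "Exec=$exec_line"
        echo "NoDisplay=true"
        printf 'MimeType='
        for t in "$@"; do printf '%s;' "$t"; done
        echo
    } > "$path"
}

# install_dvm_handlers DATA_DIR CONFIG_DIR
# (normally "$HOME/.local/share" and "$HOME/.config")
install_dvm_handlers() {
    data_dir=$1; config_dir=$2
    mkdir -p "$data_dir/applications" "$config_dir" || return 1
    list="$config_dir/mimeapps.list"
    # Keep a copy of any existing associations before replacing them.
    if [ -f "$list" ]; then cp "$list" "$list.bak" || return 1; fi

    # %f passes a local file path, %u a URL (Desktop Entry field codes).
    # The type lists are split on spaces on purpose.
    write_entry "$data_dir/applications/$FILE_HANDLER" "qvm-open-in-dvm %f" $FILE_TYPES
    write_entry "$data_dir/applications/$URL_HANDLER" "qvm-open-in-dvm %u" $URL_TYPES

    # mimeapps.list makes each entry the default for its types.
    {
        echo "[Default Applications]"
        for t in $FILE_TYPES; do echo "$t=$FILE_HANDLER"; done
        for t in $URL_TYPES; do echo "$t=$URL_HANDLER"; done
    } > "$list"
}

# default_for LIST_FILE MIME: print the handler configured for a MIME type.
default_for() {
    sed -n "s|^$2=||p" "$1"
}

# Run as "script --install" inside the qube to apply to the current user.
if [ "${1:-}" = "--install" ]; then
    install_dvm_handlers "$HOME/.local/share" "$HOME/.config"
fi
```

After installing, `xdg-mime query default application/pdf` shows which handler the desktop will use. Applications that ship their own internal viewer or link handling ignore these defaults, so check the client you actually run.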


[qubes-users] Re: Setting up regular bitcoin donation / buying support case?

2017-06-23 Thread Pawel Debski
On Wednesday, 21 June 2017 at 12:47:17 UTC+2, Vincent Adultman wrote:
> Hi all
> 
> 
> 
> Over on https://www.qubes-os.org/donate/ I see I can setup a donation one of 
> two ways, Bitcoin and via Open Collective, however 14% for the latter seems a 
> hell of a donation overhead. As such, I'd like to use Bitcoin but have no 
> idea how. While I realise there are probably many idiots guides, I wonder if 
> this is a common feeling of people that visit the donate page.
> 
> 
> 
> I'm happy to muddle through setting up a recurring bitcoin donation and then 
> contribute a guide (I currently have nothing else for which I would use 
> bitcoin) if this would be helpful, but also wonder if someone has some notes 
> stuffed away in a gist or similar somewhere?
> 
> 
> 
> On a related point, I've not been keeping up on all the ways you guys are 
> seeking funding, but I believe selling individual support licenses for those 
> who wished to purchase them was decided to be not worth the revenue it would 
> generate vs effort, is this still the case? I use Qubes as my daily driver 
> and cannot get any of the 4.x series kernels to work on my laptop, so am 
> behind on this element of security updates. I take it I can't purchase a 
> support case from ITL at the current point in time?
> 
> 
> 
> Vin

Yep, setting up a bitcoin wallet & exchange plus high commissions on other 
channels kept me from donating. Plus the donation is a terrible tax pain for 
entrepreneurs in PL. The easiest would be to receive a monthly EU VAT invoice 
for "Software development" and SEPA bank transfer.

How does it look from your side dear Qubes team?



[qubes-users] Dell XPS 9560 4k resolution issues

2017-06-23 Thread David Nogueira
Hi all,

I have been struggling to find a good way to use my 4k display. For context, I 
have looked for setting HiDPI, am aware of 
https://github.com/QubesOS/qubes-issues/issues/1951 and others, but at least 
for now I see HiDPI as a half solution.

I don't care about my full screen resolution in Qubes, so I am ok with setting it 
to something like 1920x1080; the issue is I am not able to. Since the 
only mode available in xrandr is 3840x2160 I am forced to add a new mode.

I ran cvt 1920 1080 60 in dom0 and got:

Modeline "1920x1080_60.00" 173.00  1920 2048 2248 2576   1080 1083 1088 1120 -hsync +vsync

I --newmode and --addmode to default and when I try setting the mode:

xrandr --verbose --output default --mode 1920x1080_60.00
xrandr: Failed to get size of gamma for output default
crtc 0: disable
screen 0: 1920x1080 508x286 mm  95.92dpi
crtc 0: 1920x1080_60.00  59.96 +0+0 "default"
xrandr: Configure crtc 0 failed
crtc 0: disable
screen 0: revert
crtc 0: revert

I have tried a few things, ran out of ideas, sorry if this is a bit too basic 
but am a bit stuck.

Best.
David



Re: [qubes-users] Re: certified laptop delivery to Russia

2017-06-23 Thread cooloutac
On Thursday, June 22, 2017 at 6:51:27 PM UTC-4, tai...@gmx.com wrote:
> On 06/21/2017 10:57 PM, cooloutac wrote:
> 
> >
> > I agree they are super overpriced  But i'm not sure we can have 100% libre 
> > hardware, at least not for desktops.  I heard the guy Chris from 
> > thinkpenguin talk about on a radio show once,  how there is really only a 
> > couple manufactures that dominate the world.  You would have to make every 
> > single part from scratch.
> >
> > I don't know anything about coreboot or libreboot. Though I know I'd 
> > actually would like to have secure boot,  but I guess I'm crazy.
> >
> Of course you can, see the TALOS project for libre hardware/firmware 
> concepts and the KGPE-D16/KCMA-D8 for actual production libre firmware, 
> there are some POWER computers as well.
> 
> If someone tells you otherwise they don't know what they are talking 
> about, there is nothing stopping a company from making a libre computer 
> even a small company as long as they have the cash, purism could have 
> they just didn't want to.
> 
> Secure Boot is a marketing term for kernel code signing enforcement and 
> grub already does this, MS "secure" (from you) boot is a way for them to 
> eventually stop people from running linux.

I searched talos project and see stuff about body armor?

The guy from think penguin who sells libre laptops doesn't know what he is 
talking about? I agree he is a little extreme and paranoid, but the radio show 
was focused on wireless devices at the time and the dangers of the FCC ruling 
to lock them, and why purism, nor anybody, truly has a 100% libre machine. 
There are many firmwares integrated and attached to a mobo, but you are acting 
as if there is only one.

I don't know what you mean, secure boot is a way to stop linux. It is supported 
by all major linux distributions. Even after that myth is proven wrong you 
still perpetuate it? Even after Richard Stallman himself says it's ok to use 
secure boot?

I don't believe grub2 can take the place of secure boot. Would it have stopped 
hacking team's insyde bios exploit? More to it than just the kernel. I 
believe you would sign the grub but then grub would also be protected. I mean 
what does grub have to do with the bios?

If you want a conspiracy theory here is one. The reason the pyramid is on a 
dollar is because it's human nature for there to be one entity controlling 
everything else. If you want a 100% libre computer, you will have to 
manufacture every single chip on the mobo yourself. Not just the ones with 
firmwares, because there are literally only maybe 2 or 3 companies who 
manufacture certain parts for a mobo in all of the world.

Do you know how much time and money, legal and political obstacles that would 
have? It would take more than the resources of a small indie company.



[qubes-users] Re: “Convert to Trusted PDF” protocol, & Backup VMs, which typically?

2017-06-23 Thread cooloutac
On Friday, June 23, 2017 at 1:25:04 AM UTC-4, yreb-qusw wrote:
> On 06/21/2017 04:21 PM, cooloutac wrote:
> > On Saturday, June 17, 2017 at 5:45:45 PM UTC-4, yreb-qusw wrote:
> >> Permit me to ask two questions?
> >>
> >>
> >>
> >> 1) I was reading this
> >>
> >> -
> >> https://security.stackexchange.com/questions/151300/what-is-the-safest-way-to-deal-with-loads-of-incoming-pdf-files-some-of-which-c
> >>
> >> (Credits: Micah Lee)
> >> What's that “Convert to Trusted PDF” you were talking about?
> >>
> >> Let's say you found an interesting document, and let's say that you had
> >> an offline virtual machine specifically dedicated for storing and
> >> opening documents. Of course, you can directly send that document to
> >> that VM, but there could still be a chance that this document is
> >> malicious and may try for instance to delete all of your files (a
> >> behavior that you wouldn't notice in the short-lived DisposableVM). But
> >> you can also convert it into what's called a ‘Trusted PDF’.
> 
> 
> You send the
> >> file to a different VM, then you open the file manager, navigate to the
> >> directory of the file, right-click and choose “Convert to Trusted PDF”,
> >> and then send the file back to the VM where you collect your documents.
> 
> 
> 
> >> But what does it exactly do? The “Convert to Trusted PDF” tool creates a
> >> new DisposableVM, puts the file there, and then transform it via a
> >> parser (that runs in the DisposableVM) that basically takes the RGB
> >> value of each pixel and leaves anything else. It's a bit like opening
> >> the PDF in an isolated environment and then ‘screenshoting it’ if you
> >> will. The file obviously gets much bigger, if I recall it transformed
> >> when I tested a 10Mb PDF into a 400Mb one. You can get much more details
> >> on that in this blogpost by security researcher and Qubes OS creator
> >> Joanna Rutkowska.
> >>
> >> [https://theinvisiblethings.blogspot.nl/2013/02/converting-untrusted-pdfs-into-trusted.html]
> >>
> >> --
> >> Upon reading it on the suggested sequence of opening  random/all PDFs,
> >> maybe , people vary  their sequence.
> >>
> >> It sounds like in say my Whonix Anon-appvm  , I d/l  a PDF, is it then
> >> suggested I copy this PDF  to a , what,  PDF dedicated AppVM 1st,
> >> Before doing  a  “Convert to Trusted PDF”  on the PDF file ?
> >>
> >> This would add a step to the much faster,  just  “Convert to Trusted
> >> PDF”  from the actual  Anon-Whonix  AppVM
> >>
> >>
> >> 2)
> >> Do folks typically backup  their Template VMs  ?  as I noticed they
> >> aren't set up by default to backup ?
> >>
> >> and/or what is the thinking behind backing up various VMs ?  I guess the
> >> ones that have been the most modified eg  the AppVMs ?   I have 1 very
> >> large 20 gigabyte  VM with old videos/pictures on it,  do I  back that
> >> one up ? for example?
> >
> > you just right click on the file and hit convert to trusted pdf.  i'm not 
> > sure what you're asking.
> 
> ...I separated the sentence out, above; it clearly says "you send 
> the file to a different VM" THEN convert to a trusted PDF. What would 
> this 'different VM' be? a disposable VM? or?
> 
> 
> > when it comes to backing up template vms.  I only backup my cloned vms.  I 
> > clone vms from the defaults if I'm gonna install custom configs in them.  
> > also so it has a diff name than default vms for less chance of issues when 
> > restoring.
> >
> > and of course you back up your videos and pictures, are you being serious? 
> > lol.  thats what most people backup.  and deeper thought is what if they 
> > all have viruses and everytime you open one up you infect your system.
> >
> > So that leads to another thought that well if you are willing to reinstall 
> > all your programs and configs from scratch on a default template, maybe 
> > you'd be better off.  But backing them up and restoring them is for 
> > convenience.
> 
> ...ya, like many people perhaps,  though, I used Qubes 90% of the 
> time, my old files/photos, are also on laptop, google photos, removable 
> large hard drive, windows 10 dual boot HD, etc,  yes, they are on Qubes, 
> but take up a huge amount of space, HENCE, backing them up would be a 
> bit of a pain for the time it takes.
> 
> ..you clone AppVMs you mean then back them up ; I really can't 
> follow what you're saying about your backups in sum, thanks
> 
> >

not sure why you are sending it to another vm. But if you want to it can be 
anything.

Whether you want to spend the time to backup your data or not is up to you. 

You asked about template vms.  I was saying I only backup cloned templates.  
not default ones.  which I create for the reasons stated in my previous post.

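Why the pixel-only representation described in the quoted answer is safe to accept, as an added example that is not the Qubes converter's own code: the receiving qube parses nothing except a short header and a byte count. The framing used here (a `WIDTH HEIGHT` text line followed by raw RGB bytes) and the size limit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate one page of raw RGB data handed back by an
# untrusted converter. The framing ("W H" line, then W*H*3 bytes) and the
# limits are assumptions of this sketch.

MAX_DIM=10000        # largest accepted width or height, in pixels
MAX_HDR=12           # "10000 10000" plus the newline

# is_dim N: true if N is a decimal integer in 1..MAX_DIM, no leading zero.
is_dim() {
    case $1 in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le "$MAX_DIM" ]
}

# check_page FILE: succeed only if FILE is "W H\n" followed by exactly
# W*H*3 bytes. Prints "W H" on success and nothing on rejection.
check_page() {
    f=$1
    [ -f "$f" ] || return 1
    # Look at the first MAX_HDR bytes only; drop NULs so the shell sees text.
    hdr=$(head -c "$MAX_HDR" "$f" | tr -d '\000' | head -n 1)
    w=${hdr%% *}
    h=${hdr#* }
    is_dim "$w" || return 1
    is_dim "$h" || return 1
    # Exactly one space, no padding, no extra fields.
    [ "$hdr" = "$w $h" ] || return 1
    # The byte right after the header text must be the newline itself.
    hdr_len=$(( ${#hdr} + 1 ))
    nl=$(head -c "$hdr_len" "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$nl" = "0a" ] || return 1
    # Total size must match the declared geometry byte for byte, so there
    # is no room for trailing data or a short read.
    expected=$(( hdr_len + w * h * 3 ))
    actual=$(( $(wc -c < "$f") ))
    [ "$actual" -eq "$expected" ] || return 1
    echo "$w $h"
}
```

Only a page that passes this check would be turned back into an image on the trusted side; every other structure of the original PDF never leaves the DisposableVM.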

[qubes-users] http filter

2017-06-23 Thread Bernhard
Hello,

in the (nice) tutorial
https://www.qubes-os.org/doc/config/http-filtering-proxy/ it is
suggested to run the tinyproxy inside the FirewallVM. That is
astonishing to me. I would think the qubes way were to have a proxyVM
(based on some minimal template) that is set *behind* Firewall and on in
it. one ascii picture replaces ten phrases:

Jungle  <->  SysNet  <-> FirewallVM <-> ProxyVM  <-+-> AppVM1
                                                 <-+-> AppVM2

So here are my two questions:

- is this better than the suggested  tinyproxy-in-FirewallVM ?

- did someone set up his filtering that way and give some hints / errors
to avoid?

Thanks, Bernhard






Re: [qubes-users] Whonix-ws template will not connect to sys-whonix after upgrade

2017-06-23 Thread Noor Christensen
On Thu, Jun 22, 2017 at 08:38:05PM -0400, 'Essax' via qubes-users wrote:
> I also cloned a whonix-ws temp for testing to make sure it was the
> upgrade that caused the problem and sure enough as soon as I did the
> upgrade I could not connect it to sys-whonix. (the gui and qvm-prefs
> said otherwise though) When I ran sudo apt-get update from whonix-ws
> konsole i get
> 
> Err http://sgvtcaew4bxjd7ln.onion jessie/updates Release.gpg Cannot
> initiate the connection to 10.137.255.254:8082 (10.137.255.254). -
> connect (101: Network is unreachable

Have you enabled "Allow connections to Updates Proxy" in the firewall
settings for your whonix-ws TemplateVM?

-- noor

|_|O|_|
|_|_|O|  Noor Christensen  
|O|O|O|  n...@fripost.org ~ 0x401DA1E0



[qubes-users] Re: ssh-agent, gnome-keyring, ed25519 keys

2017-06-23 Thread samcwb2
On Thursday, August 4, 2016 at 9:03:53 AM UTC-7, pixel fairy wrote:
> On Wednesday, August 3, 2016 at 8:21:03 PM UTC-7, pixel fairy wrote:
> > out of the box, fedora23 template, ssh-agent works fine with rsa keys, but 
> > not ed25519. 
> > 
> > could not add identity "/home/user/.ssh/id_ed25519": communication with 
> > agent failed
> > 
> > running "ssh-agent bash" and then adding both keys works fine. is there a 
> > clean way to disable this keyring? its not like we need it.
> 
> so in ubuntu this is easy to disable. "gnome-session-properties" and uncheck 
> "ssh key agent". you get back the real ssh-agent. none of the methods ive 
> found online work to disable it in the fedora or debian appvms.

The need for this bypass is due to a long-standing bug in gnome-keyring.

For those googling this, after making pixel fairy's recommended change, restart 
your session and issue "ssh-add" in a shell prompt after which your keys will 
work fine for the remainder of the session.
