[qubes-users] Receive-only email VM

[reddit . tor]

In Qubes, is it possible to set up a VM that can receive email, but  
not send information out, via email or otherwise?


The motivation is: Many online accounts rely on an email address to  
reset passwords. However, the VM that handles inbound emails,  
processes a lot of untrusted input. If the VM gets compromised by an  
attacker, the attacker can then send password reset emails and read  
them. So to defend against this, I want to prevent the compromised VM  
from communicating out the contents of these password reset emails.


Specifically:
1. Assume the VM is compromised (can't rely on in-VM enforcement mechanisms).
2. Assume the email provider is not compromised

To further illustrate the problem, here are example setups and why  
they don't work:


Setup 1: Use qubes firewall to restrict to the email provider's server  
and IMAP port. Block UDP requests using qvm-firewall.
Why it doesn't work: Attacker can create an account on the same email  
provider and connect to their account (the firewall rules will not  
prevent this). They can then sync emails containing any data, to their  
account.


Setup 2: Like Setup 1, but use POP3.
Why it doesn't work: Attacker creates account at provider, transmits  
data via POP3 delete operations.


Does anyone have a email setup with this inbound-only property,  
ideally that does not require running their own email server?


Thank you.


-
This free account was provided by VFEmail.net - report spam to ab...@vfemail.net

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the 
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!  


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190802172417.Horde.M2A6oHRcxGgHKjm0legNGrC%40www.vfemail.net.

[qubes-users] HCL for Lenovo X240

[rss+qubes]

Everything works flawlessly except return from suspend, where sys-usb
is frozen and needs a restart. I am now in the habit of simply turning
off sys-usb before suspending.

I did have one nasty surprise: this machine is fitted for a maximum of
8G of RAM. There is in fact only one RAM socket. A pleasant surprise
after this was that, for me, it is actually usable. Once or twice a day
I have to turn something off to start something else, but so far this
has been tolerable. Obviously, YMMV.

I have an X230 with 16G of RAM, so buying a later model that cannot
handle as much RAM was a real kick in the butt. (Thanks, Lenovo.)
Because of the RAM fiasco, I think it would be a real good idea if
this report makes it into the HCL. It is noticeably faster than the
X230, but the X230 is still a better machine for a Qubes user.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190805175252.4582a554%40armor-mail.com.


Qubes-HCL-LENOVO-20AMS2P10Q-20190805-173748.yml
Description: application/yaml

Re: [qubes-users] Re: Failed qubesd deamon connection

[cammumtar]

On Sunday, 14 July 2019 00:58:56 UTC+3, awokd  wrote:
> r...@gmail.com:
> > On Wednesday, 10 July 2019 18:46:11 UTC+3, awokd  wrote:
> >>
> >>> On Tuesday, 9 July 2019 04:43:14 UTC+3, awokd  wrote:
> > On Monday, 8 July 2019 23:42:36 UTC+3, camm...@gmail.com  wrote:
> >> I have tried everything on the internet to solve my problem it says 
> >> Start-limit-hit. I try you post in another chat nano 
> >> var/lib/qubes/qubes.xml.resut no directory exist.
> >> I try everything else I find on the web withe no solution. I have 
> >> photos I don't want to lost and work stuff I need.
> >> Please help me.
> >
> > https://postimg.cc/2bPYyHMW
> > https://postimg.cc/YjGq7FZg
> >
> > More details of my problem.
> >
>  Provide text log file of "sudo journalctl -b" output. Note you may want 
>  to edit out hardware serial #s, etc.
> >>>
> >>> https://ibb.co/9h1ftRV
> >>> https://ibb.co/BPkP5xh
> >>> https://ibb.co/Jjfw788
> >>> https://ibb.co/pZfmbhw
> >>> https://ibb.co/r7bG2Tt
> >>> https://ibb.co/Yj855pZ
> >>> https://ibb.co/318v99W
> >>> https://ibb.co/RjSB7qJ
> >>> https://ibb.co/W6SJZQm
> >>> https://ibb.co/tY7mnbv
> >>> https://ibb.co/wz7TCTm
> >>> https://ibb.co/BtYyw8y
> >>> https://ibb.co/wpq7gts
> >>> https://ibb.co/KD8qZ1V
> >>> https://ibb.co/WvDKkZS
> >>> https://ibb.co/276gsbw
> >>> https://ibb.co/4gXZ3Rc
> >>> https://ibb.co/QfgJjmP
> >>> https://ibb.co/c27y82v
> >>> https://ibb.co/kcCLfT8
> >>> https://ibb.co/L87KrZs
> >>>
> >>> These are links to images I take. 
> >>> I can make for you a video and send if you want. It is about 3500 lines 
> >>> total.
> >>>
> >>> I really appreciate your help. Thank you very much. I really like qubes 
> >>> no problems until I put USB to transfer photos. Then after this problem 
> >>> occurs. I use same USB everything nothing new. Only one computer and 1 
> >>> camera that's it.
> >>>
> >>> Thank you very much. 
> >>>
> >> Appreciate the time it took to make all those pictures, but I was
> >> looking for a text file instead? You should be able to mount a USB drive
> >> from the command line and copy it out.
> > 
> > I am at [root@dom0 usb-drive]# cp 
> > What do I type in to copy the file to usb. I don't want you to think I 
> > haven't tried for a good 10hrs but I couldn't find fill directory. Do maybe 
> > I need to create it?? 
> > Please advise. Thank you 
> > 
> If you have the usb drive mounted and are in its directory:
> 
> sudo journalctl -b > ./journal.log

Finally had screen replaced
This is the link https://ufile.io/l9rf93tw

Please tell me if need anything more to help fix problem. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/06038b4b-2a47-4f21-b6d2-8b265376cf0c%40googlegroups.com.

[qubes-users] Qubes installer gives dracut-pre-udev error. (Second mailing attempt.)

['interested_in_QubesOS' via qubes-users]

Second time I'm posting this because last time the mailing list sent me an 
"attachment blocked" message or something like that. I'll try with no 
attachment then reply to my own post with the attachment.

I see something almost exactly like what I described below every time I boot up 
the installation medium, choosing the option to test media and install. The 
only changes I've noticed are the multi-digit numbers. After this it goes to 
the loading/testing screen, then to the actual installation configuration menu 
as if nothing is wrong... Is that the case, is there nothing wrong?

Legend: Anything in bold means it has changed. (The only things that changed 
were the multi-digit numbers.)

[   9.916342] dracut-pre-udev[472]: rpc.idmapd: conf_reinit: open 
("null)", 0_RDOMLY) failed
[   9.916791] dracut-pre-udev[472]: rpc.idmapd: conf_reinit: open 
("null)", 0_RDOMLY) failed
This is displayed twice, seemingly because of sudden resolution change.

Second time I fired up the installation medium (and recorded this part):
[   9.663112] dracut-pre-udev[471]: rpc.idmapd: conf_reinit: open 
("null)", 0_RDOMLY) failed
[   9.663586] dracut-pre-udev[471]: rpc.idmapd: conf_reinit: open 
("null)", 0_RDOMLY) failed
Once again, displayed twice.

The attached video shows what I described.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/DDj41UKWuGrJ-VbgVDsCaS_J7KYXEvh28Q9SrReUQ_ywY3k3fAPW8aI3om9leHxMtERrAWkb4dYwNkVkHfWQiAKHHaE3qUiIawXCkjXnzZo%3D%40protonmail.com.

Re: [qubes-users] Re: USB Controller passthru to HVM on Qubes 3.1

[Pete Howell]

I do have a system running 3.2, but I can't keep Windows 7 running on it -- it 
just dies after 10 minutes or so.

Does anyone have any ideas?  I launched the HVM from the command line in the 
hopes I might see an error, but the system starts up clean -- just no device 
showing on Windows.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/de2b2545-885c-4d2e-8076-1607ab9731d1%40googlegroups.com.

Re: [qubes-users] Coreboot?

[ljul8047]

So like installing coreboot should eliminate any malware installed at firmware 
levels, right?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ee50f98c-6651-4348-b08f-8de105821098%40googlegroups.com.

Re: [qubes-users] Coreboot?

[ljul8047]

Thanks a lot for the reply. So if the previous owner’s dom0/laptop was 
infected, it wouldn’t have any effect on me if I change the SSD and install 
coreboot, am I understanding right? I apologise for my ignorance on this topic, 
I’m learning only now.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/67087989-79ef-49eb-8b39-1d9c10a6082e%40googlegroups.com.

Re: [qubes-users] Coreboot?

['awokd' via qubes-users]

ljul8...@gmail.com:
> I was told that buying an used laptop represents an extra risk since the 
> previous owner could have used the laptop with Qubes and got dom0 infected.

There's some terminology mixed up here. Qubes' dom0 is part of the
operating system, not the hardware. A Qubes dom0 infection, although
unlikely, is no different than a Windows or Linux infection, and can be
cleaned by formatting the drive. What you are concerned about is a
firmware infection, which is less likely to happen compared to other
OS's if someone was already running Qubes. Again, out of the hundreds of
thousands malwares out there, I've only heard of a couple that install
themselves at the firmware level so the chances of you finding a used
laptop with one are minimal. You need to weigh this against the
possibility that new laptops could also be infected. Some say all new
x86 laptops are backdoored, for example.

> After a little bit of research, I was told that installing coreboot would 
> eliminate/delete any malware that, in a hypothetical case, took control of 
> dom0 when the previous owner used the laptop for Qubes but I’m not too sure 
> if this is true, do you guys thinks it’s true?
> 

Yes, I believe flashing Coreboot would eliminate known system firmware
malwares. See 799's reply, he beat me to it!

You might also check out https://insurgo.ca/ if you're not comfortable
flashing yourself.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/17b38f88-625b-2c33-67ae-afc2cd40b797%40danwin1210.me.

Re: [qubes-users] Coreboot?

[799]

Hello,

On Mon, 5 Aug 2019 at 22:58,  wrote:

> I was told that buying an used laptop represents an extra risk since the
> previous owner could have used the laptop with Qubes and got dom0 infected.
> After a little bit of research, I was told that installing coreboot would
> eliminate/delete any malware that, in a hypothetical case, took control of
> dom0 when the previous owner used the laptop for Qubes but I’m not too sure
> if this is true, do you guys thinks it’s true?
>

I would always replace the storage media in a used laptop to get a fresh
SSD, as this is where your data is stored and you don't want to mess
arround with a used SSD or HDDs. And with todays low prices for SSDs it's
even more fun to do so.

If dom0 was "infected" you would not be affected if you use another ssd,
you could of course also reinstall Qubes on the used device, but as
mentioned above .. no reason to do so.
If the previous user has an infected or manipulated BIOS you can indeed
reflash with coreboot, in fact I would always suggest to run coreboot if
your laptop is able to do so - I would even reccomend to buy only devices
which support coreboot (for example Lenovo X230 / T430 / W530 ...).

Keep in mind that an attacker could always place a tiny spy device inside a
used laptop which can then be used to sniff your keyboard entries etc. But
as this is an attack which is more likely used if you are a high priority
target, I think that this scenario is quiet unlikely.

Therefore:
Buy a used Lenovo X/T/W x30, install coreboot and become a happy Qubes user.
If you need more information how to install coreboot, take a look here,
where I tried to document a whole run through for a X230:
https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/howto-coreboot_copy.md

- O

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2t%2B2uiU4N6EOk47g48%3D0o1Fawb5qkQoX8K0tVrfo-81Qg%40mail.gmail.com.

[qubes-users] Coreboot?

[ljul8047]

I was told that buying an used laptop represents an extra risk since the 
previous owner could have used the laptop with Qubes and got dom0 infected. 
After a little bit of research, I was told that installing coreboot would 
eliminate/delete any malware that, in a hypothetical case, took control of dom0 
when the previous owner used the laptop for Qubes but I’m not too sure if this 
is true, do you guys thinks it’s true?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/33570915-f78e-4211-9dfe-fb3ff2651c9c%40googlegroups.com.

Re: [qubes-users] Lenovo T480/T480s anyone got power management working properly?

[Stefan Leibfarth]

Hi!

On 05.08.19 12:39, Jurre andmore wrote:

> I had resume problems, until I disabled thunderbolt in the bios. From that
> moment on, I could resume without a problem.

I'm not sure this is all necessary, but:
"Un-assign second USB controller (15c1 ?) from sys-usb for suspend to
work" [1].

Greetings
Stefan

[1]
https://www.qubes-os.org/hcl/#lenovo_thinkpad-t480-20l6s1rg00_i7-8650u_kaby-lake-r_integrated-graphics

> Op zo 4 aug. 2019 om 20:37 schreef :
> 
>> Hello,
>>
>> I'm struggling to get my T480s working on resume as it displays a blank
>> screen that doesn't allow me to do anything.
>> All problematic modules are already part of the suspend blacklist:
>>
>> ehci_pci
>> xhci_pci
>> iwldvm
>> iwlmvm
>>
>> Nonetheless the resume only works when I shutdown the sys-usb before the
>> suspend, which is a bit painful to do on every suspend.
>> Power management also doesn't work, when I press the power off button
>> nothing happens nor the laptop enters the suspend state.
>> The battery also get hot very quickly and drains very fast it seems its
>> not optimized.
>>
>> Did anyone managed to fix these issues with the T480s or the T480?
>>
>> Any recommendations are really appreciate.
>>
>> Thank you!
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to qubes-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/qubes-users/6d955b4251a377fd6607926a01f818d4%40disroot.org
>> 
>> .
>>
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8717d967-7f1e-5753-2de3-1fd7d7695d8f%40leibfarth.org.

Re: [qubes-users] Lenovo T480/T480s anyone got power management working properly?

[Jurre andmore]

Hey!

I had resume problems, until I disabled thunderbolt in the bios. From that
moment on, I could resume without a problem.

Hope it helps.

Best,
Jurre

Op zo 4 aug. 2019 om 20:37 schreef :

> Hello,
>
> I'm struggling to get my T480s working on resume as it displays a blank
> screen that doesn't allow me to do anything.
> All problematic modules are already part of the suspend blacklist:
>
> ehci_pci
> xhci_pci
> iwldvm
> iwlmvm
>
> Nonetheless the resume only works when I shutdown the sys-usb before the
> suspend, which is a bit painful to do on every suspend.
> Power management also doesn't work, when I press the power off button
> nothing happens nor the laptop enters the suspend state.
> The battery also get hot very quickly and drains very fast it seems its
> not optimized.
>
> Did anyone managed to fix these issues with the T480s or the T480?
>
> Any recommendations are really appreciate.
>
> Thank you!
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/6d955b4251a377fd6607926a01f818d4%40disroot.org
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABa6M9pB8Xg4bGgd8JVLJsvWrWQ4gfRzhVfUhu9Y18Qy0OiQDg%40mail.gmail.com.

[qubes-users] Qubes on Intel NUC8i7hvk

[galthop]

I'm running qubes on a NUC8i7beh with a nvme sdd, not optane and it all seems 
to work.

I had to change some bios settings as the fans were kicking in a lot but other 
than that it was an easy install. I didn't need any special drivers.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1d18cc79-aa2b-488e-8eb0-039cafc47642%40googlegroups.com.