Re: [qubes-users] The VPN avalibel in Qubes

2019-08-16 Thread 799
Hello Chris,

Chris Laprise  schrieb am Di., 13. Aug. 2019, 23:10:

> (...)
> The easiest & most comprehensive/secure VPN config for Qubes is here:
>
> https://github.com/tasket/Qubes-vpn-support
>
> You can also try your luck with the VPN instructions on the Qubes
> website, but its more manual work (even if you use Network Manager) for
> less results.
>

I just tried your script and installation was straightforward.
Very nice work, thanks for sharing.

Should be included in Qubes by default or at least be highlighted in bold
in the Qubes docs:
https://www.qubes-os.org/doc/vpn/

I'll also take a look into your other scripts ;-)

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vcgi5OXtr_WY9t1N%2BbMgoDfB0njkX-sfv4ARhHbn6zdw%40mail.gmail.com.


Re: [qubes-users] using static dispVM for sys-net

2019-08-16 Thread Chris Laprise

On 8/10/19 5:12 AM, 799 wrote:

Hello,

Jon deps mailto:yreb...@riseup.net>> schrieb am 
Mi., 3. Juli 2019, 22:30:


am curious if anyone actually does this , and how or would it make
any sense instead to use a static sys-firewall ,  if I
just have the default  sys-firewall  (which might be easier because
there would not be a need for the PCI  setup  ?each time)


What would be the better choice regarding attack surface:
  disposable netvm+firewallvm vs. mirage-firewall?
If I understand it right the mirage firewall has no/less option to be 
compromised.
I am using the mirage fw and are only using a fedora-30-minimal based 
sys-firewall to get dom0-updates, which can't be done via the mirage 
firewall.


But I'll also change this firewall to a static disposable FW.

Question:
Afaik the problem when using a static disposable sys-net VM is, that I 
need to enter my Wifi Credentials each time, as the VM will be unable to 
remember them.

Is there any way tweaking this behaviour?


To get a similar result, adding Qubes-VM-hardening to your template 
would sanitize sys-net on each boot while retaining your wifi connection 
passwords. After installing, all you have to do is enable 
'vm-boot-protect-root' Qubes service for the sys-net VM. By default, the 
contents of /home are retained, but you can change that by also enabling 
'vm-boot-tag-qhome' which sets up a quarantine on /home.


(You can also use it to do minor per-vm customizations at startup, which 
allows more re-use of a template instead of having to make clones.)


The result isn't quite as secure as using a DispVM, because the Ext4 
filesystem itself could (theoretically) be exploited. But I think it 
raises the bar quite a bit.


https://github.com/tasket/Qubes-VM-hardening

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5fc9440a-5d09-c043-26a5-6290befe7729%40posteo.net.


[qubes-users] Re: using static dispVM for sys-net

2019-08-16 Thread rec wins
On 8/9/19 11:12 PM, 799 wrote:
> Hello,
> 
> Jon deps  schrieb am Mi., 3. 
> Juli 2019, 22:30:
> 
>> am curious if anyone actually does this , and how or would it make any
>> sense instead to use a static sys-firewall ,  if I
>> just have the default  sys-firewall  (which might be easier because
>> there would not be a need for the PCI  setup  ?each time)
> 
> 
> What would be the better choice regarding attack surface:
>  disposable netvm+firewallvm vs. mirage-firewall?
> If I understand it right the mirage firewall has no/less option to be
> compromised.
> I am using the mirage fw and are only using a fedora-30-minimal based
> sys-firewall to get dom0-updates, which can't be done via the mirage
> firewall.
> 
> But I'll also change this firewall to a static disposable FW.
> 
> Question:
> Afaik the problem when using a static disposable sys-net VM is, that I need
> to enter my Wifi Credentials each time, as the VM will be unable to
> remember them.
> Is there any way tweaking this behaviour?
> 
> 799
> 

799,  do you have  mirageOS  upstream of sys-net2 (disposable)  working.

I built and have mirage as sys-firewall, but I built it before I created
sys-net2 (disposable)

and the mirage firewall works  upstream of sys-net  but  not sys-net2


I'm thinking during the build process it must be looking for sys-net and
not a sys-net2 , esp  if it's not there ?

I could rebuild not that I have a sys-net2  , but  not too confident
about that

best regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/92d1f0ca-24bb-88a7-976b-a71309b361b9%40riseup.net.


[qubes-users] Re: How do I make sure that kernel-headers can be found at /lib/modules/4.19.56-1.pvops.qubes.x86_64/build or /lib/modules/4.19.56-1.pvops.qubes.x86_64/source

2019-08-16 Thread 'jmxy' via qubes-users
Answer is much more simple than I thought -- you install the kernel-devel 
packages for the version of the kernel that you are using.

Looks like that's in qubes-dom0-current-testing. Seeing some strange here that 
looks like the update VM downloading the package but then not passing the 
package back to dom0. Any idea of what's going on here?

sudo qubes-dom0-update kernel-devel-4.19.56-1.pvops.qubes.x86_64
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some 
time...
Fedora 25 - x86_64 - Updates3.3 MB/s |  24 MB 00:07
Fedora 25 - x86_64  3.8 MB/s |  50 MB 00:13
Qubes Dom0 Repository (updates) 3.4 MB/s |  12 MB 00:03
Qubes Dom0 Repository (updates-testing)  11 MB/s |  23 MB 00:02
determining the fastest mirror (15 hosts).. done.--  B/s |   0  B --:-- ETA
Qubes Templates repository  2.3 kB/s |  12 kB 00:05
Dependencies resolved.

Package Arch   VersionRepository  Size

Installing:
kernel-devel
 x86_64 1000:4.19.56-1.pvops.qubes qubes-dom0-current-testing  13 M

Transaction Summary

Install  1 Package

Total download size: 13 M
Installed size: 52 M
DNF will only download packages for the transaction.
Downloading Packages:
kernel-devel-4.19.56-1.pvops.qubes.x86_64.rpm   3.1 MB/s |  13 MB 00:04

Total   2.4 MB/s |  13 MB 00:05
Complete!
The downloaded packages were saved in cache until the next successful 
transaction.
You can remove cached packages by executing 'dnf clean packages'.
Qubes OS Repository for Dom0
  
131 MB/s | 138 kB 00:00
No package kernel-devel-4.19.56-1.pvops.qubes.x86_64 available.
Error: Unable to find a match.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

‐‐‐ Original Message ‐‐‐
On Friday, August 16, 2019 2:13 PM, jmxy  wrote:

> Hi,
> I'm trying to get Displaylink drivers working on my P52s ThinkPad so I can 
> use a USB-C docking station (needs Displaylink to use monitors through USB-C 
> dock). I've had a few hiccups which I've detailed 
> [here](https://www.reddit.com/r/Qubes/comments/crapm4/how_to_install_displaylink_drivers_on_qubes/)
>  trying to get this package working: 
> https://github.com/displaylink-rpm/displaylink-rpm/releases.
>
> It looks like the rpm uses a post install script to start the Displaylink 
> service.
>
> ```
> $ rpm -qip --scripts displaylink.rpm
> postinstall scriptlet (using /bin/sh):
> # The displaylink service may crash as dkms rebuilds the module
> /usr/bin/systemctl -q is-active displaylink.service && /usr/bin/systemctl 
> stop displaylink.service
> /usr/bin/systemctl daemon-reload
> /usr/bin/systemctl -q is-enabled dkms.service || /usr/bin/systemctl enable 
> dkms.service
> /sbin/dkms install evdi/1.6.2 >> /var/log/displaylink/displaylink.log 2>&1
> /usr/bin/systemctl start displaylink.service
> ```
> For me it fails because it can't find my kernel headers:
>
> ```
> $ less /var/log/displaylink/displaylink.log
> Creating symlink /var/lib/dkms/evdi/1.6.2/source ->
> /usr/src/evdi-1.6.2
>
> DKMS: add completed.
> Error! echo
> Your kernel headers for kernel 4.19.56-1.pvops.qubes.x86_64 cannot be found at
> /lib/modules/4.19.56-1.pvops.qubes.x86_64/build or 
> /lib/modules/4.19.56-1.pvops.qubes.x86_64/source.
> Warning: I do not know how to handle 4.19.56-1.pvops.qubes.x86_64.
> Error! echo
> Your kernel headers for kernel 4.19.56-1.pvops.qubes.x86_64 cannot be found at
> /lib/modules/4.19.56-1.pvops.qubes.x86_64/build or 
> /lib/modules/4.19.56-1.pvops.qubes.x86_64/source.
>
> --
> Deleting module version: 1.6.2
> completely from the DKMS tree.
> --
> Done.
>
> Creating symlink /var/lib/dkms/evdi/1.6.2/source ->
> /usr/src/evdi-1.6.2
>
> DKMS: add completed.
> Error! echo
> Your kernel headers for kernel 4.19.56-1.pvops.qubes.x86_64 cannot be found at
> /lib/modules/4.19.56-1.pvops.qubes.x86_64/build or 
> /lib/modules/4.19.56-1.pvops.qubes.x86_64/source.
> Warning: I do not know how to handle 4.19.56-1.pvops.qubes.x86_64.
> Error! echo
> Your kernel headers for kernel 4.19.56-1.pvops.qubes.x86_64 cannot be found at
> /lib/modules/4.19.56-1.pvops.qubes.x86_64/build or 
> /lib/modules/4.19.56-1.pvops.qubes.x86_64/source.
> ```
> Any thoughts on how I can ensure that this package can find the right 
> kernel-headers?
>
> Cheers!
> jm
>
> Sent with [ProtonMail](https://protonmail.com) Secure 

[qubes-users] How do I make sure that kernel-headers can be found at /lib/modules/4.19.56-1.pvops.qubes.x86_64/build or /lib/modules/4.19.56-1.pvops.qubes.x86_64/source

2019-08-16 Thread 'jmxy' via qubes-users
Hi,
I'm trying to get Displaylink drivers working on my P52s ThinkPad so I can use 
a USB-C docking station (needs Displaylink to use monitors through USB-C dock). 
I've had a few hiccups which I've detailed 
[here](https://www.reddit.com/r/Qubes/comments/crapm4/how_to_install_displaylink_drivers_on_qubes/)
 trying to get this package working: 
https://github.com/displaylink-rpm/displaylink-rpm/releases.

It looks like the rpm uses a post install script to start the Displaylink 
service.

```
$ rpm -qip --scripts displaylink.rpm
postinstall scriptlet (using /bin/sh):
# The displaylink service may crash as dkms rebuilds the module
/usr/bin/systemctl -q is-active displaylink.service && /usr/bin/systemctl stop 
displaylink.service
/usr/bin/systemctl daemon-reload
/usr/bin/systemctl -q is-enabled dkms.service || /usr/bin/systemctl enable 
dkms.service
/sbin/dkms install evdi/1.6.2 >> /var/log/displaylink/displaylink.log 2>&1
/usr/bin/systemctl start displaylink.service
```
For me it fails because it can't find my kernel headers:

```
$ less /var/log/displaylink/displaylink.log
Creating symlink /var/lib/dkms/evdi/1.6.2/source ->
/usr/src/evdi-1.6.2

DKMS: add completed.
Error! echo
Your kernel headers for kernel 4.19.56-1.pvops.qubes.x86_64 cannot be found at
/lib/modules/4.19.56-1.pvops.qubes.x86_64/build or 
/lib/modules/4.19.56-1.pvops.qubes.x86_64/source.
Warning: I do not know how to handle 4.19.56-1.pvops.qubes.x86_64.
Error! echo
Your kernel headers for kernel 4.19.56-1.pvops.qubes.x86_64 cannot be found at
/lib/modules/4.19.56-1.pvops.qubes.x86_64/build or 
/lib/modules/4.19.56-1.pvops.qubes.x86_64/source.

--
Deleting module version: 1.6.2
completely from the DKMS tree.
--
Done.

Creating symlink /var/lib/dkms/evdi/1.6.2/source ->
/usr/src/evdi-1.6.2

DKMS: add completed.
Error! echo
Your kernel headers for kernel 4.19.56-1.pvops.qubes.x86_64 cannot be found at
/lib/modules/4.19.56-1.pvops.qubes.x86_64/build or 
/lib/modules/4.19.56-1.pvops.qubes.x86_64/source.
Warning: I do not know how to handle 4.19.56-1.pvops.qubes.x86_64.
Error! echo
Your kernel headers for kernel 4.19.56-1.pvops.qubes.x86_64 cannot be found at
/lib/modules/4.19.56-1.pvops.qubes.x86_64/build or 
/lib/modules/4.19.56-1.pvops.qubes.x86_64/source.
```
Any thoughts on how I can ensure that this package can find the right 
kernel-headers?

Cheers!
jm

Sent with [ProtonMail](https://protonmail.com) Secure Email.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/phimvYJ7bnWzKrNJ3gXFh14R5OtMIY9sU6btxmDeRlAoMx7jHyI0bPUvgFMcF6csbtRiGwr4sIp2tqsxSJDk7EPfGtAfkV-YbEcuVeWrnAc%3D%40protonmail.com.


Re: [qubes-users] Problem with NextCloud-Client App-VM (unable to login on 2nd boot)

2019-08-16 Thread sourcexorapprentice
*long day, missed the part where I blasted my old keyrings if step 3 fails:
sudo rm -rf /home/user/.local/share/keyrings

I had no saved passwords/keys but it was still an issue somehow, so this 
forced the new first-time keyring password prompt on AppVM reboot that I 
left blank. So apparently libgnome-keyring is a dependency. No idea what 
the Nextcloud forum are referenced with libgnome-keyring0.

On Friday, August 16, 2019 at 4:58:08 PM UTC-4, sourcexorapprentice wrote:
>
> libgnome-keyring, not just gnome-keyring.
>
> Various forums suggest an issue (is there though?) in Fedora where PAM and 
> the gnome keyring do not play nice together and an additional theory that 
> the Fedora keyring is just not making Nextcloud entries due to some bug. 
>
> My current solution:
> 1. Boot your template Fedora VM and then install the gnome keyring:
> dnf install -y libgnome-keyring
> sudo shutdown -h now
> 2. Restart your qubes AppVM and login to your Nextcloud client with your 
> password, restart
> 3. Nextcloud starts and is good to go without password
>
> If 3 fails (did for me), then you may want to blast your keyrings 
> (warning: you're deleting your keyrings, so other saved password...), so in 
> the AppVM just run "sudo dnf -y remove gnome-keyring && sudo dnf -y install 
> gnome-keyring" reboot and enter a null password on boot, then repeat step 2.
>
> I'm still anxious about this because my keyring uses as...NULL password! 
> My understanding is that this is an acceptable risk and has the same logic 
> as the null root password. Someone who is local on the AppVM is going to be 
> able to escalate to root anyway, and therefore will own the keyring so 
> you're pwned anyway so just make the keyring null so it's less annoying. Is 
> this horribly wrong?
>
> Example of suggested solutions:
> https://github.com/nextcloud/desktop/issues/427
>
> On Friday, August 16, 2019 at 4:19:22 PM UTC-4, 799 wrote:
>>
>> Hello,
>>
>> On Fri, 16 Aug 2019 at 11:22, Stefan Leibfarth  
>> wrote:
>>
>>> [...]
>>> I'd guess it's not directly Qubes related, maybe this problem:
>>>
>>> https://help.nextcloud.com/t/nextcloud-client-asks-for-password-every-time-it-starts/28591/3
>>>
>>
>> I tried nearly everything from this forum post, I also tried to use other 
>> templates fedora-29, fedora-30, still the same problem.
>> I also tried to install gnome-keyring but it doesn't make a difference.
>>
>> Anyelse has a Nextcloud CLIENT (not server) running in Qubes and give me 
>> a hint, why I need to re-enter my credentials after boot and even after the 
>> nextcloud client is not pocking up the sync again.
>>
>> [799]
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/80c109d6-3894-4a69-85b3-265e517db57e%40googlegroups.com.


Re: [qubes-users] Problem with NextCloud-Client App-VM (unable to login on 2nd boot)

2019-08-16 Thread sourcexorapprentice

libgnome-keyring, not just gnome-keyring.

Various forums suggest an issue (is there though?) in Fedora where PAM and 
the gnome keyring do not play nice together and an additional theory that 
the Fedora keyring is just not making Nextcloud entries due to some bug. 

My current solution:
1. Boot your template Fedora VM and then install the gnome keyring:
dnf install -y libgnome-keyring
sudo shutdown -h now
2. Restart your qubes AppVM and login to your Nextcloud client with your 
password, restart
3. Nextcloud starts and is good to go without password

If 3 fails (did for me), then you may want to blast your keyrings (warning: 
you're deleting your keyrings, so other saved password...), so in the AppVM 
just run "sudo dnf -y remove gnome-keyring && sudo dnf -y install 
gnome-keyring" reboot and enter a null password on boot, then repeat step 2.

I'm still anxious about this because my keyring uses as...NULL password! My 
understanding is that this is an acceptable risk and has the same logic as 
the null root password. Someone who is local on the AppVM is going to be 
able to escalate to root anyway, and therefore will own the keyring so 
you're pwned anyway so just make the keyring null so it's less annoying. Is 
this horribly wrong?

Example of suggested solutions:
https://github.com/nextcloud/desktop/issues/427

On Friday, August 16, 2019 at 4:19:22 PM UTC-4, 799 wrote:
>
> Hello,
>
> On Fri, 16 Aug 2019 at 11:22, Stefan Leibfarth  > wrote:
>
>> [...]
>> I'd guess it's not directly Qubes related, maybe this problem:
>>
>> https://help.nextcloud.com/t/nextcloud-client-asks-for-password-every-time-it-starts/28591/3
>>
>
> I tried nearly everything from this forum post, I also tried to use other 
> templates fedora-29, fedora-30, still the same problem.
> I also tried to install gnome-keyring but it doesn't make a difference.
>
> Anyelse has a Nextcloud CLIENT (not server) running in Qubes and give me a 
> hint, why I need to re-enter my credentials after boot and even after the 
> nextcloud client is not pocking up the sync again.
>
> [799]
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0655f4f-e862-495d-8339-890294d6ccf2%40googlegroups.com.


[qubes-users] Re: best and less expensive Lenovo think pad

2019-08-16 Thread American Qubist 001
I lose track of the difference between Ideapads and Thinkpads but I have 
installed Qubes successfully on 4GB RAM Lenovos that cost less than $300 
new, without issue. Nice to upgrade memory to 8 GB though. 

On Monday, August 12, 2019 at 12:26:15 AM UTC-7, 27casa...@gmail.com wrote:
>
> What is the best and less expensive Lenovo think pad for new Qube?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8db243b6-bcd3-401d-8706-e47e430b2b45%40googlegroups.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-16 Thread American Qubist 001
Is it really so bad just to use the standard EFI with fastboot and secure 
boot disabled? I use that with a password but maybe coreboot is important 
too. No one has physical access afaik unless the landlord is letting 
Russian spies into my apartment. 

On Monday, August 12, 2019 at 3:51:35 AM UTC-7, awokd wrote:
>
> 27casa...@gmail.com : 
> > What is the best and less expensive Lenovo think pad for new Qube? 
> > 
> G505s if you're prepared to Coreboot it yourself. PrivacyBeast if not. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fdb6ab29-7daf-49a3-850f-74668ed16b2e%40googlegroups.com.


Re: [qubes-users] Problem with NextCloud-Client App-VM (unable to login on 2nd boot)

2019-08-16 Thread 799
Hello,

On Fri, 16 Aug 2019 at 11:22, Stefan Leibfarth  wrote:

> [...]
> I'd guess it's not directly Qubes related, maybe this problem:
>
> https://help.nextcloud.com/t/nextcloud-client-asks-for-password-every-time-it-starts/28591/3
>

I tried nearly everything from this forum post, I also tried to use other
templates fedora-29, fedora-30, still the same problem.
I also tried to install gnome-keyring but it doesn't make a difference.

Anyelse has a Nextcloud CLIENT (not server) running in Qubes and give me a
hint, why I need to re-enter my credentials after boot and even after the
nextcloud client is not pocking up the sync again.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tTGtifnYKCRbq0sFa2EhmWEk%2BQb2h6mPxJ-fdAhWJwHQ%40mail.gmail.com.


[qubes-users] What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64 ISO?

2019-08-16 Thread O K
I've downloaded the iso and gotten the sha-256 of the file from the MD5/SHA 
utility.  I just need to figure out how to verify that number with the 
actual checksum.  I cannot for the life of me figure out the GPG, PGP, PCP 
or whatever else it is.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f33fc641-8658-484c-a35b-fd91892d1817%40googlegroups.com.


[qubes-users] What is the SHA-256 checksum of the Qubes-R4.0.1-x86_64.iso?

2019-08-16 Thread O K
I've downloaded the iso and gotten the sea-256 of the file from a utility. 
 I just need to figure out how to verify that number with the actual 
checksum.  I cannot for the life of me figure out the GPG, PGP, PCP or 
whatever else it is.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6b1cd55d-3382-474d-8b1e-ca07ccc6d8bf%40googlegroups.com.


Re: [qubes-users] Which qube is most secure for internet use?

2019-08-16 Thread O K
No, I will only be using the computer on public networks, not a private one 
so router, phone, etc is not an issue.  I'm talking about if someone were 
to become a target because, let's say, he was in China speaking out against 
the gov't - the gov't could identify what network and computer that traffic 
was coming from, hack into his computer and they're off to the races. 
 Obviously China, N. Korea, etc can probably get into any computer, server, 
etc. they want (N. Koreans hacked into Universal studios or whatever studio 
that was), and they certainly won't be after me, but I'm talking from a 
security standpoint.

On Friday, August 16, 2019 at 12:54:45 PM UTC-4, 799 wrote:
>
>
>
> O K > schrieb am Fr., 16. Aug. 2019, 18:17:
>
>> Well I'm not as concerned about people monitoring/intercepting the 
>> content of my communications, just about identifying information about the 
>> hardware of my computer being accessible.
>>
>
> Why? If someone can't identify you, why should he make the effort to find 
> a way into your Qubes machine to get the hardware info? If it is an attack 
> which you're not the specific target, there are easier options, like 
> hacking your router or maybe one of your "smart" home devices.
>
> I know it's not easy to acquire info about someone's computer from the 
>> internet, and if the computer's running Qubes I would imagine it's harder, 
>> but I think it can be done (definitely Mac address but possibly more info).
>>
>
> Yes. Using Qubes will increase your security to a reasonable secure level 
> (if you use it correctly).
>
> [799]
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/581b826b-edd4-499a-a0fe-de8979388384%40googlegroups.com.


Re: [qubes-users] Which qube is most secure for internet use?

2019-08-16 Thread 799
O K  schrieb am Fr., 16. Aug. 2019, 18:17:

> Well I'm not as concerned about people monitoring/intercepting the content
> of my communications, just about identifying information about the hardware
> of my computer being accessible.
>

Why? If someone can't identify you, why should he make the effort to find a
way into your Qubes machine to get the hardware info? If it is an attack
which you're not the specific target, there are easier options, like
hacking your router or maybe one of your "smart" home devices.

I know it's not easy to acquire info about someone's computer from the
> internet, and if the computer's running Qubes I would imagine it's harder,
> but I think it can be done (definitely Mac address but possibly more info).
>

Yes. Using Qubes will increase your security to a reasonable secure level
(if you use it correctly).

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tjrAjUO3YZ6Caj1Fid2LRZykD%2BOs%2BB64D4Z418vhuXHA%40mail.gmail.com.


Re: [qubes-users] Which qube is most secure for internet use?

2019-08-16 Thread O K
Well I'm not as concerned about people monitoring/intercepting the content 
of my communications, just about identifying information about the hardware 
of my computer being accessible.  I know it's not easy to acquire info 
about someone's computer from the internet, and if the computer's running 
Qubes I would imagine it's harder, but I think it can be done (definitely 
Mac address but possibly more info).

On Friday, August 16, 2019 at 11:57:19 AM UTC-4, 799 wrote:
>
>
> On Fri, 16 Aug 2019 at 16:52, O K > wrote:
> > Which qube is most secure when it comes to keeping any identifying info 
> about my computer
> > invisible from anyone on the internet (or if not completely, which qube 
> does this the best)?  Thanks.
>  
> I would say that the safest way to assume, that there is no invisibility.
> But using a Whonix DVM -> whonix-dvm-ws-14-dvm will likely be a good 
> option.
> You might want to learn about this here:
> https://www.whonix.org/wiki/Qubes/DisposableVM
>
> Addtionally you might want to ask yourself: What are the threads your 
> protecting against?
> And then try to figure out what is the weakest part in your setup.
>
> [799]
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f22e5e9f-5b21-4d6a-88d8-d14d128a89dc%40googlegroups.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-16 Thread 799
On Fri, 16 Aug 2019 at 15:42,  wrote:

> Can coreboot be installed on T580, have you ever heard of such?
>

The following coreboot page will answer your question:
https://coreboot.org/status/board-status.html

additionally you might want to look into the FAQ:
https://www.coreboot.org/FAQ#Will_coreboot_work_on_my_machine.3F

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sQQhwq-%2BqOtgEUbyM_9-FHeNe0h9KxBoKq6v%2B0mrdfOg%40mail.gmail.com.


Re: [qubes-users] Which qube is most secure for internet use?

2019-08-16 Thread 799
On Fri, 16 Aug 2019 at 16:52, O K  wrote:
> Which qube is most secure when it comes to keeping any identifying info
about my computer
> invisible from anyone on the internet (or if not completely, which qube
does this the best)?  Thanks.

I would say that the safest way to assume, that there is no invisibility.
But using a Whonix DVM -> whonix-dvm-ws-14-dvm will likely be a good option.
You might want to learn about this here:
https://www.whonix.org/wiki/Qubes/DisposableVM

Addtionally you might want to ask yourself: What are the threads your
protecting against?
And then try to figure out what is the weakest part in your setup.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sMR8RLvZX8dB2JwrYmFkMtLfAH4xE23X6BZFR4N53cjQ%40mail.gmail.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-16 Thread 27casanova27
It workt! Again thanks for sharing. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d2d36e4c-0eda-4271-9911-09fcf6c0b8df%40googlegroups.com.


[qubes-users] Which qube is most secure for internet use?

2019-08-16 Thread O K
Which qube is most secure when it comes to keeping any identifying info 
about my computer invisible from anyone on the internet (or if not 
completely, which qube does this the best)?  Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b573e46d-b88a-4802-b847-612b9dfddcf6%40googlegroups.com.


[qubes-users] How do I create a Qubes USB Installer within Qubes OS (if it's possible)?

2019-08-16 Thread O K
Mint lets you do it, but not sure about Qubes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a1d5f227-9292-4da3-9741-11fa1e7775df%40googlegroups.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-16 Thread thecrispytoast
Can coreboot be installed on T580, have you ever heard of such?

On Monday, August 12, 2019 at 11:33:46 PM UTC+7, 799 wrote:
>
> Hello,
>
> <27casa...@gmail.com > schrieb am Mo., 12. Aug. 2019, 09:26:
>
>> What is the best and less expensive Lenovo think pad for new Qube?
>>
>
> As always ... It depends. The G505s is not a bad choice but it is not from 
> the Thinkpad line but a consumer laptop.
> I would say the Lenovo X230 or T430 as you can install Coreboot on them, 
> you get USB3 and LTE. And you can add some cool things like illuminates 
> keyboards, an additional battery pack (Slice battery) which gives you lots 
> of battery runtime.
> Additionally you can get a docking station (not sure if this is available 
> for a G505s) which gives you additional Display options.
>
> I would go with the x230, 16GB RAM and a new SSD, then add Coreboot (I 
> have a specific howto covering this).
>
> But as they are all so cheap: buy them all and test them, then sell the 
> ones you don't like to keep ;-)
>
> 799
>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a0fd1ddc-b280-4c0e-9ade-a1e626ca1478%40googlegroups.com.


[qubes-users] Behaviour of qvm-open-in-(d)vm

2019-08-16 Thread Phil Knüfer
Hi,

today I worked with the command line tool 'qvm-open-in-vm' and realised
that its behaviour is quite similar to qvm-open/qvm-copy.

The way I understand it is:

There used to be qvm-copy-to-vm/qvm-move-to-vm which would take the name
of the destination vm as first parameter and a file path as the second
parameter. At some point (I believe it was with the release of Qubes
4.0) these tools have been deprecated in favour of qvm-move/qvm-copy,
which now take only one parameter and interactively ask the user for the
destination VM.

qvm-open-in-vm still works like the older tools, that is, it takes two
parameters (VM name + file name or URL to be opened), but then still
shows the GUI prompt where the user needs to pick the destination VM.

I am not overly familiar with Qubes inter-VM communication but from my
point of view, qvm-open-in-vm should be deprecated as well and replaced
by a similarly working qvm-open tool.

What do you think?

Please let me know if this mail should rather be addressed to qubes-devel.

Regards,

Phil


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6df43db9-8c7d-7458-1f1b-41c2d885b597%40digitrace.de.


signature.asc
Description: OpenPGP digital signature


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-16 Thread unman
On Thu, Aug 15, 2019 at 01:18:51PM -0700, 27casanov...@gmail.com wrote:
> Hi 799, when I tride to instal I run in to mesage saying that Qubes wouldent 
> funktion becous hardware whas mising.
> 
> The I proceeded withe installation. And later during setup I got this 
> message: 
> 
> sys firewall failed
> 
> And then:
> 
> Start faild... Could not find capabilites for arch=x86_64  
> 
> The later is refering to missing hardware i gues.

That means you havent got VT-x enabled.
Check in your BIOS that you have enabled VT-x and VT-D, virtulization,
some entry like that.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190816112629.GA19321%40thirdeyesecurity.org.


Re: [qubes-users] Problem with NextCloud-Client App-VM (unable to login on 2nd boot)

2019-08-16 Thread Stefan Leibfarth
Hello,

Am 15.08.2019 um 00:03 schrieb one7two99:
> I want to use a dedicated AppVM to sync data to a private NextCloud-Server.

[...]

> Can someone explain why I the login/sync fails after rebooting the AppVM?
> 
> This are the steps to build a NextCloud-Client-Template and an AppVM
> based on this template.
> 
> All steps have to be run from dom0:
> 
> 
>  start 
> 
> Template=fedora-30-minimal
> TemplateName=t-fedora-30-storage

[...]

> can be done in another AppVM)
> # Hint: Add an App-Password/Token
> 
> - end 

Seems fine to me.

I'd guess it's not directly Qubes related, maybe this problem:
https://help.nextcloud.com/t/nextcloud-client-asks-for-password-every-time-it-starts/28591/3

Try to start the client from the command line and see if there are any
errors.

If that doesn't help try to install the client in an AppVM based on the
default Fedora-Template. If that's running fine you might miss some
required packages (see link above).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/398a76cc-699c-f8f8-9e71-7c8134080a4e%40leibfarth.org.


[qubes-users] error: when upating dom0

2019-08-16 Thread scurge1tl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi, I am getting following error when sudo qube-dom0-update:

error: could not delete old database at
/var/lib/qubes/dom0-updates/home/user/.rpmdbold.3822

The update than finishes without any issue. But the error is
persistent throughout every update. I am seing this error for
sometime, but it gets annoying a bit now.

Is there any workaround to get rid of it?

Thank you!

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEExlmPb5HoPUTt+CQT44JZDAWK6UwFAl1WXQ9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM2
NTk4RjZGOTFFODNENDRFREY4MjQxM0UzODI1OTBDMDU4QUU5NEMACgkQ44JZDAWK
6UynHhAAwfU+apZBR9r1wNwzV299m6LvbtKwo12cwl/jOlQu0rhtMi+XC+4J7f89
ctcNaXjC1f/uljP06xzT7YmgnplghUCU39A3rCmhlvEX9FE2xo0K/raiYruWaNxU
uAN9TeATAtvf9eL19K/f9TwatJzHVTyhi0sT1//AuQdvCdW47jqcKLPH/fStNYlO
2nZ11mltyGJCFTB8hSgtTTDlZMZDevhtuk7vQP+DzxHc6g1gf7ZX63KGuL/Q8Vb4
bFe/JaECn7uFUh/bbppmibYfYSOGnFP++ostScsBeGEuYTUy30BL26mzREabV4P0
kGxDgHPUOfXRVcu/Q2+qRnjqfx+5nyZ7+ZFEBLzUZIQPZq7RmCm5vPML9yAs6DK9
I3eIBHARkXYFkvziZPVxbs5YOpqCAreBgo1j3G4kEChMwRBHDocvOWsVU3k3/FWw
jmL91QyKopoiGvH+ZXMBIuRb8rOl6P1XvzHI5x18I8j7ueuVukQ+p1TrErPP6P+U
c06h/MvDkB8zCVDYYFHri2fOrA40Hd4EB+JPlHWlArT7gqgjOms2Rhe1eGUPyczA
Rfdnkr18cpLCko0bJFOcJ86Txhck2w8qMwWxjoZ0W7slrxzLBudGq5lO9l+L+mEz
cjo8ePjkT+MMIR9WO1CNP75tIPaGYhpXU1R6l7qe8f6N87pYJfc=
=rxWx
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c75d4f12-2898-15fd-9909-cf8a63bb588c%40cock.li.


0xC1F4E83AF470A4ED.asc
Description: application/pgp-keys