Re: [qubes-users] Done with Qubes

2019-08-27 Thread Stuart Perkins
Instream...

On Tue, 27 Aug 2019 11:39:06 -0700 (PDT)
O K  wrote:

>You mean I create a VM with Whonix OS installed (using virtualbox I'm 
>guessing)?  I will have to research that, but yes I do need to use a VM, or 
>multiple VM's.  I'd also like to find a way to use Firejail to sandbox 
>whatever browser I'm using, if that's possible.
>

What I used to do before I found Qubes was snapshot my running VM's...have one 
just for "sandbox" like work.  Whenever I shut them down, I would just revert 
to the snapshot.  This ensures that the programs were not modified...similar to 
a Qubes template.

When a VM prompted for updates, I would revert to snapshot, do updates, take 
new snapshot.  This way the chances of something sneaking in were minimized.  
Not perfect, but almost a model of qubes and templates.  Multiple VM's for 
different tasks as well. When I discovered Qubes it was very familiar already.

Whonix comes in the gateway and browser VM's for VirtualBox too, and I even had 
that running on my home server before I went Qubes.  If you play the same 
snapshot/update game with them you can maintain a reasonable level of security.

For persistent data, use an attached HD image which is NOT part of the 
snapshot, or some NAS serving VM which does nothing else.

Not perfect, but reasonable. 


>On Friday, August 23, 2019 at 6:03:55 PM UTC-4, Jackie wrote:
>>
>> O K: 
>> > Thanks for all the help but I've been trying to figure out how to get 
>> > Qubes running for months and I've decided it's just a giant waste of my 
>> > time because every time I get one bug fixed, two more show up to take its 
>> > place.  I think it's a brilliant idea but it needs a lot of work and 
>> > streamlining before it's ready for public use.  It's a shame because my 
>> > privacy and anonymity online are a matter of my personal safety and it 
>> > would be nice to have a secure OS.  TAILS is not a fully usable system 
>> > either.  I will have to install Ubuntu.  Good luck, everyone. 
>>
>> Hi, 
>>
>> Qubes definitely has a learning curve, but i think it's worth it (and 
>> i'm definitely no linux expert). 
>>
>> But if you don't want to use qubes, one thing you can do for better 
>> security and privacy is install debian/ubuntu and use non-qubes whonix 
>> (you can use virtualbox, which is pretty easy to use). You can have 
>> multiple whonix workstations, and you can create other VMs like debian 
>> as well to compartmentalize your workflows. A solution like this is more 
>> insecure than qubes, but definitely less insecure than just using bare 
>> metal debian/ubuntu for everything. You still get the benefits of 
>> virtualization and compartmentalization, but without the extra security 
>> features of qubes (i'd recommend not using the host os for anything 
>> directly, and doing everything in VMs). 
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190827215757.7117bb92%40gmail.com.
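
The snapshot routine described in the message above, as an added example that is not part of the original post: revert after every session, update only from the clean state, and keep persistent data on a write-through disk that snapshots do not capture. The VM name, the snapshot name `clean`, the controller name and the disk path are assumptions.

```shell
#!/bin/sh
# Added example: revert-to-snapshot workflow for a VirtualBox guest.
# VM name, snapshot name and disk path are hypothetical placeholders.

VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"  # set VBOXMANAGE=echo for a dry run
SNAP_NAME="${SNAP_NAME:-clean}"         # name of the known-good snapshot

# True while the guest is powered on.
vm_running() {
    $VBOXMANAGE showvminfo "$1" --machinereadable | grep -q '^VMState="running"'
}

# Block until the guest has been shut down from inside.
wait_for_poweroff() {
    while vm_running "$1"; do sleep 5; done
}

# Discard everything written to the snapshotted disks since SNAP_NAME.
# The VM must be powered off for the restore to succeed.
revert_vm() {
    $VBOXMANAGE snapshot "$1" restore "$SNAP_NAME"
}

# One disposable session: start clean, use the VM, revert after shutdown.
run_session() {
    revert_vm "$1" &&
    $VBOXMANAGE startvm "$1" &&
    wait_for_poweroff "$1" &&
    revert_vm "$1"
}

# Update cycle: revert first so the updates land on the clean state, let the
# user install updates and shut down, then replace the known-good snapshot.
update_cycle() {
    revert_vm "$1" &&
    $VBOXMANAGE startvm "$1" &&
    wait_for_poweroff "$1" &&
    $VBOXMANAGE snapshot "$1" take "${SNAP_NAME}-new" &&
    $VBOXMANAGE snapshot "$1" delete "$SNAP_NAME" &&
    $VBOXMANAGE snapshot "$1" edit "${SNAP_NAME}-new" --name "$SNAP_NAME"
}

# Attach a data disk in write-through mode: its contents are not saved in
# snapshots and not rolled back by a restore, so it holds persistent data.
# Arguments: VM name, storage controller name, port number, disk image path.
attach_data_disk() {
    $VBOXMANAGE storageattach "$1" --storagectl "$2" --port "$3" --device 0 \
        --type hdd --medium "$4" --mtype writethrough
}

# Command-line entry point; does nothing when sourced or run without arguments.
case "${1:-}" in
    session) run_session "$2" ;;
    update)  update_cycle "$2" ;;
    data)    attach_data_disk "$2" "$3" "$4" "$5" ;;
esac
```

Anything on the write-through disk survives a revert, so treat files stored there as untrusted input for the next clean session.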


Re: [qubes-users] Done with Qubes

2019-08-27 Thread 'Jackie' via qubes-users

O K:

> You mean I create a VM with Whonix OS installed (using virtualbox I'm
> guessing)?  I will have to research that, but yes I do need to use a VM, or
> multiple VM's.  I'd also like to find a way to use Firejail to sandbox
> whatever browser I'm using, if that's possible.

The whonix website has pre built images for virtualbox you can download 
and install. You can run firejail inside whonix workstation too.

> On Friday, August 23, 2019 at 6:03:55 PM UTC-4, Jackie wrote:
>
>> O K:
>>
>>> Thanks for all the help but I've been trying to figure out how to get
>>> Qubes running for months and I've decided it's just a giant waste of my
>>> time because every time I get one bug fixed, two more show up to take its
>>> place.  I think it's a brilliant idea but it needs a lot of work and
>>> streamlining before it's ready for public use.  It's a shame because my
>>> privacy and anonymity online are a matter of my personal safety and it
>>> would be nice to have a secure OS.  TAILS is not a fully usable system
>>> either.  I will have to install Ubuntu.  Good luck, everyone.
>>
>> Hi,
>>
>> Qubes definitely has a learning curve, but i think it's worth it (and
>> i'm definitely no linux expert).
>>
>> But if you don't want to use qubes, one thing you can do for better
>> security and privacy is install debian/ubuntu and use non-qubes whonix
>> (you can use virtualbox, which is pretty easy to use). You can have
>> multiple whonix workstations, and you can create other VMs like debian
>> as well to compartmentalize your workflows. A solution like this is more
>> insecure than qubes, but definitely less insecure than just using bare
>> metal debian/ubuntu for everything. You still get the benefits of
>> virtualization and compartmentalization, but without the extra security
>> features of qubes (i'd recommend not using the host os for anything
>> directly, and doing everything in VMs).




Re: [qubes-users] Anonymous as possible

2019-08-27 Thread scurge1tl

GT500Shlby:
> Recently I went looking for as high as humanly possible anonymity
> but quickly deployed.
> 
> For a purely hypothetical example, say I have evidence on a
> prominent person. Think got mistress prego, mistress no want
> abortion, mistress gets bookend to skull, murder cover-up gone
> awry. So obviously me having said info, puts me in severe risk of
> being killed myself. Like full on conspiracy theory novel/adventure
> story. The idea is to be as realistic to the cyber security
> preparations as possible.
> 
> So I pick out an older laptop from recycle, flash the bios and
> remove any serial numbers and assets tags, pop in a newer SSD from
> a different recycled system (0 purchase records), reflash its
> firmware to remove serial number. Source an external wireless
> adapter with changeable MAC address and again, make sure no digital
> serial number. Now I need an OS. TAILS is a good option, but I saw
> Qubes used a while back and thought of it.
> 
> The idea is to go to a public place with lots of stores/cafes that
> have free wifi, but sitting outside those establishments in a
> non-cctv area but jacking their wifi, probably using a sharklasers
> email to get registered then using a vpn with bitcoin and another
> sharklasers email and then using tor above that to then create a
> throwaway reddit account to browse on r/gonewild err I mean drop
> the docs on the bad dude. However, my concern is, I'm having
> trouble finding the latest release date. the listed release
> schedule makes it look like the current stable release is over a
> year old. What is the TL;DR of the state of development of Qubes?
> 
> From other privacy focused people, are there any holes in my
> privacy scheme?
> 


Your model is actually a high risk environment, involving actions of
physical harm or death of you or your close ones.
In this case you would need to employ many measures and
countermeasures, not necessarily related to the digital behavior, more
than the OS like Tails or Qubes, to stay safe. Your behavior pattern
changes, your physical movement and monitoring of your life emissions,
the way you obtained the compro, from whom, how, when, where and so
on. Your contacts can be compromised already. Beware of your writing
stylistics, typos, and other similar leakages of your identity. In
case you have written something publicly under your real identity, you
should count on the fact that, if you don't use deception, it can be one
of the identifiers narrowing the options for an adversary in pursuit of
finding you.

Know your adversary and its level of determination, resources and time
available to find out key indicators leading to you. The higher it is,
the higher security measures and deception layers need to be employed
by you.

In this case you will for sure need a certain level of well pre-prepared
deception layers to make sure that if your contingency plans fail, you
have a well working backup plan, spreading options on more ways
adversary needs to follow on each layer, to give you time and an
especially clear warning, that there is somehow successful adversarial
activity, without leaking this intelligence to the adversary.

You will basically need to get the job done and destroy all traces from
you, and remain exposed for the shortest time possible, and leak as few
emissions as possible about your activity and at the same time not break
too significantly your daily routine. All preparation activities are
deviations from your routine, and can raise suspicion even after the
job is done.
Once done, there should be more or less zero possibility to get any
intelligence about your sensitive activity by any means, even backwards.

Coming to the OS, in this case Tails will do the job. It is amnesic
and the only hot potato is the SD card, if your activity isn't leaked
already, which is still possible.
If you were for example searching for the Tails through an insecure
OS, downloaded TBB through a non-anonymous channel, or even through
your IP address, and so on, you can already be on a watch list.
Estimate how many people in your area use Tor or Tails and you will
see it is not many. It can be seen that you are using Tor or Tails, as it
has very unique behavior.

All that, provided you know what you are doing, you are able to get
Tails securely, can reliably obtain their signing pgp keys, confirm
the downloaded file with it, its hash, can run it securely, in this
case remotely (see external wifi card, with cantenna for example, to
get wifi connection from few kilometers away) and having clear OpSec,
and be sure you are not compromised already, from the very beginning,
you could be quite safe.



Re: [qubes-users] Done with Qubes

2019-08-27 Thread O K
You mean I create a VM with Whonix OS installed (using virtualbox I'm 
guessing)?  I will have to research that, but yes I do need to use a VM, or 
multiple VM's.  I'd also like to find a way to use Firejail to sandbox 
whatever browser I'm using, if that's possible.

On Friday, August 23, 2019 at 6:03:55 PM UTC-4, Jackie wrote:
>
> O K: 
> > Thanks for all the help but I've been trying to figure out how to get 
> > Qubes running for months and I've decided it's just a giant waste of my 
> > time because every time I get one bug fixed, two more show up to take its 
> > place.  I think it's a brilliant idea but it needs a lot of work and 
> > streamlining before it's ready for public use.  It's a shame because my 
> > privacy and anonymity online are a matter of my personal safety and it 
> > would be nice to have a secure OS.  TAILS is not a fully usable system 
> > either.  I will have to install Ubuntu.  Good luck, everyone. 
>
> Hi, 
>
> Qubes definitely has a learning curve, but i think it's worth it (and 
> i'm definitely no linux expert). 
>
> But if you don't want to use qubes, one thing you can do for better 
> security and privacy is install debian/ubuntu and use non-qubes whonix 
> (you can use virtualbox, which is pretty easy to use). You can have 
> multiple whonix workstations, and you can create other VMs like debian 
> as well to compartmentalize your workflows. A solution like this is more 
> insecure than qubes, but definitely less insecure than just using bare 
> metal debian/ubuntu for everything. You still get the benefits of 
> virtualization and compartmentalization, but without the extra security 
> features of qubes (i'd recommend not using the host os for anything 
> directly, and doing everything in VMs). 
>



Re: [qubes-users] Qubes/class, Was: slightly off-topic: self-resetting OS idea

2019-08-27 Thread 799
Hello,

panina wrote on Tue, 27 Aug 2019, 10:17:

>
>
>
> This is a view that I see quite a lot. It is a whole different discussion.
> Hence the re-subjecting.
> Firstly, this view completely lacks class analysis. Not everyone can
> afford to buy the newest shiny. A lot of us have to use whatever we can
> get our hands on.
>

Honestly I don't know what other people on this list use for hardware.
But if I look around what my coworkers, customers, friends, family ..
everyone around me is using, I am the one who is owning very old and very
cheap hardware (x230).
As such my assumption is that most people are using newer and shinier
hardware than me ;-)

> Whenever a secure OS is mentioned, Qubes is the go-to. Everyone comes here.
> The approach that you have to buy new, specific hardware to have a
> functioning OS means anyone poor, or in a country with a poor dollar
> exchange rate, is left behind.
>

This is a constructed scenario. You will always find someone who will be
left behind.
If people who can afford to buy "shiny" new hardware would use cheap
hardware which will likely do the same job, they can even buy 3 devices
instead of one and give it away for free. Win.
Also there is no need at all to buy new hardware if you want to run Qubes,
even more it makes sense to buy older hardware.
But even if you need to spend a few bucks it would not stop me and should
not stop you from investing into your security and privacy.

> If Qubes was one of many options, this would cause less damage. But
> right now, there aren't many alternatives. So privacy and secure tech
> becomes an economic issue, a luxury
>

Why? As mentioned you can run Qubes on a very cheap laptop. I don't really
think that those "hardware" costs are really the reason why people are NOT
running Qubes.

> I firmly claim that basic privacy should be a human right.

Yes, I agree.



> Furthermore, Qubes currently concentrates on Intel hardware.


Because it is easy to get and that's what most users are using. I think it
is rather unlikely that this will change in the near future.
But afaik I know it is also running on AMD CPUs.

> I do not in any way feel that this is a sane choice right now. I feel it
> would be rather stupid to buy new hardware right now that has Intel
> processors.
>

You don't have to, but all alternatives (if there are any) would cost more
money or lead to the fact that I am unable to run qubes.

> Too many security issues, and new ones popping up all the time.
>

What are you referring to and how are those security issues related to
Qubes or Qubes specific. If there is a problem with the Intel hardware,
with the xen hypervisor, or Linux bugs, this has nothing to do with Qubes.

> So my second problem is: this approach would assume that I agree with
> every choice that the Qubes team does, which I don't.
>

You don't have to, but the good thing is that you can take the part you
like and tweak the part you don't like it improve on top of what you get.

[799]



Re: [qubes-users] Re: nmcli loosing connectivity

2019-08-27 Thread 0brand


> Brilliant idea!
> But sadly turned out to be mainly informative. Debian doesn't see the
> wifi card at all, it only works on fedora 29 & 30 (not 28). But I've
> tried fedora 29 & 30 baremetal on this machine, and this doesn't happen
> there. So it is either Qubes- or Xen-specific.
> 
> Any other ideas are welcome.
> 
Your wifi driver might not be available in Debian 10. You need to find
out the wifi card you are using and check to see if it is supported in
Debian (buster, testing, unstable)

https://packages.debian.org/buster/firmware-iwlwifi
https://packages.debian.org/bullseye/firmware-iwlwifi
https://packages.debian.org/sid/firmware-iwlwifi

Step 1)

If supported in Debian buster.

sudo apt-get install firmware-iwlwifi

If supported in bullseye (debian testing)

See:

https://www.whonix.org/wiki/Install_Software#Install_from_Debian_Testing

If supported in sid (debian unstable)

See:

https://www.whonix.org/wiki/Install_Software#Install_from_Debian_Unstable

Step 2)

Find the correct pci (wifi) device to attach to the sys-net VM.

https://www.qubes-os.org/doc/pci-devices/

-- 
GPG Public Key: 0xCFDBC23923C0433B
Fingerprint: B67C 6FE6 4BAE 05CD 05ED 775D CFDB C239 23C0 433B



[qubes-users] QEMU / KVM in Fedora qube with HVM to be used for installing UEFI boot ISO VM

2019-08-27 Thread Martin Thygesen
If anyone has prior learning for installing and operating qemu/kvm inside a 
fedora HVM qube please advise.

I'm looking to emulate UEFI support for a boot iso that requires it for 
installation and operation.
The boot iso does *not* require a secure boot, it's mainly just a build 
issue from the persons that manage the ISO build itself.

I'm looking at this option since Xen in dom0 support for UEFI HVM is 
basically non-functional for my requirements at this time.

Before investing the time I'd like to double-check to see if there is prior 
learning here.

Granted I'm not completely sure that qemu/kvm can fully emulate UEFI boot, 
on fedora on top of qubes.
Looking at some other qemu/kvm forums, support for UEFI boot seems to be 
well documented and resolved.

Anyway if you have prior learning here, I'd appreciate the input or 
pointers before I go down that path.

I'm more than happy to document this going forward for others to use if I 
can get some idea of the implications this will have aside from some of the 
obvious challenges.

- Regards Martin



Re: [qubes-users] slightly off-topic: self-resetting OS idea

2019-08-27 Thread 'awokd' via qubes-users
Chris Laprise:
> On 8/27/19 4:18 AM, panina wrote:
>> What I'm after is something that does what dvm's do, but not through
>> Qubes. Same effect, on something that boots on a USB stick or so, much
>> in the way that Tails does.

> You could also just use a bare Ubuntu or other Linux, and setup
> different (unprivileged) users for different tasks, like you setup
> different qubes. It wouldn't be too hard to keep resetting the user
> directories that need protection. But you're relying entirely on Linux
> security at that point.

Riffing on that idea- OpenBSD on a readonly medium with a RAM tmpfs
overlay? Don't know if any of that is possible.



Re: [qubes-users] slightly off-topic: self-resetting OS idea

2019-08-27 Thread Chris Laprise

On 8/27/19 4:18 AM, panina wrote:
> What I'm after is something that does what dvm's do, but not through
> Qubes. Same effect, on something that boots on a USB stick or so, much
> in the way that Tails does.

TAILS won't protect you from malware that can escalate privileges and 
bypass the read-only flag on a USB stick and/or add itself to the 
BIOS/UEFI firmware. And the malware could come from a compromised 
network card if that hardware is not isolated.


The main point of Qubes is to not rely on a complex monolithic kernel 
(Linux, Windows, etc) as your primary means of security... Using a small 
hypervisor with hardware isolation instead.


The only alternative that I know can be achieved simply is to install an 
OS like Ubuntu onto the USB stick and then install it again inside a 
Virtualbox container. It's a step down from Qubes security (and slower 
than Qubes), but it's still a hypervisor and you can keep resetting the 
VM to an earlier snapshot.


You could also just use a bare Ubuntu or other Linux, and setup 
different (unprivileged) users for different tasks, like you setup 
different qubes. It wouldn't be too hard to keep resetting the user 
directories that need protection. But you're relying entirely on Linux 
security at that point.


-

Re: Intel processors, have you seen the threads about AMD based hardware 
like the Lenovo G505s?


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: nmcli loosing connectivity

2019-08-27 Thread 'awokd' via qubes-users
panina:

> But sadly turned out to be mainly informative. Debian doesn't see the
> wifi card at all, it only works on fedora 29 & 30 (not 28). But I've
> tried fedora 29 & 30 baremetal on this machine, and this doesn't happen
> there. So it is either Qubes- or Xen-specific.

You might need to install the Realtek firmware package in the Debian
template. I wouldn't be too hasty to rule out Fedora; I've seen a number
of bugs filed against Network Manager + wifi on 29 & 30. Did you run it
baremetal as long as you have in Qubes?



Re: [qubes-users] Re: nmcli loosing connectivity

2019-08-27 Thread panina


On 8/26/19 9:04 PM, 'awokd' via qubes-users wrote:
> panina:
> 
>> What usually happens is that the system loses connectivity from time
>> to time. Sys-net reports the wifi as connected, but cannot ping my
>> gateway. The solution is to use nmcli to bring the connection down, and
>> up again. This will most of the time bring up the connectivity again.
>> Restarting the NetworkManager service does not help.
> 
> Try swapping your sys-net template from Fedora to Debian or vice-versa.
> Sometimes one distro will handle a wifi card better than another.
> 

Brilliant idea!
But sadly turned out to be mainly informative. Debian doesn't see the
wifi card at all, it only works on fedora 29 & 30 (not 28). But I've
tried fedora 29 & 30 baremetal on this machine, and this doesn't happen
there. So it is either Qubes- or Xen-specific.

Any other ideas are welcome.

<3
/panina



Re: [qubes-users] Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

2019-08-27 Thread euidzero
Do you have any update on this?
I'll open an issue in qubes issue tracker if not.

THX



On Tuesday, 28 May 2019 15:04:30 UTC+2, brend...@gmail.com wrote:
>
> On Monday, May 27, 2019 at 8:05:07 PM UTC-4, awokd wrote:
> > Stumpy wrote on 5/27/19 4:09 PM:
> > > I am trying to use an onlykey U2F but have run into some issues like it
> > > showing up in dom0 and sys-usb but seems like i cant use it.
> > > 
> > > in sys-usb:
> > > [user@sys-usb ~]$ lsusb | grep Only
> > > Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor
> > > Authentication and Password Solution
> > > 
> > > and in Dom0:
> > > [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42
> > > sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc
> > > Device attach failed:
> > > [ralph@dom0 ~]$
> > > 
> > > I decided to go with the chrome app but even though sys-usb seems to see
> > > the onlykey I can't seem to attach it to the chrome appvm i made?
> > > 
> > If you are using a custom template for your Chrome AppVM, don't forget 
> > to install the necessary qubes-usb package in it.
>
> Also:
> 1) Is it a composite USB device (multiple services on a single endpoint, 
> not a hub).
> 2) Is one or more service based on the HID interface and possibly blocked 
> as it is seen as a keyboard?
>
> Similar issues occur with yubikeys, I believe there are documents that may 
> help on the qubes-os.org site related to making yubikeys work.
>
> Brendan
>
>



Re: [qubes-users] slightly off-topic: self-resetting OS idea

2019-08-27 Thread panina


On 8/26/19 11:22 AM, David Hobach wrote:
> On 8/26/19 10:24 AM, panina wrote:
>> Hi!
>>
>> This is not strictly Qubes-OS related, rather inspired by Qubes.
>>
>> I've been struggling with some parts of Qubes usage. Most of the time,
>> it is overkill for me, and putting some strain on my computer. The
>> bugginess is also quite annoying, whenever I just need to do some
>> everyday work.
>> I've been thinking I'd like some form of dual-boot solution, or possibly
>> a Live USB that could be used.
>> Most of the time I work with ssh and webapps, so the only persistent
>> data I need to work will fit on a smartcard.
>>
>> My thought is to have an installation that mounts most of the root
>> partition as readonly, and uses ramdisks wherever the system wants to
>> write (e.g /var/log). I'm also thinking it should be possible to get a
>> fingerprint or somesuch of the root partition, and use my TPM2 to check
>> this.
>>
>> The system should also have a possibility to update itself, that I can
>> choose to do in environments that I feel is safe.
>>
>> I am wondering if anyone knows of an OS that works like this? Or if
>> anyone knows of tools that might accomplish parts of this?
> 
> Ehm... You're describing Qubes OS with disposable VMs there? The
> fingerprinting is essentially AEM?
> 
> If you need to keep your data on an external disk (SDCard), you can use
> either a manual approach with qvm-copy, permanently attach the disk to a
> single disposable VM with a fixed name or use an automated solution such
> as [1]. You might also want to look into qvm-pool.
> 
> [1] https://github.com/3hhh/qcrypt
> 

What I'm after is something that does what dvm's do, but not through
Qubes. Same effect, on something that boots on a USB stick or so, much
in the way that Tails does.

<3
/eira



Re: [qubes-users] Qubes/class, Was: slightly off-topic: self-resetting OS idea

2019-08-27 Thread panina


On 8/26/19 6:27 PM, 799 wrote:
> Hello
> 
> David Hobach <trip...@hackingthe.net> wrote on Mon, 26 Aug 2019, 11:22:
>
>> On 8/26/19 10:24 AM, panina wrote:
>>> Hi!
>>>
>>> This is not strictly Qubes-OS related, rather inspired by Qubes.
>>>
>>> I've been struggling with some parts of Qubes usage. Most of the time,
>>> it is overkill for me, and putting some strain on my computer. The
>>> bugginess is also quite annoying, whenever I just need to do some
>>> everyday work.
>>> I've been thinking I'd like some form of dual-boot solution, or possibly
>>> a Live USB that could be used.
>>> Most of the time I work with ssh and webapps, so the only persistent
>>> data I need to work will fit on a smartcard.
>>>
>>> My thought is to have an installation that mounts most of the root
>>> partition as readonly, and uses ramdisks wherever the system wants to
>>> write (e.g /var/log). I'm also thinking it should be possible to get a
>>> fingerprint or somesuch of the root partition, and use my TPM2 to check
>>> this.
>>>
>>> The system should also have a possibility to update itself, that I can
>>> choose to do in environments that I feel is safe.
>>>
>>> I am wondering if anyone knows of an OS that works like this? Or if
>>> anyone knows of tools that might accomplish parts of this?
>>
>> Ehm... You're describing Qubes OS with disposable VMs there? The
>> fingerprinting is essentially AEM?
>>
>> If you need to keep your data on an external disk (SDCard), you can use
>> either a manual approach with qvm-copy, permanently attach the disk to a
>> single disposable VM with a fixed name or use an automated solution such
>> as [1]. You might also want to look into qvm-pool.
>>
>> [1] https://github.com/3hhh/qcrypt
> 
> 
> I don't know why people are complaining about the "bugginess" and that
> it needs more performance.
> 
> If you buy the right hardware you'll not run into lots of bugs and get
> enough performance to run qubes. You can buy a Lenovo T530/430, W530,
> X230 for not much money, add a SSD some RAM and you'll not run into
> performance problems (normal use).

This is a view that I see quite a lot. It is a whole different
discussion. Hence the re-subjecting.

Firstly, this view completely lacks class analysis. Not everyone can
afford to buy the newest shiny. A lot of us have to use whatever we can
get our hands on.
Whenever a secure OS is mentioned, Qubes is the go-to. Everyone comes
here. The approach that you have to buy new, specific hardware to have a
functioning OS means anyone poor, or in a country with a poor dollar
exchange rate, is left behind.
If Qubes was one of many options, this would cause less damage. But
right now, there aren't many alternatives. So privacy and secure tech
becomes an economic issue, a luxury. I firmly claim that basic privacy
should be a human right.

However, this is a completely different discussion.

Furthermore, Qubes currently concentrates on Intel hardware. I do not in
any way feel that this is a sane choice right now. I feel it would be
rather stupid to buy new hardware right now that has Intel processors.
Too many security issues, and new ones popping up all the time.
So my second problem is: this approach would assume that I agree with
every choice that the Qubes team does, which I don't.

> 
> As David mentioned Qubes will do exactly what you need if you're using
> disposable VMs.
> Regarding the fingerprinting, you can use AEM (Anti Evil Maid) or write
> your own script.
> I tried something which will fingerprint all files in /boot and gpg sign
> the signature which is then stored in the LUKS encrypted root partition.
> 
> You can then free booting into Qubes check the current boot Partition
> against the fingerprints.
> https://github.com/one7two99/my-qubes/tree/master/docs/boot-protect
> 
> Not sure if this is really secure, would be nice to have this checked by
> someone who knows more about security.
> 
> [799]

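
The /boot fingerprinting that 799 describes in the quoted text above, as an added example that is not part of the thread and not the linked boot-protect script: hash every file, sign the manifest with gpg, and on the next check report modified, missing and newly added files (a plain `sha256sum -c` would not notice added ones). The manifest path and the use of the default gpg key are assumptions.

```shell
#!/bin/sh
# Added example: signed hash manifest for a boot directory.
# MANIFEST is a hypothetical path; keep it somewhere the boot partition
# cannot reach, for example on the encrypted root filesystem.
MANIFEST="${MANIFEST:-/root/boot.manifest}"

# Print "sha256  ./relative/path" for every regular file under $1, sorted by
# path so that two runs over identical content produce identical output.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare directory $1 with stored manifest $2 and print one line per
# difference: MODIFIED, ADDED (on disk, not in manifest) or MISSING.
changed_paths() {
    make_manifest "$1" | awk -v old="$2" '
        BEGIN {
            # A manifest line is 64 hex digits, two spaces, then the path.
            while ((getline line < old) > 0)
                want[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            h = substr($0, 1, 64); p = substr($0, 67); seen[p] = 1
            if (!(p in want))      print "ADDED " p
            else if (want[p] != h) print "MODIFIED " p
        }
        END { for (p in want) if (!(p in seen)) print "MISSING " p }'
}

# Return 0 when the directory matches the manifest, otherwise print the
# differences and return 1.
verify_manifest() {
    report=$(changed_paths "$1" "$2")
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Detached signature over the manifest, made with the default secret key.
sign_manifest() {
    gpg --batch --yes --detach-sign --output "$1.sig" "$1"
}

# Succeeds for a valid signature from any key in the keyring; a stricter
# check would also compare the signer's fingerprint with the expected one.
check_signature() {
    gpg --batch --verify "$1.sig" "$1"
}

# Command-line entry point; does nothing when run without arguments.
case "${1:-}" in
    record) make_manifest /boot > "$MANIFEST" && sign_manifest "$MANIFEST" ;;
    check)  check_signature "$MANIFEST" && verify_manifest /boot "$MANIFEST" ;;
esac
```

The check runs on the system it is checking, so it detects changes made to /boot while the machine was off but does not replace a measured boot such as AEM.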