Re: [qubes-users] How would you remotely infiltrate a default Qubes OS?

2020-08-13 Thread 54th Parallel
> Since the lion's share of Qubes installs are Intel based, I think a
> side-channel attack would be the most likely way to breach a Qubes
> system. 

I thought Spectre and Meltdown have been dealt with by shutting off 
hyperthreading and updating microcode? Also, the latest CPUs have Spectre 
mitigation built-in, though this only deals with the earlier variants of 
the attacks if I remember correctly.


> DDR4 memory offers a big attack surface as well

Does this refer to the RowHammer (HammerRow?) attack?


> OTOH, a state actor wishing to attack a Qubes system might have better
> luck with the RPM MITM against Fedora that we discussed in another thread.

Pretty much my biggest concern right now, though I'm procrastinating on 
writing the damn script


Relevant to the thread:
https://arstechnica.com/information-technology/2020/08/nsa-and-fbi-warn-that-new-linux-malware-threatens-national-security/


P.S. I'm not liking this new Google Groups look
On Friday, 14 August 2020 at 00:06:42 UTC+8 Chris Laprise wrote:

> On 8/13/20 10:59 AM, fiftyfour...@gmail.com wrote:
> > If you were tasked with remotely hacking into a default but updated 
> > Qubes OS system (installation configuration of 4.0.3, but with updated 
> > templates and dom0), how would you do it? What would you attack?  The 
> > precise objective (e.g. retrieve a PGP key from a vault, read a text 
> > document, achieve persistence, modify the system) is open--I just want 
> > to see how people might generally approach this question so I might 
> > better plug potential holes.
> > 
> > Sorry for the extremely broad question--please think of this as 
> > something like a 'red team' exercise.
>
> Since the lion's share of Qubes installs are Intel based, I think a 
> side-channel attack would be the most likely way to breach a Qubes 
> system. But also it's not just Intel CPUs that are weak here; DDR4 memory 
> offers a big attack surface as well. Such attacks can be carried out 
> with JavaScript from websites.
>
> OTOH, a state actor wishing to attack a Qubes system might have better 
> luck with the RPM MITM against Fedora that we discussed in another thread.
>
> -- 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/495b0cac-fbee-4a45-93a6-2e56c4ef44a4n%40googlegroups.com.
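
The question in the message above turns on whether hyperthreading is off and microcode is applied. As an added example (not part of the original message and not Qubes project code), this shell function summarises what a Linux kernel reports through its standard sysfs and procfs files. `make_sample_tree` and its file contents are constructed sample data, and under Xen the hypervisor's own SMT and microcode handling is separate from what a guest kernel reports here.

```shell
#!/bin/sh
# Added example: summarise a Linux kernel's own view of CPU side-channel
# mitigations. ROOT is a parameter so the logic can run on a constructed tree.

# report_cpu_mitigations [ROOT]
# Prints "<issue>: <kernel status>" per entry, then SMT state and microcode
# revision. Returns 1 if any entry starts with "Vulnerable" or SMT is "on",
# 2 if the kernel exposes no vulnerabilities directory, 0 otherwise.
report_cpu_mitigations() {
    root="${1:-}"
    vuln_dir="$root/sys/devices/system/cpu/vulnerabilities"
    smt_file="$root/sys/devices/system/cpu/smt/control"
    cpuinfo="$root/proc/cpuinfo"
    rc=0

    if [ ! -d "$vuln_dir" ]; then
        echo "no vulnerabilities directory: kernel too old or reporting removed"
        return 2
    fi

    for f in "$vuln_dir"/*; do
        [ -f "$f" ] || continue
        st=$(cat "$f")
        echo "$(basename "$f"): $st"
        case "$st" in
            Vulnerable*) rc=1 ;;
        esac
    done

    if [ -r "$smt_file" ]; then
        smt=$(cat "$smt_file")
        echo "smt: $smt"
        if [ "$smt" = "on" ]; then rc=1; fi
    else
        echo "smt: unknown"
    fi

    if [ -r "$cpuinfo" ]; then
        mc=$(awk -F': *' '/^microcode/ {print $2; exit}' "$cpuinfo")
        echo "microcode: ${mc:-unknown}"
    fi
    return $rc
}

# make_sample_tree: build a constructed fixture (not real measurements)
# and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    v="$d/sys/devices/system/cpu/vulnerabilities"
    mkdir -p "$v" "$d/sys/devices/system/cpu/smt" "$d/proc"
    echo "Mitigation: PTI" > "$v/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$v/spectre_v1"
    echo "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled" > "$v/mds"
    echo "off" > "$d/sys/devices/system/cpu/smt/control"
    printf 'processor\t: 0\nmicrocode\t: 0xde\n' > "$d/proc/cpuinfo"
    echo "$d"
}

# Demo on the constructed tree; status 1 is expected because mds is "Vulnerable".
sample=$(make_sample_tree)
report_cpu_mitigations "$sample" || echo "attention needed (exit $?)"
rm -rf "$sample"
```

Called with no argument, `report_cpu_mitigations` reads the running kernel's files.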


Re: [Fwd: Re: [qubes-users] how to install virtualbox?]

2020-08-13 Thread unman
On Thu, Aug 13, 2020 at 08:57:01PM +, 'disrupt_the_flow' via qubes-users 
wrote:
> On August 13, 2020 7:41:23 PM UTC, "afdskjbkjds...@secmail.pro" 
>  wrote:
> >
> >I need the virtual box for development, there's a virtual environment
> >configured for it.
> >So if I am new to linux, I can't do it? Maybe there are some guides?
> >
> >
> 
> I don't think it's possible tbh. If anyone has done please tell us. Anyway if 
> you really need virtualbox you could in a Debian live USB and play there.
> 

Running in a Debian standalone.
Install the virtualbox package and dependencies, as normal.
Edit the file, /usr/lib/virtualbox/vboxdrv.sh and comment out the Xen
test at lines 269-271

That's minimum to get you running. You'll be limited in what you can run
and vbox will complain if you have VT-x etc enabled, but it may do.

unman



Re: [qubes-users] Qubes Won't Boot with 4.19.125-1 Kernel

2020-08-13 Thread Rafael Reis
Tried kernels 5.6.x again and no luck. Still getting the black cursor only 
screen. Still stuck on 4.19.132-1.



On Monday, 3 August 2020 at 22:05:02 UTC-3, pudding wrote:

> Update: kernel 4.19.128-1 boots fine on my laptop, but 4.19.132-1 that 
> comes with the newest dom0 update does not. I've set the install_limit 
> to 6 just in case. Will continue observing.
>
>
> pudding
>
>



Re: [Fwd: Re: [qubes-users] how to install virtualbox?]

2020-08-13 Thread r...@posteo.net
On 13.08.20 22:57, 'disrupt_the_flow' via qubes-users wrote:
> On August 13, 2020 7:41:23 PM UTC, "afdskjbkjds...@secmail.pro"
>  wrote:
> 
> 
> I need the virtual box for development, there's a virtual environment
> configured for it.
> So if I am new to linux, I can't do it? Maybe there are some guides?
> 
> 
> I don't think it's possible tbh. If anyone has done please tell us.
> Anyway if you really need virtualbox you could in a Debian live USB and
> play there.

Sure it is possible. If you have a particular question, just go ahead
and ask.



Re: [Fwd: Re: [qubes-users] how to install virtualbox?]

2020-08-13 Thread 'disrupt_the_flow' via qubes-users
On August 13, 2020 7:41:23 PM UTC, "afdskjbkjds...@secmail.pro" 
 wrote:
>
>I need the virtual box for development, there's a virtual environment
>configured for it.
>So if I am new to linux, I can't do it? Maybe there are some guides?
>
>

I don't think it's possible tbh. If anyone has done please tell us. Anyway if 
you really need virtualbox you could in a Debian live USB and play there.



[Fwd: Re: [qubes-users] how to install virtualbox?]

2020-08-13 Thread afdskjbkjdsanf


I need the virtual box for development, there's a virtual environment
configured for it.
So if I am new to linux, I can't do it? Maybe there are some guides?




[qubes-users] Latest download of Qubes is where?

2020-08-13 Thread Catacombs
Yes, I understand that the latest stable version is 4.0.3.

Just is, I am a person who is kinda just fooling around, and I only have so 
many hours during a week for investigating Qubes OS.   My online ability is 
limited to public WiFi, and a small amount of Hot Spot from my phone.  It 
is easier for me to download an ISO, and install Qubes from scratch, than 
it is to try to do updates from the awkward position of my car while trying 
to read how to's to do a series of updates, and fixes to say Fedora 32 
templates.

I installed one of the 4.1 Qubes downloads.   Wondering where the later 
versions of Qubes, that are sorta working are hiding?  and how do I 
determine which one I want to download??

Question two:  I thought a few folks were going to try to make the 
beginning of using Qubes, after first install to be easier for Human Rights 
advocates, and Whistle Blowers.  I personally think of those folks being, 
not very geeky-techie types.   They have a low threshold of giving up on 
using a secure OS which is like Qubes.   Anyone know of whether anyone is 
working on this project?

Thanks for whatever replies are made.




[qubes-users] Ok, I'm lost. Dracut timeout, emergency shell. Trying to install.

2020-08-13 Thread Dylan Garcia
Specs: GTX 1060 6GB, AMD Ryzen 9 3900x, Asus X470 Strix-f Gaming, 32GB G.Skill Trident DDR4

I'm trying to install.

Normal boot cycles the display on and off. Flashes dracut-pre-udev[609]: 
rp.idmapd: conf_reinit: open ("(null)", 0_RDONLY) failed. Nouveau fix causes 
three dots to appear and then X startup fails. No graphics mode same thing. No 
graphics mode and commenting out those two lines in the bootx64.cfg managed to 
get me into the dracut terminal, but I'm getting dracut-initqueue timeout 
errors.

I'm using the latest version of Qubes. Anyone have any idea? Virtualization is 
enabled in bios, both types. Rufus is DD mode. I've tried two separate 
downloads too. 



Re: [qubes-users] how to install virtualbox?

2020-08-13 Thread 'awokd' via qubes-users
afdskjbkjds...@secmail.pro:
> Is it even possible to do that? I tried to make some mistakes, but it
> didn't work out.

Nothing is impossible, but it's too difficult and time consuming to
recommend. Qubes is already a hypervisor running multiple VMs. Why would
you want another one like Virtualbox on top of it?

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



[qubes-users] how to install virtualbox?

2020-08-13 Thread afdskjbkjdsanf
Is it even possible to do that? I tried to make some mistakes, but it
didn't work out.




Re: [qubes-users] How would you remotely infiltrate a default Qubes OS?

2020-08-13 Thread Chris Laprise

On 8/13/20 10:59 AM, fiftyfourthparal...@gmail.com wrote:
> If you were tasked with remotely hacking into a default but updated 
> Qubes OS system (installation configuration of 4.0.3, but with updated 
> templates and dom0), how would you do it? What would you attack?  The 
> precise objective (e.g. retrieve a PGP key from a vault, read a text 
> document, achieve persistence, modify the system) is open--I just want 
> to see how people might generally approach this question so I might 
> better plug potential holes.
>
> Sorry for the extremely broad question--please think of this as 
> something like a 'red team' exercise.


Since the lion's share of Qubes installs are Intel based, I think a 
side-channel attack would be the most likely way to breach a Qubes 
system. But also it's not just Intel CPUs that are weak here; DDR4 memory 
offers a big attack surface as well. Such attacks can be carried out 
with JavaScript from websites.


OTOH, a state actor wishing to attack a Qubes system might have better 
luck with the RPM MITM against Fedora that we discussed in another thread.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] How would you remotely infiltrate a default Qubes OS?

2020-08-13 Thread fiftyfourthparallel
On Thursday, 13 August 2020 23:09:04 UTC+8, disrupt_the_flow wrote:
>
> On August 13, 2020 2:59:37 PM UTC, "fiftyfour...@gmail.com" wrote:
>>
>> If you were tasked with remotely hacking into a default but updated Qubes 
>> OS system (installation configuration of 4.0.3, but with updated templates 
>> and dom0), how would you do it? What would you attack?  The precise 
>> objective (e.g. retrieve a PGP key from a vault, read a text document, 
>> achieve persistence, modify the system) is open--I just want to see how 
>> people might generally approach this question so I might better plug 
>> potential holes. 
>>
>> Sorry for the extremely broad question--please think of this as something 
>> like a 'red team' exercise. 
>>
>>
> Or maybe you want to actually hack a computer with Qubesos but you don't 
> know how. I highly doubt you can write patches.
>

That strikes me as an unnecessarily paranoid way of thinking. White hat 
hackers are an important part of security.

Also, I don't understand what you mean about me being unable to write 
patches. It should be clear from my recent posting history that I can't 
write patches--or any code beyond the most basic Python.



Re: [qubes-users] How would you remotely infiltrate a default Qubes OS?

2020-08-13 Thread 'disrupt_the_flow' via qubes-users
On August 13, 2020 2:59:37 PM UTC, "fiftyfourthparal...@gmail.com" wrote:
>If you were tasked with remotely hacking into a default but updated Qubes
>OS system (installation configuration of 4.0.3, but with updated templates
>and dom0), how would you do it? What would you attack?  The precise
>objective (e.g. retrieve a PGP key from a vault, read a text document,
>achieve persistence, modify the system) is open--I just want to see how
>people might generally approach this question so I might better plug
>potential holes.
>
>Sorry for the extremely broad question--please think of this as something
>like a 'red team' exercise.
>

Or maybe you want to actually hack a computer with Qubesos but you don't know 
how. I highly doubt you can write patches.



[qubes-users] How would you remotely infiltrate a default Qubes OS?

2020-08-13 Thread fiftyfourthparallel
If you were tasked with remotely hacking into a default but updated Qubes 
OS system (installation configuration of 4.0.3, but with updated templates 
and dom0), how would you do it? What would you attack?  The precise 
objective (e.g. retrieve a PGP key from a vault, read a text document, 
achieve persistence, modify the system) is open--I just want to see how 
people might generally approach this question so I might better plug 
potential holes. 

Sorry for the extremely broad question--please think of this as something 
like a 'red team' exercise. 



Re: [qubes-users] connecting to an app on an appvm from lan

2020-08-13 Thread unman
On Thu, Aug 13, 2020 at 12:34:39AM +0200, Qubes wrote:
> How does one go about connecting to an appvm from another device on your
> LAN? Is there any documentation on this?
> 
> Just to avoid confusion a device on the same network as where sys-net gets
> its network from.
> 

https://www.qubes-os.org/doc/firewall/ covers in some detail in the
section on "Port forwarding"
If you hit problems, give some detail on what you have done, and we
should be able to help.



Re: [qubes-users] Suggestions as a user

2020-08-13 Thread unman
On Wed, Aug 12, 2020 at 07:23:27AM -0700, acharya.sagar.sag...@gmail.com wrote:
> 
> Hello guys, I would like to suggest a few changes and while you may not 
> have them in qubes by default, I ask you to give an option to the users 
> such that they be able to make it easily.
> 
> With GUI VM coming in 4.1, I request you to have linux-libre in dom0. 
> Linux-libre for every template by default would be even better and 
> certainly my choice. (at least Freedora instead of Fedora). KDE instead of 
> XFCE would be a better default option since it provides a better UI. It 
> provides a premium feel and is a level above XFCE. Shifting focus to GNU 
> recommended OSes like Hyperbola, Parabola, Guix is also a step ahead in my 
> view.
> 
> I state this because GNU has also had an aim to make a completely free 
> software to be used on a computer. While they approach with security by 
> correctness and by actively trying to demotivate nonfree software, I feel 
> they might not get to the end. Also, they don't make it difficult for the 
> user to install a problematic software by mistake like Qubes does. If Qubes 
> combines such OSes (especially recommend Hyperbola, they are highly 
> critical of any contaminating packages) with its own security by 
> compartmentalization, it will be a step ahead.
> 
> Thanking you
> Sagar Acharya
> 
> P.S. I dream of having a stateless computer (Joanna 2015) with 
> libreboot+Qubes having HyperbolaBSD in dom0 and Parabola, Guix and 
> Hyperbola as available template VMs, with plasma as a DE. That would be 
> ideal and a nightmare for malicious crackers.
> 

Nothing like reading someone's personal preferences.
Unfortunately linux-libre is not something I could endorse - removing
the tests and warnings about known CPU vulnerabilities, on the spurious
ground that a user might just want to install microcode to enhance their
security, makes it unfit for a security focussed distro.
The same applies to libreboot, which has the added incoherence of
advocating updating EC firmware, while blocking CPU microcode.

As to the rest, I support KDE because it allows users to more easily
control the Qubes Menu - a major pain point for many - and provides
Activities, which meld perfectly with the use of Qubes security domains.
The OS you recommend are interesting, but Qubes has to be as usable as
possible with a wide reach, and I'm afraid a focus on free software
alone won't help there.
It would be simple to incorporate those OS into Qubes as templates,
(with extra work for a BSD hyperbola), but what would be the benefit for
most users, who need non-free blobs to get their machines working?
Don't let me put you off: it's a worthy aim, and will hit a small set of
users.
