Re: [qubes-users] whonix workstation 15 browser dropped both noscript and https
drok...@gmail.com: What are they doing over there? Really? I haven't upgraded to whonix 15 yet, and i'm really not very familiar with it, but i can't imagine that whonix would intentionally use a version of tor browser without noscript or https everywhere. Maybe you're affected by the security certificates bug that affected firefox and derivatives a while back, where extensions disappeared? Try updating tor browser to the most recent version and see if the extensions come back. Or reinstall tor browser in the template. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/584e48ef-883d-21a5-240e-0e34b7022242%40danwin1210.me. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Upgrading to whonix 15
Jon deps: On 7/7/19 10:06 PM, Steven Walker wrote: I am a virtual newbie to qubes. I am using 4.0.1 on a thinkpad T420. I would like to upgrade from whonix 14 to 15 without screwing anything up. Can anyone advise? Steve Uninstall old whonix-14 Reinstall new whonix-15 search this forum then ask https://www.whonix.org/wiki/Qubes/Install it may look more complicated than it is ; because of the formatting start at the start , learn the terminology , your just changing the appvms to not reference the whonix-14 templates then removing the templates via dom0 and either running the script or reinstalling the same way most templates are installed via dom0 only trick may be changing the "jinja" config file from -14 to -15 though if you read the thread some folks didn't remove -14 before installing -15 and apparently that may be "safe" also Or if you've made template customizations you want to keep you can upgrade your existing templates. https://www.whonix.org/wiki/Upgrading_Whonix_14_to_Whonix_15 Just clone your templates first and follow the upgrade procedure on the clones. Then once you've confirmed everything works as expected and switched your appvms over to the new template you can remove the original ones. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/936c29dc-5ca2-e281-7908-e9603209ac2b%40danwin1210.me. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is not safe to use Qubes OS 3.2?
'awokd' via qubes-users: davidmizr2...@gmail.com: Hi, i'm asking because my hardware is not compatible with qubes 4.0 Is not safe to use Qubes OS 3.2? Thanks It is less safe to use 3.2 than it used to be when it was getting patches. It doesn't immediately become unsafe once it is no longer supported, especially if you are keeping the templates up to date with security patches. However, the longer you stay on 3.2, the less safe it gets. If the choice is between using qubes 3.2 and using a monolithic linux distro (because of incompatibility with 4.0), i'd say 3.2 is still the better choice, but i'm not an expert. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/44de23d1-d7f3-979e-98c9-9717ceb28050%40danwin1210.me. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is not safe to use Qubes OS 3.2?
'awokd' via qubes-users: davidmizr2...@gmail.com: Hi, i'm asking because my hardware is not compatible with qubes 4.0 Is not safe to use Qubes OS 3.2? Thanks It is less safe to use 3.2 than it used to be when it was getting patches. It doesn't immediately become unsafe once it is no longer supported, especially if you are keeping the templates up to date with security patches. However, the longer you stay on 3.2, the less safe it gets. If the choice is between using qubes 3.2 and using a monolithic linux distro (because of incompatibility with 4.0), i'd say 3.2 is still the better choice, but i'm not an expert. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/36548514-3694-b5fc-fa6d-d7726cf5a068%40danwin1210.me. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: off topic - invite codes to 'riseup'
Siddhatha: On Tuesday, October 28, 2014 at 11:26:49 AM UTC-7, bm-2cu9wcijafoqtf6...@bitmessage.ch wrote: Dear qubes-users, I am long time qubes follower and user. I apologize in advance if anyone feels this request is spam. I am looking for two invite codes needed to sign up to anonymous riseup.net email service. I am hoping there are some qubes users who are riseup.net account holders. Can anyone please send me a couple of invite codes that I might be able to sign up? Thank you in advance. I am using QUbes several years this is my first p3ost to this group,m hope I am compliant with the regs and am not inadertantly in viol eg top-posting, etc. So I am wondering if riseup is not inferior to protonmail or tutanota because (1) riseup is ideologically committed to some kind of left/dyi/anarchist worldview and might regard almost anyone not in total agreement with the latest poliitically correct consensus as evil and possibly subjected therefore to some kind of discriminatory process (2) riseup is basically waving a red flag at virtually all Western intelligence agencies as well as every form of right wing or alt-right in that it's antifa-esque orientation is unduly provocative. (*) It may not have the level of professionalism available eg at protonmail although its' current look and feel is a big imrpovement . Adside from that, the lag time and now apparently the need for in vite codes is kind of ridiculous. Just some thoughts herre... My two cents on riseup, and private and anonymous emails.. I'm not part of the riseup collective so i can't speak for them, but i do have a riseup account and i'm at least somewhat familiar with them. Riseup is a leftist horizontal collective, basically libertarian socialist / anarchist. They don't want anyone diametrically opposed to their worldview (like supporters of capitalism, Leninists..) using their services. They maintain their services primarily as tools for leftist activists and organizers to communicate securely. But i wouldn't necessarily tie riseup to "political correctness" which is a culture war thing, and a whole different set of issues. Whether you think riseup is an intelligence agency honeypot or has otherwise been compromised is up to you. But i haven't noticed a "lag time" for riseup services. (They offer several services other than email by the way, that are worth checking out.) And you used to be able to sign up for a "red" account, required for email, by contacting them directly, but now you need invite codes, which i'm pretty sure is for anti-spam reasons. Regarding other email providers, finding a good anonymous (and tor friendly) free email provider is a challenge. Riseup: tor friendly and a very good provider i think, but with the invite code requirement it's not exactly anonymous. Protonmail: well respected, but free accounts don't support POP3 which i need. Bitmessage.ch (bitmailendavkbec.onion): tor friendly, supports POP3, but new registrations have been down for a while. Also requires an outside email address from another provider in order to register. VFEmail: they were hacked, old accounts are borked, new registrations disabled, maybe forever. Mail2Tor (mail2tor2zyjdctd.onion): webmail only. elude.in (eludemaillhqfkh5.onion): they want verification of an outside email address, but that can be skipped. Webmail works but POP3 doesn't (apparently if you pay it's supported?) danwin1210.me (danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion): very tor friendly, everything is done through a hidden service, no webmail (POP3/IMAP only). Registration is very easy, no outside email address required. But anonymity is not the same as privacy. The above providers are quite anonymous since it's through tor, but there's no reason to believe they're really private. They say they respect privacy of course but that's just a promise that means nothing. They and anyone they give access to can easily read all of your emails unless they're encrypted. If you really want private email (as opposed to anonymous email), your best bet is probably to host your own email server (and always use PGP encryption). -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/37385f70-03b9-d84e-0511-565da87f8076%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I keep installed app working
'Island Anchor' via qubes-users: Hi I installed app in Qubes and followed process sudo apt-get install git build-essential ... etc finally got to make then I was able to successfully launch the app in my folders. When I close the VM or shut-down upon reload I cannot run the app. However, if I start to run the sudo commands again, I noticed I can actually start the old install in the folder. Am I missing some further command or something to keep the app sticking? Thanks for any insight or assistance. Hi, Are you installing in the template or the appvm? Generally software installed in appvms won't persist after reboot (unless installed in home), so you generally need to install software in the template. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/25227aba-fd86-1879-ff6f-ec71aea30fe0%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Icons on my desktop security question?
22...@tutamail.com: Rookie question: 1) Why I didn't discover this before I don't know, simply drag the program from the Qubes drop down menu onto the desktop i.e. drag "Fedora-dvm-Firefox" or any other app program onto the desktop for easy access. Does this impact my Qubes security? It asked if I want to execute this program the first time I use the icon, clicked "Yes"... Pretty slick feature... Yea having shortcuts for frequently used apps on my desktop definitely helps usability for me too. I can't think of any security implications for this, since an attacker shouldn't be able to execute them unless they have access to dom0 anyway, but i'm not an expert! When xfce asks if you want to execute the shortcut you should be able to just mark it executable so it doesn't ask again. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d543cc42-a302-6aad-35f2-aeaf1b09e8f3%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Announcement: Qubes Tor onion services will no longer be maintained
22...@tutamail.com: My understanding is: The -gw and -ws templates, -dvm, appvm, etc and functionality will remain...correct? The Qubes-os.org onion site is going away...right? I have been keeping pretty good track of my changes from default install(dom0 and templates) over the past few year when I originally installed 4.0, but "...have been relying on (e.g., for package repos..." might have been something I did a while ago. How would one check this? Yes the qubes onion hosting (website and repo) is gone, but the announcement from Andrew said that unman is working on hosting it again (thank you unman!) Until that's back up the only thing that needs to be changed is your update source, if you changed it to the qubes onion repo before (the whonix onion repo is still working). To check, in debian/whonix templates, look in /etc/apt/sources.list.d/qubes-r?.list (? is 4 or 3 depending on qubes version). If you have a .onion address in there it needs to be changed back to the clearnet address until the onion repo is back up. In dom0 (and i think in fedora templates too) the relevant files are in /etc/yum.repos.d/ -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7084f490-06d7-d782-f197-2f4e165f54d4%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
John Goold: On 3/16/19 6:35 PM, js...@bitmessage.ch wrote: [Question] So, what do other Qubes users do to protect their families in case they die/get killed, get imprisoned, go missing? In addition to (very) occasional full backups using default qubes tools, i also backup important data to an external hard drive with a luks encrypted partition, so it can be easily accessed outside of qubes if needed. But that still needs someone (spouse, child, executor of your estate) to have access to a key phrase (if that is the right term). What about bank account numbers, etc. If you use KeePassX 2 or similar, what about access to it? Do you have the necessary passwords written down with instructions, sealed in an envelope and stored in a safety deposit box? Something else? We tend to keep more and more financial, legal and medical information on our personal computers rather than keeping paper copies (I am an old guy but my wife and I keep everything in electronic form unless required by law to keep a paper copy -- so I expect the "younger" crowd probably tends to do so as well). We keep at least two backups of such data -- copies to our shared file server and backups to external drives. One of our children has the master password to our password vaults -- there is a non-negligible possibility that both of us could be badly hurt (or killed) in the same accident (e.g. plane or car crash). Anyway, with our emphasis on Qubes and security, I was curious about this other aspect of people's affairs. Do you have all your important data locked down in Qubes so *only* you can get at it? John I'm the only one who can get into my qubes box. Actually i've been thinking about it since you started this thread but i'm not sure of the best way to solve that problem of giving someone trusted access to important data if needed. i've neglected that so far (i guess i've been pretending i'm immortal?) Anyways, first it has to be someone i really trust, since there really isn't a good way to make sure they have access after i die but they don't have access before (although maybe something like that could be worked out with the safe deposit box you mentioned?) And second is the problem of preventing access by people other than the trusted person. I can write down a passphrase for them and put it in an envelope, and tell them don't open it unless i die, but then my passphrase is written down and anyone who gains access to the envelope can get access to my important data. And third is the problem that the only people i *really* trust are probably going to die before i do, but that's not exactly a technical problem.. Anyways, if you have a keepassx database you can just put it on a flash drive or some other storage since the database file is encrypted, but anyone you want to access it will still have to have a passphrase either way. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9252e5b0-1458-9aa6-5b2b-af2f6a8fe487%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes - Critique (long)
Hi John, John Goold: * When launching a program from the Qubes menu, particularly if the target appVM has to be started, the program often fails to be launched. This happens very frequently with the Text Editor. This is annoying as one waits a bit in case one is simply being impatient, or at least I do, so as not to launch two copies of the program by accident. I experience that too on debian (i don't use fedora appvms). As Chris said it's a longstanding bug with gnome apps like nautilus and gedit. Actually i much prefer the nemo window manager, i think it's great and much better than nautilus (dolphin works too but i don't like it as much). You can install whatever window manager you want in the template and use it in your appvms. By the way does anyone know how to add the qubes specific functions (move/copy to vm, open in dispvm) to the context menu in nemo? It would be nice to not have to switch to nautilus for those functions (i know i can use cli for it too tho). * Ignoring whonix (I do not use it... yet), there are two template VMs in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However, they have not been treated equally, with Debian being the loser. The Qubes documentation indicates that Fedora was favoured for security reasons. I'm also not sure about this. My understanding is that debian is actually better than fedora from a security standpoint because of how updates are done (fedora updates being more vulnerable to man in the middle attacks). At least for some people, it seems Debian is a necessity, but it is not given the attention it deserves. At a minimum, a GUI software installer should be included in the Qubes distribution which would make it much easier for people to install other software they feel inclined to use. I'm not sure about the default debian template in 4.0, but i remember the default debian 8 template in 3.2 had a gui package install/update tool (labelled "Packages" or "Package Updates" or something like that). I remember using it a few times, but i mainly just use cli to install software. If the new debian template doesn't have that by default, as airelemental said you can install one. Using Linux and now Qubes, I not only do not shutdown the computer (i.e. power-off), but I do not logout -- I simply "Lock the Screen" and power-off my monitor. I do the opposite, i reboot every day, and i never had any problems with copy and paste between qubes, and i very rarely have other problems like crashes. I would at least reboot after installing dom0 updates. [Question] So, what do other Qubes users do to protect their families in case they die/get killed, get imprisoned, go missing? In addition to (very) occasional full backups using default qubes tools, i also backup important data to an external hard drive with a luks encrypted partition, so it can be easily accessed outside of qubes if needed. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5fdb49c0-bf55-98b3-8306-af7e4aeb4311%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: why mail-list?
kitchm via Forum: The discussion includes the fine points about the legality of keeping the information of a mailing list on one's own computer for searching or referencing, or whatever some have thought it useful for. Obviously not a good idea for the security reasons stated. (I might add that not one person has listed the steps for so doing anyway. Even when asked, it appears it is easy to talk but hard to do.) Hi, I think the easiest way to do that is to sign up for the mailing list using an email provider that supports POP3 (i guess IMAP could work too, but i hate IMAP). Then set up an email client like Thunderbird using POP3, and all posts to the mailing list (from that point forward) will be downloaded to Thunderbird as emails. Then you can just archive everything (or as much or as little as you want). It may also make sense to transfer the archived emails to an offline VM for security reasons. If you mean to also archive all posts that were made before you joined the mailing list, i think there's a way to do that too, but i'm not sure how. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2032ad37-4d3e-3d41-5353-f05a35cfa8d7%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How secure is a VM if a user tries to tampers it?
brendan.h...@gmail.com: On Friday, February 8, 2019 at 10:24:17 AM UTC-5, Laszlo Zrubecz wrote: This kind of total (enterprise) control was planned for qubes 4.x - however I don't hear about real life usage. Yeah, I recall reading about that. I think this is what you're talking about? https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/ The idea was to separate admin and user roles to allow for remote management in an enterprise environment. That post says that's probably a 5.0 thing. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e8fd48c6-5752-f435-38d3-845c5ffb3a8e%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Backup stops when the backup file reaches 3Gb
Mike Keehan: Hi, I'm using Qubes Backup to save some of my qubes into another VM. The backup VM has 18 Gb of storage available, but whenever the backup file reaches 3Gb, the backup process just hangs. No CPU usage, no error messages, just stops. The backup window shows 40% complete, but never moves any further (different % for different combinations of qubes in the backup list). After waiting a considerable time (well, 5-10 minutes), hitting Cancel in the backup window does cancel it. The rest of the system is continuing to work without problem. Happens every time I try to use Qubes backup. The Qubes Disk Space widget shows less than 50% disk used overall, the backupVM shows only 18% disk used when the 3Gb file has been saved. I'm stumped. Mike. Hi, You may have to wait longer than 5-10 minutes. I experience something similar when doing a full backup, except it's worse because i'm backing up like 2.5TB. It appears to hang for several hours at a time (and this happens more than once), but it does eventually make visible progress again. The whole process takes over 24 hours. This is why i do full backups very infrequently. For you it shouldn't take nearly as long because it's a lot less data, but the progress appearing to hang for a while seems to be normal. I'm using 3.2 tho, and i know they made changes to the backup mechanism under the hood in 4.0, so i'm not sure if this issue still applies in 4.0. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5406576f-66c0-3af8-d74e-fbb6b9d4a952%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] QSB #46: APT update mechanism vulnerability
Marek Marczykowski-Górecki: Summary The Debian Security Team has announced a security vulnerability (DSA-4371-1) in the Advanced Package Tool (APT). The vulnerability lies in the way APT performs HTTP redirect handling when downloading packages. Exploitation of this vulnerability could lead to privilege escalation [1] inside an APT-based VM, such as a Debian or Whonix VM. This bug does _not_ allow escape from any VM or enable any attacks on other parts of the Qubes system. In particular, this bug does _not_ affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless, we have decided to release this bulletin, because if a TemplateVM is affected, then every VM based on that template is affected. Hi, Does this vulnerability apply to whonix users who download updates over tor from .onion repos? My understanding is that it shouldn't, since the exit node operator or any other MITM doesn't even know it's apt traffic, they just see encrypted traffic to a hidden service. Is this right, or am i not understanding something? -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0276ef7-cee4-ed9e-6323-6928ca61dbeb%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Using a Desktop Computer with Qubes (R 4.0.1)
John Goold: Just discovered that there is only one USB controller (but 4 USB connector sockets). So when I tried to attach the USB controller to the appVM (had to set it to HVM), I lost the mouse and keyboard :-( I have got the impression from reading the documentation and posts to this forum that if I have disk encryption enabled, that I cannot create a sys-usb VM without losing the mouse+keyboard (and possibly not being able to enter the pass-phrase when powering up. Yea with only one usb controller you can't attach the whole controller to a VM without losing your usb keyboard/mouse. I'm in the same situation. It sounds like you've already looked at the docs but here's the link: https://www.qubes-os.org/doc/usb/ You have to have sys-usb to attach a usb device like a scanner to an appvm (unless you can just attach the whole usb controller, which you can't). I haven't done this myself but my understanding from reading the docs is it's still possible to have sys-usb, you just have to be careful not to lock yourself out (not able to control the system with usb mouse/keyboard, or not able to enter encryption passphrase at boot). According to the docs, if you're using 4.0, you can just use salt to set up a usb qube with the ability to use a usb keyboard with the command sudo qubesctl state.sls qvm.usb-keyboard The doc says that this will create the usb qube if it's not present, and that it will expose dom0 to usb devices on boot so you can enter the passphrase. After you do this though you still may want to check your grub/efi config file to make sure it doesn't have the "rd.qubes.hide_all_usb" line in it, just in case. Or you can follow the steps in the docs to do it manually, just make sure to add the required lines to the qubes.InputKeyboard and qubes.InputMouse files first, and don't add the "rd.qubes.hide_all_usb line to grub/efi config file. Also this has security implications since if your sys-usb is compromised an attacker could scoop up your keystrokes, but this should still be safer than attaching insecure usb devices to dom0. But it should work, unless i'm reading something wrong. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fe249d79-6aba-d9ae-2343-a8890931aaad%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to create AppVM?
seshu: Hi, I'm really excited that i got 4.0.1 RC installed on my desktop. I'm a first time Qubes user, but have quickly come up to speed. One thing I haven't noticed in the Docs is how to create an appVM? I want to setup Google Chrome to play Netflix. But, do that in a separate appVM. Similarily for email, etc. Is their documentation on this and I'm just missing it? Thanks in advance for the help! It's really cool to be using Qubes! Hi, There are a couple ways to do it. In qubes manager there should be a button at the top with a plus sign. Or select in the menu VM -> create new VM. At least this is true in 3.2. I know qubes manager is different in 4.0 so maybe these options have been changed or removed? Anyways you can also do it on command line with qvm-create. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2497b729-bd00-64c4-d76e-6896a8b8e676%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Can I set an unencrypted external HD as /home folder for a VM
Guy Frank: > I tried Qubes once before but gave up because the hardware I had wasn't > compatible. I'm now giving Qubes another try w/ a new machine and had a > couple questions. Keep in mind I'm a newbie. > > One question I had is whether there is any way to set an unencrypted (or > encrypted?) external HD as the /home folder for a VM? > > This would make it much more convenient for me to move my work between Qubes > and a non-Qubes desktop. I realize this is a security hole, but the > alternative of simply sticking with Ubuntu is even less secure. > > Guy Hi Guy, I'm not sure about setting it as /home but i think it's possible. But it's easy to attach an external HD to a vm and save your files to it. https://www.qubes-os.org/doc/usb/ Also it's pretty easy to encrypt it with luks for security, it just takes a little longer each time. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c68838ae-93ec-9908-3270-24ac58316601%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 4, qubes.UpdatesProxy policy, torify everything
x99nin...@gmail.com: > Hi again and thanks for answers to Unman and Ivan. > My last question is about qubes.UpdatesProxy policy. > Now the dom0 is being updated through sys-whonix-14 but all vm templates are > being updated over sys-net. > Is it possible to update everything over TOR (sys-whonix-14) ? > How best to do this - change the repositories into VM templates to TOR repo > or change rule for all templates on qubes.UpdatesProxy policy? > > (for example, $type:TemplateVM $default allow,target=sys-whonix-14) > > Thanks. Hi, I think you should be able to just set sys-whonix as updateVM and then switch to the onion repos in each template. It works for me in 3.2. There are instructions in the whonix docs: https://www.whonix.org/wiki/Onionizing_Repositories -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a9a0f405-a880-df64-a31a-63c62c15392d%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes System Storage Max size
Reza Naqshbendi: > Hi there, > > I'm using Qubes 3.2 with recently upgraded fedora-28. For one of my VMs > I wanted to increase the System Storage max size, I mistyped the figure > and went beyond what I wanted. I've set it around 100GB! I noticed > immediately but the problem is that I can't change it back. I can > increase it even more (!) but I can't reduce it. After the setting I got > the message that I needed to run resize2fs for the change to be > implemented really. I didn't but after the reboot I see it still having > the giant size! > > The initial reason for me to increase the system storage size was to be > able to install GIMP 2.10 through Flatpak. With the default system > storage size, and in spite of having 15GB in private size of the > template, I couldn't install the package getting the message that I had > not enough space left. Space is all over the place, but probably not at > the right spot. > > Thanks Hi, Yea qubes has a problem with shrinking the image size after it's been expanded. https://www.qubes-os.org/doc/resize-disk-image/ The easiest thing is probably just to leave it as it is. The template isn't really using that much space and qubes manager will show how much space it's actually using. You can redownload a fresh template and start again too tho. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/402f1c72-6388-b9aa-b923-126167585e77%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] whonixdvm isn't using updated torbrowser
donoban: > On 05/21/18 06:45, cooloutac wrote: >> even though I'm updating the template. I have to keep choosing the >> option to restart the browser to update. > >> Anyone else experience this? I think maybe I should just delete it >> an recreate it. > > > I'm updating the whonix-ws-dvm (not template) and works fine Yea i think the dvm template (whonix-ws-dvm or whatever it's called) has its own copy of tor browser in it so that's the one that needs to be updated, then the update will be persistent in new dispVMs. I downloaded tor browser in it manually first, and i think it would prompt to install tor browser every time otherwise. https://www.qubes-os.org/doc/dispvm-customization/ -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ed807bef-e00d-5734-c978-7d50acd34cba%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: why Whonix and not Tails or the anon-vm?
Name: > well, it's not really my question, but I did notice that in these > semi-permanent fedora-27-dvm and whonix-dvm that if I make bookmarks > in firefox they persist which surprises me, as I thought the whole point > was that with dvm's nothing persisted, I'm not sure I really > understand why I even have these domains listed fedora-27-dvm etc, > IIRC, in Q3.2 when you went to make a DVM it started and initially > took a while, and then told you next time it would be faster, but when > you closed whatever was using the DVM no domain persisted in the qvm-ls > / VM manager, etc ; much less things like browser bookmarks ... > > I expect with whonix-appqubes that bookmarks would persist, but not > whonix-dvm's Hmm are you setting the bookmarks in an actual dispVM or in the dvm template vm (like whonix-ws-dvm)? My understanding is that when you create a dispVM qubes makes a temporary copy of the dvm template, so changes made to the dvm template itself would persist. At least that's the way it works for me in 3.2. I made certain changes in whonix-ws-dvm like making sure settings are the way i want them, so they'll persist in dispVMs. https://www.qubes-os.org/doc/dispvm-customization/ -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/022d77ef-0daa-73dd-c4d1-4950f6fd825a%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Install/Import KeePass and the Database
Black Beard: > Hey again, > > i instll KeepassX on the Vm "Q" work and put the database in the same Vm. All > works perfectly. But if i try to open a website with the autotype function > nothing happend. > > Before i type crtl+k and under windows10 all works without any problems. If i > try the same methode under Qubes it not work. I click in the field(username) > and on KeePassX with right click perform autotype. Nothing happend. > > If someone knows why? > > regards The autotype thing doesn't really work in qubes because of the domain separation. When you have keepassx open in say vault domain, and then do autotype, it just copies the username/password into vault domain clipboard and then pastes it (also into vault domain), even though your web browser is probably (and should be) running in a different domain. It's a good idea to keep a domain/vm dedicated to keepassx, for security of all your passwords. The vault domain is good for this. It's a bit more of a pain to copy usernames/passwords from keepassx to your web browser or other application in another domain (in a regular linux not using virtualization you can just use autotype key) but it's just a convenience/security tradeoff. So, say you have your keepassx database opened in vault domain, and your web browser on a website in work domain, and you want to log into the website. Here are the steps. 1. click on the entry in vault->keepassx 2. ctrl+b to copy username into vault domain clipboard 3. ctrl+shift+c to copy username from vault domain clipboard to dom0 clipboard 4. click into work->firefox username field 5. ctrl+shift+v to paste username from dom0 clipboard to work domain clipboard 6. ctrl+v to paste username from work domain clipboard to firefox username field 7. click back on the entry in vault->keepassx 8. ctrl+c to copy password into vault domain clipboard 9. ctrl+shift+c to copy password from vault domain clipboard to dom0 clipboard 10. click into work->firefox password field 11. ctrl+shift+v to paste password from dom0 clipboard to work domain clipboard 12. ctrl+v to paste password from work domain clipboard to firefox password field 13. then you can log in This is kinda a pain and it looks long but once you get used to it it only takes a few seconds really. And there's always a tradeoff between convenience and security (qubes doesn't normally allow applications to copy/paste data between domains for security reasons). There may be a script that does the inter-vm copy/paste automatically? Not sure about that, but still this doesn't take very long once you get used to it. See qubes doc for copy/paste between domains: https://www.qubes-os.org/doc/copy-paste/ -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e614fe8f-b1f8-01d8-e9b4-74bfda6df5f9%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Install/Import KeePass and the Database
Black Beard: > Hey guys, > > i install KeepassX on the "Q" Domain Vault and copied the database to > "Q" Domain:personal. > > Yes, the database is in the folder QubesIncoming but i cant find the base > with KeepassX. > > Oh, Oh i must learn many... :) Oh, the database file has to be in the same vm/domain you're running keepassx on. So in this case copy the database file to the vault domain, then run keepassx in vault and it should see it. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2e016bb7-be1f-0c5a-f469-bbc1d878d209%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Install/Import KeePass and the Database
Black Beard: > Hey, > > i install KeepassX successfully. > > On my external HDD i have the database on it. Now i played a little bit with > the AppVm. > > On "Q" Service:sys-usb he find my external hdd. > > On "Q" Domain:Vault i install KeePassX before. When i try to put my database > in the file directory home-user-Downlads and try opened with Keepassx he cant > find the file(The file home lay on my Desktop).On this AppVm i become a > warning message if i try to put my USB on it. > > On "Q" Service:sys-usb i install KeepassX again try to bind the database on > it and it works, perfectly. > > I understand now how that works, but i dont know is it the correct way??? > > I hope i good write the probleme/question?! :) > > regards Hi, Did you copy the file from your usb vm to the vault vm? In qubes there's a special way to copy files from one vm to another (the vms are kept separate for security reasons). Open the file manager in your usb vm, right click on the database file, and select copy to another vm, and put in the name of the vm you want to copy it to. Once the file's been copied it'll be in the QubesIncoming folder in the destination vm's home folder. See this doc page: https://www.qubes-os.org/doc/copying-files/ There's also a video on the qubes website that shows how to use alot of qubes features: https://www.qubes-os.org/video-tours/ It's for an older version but it's still really helpful. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/08da1cc1-d090-9d82-ac16-d8c27367d3ed%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Uninstall windows and install qubes
cangen...@gmail.com: > Hi, I completed my tests on USB Qubes. Now I wonder, while installing Qubes, > will it give an option "replace Windows with Qubes" as in the case of Ubuntu? > My other relevant (real) question is, I have to fully format my PC (format > C:) (I want to get rid off someone I know who has been hacking me for 8 > years!). Then I believe first I need to install Windows so that I can install > the drivers, and then replace Windows with Qubes. Because installing all the > drivers via Qubes seem to be troublesome. > Thank you Hi, It's been awhile since i installed qubes, and i'm not sure how much different the 4.0 installer is from 3.2, but if you choose to delete your existing partitions during the install and replace them with the qubes partition, then windows will be wiped out. Also any drivers installed in windows won't be there when you install qubes because the whole windows partition was deleted. But qubes comes with the drivers that most people would need, and for things like special printer drivers or other kinds of devices there are usually drivers available for linux. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d784709f-5d65-17f4-f5cb-4120acbeb2cf%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VM maximum size is too small
Reza: > That's what I do to change the size: > 1) I stop the VM > 2) I select it in the VM Manager (in DOM0) > 3) I click on "settings" icon (the wheel)and I increase the "private storage > max size" from 2048 to its max value 10240 (written right below as 'system > storage max size'). Hi, The system storage size is based on the template, which generally doesn't need to be changed. The private storage size is how much space is available in the vm's home folder, and it can be increased higher than the system storage size. You can increase it up to 1048576 MB in qubes manager, and even higher in dom0 terminal (i have a vm with ~2TB data). https://www.qubes-os.org/doc/resize-disk-image/ -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a2f45fae-b145-09c2-1966-9edec0eafc76%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Difference between Whonix Workstation and Debian/Fedora?
Daniil .Travnikov: >> It's possible to use a debian/fedora based appVM with firefox, connected >> to sys-whonix, and all connections will go through tor. >> >> But whonix recommends to use a whonix-ws based appVM with tor browser >> instead to reduce fingerprintability. Most tor users are using tor >> browser, so if you're using tor with firefox and not tor browser it's >> easier to fingerprint you. > > > Whonix recommends this, but nothing to tell about Qubes Whonix. Qubes > contains the basis of Whonix Workstation logic in all OS. I'm not sure what you mean here? > When we use Whonix-Gateway we have one TOR connection (3 onion connections), > but when we use TOR browser (in any OS) we have second TOR connection (which > means that now we have already 6 onions). And in some reason it is not a safe > way. Whonix already prevents tor over tor connections. When you use tor browser in a whonix-ws based VM connected to sys-whonix it won't be tor over tor (there will only be 3 relays not 6). At least when you use tor browser in a whonix-ws based vm anyways. From looking at the whonix documentation it looks like if you download tor browser in a regular debian/fedora based vm and connect to sys-whonix that would result in tor over tor. Whonix modifies tor browser in whonix-ws so it works with whonix-gw/sys-whonix to prevent tor over tor. http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tor_Browser#Whonix_Tor_Browser_Differences https://www.whonix.org/wiki/Tor_Browser#Whonix_Tor_Browser_Differences But anyways, using tor browser in whonix-ws based appVM connected to sys-whonix doesn't result in tor over tor. So it looks like there are basically 4 ways to browse the internet using tor with qubes: 1. Use tor browser in a whonix-ws based appVM connected to sys-whonix (this is recommended, whonix prevents tor over tor scenarios, and all other traffic from the vm outside of tor browser is also routed through tor) 2. Use tor browser in a regular debian/fedora based appVM connected to sys-firewall (just like using tor browser outside of whonix, you'd miss out on any other whonix features, and other traffic from that vm outside of tor browser would not be routed through tor) 3. Use regular firefox in a debian/fedora based appVM connected to sys-whonix (no tor over tor, and all traffic from the VM is routed through tor, but it would be easier for adversaries to fingerprint you because most tor users use tor browser, not firefox, so you're more unique this way) 4. Use tor browser in a regular debian/fedora based appVM connected to sys-whonix (this would result in tor over tor, which is bad) At least this is my understanding based in what i've read in the whonix docs, but someone may know better than me! -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ee03caeb-fb5f-3b3e-44d5-63bd3c360271%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Difference between Whonix Workstation and Debian/Fedora?
Daniil .Travnikov: > Could anybody help me to understand what is the difference between Whonix > Workstation and Debian/Fedora? (I mean Templates VM in Qubes). > > When I want to use one of my Debian VM through TOR, I am turn on > Whonix-Gateway. > > And I am asking beacuse I don't understand for what I must use > Whonix-Workstation? Hi, It's possible to use a debian/fedora based appVM with firefox, connected to sys-whonix, and all connections will go through tor. But whonix recommends to use a whonix-ws based appVM with tor browser instead to reduce fingerprintability. Most tor users are using tor browser, so if you're using tor with firefox and not tor browser it's easier to fingerprint you. I don't know if there are any other reasons why you would need to use whonix-ws instead of debian/fedora or if there's any reason not to use tor browser in a debian/fedora VM. But i like to use whonix-ws as a template for any VM that's going to connect to tor, and debian for other VMs. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f3a7a870-dfec-d66f-8b2e-259a67e544f0%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: debian-9 template
john: > btw, which file managers are recommended ? Nautilus or Nemo , I > believe I installed both, but what I see available is just called > "files" ; IIRC in debian-8 it was actually called Nautilus or , sorry > if this is a debian question I like nemo better than nautilus, but the qubes specific file options (copy/move to other VM, open in dispVM) only appear in nautilus (or dolphin for whonix VMs). You can have both installed tho and use nemo for regular purposes. Thunar is another good file manager (dom0 uses it) and it comes with a GUI bulk rename tool that can be handy. I'm not sure how to enable the qubes specific actions in a non-default file manager like nemo tho. It's possible to create custom actions but i haven't really looked into it enough. But yea nautilus and nemo are both just called "files" in the deb VMs. You can manually edit the desktop files so they'll display the proper names to distinguish them. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4f0a9dae-0141-2932-d37c-be5bb1c58448%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Preventing VPN leaks once VPN connection is disconnect
niepowie...@gmail.com: > I'm user of vpn bitmask software and accidentally, from time to time > connection disconnect and there is few second to connect again. > > How is easiest way to set up firewall rules that prevent leaks with clear and > unencrypted traffic? I'm pretty sure bitmask is supposed to block unencrypted connections automatically when VPN connection drops (fail closed). The old version of bitmask had problems when running in a qubes proxyVM (DNS leaks in particular), but the new version in their debian stretch repo seemingly fixes these problems. i'm not sure if not failing closed is still a problem tho. If you're running the most recent version of bitmask in a proxyVM and it's not failing closed, maybe run it in the appVM instead? Others will have to answer the firewall question tho because i don't know much about that. -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fda4c50b-ffab-914d-a687-3319ee67ab3c%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to Alt-Tab Cycle Minimized WIndows
anon432: > I'm hoping there is an obvious and simple solution, but I have looked through > every XFCE and window manager setting I can find. > > System: Qubes 4.0 stable. XFCE desktop. > > Current behavior: If a Window is Minimized, using Alt-Tab to cycle through > open windows does NOT show or cycle through the minimized window. > > Expected Behavior: Alt-Tab cycles through all windows on the desktop > regardless of minimized status. > > Is this a setting I am missing? > > Is this a security feature I don't understand? > > If so, can I disable it? What are the ramifications? Hi, There's a related setting that should fix it. I'm using 3.2 with XFCE, and I don't know if 4.0 uses a different version that has the setting in a different place, but for me anyways.. Qubes menu -> system tools -> window manager tweaks On cycling tab, make sure "include hidden (ie iconified) windows" is checked -- Jackie -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/62fc5b58-b5b4-92b5-f724-ca94a2f10816%40bitmessage.ch. For more options, visit https://groups.google.com/d/optout.