[qubes-users] [unofficial] Qubes security advisory
#This email represents my analysis of the events of the last few weeks. #It does not reflect the views of the Qubes Project or Qubes developers #in any way. My Qubes laptop got hacked by Five Eyes because they thought I was a terrorist, when in fact I was only making clown videos. That is surely one of the strangest sentences I have ever had to write, so let me establish my bona fides. I'm a cybersecurity reporter [0], and have covered cybersecurity and national security since 2013. I have a masters degree in cybersecurity from Berkeley, and am currently working on my OSCP. I've been using Qubes as my daily laptop since 2014. I'm not a Qubes developer, but I would consider myself an advanced user. I'm also a clown. (I gave a talk at Hackers on Planet Earth this year called "Cybersecurity and Clown" [1]). In fact, when Covid hit I was in France studying clown with Philippe Gaulier, the same clown master who trained Sacha Baron Cohen. I'm a standup comedian and comic actor as well. So when I made these incredibly silly clown videos [2], I didn't expect to find myself under intense physical surveillance for several weeks. I mean, intense. I've been under physical surveillance before for national security reporting I've done (like this article [3]), but this was the closest I've ever seen the security services here in Canada swing their elbows. Knowing that physical surveillance is always accompanied by electronic surveillance, I kept an eye on my devices. My phone got popped first. Zero-click iPhone RCE. Two missed calls from a non-existent number right when the physical surveillance started. But would they risk a Qubes 0-day to go after me--for being a literal fscking clown? They did, and per their new "flyswatter policy" left a JTRIG-style goodbye present when they finally realized I'm just a journalist, and a clown. One morning last week, I launched a disposable Debian 10 template with my preset defaults of no netvm and a blank page preset--but instead a default page of "https://www.youtube.com/; appeared. It only happened once, but it was enough. Does this rise to the standard of journalist proof I'm accustomed to? Of course not. Would I risk my reputation by writing this email to the qubes-users list if I was not confident in my assessment? What do you think? So why am I writing this message? First, and most importantly, there is clearly a great Qubes 0-day floating around that needs to be found and squashed. But also, if Five Eyes are prepared to risk a Qubes 0-day on a clown, who would they *not* risk it on? There must be dozens, if not hundreds, of active Qubes implants out there right now. And this email is meant to burn those implants and make them go dark. If you have Five Eyes in your threat model, then you need to assume compromise and do whatever you need to do. Now. Does this mean I'm going to stop using Qubes? No. Of course not. Qubes is still our best hope for a reasonably secure laptop. Nothing I've said in this email changes that big picture analysis. kind regards, jmp p.s. And yo, guys? Cause I know you're reading this. Next time you decide to dishonor your oath to protect the Constitution, you might read the First Amendment first. [0] https://www.jmporup.com/ [1] https://www.youtube.com/watch?v=fiaZaPwvz54 [2] https://www.youtube.com/playlist?list=PLmE_cQ9Hok0nv7RxYZ_xMJtZb216uvdxi [3] https://arstechnica.com/information-technology/2016/02/the-nsas-skynet-program-may-be-killing-thousands-of-innocent-people/ -- J.M. Porup www.JMPorup.com -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201026022434.GA765%40fleas.
Re: [qubes-users] Qubes won’t boot (halp)
On Wed, Jul 29, 2020, at 11:04, Mike Keehan wrote: > On 7/29/20 3:19 PM, 'J.M. Porup' via qubes-users wrote: > > hi everyone, > > > > My up to date Qubes 4 / Thinkpad X1 Carbon refuses to boot. > > > > Boot time to BIOS screen is 15 minutes or so. Bypassing BIOS to boot > > screen, I select Qubes, five minutes pass, and I return to boot screen. > > > > I double checked all my BIOS settings. I also removed and reconnected the > > battery and CMOS battery. > > > > Should I reflash the BIOS? I see many many complaints online of similar > > problems, but all contains Windows-based solutions. > > > > Bricked right now. Would greatly appreciate any suggestions. > > > > thanks, > > jmp > > > > 15 mins to BIOS screen implies a problem with the hardware. > > Mike. Thanks, Mike. I can’t rule out the possibility of a hardware failure, but hours of googling this issue turns up a lot of frustrated Windows users who found software-based solutions. How can I isolate the issue to determine if it is, in fact, a hardware issue or not? thanks, hmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c8634930-d8f3-4f17-a3ce-0de944d7bb0a%40www.fastmail.com.
[qubes-users] Qubes won’t boot (halp)
hi everyone, My up to date Qubes 4 / Thinkpad X1 Carbon refuses to boot. Boot time to BIOS screen is 15 minutes or so. Bypassing BIOS to boot screen, I select Qubes, five minutes pass, and I return to boot screen. I double checked all my BIOS settings. I also removed and reconnected the battery and CMOS battery. Should I reflash the BIOS? I see many many complaints online of similar problems, but all contains Windows-based solutions. Bricked right now. Would greatly appreciate any suggestions. thanks, jmp — J.M. Porup www.JMPorup.com -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/96d562d2-f357-448c-a31d-1cc0ee123b0a%40www.fastmail.com.
[qubes-users] pen testing / port forwarding guide?
hi, Has anyone written a guide to setting up a Kali vm in Qubes for pen testing? I'm studying for the OSCP, and the Qubes firewall port forwarding guide suggests a fragile and finicky setup that I'm reluctant to rely on. Punching holes from sys-net to sys-firewall to vpn-vm to an an appvm just to run `nc -nlvp ` seems... like a kludge, at best. Issue #4028 tracks this problem. The alternatives seem to be 1) create a HVM with direct access to hardware--no sys-net or firewall-vm--or 2) purchase a dedicated laptop for this use case. Any suggestions? thanks, jmp -- J.M. Porup www.JMPorup.com -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200714155430.GA1026%40disp7009.
[qubes-users] muttrc decrypt pgp
hi, Current documentation (part of which I vaguely recall helping to write) suggests that the .muttrc decrypt command ought to be: set pgp_decode_command="qubes-gpg-client-wrapper --decrypt --status-fd=2 --batch %f" This command works fine at the command line, but fails in mutt, throwing the error "Could not decrypt PGP message." I'm using Qubes 4 + Debian 9 vms + gpg 2.1.18 I've spent hours reading forum posts trying to debug this, and am at a loss. Has anyone else dealt with this issue? How did you solve it? thanks, jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190428170110.6prylac3sfltaxkq%40fastmail. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] split pgp not working in debian 9 vms
On Fri, Apr 05, 2019 at 12:25:30AM +0100, unman wrote: > On Thu, Apr 04, 2019 at 10:52:09AM -0400, J.M. Porup wrote: > > hi, > > > > Configuring split pgp for mutt on a Qubes 4 laptop using Debian 9 vms. > > > > split pgp works to sign documents from the email vm: > > > > qubes-gpg-client-wrapper --clearsign foo.txt > > > > but does not work to encrypt documents/emails: > > > > /usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt foo.txt > > > > which returns the error message: > > > > gpg: cannot open '/dev/tty': No such device or address > > > > I've been tinkering with this for several days, and am not finding a > > solution. Why is split pgp working for signing, but not encrypting? > > Add --batch or put this in your gpg.conf thanks. adding --batch gives me the following error: /usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt --batch foo.txt gpg: no valid addressees gpg: [stdin]: encryption failed: No user ID For some reason qubes-gpg-client-wrapper can find my signing subkey but not the encryption subkey. ideas? thanks jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190404235128.q336wzwgw7ouo6jb%40fastmail. For more options, visit https://groups.google.com/d/optout.
[qubes-users] split pgp not working in debian 9 vms
hi, Configuring split pgp for mutt on a Qubes 4 laptop using Debian 9 vms. split pgp works to sign documents from the email vm: qubes-gpg-client-wrapper --clearsign foo.txt but does not work to encrypt documents/emails: /usr/lib/mutt/pgpewrap qubes-gpg-client-wrapper --encrypt foo.txt which returns the error message: gpg: cannot open '/dev/tty': No such device or address I've been tinkering with this for several days, and am not finding a solution. Why is split pgp working for signing, but not encrypting? Any ideas? thanks! jmp -- J.M. Porup www.JMPorup.com -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190404145208.4hxkwxlsnmkvpizz%40fastmail. For more options, visit https://groups.google.com/d/optout.
[qubes-users] QSB #46: reinstalling debian-9 template
according to QSB #46, reinstalling debian-9 from repo qubes-template-community-testing should yield version qubes-template-debian-9-4.0.1-201901230644 but running sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing qubes-template-debian-9 in Qubes 4.0.1 tells me it will install qubes-template-debian-9 version 4.0.1-201812091508 what does this mean, and how do I fix it? thanks! jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190201213058.GA934%40fedora-23-dvm. For more options, visit https://groups.google.com/d/optout.
[qubes-users] gcc-plugins issue when installing vagrant on qubes
Hi everyone, I'm following xahare's guide [0] to getting Vagrant running on Qubes. Specifically, I'm trying to get Varying Vagrant Vagrants [1] running in Qubes for a data journalism project I'm working on. The snag I hit comes when installing virtualbox. According to /var/log/vbox-install.log, the source of the problem seems to be gcc latent entropy plugin: cc1: error: cannot load plugin ./scripts/gcc-plugins/latent_entropy_plugin.so Has anyone else experienced this problem? Can you help me with a workaround? On deadline. thanks, jmp [0] https://gist.github.com/xahare/0f2078fc8c52e7ddece1e5ba70c6d5fc [1] https://varyingvagrantvagrants.org/docs/en-US/installation/ -- J.M. Porup www.JMPorup.com -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20171022133400.GA915%40fedora-23-dvm. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Containing Twitter sessions
On Thu, Jun 22, 2017 at 11:40:44AM -0400, Ryan Tate wrote: > I am perplexed by the challenge of containing Twitter use in Qubes. > > > If I had to pick from the default VMs, I would probably put Twitter in > “untrusted” due to the risks on the read side, even though the account itself > is sensitive and ideally you would not put such write capabilities in a "wild > west” environment like “untrusted." Perhaps better is to just make a > “twitter” vm to keep the damage of any compromise contained to the Twitter > account itself. Most ideal, in the future, would be to combine this last > approach with a Qubes browser add-on and force each non-twitter link to open > in another VM, either disposable or the “untrusted”. > > (Has anyone figured out a better approach?) Hi Ryan, I use Twitter in a Whonix Workstation template-based Disposable VM. Open links in a different disposable VM. hth jmp -- J.M. Porup www.JMPorup.com -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170622154957.GB909%40fedora-23-dvm. For more options, visit https://groups.google.com/d/optout.
[qubes-users] updating tor browser in whonix-ws dispvms
Is anyone else using whonix-ws based dispvms? Until recently, tor browser received updates via whonix repos. For some reason that seems to have stopped. The problem is that every time I open a new whonix-ws based dispvm, I'm prompted to download a new version of TBB. Doing so a dozen times a day or more gets a bit tedious. Per Whonix docs, I've tried running update-torbrowser in the templatevm, but the command line output tells me not to bother, because the download will be in /home and won't propagate to dispvms. I've taken a close look at Qubes and Whonix docs, but nothing is jumping out at me as a possible solution. Maybe I'm missing something. Any ideas? thanks jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170226145840.GB1149%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: files disappearing
On Sat, Aug 20, 2016 at 03:55:47PM -0700, Andrew David Wong wrote: > $ ll /var/lib/qubes/appvms// > > (If you have unaffected AppVMs, see if there is any pattern in differing > permissions.) Thanks for the suggestion, but a close look at the permissions doesn't reveal any difference with other vms, including ones that appear to be working correctly. jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160821005046.GA1180%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: files disappearing
On Sat, Aug 20, 2016 at 05:56:39PM -0400, J.M. Porup wrote: > On Sat, Aug 20, 2016 at 05:29:19PM -0400, J.M. Porup wrote: > > files in three different vms have disappeared in the last week. > > In one case I lost work. > > > > previously I've seen a vm start without local data, somehow it doesn't > > "catch", usually a shutdown and restart solves the problem. In this case > > multiple restarts over multiple days is not working. > > > > what can I investigate to discover the cause of the missing data? > > assuming, for the sake of argument, accident and not adversary. > > I can reproduce this with appvms based on debian 8, but not fedora 23. > > * create new appvm > * open a terminal, 'touch foo' > * shutdown vm > * restart vm, file is gone > > fedora 23 based appvms persist, but the debian 8 based appvms did not, > at least in this test. I have not checked all my vms yet. Additional data point. * Download the Equation Group files from Mega to report on them * qvm-copy-to-vm --> new fedora 23 based appvm * open terminal in new vm, files are there * shutdown, reboot--files are gone jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160820220019.GE1127%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: files disappearing
On Sat, Aug 20, 2016 at 05:29:19PM -0400, J.M. Porup wrote: > files in three different vms have disappeared in the last week. > In one case I lost work. > > previously I've seen a vm start without local data, somehow it doesn't > "catch", usually a shutdown and restart solves the problem. In this case > multiple restarts over multiple days is not working. > > what can I investigate to discover the cause of the missing data? > assuming, for the sake of argument, accident and not adversary. I can reproduce this with appvms based on debian 8, but not fedora 23. * create new appvm * open a terminal, 'touch foo' * shutdown vm * restart vm, file is gone fedora 23 based appvms persist, but the debian 8 based appvms did not, at least in this test. I have not checked all my vms yet. jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160820215638.GD1127%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
[qubes-users] files disappearing
hi, files in three different vms have disappeared in the last week. In one case I lost work. previously I've seen a vm start without local data, somehow it doesn't "catch", usually a shutdown and restart solves the problem. In this case multiple restarts over multiple days is not working. what can I investigate to discover the cause of the missing data? assuming, for the sake of argument, accident and not adversary. thanks jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160820212918.GA1127%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Cryptsetup LUKS Nuke Option
On Fri, Jul 22, 2016 at 07:39:40PM -0400, Chris Laprise wrote: > But there is no need to patch LUKS to accomplish this, and using only > passphrases as the trigger mechanism is probably too cumbersome in some > situations anyway. > > This could be scripted with better results and flexibility for the end user, > obviating any need to meddle with LUKS code. > > If there is already an issue# for a 'panic button' type of feature request, > I'd suggest linking this thread to it. This code already exists: https://github.com/offensive-security/cryptsetup-nuke-keys jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160726135123.GB1121%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Xen exploit talk at Black Hat
https://www.blackhat.com/us-16/briefings.html#ouroboros-tearing-xen-hypervisor-with-the-snake Ouroboros: Tearing Xen Hypervisor with the Snake The Xen Project has been a widely used virtualization platform powering some of the largest clouds in production today. Sitting directly on the hardware below any operating systems, the Xen hypervisor is responsible for the management of CPU/MMU and guest operating systems. Guest operating systems cound be controled to run in PV mode using paravirtualization technologies or HVM mode using hardware-assisted virtualization technologies. Compare to HVM mode, PV mode guest OS kernel could recognize the existence of hypervisor and, thus, work normally via hypervisor inferfaces which are called hypercalls. While performing priviledged operations, PV mode guest OS would submit requests via hypercalls then the hypervisor do these operations for it after verifying its requests. Inspired by Ouroboros, an ancient symbol with a snake bitting its tail, our team has found a critical verification bypass bug in Xen hypervisor and that will be used to tear the hypervisor a hole. With sepecific exploition vectors and payloads, malicious PV guest OS could control not only the hypervisor but also all other guest operating systems running on current platform. by Shangcong Luan of Alibaba https://www.blackhat.com/us-16/speakers/Shangcong-Luan.html -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160707194929.GI1114%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] dispvms + whonix template = broken in xfce
On Fri, Jul 01, 2016 at 08:17:25PM +0200, Marek Marczykowski-Górecki wrote: > On Fri, Jul 01, 2016 at 02:19:01PM -0400, J.M. Porup wrote: > > So I've been using dispvms based on the whonix-ws template in order to > > get disposable torbrowser working. > > > > This works great in KDE, but when I switched over to xfce, dispvms > > refuse to start. The usual workaround is to rebuild the dispvm template, > > but that didn't work for me in xfce...so I've had to return to KDE for > > now. > > > > Don't know why the desktop environment should make any difference, can > > anyone confirm this behavior? > > Indeed really strange. What do you mean by "refuse to start"? I go the KDE menu, select DisposableVM --> Firefox, the notification pops up saying "starting dispvm"...but then nothing happens. I find this happens once every dozen or so times I launch a dispvm. This has been consistent for more than a year. A quick Ctrl-R in dom0 to find the rebuild command solves the problem for me. > > Also, related question--is there a way to modify the dispvm script to > > make torbrowser the default dispvm action, instead of firefox? > > Take a look here: > https://www.qubes-os.org/doc/dispvm/#tocAnchor-1-1-5 > > You can then adjust that menu entry (or create new one). thanks! jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160701182744.GN1126%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
[qubes-users] dispvms + whonix template = broken in xfce
So I've been using dispvms based on the whonix-ws template in order to get disposable torbrowser working. This works great in KDE, but when I switched over to xfce, dispvms refuse to start. The usual workaround is to rebuild the dispvm template, but that didn't work for me in xfce...so I've had to return to KDE for now. Don't know why the desktop environment should make any difference, can anyone confirm this behavior? Also, related question--is there a way to modify the dispvm script to make torbrowser the default dispvm action, instead of firefox? thanks jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160701181900.GM1126%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Installing XFCE
On Fri, Jul 01, 2016 at 11:02:49AM -0700, Micah Lee wrote: > I've installed Qubes 3.2-rc1 with only KDE. How do I install XFCE now as > well? The docs [1] about this look super outdated. A couple things that > I tried but didn't work: > > sudo qubes-dom0-update xfce4 > sudo qubes-dom0-update @XFCE > sudo qubes-dom0-update @xfce-desktop-environment > > [1] https://www.qubes-os.org/doc/xfce/ This worked for me a couple days ago: sudo qubes-dom0-update @xfce-desktop-qubes cheers jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160701181456.GL1126%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Cryptsetup LUKS Nuke Option
On Wed, Jun 29, 2016 at 02:30:34PM -0700, flux wrote: > My thoughts were more along the lines of mitigative travel protection > crossing borders and such. Like, you can boot to decryption but if the device > is seized, no valid decryption can actually be performed. But as you say, > depending on your situation that could be disadvantageous. I additionally > just enjoy the idea of separating keys from locks regardless of the encrypted > state of those keys. FWIW, I support this feature request as well. Search the archives for previous discussion early 2015 (Caspar Bowden indicated his support for the feature, before he passed.) Overreliance on a boot nuke feature would, as pointed out, be unwise. But as a journalist, I can easily imagine a scenario where I am crossing a border, am asked/ordered to decrypt my laptop, and I prefer to nuke the hard drive rather than comply. Sure, border officials might image the disk first, but how many laptop users have such a feature? I think of it like TLS. Arguing that X.509 certificate infrastructure is broken and not (very) trustworthy doesn't mean we should insist Qubes return to a non-HTTPS website. It's a layer of protection, one of many. So I support this feature request, while noting the priority is low. jmp -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160629230142.GA1116%40fedora-21-dvm. For more options, visit https://groups.google.com/d/optout.