Re: [qubes-users] Seeking moderators for unofficial Qubes IRC channels on Freenode and OFTC

2017-07-31 Thread Nicklaus McClendon

On 07/20/2017 07:27 PM, Andrew David Wong wrote:
> Dear Qubes Community,
> 
> We're looking for well-known, trustworthy volunteers from the 
> community who would like to be moderators in the unofficial Qubes
> IRC channels on Freenode and OFTC (#qubes on both). We'd like to
> have at least two unrelated moderators who can oversee both
> channels. If you're interested, please let us know.
> 
> Best, Andrew
> 
> 

I'm always lurking in the Freenode #qubes, I'd be happy to be a moderator.

-- 
kulinacs

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7bebf087-cb13-8113-a35c-d3ec4edba2f4%40kulinacs.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: HCL - Toshiba Satellite C55A

2017-01-10 Thread Nicklaus McClendon

On 01/10/2017 03:01 PM, Caleb Thompson wrote:
> So how important is it that I don't have an IOMMU or TPM? What
> things can I not do? Sorry for the newbie question.
> 
> 
> On Mon, Jan 9, 2017 at 8:35 PM, Nicklaus McClendon
> <nickl...@kulinacs.com> wrote:
> 
> On 01/09/2017 08:12 PM, Caleb Thompson wrote:
>> Update: I'm trying to figure out why the report says I have no 
>> IOMMU when my BIOS says I'm set to VT-x. Are they different
>> things? Is an IOMMU something I can take my computer to a
>> computer store to have added to it?
> 
> Intel VT-d provides IOMMU support on Intel chips. If your
> processor does not support IOMMU/VT-d, you will need to get a new
> processor, it isn't something that can just be added.
> 
> -- kulinacs <nickl...@kulinacs.com>
> 
IOMMU allows you to isolate devices to specific chunks of memory.
Without it, it is possible for someone to use a device in any VM to
compromise the entire system.

The TPM is mostly used for Anti Evil Maid with Qubes.
https://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html

-- 
kulinacs <nickl...@kulinacs.com>


Re: [qubes-users] Re: HCL - Toshiba Satellite C55A

2017-01-09 Thread Nicklaus McClendon

On 01/09/2017 08:12 PM, Caleb Thompson wrote:
> Update: I'm trying to figure out why the report says I have no
> IOMMU when my BIOS says I'm set to VT-x. Are they different things?
> Is an IOMMU something I can take my computer to a computer store to
> have added to it?

Intel VT-d provides IOMMU support on Intel chips. If your processor
does not support IOMMU/VT-d, you will need to get a new processor, it
isn't something that can just be added.

-- 
kulinacs


[qubes-users] Using pass with split GPG

2017-01-06 Thread Nicklaus McClendon

I've been looking into solutions for password managers utilizing
Qubes' isolation as well as possible while not compromising
functionality. Password based options are suboptimal, as regular
backups and syncing can be challenging, as the "Vault" qube for the
database should not have network capability. Similarly, options that
require copying and pasting between qubes lead to passwords being kept on
the clipboard until manually removed. As such, I began looking at
using pass with split gpg. Pass is designed to work with Git for
backup and synchronization and uses GPG for encryption. With the
following patch, you can set
$PASSWORD_STORE_GPG_PROGRAM="qubes-gpg-client-wrapper" and enjoy pass
with split gpg.

https://lists.zx2c4.com/pipermail/password-store/2017-January/002633.html
-- 
kulinacs


[qubes-users] Heads Bootloader

2016-12-28 Thread Nicklaus McClendon

Trammell Hudson spoke a couple of days ago about a custom bootloader
designed to minimally load the OS in a secure manner, and mentioned he
got it compatible with Qubes. Does anyone here have any experience
with this?

Talk: https://www.youtube.com/watch?v=UqxRPLfrpfA
Repo: https://github.com/osresearch/heads
-- 
kulinacs


Re: [qubes-users] Qubes as Server OS?

2016-12-23 Thread Nicklaus McClendon

On 12/23/2016 07:09 PM, Jean-Philippe Ouellet wrote:
>> If you can't access dom0, qrexec is default allowed,
> 
> Uhh What? Can you elaborate?

qrexec usage is normally defined by an RPC. This RPC has a policy,
either allow, deny, or ask. My understanding is that if you don't have
access to dom0 to respond to a prompt, you must allow the running RPC
by default if you want to use it. This argument, of course, hinges on
my skepticism of secure remote dom0 access.

>> which removes the added security of it.
> 
> Definitely not entirely.

I'm not sure what security is added by having a default allow Qubes
RPC policy, but once again, this could be mitigated with secure dom0
access.

> 
>> If you're remotely accessing dom0, you're adding the networking
>> stack to the TCB,
> 
> Not necessarily. At least your NIC need not be trusted, potentially
> more.

I think the NIC still must be trusted in some form or fashion,
however, as a rogue attacker in the network vm could just shut off
access to whatever secure management VM being utilized. I'm not sure
how to classify this though. An attack on the NIC could stop remote
management, but I don't think this would harm security. In any case,
there is a lot to be added to the TCB by allowing network access, like
a management VM, that makes me question its usefulness.

>> and once again have a basic Xen installation with extra
>> unnecessary overhead.
> 
> ... and if overhead is your primary concern, why even bother with
> Xen at all? Why not use containers or such.

Overhead relative to functionality. A type 1 hypervisor offers better
isolation than containers, and I was suggesting that Qubes features
may not provide more security in a server environment.

-- 
kulinacs


Re: [qubes-users] Qubes as Server OS?

2016-12-23 Thread Nicklaus McClendon

On 12/23/2016 05:18 PM, Jean-Philippe Ouellet wrote:
> ... except with decent dom0 disaggregation working out of the box, 
> and I'm personally making good use of qrexec in a server context
> as well.
> 
> Securely accessing dom0 remotely is left as an exercise for the 
> reader. ;)
> 

I'm intrigued. How is qrexec utilized? qrexec is better than networked
access in the case of Qubes because it is verified through dom0, which
is part of the TCB. If you can't access dom0, qrexec is default allowed,
which removes the added security of it. If you're remotely accessing
dom0, you're adding the networking stack to the TCB, and once again have
a basic Xen installation with extra unnecessary overhead. qrexec with a
networked dom0 doesn't seem any more secure than using SSH to run remote
scripts between networked VMs.
-- 
kulinacs


Re: [qubes-users] Re: BIOS Security Settings?

2016-12-18 Thread Nicklaus McClendon

On 12/18/2016 03:17 PM, taii...@gmx.com wrote:
> Some laptops such as dell latitudes/precisions have a "master
> recovery password" that is generated from the current serial number
> of the laptop (so do thinkpads) "Cannot be bypassed" - well you
> could always clip on a eprom writer to the chip correct? I assume
> then you could force it to spill.
> 
> Entering the password on a latitude/precision then resets the
> serial number and you have to re-enter it, you're now thinking that
> you could simply do this to make a code that no one knows however
> on the pre-boot authentication screen it helpfully provides the
> current serial number.
> 
> BIOS passwords and PBA schemes are simply another layer in
> security, ideally you would have both a password and a smart-card
> so somebody can't simply do shoulder surfing password recovery and
> then be able to steal your laptop. (Most business laptops have a
> contact-smart card reader).
> 
> 
> Yes you should switch off ME, although "Disabled" means something 
> different to intel than it does to you and me - it isn't really
> off. If you do that you will have to blacklist intel_ips kernel
> module to prevent log spam of "ME Hung"
> 
> There is a project from some coreboot developers that is able to
> nerf (not remove) ME from most systems (caution - may brick your
> mobo - do not perform without an external eeprom flashing device)
> although of course you're still stuck with the proprietary bios and
> FSP on anything recent.
> 
I was unaware that the master recovery password existed for Thinkpads
and hadn't been able to find any sort of thing when I searched
previously, I'd be interested to see your source. The official Lenovo
help page suggests that it does not exist.
https://support.lenovo.com/us/en/documents/ht036206#super
You could clip on analysis tools, as I mentioned as "digital analysis
of the chip itself", perhaps analog analysis is more correct in this case.

-- 
kulinacs


Re: [qubes-users] Re: BIOS Security Settings?

2016-12-18 Thread Nicklaus McClendon

On 12/18/2016 01:26 PM, Grzesiek Chodzicki wrote:
> On Sunday, 18 December 2016 17:15:59 UTC+1, user 
> '0194358'019438'0194328'01943 wrote:
>> Hello,
>> 
>> does a BIOS password (against BIOS changes), gives a higher 
>> system security, or it is more like a security fake and could be 
>> easily bypassed?
>> 
>> Should I switch the IME off?
>> 
>> Kind Regards
> 
> Usually, the BIOS password can be reset by using a jumper on the 
> motherboard, a dedicated button, or by removing the CMOS battery
> so it's trivial to bypass. However if one day you notice that the 
> password is gone or that it has changed, that's a good indicator 
> that somebody accessed your pc.
> 
In Lenovo Thinkpads (mentioning as they tend to be popular for Qubes)
however, the supervisor BIOS password is stored in an EEPROM chip and
cannot be bypassed without digital analysis of the chip itself. So,
more secure against a standard attacker, but by no means secure
against a dedicated one.

-- 
kulinacs


Re: [qubes-users] how to get appVM colour for customizing bash prompt's colours

2016-09-16 Thread Nicklaus McClendon

On 09/16/2016 01:18 PM, Robert wrote:
> Hi!
> 
> I wonder if there is a command-line way to get the name (or any
> other id) of appVM's colour, used for window borders and such, from
> within the same appVM (not dom0)? It could be useful for
> customizing bash prompt's colours.
> 
> I guess, I'd not be surprised if the answer was no due to security
> reasons.
> 
> Best regards, Robert
> 
> 
I'm not sure if there is an official way, but I have written an RPC to
do this. https://github.com/kulinacs/qubes-rpc-GetLabel
I have the command run in /rw/config/rc.local and have it set to auto
allow.

-- 
kulinacs


Re: [qubes-users] Qubes for running virtual servers

2016-08-23 Thread Nicklaus McClendon

On 08/23/2016 11:07 AM, darren...@redskiesgroup.com wrote:
> How does Qubes perform as the host OS in a virtualised server 
> environment?
> 
> I'm thinking of a configuration where the host OS is Qubes with 
> VM's running for things like a virtualised email server, IDS 
> server, perhaps a Tor relay etc. I've used Qubes as a desktop
> host, I'm just curious about whether it's a practical host for 
> virtualised servers?
> 
You might want to look into using Xen instead. https://www.xenproject.org/
Xen is the hypervisor Qubes uses, and should do what you're looking for.

-- 
kulinacs


Re: [qubes-users] Tool to record Whonix / Tor browsing history..?

2016-08-14 Thread Nicklaus McClendon
On 08/14/2016 06:33 PM, Unman wrote:
> On Fri, Aug 12, 2016 at 02:58:26PM +, Manuel Amador (Rudd-O) wrote:
>> On 08/12/2016 01:39 PM, neilhard...@gmail.com wrote:
>>> I would like to be able to do something like:
>>>
>>> 1. Use Whonix/Tor as a disposable VM
>>>
>>> 2. Record browsing history using an external software
>>>
>>> One of the reasons I don't use Tor that much (other than slow speed, 
>>> captchas etc) is because I actually want to have a record of the websites I 
>>> have visited.
>>>
>>> We know that it could be risky to have the Tor browser itself record 
>>> history, if it gets hacked.
>>>
>>> But to have some tool running outside of the VM would be useful..
>>
>> For the same reason that attackers outside the VM can't see what you're
>> visiting, you yourself won't be able to see it either.
>>
>> What you want is not doable.
>>
>> If you want to have a record of sites you visit, then tell the Tor
>> Browser to record your browsing history, and hope that works for you.
>>
>> -- 
>> Rudd-O
>> http://rudd-o.com/
>>
> 
> It should be possible to insert a proxy between the browser and the Tor
> gateway, and sniff the traffic there.
> You could use a crafted tcpdump filter to some effect, but you won't just
> get a record of websites, but all requests, so you will have to do some
> post processing on the file to identify the websites. Not difficult, but
> probably won't be exactly what you want. It will, of course, also include
> all resource requests: that could be interesting, and might surprise
> you.
> 
> unman
> 

I was thinking something like have the Tor Browser record history in a
disposable VM, and have a Qubes RPC pull the Firefox profile to a
separate VM. More options like parsing the SQLite database could be
included to increase usability.
https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data

-- 
kulinacs 
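
The SQLite parsing suggested in the message above, as an added example that is not part of the original thread or of any Qubes tool: it reads visits from a copy of a Firefox-style `places.sqlite` inside the receiving VM and treats the file as untrusted input. The sample database and all function names are constructed for illustration; `moz_places` and `moz_historyvisits` are the Firefox history tables.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from urllib.parse import quote, urlsplit

# Subset of Firefox's places.sqlite schema that holds browsing history.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, place_id INTEGER,
    visit_date INTEGER,  -- microseconds since the Unix epoch
    visit_type INTEGER
);
"""


def build_sample_db(path):
    """Write a constructed stand-in for a copied profile (not real history)."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_places (id, url, title) VALUES (?, ?, ?)",
        [
            (1, "https://www.qubes-os.org/doc/", "Qubes docs"),
            # A title carrying a terminal escape sequence, as a hostile page could set.
            (2, "https://www.qubes-os.org/hcl/", "HCL\x1b[31m"),
            (3, "https://example.org/", None),
        ],
    )
    conn.executemany(
        "INSERT INTO moz_historyvisits (place_id, visit_date, visit_type) VALUES (?, ?, ?)",
        [
            (1, 1471212000000000, 1),
            (2, 1471212060000000, 1),
            (3, 1471212120000000, 2),
            (1, 1471212180000000, 1),
        ],
    )
    conn.commit()
    conn.close()


def open_readonly(path):
    """Open the copy without modifying it: mode=ro forbids writes, immutable=1 takes no locks."""
    uri = "file:" + quote(os.path.abspath(path)) + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def sanitize(text):
    """Replace non-printable characters so untrusted strings cannot drive the terminal."""
    if text is None:
        return ""
    return "".join(ch if ch.isprintable() else "?" for ch in str(text))


def read_history(conn):
    """Return [(ISO-8601 UTC time, url, title)] for every visit, oldest first."""
    rows = conn.execute(
        "SELECT v.visit_date, p.url, p.title "
        "FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id "
        "ORDER BY v.visit_date"
    )
    history = []
    for visit_date, url, title in rows:
        if not isinstance(visit_date, int):
            continue  # malformed row in an untrusted file
        try:
            when = datetime.fromtimestamp(visit_date // 1_000_000, tz=timezone.utc)
        except (OverflowError, OSError, ValueError):
            continue
        history.append((when.isoformat(), sanitize(url), sanitize(title)))
    return history


def sites_visited(history):
    """Collapse the visit list to a per-hostname visit count."""
    counts = {}
    for _, url, _ in history:
        try:
            host = urlsplit(url).hostname or "(no host)"
        except ValueError:
            host = "(unparseable)"
        counts[host] = counts.get(host, 0) + 1
    return counts


def demo():
    """Build the constructed sample, then read it back the way a copied profile would be read."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "places.sqlite")
        build_sample_db(path)
        conn = open_readonly(path)
        try:
            return read_history(conn)
        finally:
            conn.close()


if __name__ == "__main__":
    visits = demo()
    for when, url, title in visits:
        print(when, url, title)
    print(sites_visited(visits))
```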



Re: [qubes-users] installing Signal on Qubes mini-HOWTO

2016-08-14 Thread Nicklaus McClendon
On 08/14/2016 05:22 PM, IX4 Svs wrote:
> Just spent a few minutes to figure this out so I thought I'd share.
> 
> If you're a Signal user on Android, you can now have Signal inside
> Qubes. Here's how I did it:
> 
> 1. Install the Chromium browser in your appvm template - skip if you
> were already using it. Shut down the template VM.
> 2. Create a new AppVM called Signal
> 3. Launch Chromium browser in new VM, go to chrome://extensions/ in the
> address bar and follow the link to the Chrome app store.
> 4. In the app store, search for "Signal private messenger" and install
> the app.
> 5. The app launches automatically on first install. Follow the prompts
> to "link" this app with your phone.
> 6. At this stage Signal should work on your Qubes system.
> 
> Let's make Signal a bit more usable by creating a shortcut in our
> desktop panel that launches Signal directly. (this assumes KDE desktop
> on Dom0)
> 
> 7. Create a Chromium shortcut using the Qubes way (Q -> Domain: Signal
> -> Signal: Add more shortcuts... -> Select "Chromium web browser")
> 8. Follow
> http://support.whispersystems.org/hc/en-us/articles/216839277-Where-is-Signal-Desktop-on-my-computer-
> to create a desktop shortcut
> 9. Right-click on Chromium icon in panel, select "Icon Settings"
> 10. Change the "Command" field of the "Application" tab to: qvm-run -a
> --tray Signal '/usr/lib64/chromium-browser/chromium-browser.sh
> --profile-directory=Default --app-id=(long string which you'll get from
> the properties of the desktop shortcut you created in step #7)'
> 11. Copy the Signal app icon file from the Signal AppVM to Dom0. I used
> the following command to copy the icon file to Dom0: [user@dom0]$
> qvm-run --pass-io Signal 'cat
> /home/user/.local/share/icons/hicolor/48x48/apps/chrome-(long-appID)-Default.png'
> > /home/users/signal-icon.png
> 12. Now you can change your new shortcut's icon from Chrome to Signal,
> by pointing it to /home/users/signal-icon.png
> 
> If anyone has a better way of creating a custom panel shortcut I'd love
> to hear it.
> 
> Cheers,
> 
> Alex
This is a really neat idea and guide, thanks for sharing it! It might be
better to work with the way Qubes handles the shortcuts internally.
That documentation can be found here.
https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1

If you dig through the GetAppMenus RPC, you'll see it (generally put)
draws its source list from desktop files in /usr/share/applications. If
you put a Signal .desktop file in there, you should (I think, untested)
be able to simply use the GetAppMenus RPC.
-- 
kulinacs 



Re: [qubes-users] Qubes 3.2(R2) USB Connecting to DOM0 by Default

2016-08-12 Thread Nicklaus McClendon
On 08/12/2016 01:27 PM, johnroberts19...@gmail.com wrote:
> On Thursday, August 11, 2016 at 8:50:53 PM UTC+2, Andrew David Wong wrote:
> On 2016-08-11 05:08, amad...@riseup.net wrote:
> > My understanding is that by default Qubes Dom0 is protected from USB
> > attacks by disallowing access to USB's. To the contrary, on my system, USB's
> > have direct access to Dom0 - I plug in a usb -popup shows it's connected to
> > dom0 - i have direct access via dom0 to the files on the usb.
> >
> > Is it just me? or is it a system failure?
> >
> 
> Please read this page:
> 
> https://www.qubes-os.org/doc/usb/
> 
> Without a USB qube, the USB controllers are left in dom0, which sounds like
> your situation. Depending on the version of Qubes you're using and whether
> you're using a USB keyboard and/or mouse, you should have been prompted during
> installation to create a USB qube. However, you can also create one yourself
> by following the instructions on that page.
> 
> 
> So i use R 3.1 and have a usb mouse and keyboard but nothing about usb 
> mention while the installation. i wonder the same as the author after i 
> insert usb stick to my system and it's at dom0.
> 
Do you have a USB Qube? If not, you need to make one following Axon's
instructions above. Otherwise, I would check your USB Qube's attached
devices with Qubes VM Manager (the Devices tab in the USB Qube's
settings) and make sure your USB Controllers are selected.

-- 
kulinacs 



Re: [qubes-users] what practices, modules, and toolsets should I be familiar with to effectively contribute to qubes?

2016-08-11 Thread Nicklaus McClendon

On 08/11/2016 11:32 AM, 'digitaldijjn' via qubes-users wrote:
> I'm a programming noob going in my first year of a computer science
> program. I spend most of my free time getting better with python3,
> though I am familiar with java as well. In order to be able to
> contribute to the project, what are the subjects, modules,
> languages, practices and toolsets that I need to be familiar with?
> Also are there parts of the project you guys looking to get the
> most outside help? Areas somewhat neglected because the developers
> are too busy focusing on major (security) concerns but has lots of
> user request for?
> 
I would personally recommend checking out the help wanted list on the
Qubes Issue tracker on github:
https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22
As far as helping out in general, I think we could always use more
documentation. If you find a feature not documented or poorly
documented, you should write it up and submit it to the documentation
repo: https://github.com/QubesOS/qubes-doc

-- 
kulinacs


Re: [qubes-users] Memory resources

2016-08-10 Thread Nicklaus McClendon

On 08/10/2016 04:57 PM, angelo "angico" costa wrote:
> Hi, guys.
> 
> Since I've read Kyle Rankin's articles on Qubes in the 5 last
> issues of Linux Journal, I decided to give Qubes a try, and I
> downloaded and installed Qubes-os 3.1 on an old hero Compaq
> Presario C700 series notebook, with a Dual Core Intel CPU and 4GB
> RAM.
> 
> Then, I made the required updates and created a VM (based on Debian
> template) in order to install and run OwnCloud client, so I could
> have my ebook library synced with my other notebook, and the system
> could become usable for something.
> 
> All seems to be fine and working good. But when I try to open the
> default WorkVM, the system yells a harsh "ERROR: Insuficient Memory
> to start VM"!
> 
> So I ask you: Isn't 4GB RAM anything near the ideal for me to
> really start doing some work on that machine. Or if it's barely
> affordable, what configuration am I missing?
> 
> Thank you very much!
> 

Just to note, the absolute minimum to run Qubes OS is listed as 4GB of
RAM. https://www.qubes-os.org/doc/system-requirements/ Running at the
minimum may not result in a great performance. If you consider
upgrading hardware in the future and plan to use Qubes, I highly
recommend checking the Hardware Compatibility List before
purchasing anything. https://www.qubes-os.org/hcl/

As far as getting Qubes to run with 4GB of RAM, you should look at
manually setting each VM's RAM in the Qubes VM Manager (The RAM
settings are in the Advanced Tab.) I would recommend dropping the Max
memory of your sys-net VM and sys-firewall VM to between 500 and 1000
to free more RAM for another VM. I would also recommend disabling the
sys-usb VM if you have it enabled, at least until you can tune your
RAM to run it as well.


-- 
kulinacs