[qubes-users] Re: Problem creating Win7 HVM
I downloaded another Win7_64bit.iso from another source, same problem. >>Getting Stuck at a glowing windows logo Before windows even starts the >>install process. I found the Qubes VM directory dom0 /var/lib/qubes/vm-templates/ And confirmed when i delete the VM, that the VM is deleted from the directory. So it cant be an issue of trying to continue part of a failed install. Ive tried creating both a HVM & a HVM-template Allocated 2048Gb of ram (Not memory balanced) Need some help trouble shooting. Is there a log somewhere that could provide insight? Cheers -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/16dbb006-58cd-466d-9235-468348d2dda1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Kaspersky OS
The article i read failed to mention it was close source... Totally agree if thats the case. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/98bc077f-684d-4e35-92cc-419d2833da47%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Kaspersky OS
Wow just been reading about Kaspersky OS. Dam maybe this could be a new super hardened VM for Qubes..? Apparently not even based on Linux tho, built from the ground up, 14 year project. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0769e654-e60c-44d6-8993-a4a5ec43ccee%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Problem creating Win7 HVM
So using the VM manager i created a Win7 HVM (not a HVM template) I copied over the Win7.iso to a the user directory in dom0 using "qvm-run --pass-io 'cat /path/to/file_in_src_domain' > /path/to/file_name_in_dom0" And ran "qvm-start win7 --cdrom=/home/myusername/Win7.iso" = First attempt = HVM loaded, got to the stage where it starts installing files, and got an error reading file or something along those lines. I assumed the Win7_64bit.iso i downloaded from microsoft got corrupted, so I re-downloaded the .iso == Second attempt == I deleted the previous Win7 HVM, and created a new one Copied over the iso and ran command to start HVM again. Whats happening is Now is the HVM doesnt pass the windows logo stage. it just sits there and glows. I dont think that i should even see the glowing windows logo at this stage of the install. I suspect that even tho i deleted & re-created the Win7 HVM, its still trying to boot of the failed partial install. === Is there a way to check the old Win7 HVM has been completely deleted? Could this be another issue? Cheers Is -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c777475c-82f9-4fdb-9354-7610834f9065%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Fedora 24 template available for Qubes 3.2
Just pointing out that there documentation here needs updating to include commands for fedora-24: https://www.qubes-os.org/doc/templates/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/30472ff8-b958-4188-9e6f-35de5e4655ce%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Replacing Dolphin on Whonix-ws
I Really dislike Dolphin. Thumbnail previews dont even seem to work, and its kinda annoying to use. I'd like to swap it out for something lite and simple (like the fedora-23 file browser) Just wanted to check thats not going to break anything? Looking at the package removal list, i think it probably will... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4013a4be-3402-4a26-824e-11c450d99ea0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Does the Standard Firewall-VM Actaully do anything?
It also raises the question, Is there any benefit running a VPN-Proxy-VM through sys-firewall? Or maybe save the overhead and just connect VPN-Proxy-VM directly to sys-Net? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/46293b88-6235-4ae6-b360-e9c3875a4f00%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Just Broke Debian-8 Template
On Thursday, 17 November 2016 10:33:28 UTC+10, Vít Šesták wrote: > I've tried to replicate it in a DVM and it behaved according to my > expectation: > > When running sudo apt remove imagemagick, it asks me for also removing some > qubes-* packages. The reason is that those packages depend on ImageMagick > package, so you should either remove them as well or keep ImageMagick. Well, > the prompt looks mostly as a standard remove prompt. If you don't read > carefully what is going to be removed, it is easy not to notice that > something additional is going to be removed. I remember I have done a similar > kind of mistake when removing a Debian package. > > Now, it is easy to see why just installing ImageMagick didn't help. Your > problem is not just that you miss ImageMagick, the problem is also that you > have removed few other packages, including Qubes GUI daemon. You should be > able to install them in similar way you have installed ImageMagick. You can > see the list of packages you have removed in /var/log/apt/term.log. One also > could check what dependencies are typically removed when removing > ImageMagick. (I can't do it right now because I am not on Qubes ATM.) > > Regards, > Vít Šesták 'v6ak' Just for anyones future reference the additional packages seem to be: qubes-core-agent qubes-gui-agent qubes-input-proxy-sender qubes-pdf-converter -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/89a25239-aea5-4bc6-8efa-b92a64291a46%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Does the Standard Firewall-VM Actaully do anything?
So im finally getting around to rebuilding the sys-firewall VM on a minimal template. Put it off because i thought there would be a lot of scripting to setup. According to documentation, it doesnt need any extra packages. https://www.qubes-os.org/doc/templates/fedora-minimal/ And when creating the VM, there is no specific option for a "firewall VM", only "ProxyVM". * So is it correct to assume the sys-firewall VM is just an empty box routing connections? * There are no specific scripts/rules/packages of protection? * Does this actually provide any protection in the sense of a traditional software firewall? How so? Does it stop incoming connections? Or just add a layer of separation between sys-net & app-VMs? * It seems sys-firewall is just there for users to create their own custom rules in VM Manager settings? Can u give an example of rules U guys actually use? Thanks -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c6e75fcc-20d0-42e1-b36d-54e213f42db4%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Just Broke Debian-8 Template
On Wednesday, 16 November 2016 21:08:14 UTC+10, Unman wrote: > On Wed, Nov 16, 2016 at 10:26:34AM +, Unman wrote: > > On Tue, Nov 15, 2016 at 09:50:58PM -0800, Sec Tester wrote: > > > So i wanted to uninstall that rubbish image editor "imagemagick" > > > > > > Ran: sudo apt-get remove imagemagick > > > > > > VM crashed. Error in VM manager says "qrexec not connected" > > > > > > Tried to restart, VM manager Error says "can not start qubes-guid" > > > > > > Would prefer not to replace entire template if possible? > > > > > > Cheers. > > > > > Indeed, the warning about removing qubes-gui-agent and assorted other > > qubes modules might have tipped you off that this wasn't wise. > > > > Use qvm-revert-template-changes which will get you back to a clean > > start. > > > > unman > > > > Alternatively connect to a console from dom0 using: > sudo xl console > This will give you a console connection from where you can > log in as root and reinstall the packages you removed. > > unman Thank you qvm-revert-template-changes debian-8 - didnt fix it. I tried to set an earlier date, but --help file and man file didnt specific the option format. while VM light was still yellow ran: sudo xl debian-8 root apt-get install imagemagick Unfortunately still wont start up. must be other missing a packages. I decided to just replace the template. > Indeed, the warning about removing qubes-gui-agent and assorted other > qubes modules might have tipped you off that this wasn't wise. ha, well just habbit of hitting y when runnning apt-get. Oops :P -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9238ac05-f1cd-465e-abf3-2788d5e002d7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Just Broke Debian-8 Template
So i wanted to uninstall that rubbish image editor "imagemagick" Ran: sudo apt-get remove imagemagick VM crashed. Error in VM manager says "qrexec not connected" Tried to restart, VM manager Error says "can not start qubes-guid" Would prefer not to replace entire template if possible? Cheers. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/61b34100-9754-448e-994c-6a63f5ab5358%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Disposable VMs are not disposed of
Concerning. Its not the same website is it? Remembering you by IP? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5dcb25ea-2697-4de3-9fec-ba570b393533%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Disguising Qubes VMs
A thought on security through obfuscation. Right now in terminal is you type: "uname -r" we get the kernel version, which has "qubes" in the name. Straight away the attacker, knows he's dealing with a qubes VM. Could we not name the kernels to match their original OS? And following that same concept, disguise any other tell tale signs this is a VM on Qubes. QubesIncoming, could just be called received. Use non qubes unique process or packet names. This would also include renaming Xen stuff. Hiding any obvious qubes unique directories deeper into the file system. Of course if an attacker specifically tries to tell if they are in a VM its impossible to 100% hide it, but if an attacker does a quick check and thinks they're on a standard debian desktop, memory attacks & dom0 are never a target. Just an idea. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c3fc9950-076e-4bfa-a2fe-43dbb3ce2f57%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Improvement: check disk space before copy to VM
Could open up a vulnerability if not done carefully. VM could use it to query and identify other VMs in existence on the system. But if it required a dom0 authorization before checking & transferring, should be ok. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8d1f49d8-60c0-4b80-94e2-0f0866410495%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.
> > Why not grsecurity/PaX? especially with Qubes 4 switching to HVM (or PVHv2 or > whatever it's called now), it will apparently work fine. Nice suggestion. I would certainly welcome its implementation. Actually looks like there were successful efforts to implement this back in 2013. https://groups.google.com/forum/#!topic/qubes-devel/l5mi2dklu18 Seriously, why didnt qubes pick this up and run with it? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1a73f70b-5d8a-4938-813c-6fa0c03fbae3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Installing VPN in Qubes Versus VPN on a Router
I guess the main benefit to having VPN on router is it takes that overhead off the PCs CPU & memory. But the paper is right, a lot of network hardware is backdoored. Especially the cisco stuff. And im suspicious of the Chinese stuff too. We should endeavor to run open source routers. But im not aware of any open source modems? Im actually surprised someone hasnt cracked the proprietary DSL code and leaked an open source modem. I bet we would not like what we found in their proprietary code :/ Having a VPN-Proxy-VM offers the flexibility to chose what VMs directly connect to the internet, and which VMs are routed through the VPN which is nice. I've set my VPN-Proxy-VM using a minimal template, to future reduce the attack surface. You can also run the whonix-gw over the vpn, or vise versa. I imagine since snowden said to the world he uses Qubes OS, the NSA have had their team looking for ways in. I think qubes can be hardened much more than it currently is. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/43b6362b-0fd1-4105-b865-ccf0415cc8ce%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: #2 .odt files and LibreOffice Install
you want to copy the file from your work VM to the fedora-23 template and then install all with terminal? 1)open terminal in your workVM 2)ls (useful to lists directories/files) 3)cd Downloads (or where ever you saved it) 4)qvm-copy-to-vm "DestinationVM" filename https://www.qubes-os.org/doc/vm-tools/qvm-copy-to-vm/ 4)sudo dnf install /path/to/package.rpm (path will likely be /home/user/QubesIncoming/nameofsendingVM) That should get libreoffice installed for you. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4092697e-5e91-4a91-843b-78244239d6f4%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2
> Yes, it is also available - as noted in the message. And i read too quickly, doh :o) Look forward to taking 24 for a spin. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5c1147ea-f2e9-4702-82b6-24ded29b7197%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.
> > This might add significant time to the install, but could be a tick box > > option, with a note about extra time. > > I think a better practice along these lines is to supply the additional > packages needed to create a desktop-friendly template... alongside the > minimal template. This would take a *little* extra time during installation. > > Another option would be to simply provide a script that purges all the > packages that are unneeded for a minimal template. > Good suggestion. A script that shrinks templates into minimals. I like this idea. A script could then also create a min debian template too. I just had a look inside the Qubes-R3.2-x86_64.iso I found the templates under packages/q I wonder if a script could also be used to turn a whonix-ws into a whonix-gw or vise versa. This could reduce the size of the Qubes.iso by about 500mb. making more room for other goodies. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b358c399-fb50-4632-a582-922a30b44199%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Fedora 24 template available for Qubes 3.2
NICE!! Any specific improvements or fixes running Fedora-24? I noticed F-23 seemed to have trouble playing flash videos for me. F-24 Min template coming? A Deb-8 min template would also be nice :) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b899644a-927c-4c07-bf0d-a5667c4a2b72%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Genymotion in Qubes
Nice question. I would also like to know. Have you setup a Win7 HVM? This maybe be the best place to try setup Genymotion. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fda74214-2db6-48f7-b81a-bf90683697e3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.
Hi Marek, >On Sunday, 13 November 2016 03:33:50 UTC+10, Marek Marczykowski-Górecki wrote: > > They have basically said, Elite hackers can gain root, so lets just not > > even bother with this foundational layer of security. > > The point is _if_ someone is able to run arbitrary code as user, he/she > can easily run it also as root, because of tremendous attack surface of > linux kernel and all the services running as root. In the worst case one > needs some patience and simply wait for you to authorize some command to > be ran as root (regardless of authorization method - password, qrexec > confirmation as described on https://www.qubes-os.org/doc/vm-sudo/ or > anything else). In the simplest case one may alias 'sudo' to for > example 'sudo /tmp/my-evil-script'. Thats why i would like to see root pw + selinux together in Qubes VMs. > On the other hand, making it harder to execute arbitrary code in the VM > (reducing attack surface) makes sense. Things like SELinux, AppArmor, > seecomp filters etc. > Take a look at SubgraphOS + QubesOS thread here for more details: > https://secure-os.org/pipermail/desktops/2015-October/02.html This sounds FANTASTIC!! Definitely adds those extra layers of protection i was talking about. I hope Qubes consider this in the future. > Yes, this mostly makes sense. As for out of the box configuration we're > somehow limited by installation image size. Now it barely fits on DVD > (which also means a lot to download). Adding another Linux-based > template means another few hundreds MBs. > Using unikernel may help here (see MirageOS for firewallVM). It is still > not mature enough to have it in default installation, but I hope it will > be some day. It's hard to do the same with sys-net, because the need for > all the hardware support... Install size is a valid restriction. Could the install process not compile a minimal templates from the standard fedora-23 template? This might add significant time to the install, but could be a tick box option, with a note about extra time. > > Again - this may be useful for some, but not as part of default > installation image. In some cases this may be even harmful, see here: > https://groups.google.com/d/msgid/qubes-devel/80a370cd-7868-5c2a-e0ff-c9b05a569f10%40gmail.com I agree that this doesn't need to be an out of the box feature. But would be nice to be able to implement. glad to see issue has already been raised. > The file copy protocol is specifically designed the way to avoid > immediate target compromise if you copy a file there. For example files > are always placed in directory named after source VM name. I hope it's > obvious enough to not blindly click on files from > "QubesIncoming/untrusted" directory in your template... So QubesIncoming container makes self executing code impossible? eg worms etc If so then an attacker may try to infect the users ligitmate files with a Parasitic virus, that will be copied & opened at some point. My point is this kind of activity can currently go on inside our VMs unopposed. There are currntly no preventative layers of security inside VMs. Which is the perfect enviroment to execute attacks on dom0, or infect user & system files. > We even consider getting rid of this confirmation in file copy at all: > https://github.com/QubesOS/qubes-issues/issues/2280 CRAZY. IMO if people want a "windows" experience where everything runs as admin, and security is dropped in the name of convince, then they belong on windows. The demographic that are interested in Qubes OS are security & privacy focused. Honestly if things could transfer between VMs without authorization, then what is the point of even having seperate VMs? and thus even running Qubes? Hi Chris, > Its easy to enable apparmor. See the Whonix documentation about this. > I will have a look thanks. I have read that AppArmor isnt as robust as SELinux, but IMO an extra layer of security is better than none. > Therefore, I think it is up to the community to promote the Linux extra > security measures as a kind of add-on. Enabling it could be a good thing > IF and only if we can do it with minimal effort and distraction. But > keep it far away from pre-installed or supported status. Well how hard is it really to at least provide the option of root password protection for VM's? Say a check box in the VM settings that let dom0 know this VM needs a password before trying to update it. > I will say this is fair. > > Even so, the attackers have to find an exploit for the apps you're > using. The apps are already designed by default not to grant access. But > they have large surface area and Linux could help reduce it somewhat. > Throwing a chair in the path of your attacker (and warding off the > percentage of attackers that can't deal with chairs) is a good thing. The "chair" from my reading actually Stops the Majority of attacks. I read a whitepaper that showed just by NOT runni
[qubes-users] Re: proper way to autostart script in dom0
maybe it needs to be made exacutable.. from the directory of file in terminal sudo chmod +x /the/directory/of/file/filename.sh -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0b98a473-c00c-452b-875b-6bfe447f7752%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: some trouble installing qubes on a macbook air. please help
Just a suggestion. In bios try differnt settings. Maybe change hard drive from ahci to ide or legacy of vise versa. In my bios i had to change from uefi before i could even get to the install menu. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cd7ba11b-cdec-48d2-b3da-d23fa7bca40e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: #2 .odt files and LibreOffice Install
Im not sure about the kernel problem, maybe one of the Qubes team will have advice on that, post the error log if you can find it. One other small thing that you've probably tried. sudo dnf upgrade Good luck -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/40177af9-222b-45ce-b52b-917ff66d75d3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Thoughts on Qubes OS Security... Could be improved.
Some examples of Default Root access possibly being exploited in Qubes. === Looks like the DRAMA attack would require root access in VM, to compromises Qubes shared memory "taskset 0x2 sudo ./measure -p 0.7 -s 16." https://groups.google.com/forum/#!topic/qubes-users/qAd8NxcJB3I = I thought of a possible persistent attack vector, that would survive even after rebooting the VM. If malware wrote its self into rw/config/rc.local it could reinfecting the system every restart. === === Also today i used the CLI command to move files between VM's "qvm-copy-to-vm" a dom0 prompt seems to be the only thing stopping an attacker spreading malicious code across the whole machine, including templates. Using the DRAMA attack to Authorize, bypass or spoof permission to transfer malware across the entire system. A VM root password would just add that extra layer of prevention. === All of these attacks could be mitigated with a password for root access in VM. SELinux policies could also limit directories being read & written to. Im still studying Qubes OS tho. Perhaps there are existing security features in qubes im unaware of that prevent these attacks without requiring a VM root password? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e9640658-7763-4e57-8af2-5eb0ff09a86d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: #2 .odt files and LibreOffice Install
Your trying to modify the fedora-23 template correct? Is sys-firewall specified as its net VM? If not, set the fedora-23 template NetVM to sys-firewall. Then try "sudo dnf install libreoffice" Do your other app VM's have internet access? If not. Does sys-firewall have sys-net set as its "NetVM"? == Ping tests == Open terminal in sys-Net. Try: ping www.google.com If that works Open terminal in sys-firewall. Then > ping www.google.com If there is no ping result even from sys-net, then you have to check if the adaptor has been asigned, and is enabled. https://www.qubes-os.org/doc/assigning-devices/ Just so you know, you cant ping or browse internet from a template, but it should still be able to update, and install packages via dnf. sometimes stopping all the VM's and restarting them fixes internet. worst case, you could replace the fedora-23 template with a fresh one from qubes. in dom0 open a terminal. sudo qubes-dom0-update --action=reinstall qubes-template-package-name https://www.qubes-os.org/doc/reinstall-template/ if non of that works. maybe easier to just reinstall Qubes OS? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ac246815-3491-478c-b00a-f74810d79448%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Leak Problems with VPN ProxyVM + AirVPN & Network lock
> You might get more interest if you explained which features of the AirVPN GUI > are worth having. The Github README is blank. > > I think most openvpn users are content to use the official client since it's > simpler and better audited. The current fail-close solution has also been > reviewed by some intelligent (and paranoid) people. Once the VPN is up, the > GUI is hidden behind your work so I'm not sure what advantage it has. Primary reason, the AirVPN GUI makes it very fast to change between the 172 servers AirVPN has https://airvpn.org/status/ GUI shows the stats for each server load, latency. Handy when picking which one to connect to. Also handy to see current uplaod/download speeds. Shows current IP address. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a99b2fa2-fc0d-44b8-aa99-03a7f78724a0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Are Qubes/Xen vulnerable to new DRAMA attack?
Perhaps another reason why VM's shouldn't have default root access? "taskset 0x2 sudo ./measure -p 0.7 -s 16." -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/39a126d2-d254-464d-bd91-ec2d76850405%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Please help, can't get into Qubes
On Saturday, 12 November 2016 06:39:50 UTC+10, Fred wrote: > I made a change to the PCI devices for the sys-net VM and now Qubes > hangs on boot when starting this vm. > > I've tried using the installation image to get to system rescue via the > troubleshooting link in the installer. I can get into my system this way > but I'm unsure what to change as removing the pci device from the > sys-net XML file doesn't seem to make this change persist -- something > keeps generating a new one with the bad PCI device XML node. > > How can I disable sys-net from starting when connected via a rescue shell? why not just delete sys-net VM and build a new one? once created, remember assign the adaptor to it https://www.qubes-os.org/doc/assigning-devices/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0fa585dc-8eed-4354-8437-5dbf5815f82f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Thoughts on Qubes OS Security... Could be improved.
So Im still new to Qubes, but after going through a bit of a learning curve, building & customizing VM's to suit my security needs, I have a few thoughts on its security. Firstly I really love the direction Qubes has taken the future of operating systems, and its has definitely become my OS of choice. HOWEVER, i feel that Qubes OS relies HEAVILY on ONE security mechanism > Isolation. There are 2 ways we can improve security 1. But adding layers of protection. 2. By reducing the attack surface area. Layers of protection In regards to layers of protection, IMO Qubes only has one. By isolating VM's if a system is infected, it has to breach that VM & gain access to dom0, where it then has total control of the system. The problem is in the current configuration, there is nothing to stop a hacker or malicious software from running, manipulating VM system files, or downloading additional hack tools/scripts to attempt to breach into dom0. To basic extra layers of protection missing from Qubes that usually hardens Linux security are; Password protected root access on VM's SELinux or AppArmor. I have read Qubes excuse for NOT requiring a password for root access in VM's https://www.qubes-os.org/doc/vm-sudo/ I frankly think saying "its highly unlikely if that person (who could breach a VM to dom0) couldn't also find a user-to-root escalation in VM" as a very LAZY justification. They have basically said, Elite hackers can gain root, so lets just not even bother with this foundational layer of security. So we have VM's where any script kiddies code can run riot. This to me is over confidence in VM isolation, and a lax attitude because, hey if your infected you can just reboot & VM is clean again right? Except the infected files sitting in the home directory, just waiting to be opened again and run with root permissions. And in the example of a server VM, that system may rarely be rebooted very often? Infecting the system to infect others that connect to that server. NOT GOOD. >From what i've read SELinux isn't running do to some compatibility errors, and >because there is no point when the whole system has root access. Well lets >lock down default VM root access, and lets find a way to make SELinux work in >Qubes VMs & even dom0, or possibly AppArmor. Or maybe we need a totally new >piece of software that is Qubes specific. The more layers of security in the system the better. Reducing the attack surface area Qubes OS through the use of dom0 has reduced the attack surface area of the kernel, which is good. However, where i think Qubes could improve right out of the box, is having dedicated minimized templates for sys-net & sys-firewall. I spent time setting up fedora-23-minimal templates specifically for sys-net, sys-VPN, banking, email & browsing. I plan to make another for sys-firewall soon. VM's that have the minimal amount of programs on as possible, reduce the attack surface, and possible exploits. Again SELinux not only adds a layer of protection, it also reduces the attack surface area vulnerable in the system. = Finial suggestion = I would like to see the option to setup a decoy OS in the installation procedure, similar to true crypt/Veracrypt. These days many countries airport security can force you to turn on your laptop to be inspected, and while i imagine airport security being very confused by Qubes haha, It would be nice to not have to show them any secure files. Another approach could be decoy VM's (as opposed to another entire decoy Qubes OS), that boot into different encrypted VM's depending on the password. == I do think the Qubes OS team are doing a great job. And i hope they maintain a security based focus, and not depend solely on isolation. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e10d2a7c-bfd1-424f-afc1-b8e3eb9c1d5b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: #2 .odt files and LibreOffice Install
try : sudo dnf install libreoffice Here's how to copy paste between qubes os VM's; CTRL + C CTRL + Shift + C then go to VM you want to copy to CTRL + Shitf + v CTRL + V -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0ca91505-06b6-4a72-99c1-45af22252487%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Leak Problems with VPN ProxyVM + AirVPN & Network lock
On Saturday, 12 November 2016 04:22:37 UTC+10, Chris Laprise wrote: > > > > A tip for stopping DNS leaks with the GUI: You have to run a script like > 'qubes-setup-dnat-to-ns' (in Qubes) or 'qubes-vpn-handler.sh' (in the > VPN doc) after the client connects or else DNS packets won't get > forwarded through the tunnel. Looking at the airvpn program, you could > probably symlink its 'update-resolv-conf' to point to > 'qubes-vpn-handler.sh' and it should work. Just don't click on the > 'Activate Network Lock' as that will overwrite the firewall rules. > > Chris Im interested in building a script to work around AirVPN GUI, as opposed to OpenVPN. I would really have to research and understand exactly what each line of the current script is doing to manipulated it to work with AirVPN. This is currently out of my ability. I would welcome collaboration on this task. If i do eventually get something working, i will be sure to post it back here On Saturday, 12 November 2016 04:24:36 UTC+10, David Hobach wrote: > On 11/10/2016 10:07 PM, Chris Laprise wrote: > > @Sec Tester: > I also checked for leaks using your "google method", but didn't observe > any except for the local IP which is a browser issue. > Glad to hear you got it done as well. Just for anyones future reference, https://ipleak.net/ was a nice tool for leak tests. others worked as well tho. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3dedeb0d-1e8b-4fd6-9a7a-a2379c680ee9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Leak Problems with VPN ProxyVM + AirVPN & Network lock
I have successfully applied the setup and scripting in https://www.qubes-os.org/doc/vpn/ No more DNS leaks. This means i can atleast use my vpn, until i find a way to make things work with the AirVPN GUI. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9f9baf4a-df69-4894-b495-12c91e94d40c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Leak Problems with VPN ProxyVM + AirVPN & Network lock
After further testing, more specifically its a DNS IP leak with the AirVPN GUI with network lock off. I also leak DNS when running OpenVPN in the VPN-Proxy-VM, Havent yet applied Qubes scripts to stop leaks. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dce9ec66-3fe9-43e5-8dbf-00e2b85a4a6f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Leak Problems with VPN ProxyVM + AirVPN & Network lock
Thank you Chris & David for the replies. Unfortunately at this stage no one seems to know a solution. I will try out the Qubes VPN guide, as i really need to use my vpn. But will miss the AirVPN GUI features. I hope in time i'll find a way to secure from leaks while still using the GUI. Please post steps if anyone finds a way. "What test do you use?" I just googled "VPN leak test", ran a few on the first page. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0c18678-987b-4219-9b5d-987e23fe0b54%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Leak Problems with VPN ProxyVM + AirVPN & Network lock
I've considered leaving network lock off, and building my own custom IP Tables, or firewall rules to stop the leaks. But this is currently beyond my skill set, so would need some hand holding to learn what to do. I have looked at the section here on the Qubes site on how to stop leaks using scripts, but its kinda confusing, and looks like its for a CLI approach, when i would prefer to have my AirVPN GUI for convince. https://www.qubes-os.org/doc/vpn/#proxyvm -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8d4b36e6-e656-49c7-9bf4-03ee700429d8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] ANN: Leakproof Qubes VPN
Hey Rudd-O, Thanks for your effort and great contribution to the Qubes community. Not sure why Chris was critical, especially without specifically showing evidence of any problems. Maybe just a troll? I haven't tried your program out yet, Im keeping it as my backup option, as im still hoping to find a way to get my AirVPN GUI to work. I would prefer a GUI over a CLI, especially when i might want to switch servers quickly or look at my stats. As you seem like such an expert on this, i was hoping you could have a look at my post, and see if you could workout whats going wrong? https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg If you have the time that would be Awesome! Cheers. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b451c810-eba8-4c94-bf0c-237ef7b3678e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: HELP: TemplateVM's have lost internet access
Thank you for the reply Unman. You might be right about them never having internet access. Because dnf & yum works, i think i assumed the internet work. The reason i actually found this issues, was because i was ping testing, trying to solve a problem i was having setting up a VPN ProxyVM. (See this thread i just posted) https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg When i found the templates couldnt ping the internet, it sent me down this path trying to trouble shoot. I can still dnf yum etc now even while on sys-firewall. So we can consider this "issue" solved. Thank you Unman & Drew. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c56c6ad4-87d4-4bdf-9590-a2ddcb6dd00d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Leak Problems with VPN ProxyVM + AirVPN & Network lock
Im trying to setup a VPN ProxyVM on Qubes R3.2 == Here's what works: == Ive got AirVPN GUI setup and working on Fedora-23-minimal My AppVM can proxy through VPN ProxyVM whatismyip.com shows the VPN IP Here's whats broken: When i leak test the browser on the AppVM, my real IP leaks. The AirVPN GUI has a nice Network lock feature, that works well on the ProxyVM, stops leaks. However, the network lock feature blocks the AppVM too, cutting off its internet. In the AirVPN GUI, there are advanced settings that are suppose to allow lockal vpn traffic. And you can even specify specific IP's. Unfortunately this isnt working. = Im hoping someone with a higher understanding of IP tables, and networking can help me find a solution. Here is a link to the airVPN GUI client https://airvpn.org/linux/ If you email them they will likely give your a 3 day trial account to test. but you probably dont even need an account to see what the network lock is doing to tables, and why the exception isn't working. I have been trying to solve this on the AirVPN forum, but no fix yet. Here is the thread > https://airvpn.org/topic/20157-problem-with-network-lock-on-qube-os/ Thanks for your time :) PS: Ive tried using fedora-23 standard template too, same problem. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8bf419fc-fcc4-4549-b0eb-d7ebb70fb02b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: HELP: TemplateVM's have lost internet access
Hey Drew, Cheers for the reply. It wasn't possible to 100% follow your instructions; In "Global settings" it doesn't seem possible to set the default "netVM" to "none". It only lists choices of netVM or ProxyVMs. I left it set to "sys-firewall". I followed the rest of your instructions. Deleted the sys-net VM, created a new one. re-assigned the network adapter with qvm-pci -a when setting sys-net as default netVM, the templates can ping the Internet. BUT shouldnt i keep everything proxied through sys-firewall? Or is there some reason the templates cant go through the sys-firewall? and must go through sys-net? It seems more clear at this point the sys-firewall is responsible for stopping the templates internet. But i dont know why? I could set the template netVM to sys-net, but would prefer to solve this if possible? Look forward to your reply. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a91ef7ff-6f92-450b-bf7c-7c7685db8338%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: HELP: TemplateVM's have lost internet access
UPDATE: I just ran qvm-revert-template-changes fedora-23 Unfortunately still not able to ping out to the internet from templateVM. Could sys-firewall config be causing this? I havent even played with those settings tho. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/271a254c-3d9d-4949-b84e-7384f25bab58%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
