Re: [qubes-users] Exported Volume Error.

2021-04-12 Thread Stuart Perkins
Worse...bottom...

On Wed, 27 Jan 2021 20:02:38 -0600
"'Stuart Perkins' via qubes-users"  wrote:

>On Thu, 28 Jan 2021 00:31:16 +
>Rusty Bird  wrote:
>
>>'Stuart Perkins' via qubes-users:  
>>> Ok, now I'm afraid to turn off my computer or even stop any Debian template 
>>> based VM's...
>>
>>Don't panic, it's just a bug* in qubes-core-dom0-4.0.56. Your VM data
>>is still okay.
>>  
>>> Here is what happened.  
>>> 
>>> I was going to do a general update on Dom0 and my Debian-10 and
>>> Fedora-32 templates.
>>> 
>>> As is my habit, I deleted the older clones of those template VM's
>>> and was creating new clones with qvm-clone from a Dom0 command
>>> window.
>>> 
>>> While attempting to create a new clone of the Debian-10 template, it
>>> halted with an error:
>>> 
>>> file pool cannot export dirty volumes.
>>> 
>>> Searching for that issue suggested I start the template VM and exit
>>> it cleanly...although I don't have a recollection of a "dirty" exit
>>> (crash, kill etc...).
>>> 
>>> I went to start the template with qvm-start and it won't, giving the
>>> error:
>>> 
>>> file pool cannot start a VM with an exported volume.
>>> 
>>> How in the world do I recover from this?
>>
>>If you restart your computer (or only qubesd), it will drop the
>>lingering export lock and you'll be able to start the original
>>template again, etc.
>>
>>Rusty  
>
>I figured that out, eventually...after some sweat.  I rely on this machine way 
>too much.  All critical data was backed up, but I was not looking forward to a 
>reinstall and the time it would take out of my "way-too-busy" week.
>
>Aside:  I found out the command line "qvm-clone" will NOT work.  That is what 
>left it in this state.  Oddly enough, using the Qubes Manager gui it succeeds 
>in the clone...but leaves it where you can't start the template to do the 
>update until you reboot again.
>
>Just FYI.  In my install I chose NOT to do the LVM as it adds an unnecessary 
>layer of complexity to a laptop, which is already an encrypted installation.  
>I want to add additional drive space ONCE, and do that with just formatting 
>the second drive and symbolic links from the appvm directory to the "too large 
>for my ssd" drives.  SSD is 260G.  Hard drive is 2TB.  Like most Qubes users, 
>I work the crap out of my machine...a coreboot Lenovo T420i.
>
>Now that I'm up to 5.4.88, is this fixed?
>
>Stuart
>

Rather than getting fixed, the problem is worse now.  I cannot even clone a 
template cube with the gui.  I would have hoped this would be fixed, not made 
worse.

I have cloned appvms without issue, but trying to clone a template gives the 
"dirty volume" error.  I don't want to update my templates without being able 
to clone them first for backup.  What is the root cause of the "dirty volume" 
error? I am NOT using LVM.

Stuart

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210412103816.7b588314%40usa.net.


Re: [qubes-users] Exported Volume Error.

2021-01-27 Thread 'Stuart Perkins' via qubes-users



On Thu, 28 Jan 2021 00:31:16 +
Rusty Bird  wrote:

>'Stuart Perkins' via qubes-users:
>> Ok, now I'm afraid to turn off my computer or even stop any Debian template 
>> based VM's...  
>
>Don't panic, it's just a bug* in qubes-core-dom0-4.0.56. Your VM data
>is still okay.
>
>> Here is what happened.  
>> 
>> I was going to do a general update on Dom0 and my Debian-10 and
>> Fedora-32 templates.
>> 
>> As is my habit, I deleted the older clones of those template VM's
>> and was creating new clones with qvm-clone from a Dom0 command
>> window.
>> 
>> While attempting to create a new clone of the Debian-10 template, it
>> halted with an error:
>> 
>> file pool cannot export dirty volumes.
>> 
>> Searching for that issue suggested I start the template VM and exit
>> it cleanly...although I don't have a recollection of a "dirty" exit
>> (crash, kill etc...).
>> 
>> I went to start the template with qvm-start and it won't, giving the
>> error:
>> 
>> file pool cannot start a VM with an exported volume.
>> 
>> How in the world do I recover from this?  
>
>If you restart your computer (or only qubesd), it will drop the
>lingering export lock and you'll be able to start the original
>template again, etc.
>
>Rusty

I figured that out, eventually...after some sweat.  I rely on this machine way 
too much.  All critical data was backed up, but I was not looking forward to a 
reinstall and the time it would take out of my "way-too-busy" week.

Aside:  I found out the command line "qvm-clone" will NOT work.  That is what 
left it in this state.  Oddly enough, using the Qubes Manager gui it succeeds 
in the clone...but leaves it where you can't start the template to do the 
update until you reboot again.

Just FYI.  In my install I chose NOT to do the LVM as it adds an unnecessary 
layer of complexity to a laptop, which is already an encrypted installation.  I 
want to add additional drive space ONCE, and do that with just formatting the 
second drive and symbolic links from the appvm directory to the "too large for 
my ssd" drives.  SSD is 260G.  Hard drive is 2TB.  Like most Qubes users, I 
work the crap out of my machine...a coreboot Lenovo T420i.

Now that I'm up to 5.4.88, is this fixed?

Stuart

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210127200238.161d72d0%40yahoo.com.


[qubes-users] Exported Volume Error.

2021-01-27 Thread 'Stuart Perkins' via qubes-users
Ok, now I'm afraid to turn off my computer or even stop any Debian template 
based VM's...

Here is what happened.  

I was going to do a general update on Dom0 and my Debian-10 and Fedora-32 
templates.

As is my habit, I deleted the older clones of those template VM's and was 
creating new clones with qvm-clone from a Dom0 command window.

While attempting to create a new clone of the Debian-10 template, it halted 
with an error:

file pool cannot export dirty volumes.

Searching for that issue suggested I start the template VM and exit it 
cleanly...although I don't have a recollection of a "dirty" exit (crash, kill 
etc...).

I went to start the template with qvm-start and it won't, giving the error:

file pool cannot start a VM with an exported volume.

How in the world do I recover from this?

Stuart

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210127123934.562adad4%40yahoo.com.


Re: [qubes-users] Re: Cheap laptops that run Qubes

2021-01-25 Thread Stuart Perkins



On Mon, 25 Jan 2021 07:40:39 -0800 (PST)
Mark Fernandes  wrote:

>On Wednesday, 6 January 2021 at 00:04:44 UTC anonymou...@danwin1210.me 
>wrote:
>
>> I'm looking for a laptop that can run Qubes without stress. I want the 
>> cheapest one possible. 
>> Please let me know which one I should get. 
>>
>
>
>It just so happens that I've been researching what are the cheapest 
>computers to do fairly standard computer things...
>
>I would advise against using a used computer, unless you have strong 
>reasons to believe it hasn't been compromised. A used computer can go 
>through various owners, and any one of those owners could have been 
>targeted to the extent that the computer was hacked, perhaps even to the 
>point of hardware tampering. Additionally, the person selling or passing 
>the computer on to you, may be involved in a racket where they are 
>deliberately passing on hacked computers for bad purposes. Since you want 
>to run Qubes, I'm guessing security is important to you, which is why I'm 
>generally advising against using a used computer.
>
>If you want to go down the route of a used computer in spite of the above, 
>you ought to think about faithfully reinstalling all of the firmware chips. 
>You can't necessarily rely on firmware-updating mechanisms provided by the 
>existing firmware, as such mechanisms may themselves be compromised. I'm 
>going through the same process for my old Chromebook C720 laptop-like 
>computer. I've settled on de-soldering the main system firmware chip 
><https://doc.coreboot.org/flash_tutorial/ext_standalone.html> to replace it 
>with one securely obtained in anonymous ways (to overcome targeted attacks) 
><https://en.wikibooks.org/wiki/Talk:End-user_Computer_Security/Main_content/Broad_security_principles#Concerning_§⟪User_randomly_selecting_unit_from_off_physical_shelves⟫,_and_add_§⟪Anonymity_based⟫?>
> 
>that I'll be reprogramming using a brand new, securely obtained, Raspberry 
>Pi computer 
><https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi>,
> 
>in addition to completely replacing components that have 
>potentially-compromised firmware chips 
><https://en.wikibooks.org/wiki/Talk:End-user_Computer_Security/Main_content/Software_based#There_are_other_kinds_of_bootloaders_other_than_BIOSes_and_UEFIs,_as_well_as_similar_security_threats_based_in_other_kinds_of_firmware_(such_as_in_the_firmware_chips_of_graphics_cards)_so_perhaps_material_should_be_extended_and_generalised_to_cover?>
> 
>(such as the system disk). After taking such firmware-based security 
>measures, you probably will mostly have to keep your 'fingers crossed', 
>that the hardware hasn't been altered in other ways—such other kinds of 
>alteration are probably unlikely though.
>
>On the other hand, if you are looking at a brand new computer, Raspberry Pi 
>computers <https://www.raspberrypi.org/products/raspberry-pi-400/>, 
>smartphones, and tablets are just about the cheapest brand new computers 
>you can get where you are able to do general computing things. As for the 
>laptop requirement, you could perhaps think about setting-up a "pseudo 
>laptop experience" using such computing devices.
>
>
>Hope this helps,
>
>
>Kind regards,
>
>
>Mark Fernandes
>
>
>
> 
>

I run on a "used" computer...but...

Bios completely overwritten with coreboot.
New hard drive.
New solid state hard drive.

Chose a model with no "blobs" of code needed in the BIOS.  Lenovo ThinkPad 
T420i.  The newest Lenovo model you can completely coreboot is an X1 carbon 
Generation 1.  From Generation 2 on you will need blobs of encrypted code in 
the bios.

Stuart Perkins

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210125122011.0f64259b%40usa.net.


Re: [qubes-users] Problems setting /etc/hosts

2021-01-21 Thread Stuart Perkins



On Wed, 20 Jan 2021 22:34:14 +
"'awokd' via qubes-users"  wrote:

>mgla...@gmail.com:
>> Hi,
>> 
>> Hopefully I'm doing something silly here.
>> 
>> I want to add a couple of entries into my /etc/hosts file in a specific VM.
>> The instructions here are nice and
>> clear: https://www.qubes-os.org/doc/config-files/ except... that doesn't
>> work.
>> 
>> I've added the following to my /rw/config/rc.local :
>> echo '127.0.0.1 example.com' >> /etc/hosts
>> And after a VM restart my /etc/hosts is unchanged.  
>
>Might have to add "sudo" in front of that echo. Also, double-check that 
>rc.local is set as executable and in proper script format. Does it work 
>if you run it yourself from the command line?
>
>> Also, as an aside, is it odd that rc.local is owned by root, if it's
>> something that's expected to be changed per-VM?  
>
>No, because it's only the root account that belongs to the VM.
>
I setup a "hosts.ext" file in the home directory of the user on the VM and an 
/rw/config/rc.local script which cat's it to the end of /etc/hosts on boot.  
That makes entries for other machines on my home network (not Qubes) for my 
convenience (rdp/vinagre, ssh etc...)  

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210121155525.5860987c%40usa.net.


Re: [EXT] [qubes-users] How to attach private storage from one AppVM to another AppVM (LVM)?

2020-12-10 Thread Stuart Perkins



On Thu, 10 Dec 2020 20:43:27 +0100
Ulrich Windl  wrote:

>On 12/7/20 3:56 PM, 'heinrich...@googlemail.com' via qubes-users wrote:
>>  From one AppVM I need to temporarily access a large amount of files 
>> from another AppVM. Can this be done without copying the files around?
>> 
>> _Background: _
>> I have a large amount of files stored in AppVM "BIG". That's hundreds of 
>> GB in a separate pool on a spinning HDD.
>> I also have a small AppVM "SMALL" running a program that needs to access 
>> files from "BIG". This AppVM resides on a small SSD.
>> 
>> In the past I copied files from BIG to SMALL. But this takes time and I 
>> need to sort the files beforehand because there is not enough space on 
>> the SSD. I don't want to do that anymore. It would be okay to allow 
>> AppVM "SMALL" to access files from "BIG"'s private storage directly.
>> 
>> Googling around tells me to mount "private.img", but I'm using LVM so 
>> that's not an option. But how can this be done? Can it be done? (Or is 
>> there even a better "file sharing" approach for this amount of data 
>> without having to revert to a NAS?)
>> 
>> Any tips are appreciated.  
>
>Actually I have not done it, but it feels like you should have an NFS 
>server on BIG with a network only accessible from inside qubes, and 
>specifically from SMALL. Still it will have to transfer the file 
>contents, but you benefit from any application that only reads parts of 
>the files.
>
>When not wanting to copy I guess you'll have to mount a snapshot of 
>BIG's data as the LV should be mounted only once (AFAIK).
>
What I have done is...

created a large disk image (600g or so) on the mail dom0 drive space

written a script in dom0 to attach the image to whichever machine I want to 
access it from.

This script..
  attaches the image to a loop device
  mounts the image to the machine I desire
  added /etc/hosts entries to each app vm to mount to a dedicated directory 
when doing "sudo mount -a" by uuid
  script ends with an execution of "sudo mount -a" on the target vm

  there is also a corresponding unmount script, so if it is mounted to "mail" I 
can easily unmount it and mount it to "money".


This lets me treat the 600g.img file like a removable media which can be 
attached to any app vm.  I also back that drive image up on my network server.

Stuart

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20201210222756.6b8c55f6%40usa.net.


Re: [qubes-users] Is it recommended to install any anti-virus, anti-malware or anti-spyware apps in Qubes OS 4.0.3 or does Qubes OS takes care of all that ? - If not, which do you recommend ?

2020-03-11 Thread Stuart Perkins



On Wed, 11 Mar 2020 06:00:30 -0700 (PDT)
"'M' via qubes-users"  wrote:

>As a newbie I would like some guidance on how to set up the "QubesFirewall" 
>"correctly".
>
>I have looked on the following pages, but didn't find any guidance on this.
>
>https://www.qubes-os.org/doc/firewall/
>https://groups.google.com/forum/#!topic/qubes-devel/niMbDhS_nWI
>https://blog.invisiblethings.org/2011/09/28/playing-with-qubes-networking-for-fun.html

It depends entirely on the purpose of the AppVM.  I have one called "money" 
where I keep my bookkeeping software.  The ONLY thing allowed in the firewall 
rules is for it to connect to my home network for backup purposes when I'm not 
at home.  I have not firewalled my "mail" AppVM yet, but I could restrict it to 
the servers I use for e-mail (I do pop3 access to yahoo, gmail, hotmail and one 
paid for account).  Of course "vault" has zero network access at all.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200311100133.5bacbc47%40gmail.com.


[qubes-users] Embarrassing question

2020-03-10 Thread Stuart Perkins
I can't for the life of me figure out how to regenerate the boot file...

I want to "nosplash" it, and I just can't find anything that works.

I find the "splash" screen annoying and I don't want to have to keep pressing a 
key to make it go away.  I like to see the messages...they tell me stuff.

How do I edit the configuration to suppress the splash?

How do I regenerate the boot files?

None of it is making any sense today.

Stuart

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200310185747.3eb74f8e%40gmail.com.


Re: [qubes-users] the qubes clipboard

2020-03-01 Thread Stuart Perkins



On Mon, 2 Mar 2020 00:35:44 +
"'Jackie' via qubes-users"  wrote:

>unman:
>> On Sat, Feb 29, 2020 at 07:02:58PM +, 'Jackie' via qubes-users wrote:  
>>> Ulrich Windl:  
>>>> Hi!
>>>>
>>>> I'm very much confused with the Qubes OS clipboard:
>>>> When trying to copy some text from a Terminal, I mark the text with the
>>>> mouse then press "Ctrl+Shift+C", and I get a confirmation that the text is
>>>> copied.
>>>> However when I try to paste the clipboard in another machine, the contents
>>>> is not what I had marked.
>>>> When I use the "Edit->Copy" menu in the Terminal after having marked the
>>>> text, and then press "Ctrl+Shift+C" again, the correct text is put in the
>>>> Qubes OS clipboard.
>>>> Confusingly the Terminal displays the shortcut "Ctrl+Shift+C" for
>>>> "Edit->Copy".
>>>>
>>>> Isn't that a highly confusing feature (slowing down productive work a lot
>>>> IMHO)?
>>>>
>>>> Regards,
>>>> Ulrich
>>>
>>> Hi,
>>>
>>> In general, copying text from one VM to another is a four step process.
>>> Highlight text in VM1 document and ctrl+C to copy to VM1 clipboard. Then
>>> ctrl+shift+C to copy to dom0 clipboard. Then in VM2 window ctrl+shift+V to
>>> copy to VM2 clipboard, then ctrl+V to paste into document.
>>>
>>> It's pretty fast once you get used to it, just highlight, ctrl+C,
>>> ctrl+shift+C, alt+tab, ctrl+shift+V, ctrl+V.
>>>
>>> Terminal is a special case because ctrl+C, ctrl+V doesn't work to
>>> copy/paste, and default terminal shortcuts are the same as qubes inter-vm
>>> copy/paste shortcuts that take precedence. To paste text into terminal i
>>> ctrl+shift+V like normal to copy into VM clipboard, then edit->paste to
>>> paste into terminal. Or to copy from terminal, highlight, edit->copy, then
>>> ctrl+shift+C to copy to dom0 clipboard.
>>>
>>> Actually i think it's possible to change the dom0 shortcut so they no longer
>>> conflict, but the occasional edit->copy or edit->paste in terminal isn't too
>>> inconvenient for me.
>>>  
>> 
>> Also, it depends (naturally) on *which* terminal you use.
>> I have little experience with gnome-terminal, which is, I think, what
>> op is using.
>> Using xterm or uxterm, mouse selection *does* work to copy, and
>> Ctrl+Shift+C copies that text to clipboard for transmission to another
>> qube.
>> Does gnome-terminal need some extra configuration to enable "selection
>> by mouse"?  
>
>Gnome-terminal is what i use too. Actually i'm able to *select* text 
>with the mouse, the problem is copying it to VM clipboard. The shortcut 
>for copy in gnome-terminal is ctrl+shift+C, which qubes intercepts.
>
>But actually now that i look gnome-terminal allows you to change the 
>shortcut in preferences, so you can change it to whatever you want then 
>use keyboard shortcuts like normal.
>
>Right click->copy and right click->paste also work.
>

Was on a phone, and didn't read the thread through.  On my old Qubes install, I 
changed the Qubes copy/paste to use the "windows" key...made it easier.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200301193940.33cfa177%40gmail.com.


Re: [qubes-users] the qubes clipboard

2020-03-01 Thread Stuart Perkins
On Sat, Feb 29, 2020, 11:15 AM Ulrich Windl <
ulrich.wi...@rz.uni-regensburg.de> wrote:

> Hi!
>
> I'm very much confused with the Qubes OS clipboard:
> When trying to copy some text from a Terminal, I mark the text with the
> mouse then press "Ctrl+Shift+C", and I get a confirmation that the text is
> copied.
> However when I try to paste the clipboard in another machine, the contents
> is not what I had marked.
> When I use the "Edit->Copy" menu in the Terminal after having marked the
> text, and then press "Ctrl+Shift+C" again, the correct text is put in the
> Qubes OS clipboard.
> Confusingly the Terminal displays the shortcut "Ctrl+Shift+C" for
> "Edit->Copy".
>
> Isn't that a highly confusing feature (slowing down productive work a lot
> IMHO)?
>
> Regards,
> Ulrich
>
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/5E5A9C1102A10003749A%40gwsmtp.uni-regensburg.de
> .
>

Qubes copy and paste from one vm to another is a multi step process.  First
"copy" in the source vm window using the vm's copy keys (may be ctl-c or
right click "copy" or "ctl-insert" depending on what you are running). This
places text in vm's buffer. Then ctl-shift-c to copy vm buffer to qubes
buffer. Then click in target vm window to give target vm "focus". Then
ctl-shift-v to paste from qubes buffer to target vm buffer. Then paste as
normal in target vm...may be ctl-v, shift-insert or other, again depending
on what you are running.


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAArVCJVJP8fJATknznBu62iR4aTTgF8qU7mJSnuax%2B89%3DG3jsw%40mail.gmail.com.


Re: [qubes-users] What gives with the restrictions on mounting devices?

2020-03-01 Thread Stuart Perkins



On Sun, 1 Mar 2020 15:03:46 +
unman  wrote:

>On Sun, Mar 01, 2020 at 06:48:14AM -0600, Stuart Perkins wrote:
>> I have a 300gb drive image I mount on whichever machine I want to put common 
>> things...pictures/documents/etc...and this happens:
>> 
>> Here is my mount script..{/mnt/2tb is the mount point for my 2 terabyte 
>> drive}
>> 
>> ==
>> [admin@dom0 ~]$ cat bin/mount300g.sh
>> if [ A${1} == A ] 
>> then VM=untrusted
>> else VM=${1}
>> fi
>> MOUNTED=`qvm-block|grep 300g.img|wc -l`
>> if [ ${MOUNTED} == 1 ]
>> then
>>  ONVM=`qvm-block|grep 300g.img|awk '{print $3}'`
>>  echo Already Mounted on ${ONVM}
>>  exit 0
>> fi
>> sudo losetup -f /mnt/2tb/300g.img
>> LOOPDEV=`losetup --list | grep -F 300g.img|awk '{print $1}'|awk -F/ '{print $3}'`
>> qvm-block attach ${VM} dom0:${LOOPDEV}
>> VMDEV=`qvm-block|grep 300g.img|awk -Fxvd '{print "xvd" substr($2,1,1)}'`
>> echo Mounted on ${VM} as ${VMDEV}
>> qvm-run -p ${VM} 'sudo mount -a'
>> ==
>> 
>> 
>> And here is what happens on a freshly opened dom0 command window...
>> 
>> ==
>> [admin@dom0 ~]$ mount300g.sh untrusted
>> qvm-block: error: backend vm 'dom0' doesn't expose device 'loop21'
>> Mounted on untrusted as
>> mount: /home/user/300g: can't find 
>> UUID="b7a87607-d757-41f8-95fe-408268f3b62b".
>> ==
>> 
>> So, I remove it by dropping the mount with losetup...
>> 
>> Then I issue a "cd" command, which does nothing since I'm still at the home 
>> directory...
>> 
>> Then I re-try the mount, and it succeeds...
>> 
>> ==
>> [admin@dom0 ~]$ mount300g.sh untrusted
>> Mounted on untrusted as xvdi
>> ==
>> 
>> Two questions:
>> 
>> 1. What sort of half-done edit is this nonsense?  It is embarrassing.
>> 
>> 2. What exactly is trying to be controlled by restricting the exposure of 
>> loop devices to manual mounting anyway?  My machine, and I'll mount what I 
>> want where I want.  
>
>I wouldn't do this.
>I wouldn't do it like this - there's no error checking, you don't test
>outputs before moving on to next stage, `mount -a` is almost certainly
>not what you want.
>
>That said, it works for me - 300G image on a 1TB drive
>
>What shell are you running? (I note you don't specify in the script)
>Is `cd` at all relevant, or would *any* command do? 
>Would it work if you just waited for a few minutes?
>
>My guess is that there's some issue between the *first* losetup and the
>LOOPDEV variable, and on the second run you pick up the *first* - you
>could test this with a long sleep between the losetup line and the
>LOOPDEV line.
>
I understand the security implications...and I take the "risks" with my own 
stuff.  I hadn't thought of just a sleep...I may try it with a 3 second sleep 
in between.  One would think the error message would be something "/dev/loop21 
does not exist" though if that were the case.  Thanks for the hint though...I 
hadn't thought of just waiting a bit.  My use of "cd" is simply a "do nothing" 
command..I may try something else like an "ls" and see if I get the same 
results if the wait doesn't do it.  Just an oddness of the error message.


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200301102649.5e078f7a%40gmail.com.
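
The checks unman asks for in the reply above (test each step, and wait between losetup and the attach instead of assuming the device is ready), sketched as a dom0 helper. This is an added example, not code from the thread: the `qvm-block` column layout is assumed from the awk calls in the posted script, and the `attach`/`demo` arguments, the 15-try limit and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): attach a dom0 disk image to a qube,
# checking every step. Run in dom0 as:  sh attach-image.sh attach untrusted
IMG=${IMG:-/mnt/2tb/300g.img}     # image path used in the thread
MNT=${MNT:-/home/user/300g}       # fstab mount point from the thread's error output
LIST_CMD=${LIST_CMD:-qvm-block}   # overridable so the helpers can run offline

# Constructed sample listing; columns (DEVICE, DESCRIPTION, USED BY) are
# assumed from the awk calls in the posted script.
SAMPLE_LISTING='dom0:loop21  /mnt/2tb/300g.img  untrusted (frontend-dev=xvdi, read-only=no)
dom0:loop3   /mnt/2tb/other.img'

# Print the qube (3rd column) the image is attached to, or nothing.
attached_vm() {   # $1 = listing text, $2 = image path
    printf '%s\n' "$1" | awk -v img="$2" 'index($0, img) && NF >= 3 { print $3; exit }'
}

# Succeed only on an exact DEVICE match, so loop2 does not match loop21.
is_exposed() {    # $1 = listing text, $2 = loop name such as loop21
    printf '%s\n' "$1" | awk -v id="dom0:$2" '$1 == id { found = 1 } END { exit !found }'
}

# Poll the listing until dom0 exposes the loop device, instead of a fixed sleep.
wait_exposed() {  # $1 = loop name, $2 = max tries, $3 = delay in seconds
    tries=$2
    while [ "$tries" -gt 0 ]; do
        if is_exposed "$($LIST_CMD)" "$1"; then return 0; fi
        tries=$((tries - 1))
        sleep "$3"
    done
    return 1
}

attach_image() {  # $1 = target qube (defaults to untrusted, as in the thread)
    vm=${1:-untrusted}
    listing=$($LIST_CMD) || { echo "cannot list block devices" >&2; return 1; }
    on=$(attached_vm "$listing" "$IMG")
    if [ -n "$on" ]; then echo "Already attached to $on"; return 0; fi

    # Reuse a loop device left over from an earlier failed run, if any.
    dev=$(sudo losetup -j "$IMG" | cut -d: -f1 | head -n 1)
    if [ -z "$dev" ]; then
        # --find --show prints the device it allocated: no grep over the list.
        dev=$(sudo losetup --find --show "$IMG") || { echo "losetup failed" >&2; return 1; }
    fi
    loop=${dev#/dev/}

    if ! wait_exposed "$loop" 15 1; then
        echo "dom0 never exposed $loop; releasing it" >&2
        sudo losetup -d "$dev"
        return 1
    fi
    qvm-block attach "$vm" "dom0:$loop" || { sudo losetup -d "$dev"; return 1; }
    # Mount only this fstab entry rather than everything via `mount -a`.
    qvm-run -p "$vm" "sudo mount $MNT"
}

case "${1:-}" in
    attach) attach_image "${2:-}" ;;
    demo)   attached_vm "$SAMPLE_LISTING" "$IMG" ;;   # prints: untrusted
esac
```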


[qubes-users] What gives with the restrictions on mounting devices?

2020-03-01 Thread Stuart Perkins
I have a 300gb drive image I mount on whichever machine I want to put common 
things...pictures/documents/etc...and this happens:

Here is my mount script..{/mnt/2tb is the mount point for my 2 terabyte drive}

==
[admin@dom0 ~]$ cat bin/mount300g.sh
if [ A${1} == A ] 
then VM=untrusted
else VM=${1}
fi
MOUNTED=`qvm-block|grep 300g.img|wc -l`
if [ ${MOUNTED} == 1 ]
then
ONVM=`qvm-block|grep 300g.img|awk '{print $3}'`
echo Already Mounted on ${ONVM}
exit 0
fi
sudo losetup -f /mnt/2tb/300g.img
LOOPDEV=`losetup --list | grep -F 300g.img|awk '{print $1}'|awk -F/ '{print $3}'`
qvm-block attach ${VM} dom0:${LOOPDEV}
VMDEV=`qvm-block|grep 300g.img|awk -Fxvd '{print "xvd" substr($2,1,1)}'`
echo Mounted on ${VM} as ${VMDEV}
qvm-run -p ${VM} 'sudo mount -a'
==


And here is what happens on a freshly opened dom0 command window...

==
[admin@dom0 ~]$ mount300g.sh untrusted
qvm-block: error: backend vm 'dom0' doesn't expose device 'loop21'
Mounted on untrusted as
mount: /home/user/300g: can't find UUID="b7a87607-d757-41f8-95fe-408268f3b62b".
==

So, I remove it by dropping the mount with losetup...

Then I issue a "cd" command, which does nothing since I'm still at the home 
directory...

Then I re-try the mount, and it succeeds...

==
[admin@dom0 ~]$ mount300g.sh untrusted
Mounted on untrusted as xvdi
==

Two questions:

1. What sort of half-done edit is this nonsense?  It is embarrassing.

2. What exactly is trying to be controlled by restricting the exposure of loop 
devices to manual mounting anyway?  My machine, and I'll mount what I want 
where I want.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200301064814.68852c99%40gmail.com.


[qubes-users] Expose loop devices

2020-02-27 Thread Stuart Perkins
I use a "disk image" on more than one appvm (not at the same time of
course) and mounting as a loop device in dom0 then qvm-block attach to the
target vm works ... most of the time. I normally get an error concerning
qubes not exposing the device until I perform a "cd" command.

It is a poor implementation of a security intent.  This is how I
circumvent...

Open dom0 terminal.
Execute script to loop mount disk image (losetup) and attach to vm via
qvm-block.
Get error device not "exposed"

Unmount loop device.
Issue "cd" command...stay in home dir...change nothing.
Loop mount image.
Qvm-block attach...
Success.

This is repeatable. Is there a way to turn off that "feature"?

I can avoid it by issuing the "cd" command first.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAArVCJWqNYMY6HFSBBeC4faJfrgc74HzE-Y%2BJyaQtS9Dz4MP9g%40mail.gmail.com.


[qubes-users] Wifi won't connect

2020-02-21 Thread Stuart Perkins
I finally got my replacement laptop.

This is a Lenovo T420, with coreboot BIOS.

It came from my supplier with Qubes 4.0 installed.

It all works well on wired internet or unsecured wifi, but my main router is 
WPA secured and it won't get a DHCP response.  The main router is the one 
running dhcp, so it is the same dhcp server I get when connected to my 
unsecured extension. (I live miles from anyone and the unsecured router is 
inside a metal skinned RV I use for office, so don't gripe at me about having 
it wide open.  It won't work outside the RV).

Anyway, I bring the machine into the house and try and connect to the secured 
wifi router and it never gets an address.

What am I missing?

Stuart

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200221211612.01d2de14%40gmail.com.


Re: [qubes-users] Cant connect hard drive to appvms?

2019-09-04 Thread Stuart Perkins



On Wed, 4 Sep 2019 20:12:26 -0400
Stumpy  wrote:

>I have a hard drive that i can't seem to connect to any of the appvms yet 
>I can see and access it via dom0 (not good i know).
>I can attach a usb flash drive to my appvms but not the hard drive?
>
>This is on my laptop and i do not have a sys-usb (didn't give me the 
>option when installing qubes (v4.0.2) but if i can connect a flash then 
>i can't figure why i can't connect the external hard drive to appvms, esp 
>if i can use/see the drive via dom0?
>
>Thoughts?
>

Without sys-usb, you may need to overtly assign the device the usb controller 
is on to a VM.



Re: [qubes-users] Done with Qubes

2019-08-27 Thread Stuart Perkins
Instream...

On Tue, 27 Aug 2019 11:39:06 -0700 (PDT)
O K  wrote:

>You mean I create a VM with Whonix OS installed (using virtualbox I'm 
>guessing)?  I will have to research that, but yes I do need to use a VM, or 
>multiple VM's.  I'd also like to find a way to use Firejail to sandbox 
>whatever browser I'm using, if that's possible.
>

What I used to do before I found Qubes was snapshot my running VM's...have one 
just for "sandbox" like work.  Whenever I shut them down, I would just revert 
to the snapshot.  This ensures that the programs were not modified...similar to 
a Qubes template.

When a VM prompted for updates, I would revert to snapshot, do updates, take 
new snapshot.  This way the chances of something sneaking in were minimized.  
Not perfect, but almost a model of qubes and templates.  Multiple VM's for 
different tasks as well. When I discovered Qubes it was very familiar already.

Whonix comes in the gateway and browser VM's for VirtualBox too, and I even had 
that running on my home server before I went Qubes.  If you play the same 
snapshot/update game with them you can maintain a reasonable level of security.

For persistent data, use an attached HD image which is NOT part of the 
snapshot, or some NAS serving VM which does nothing else.

Not perfect, but reasonable. 


>On Friday, August 23, 2019 at 6:03:55 PM UTC-4, Jackie wrote:
>>
>> O K: 
>> > Thanks for all the help but I've been trying to figure out how to get 
>> Qubes 
>> > running for months and I've decided it's just a giant waste of my time 
>> > because every time I get one bug fixed, two more show up to take its 
>> > place.  I think it's a brilliant idea but it needs a lot of work and 
>> > streamlining before it's ready for public use.  It's a shame because my 
>> > privacy and anonymity online are a matter of my personal safety and it 
>> > would be nice to have a secure OS.  TAILS is not a fully usable system 
>> > either.  I will have to install Ubuntu.  Good luck, everyone. 
>>
>> Hi, 
>>
>> Qubes definitely has a learning curve, but i think it's worth it (and 
>> i'm definitely no linux expert). 
>>
>> But if you don't want to use qubes, one thing you can do for better 
>> security and privacy is install debian/ubuntu and use non-qubes whonix 
>> (you can use virtualbox, which is pretty easy to use). You can have 
>> multiple whonix workstations, and you can create other VMs like debian 
>> as well to compartmentalize your workflows. A solution like this is more 
>> insecure than qubes, but definitely less insecure than just using bare 
>> metal debian/ubuntu for everything. You still get the benefits of 
>> virtualization and compartmentalization, but without the extra security 
>> features of qubes (i'd recommend not using the host os for anything 
>> directly, and doing everything in VMs). 
>>
>



[qubes-users] Re: Got new hardware coming

2019-08-19 Thread Stuart Perkins
Well, a snag.  Evidently the newer kernel is not respecting the power 
management instructions on the boot params, and keeps wanting to lockup.  The 
guy building it for me is working on a work around.  If we can't get coreboot 
to work I may be stuck with an earlier model such as a T420 as my next box.  I 
was really wanting the 32gb ram capacity of the W520...

I consider the qubes model most secure without any blobs or (aka) the hardware 
vendor bios.  I may have to keep a blob for the video in order to get the 
W520 working...  

We really need a target built system for coreboot/qubes for the best security.  
It needs to require ZERO blobs for most security.

I'll keep you posted with the results.

Stuart

On Tue, 13 Aug 2019 18:42:41 -0500
Stuart Perkins  wrote:

>I have commissioned the creation of a coreboot Lenovo W520.
>
>It is already running Qubes 4.x, but I will likely do a reinstall just for the 
>experience and to put it together with my GUI of choice etc...
>
>I will have a 240+GB SSD for the main OS and certain VM's.
>
>I will move my 2TB hdd over and set it up for the data areas which are just 
>plain too big for the SSD, much like I have my current setup.
>
>It has the Nvidia graphics which loses the ability to run the VGA port without 
>a blob I don't want to include in it, so external monitors will have to be USB 
>driven.
>
>It will be equipped with 16GB of RAM as well initially, then I will up it to 
>24 in order to save 8 for this machine, which I will commission as a backup 
>server for my home network (not running qubes, but it is still core 
>booted...and I will be running Debian with VirtualBox VM's for various 
>things...like I did before Qubes and like I do now of my current home "server".
>
>I will finally get off of Qubes 3.2...  ;)
>
>I have not been actually reading the 4.0 messages here, but I have been 
>downloading them and will read through them for any issues I have before 
>bugging folks here...other than an up front question:
>
>Are there any known issues with a corebooted W520 and Qubes 4.x?
>
>Stuart
>
>




[qubes-users] Got new hardware coming

2019-08-13 Thread Stuart Perkins
I have commissioned the creation of a coreboot Lenovo W520.

It is already running Qubes 4.x, but I will likely do a reinstall just for the 
experience and to put it together with my GUI of choice etc...

I will have a 240+GB SSD for the main OS and certain VM's.

I will move my 2TB hdd over and set it up for the data areas which are just 
plain too big for the SSD, much like I have my current setup.

It has the Nvidia graphics which loses the ability to run the VGA port without 
a blob I don't want to include in it, so external monitors will have to be USB 
driven.

It will be equipped with 16GB of RAM as well initially, then I will up it to 24 
in order to save 8 for this machine, which I will commission as a backup server 
for my home network (not running qubes, but it is still core booted...and I 
will be running Debian with VirtualBox VM's for various things...like I did 
before Qubes and like I do now of my current home "server".

I will finally get off of Qubes 3.2...  ;)

I have not been actually reading the 4.0 messages here, but I have been 
downloading them and will read through them for any issues I have before 
bugging folks here...other than an up front question:

Are there any known issues with a corebooted W520 and Qubes 4.x?

Stuart




Re: [qubes-users] Is it possible to still download the last 3.2 templates?

2019-04-30 Thread Stuart Perkins



On Tue, 30 Apr 2019 01:28:06 +0100
unman  wrote:

>On Mon, Apr 29, 2019 at 08:40:16AM -0500, Stuart Perkins wrote:
>> I'm still stuck on 3.2 and need to redo my debian template.  Is there a 
>> place where the last 3.2 template can be downloaded?
>> 
>> Stuart  
>
>Of course.
>You should  be able to simply reinstall using dnf.
>If that doesn't work then you can download at:
>https://yum.qubes-os.org/r3.2/templates-itl/rpm
>Check the signature (rpm -K) and then transfer in to dom0.
>

Ok, that kinda worked.

Installed a directory under /var/lib/qubes/vm-templates, but the root.img is in 
three parts and the private.img is missing.  Can't add the template to the 
manager.

What exactly is the private.img for in a template anyway?  



Re: [qubes-users] Is it possible to still download the last 3.2 templates?

2019-04-30 Thread Stuart Perkins



On Tue, 30 Apr 2019 01:28:06 +0100
unman  wrote:

>On Mon, Apr 29, 2019 at 08:40:16AM -0500, Stuart Perkins wrote:
>> I'm still stuck on 3.2 and need to redo my debian template.  Is there a 
>> place where the last 3.2 template can be downloaded?
>> 
>> Stuart  
>
>Of course.
>You should  be able to simply reinstall using dnf.
>If that doesn't work then you can download at:
>https://yum.qubes-os.org/r3.2/templates-itl/rpm
>Check the signature (rpm -K) and then transfer in to dom0.
>

Thanks unman.  Hopefully it won't be very long before I can get something with 
working USB so I can use an external drive to back stuff up from my important 
templates and install 4.0...



[qubes-users] Is it possible to still download the last 3.2 templates?

2019-04-29 Thread Stuart Perkins
I'm still stuck on 3.2 and need to redo my debian template.  Is there a place 
where the last 3.2 template can be downloaded?

Stuart



Re: [qubes-users] Help with hardware

2019-04-27 Thread Stuart Perkins
Many thinkpad models are on the compatible list.  I use a T520 which has been 
further secured by coreboot.

disclaimer:...  I'm still running 3.2 as I have not had the opportunity to 
upgrade.  My USB ports on this motherboard are not working, and I want to get a 
fully functional one setup before I install 4...



On Sat, 27 Apr 2019 09:08:35 +
"'mathab' via qubes-users"  wrote:

>Hello,
>I would like to install qubes os but I am having trouble with hardware. My 
>current desktop setup is:
>ryzen 5 2600
>gtx 970
>TUF B450M-PLUS GAMING
>8GB RAM
>but it seems like i have trouble with these technologies: HAP/SLAT/EPT/RVI
>What changes would I need to make for it to work?
>Also I am considering buying a laptop is there any laptop that is under 300 
>euro (can be used) that will run this os?
>Where I live there is a lot of used thinkpads.
>
>Thanks for reading this and I hope you will help me out.
>



Re: [qubes-users] Qubes - Critique (long)

2019-03-18 Thread Stuart Perkins



On Fri, 15 Mar 2019 21:31:02 -0500
John Goold  wrote:

>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>*A Critique of Qubes*
>
>Before discussing Qubes, I want to give you a bit of background about
>me. I do not want to tell my life-story, I doubt anyone is interested.
>However, I want you to know "where I am coming from" and what I want
>from Qubes. I am keeping in mind that what I want is just that and
>Qubes may not be intended to satisfy, or interest in satisfying my
>wants and needs -- that is, I may simply be part of the wrong
>demographic.
>
>* Retired roughly 2 decades
>* 73 years old
>* Degree in Computer Science
>* Started out programming mainframes in Assembly Language (machine
>  code)
>* Later, large-scale software development (various roles) -- R & D,
>  telecoms and mission-critical apps (those involved in health-care are
>  regulated)
>* Proprietary H/W and OSes, then various Unixes.
>
>I am not paranoid over privacy and security, but I recognize there are
>many individuals who, rightfully, fear for their privacy and anonymity
>- -- their livelihood and even their lives may depend on it.
>
>Wants:
>
>* Reliability -- do not fail on me or, if something goes wrong, fail
>  gracefully.
>* Reasonable security -- more than is provided by the more standard
>  Linux distributions (I am a fan of Linux Mint).
>* Reasonable privacy (I hope that is not an oxymoron); though perhaps
>  it is too late in the game for me (though I have never been a fan of
>  social media, or anything Google)
>* No need to spend large amounts of time tinkering with my basic
>  personal computer setup.
>* Ease of use and administration, including software installation.
>* GUI for virtually everything unless there is a really, really, really
>  good reason to use a CLI. Do not get me wrong, I am comfortable with
>  CLI's, but I do not want to spend my time researching various Linux
>  administration tools. Consider me lazy if you wish.
>* No need to build my own tools to use Qubes (I do some website and
>  server- side development to keep the neurons firing -- I can do all
>  the programming I want in that environment).
>
>Basically, my personal computer(s) is a tool. If I write some software
>on it, that software will be for some other purpose and not to
>complement the OS.
>
>- -
>
>Critique:
>
>I started using Qubes for my main computer about two months ago. I had
>previously experimented with release 3.2 and 4.0 on my HP laptop and
>ran into various problems -- discussed by many users ad nauseam in
>qubes-users. I got a nice little desktop computer for Christmas (from
>my wife :-) -- an Intel NUC7i7 (32 GB RAM, 512 GB SSD).
>
>So I started from the beginning. Installing Qubes 4.0.1 was relatively
>straightforward, although it did require researching the use of a USB
>mouse and keyboard.
>
>Basic configuration was no worse than any Linux distribution I have
>played with. Software installation was not as straightforward. I was
>forced into using the CLI (I do have two proprietary programs: VueScan
>and Bcompare). Installing other software can be problematic. I
>installed Chromium. The install appeared successful. I was able to add
>Chromium to an appVM. When I started the appVM and launched Chromium
>from the menu... nothing! No window, no error message. I tried a number
>of times (the reason for just re-trying will be mentioned below).
>
>Issues...
>
>* When launching a program from the Qubes menu, particularly if the
>  target   appVM has to be started, the program often fails to be
>  launched. This happens very frequently with the Text Editor.
>
>  This is annoying as one waits a bit in case one is simply being
>  impatient, or at least I do, so as not to launch two copies of the
>  program by accident.
>
>* When a USB device is attached to an appVM, there is an appropriate
>  notification. When it is detached, there is a notification that the
>  device is being detached, but no notification to indicate that it has
>  been successfully detached  so how long should one wait before
>  unplugging it?
>
>* Ignoring whonix (I do not use it... yet), there are two template VMs
>  in the vanilla Qubes 4.0.1 installation: Fedora and Debian. However,
>  they have not been treated equally, with Debian being the loser. The
>  Qubes documentation indicates that Fedora was favoured for security
>  reasons.
>
>  Since I had been using Linux distributions based, directly or
>  indirectly, on Debian, when I first set up Qubes, I created my appVMs
>  based on Debian. That  was painful as I then had to install a lot of
>  basic software.
>
>  When I re-read the documentation, I realized the security reasons,
>  so I switched all my appVMs (except one!) back to Fedora. It was not
>  painful, but I would rather have spent the time doing something
>  else.
>
>  The kicker came when Firefox stopped playing Flash content in my
>  untrusted appVM, complaining 

Re: [qubes-users] having to Install and run software twice?

2019-03-11 Thread Stuart Perkins



On Fri, 8 Mar 2019 16:31:48 -0600
Daniel Allcock  wrote:

>Hi Stuart,
>
>Just a guess, but perhaps this is it.  I assume you are using
>dnf install in the usual way, not anything exotic.
>
>When you install software in the template, the AppVm doesn't "notice"
>until you restart it.  Furthermore, it won't see the new software
>unless you shut down the template before you restart the appvm.  So
>the procedure is: install software in the template, then shut down
>the template, then restart the appvm.
>
>This can be troublesome if you are in the middle of something and don't
>want to restart the appvm, but need some package. In that case you can
>go ahead and install in the appvm too.  Just understand that the
>installation in the appvm will be wiped out when the appvm is shut
>down.  (Although you won't notice, if it is installed in the template.)
>
>Daniel 
>
>On Fri, 8 Mar 2019 13:40:32 -0600
>Stuart Perkins  wrote:
>
>> On Fri, 8 Mar 2019 09:45:36 -0800 (PST)
>> chris.boscarin...@gmail.com wrote:
>>   
>> >Hi,
>> >Just a quick question. I install software into my template (Fedora,
>> >in this case) but when I try to run it from my "personal" qube, I
>> >must install it again in that qube, as well as run the program once
>> >in the template, then again in the "personal" qube. I don't see
>> >anything in the documentation about having to do this,  so I
>> >wondered if I was doing something incorrectly, or that's the correct
>> >procedure. Thanks. Chris
>> >
>> 
>> Depends on the software installation path.  Some software installs
>> under the user directories, which would NOT be copied from the
>> template to the appvm.
>>   
>

Yes, Daniel.  I was assuming the shutdown/restart sequence.  

When you start an appVM, it refreshes its copy of the software installation.  
Updating the template vm is not really complete until you shut it down after 
doing the updates/installs.  I probably should have specified that.  

If you do the indicated start template/install software/shutdown 
template/shutdown appvm/start appvm and the newly installed software is not 
there, it may be that the installation directory wound up somewhere other than 
the "normal" software path on the Template.  Some software has a habit of doing 
that...such as "tor browser" which installs in your /home/... path.

Normally, to install new software for an appvm..

Start the template used by the appvm.
Install the software in the template for the appvm.
Shutdown the template.
If the appvm is running, shut it down.
Start the appvm to get a "fresh copy" of the installed software from the 
template.

Then you should be able to run the new software in the appvm.

Stuart



Re: [qubes-users] having to Install and run software twice?

2019-03-08 Thread Stuart Perkins



On Fri, 8 Mar 2019 09:45:36 -0800 (PST)
chris.boscarin...@gmail.com wrote:

>Hi,
>Just a quick question. I install software into my template (Fedora, in this 
>case) but when I try to run it from my "personal" qube, I must install it 
>again in that qube, as well as run the program once in the template, then 
>again in the "personal" qube.
>I don't see anything in the documentation about having to do this,  so I 
>wondered if I was doing something incorrectly, or that's the correct procedure.
>Thanks.
>Chris
>

Depends on the software installation path.  Some software installs under the 
user directories, which would NOT be copied from the template to the appvm.



Re: [qubes-users] Best practices?

2019-02-26 Thread Stuart Perkins



On Tue, 26 Feb 2019 03:59:18 +
"'awokd' via qubes-users"  wrote:

>dexinthec...@gmail.com:
>> Just recently installed Qubes being new to Linux altogether I haven’t quite 
>> developed my own best practices and the documentation online has a pretty 
>> steep learning curve. Anyway I was wondering what do you guys usually 
>> perform after a clean install. What do you do on a weekly basis, monthly, 
>> annually etc? How do you optimize Qube OS or is it already pretty optimized?
>>   
>I set up a trim cron job per https://www.qubes-os.org/doc/disk-trim/ and 
>set issue_discards = 1 in /etc/lvm/lvm.conf. Thought I also set up 
>something to delete all logs older than a month but either I forgot to 
>or it doesn't seem to be working.
>

Starting your Linux life with Qubes is a bit like starting your political 
career by running for President, or starting your mountain climbing hobby at 
Everest.  Much of what you do with Qubes is no different than straight up 
Linux, but there is a lot more to it as well.  If you have previous 
virtualization experience, it is a plus.  VMWare is where I started back in 
VMWare Workstation 4 days.  I was a paying customer of theirs from versions 4 
through 6 before jumping over to VirtualBox.  Qubes with its Xen based 
virtualization was a logical next step for me...as I was already planning on 
moving over to Xen.

What I do as a matter of course with my Qubes box is create ONE clone of each 
template...Fedora and Debian are the ones I use...and proceed on my merry way.  
I do the updates on the templates, and if there is a TON of updates...not just 
a browser like Chrome, Vivaldi, Chromium, Firefox...I back out of the update 
without doing it, delete the old clone of the template (space is a bit tight) 
and make a fresh clone of the working template.  If the updated template causes 
trouble, I shut down everything but dom0, change all of the VM's using the 
borked template to use the last clone, delete the borked template, clone the 
clone back to the original name then change all the VM's to use the original 
name again.  A small PITA but it pretty much guarantees that I am workable in 
the event of a borked update...which unfortunately does happen from time to 
time.

I use qvm-clone and qvm-ls and qvm-prefs on the command line in a dom0 terminal 
to make the changes, but they could be done through the gui interface.

I'm still on 3.2 with an install of 4 planned as soon as I get my new 
motherboard received and installed...my usb's are toast on this one.

Stuart
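
The rollback sequence from the message above, as an added example that is not part of the original post: the function reads a NAME|TEMPLATE listing and prints the dom0 commands in the order described, and plans nothing if the fallback clone is missing. It assumes Qubes 4.x command syntax (the poster was still on 3.2); the VM names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): print the dom0 commands for the
# template rollback described in the message. Nothing is executed here; the
# plan is meant to be read first and then run by hand or piped to sh.
# Assumption: Qubes 4.x syntax (qvm-prefs VM template NAME, qvm-remove -f).

# Constructed sample in the NAME|TEMPLATE form that
# `qvm-ls --raw-data --fields NAME,TEMPLATE` prints on Qubes 4.x.
SAMPLE_LISTING='debian-10|-
debian-10-clone|-
fedora-32|-
work|debian-10
mail|debian-10
vault|fedora-32'

# Accept only letters, digits, "_", "." and "-" so that a name can never
# smuggle shell syntax into the printed plan.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# rollback_plan BROKEN_TEMPLATE CLONE   (listing on stdin)
rollback_plan() {
    broken=$1
    clone=$2
    if ! valid_name "$broken" || ! valid_name "$clone"; then
        echo "rollback_plan: bad template or clone name" >&2
        return 2
    fi
    listing=$(cat)
    users=
    have_clone=no
    while IFS='|' read -r name tmpl; do
        if [ "$name" = "$clone" ]; then
            have_clone=yes
        fi
        if [ "$tmpl" = "$broken" ]; then
            if ! valid_name "$name"; then
                echo "rollback_plan: refusing odd VM name: $name" >&2
                return 2
            fi
            users="$users $name"
        fi
    done <<EOF
$listing
EOF
    # Removing the broken template with no clone to fall back on cannot be
    # undone, so stop before printing anything.
    if [ "$have_clone" != yes ]; then
        echo "rollback_plan: clone '$clone' not found, nothing planned" >&2
        return 1
    fi
    echo "qvm-shutdown --all --wait"
    for vm in $users; do
        echo "qvm-prefs $vm template $clone"      # point VMs at the good clone
    done
    echo "qvm-remove -f $broken"                  # delete the broken template
    echo "qvm-clone $clone $broken"               # recreate it from the clone
    for vm in $users; do
        echo "qvm-prefs $vm template $broken"     # switch back to the old name
    done
}

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | rollback_plan debian-10 debian-10-clone
```

On a real system the listing would come from `qvm-ls` in a dom0 terminal instead of `SAMPLE_LISTING`.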



Re: [qubes-users] Re: Best ideal laptop for Qubes?

2019-02-24 Thread Stuart Perkins



On Sun, 24 Feb 2019 00:39:56 -0800 (PST)
nosugarmaxta...@gmail.com wrote:

>On Sunday, 24 February 2019 03:44:51 UTC+11, 799  wrote:
>>  schrieb am Sa., 23. Feb. 2019, 14:35:
>> 
>> 
>> Not quite sure why people try use Qubes with laptops. I found far better 
>> performance on desktops. Laptops are the opposite of flexible. PC's you can 
>> upgrade to your hearts content. 
>> 
>> 
>> 
>> Maybe because for 90% a laptop offers enough performance, has much lower 
>> space & power requirement and can be used flexible?
>> And because maybe more people "have to use" computers than they "like to 
>> build" them themselves.
>> Just a guess ;-)
>> 
>> 
>> I was asking the other question:
>> Who is buying those desktop PCs today? 
>> 
>> 
>> - O  
>
>Who are buying desktops? Anyone who is serious about computing. Developers, 
>gamers, businesses, those interested in VR, those interested in security, 
>those interested in a build that can be upgraded to their hearts content. 
>
>Laptops have their purpose. They can provide a mobile computing experience. I 
>use one for work purposes. But, let's be real. That is the only advantage over 
>a desktop (even power usage can be just as low on a desktop if you want it to 
>be). You don't even have to build one yourself for Qubes. You can easily buy a 
>SSF Dell Optiplex off ebay for $200 with a Intel 4770/4790 and 16/32gb of ram. 
>
>I have an i7 laptop from 2011 that can't even run Qubes 4.0 because laptop 
>cpus get shafted in the specs (thankfully they at least get vt'd these days). 
>I have others that have heating problems because there is only so much cooling 
>you can give a laptop, while some of my desktops have 5 14cm fans keeping them 
>cool at 5ghz overclocks.
>
>You say laptops are flexible? But are they? you can't just rip out parts 
>(apart from ram/hdd) like a desktop. And their actual upgrade paths are 
>limited. With my desktop I have parts from multiple build/years. It is just 
>that flexible. 
>
>Also, space requirements? you living in a tent? 
>
>I speak out about this.. because I have 5 laptops sitting around collecting 
>dust. They have limited use because they are laptops. Desktops can always be 
>adapted to another use. One of my older builds became a pfsense router, for 
>example. 
>
>
>

I use an older Dell D630 as a "server" on my home network.  It hosts three 
different VM's under VirtualBox.  One is really old...XP...keeps track of my 
solar electric system.  Two are Linux based...one is a VPN server, and one 
hosts a webpage for my farm.  It runs continuously and is a replacement for the 
prior laptop I had doing the job for almost 10 years of continuous running.  
They can be repurposed quite easily.  Yes, it is a PITA to "upgrade" the 
hardware much...but a usable laptop can be e-bay found for well < $100...and I 
treat them like a cheap disposable appliance.  Why buy a complicated built in 
oven when a counter top toaster oven will do the job?

Everything has a purpose.



Re: [qubes-users] Re: Best ideal laptop for Qubes?

2019-02-24 Thread Stuart Perkins



On Sat, 23 Feb 2019 05:35:20 -0800 (PST)
nosugarmaxta...@gmail.com wrote:

>On Thursday, 21 February 2019 11:49:27 UTC+11, dexint...@gmail.com  wrote:
>> I've been spending hours and hours looking at laptop configs from dell to 
>> lenovo and I still have yet to make a decision. I'm hoping you guys can help 
>> me. 
>> 
>> Uses:
>> 
>> - Programming
>> - Web Dev
>> - Tor
>> - Screen real estate
>> - Regular web surfing and videos
>> - Some video and photo editing but I have a PC for that 
>> 
>> I'd like to keep cost as low as possible but my budget is very flexible if I 
>> need to stretch it. I want something that will last me 3-5 years.  
>
>Not quite sure why people try use Qubes with laptops. I found far better 
>performance on desktops. Laptops are the opposite of flexible. PC's you can 
>upgrade to your hearts content. 
>

My use case on my laptop is this...

I consult in the business world, and have a rather large presence in the e-mail 
world.  I use Qubes because it separates...

1) programs from data with template VM's
2) tasks with discrete VM's based on purpose...e-mail, business records, 
servicing a particular client, password manager, general browsing etc...

Prior to Qubes, I would use snapshot kept VirtualBox vms with a non-snapshot 
kept virtual disk for data and revert to snapshot with each VM shutdown with 
multiple VM's for various purposes.  I would periodically start the VM's, do 
software updates and retake my snapshot...essentially emulating a template 
based VM.

When I found Qubes, I found an entire OS designed around that very concept and 
more...so it was a logical fit to my laptop.  Add a coreboot/ME-disabled system 
and security is manifestly enhanced, which is good for my business.  While I 
don't intentionally keep client data around for long, the fact that I have to 
handle it from time to time makes keeping it separate and secure paramount.  

Stuart



Re: [qubes-users] How to connect to usb tethering of my mobile to sys-net qube

2019-02-21 Thread Stuart Perkins



On Thu, 21 Feb 2019 05:25:52 -0800 (PST)
acharya.sagar.sag...@gmail.com wrote:

>I don't have a sys-usb. If I assign my usbs to sys-usb, then how will the net 
>VM have access to it?
>Also according to Joanna here, networking stacks lie in NetVM
>https://blog.invisiblethings.org/2017/10/03/core3.html
>So I want to move my USB bus of the mobile connection to sys-net. When I tried 
>the command
>
>qvm-pci -a sys-net 08:00.3 
>which is the address of my usb bus, it shows error regarding 'sys-net'
>
>Also,
>Under dom0, when I execute command
>qvm-block
>With tethered usb it doesn't show any device and without tethered usb, it shows
>
>dom0:sr0  File-Stor_Gadget (CDROM)
>which means once I start tethering, the USB connection somehow disappears.
>
>Thanks Stuart
>

If you implement sys-usb, it allows you to assign each device to other app or 
system vm's.  This way you could assign your usb network device to sys-net and 
your storage device to another appVM.  If you need to separate multiple devices 
on the same usb hub, this may be the only way.

Stuart



Re: [qubes-users] Re: backup of files in a qube without networking to an internet service

2019-02-21 Thread Stuart Perkins



On Wed, 20 Feb 2019 15:53:49 -0500
Chris Laprise  wrote:

>On 2/20/19 2:46 PM, Stuart Perkins wrote:
>> 
>> 
>> On Wed, 20 Feb 2019 10:38:15 +
>> lik...@gmx.de wrote:
>>   
>>> On 2/19/19 6:22 PM, Chris Laprise wrote:  
>>>> On 2/19/19 10:41 AM, liked2-mmb7mzph...@public.gmane.org wrote:  
>>>>> Hi,
>>>>>
>>>>> assume there are files stored in a qube without networking. Furthermore 
>>>>> assume there's a secured backup server located in the internet. This 
>>>>> server is only a storage of client-side (before data is sent over the 
>>>>> wire) encrypted files.  What options do you imagine to backup those files 
>>>>> (skip the client-side encryption) to the server?
>>>>>
>>>>> I can imagine the following options:
>>>>> 1. enable temporarily the network with firewall restricted to the server 
>>>>> for  the (previously offline) qube
>>>>>    Advantage: no inter-vm copying of files.
>>>>>   Disadvantage: firewall rules must be setup correctly to avoid to 
>>>>> bypass any other traffic like icmp/dns etc. I can imagine a potential 
>>>>> information leakage due to enabling network access.
>>>>> 2. copy files temporarily to another qube (dvm?) with a firewalled internet 
>>>>> connection
>>>>>   Advantage: files not being backed up can stay secured in the 
>>>>> non-network qube. Leakage of data is reduced in comparison to 1.
>>>>>   Disadvantage: can take time and needs additional disk resources
>>>>>
>>>>> I've learned that you should always find at least 3 options, otherwise 
>>>>> you haven't thought hard enough. Which options am I missing?
>>>>>
>>>>> Which option would you prefer and why?  
>>>>
>>>> Another disadvantage of #1 is that connecting the net to the source qube 
>>>> exposes it to attack.
>>>>
>>>> Had you thought about using qvm-backup? Also, I'm working on a fast 
>>>> incremental backup tool that's suitable for Qubes:
>>>>
>>>> https://github.com/tasket/sparsebak
>>>>  
>>>
>>> I've checked qvm-backup. It's an appropriate solution if you don't care 
>>> about disk space and bandwidth of the network connection. Saving of a 
>>> subset of files due to remote space and bandwidth resources will not work 
>>> well with qvm-backup.
>>>
>>> Also incremental backup is not really possible with qvm-backup.
>>>
>>> Regarding the solution you're working on: If I get it right, it's meant to 
>>> be a disk->disk backup? What I'm looking for is an incremental client-side 
>>> encrypted backup, similar to the tool duplicati. Also a poor man solution 
>>> with git+rsync+veracrypt would be possible.
>>> Can you imagine how sparsebak could be combined with truecrypt? Is there 
>>> compression support?
>>>  
>> 
>> My backup routine is this.
>> 
>> Important files are kept in a LUKS encrypted container on specific appVM's, 
>> mounted when needed.
>> 
>> A similar LUKS encrypted container is maintained on my home network server.  
>> I mount the container on my home server over an ssh connection then use 
>> rsync.
>> 
>> Different appVM's use different paths within the container, so they all 
>> backup to the same home network based container...which is unmounted when 
>> not actively being used.
>> 
>> If I completely lost my current machine setup, it would only take a couple 
>> of hours to setup a new one...and quite some time to rsync all of the 
>> important files, but solid and repeatable.
>> 
>> My encrypted backup contains 30 years of e-mails as well as financial and 
>> client information.  I also keep another backup of the same information on a 
>> completely different physical machine, which while not Qubes can actually 
>> run enough software against the encrypted container to continue with my 
>> necessary day-to-day tasks.
>> 
>> I clone my templates before major upgrades or just if there are questionable 
>> upgrades happening so if there is an issue I can set all of the machines 
>> which use the template to use the backup while I sort it out.  I may not 
>> make a fresh backup of a template if the only upgrades are chrome or vivaldi 
>> or something else non-critical.
>> 
>> It is hard to beat rsync...just work 

Re: [qubes-users] How to connect to usb tethering of my mobile to sys-net qube

2019-02-20 Thread Stuart Perkins



On Wed, 20 Feb 2019 08:35:29 -0800 (PST)
acharya.sagar.sag...@gmail.com wrote:

>I understand that the other VM which have firewall as their NetVM get the 
>network which gets filtered through firewall VM to secure the system. The 
>firewall system in turn receives network from sys-net. I connected my mobile 
>and flipped the switch of USB tethering but am not sure how to configure it.
>
>I'm at the network connection page of sys-net where I need help of how to 
>configure the network.
>
>There's not any material related to qubes USB tethering elsewhere.
>

Qubes passes network activity ultimately through sys-net.  Sys-net is just a 
virtual machine with access to the network devices.  This means that in order 
to use a usb tethered phone as a network device, the sys-net vm must have 
access to the usb device the phone is connected to.  If you have sys-usb 
implemented, it means assigning the device via qvm-usb.  If not, it means 
assigning the usb hub at the qubes manager level...which will make other 
devices on the same hub inaccessible to other VMs.

Stuart
Qubes 3.2 user...



Re: [qubes-users] Re: backup of files in a qube without networking to an internet service

2019-02-20 Thread Stuart Perkins



On Wed, 20 Feb 2019 10:38:15 +
lik...@gmx.de wrote:

>On 2/19/19 6:22 PM, Chris Laprise wrote:
>> On 2/19/19 10:41 AM, liked2-mmb7mzph...@public.gmane.org wrote:  
>>> Hi,
>>>
>>> assume there are files stored in a qube without networking. Furthermore 
>>> assume there's a secured backup server located in the internet. This server 
>>> is only a storage of client-side (before data is sent over the wire) 
>>> encrypted files.  What options do you imagine to backup those files (skip 
>>> the client-side encryption) to the server?
>>>
>>> I can imagine the following options:
>>> 1. enable temporarily the network with firewall restricted to the server for  
>>> the (previously offline) qube
>>>   Advantage: no inter-vm copying of files.
>>>  Disadvantage: firewall rules must be setup correctly to avoid to 
>>> bypass any other traffic like icmp/dns etc. I can imagine a potential 
>>> information leakage due to enabling network access.
>>> 2. copy files temporarily to another qube (dvm?) with a firewalled internet 
>>> connection
>>>  Advantage: files not being backed up can stay secured in the 
>>> non-network qube. Leakage of data is reduced in comparison to 1.
>>>  Disadvantage: can take time and needs additional disk resources
>>>
>>> I've learned that you should always find at least 3 options, otherwise you 
>>> haven't thought hard enough. Which options am I missing?
>>>
>>> Which option would you prefer and why?  
>> 
>> Another disadvantage of #1 is that connecting the net to the source qube 
>> exposes it to attack.
>> 
>> Had you thought about using qvm-backup? Also, I'm working on a fast 
>> incremental backup tool that's suitable for Qubes:
>> 
>> https://github.com/tasket/sparsebak
>>   
>
>I've checked qvm-backup. It's an appropriate solution if you don't care about 
>disk space and bandwidth of the network connection. Saving of a subset of 
>files due to remote space and bandwidth resources will not work well with 
>qvm-backup.
>
>Also incremental backup is not really possible with qvm-backup.
>
>Regarding the solution you're working on: If I get it right, it's meant to be 
>a disk->disk backup? What I'm looking for is an incremental client-side 
>encrypted backup, similar to the tool duplicati. Also a poor man solution with 
>git+rsync+veracrypt would be possible.
>Can you imagine how sparsebak could be combined with truecrypt? Is there 
>compression support?
>

My backup routine is this.  

Important files are kept in a LUKS encrypted container on specific appVM's, 
mounted when needed.  

A similar LUKS encrypted container is maintained on my home network server.  I 
mount the container on my home server over an ssh connection then use rsync.  

Different appVM's use different paths within the container, so they all backup 
to the same home network based container...which is unmounted when not actively 
being used.  

If I completely lost my current machine setup, it would only take a couple of 
hours to setup a new one...and quite some time to rsync all of the important 
files, but solid and repeatable.  

My encrypted backup contains 30 years of e-mails as well as financial and 
client information.  I also keep another backup of the same information on a 
completely different physical machine, which while not Qubes can actually run 
enough software against the encrypted container to continue with my necessary 
day-to-day tasks.  

I clone my templates before major upgrades or just if there are questionable 
upgrades happening so if there is an issue I can set all of the machines which 
use the template to use the backup while I sort it out.  I may not make a fresh 
backup of a template if the only upgrades are chrome or vivaldi or something 
else non-critical.  

It is hard to beat rsync...just work a method which is appropriate for the 
different appVMs as if they were discrete machines...which they are from a 
logical standpoint.

Stuart
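
The routine described in this message, as an added shell example that is not part of the original post: it opens the server-side LUKS container over ssh, rsyncs one appVM's files into that appVM's own path inside it, and always unmounts and closes the container afterwards. The host name, container path, mapper name, mount point and the use of `sudo` on the server are assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Host, paths and mapper name are
# hypothetical placeholders; override them through the environment.
set -u

BACKUP_HOST="${BACKUP_HOST:-backup@homeserver.example}"  # assumed ssh target
CONTAINER="${CONTAINER:-/srv/backup/vault.luks}"         # assumed LUKS container file on the server
MAPPER="${MAPPER:-vaultbak}"                             # assumed dm-crypt mapping name
MOUNTPOINT="${MOUNTPOINT:-/mnt/vaultbak}"                # assumed mount point on the server
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print the commands, 0 = run them

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only plain names, so an appVM name can never climb out of its own
# directory inside the container (no "/", no leading ".", no metacharacters).
valid_vm_name() {
    case "$1" in
        ""|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Each appVM backs up to its own path inside the shared container.
remote_dir() {
    printf '%s/%s/' "$MOUNTPOINT" "$1"
}

# backup_vm <appvm-name> <source-dir>
backup_vm() {
    bk_vm="$1"; bk_src="$2"; bk_rc=0
    if ! valid_vm_name "$bk_vm"; then
        echo "refusing appVM name: $bk_vm" >&2
        return 2
    fi
    # Trailing slash makes rsync copy the directory's contents, not the directory.
    case "$bk_src" in */) ;; *) bk_src="$bk_src/" ;; esac

    # -t gives cryptsetup a terminal, so the passphrase is typed at the prompt.
    run ssh -t "$BACKUP_HOST" sudo cryptsetup open "$CONTAINER" "$MAPPER" || return 1

    if run ssh "$BACKUP_HOST" sudo mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"; then
        run rsync -a -e ssh "$bk_src" "$BACKUP_HOST:$(remote_dir "$bk_vm")" || bk_rc=$?
        run ssh "$BACKUP_HOST" sudo umount "$MOUNTPOINT" || bk_rc=$?
    else
        bk_rc=1
    fi
    # Close the mapping even when mount or rsync failed, so the container is
    # never left unlocked on the server.
    run ssh "$BACKUP_HOST" sudo cryptsetup close "$MAPPER" || bk_rc=$?
    return "$bk_rc"
}

# Stand-alone use: DRY_RUN=0 ./backup.sh work /home/user/Documents
if [ "$#" -ge 2 ]; then
    backup_vm "$1" "$2"
fi
```

Run it once with the default `DRY_RUN=1` from each appVM to review the plan before letting it touch the server.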



Re: [qubes-users] Whonix Yes or No

2019-02-17 Thread Stuart Perkins



On Sun, 17 Feb 2019 22:06:21 +
"'awokd' via qubes-users"  wrote:

>jrsmi...@gmail.com wrote on 2/17/19 9:49 PM:
>> Reading through the post questioning the trustworthiness of Whonix, I can't 
>> tell whether we can continue trusting/using Whonix or not.  Can someone 
>> (preferably in a position to speak for QubesOS), please state, in a 
>> straightforward and unambiguous manner, spell this out for us?
>>   
>
>I don't speak for QubesOS, but yes, Whonix is as trustworthy as any 
>other open source project. I see no reason to discontinue use. Patrick's 
>and Xaver's replies already covered anything I'd add. No point jumping 
>at shadows painted by someone who has never before posted anything here, 
>or anywhere else as far as I can tell.
>

Agreed.  That said, heed the warning of tor itself. No guarantee of "strong 
anonymity".  If it can be transmitted over the internet, it can be hacked.  



Re: [qubes-users] Is it safe to install Qubes4 on laptop used windows10 before?

2019-02-14 Thread Stuart Perkins



On Thu, 14 Feb 2019 16:12:36 +
unman  wrote:

>On Wed, Feb 13, 2019 at 08:55:01PM +, zxcvw...@scryptmail.com wrote:
>> Hello All, I have a laptop from family that is rarely used, but with 
>> windows10 installed on it, arguably the most infamous windows version. If I 
>> install Qubes4.0 on this laptop, would qubes completely wipe windows10 away?  
>> Since some hardware's ID numbers are registered with microsoft in update 
>> process, and maybe even UUID, would microsoft still be able to track this 
>> laptop when it's online? Second option, is to take off the harddrive with 
>> windows10 and change to a completely new one purely for qubes. with the 
>> concern above still there-the hard ware records---can microsoft track THIS 
>> laptop when it's online? * by installed with windows 10 ---I mean it pressed 
>> the agree button on microsoft agreement when new laptop   switched on, this 
>> stage is offline,  and pressed 'update' button, and fully updated with 
>> microsoft and registered with it, this part is online. Please advise, thank 
>> you
>>   
>
>That's a really good question.
>Certainly MS will have some information about the hardware configuration
>of that laptop. That doesn't mean that MS would be able to track you
>online, but it does raise the issue that IF someone were able to get
>information about the hardware and IF they were able to get information
>from MS THEN they would be able to trace it back to you.
>When you install Qubes there are options to delete existing partitions,
>and if you choose to encrypt Qubes (I seem to recall that) the existing
>partitions will be overwritten, so the old Windows will be gone.
>
>If you are seriously worried about these issues I would recommend
>getting a burner laptop with new drive and look in to the use of
>Whonix-Qubes, or Qubes and Tor. If you are just somewhat concerned then to
>be honest a simple wipe and install of Qubes would be enough.
>
>unman
>

I prefer to go a step farther and use a laptop which can have the bios 
overwritten with coreboot, sans Intel ME.  This limits to laptops of a certain 
age/design, and I currently use a Lenovo T520.  The newest Lenovo laptop which 
ME can be completely removed is the X1 Carbon GEN 1.  After that, the best you 
can do is set the HAP bit...which still relies on some of the "blobs" and the 
early part of the ME.  I have not messed with doing either, and have a "guy" 
who coreboots my bios for me at present.

With the recent revelations about Australia's laws and the maintainers of 
Whonix, I would not trust it to provide anonymity.  Nevertheless, coreboot is a 
good start.



Re: [qubes-users] Re: why mail-list?

2019-02-07 Thread Stuart Perkins



On Thu, 7 Feb 2019 06:31:01 -0800 (PST)
billol...@gmail.com wrote:

>On Wednesday, February 6, 2019 at 11:36:12 AM UTC-5, unman wrote:
>> On Wed, Feb 06, 2019 at 10:15:54AM -0600, John Goold wrote:  
>> > 
>> > On 2/6/19 1:12 AM, 'awokd' via qubes-users wrote:  
>> > > kitchm via Forum:
>> > >   
>> > ...  
>> > >> It is currently illegal by federal law to clear your browser 
>> > >> history.  
>> > > 
>> > > Cite?  
>> > 
>> > What one does with one's browser history, even assuming one's browser
>> > has a browser history, is clearly not governed by law, except perhaps
>> > in countries like China and Russia.
>> 
>> Actually, it may be governed by law in the US, but not in Russia.
>> The  FBI have interpreted Sarbanes-Oxley as creating a
>> felony offence where one deletes browser history where there was
>> reasonable expectation of investigation.
>> It has been used against Matanov, a friend of the Boston bombers, and
>> David Kernell, who hacked Sarah Palin's email.
>> The EFF have highlighted this interpretation of Sarbanes Oxley as
>> egregious, but no doubt the authorities deem it necessary.
>> 
>> Note that it is NOT illegal in the US to clear your browser history:
>> but it may prove a felony offence to do so. In the two cases cited there
>> were reasonable grounds to suppose that a federal investigation would
>> take place.  
>
>It should probably be noted that those 2015 prosecutions were a bit novel, and 
>it has not become common practice.  In fact, the Supreme Court reined it in a 
>little with Yates v US (2015) in which they threw out the conviction of a 
>fisherman who threw away an illegal catch to avoid prosecution.  
>Sarbanes-Oxley was written for corporate stuff, to stop corporations from 
>deleting emails and shredding documents in order to hide a crime that they 
>knew would be, but had not yet been, moved forward for prosecution.  The 
>application of this to conspiracy to commit terrorist acts is not too 
>far-fetched, but its application was novel, and was not tested in appeal as 
>far as I know.  
>
>In terms of private citizens engaging in routine privacy measures, I know of 
>no such prosecution. Sure, an aggressive DA can charge anybody with anything 
>for any reason, and some pay no attention to truth, precedent or law at all.  
>But if someone has a case of someone as a private citizen who routinely cleans 
>up their files, I'd love to see it.
>
>Since Oxley Sarbanes requires the intent to interfere in the investigation of 
>a  criminal act, it would seem to me that a private citizen who routinely 
>cleans house for privacy reasons while not engaged in such acts would have an 
>affirmative defense that continuing to do so does not indicate such specific 
>intent. For instance, as I mentioned, a professional organization I belong to 
>does not archive its mailinglist specifically to avoid people mining archives 
>to look for embarrassing quotes for use in the newspapers and in court.  The 
>intent there is clearly *not* to cover up a crime, but instead to protect 
>privacy.  I'm no lawyer, of course, but I find it hard to generalize the idea 
>that Oxley Sarbanes is that huge of a threat as it currently is enforced.
>
>I'll also point out that if anything were this kind of violation, then the 
>Hillary email stuff would have been ripe for prosecution under this law, and 
>the DoJ clearly said that the presumption is that there isn't criminal intent, 
>at least with respect to that kind of behavior.  I suspect that most 
>prosecutors know this, which means that egregious overapplication of this law 
>will be unlikely, else it will be repealed -- since most Republicans hate the 
>law as it stands and are looking for an excuse to get rid of it.
>

Sarbanes/Oxley certainly has given me and a lot of other consultants...and 
auditors...a lot of work.  :)



Re: [qubes-users] Re: why mail-list?

2019-02-06 Thread Stuart Perkins



On Wed, 6 Feb 2019 12:51:04 -0600
John Goold  wrote:

>
>On 2/6/19 10:36 AM, unman wrote:
>> On Wed, Feb 06, 2019 at 10:15:54AM -0600, John Goold wrote: On
>> 2/6/19 1:12 AM, 'awokd' via qubes-users wrote:  
> kitchm via Forum:
>   
>> ...  
>> It is currently illegal by federal law to clear your
>> browser history.  
> 
> Cite?  
>> 
>> What one does with one's browser history, even assuming one's
>> browser has a browser history, is clearly not governed by law,
>> except perhaps in countries like China and Russia.
>> 
>> Actually, it may be governed by law in the US, but not in Russia. 
>> The  FBI have interpreted Sarbanes-Oxley as creating a felony
>> offence where one deletes browser history where there was 
>> reasonable expectation of investigation. It has been used against
>> Matanov, a friend of the Boston bombers, and David Kernell, who
>> hacked Sarah Palin's email. The EFF have highlighted this
>> interpretation of Sarbanes Oxley as egregious, but no doubt the
>> authorities deem it necessary.
>> 
>> Note that it is NOT illegal in the US to clear your browser
>> history: but it may prove a felony offence to do so. In the two
>> cases cited there were reasonable grounds to suppose that a federal
>> investigation would take place.
>>   
>
>I think it should go without saying that anyone that violates a court
>order issued against them is committing an offense.
>
>Hmmm... So, in the U.S., if you are in a position that there was "a
>reasonable expectation of investigation", any attempt to maintain your
>privacy may be construed (at least by the FBI) to be a felony offence?
> Wow! Egregious seems to be an understatement.
>
>It seems a bit surreal. A person was not expecting to be the target of
>a government/justice system investigation, but someone or some group
>say the person should have expected to be investigated... I can see
>this happening in a non-democratic regime, but it seems unreal in a
>nation professing to be at the forefront of democracy.
>
>Anyway, I do not have to worry about this as I do not allow my browser
>to keep track of my browsing history (unless the browser is doing so
>surreptitiously). So I have no browser history to delete. However, I
>suppose if I became the subject of an investigation, any of my
>attempts (all mild) to maintain my privacy would be interpreted as
>nefarious.
>
>Anyway, as you implied, I was making assumptions based on my
>expectations of living in a democracy.
>
>It's an interesting discussion.

Of course the main reason to lunch the ME in bios (for those with systems the 
right vintage, or at least set the HAP bit) and running Qubes to begin with is 
to make it difficult for prying eyes to see what we do on our computers.  Not 
that we are doing anything "nefarious", but as far as I'm concerned, my 
business is exactly that...my business.  It pays to always use...private 
browsing and/or disposable VM for general internet stuff.  That way you never 
overtly act to "hide" anything, so whether or not you have a reasonable 
expectation of being investigated is a non-starter.



Re: [qubes-users] Re: why mail-list?

2019-02-06 Thread Stuart Perkins



On Tue, 05 Feb 2019 13:34:04 -0500
kitchm via Forum  wrote:

>Some comments based on what has been posted so far:
>...
> It is currently illegal by
>federal law to clear your browser history.
>...

Illegal for who?  Perhaps a Federal employee...on a work computer.





Re: [qubes-users] Suggestion about an UI detail

2019-02-05 Thread Stuart Perkins


On Tue, 5 Feb 2019 16:19:47 +0100
Nicklas Avén  wrote:

>On 2/5/19 3:08 PM, Mike Keehan wrote:
>> On Tue, 5 Feb 2019 13:58:17 +0100
>> Nicklas Avén  wrote:
>>  
>>> Hi
>>>
>>>
>>> I am a new happy Qubes user. Getting almost everything to work on a
>>> Dell 7530 with xeon 2186 and Nvidia P3200. Qubes 4.01 made things
>>> quite easy :-)
>>>
>>>
>>> I find Qubes very intuitive to work with, but I have a suggestion
>>> that I have no idea if it is easy or hard to do.
>>>
>>> It is just a work flow thought without any knowledge about what would
>>> be affected.
>>>
>>>
>>> When I work in one qube it is a common task to open other programs in
>>> the same qube. If working in a terminal I want Scite for scratching
>>> for instance.
>>>
>>> Then it would be awesome if there was a quick way to get the
>>> application-list from only that Qube. My suggestion is that I could
>>> find the application list for that specific Qube by right clicking
>>> the top of the application. In the menu about maximizing, minimizing
>>> and so on. With that in place I guess it would be possible to also
>>> put a key-combination on that feature. Since that would be a 1
>>> dimensional list it would be easy to navigate just with up and down
>>> arrows.
>>>
>>> Just a thought since I notice, when I am in the middle of a thought
>>> in some work, it rips away the focus to think about what Qube I am
>>> in, searching the start menu for the right qube and then searching
>>> the application list for the right application.
>>>
>>> I use Qubes primary to separate different customers when I work as a
>>> consultant. Never mixing data from different jobs gives confidence.
>>>
>>> BTW, I became a monthly supporter from today, worth every penny.
>>> Thanks a lot for Qubes OS
>>>
>>>
>>> ATB
>>>
>>>
>>> Nicklas Avén
>>>
>>>  
>> Hi Nicklas,
>>
>> I use a number of xfce Launchers on the taskbar to achieve something
>> similar.  Each of the launchers is for a separate qube, and has only
>> as many individual program entries as I want shortcuts for in that
>> qube.
>>
>> This was described in this list some time ago, but I can't remember
>> who it was unfortunately, nor find the original email.  I think it was
>> in reply to a question about how to organise workflow, or maybe was
>> it possible to edit the main menu.  Anyway, kudos to the guy who
>> described it - it's worked brilliantly for me ever since.
>>
>> Mike.
>>  
>
>Hi Mike
>
>
>Thanks a lot. I will try to find out.
>
>
>/Nicklas
>

I don't believe I wrote anything about it, but I do that myself.  

I begin by dragging a single item from the menu to the top panel to create a 
shortcut there.  I then right click on the shortcut and use properties to add 
other items.  

I rearrange the shortcuts in one so that something innocuous like "x-term" is 
first, and the drop down arrow leads to the other frequently used items.  

I only have keePass2 on "vault" so it has no drop down or other items, but my 
e-mail machine has a few, as does my "money" machine (wouldn't we all like to 
have one of those?  Seriously, I run Gnucash for my business and a dosemu 
execution of an old check book system I wrote in the 80's for my personal 
records, and this appVM is firewalled to ONLY connect to my home system for 
backup.) and my untrusted appvm (mostly just shortcuts to Chromium, Chrome and 
Firefox).  

I also have another machine I use exclusively to connect via VPN to a 
particular client, and the VPN connection is at the top of it as well as a 
shortcut to a windows program running under wine and a terminal session.  

I also have a shortcut for a dom0:terminal on the panel, but otherwise pretty 
much default settings.  This setup allows me to quickly go to what I want most 
of the time without wading through the whole xfce menu.  

I have attached a screenshot of that area of my desktop so you can see how it 
looks.  It is not very cluttered at all.

Stuart




Re: [qubes-users] Some VMs on an external disk (unavailable at boot)

2019-02-04 Thread Stuart Perkins



On Mon, 4 Feb 2019 21:27:44 +0100
Stefan Schlott  wrote:

>On 2/4/19 5:59 PM, Stuart Perkins wrote:
>
>> I do not know the official stance or method, but I symbolically link from 
>> the standard appVM location to my other drive where I have the larger 
>> appVM's.  Mine is always available so I don't know if Qubes would boot if it 
>> weren't, but it is a thought...obviously the drive would need to be 
>> available to start the appVM's located thereon.   
>
>This is what I did on Qubes 3.2. On Qubes 4.0, I used the new thin pool
>provisioning, so the symlink trick doesn't work anymore...
>
>Stefan.
>
>

Ah, but if the path must be "provisioned" in order to boot qubes itself, that 
sounds like a more difficult way to do it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190204151227.6154deb7%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Some VMs on an external disk (unavailable at boot)

2019-02-04 Thread Stuart Perkins



On Mon, 4 Feb 2019 10:15:28 +0100
Stefan Schlott  wrote:

>Hi,
>
>I'd like to have some VMs on a secondary disk. I successfully followed
>the guidelines from https://www.qubes-os.org/doc/secondary-storage/
>
>Troubles arise when the disk is not available at boot time. I'm working
>on some mount/unmount scripts which adds/removes the storage pools. But
>it seems that this is not enough: Upon reboot (with the pool from the
>secondary disk removed), the qubesd terminates with an exception,
>causing the whole Qubes installation not to boot properly.
>
>First, I added some try-catch in qubes/app.py (line 905) so the qubesd
>starts even if some VMs cause errors. Perhaps this would be a general
>nice behaviour?
>
>After re-adding the pool, all VMs from the secondary disk pointed to the
>primary pool. Manually editing the /var/lib/qubes/qubes.xml fixed the
>issue, so I now have a working system again.
>
>My question: Is there a procedure to properly handle such a second disk
>(unavailable at boot time)?
>
>
>Stefan.
>

I do not know the official stance or method, but I symbolically link from the 
standard appVM location to my other drive where I have the larger appVM's.  
Mine is always available so I don't know if Qubes would boot if it weren't, but 
it is a thought...obviously the drive would need to be available to start the 
appVM's located thereon. 



Re: [qubes-users] Borked template vm

2019-02-02 Thread Stuart Perkins



On Sat, 2 Feb 2019 14:08:27 -0600
Daniel Allcock  wrote:

>Hello all,
>
>I seem to have borked a template vm, to the point that no applications
>will start and I can't even use qvm-run from dom0 to do anything, not
>even touch a file.  There is one directory in 
>the root of the filesystem that contains
>a ton of config info that I would like to recover.  I'd
>appreciate any help.
>
>If I start an app in this vm from the Q menu then
>I get notification that it has started, and the vm does appear in the
>system tray VM management widget, but nothing else seems to happen.
>Halting the vm gives notification
>that the vm is stopping, and then the vm disappears from that widget.
>
>Here is what I have thought of so far. 
>
>(1) I imagine there is a way to mount a template vm's root filesystem, 
>either in dom0 or in another vm.  I couldn't find docs on that.
>
>(2) I made a backup of that vm to another vm, and then used the
>emergency recovery method from
>https://www.qubes-os.org/doc/backup-emergency-restore-v4/
>to produce files containing the borked template's root and private
>filesystems.  Following the instructions there allowed me to mount
>the private filesystem and access its contents.  But the config
>stuff that I want to recover lies in the root filesystem, and I
>was unable to mount it: 
>
>$ sudo mount -o loop vm1/root.img /mnt/img
>mount: /mnt/img: wrong fs type, bad option, bad superblock
>on /dev/loop0, missing codepage or helper program, or other error.
>
>(This works fine with root replaced by private.)  As a further 
>strangeness, the "file" command thinks root.img is dos:
>$ file vm1/root.img 
>vm1/root.img: DOS/MBR boot sector, extended partition table (last)
>
>Adding "-t vfat" to the mount command doesn't change the failure.
>On the other hand, "file" recognizes private.img as an ext4
>filesystem.
>
>Am extremely confused and a bit worried!  Help very much appreciated.
>Daniel
>

If all else fails, use qvm-block -A to attach the drive image to a different vm 
in order to recover information off of it.



Re: [qubes-users] why mail-list?

2019-02-02 Thread Stuart Perkins



On Sat, 02 Feb 2019 14:12:53 +0100
Achim Patzner  wrote:

>On Thursday, 31.01.2019, at 11:10 -0600, Stuart Perkins wrote:
>> Some of us who keep e-mails off line have the additional benefit of having 
>> an archive of all e-mails since joining the list.  
>
>I don't because I immediately erase everything not interesting to me.
>But that's one of the more important aspects of Mail: The simple format
>that makes storage and searching extremely easy.
>
>> I have an archive going back almost 30 years with over 700,000  
>
>Only? I'm obviously still erasing too few. But this is the most
>important part: I still retain ownership of my data not some strange
>"cloud" thing.
>
>
>Achim
>

Yep.  There is no "cloud"...it is just someone else's computer.  Control over 
"my" data is my main reason for such.

My current client has a court order to NEVER delete another e-mail, also from 
about 30 years ago.  My 700,000 is a drop in a bucket compared to what they 
have to retain.  I think theirs are in a database of sorts though, which puts 
them at risk as technology drifts.  Plain text files are plain text files and 
will continue to be plain text files until ...



Re: [qubes-users] Debian Template APT Vulnerability - A ticking bomb?

2019-02-01 Thread Stuart Perkins
I have a couple.  One I use a lot, loaded with disinformation.  Two are even 
less complete, but rarely used.

I lost access to a fourth by accidentally trying to login over tor, and it 
insisted on ID to unlock it...so I just ignore that one now.


On Fri, 1 Feb 2019 22:58:31 +
"'awokd' via qubes-users"  wrote:

>unman wrote on 2/1/19 4:05 PM:
>> On Mon, Jan 28, 2019 at 01:44:37PM +, 'awokd' via qubes-users wrote:  
>>> unman wrote on 1/27/19 5:21 PM:  
>>>> (As an aside I'm always baffled by people querying
>>>> how they can use Facebook under Tor or Whonix. What are they thinking?)
>>>
>>> There are good reasons for it. See
>>> https://www.wired.com/2014/10/facebook-tor-dark-site/ for example. To the
>>> thread's topic, using Debian's onion repositories helps avoid MITM attacks.
>>> Of course, can't protect against compromise of the repositories themselves,
>>> but that's not a problem that can be solved at the communications layer.  
>> 
>> You missed my point because I wasn't clear enough.
>> I know that Facebook is accessible over Tor.
>> But why would anyone concerned with privacy (presumably why they are
>> using Tor or Whonix), want to sup with the devil of Facebook? I don't
>> think any spoon is long enough, not even one passing through 3 hops.
>>   
>
>Understood. I'm picturing a pseudonymous female blogger who wants to 
>organize in a country where they aren't allowed to use the internet. Not 
>sure how compatible that noble goal is with Facebook's real name policy.
>A more trite example would be a normal Facebook user who doesn't 
>necessarily want them and all their 3rd party advertisers to know from 
>what location/IP address he's logging in. However, I've never had the 
>desire to create a Facebook account either!
>



Re: [qubes-users] Re: why mail-list?

2019-01-31 Thread Stuart Perkins



On Thu, 31 Jan 2019 14:52:31 -0500
kitchm  wrote:

>The problem is more fundamental.
>
>In all things, we need to seek more commonality and
>simplicity in our lives.  In computer related issues, I have
>found over the years that people who do not understand how
>things work (thanks to the poor educational systems) simply
>like to add more complexity because they do not know to
>follow industry standards.  The other possibility is that
>some do not want to change to better methodologies because
>of a sad conservative mind-set.
>
>In the case of digital communications, everything is based
>upon voice (telephone), written words (document files and
>e-mail) and the visual (videos and web pages).  When it
>comes to forums, either for discussion and/or for help, the
>interface has traditionally been thru the browser window
>into industry standard forum software, with the e-mail part
>used only for notifications and private messages.
>
>With that said, mailing lists were the old method before
>there was a graphical user interface available.  There is
>little reason for its  use any longer, and quite frankly, I
>cannot think of a good one.
>
>For this day and age, using anything other than standard
>forum software is detrimental to usability and productivity.
> That's just how it is, and there is no reason to go
>backwards in these things.
>
>We do not download forum databases; rather we expect the
>hosts to maintain that for our use.
>

Using software because everyone else is using it sounds very Microsoft to me.



Re: [qubes-users] Re: hcl for qubes 4.0 or 4.0.1 is it good?

2019-01-31 Thread Stuart Perkins



On Thu, 31 Jan 2019 19:12:09 +0100
Zrubi  wrote:

>
>On 1/31/19 3:32 PM, unman wrote:
>> I know many people using Qubes 4 with 12GB and HDD, without
>> issues. SSD is better, but not a must.  
>
>Technically you are right.
>
>In practice, the user experience (HDD vs SSD) is not even comparable.
>The price difference is also not an issue, totally worth it.
>
>I would say: today, a newly built desktop PC without SSD is a bad
>decision. Even if running a conventional OS.
>

Obviously, we are dealing with competing needs here.  The overall need for 
security AND the need for "speed".  Obviously, Qubes is a fairly resource 
intensive approach to security, which is acceptable as far as I'm concerned.

I am still using Qubes 3.2 for now.  I have a mixed machine...Lenovo T520 
(coreboot...ME disabled...one of the last ones where this is easy), 160G SSD 
2TB HDD, 16GB Ram.  It works quite well.  

I'm about to move to Qubes 4...

The SSD is encrypted and boot/main OS/dom0 drive, with the templates on the 
encrypted SSD but with some VM images kept on the HDD due to size.  I have 
almost filled up the HDD, so I'm a bit of a disk hog.

Even though the HDD is not itself encrypted, critical data is kept in encrypted 
containers on the appVM's with the key on a memory card.  Scripts in Dom0 mount 
the block device of the memory card to an appVM, then call a script on the 
appVM to mount the block device and decrypt the container using the key, then 
mount the container locally and unmount the key device.  All I do is remove the 
key card and stop the appVM's (or just unmount the encrypted containers) for 
the first level of "security"...when I'm away from my desk for a while, and 
don't trust the screen lock to be adequate (haha...does anyone trust it, even 
though they finally updated it for XFCE4?).  

A full shutdown then requires a valid decryption phrase just to boot up AND the 
key card to get to the important stuff...plus my machine is rarely out of my 
sight.  

It may seem a bit overkill to some, but since I work with HR data a lot and 
sometimes have local copies of sensitive information (I try not to, but 
sometimes tools on my machine make my work MUCH more efficient than just using 
what my client has available),  

The stories of a stolen laptop compromising PI data (Personal 
Identification...SSN's etc...) abound. I consider this a minimal security 
scheme primarily due to the information I have access to and the 
possibility...no matter how remote...of me being lax at the wrong time and 
someone walking off with my laptop.

I also VPN to my home system where I run an openVPN server whenever I gather 
e-mails via pop access with my local client (especially the gmail ones, since 
gmail likes to block access from unknown ip's...which is a royal pain for a 
road warrior) or do certain other stuff.  I have the VPN setup on my mail appVM 
and on sys-firewall, and can run it for just the e-mails or for everything 
(except tor) as desired.  

I plan to continue with this scheme when I go to Qubes 4, except I may also 
encrypt the HDD...I just need to find enough space to put everything in the 
meantime.  :)

Stuart


Re: [qubes-users] why mail-list?

2019-01-31 Thread Stuart Perkins



On Thu, 31 Jan 2019 18:01:58 +0100 (CET)
19hundreds <19hundr...@tutanota.com> wrote:

>
>I agree at some level with what you are saying however, the current mailing 
>list has a lot of valuable information so I believe it's gonna be hard to see 
>it replaced with something else.
>
>Beside the unofficial resources listed by others, I add 
>https://reddit.com/r/qubes  (it's SO comfortable!)
>

Some of us who keep e-mails off line have the additional benefit of having an 
archive of all e-mails since joining the list.  I can search them for something 
BEFORE asking a new question.  I have done so with this group a few times 
already and not had to bother asking something which was already asked and 
answered.

I use claws-mail to retrieve all of my e-mails (about 27 different e-mail 
accounts...one paid for [legal expectation of privacy] and several 
gmail/hotmail/yahoo) and since claws-mail is configured to store e-mails as 
discrete files, I can search them with grep and other *nix utilities.  I have 
an archive going back almost 30 years with over 700,000 discrete e-mails from 
the many groups I used to belong to, as well as private stuff.  It is far 
easier to just store them than to sort through them for deletion...but they are 
organized by folders/directories to make it easy to ignore the ones not 
pertinent for the time.



Re: getting rid of ME on modern CPUs (Re: [qubes-users] QSB #46: APT update mechanism vulnerability)

2019-01-29 Thread Stuart Perkins
Like I said, we need to reverse engineer.

On Mon, 28 Jan 2019 17:56:17 +
Holger Levsen  wrote:

>On Mon, Jan 28, 2019 at 11:46:55AM -0600, Stuart Perkins wrote:
>> Up to a certain manufacture, you can go to coreboot and lose the ME 
>> entirely.  After that point, setting the HAP bit may be your best option.  
>> We need someone to reverse engineer the ME and implement enough of it in 
>> coreboot to take over so the newer ones will run.  
>
>that's not enough. on modern intel cpus there's boot-guard which will
>prevent booting with coreboot unless it's signed with a secret intel
>key.
>
>



Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Stuart Perkins



On Mon, 28 Jan 2019 16:47:08 +0100 (CET)
 wrote:

>Jan 27, 2019, 5:04 PM by alexandre.belgr...@mailbox.org:
>
>> On Sunday, 27 January 2019 at 16:47 +, unman wrote:
>>  
>>> I'd be interested to know what system has been graced with your
>>> approval.
>>> If you believe all this, then what makes you think that national
>>> intelligence agencies haven't infiltrated *bsd, coreboot and any
>>> other
>>> system you can name. 
>>> imo Qubes does a reasonable job of providing a more secure system
>>> that's usable by ordinary users.
>>>  
>>
>> Simply no x86 system is reasonably secure.
>>  
>>> Spreading unfounded allegations is a disservice to the community.
>>>  
>
>Most of the serious users are very well aware of the IME/AMT vulnerability and 
>are addressing it continuously and publicly. See Joanna Rutkowska and her 
>talks. You are looking for a 100% solution. Big surprise is a 100% solution is 
>not existing and will never be. 
>You can of course use a libre X200 without IME and without real virtualization 
>too, having again to deal with issues of a monolithic system. 
>Tradeoff can be the X230 with more-less disabled IME with proper 
>virtualization.
>
>What do you yourself use?
>
>
>> Qubes is interesting because it is trying to answer security needs and
>> the design is nice. 
>>
>> But think about Intel ME backdoor. Imagine that any officer with a
>> signed certificate of Intel can penetrate dom0 in your computer within
>> seconds and then view your screen, move your mouse and type on your
>> keyboard. This is reality and Qubes cannot change it.
>>  
>Qubes doesn't even claim to change it. You need to address Intel same way as 
>Qubes ppl do and ask them to close the backdoor. 
>
>Are you aware that spreading of the false claims *can be* an intelligence 
>operation to undermine user's support and appreciation of the codes like 
>Debian and Qubes? From leaked materials is known that the US IAs named for 
>example Tails based on Debian as a total apocalypse for intelligence 
>collection for them, if spread. 
>
>Keep in mind, nothing is perfect. But if you have an option for a better set 
>and setting, put it up.
>
>
>
>

Up to a certain manufacture, you can go to coreboot and lose the ME entirely.  
After that point, setting the HAP bit may be your best option.  We need someone 
to reverse engineer the ME and implement enough of it in coreboot to take 
over so the newer ones will run.



Re: [qubes-users] looking for quickest way to copy text from dom0-Terminal to another VM

2019-01-26 Thread Stuart Perkins



On Sat, 26 Jan 2019 01:01:44 +0100
haaber  wrote:

>On 1/25/19 9:04 PM, gone wrote:
>> 1st of all, I have read this:
>> https://www.qubes-os.org/doc/copy-from-dom0/
>>
>> Maybe I just draw a mental blank but I can't find a really
>> quick way to copy text (not files) from dom0-Terminal to
>> another VM (into a post like this for instance). I'm thinking
>> of some easy and logical keyboard shortcuts like the ones
>> that exist for copying text between domUs.
>> When I've marked some arbitrary text lines in the dom0
>> terminal and then use "copy" from the right-click menu, how
>> can I go on most easily?  
>
>I am annoyed by the same thing, but maybe there is a security
>consideration I do not know. So I copy a text with mouse, cat it in a
>txt file and copy-to-vm it away in my mail-vm for example. Don't know if
>there is faster. Bernhard
>

Since dom0 exists to do the sole job of managing the other VM's, one must 
question why the text you wish to insert into another domain is "in" dom0 to 
begin with.  The less you do with dom0 the better.  Everything you do in dom0 
which is NOT simply managing the other domains is a potential security hole.

Stuart - Qubes 3.2 user on a Ghosted Lenovo T520.



Re: [qubes-users] Re: Qube max storage size

2019-01-07 Thread Stuart Perkins



On Sun, 6 Jan 2019 07:41:35 -0800 (PST)
Plex  wrote:

>On Sunday, January 6, 2019 at 3:20:08 PM UTC, Plex wrote:
>> Is there a technical limitation/reason why a qube private max storage size 
>> can only go to 1048576MiB in qube manager? Is this a limitation with the 
>> qube itself or qube manager?
>> 
>> TIA  
>
>I should RTFM
>
>https://www.qubes-os.org/doc/resize-disk-image/
>

but..asking questions introduces the topic to the rest of the mailing list, and 
does indeed serve a purpose.  :)



Re: [qubes-users] qvm-restart

2019-01-05 Thread Stuart Perkins



On Sat, 5 Jan 2019 15:43:25 +0100
haaber  wrote:

>> On 1/5/19 1:13 AM, 799 wrote:  
>>>
>>> The restart-function is available in the right-click menu of a vm in
>>> the Qube Manager. Could this also be provided for the CLI as a
>>> "qvm-restart" command?
>>>
>>> You can easily write a script yourself:
>>>
>>> #!/bin/bash
>>> qvm-shutdown --wait $1 && qvm-start $1
>>>  
>
>This won't work on sys-net, sys-firewall ... for example.  You might 
>want to
>
>1) first find appVMs that use $1 as netvm
>2) set their netvm to "none"
>3) then qvm-shutdown $1
>4) then qvm-start $1
>5) then reset netvm's to back to $1.
>
>steps 3 &4 are clear (see above). Step 1 can be done using Chris' 
>"findpref" command (see https://github.com/tasket/Qubes-scripts ) :
>
>findpref --pref sysnet $1  | cut -f5 -d" "
>
>will output all appVM's that use $1 as sys-net. I am not a real 
>bash-champion, but I'd try
>
> APPVMS=`findpref --pref sysnet $1  | cut -f5 -d" "`
>
>to store the concerned APPVMS in step one in a string. Then I would try
>
>for APPVM in $APPVMS; do  findpref --pref sysnet $APPVM none; done
>
>to do step 2  and
>
>for APPVM in $APPVMS; do  findpref --pref sysnet $APPVM $1; done
>
>to set them back. So all together:
>
>
>#!/bin/bash
>allAPPVMS=`findpref --pref sysnet $1  | cut -f5 -d" "`
>for eachAPPVM in $allAPPVMS; do  findpref --pref  sysnet  $eachAPPVM none; done
>qvm-shutdown --wait $1 && qvm-start $1
>for eachAPPVM in $allAPPVMS; do  findpref --pref sysnet $eachAPPVM $1; done
>
>
>I did not test this, so please re-read the findpref usage first!  Is 
>there some improvement by the community ??   Bernhard
>

I have created several scripts in dom0 for my Qubes 3.2 machine.  I have one 
which stops "most" of the running VM's in order to shut everything down BUT 
dom0.  This is to allow me to leave my machine running without it doing 
unnecessary processing as I have motherboard issues which prevent a reliable 
reboot for now.  I have a motherboard on the way and will be doing the surgery 
to replace it then...

Anyway, the stopmost.sh script uses qvm-ls with some sed and grep commands to 
first issue qvm-shutdown for all running appVMs.

It polls the qvm-ls for running appVMs and when it finds they have all stopped, 
it then does the system VM's in order.  It uses one called stopvm.sh which 
detects if the specified VM is running, and if so issues qvm-shutdown for it 
then polls every few seconds until it is "Halted", then it exits.  This allows 
the stopmost.sh script to do...

stopvm.sh sys-whonix
stopvm.sh sys-firewall
stopvm.sh sys-net

without issues, as each stop waits to complete before the next one tries.  If a 
vm is NOT running, it merely echoes that it is Halted and goes on.  I don't 
bother error checking to ensure that a valid VM name is given, but I'm the only 
one using it...

It would be an easy thing to do a "restart" for me by calling the stopvm.sh 
first then issuing qvm-start on the target. 

The stopvm.sh script is...

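#!/bin/bash
# stopvm.sh: shut down one VM and wait until qvm-ls reports it as Halted.
TARGET=${1}
# No VM name given: nothing to do.
if [ -z "${TARGET}" ]
then exit
fi
# The VM name is column 1 and its state is column 3 of the qvm-ls table.
STATUS=`qvm-ls|awk -F\| '{print $1 " " $3}'|grep -i -- "${TARGET}"|head -1|awk '{print $2 }'`
echo ${TARGET} is ${STATUS}
# Quoted so that an empty status (no matching VM) exits here instead of erroring.
if [ "${STATUS}" != Running ]
then exit
fi
qvm-shutdown "${TARGET}"
# Poll every 5 seconds until the VM is down.
while [ "${STATUS}" != Halted ]
do
    sleep 5
    STATUS=`qvm-ls|awk -F\| '{print $1 " " $3}'|grep -i -- "${TARGET}"|head -1|awk '{print $2 }'`
    echo ${TARGET} is ${STATUS}
done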
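
The restart sequence discussed in this thread (detach the qubes that use a netvm, shut it down with --wait, start it, reattach them), as an added example that is not code from any poster or from the Qubes project: it only prints the dom0 commands for review, and it matches qube names exactly rather than by substring. It assumes the Qubes 4.x pipe-separated output of `qvm-ls --raw-data --fields NAME,STATE,NETVM` and `qvm-prefs VM netvm ''` for "no netvm"; the function names are hypothetical and the listing is constructed sample data.

```shell
#!/bin/bash
# Added example: print (not run) the dom0 commands that restart a netvm.
# Assumes Qubes 4.x tool syntax; function names are hypothetical.

# Constructed sample of `qvm-ls --raw-data --fields NAME,STATE,NETVM` output:
# one qube per line, "|"-separated, "-" meaning no netvm.
SAMPLE_LISTING='dom0|Running|-
sys-net|Running|-
sys-net-usb|Halted|-
sys-firewall|Running|sys-net
work|Running|sys-firewall
mail|Running|sys-firewall
vault|Halted|-
untrusted|Halted|sys-firewall'

# Accept only names made of a leading letter plus letters, digits, "_" or "-",
# so nothing passed as an argument can smuggle shell syntax into the plan.
valid_name() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# vm_state NAME: state of the qube whose name equals NAME exactly (listing on
# stdin). "sys-net" therefore never picks up the "sys-net-usb" row.
vm_state() {
    awk -F'|' -v vm="$1" '$1 == vm { print $2; found = 1 } END { exit !found }'
}

# clients_of NETVM: well-formed names of qubes that are not Halted and whose
# NETVM column equals NETVM exactly (listing on stdin).
clients_of() {
    awk -F'|' -v nv="$1" \
        '$3 == nv && $2 != "Halted" && $1 ~ /^[A-Za-z][A-Za-z0-9_-]*$/ { print $1 }'
}

# plan_restart NETVM: read a listing on stdin and print the restart sequence.
# Exit status: 0 plan printed, 2 bad name, 3 qube not in the listing.
plan_restart() {
    local netvm="$1" listing state clients c
    valid_name "$netvm" || { echo "invalid qube name" >&2; return 2; }
    listing=$(cat)
    state=$(printf '%s\n' "$listing" | vm_state "$netvm") || {
        echo "unknown qube: $netvm" >&2; return 3; }
    if [ "$state" = Halted ]; then
        echo "qvm-start $netvm"      # nothing to detach or shut down
        return 0
    fi
    clients=$(printf '%s\n' "$listing" | clients_of "$netvm")
    for c in $clients; do echo "qvm-prefs $c netvm ''"; done      # detach
    echo "qvm-shutdown --wait $netvm"
    echo "qvm-start $netvm"
    for c in $clients; do echo "qvm-prefs $c netvm $netvm"; done  # reattach
}

# Usage in dom0 (review the output before running any of it):
#   qvm-ls --raw-data --fields NAME,STATE,NETVM | plan_restart sys-firewall
```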



Re: [qubes-users] Re: fed29 templates/upgrade

2019-01-05 Thread Stuart Perkins



On Fri, 4 Jan 2019 21:00:56 -0600
Andrew David Wong  wrote:

>
>On 1/4/19 1:13 PM, John S.Recdep wrote:
>> On 1/4/19 1:37 AM, Andrew David Wong wrote:  
>>> On 1/3/19 11:31 PM, John S.Recdep wrote:  
>>>> On 1/3/19 2:51 PM,
>>>> 22rip-2xk3N/kkaK1Wk0Htik3J/w...@public.gmane.org wrote:
>>>>> Thanks 799...I learned something!
>>>>>
>>>>> Similar to 799 but less hardcore...I always download a fresh
>>>>> template(vs upgrade). In my case I ran with a full/fresh
>>>>> Fedora-29 after the Fedora-28 hplip issues, and added any
>>>>> new software from fresh:
>>>>>
>>>>> https://www.qubes-os.org/doc/templates/
>>>>>
>>> 
>>>   
>>>> hmm, ok let's say I just use the new fresh 29 template, is
>>>> there some way that I can know what non-stock software I
>>>> installed on my Fedora-28 template, as I can't remember all
>>>> that I may have installed
>>> 
>>> 
>>> This is more of a Fedora question than a Qubes question. As far
>>> as I know, there isn't a clean way to do this. Following Marek's
>>> advice from years ago, I just keep a list of the packages that I
>>> install in each of my templates.
>>> 
>>>   
>>>> So, no advice on upgrading from my 28 template at this time? I
>>>> find it strange that the template is in the dom0 updates
>>>> available, but I see no notice  in the news section on qubes
>>>> website nor here ..
>>> 
>>> 
>>> See:
>>> 
>>> https://github.com/QubesOS/qubes-issues/issues/4223
>>> 
>>> and
>>> 
>>> https://github.com/QubesOS/qubes-doc/pull/739  
>> 
>> So, Andrew does this mean that although the Fedora-29 Template is 
>> available via sudo qubes-dom0-update  that it still has issues and
>> hence it is not officially advisable to use it ? ( whether via
>> 'fresh' d/l nor 'upgrades' ? )
>> 
>> Forgive me, am just a layman, not sure what I would expect to
>> interpret from the github links (perhaps the fact that there are
>> any issues provides the answer?)
>> 
>> My repos are just the default qubes 4.0+ versions
>>   
>
>Well, you said you found it strange that there was no documentation or
>announcement for the Fedora 29 template. These links show why: the
>documentation is still being worked on, and the necessary steps prior to
>the announcement have not yet been completed. (In fact, at the time of
>this writing, the issue still indicates that the template has not yet
>migrated to the stable repo, which appears to be false.)
>
>In order to avoid this sort of confusion in the future, perhaps we
>should refrain from migrating new templates to the stable repo until
>documentation and an announcement are ready to be published, then do
>it all simultaneously. What do you think, Marek?
>
>- -- 
>Andrew David Wong (Axon)
>Community Manager, Qubes OS
>https://www.qubes-os.org
>
>

No job is complete until the paperwork is done..  :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190105054047.703c3184%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] old version of xscreensaver

2019-01-04 Thread Stuart Perkins



On Fri, 4 Jan 2019 09:24:50 +0100
haaber  wrote:

>> On 01/03/2019 06:03 PM, Frédéric Pierret wrote:  
>>> We built the upstream package of xscreensaver in current-testing for
>>> both Qubes 3.2 and 4.0.
>>>
>>> Welcome back to XFCE Chris :D !  
>> 
>> LOL, seriously?
>> 
>> The XFCE deficits are too numerous, unfortunately.
>>   
>Dear Chris, for less advanced users it might be helpful to have a 
>non-dogmatic discussion on advantages and disadvantages of both sides. I 
>guess that XFCE has speed on its side, for example. Visual aspects seems 
>on the KDE side (at least for me). I invite you to give us a deeper 
>comparison...  best, Bernhard
>

GUI of choice is a very personal thing.  I am more pragmatic and don't like 
"dancing" icons and starting all of my application names with K...or G for that 
matter...but to each his own.  I am "slightly" impaired visually, and the 
simpler and more clean a GUI, the better for me.  I have to spend many hours in 
front of a screen each day.  

There is a tad more manual effort to get XFCE 'just right', but I like the 
visually simple appearance and would rather devote my computing power to 
function than what I consider fluff.  Now historically I have used older, less 
powerful machinery.  In fact, my Qubes machine is having motherboard issues 
with the power management circuitry and won't boot reliably so I'm actually 
using an old Dell D620 32 bit machine for now...which used to be my wife's 
Windows 7 computer.  The screen is a tad flaky which is why she quit using it, 
but it is at least functional and boots when I ask.  I have a replacement 
motherboard on the way and will be doing the surgery on my T520 once I get it.  
I'm not really a hardware guy, so it will be a learning experience to be sure.  
Even with the additional power of a 2.5Ghz four core processor, I still prefer 
to save the power for actual work.  

Stuart



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread Stuart Perkins



On Thu, 3 Jan 2019 19:24:31 +0100
799  wrote:

>Hello Stuart,
>
>On Thu, 3 Jan 2019 at 15:36, Stuart Perkins 
>wrote:
>
>> [...]
>> have an appVM which I use to connect via openconnect to a client's Cisco
>> VPN.  I installed the openconnect connection in that specific
>> appVM...program in the general template, but connection configuration only
>> in that appVM.
>> [...]
>>
>
>very interesting...
>... working within IT I also have the same need to connect to our office
>from outside and also to certain customers (who are also using Cisco gear)
>I have been able to install Cisco AnyConnect in a fedora-28-work template
>and have created AppVMs from it, which I use to connect via Cisco
>Anyconnect.
>Unfortunately I have been unable to create something like a Proxy VM.
>Do you mind sharing your setup how you're using OpenConnect to connect to
>Cisco VPNs?
>
>- O.

I execute open connect with a command of the form...

sudo /usr/sbin/openconnect "client's vpn server domain...'xx.yyy.com'" --config ~/Client.conf

The only thing in the Client.conf file is authgroup and user, authgroup being 
the AD domain and user being my login network id.  

authgroup=DOMAIN-name
user=user-AD-id

I give my AD password when prompted and the shell stays active running the 
connection.  This allows me to connect where I used to have to use the Cisco 
VPN client under windows.  I close the connection with "ctrl-c" in the terminal 
window.  I've done this for years.



Re: [qubes-users] Help setting up a expressvpn proxy VM

2019-01-03 Thread Stuart Perkins
On Wed, 2 Jan 2019 22:28:25 +0100
799  wrote:

>Hello,
>
>I'm trying to setup ExpressVPN with Qubes.
>In their howto the suggestion is to install the Expressway Client in the
>sys-net VM.
>But I'd like to use an own AppVM so that I am more flexible and I can
>choose that only certain AppVM will use the expressvpn as netvm.
>
>What I did so far:
>1) clone the template I am also using for my sys-firewall to a new template
>which has qvm-prefs set to netvm True
>
>2) installed expressvpn client app in this template, described here:
>https://www.expressvpn.com/de/support/vpn-setup/app-for-qubes-os/
>
>3) Created an AppVM from this new template and run through the setup
>expressvpn connected successfully
>
>4) I then created a normal appvm and choose the expressvpn AppVm as netvm.
>
>but unfortunately this AppVM is unable to connect to the internet, even
>when expressvpn netvm is connected.
>
>Setup is:
>
>sys-net (netvm)*  <-- sys-expressvpn (netvm)** <-- AppVM***
>
>* and ** = can connect to the internet
>*** = no internet connection
>
>Am I missing something?
>
>- O
>

I have a similar need.  Using Qubes 3.2, Fedora 28 and Debian 9 templates.

I have an appVM which I use to connect via openconnect to a client's Cisco VPN. 
 I installed the openconnect connection in that specific appVM...program in the 
general template, but connection configuration only in that appVM.

I also have a need to VPN into my home network in order to gather my e-mails 
via pop3 and/or imap access.  I have a few G-mail addresses and they like to 
"block" access from "new" ip addresses.  I also maintain my home system from 
wherever I find myself, which entails updating a Drupal installation and 
maintaining two Debian 9 VM's (one for the Drupal site and one for openvpn into 
my network), an old XP VM (monitors my solar electric system) and the Debian 9 
"server" (actually an old Dell laptop).  

Initially, I setup a proxyVM to use for the home VPN and defined it as the 
network VM for my mail appVM and had sys-firewall as its net VM.  I have since 
simply added the home VPN connection script and config to the mail appVM, and 
openvpn client to the template.  This allows me to connect my mail appVM to my 
home VPN and my client specific appVM to my client's Cisco VPN independently 
and simultaneously. Both the client specific appVM and the mail appVM use 
sys-firewall as their net VM.

The biggest issue is various default installed network management systems 
lunching DNS.  I disable avahi services to get around that.

Stuart



Re: [qubes-users] [R4.0] CPU Freq Scaling, or "Why am I stuck at 2.1 Ghz?"

2018-12-09 Thread Stuart Perkins



On Sun, 9 Dec 2018 17:13:54 +
Mike Keehan  wrote:

>On Thu, 6 Dec 2018 15:54:17 -0800 (PST)
>Eric Duncan  wrote:
>
>> Finally received my new Thinkpad X1 Yoga 3rd gen.
>> 
>> i7-8650U up to 4.2 Ghz Turbo
>> 
>> How can I debug/check that my CPU governor/frequency is scaling
>> correctly under Qubes R4?
>> 
>> So far, the only thing I've found is xentop/xl top that lists the CPU
>> - as a never-changing 2.1 Ghz.  Maybe this isn't the best way to
>> measure CPU freq under dom0?  All other tools seemed to want to use
>> xfce4 tools, which seemed to only be specific to that fedora VM - and
>> not the xen host.
>> 
>> /TL;DR
>> 
>> 
>> I let Windows 10 register itself before wiping the disk and
>> installing Qubes R4.  Under Windows, Google Chrome benchmarked around
>> 5300 pts with the online tool I was using.  As a test, I also
>> installed Arch Linux briefly to test Chrome performance, and it came
>> in around 4500 pts.  I chalk that up to not optimizing anything on
>> the system - just a raw install and no tweaks.
>> 
>> Now, under Qubes R4.0, I'm still noticing a lot of
>> sluggishness/slowdowns just like my older Thinkpad Helix has always
>> had under Qubes R3.2 (and one of the reasons why I waited for this
>> quad core CPU to upgrade my Qubes install).  I could never benchmark
>> Chrome under that Helix dual-core low-powered device.
>> 
>> I loaded up Chrome on a new debian-9 VM and... Almost the same
>> extremely sluggish performance.  Google Chrome can't even get
>> partially through the benchmarks without timing out, much less finish
>> them.  
>> 
>> I've tried assigning 4 and even 8 vcpus to try to max things out.
>> 
>> I am wondering where to start to debug this.  
>> 
>> Is it a dom0 cpu scaling thing?  
>> 
>> Does Qubes impose some artificial throttling?
>> 
>> Is it a lag in iGPU rendering through the DisplayVM?  (this DisplayVM
>> is a new concept to me, still trying to figure it out)
>> 
>> I've spent about 3 days on this device with various other issues to
>> get to this point (no S3 sleep yet, pixel-perfect scaling of the HDR
>> 1440p 14" display, etc).  A few duckduckgo searches haven't turned
>> anything up yet; so, i'll continue when I have some time.
>> 
>> Thanks!
>> -E
>>   
>
>Hi Eric,
>
>If your Chrome benchmarks involve 3D acceleration using the GPU, then
>they won't work under Qubes.
>
>Each Qube VM renders its windows in software, which is then copied to 
>dom0 for display on the Xwindow system.  Only dom0 has access to the
>GPU, and you are not supposed to run applications on dom0 for security
>reasons.   (And of course, dom0 has no internet connection anyway.)
>
>Mike.
>

Qubes is a "security oriented" OS.  If you want to game, use a different 
physical system.  Gaming by its very nature is best done NOT in a VM.

Stuart



[qubes-users] Custom Indicator

2018-12-06 Thread Stuart Perkins
List.  I'm using Qubes 3.2/XFCE4 and I want to add an indicator to show a 
status based on the contents of a file in dom0.  

I can set the contents of the file to 1 or 0, Yes or No, etc...from the vm 
where I am running a VPN connection.  I want the panel to indicate if I am 
running the VPN connection or not.  

I have tried the "Generic Monitor" which allegedly shows the output of a 
command, as it would be logical to cat the file with a certain frequency and 
update the displayed results, but the only thing the "Generic Monitor" displays 
is the label given it.

Are there other options which will actually function?

Thanks in advance.

Stuart

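A dom0-side script for the "Generic Monitor" plugin asked about above, as an added example that is not part of the original post. It prints the plugin's `<txt>`/`<tool>` markup from the status file; the file path, the staleness limit and the panel labels are assumptions, and the accepted values are the 1/0 and Yes/No the post mentions. Because the file content originates in a VM, the script treats it as untrusted input.

```shell
#!/bin/sh
# Added example for the xfce4 "Generic Monitor" (genmon) plugin in dom0.
# Assumptions: the status file path, the staleness limit and the labels.
# The file content originates in a VM, so dom0 treats it as untrusted: it is
# size-limited, compared against fixed values, and never echoed to the panel.

STATUS_FILE="${STATUS_FILE:-$HOME/.vpn-status}"   # hypothetical location
MAX_AGE="${MAX_AGE:-120}"                         # seconds until a status is stale

emit() {   # emit LABEL TOOLTIP, in genmon's <txt>/<tool> markup
    printf '<txt>VPN: %s</txt><tool>%s</tool>\n' "$1" "$2"
}

vpn_indicator() {   # vpn_indicator FILE MAX_AGE_SECONDS
    file=$1 max_age=$2 value=""

    # Regular file only: no symlinks, FIFOs or devices.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        emit '?' 'no status file'; return 0
    fi
    # Cap the size before reading anything.
    if [ "$(( $(wc -c < "$file") ))" -gt 8 ]; then
        emit '?' 'status file too large'; return 0
    fi
    # A status that is no longer being refreshed must not read as "on".
    now=$(date +%s)
    mtime=$(stat -c %Y "$file" 2>/dev/null || echo 0)
    if [ $(( now - mtime )) -gt "$max_age" ]; then
        emit '?' 'status is stale'; return 0
    fi

    IFS= read -r value < "$file" || true   # first line; tolerate a missing newline
    case "$value" in
        1|Yes) emit 'on'  'VPN connected' ;;
        0|No)  emit 'OFF' 'VPN not connected' ;;
        *)     emit '?'   'unrecognised status' ;;
    esac
}

# genmon runs this script periodically and displays whatever it prints.
vpn_indicator "$STATUS_FILE" "$MAX_AGE"
```
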


Re: [qubes-users] Confidential email from fludalt

2018-11-23 Thread Stuart Perkins



On Fri, 23 Nov 2018 16:52:57 +0100 (CET)
 wrote:

>Hello,
>
>You have just received a confidential email via Tutanota 
>(https://tutanota.com). Tutanota encrypts emails automatically end-to-end, 
>including all attachments. You can reach your encrypted mailbox and also reply 
>with an encrypted email with the following link:
>
>Show encrypted email
>
>Or paste this link into your browser:
>https://mail.tutanota.com/#mail/LS0GXlF--F-1DQum1tyjXR9t5X3xZRFnTQ
>
>This email was automatically generated for sending the link. The link stays 
>valid until you receive a new confidential email from me.
>
>Kind regards,
>fludalt
>

Following links in e-mail is something you are unlikely to get folks on this 
list to do.  :)



Re: [qubes-users] Re: Removing KDE

2018-11-14 Thread Stuart Perkins
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On Mon, 12 Nov 2018 14:49:51 +0100
donoban  wrote:

>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>On 11/12/18 1:03 AM, unman wrote:
>> Though why you would want to remove Plasma? So easy to configure and
>> customize, and really enhances Qubes experience.
>> 
>> unman  
>
>Yeah! I hope someday KDE will be default desktop again. Unfortunately
>there are some bugs with tasks tray and domains/devices widget.
>

I hope it stays with XFCE.  I despise the bloat of KDE.  :P

Stuart



Re: [qubes-users] Re: Qubes 3.2: No Internet Connection, neither with Wi-Fi, neither with Ethernet. HELP PLEASE!

2018-11-09 Thread Stuart Perkins



On Fri, 9 Nov 2018 10:45:06 -0500
LMiller M <56lmil...@gmail.com> wrote:

>Ok back with the laptop. During boot up, dom0 green state, sys-net green
>state. WiFi connection good, and can reboot! Lol
>
>But with that said nothing else auto loads. I have to start fedora-26 and
>it will.
>
>When trying to start sys-firewall I get error ( PCI device 02:00.0 is in
>use by driver xenlight domain sys-net
>Log: /var/log/libvirt/libxl/libxl-driver.log
>
>I don’t see this log listed with sys-net, there are no logs with
>sys-firewall. I don’t see this listed in the Qubes log either.
>
>I have looked up help, but others have usb issues. I don’t have any
>attached and not trying to do anything with them as stated .
>
>I tried command qvm-pci attach --persistent --option permissive=True --option no-strict-reset
>
>But I’m missing something so it’s not working. I’m in the right direction?
>I need to reset pci and set no restrictions?
>
>
>On Wed, Nov 7, 2018 at 9:32 PM LMiller M <56lmil...@gmail.com> wrote:
>
>> Ok so I figured out how to see the logs.
>>
>> I have been able to figure out why the laptop wasn’t responding to the OS
>> correctly. Now it’s working and updating as needed.
>>
>> I will explain more as I learn more.
>>
>> I do appreciate the guidance. I think there is more that can be shown, to
>> help newbies.
>>
>> I’m going to put something together from my view point to see if you all
>> agree. Maybe it can be useful to all new qube users like me. Lol anyway, I
>> wouldn’t have figured it out as fast for myself with out your help.
>>
>> Thank you for helping me.
>>
>> I’m still figuring things out, but this build is awesome and so much to
>> learn with it.
>> On Tue, Nov 6, 2018 at 4:43 PM LMiller M <56lmil...@gmail.com> wrote:
>>
>>> Ok on first boot after install Qubes will show the kernel failure and
>>> bypass and boot into dom0.
>>>
>>> Once there, in the Qubes manager dom0 has green state.
>>>
>>> Lol ok don’t laugh too hard. So I checked devices like have been, sys-net
>>> as you mentioned. Both Ethernet and WiFi devices are there. So I just
>>> removed my Ethernet from device selection and bingo sys-net green state!
>>>
>>> So I will try now to run system updates for dom0 and fedora.
>>>
>>> Thanks again for point things out. Sometimes you look at something so
>>> crazy and just need a second thought.
>>>
>>> So, can you show me how to check logs if I run into issues? Lol please
>>> and thanks
>>> On Tue, Nov 6, 2018 at 4:09 PM 'awokd' via qubes-users <
>>> qubes-users@googlegroups.com> wrote:
>>>

 LMiller M:
 > Update: Kernel failure during boot install OS 4.0
 >
 > After the install booted into dom0, checking Qubes kernel package to see
 > what three were stored or available. Mine only list one kernel.
 >
 > 4.14.18-1
 >
 > I checked using the rpm -qa ‘kernel-Qubes-vm*’
 >
 > Using the install update option I get:
 >
 > Unable to reset pci device :03:00.2:
 >
 > Trying to apply the device to the selected box: error: device tab: can’t
 > attach pci device to VM in pvh mode
 >
 > Does that mode need to be changed?
 >
 > Stupid question but because honestly I don’t know. How do you check the
 > logs? I’m the terminal?
 >
 > I downloaded the new kernel to cd, can install from the cd? I don’t see
 > anything on the Qubes kernel page except download from internet throw
 > Qubes. With internet I can’t.
 >
 >
 > On Tue, Nov 6, 2018 at 10:39 AM LMiller M <56lmil...@gmail.com> wrote:
 >
 >> So, after looking more into the kernel issue. I see on the Qubes site some
 >> instructions for trying to change the kernel. I’m going to do a reinstall
 >> of the 4.0 os to get back into Dom0 and try it out. I will post back
 >> hopefully with success..
 >> On Mon, Nov 5, 2018 at 8:02 PM LMiller M <56lmil...@gmail.com> wrote:
 >>
 >>> Ok so one more if I can please, this is on a Asus K56c laptop and it has
 >>> a kernel failure on boot with Qubes Os 4.0. On the first install it shows
 >>> the kernel failure and it boots to the OS dom0. If I turn off or reboot it
 >>> shows my kernel failure and won’t load into the os.
 >>>
 Glad you got your other computer working at least! So on this one, where
 are you getting this kernel failure exactly? If it's booting to dom0,
 I'm not following where you're having trouble. There's a message on boot
 about failed to load kernel modules that can be safely ignored.

 To update dom0, you want to use "sudo qubes-dom0-update". You should
 rarely need to update the kernel by itself.

 Is that when you are getting the PCI reset error? Is your sys-net
 started? Check in Qube Manager. Then, check sys-net's Qube
 Settings/Devices to see what's attached there and if 03:00.2 is one of
 the devices. If so, see what it is.

 --
 

Re: [qubes-users] Installation Problem

2018-10-30 Thread Stuart Perkins



On Mon, 29 Oct 2018 15:32:41 -0400
Andy Powell  wrote:

>Well that clears it up! Thanks!!!
>
>Very surprising...guess I’ll go to another distro. Bye Qubes!
>
>> On Oct 29, 2018, at 2:51 PM, Fidel Ramos  wrote:
>> 
>> ‐‐‐ Original Message ‐‐‐  
>>> On Monday, October 29, 2018 6:20 PM, Andy Powell  wrote:
>>> 
>>> Hello Qubes group!
>>> 
>>> I’m trying to install Qubes but it fails after “Test this media & install 
>>> Qubes R4.0” at “Loading initrd.img”
>>> 
>>> I’m on a 2012 MacBook Pro, running Parallels (which I guess may be the 
>>> issue, as 100% of your documentation refers to VirtualBox...do you support 
>>> other hypervisors?)
>>> 
>>> I’ve followed everything as best I can and am stuck in an infinite loop. No 
>>> issues running other major OS VMs (Ubuntu, Mint, Fedora, various Win, etc)
>>> 
>>> Please help! Thank you!
>>> 
>>> —Andy  
>> 
>> Running QubesOS inside a virtual machine is not supported, and as you found 
>> out it won't work in most configurations.
>> 
>> If you want to try out Qubes in your machine you could install it into a USB 
>> drive or USB HDD (i.e. put the installer into a USB drive, boot the 
>> installer, then install into a *different* USB drive). It will be slower, 
>> but you can see if it works with your hardware.  
>

Qubes is, essentially, a Xen hypervisor (bare metal virtual machine host).  It 
has added complexity to provide a more complete separation of programs and 
data, and further compartmentalize different areas of sensitivity such as 
general web browsing, password safe keeping, etc.  You can configure different 
application VMS for different purposes and keep your information more secure 
than even a general virtual machine host such as Unix/VirtualBox or 
Windows/VMWare.

Attempting to run a Xen hypervisor inside of a VirtualBox or VMWare VM is 
illogical.

Qubes is not just another flavor of Linux.



Re: [qubes-users] My touchpad and mouse didn't work

2018-10-14 Thread Stuart Perkins


On Sat, 13 Oct 2018 13:13:58 -0700 (PDT)
Máté Kovács  wrote:

>Hi
>Somehow I turned off my touchpad in Qubes, and it got stuck in the middle of 
>the screen.
>How can I navigate myself to dom0 console with my notebook's keyboard?
>

For a command line console, ctl-alt-F2 (or F3,4,5,6,7) and login with the admin 
account.

You can do whatever you can do from a command line except start a graphical 
program.

Stuart



Re: [qubes-users] [Qubes-4.0] Vanishing Packages on TemplateVMs

2018-10-10 Thread Stuart Perkins



On Wed, 10 Oct 2018 19:14:01 +
"'Modprobe' via qubes-users"  wrote:

>** General intro stuff, not terribly important, tl;dr as appropriate **
>Hi, all! Qubes newbie here; I installed Qubes on my new laptop just to see 
>what happens and now I'm bumbling my way along, using it and reading docs, 
>trying to get a feel for how things get done. For the most part, it's kind of 
>awesome, but every now and then there's something that confuses me, and right 
>now the most seriously confusing thing is that packages which I installed have 
>a nasty tendency to uninstall themselves, and I'm not sure why...
>
>Now a relevant bit of context is that I'm one of those nasty users who never 
>does things according to the official guidelines and stuff, so I've made a 
>number of tweaks to my installation to fit my habits. I'll do my best to keep 
>track of what's unusual on my box and make those things clear up front, but I 
>might forget something I've done, so please bear with me.
>
>** Quirks about my Environment **
>Right now, the main quirk on my box, I think, is that I really, really don't 
>seem to like Fedora, and I really, really do like Arch, so I'm using the Arch 
>template for most of my AppVMs. Building and installing the Arch template on 
>Qubes 4 was a bumpy process (I used the instructions for Qubes 3.2 
>[here](https://www.qubes-os.org/doc/building-archlinux-template/), and had to 
>improvise a fair bit as things didn't work), and I'm not 100% sure it went 
>totally right, but I got to the end of the instructions and mostly it seems to 
>work...
>
>** My actual issue **
>Except for the vanishing packages. So every now and then, I install a package 
>into the TemplateVM (NOT the AppVM; I expect those packages to vanish when I 
>reboot the AppVM, but packages in the TemplateVM should stick around until I 
>remove them, yeah?) and it works and shows up correctly for a while, but some 
>time later (often, I'm pretty certain, without any kind of reboot in the 
>interim), the package is simply gone. I have to reinstall it cuz it's just not 
>there anymore. I'm pretty darn sure this is not expected behavior, but maybe 
>I'm just not understanding something.
>
>It seems to be more prevalent for some packages than others; for instance, 
>I've had AUR builds fail because `patch` wasn't installed, so I install patch 
>and try again, and it works. The automake and autoconf packages do it too, but 
>less often than patch. I've installed patch several times on my Arch 
>TemplateVM by now, but it keeps disappearing behind my back:
>
>> [user@archlinux ~]$ history | grep patch
>>57  pikaur -S patch
>>   200  pikaur -S patch
>>   204  pikaur -S patch
>>   276  pikaur -S patch
>>   291  pikaur -S automake patch autoconf
>>   292  history | grep patch
>
>So that's my main confusion with Qubes right now; I'm hoping someone can help 
>me understand what's going on. Am I making some dumb mistake? Thanks for your 
>time! =)
>
>--
>Nathan
>

In Qubes, the Templates are where software is installed.  If you install 
software in an appVM, it will go away when you shutdown the appVM.  This is to 
implement a separation of software and data, and is one of the foundations of 
Qubes.

If you want software available in a template based appVM, you need to install 
it in the template.  You can install uncertain software in an appVM for 
evaluation and not worry if it doesn't work, as it will go away when you 
poweroff the appVM...but then you need to install that same software in the 
Template in order to make it available in the appVM.

Stuart



Re: [qubes-users] Enabling OpenVPN auto start

2018-09-26 Thread Stuart Perkins



On Wed, 26 Sep 2018 00:24:29 -0500
Stuart Perkins  wrote:

>On Tue, 25 Sep 2018 22:34:12 -0400
>Chris Laprise  wrote:
>
>>On 09/25/2018 05:27 PM, Stuart Perkins wrote:  
>>> 
>>> On Tue, 25 Sep 2018 12:52:16 -0700 (PDT)
>>> Ninja-mania via qubes-users  wrote:
>>> 
>>>> Dude I actually love you (no homo).
>>>>
>>>> Spent 20+ trying to set vpn up (Big ass noob) and never came across the 
>>>> Qubes tunnel. It’s awesome. You’re awesome.
>>
>>Glad to help!
>>
>>  
>>> I have two separate VPN's on my Qubes 3.2 laptop.
>>> 
>>> One Cisco VPN running via OpenConnect in a dedicated appVM for a client.
>>> One OpenVPN running in a secondary copy of sys-net which I switch to when I 
>>> need it.  I run the server OpenVPN on a VM on my home server (Debian and 
>>> VirtualBox).
>>> 
>>> When I want to connect EVERYTHING to the VPN, I switch out and run the copy 
>>> of sys-net with the VPN credentials and scripts.
>>> 
>>> When I want to access the client, I start the appVM with the OpenConnect 
>>> Cisco VPN client and credentials.  I also use this appVM to run client 
>>> specific software through Wine for most of my work on their equipment, 
>>> although I do a fair amount of straight up command line stuff on their 
>>> system as well.  I can run this on top of the other VPN if absolutely 
>>> necessary, but performance is not fast since my home connection is not fast.
>>> 
>>> Haven't had occasion to try the Qubes tunnel.  Is there a particular reason 
>>> to?
>>
>>It's good practice to use a Qubes-specific tool like qubes-tunnel to 
>>ensure that DNS packets (and everything else) gets routed through the 
>>tunnel and never _around_ it even when the link goes down. This is 
>>important for Qubes because any service VM (NetVM or ProxyVM) that runs 
>>VPN software is acting like a router, not a PC, and Qubes also has 
>>special requirements for proper routing of DNS in this situation.
>>
>>In your case the AppVM with OpenConnect acts like a PC endpoint and is 
>>probably not a security issue. But the sys-net copy is acting like a 
>>router as previously mentioned and that's an issue on Qubes; to improve 
>>security you could move your openvpn config to a ProxyVM and use 
>>qubes-tunnel.
>>
>>There is also the issue of VPN passwords or keys being stored in a 
>>sys-net type VM, since these VMs are considered vulnerable to attack. 
>>Moving the VPN to a ProxyVM increases the security of your VPN secrets.
>>  
>
>I will try and get the qubes-tunnel to work, as this makes sense.  


Well, got the proxyVM created.  Based it on Fedora-28.  Have it squeezed 
between sys-firewall and sys-net.  It runs automatically due to the dependency, 
but the vpn does not run automatically, which is what I want.  I set up a 
shortcut to start the open vpn and another to kill it.  It seems to work, but 
my ability to test it out is not complete right now.  I'll know more after I 
test it some more tomorrow.  That keeps my storage of VPN credentials away from 
sys-net, while still enabling sys-firewall.  That is the part I need to test 
more fully.  I have one appVM firewalled to only access my home system for 
backup purposes as well as other appVMs with full access.  I'll do some serious 
testing tomorrow and report the results.  I can synthesize being away from home 
by using my smartphone for internet.  I will need to access my home network 
when connected to the VPN, which I ought to be able to, and a traceroute should 
go through my home system's DNS server.  This may be the best solution for my 
need for now.  It is better than the previous sys-net hosted openvpn instance.  
Thanks to Chris for the explanation as to why to use qubes-tunnel.

Stuart

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180926193803.7eb70ee5%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Enabling OpenVPN auto start

2018-09-25 Thread Stuart Perkins



On Tue, 25 Sep 2018 22:34:12 -0400
Chris Laprise  wrote:

>On 09/25/2018 05:27 PM, Stuart Perkins wrote:
>> 
>> On Tue, 25 Sep 2018 12:52:16 -0700 (PDT)
>> Ninja-mania via qubes-users  wrote:
>>   
>>> Dude I actually love you (no homo).
>>>
>>> Spent 20+ trying to set vpn up (Big ass noob) and never came across the 
>>> Qubes tunnel. It’s awesome. You’re awesome.  
>
>Glad to help!
>
>
>> I have two separate VPN's on my Qubes 3.2 laptop.
>> 
>> One Cisco VPN running via OpenConnect in a dedicated appVM for a client.
>> One OpenVPN running in a secondary copy of sys-net which I switch to when I 
>> need it.  I run the server OpenVPN on a VM on my home server (Debian and 
>> VirtualBox).
>> 
>> When I want to connect EVERYTHING to the VPN, I switch out and run the copy 
>> of sys-net with the VPN credentials and scripts.
>> 
>> When I want to access the client, I start the appVM with the OpenConnect 
>> Cisco VPN client and credentials.  I also use this appVM to run client 
>> specific software through Wine for most of my work on their equipment, 
>> although I do a fair amount of straight up command line stuff on their 
>> system as well.  I can run this on top of the other VPN if absolutely 
>> necessary, but performance is not fast since my home connection is not fast.
>> 
>> Haven't had occasion to try the Qubes tunnel.  Is there a particular reason 
>> to?  
>
>It's good practice to use a Qubes-specific tool like qubes-tunnel to 
>ensure that DNS packets (and everything else) get routed through the 
>tunnel and never _around_ it even when the link goes down. This is 
>important for Qubes because any service VM (NetVM or ProxyVM) that runs 
>VPN software is acting like a router, not a PC, and Qubes also has 
>special requirements for proper routing of DNS in this situation.
>
>In your case the AppVM with OpenConnect acts like a PC endpoint and is 
>probably not a security issue. But the sys-net copy is acting like a 
>router as previously mentioned and that's an issue on Qubes; to improve 
>security you could move your openvpn config to a ProxyVM and use 
>qubes-tunnel.
>
>There is also the issue of VPN passwords or keys being stored in a 
>sys-net type VM, since these VMs are considered vulnerable to attack. 
>Moving the VPN to a ProxyVM increases the security of your VPN secrets.
>

I will try and get the qubes-tunnel to work, as this makes sense.  



Re: [qubes-users] Enabling OpenVPN auto start

2018-09-25 Thread Stuart Perkins


On Tue, 25 Sep 2018 12:52:16 -0700 (PDT)
Ninja-mania via qubes-users  wrote:

>Dude I actually love you (no homo). 
>
>Spent 20+ trying to set vpn up (Big ass noob) and never came across the Qubes 
>tunnel. It’s awesome. You’re awesome.
>

I have two separate VPN's on my Qubes 3.2 laptop.

One Cisco VPN running via OpenConnect in a dedicated appVM for a client.
One OpenVPN running in a secondary copy of sys-net which I switch to when I 
need it.  I run the server OpenVPN on a VM on my home server (Debian and 
VirtualBox).

When I want to connect EVERYTHING to the VPN, I switch out and run the copy of 
sys-net with the VPN credentials and scripts.

When I want to access the client, I start the appVM with the OpenConnect Cisco 
VPN client and credentials.  I also use this appVM to run client specific 
software through Wine for most of my work on their equipment, although I do a 
fair amount of straight up command line stuff on their system as well.  I can 
run this on top of the other VPN if absolutely necessary, but performance is 
not fast since my home connection is not fast.

Haven't had occasion to try the Qubes tunnel.  Is there a particular reason to?



Re: [qubes-users] A few tips on installing Qubes 4.0

2018-09-23 Thread Stuart Perkins



On Mon, 24 Sep 2018 02:30:50 +
"'William Pate' via qubes-users"  wrote:

>‐‐‐ Original Message ‐‐‐
>On Sunday, September 23, 2018 8:56 PM, Patrick  
>wrote:
>
>> Hi,
>>
>> I had already installed 4.0 on my laptop and decided to upgrade a workhorse 
>> desktop running 3.0. So I just boot to a usb stick with a validated 4.0 iso. 
>> Actually, that's the first tip, make sure you're using the "dd" option when 
>> creating the iso (like the doc says anyway). That made a big difference in 
>> just getting the boot right.
>>
>> I loaded it, had issues, tweaked some things, wasted time here and there but 
>> what worked well was:
>>
>> 1 - boot to and loading a disk partitioner like https://gparted.org/
>> - then I just removed all existing partitions.
>>
>> 2 - booting to and load a disk wipe program like killdisk: 
>> http://www.killdisk.com/
>> I don't know, I felt like there was just something existing on the disk that 
>> was causing a problem, and when I erased and wiped the drive and then did 
>> another 4.0 install it worked perfectly, no issues at all.
>>
>> PS - I had issues trying to get dban working, for some reason.
>>
>> Hope that helps some folks.
>>
>> Patrick
>>
>>  
>
>
>
>My fresh installation of Qubes 4.0 was similarly trouble-free. I put it on a 
>Dell Latitude E7240 laptop. It took a while. I only partitioned the disk -- 
>now to just figure out how to extend Qubes' partition over Windows'. Oh, and 
>more RAM would be nice. (I jumped straight from no-Linux-knowledge to Qubes. 
>It's taking a while to learn.)
>
>Next up: Lenovo W520.
>
>
>
>
>William Pate
>willp...@pm.me
>512-947-3311
>www.wopate.com
>
>
>
>
>
>

Kinda like Ross Perot and Donald Trump's political careers...start by running 
for President.

Just get a good grasp of the architecture of Qubes...separate programs from 
data with templates...separate tasks with appVMs...restrict network exposure to 
ONLY the tasks which require it...it works very well as long as you keep that 
in mind when you are working with it.



Re: [qubes-users] Re: New to Qubes having issues logging into my vpn service despite following the Qubes instructions

2018-09-18 Thread Stuart Perkins



On Tue, 18 Sep 2018 10:17:25 -0700 (PDT)
Wolf moon  wrote:

>On Tuesday, 18 September 2018 10:46:44 UTC+1, Антон Чехов  wrote:
>> On Tuesday, September 18, 2018 at 10:37:06 AM UTC+2, Wolf moon wrote:  
>> > On Saturday, 15 September 2018 04:21:53 UTC+1, Wolf moon  wrote:  
>> > > Hi guys New to Qubes ( which is an amazing feat of cyber security 
>> > > engineering ) all working fine and learning my way around it. 
>> > > 
>> > > My only issue is logging into my vpn service. 
>> > > 
>> > > I have followed the Qubes instructions ( which the images are different 
>> > > to Qubes 4.0 and after searching the net on this matter someone said 
>> > > that this is a shot of the previous Qubes so not helpful there ) I also 
>> > > contacted my vpn service on the matter. They read up on the Qubes 
>> > > instructions and emailed me back a step by step guide but still no joy. 
>> > > 
>> > > My vpn service works well on my Raspberry Pi 3 in the command line ( 
>> > > which I found simple instructions for elsewhere on the internet ) and 
>> > > works fine on my windows 10 system as its got an app interface you 
>> > > download.
>> > > 
>> > > Its just Qubes I am having issues with. I am by no means a hardcore 
>> > > techy, I am learning and not afraid or unfamiliar using the command line 
>> > > in linux. 
>> > > 
>> > > I have contacted the Qubes team after trying my best effort to resolve 
>> > > this on my own as I know they are a small team of 5 or so last time I 
>> > > checked.
>> > > 
>> > > Any help and advice would be greatly appreciated.
>> > > 
>> > > Best,
>> > > 
>> > > Wolf Moon  
>> > 
>> > Okay guys so I am signed up to Nordvpn. ( To note: I always update 
>> > everything in Qube manager )
>> > 
>> > I started off by google searching how to set up a vpn on qubes. I don't 
>> > have every forum page be it google groups or reddit page saved I read 
>> > unfortunately. 
>> > 
>> > But they generally instructed me to go through the steps to set up a 
>> > vpn as Qubes instructs on their page 
>> > https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-networkmanager
>> > 
>> > Specifically Set up a ProxyVM as a VPN gateway using iptables and CLI 
>> > scripts
>> > 
>> > What I was referencing referring to the diagram/photo being outdated or of 
>> > the old version of Qubes prior to 4.0 was the Dom0 create a new Vm. It 
>> > just comes up looking different which is what one of the OPs mentioned on 
>> > one of the how to guides I found. 
>> > 
>> > Moving forward.
>> > 
>> > Certain commands didn't work like sudo which after googling one forum 
>> > posted in Qubes you don't use sudo much, dnf ( what ever that is ) is used 
>> > instead which is what I used.
>> > 
>> > I created a Qube named it Nordvpn > Template > Fedora-26 > Networking > 
>> > sys-net 
>> > Appvm
>> > 
>> > From there the rest of the instructions didn't work on Qubes for me.
>> > 
>> > Apart from downloading the nord config files successfully which are in my 
>> > nordvpn documents folder with all the server addresses as txt files eg 
>> > uk648.nordvpn.comtcp443.ovpn
>> > 
>> > Also was instructed to download nano reader and a few other things.
>> > 
>> > My cd ls in my nordvpn terminal is as follows 
>> > 
>> > Desktop    Music     Templates       nano.save
>> > Documents  Pictures  Videos          openvpn-client.ovpn.txt
>> > Downloads  Public    auth-user-pass  pass.txt
>> > 
>> > ( To note and jumping ahead: following tasket's Reddit page on Qubes vpn 
>> > set up instructions I added vpn-handler-openvpn to services in the appvm I 
>> > named Nordvpn )
>> > 
>> > So from there comes Nordvpns reply ( they were very helpful before helping 
>> > me successfully setting up my vpn link on my Raspberry Pi )
>> > 
>> > I received this email: 
>> > 
>> > Hello, Adam,
>> > 
>> > I have checked your OS documentation and it would be great if you could 
>> > test out the following setup:
>> > Disable any auto-starting service that comes with the software package. 
>> > For example for OpenVPN.
>> > sudo systemctl disable openvpn.service
>> > You may also wish to install nano or another simple text editor for 
>> > entering the scripts below. Now run the following command to create VPN 
>> > directory:
>> > sudo mkdir /rw/config/vpn
>> > Enter the directory using the following command:
>> > cd /rw/config/vpn
>> > 
>> > Then our website - https://nordvpn.com/servers/#recommended , on the 
>> > server picker you will see recommended server number. Then open 
>> > https://nordvpn.com/ovpn/ website and download recommended server file. 
>> > You can download directly to device and transfer to your VM or use command 
>> > to download from the hyperlink:
>> > sudo wget https://downloads.nordcdn.com/configs/files/ovpn_legacy/servers/us1310.nordvpn.com.udp1194.ovpn
>> > (Change the last line of server name to download the correct file). Then 
>> > rename downloaded file to client.ovpn
>> > The VPN client 

Re: [qubes-users] Installed software gets remove after reboot

2018-09-17 Thread Stuart Perkins



On Sun, 16 Sep 2018 23:47:08 -0700 (PDT)
Hugo Costa  wrote:

>Hey,
>
>I couldn't find the answer to this problem that has been annoying me for a 
>while. Basically, Qubes 4.0, fedora 28 and PVH qubes. 
>Problem is simple. I install something in qube X, I reboot my machine and it's 
>not there anymore. I've tried several ways but this always happens. The only 
>way for me to have a piece of software constantly in my qubes is by installing 
>it in the template. 
>
>Is there a way to make sure the software stays installed in the qube without 
>having to install it on the template?
>
>Regards,
>
>Hugo
>

That would defeat the purpose of the template.  If you only want this software 
in ONE qube, consider creating a special template.  The whole template concept 
is to prevent changes to the software from persisting unless done in the 
template (intentionally).  Separation of software and data.



Re: [qubes-users] New to Qubes having issues logging into my vpn service despite following the Qubes instructions

2018-09-16 Thread Stuart Perkins



On Sun, 16 Sep 2018 12:30:47 +0100
unman  wrote:

>On Fri, Sep 14, 2018 at 08:21:53PM -0700, Wolf moon wrote:
>> Hi guys New to Qubes ( which is an amazing feat of cyber security 
>> engineering ) all working fine and learning my way around it. 
>> 
>> My only issue is logging into my vpn service. 
>> 
>> I have followed the Qubes instructions ( which the images are different to 
>> Qubes 4.0 and after searching the net on this matter someone said that this 
>> is a shot of the previous Qubes so not helpful there ) I also contacted my 
>> vpn service on the matter. They read up on the Qubes instructions and 
>> emailed me back a step by step guide but still no joy. 
>> 
>> My vpn service works well on my Raspberry Pi 3 in the command line ( which I 
>> found simple instructions for elsewhere on the internet ) and works fine on 
>> my windows 10 system as its got an app interface you download.
>> 
>> Its just Qubes I am having issues with. I am by no means a hardcore techy, I 
>> am learning and not afraid or unfamiliar using the command line in linux. 
>> 
>> I have contacted the Qubes team after trying my best effort to resolve this 
>> on my own as I know they are a small team of 5 or so last time I checked.
>> 
>> Any help and advice would be greatly appreciated.
>> 
>> Best,
>> 
>> Wolf Moon
>>   
>
>Hi Wolf Man
>
>Welcome to Qubes.
>
>It would be easier to help if you gave some idea of what the problem is:
>"still no joy" doesn't mean anything.
>
>Also, "the Qubes instructions" cover a number of different approaches.
>Which one did you try?
>How did the instructions provided by your provider differ from the Qubes?
>
>Can you say what provider is involved, and what flavour of vpn you are
>trying to put in place.
>Look in the log files for the service, and post relevant extracts - I
>mean take some time to review the log yourself and then post.
>
>The more relevant information you provide, the easier it will be to
>help.
>
>cheers
>
>unman
>
>

I have two different VPN's I use for different purposes.  I have a cisco 
provided VPN for a client which I connect to via openconnect from within a 
dedicated appVM, and I run an OpenVPN server on my home network and connect to 
it through the OpenVPN client when not at home from a clone of sys-net for the 
purpose.  I switch which sys-net I run based on if I need to connect to home or 
not, or I simply don't run the OpenVPN client if I'm using the sys-net with the 
OpenVPN client but don't need to connect.  There are quite a few different ways 
to skin this cat.



[qubes-users] Qubes 3.2 Whonix-14?

2018-09-13 Thread Stuart Perkins
I deleted the whonix vms and went to install whonix-14 and it won't work.  The 
salt command continues to say that the community repo is unknown.  What am I 
missing?



Re: [qubes-users] wifi password storage

2018-09-13 Thread Stuart Perkins


On Wed, 12 Sep 2018 22:16:01 -
"awokd"  wrote:

>On Wed, September 12, 2018 8:39 pm, Chris Laprise wrote:
>
>> Another alternative would be to configure a single sys-net with either
>> dispVM or Qubes-VM-hardening so that neither passwords nor malware would be
>> retained when sys-net is restarted.  
>
>Was going to suggest a dispVM as well, per
>https://www.qubes-os.org/doc/dispvm-customization/#using-static-disposable-vms-for-sys-
>.
>
>> Then you could control wifi
>> connections from a dom0 script.  
>
>How would you do that? qvm-run some nmcli command(s), passing along the
>wifi credentials?
>

My approach is with the presumption that he does not want to have to re-enter 
his work wifi credentials every workday morning.  Making sys-net disposable 
would forget everything every reboot...which would work...but he would have to 
re-enter work credentials every workday morning.

By separating work and general sys-net instances, he would not expose his work 
wifi credentials and would also not have to re-enter them every workday 
morning.  By creating a shutdown script to set to the generic sys-net on the 
way down, it would prevent accidentally connecting to an insecure wifi with the 
work sys-net instance.

I have zero 4.0 experience, as I rely on my machine far too much to attempt an 
upgrade from 3.2 at this time.  My approach would work well with 3.2, and would 
likely also work with 4.0.



Re: [qubes-users] wifi password storage

2018-09-12 Thread Stuart Perkins
I would do this without a separate network device.  Create a clone of a clean 
(no saved passwords) sys-net.  

First set sys-net and sys-firewall to NOT autostart.  Starting an appVM which 
uses them will start them first anyway.

Create a shutdown script which...

stop all appVMs
stop sys-firewall
update sys-firewall to use the insecure, general sys-net
complete shut down

Use this shutdown script for all shut downs.

Then when you turn your machine on "not at work", it will be using the insecure 
sys-net by default...you won't accidentally expose your work wifi credentials.  

Startup at work will require running a script from dom0 to...

stop all appVMs if any are running
stop sys-firewall
stop sys-net
update sys-firewall to use work-sys-net
start work-sys-net
start sys-firewall
start usual work appVMs

All done without an additional network device

Clear out any saved work wifi credentials in sys-net

This is how I would approach this issue.



On Wed, 12 Sep 2018 11:26:57 -0700 (PDT)
daniel  wrote:

>Thank you for your advice and quick reply, Alex.
>
>My question isn't just abstract security paranoia.  Most wifi passwords don't 
>really matter.
>But my university in its wisdom uses a one-per-user username/password combo 
>for *everything*.
>So someone who gets my work wifi password can also change student grades and 
>redirect
>my paycheck.  (There is 2FA for some things, but still.)  And I can't do 
>anything about this policy.
>
>So I'd rather not have that particular password stored in a VM which qubes 
>expects to be subverted.
>I don't think this is paranoia, just part of the data-flow thinking that qubes 
>users are expected to do.
>
>I like your suggestion for a separate usb wifi device.  Then when I want to 
>connect at work I would
>just change the networking VM for sys-firewall from sys-net to sys-net-work.  
>Would appreciate any
>pointers to docs helpful for actually doing this.  (Haven't delved into the 
>usb system yet.)
>
>And still open for suggestions from all, to my original broader question as 
>well as the current how-to-protect-a-single-wifi-password question.
>
>Best,
>Daniel
>


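The shutdown and work-startup sequences listed in the message above, written as a single dom0 script. This is an added example, not part of the original post. The names work-sys-net, work-mail and work-files and the DRY_RUN switch are assumptions, and `qvm-prefs -s` is the Qubes 3.2 form of the command.

```shell
#!/bin/sh
# Added example: dom0 helper that swaps the NetVM behind sys-firewall.
# Assumed names (not from the original post): work-sys-net, work-mail,
# work-files. Set sys-net and sys-firewall to not autostart, as the post says.

GENERAL_NETVM="sys-net"            # clean NetVM, no saved work credentials
WORK_NETVM="work-sys-net"          # NetVM that holds the work wifi credentials
FIREWALL_VM="sys-firewall"
WORK_APPVMS="work-mail work-files" # usual work appVMs (hypothetical names)

# Execute a command, or only print it when DRY_RUN=1 (for rehearsal).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stop every running VM, then point sys-firewall at the requested NetVM.
# Only the two known NetVMs are accepted, so a typo cannot leave
# sys-firewall attached to something unexpected.
switch_netvm() {
    target=$1
    case "$target" in
        "$GENERAL_NETVM"|"$WORK_NETVM") ;;
        *) echo "refusing unknown NetVM: $target" >&2; return 1 ;;
    esac
    # --all also stops sys-firewall and both NetVMs; --wait blocks until done.
    run qvm-shutdown --all --wait || return 1
    run qvm-prefs -s "$FIREWALL_VM" netvm "$target" || return 1
}

# "Startup at work": switch to the work NetVM, then bring the chain up.
start_work() {
    switch_netvm "$WORK_NETVM" || return 1
    run qvm-start "$WORK_NETVM" || return 1
    run qvm-start "$FIREWALL_VM" || return 1
    for vm in $WORK_APPVMS; do
        run qvm-start "$vm" || return 1
    done
}

# Use for every shutdown: the next boot defaults to the general NetVM,
# so the work credentials are never loaded on an untrusted network.
# The machine is powered off only if the NetVM reset succeeded.
safe_shutdown() {
    switch_netvm "$GENERAL_NETVM" || return 1
    run sudo systemctl poweroff
}

# Command-line entry point; with no argument nothing is executed.
case "${1:-}" in
    work)     start_work ;;
    shutdown) safe_shutdown ;;
esac
```

Running it with `DRY_RUN=1` prints the command sequence without touching any VM.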

Re: [qubes-users] qubes in doctors office as server for clients?

2018-08-06 Thread Stuart Perkins
The security model of Qubes may not be what you want for a "server" primarily 
due to the relative inaccessibility of an appVM from "outside".

On Mon, 6 Aug 2018 20:27:39 +0200
evo  wrote:

>Hey!
>
>Does it make sense to install qubes OS as the server for the doctors
>office and connect clients to it, or is it to complicated or even a bad
>idea?
>



Re: Fedora updates break appvms and templates (Re: [qubes-users] Deleted Pulseaudio from dom0 and broke every VM)

2018-08-02 Thread Stuart Perkins



On Tue, 31 Jul 2018 12:42:17 -0500
Stuart Perkins  wrote:

>On Tue, 31 Jul 2018 11:29:01 -0400
>Steve Coleman  wrote:
>
>>On 07/31/18 07:41, cubit wrote:  
>>> 31. Jul 2018 11:16 by cu...@tutanota.com:
>>> 
>>> 17. Jul 2018 13:40 by marma...@invisiblethingslab.com:
>>> 
>>  
>>> 
>>> to answer my own question, it's still broken on R3.2 if you do "dnf 
>>> update --best --allowerasing"
>>> 
>>> 
>>> Does anyone know the best way to fix this long term?
>>
>>I'm no expert in RPM management, but the core of the issue appears to be 
>>this:
>>
>>A) pulseaudio-qubes-4.0.11-1.fc28.x86_64 requires = pulseaudio-*12.0*
>>B) pulseaudio Version *12.2-1* is available already
>>C) pulseaudio Version 12.0 is *not available anywhere*
>>D) Qubes package pulseaudio-qubes apparently does *not* accept anything 
>>greater than 12.0 for some reason.
>>E) Any attempt to use --allow-erasing will badly break your system by 
>>permanently removing a necessary qubes component(s) (e.g. gui-agent or 
>>pulseaudio)
>>
>>I believe that the pulseaudio-qubes-4.0.11-1 package needs have its 
>>dependencies updated to permit pulseaudio >=  12.0 to satisfy its own 
>>requirements. If republishing pulseaudio-qubes with the same version 
>>number is not possible then a minor version bump would do the trick.
>>
>>The pulseaudio version numbering is already ahead of qubes requirement, 
>>and this "version gap" is only going to get wider until pulseaudio-qubes 
>>own dependency requirement is updated to catch up to the current version 
>>in the public repository, unless they want to publish their own version 
>>of it in the qubes repository (that could get messy).
>>
>>Why the fedora public repository skipped 12.0 altogether I have no clue, 
>>but one of them needs to change. Either the fedora repository needs to 
>>back populate itself with version 12.0, even though 12.2-1 is already 
>>available, or the pulseaudio-qubes package needs to be updated to 
>>include dependencies up to and including 12.2.*
>>
>>
>>btw - After some update testing I lost my sound again yesterday and 
>>recovered it by:
>>
>>$ sudo dnf downgrade pulseaudio-qubes
>># then catch up on regular patches, ignoring broken
>>$ sudo dnf update
>>
>>My dependencies are still broken, but at least I have my sound back.
>>
>>  
>
>Interestingly enough, the last time I tried to upgrade the fedora-28 template 
>(--allowerasing --best) (Qubes 3.2), it uninstalled the pulseaudio-gui etc...  
>I reinstalled it before shutting down the template, and sys-net and 
>sys-firewall came up just fine.  There are definitely some dependency issues 
>here.

Still having this problem trying to upgrade the fedora-28 template on Qubes 3.2.

[user@fedora-28 ~]$ sudo dnf upgrade
Last metadata expiration check: 0:14:59 ago on Thu 02 Aug 2018 10:03:52 AM CDT.
Dependencies resolved.

 Problem 1: cannot install the best update candidate for package 
qubes-gui-vm-3.2.22-1.fc28.x86_64
  - nothing provides pulseaudio = 12.0 needed by 
qubes-gui-vm-3.2.23-1.fc28.x86_64
 Problem 2: package qubes-vm-dependencies-3.2.3-1.fc28.noarch requires 
qubes-gui-vm, but none of the providers can be installed
  - package qubes-gui-vm-3.2.22-1.fc28.x86_64 requires pulseaudio = 11.1, but 
none of the providers can be installed
  - cannot install both pulseaudio-12.2-1.fc28.x86_64 and 
pulseaudio-11.1-18.fc28.x86_64
  - cannot install both pulseaudio-11.1-18.fc28.x86_64 and 
pulseaudio-12.2-1.fc28.x86_64
  - cannot install the best update candidate for package 
qubes-vm-dependencies-3.2.3-1.fc28.noarch
  - cannot install the best update candidate for package 
pulseaudio-11.1-18.fc28.x86_64
  - nothing provides pulseaudio = 12.0 needed by 
qubes-gui-vm-3.2.23-1.fc28.x86_64
 Problem 3: problem with installed package qubes-gui-vm-3.2.22-1.fc28.x86_64
  - package qubes-gui-vm-3.2.22-1.fc28.x86_64 requires pulseaudio = 11.1, but 
none of the providers can be installed
  - package pulseaudio-11.1-18.fc28.x86_64 requires 
libpulsecommon-11.1.so()(64bit), but none of the providers can be installed
  - cannot install both pulseaudio-libs-12.2-1.fc28.x86_64 and 
pulseaudio-libs-11.1-18.fc28.x86_64
  - cannot install both pulseaudio-libs-11.1-18.fc28.x86_64 and 
pulseaudio-libs-12.2-1.fc28.x86_64
  - cannot install the best update candidate for package 
pulseaudio-libs-11.1-18.fc28.x86_64
  - nothing provides pulseaudio = 12.0 needed by 
qubes-gui-vm-3.2.23-1.fc28.x86_64
 Problem 4: problem with installed package 
qubes-vm-dependencies-

Re: [qubes-users] Re: Updating Fedora 27 errors in Qubes 4.0?

2018-08-01 Thread Stuart Perkins
What I did was in a command window on the template...Qubes 3.2

sudo dnf upgrade --allowerasing --best

and note the modules removed.

Then I installed the modules in the same window...

sudo dnf install pulseaudio  (I forget their exact names right now, but 
there were two)

This appears to have worked, as I am now running that fedora-28 template for 
sys-net, sys-firewall, sys-usb etc... with no bootup issues.

Just be sure and clone it before you do in case you have to restore it.

It still doesn't work with a straight "upgrade" from the VM manager.

If this doesn't work for 4...  well, that's why you clone it first.


On Wed, 1 Aug 2018 09:25:27 -0700 (PDT)
sm...@tutamail.com wrote:

>While this seems to be a Fedora issue, I am still getting stuck on updating my 
>now new fedora 28 templates(I had to reinstall my Qubes OS due to a crash). It 
>appears that not being able to update pulse audio is preventing all the other 
>updates in my Fedora 28 template.
>
>Is there a recommended solution?
>
>I am a newbie so any basic commands would be surely appreciated
>
>Thx
>



[qubes-users] Fedora-27 Template Issues, Qubes 3.2

2018-05-24 Thread Stuart Perkins

Now that the Fedora 27 template is available, I downloaded and installed it 
without issue.  Modifying sys-net and sys-firewall to use it fails miserably 
though..no network connectivity.  Anybody else get this?

Qubes OS 3.2, Thinkpad T520...

Stuart



Re: [qubes-users] Re: Cannot get installer to load, Help and advice welcomed (semi-noob here).

2018-05-14 Thread Stuart Perkins


On Sun, 13 May 2018 20:05:48 -1000
john  wrote:

>On 05/13/18 19:13, cangent05-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:
>> Thank you, it worked. I strongly suggest Qubes staff add these two points on 
>> their website. Perhaps, the second one (enable VT-x etc.) is obvious to 
>> computer engineers, or even the first one (try legacy). However, not all of 
>> us are computer focused individuals. Once again, thank you for your helps.
>> 
>> On Tuesday, May 1, 2018 at 3:30:14 PM UTC+8, awokd wrote:  
>>> On Mon, April 30, 2018 2:38 pm, 
>>> c...-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:  
>>>> Tried Qubes 4.0 installation on two PCs: 1) Asus Aspire S13 laptop, Intel
>>>> i7-6500 CPU @ 2.50GHz 2.60 GHz, 8 GB RAM, 64-bit 2) Asus D620MT desktop,
>>>> Intel i7-6700 CPU @ 3.40GHz, 3.40 GHz, 16 GB RAM, 64-bit.
>>>> For the first one, installation never proceeded further than few seconds
>>>> (after few lines appeared on the screen, the screen was all black and the
>>>> CPU was running at high speed without any progress). Tried both USB and
>>>> CD drive.  
>>>
>>> Try legacy mode or if you have a secondary graphics adapter, disabling it.
>>>  
>>>> For the second one, after selecting the language on the installation
>>>> interface, it warned "unsupported hardware...Missing features:
>>>> HVM/VT-x..."  
>>>
>>> Make sure VT-x etc. are enabled in your UEFI config.  
>>   
>
>Often, if you read enough you'll find that things you thought were in 
>"the docs" actually are.  Happens to me.  Then if you read the last 10 
>days in this usergroup, it's stated repeatedly, e.g. did you check 
>the HCL for your hardware?
>
>but, welcome to the usergroup and qubes, and... if you read the 
>docs, try to "not top post", as I'm sure you'll have plenty more 
>questions.
>

I understand the "not top post", but it is a departure from normal mailing 
groups.  I retrieve all of my e-mails...25 accounts...with claws-mail, and this 
is the only group I have to scroll down to read what was posted.  Not a big 
deal on my computer, but I also get some emails on my "smart" phone, and it is 
more difficult there.  Other than the "logical" reason to bottom post...the 
reading is better when you read the history...is there another reason to prefer 
bottom posting?



Re: [qubes-users] Move Firefox Bookmarks between AppVMs - Help with Script

2018-05-06 Thread Stuart Perkins
I would accomplish bookmarks within disposable vm by...

Create an exported tar file of a profile, including the control file for 
firefox which defines the default profile.
Start the disposable vm for terminal.
qvm-copy-to-vm the tar file
extract tar
run script
start firefox

It would be a little bit "manual" but would accomplish the goal.  The tar file 
would be recreated when bookmarked site login info changed etc...

Just my take on it.

On Sat, 5 May 2018 22:44:44 +0200
"[799]"  wrote:

>Hello,
>
>following a recent discussion in the qubes-community github repository, Ivan 
>has written an interesting script for handling links and disposable VMs.
>This has inspired me to look how to move firefox bookmarks to other AppVMs.
>While disposable VMs are great, sometimes it is handy to have bookmarks 
>available in an AppVM.
>
>I was able to import bookmarks into other AppVMs by transferring the 
>places.sqlite file which holds the bookmarks.
>
>In the target AppVM which has the bookmarks:
>qvm-copy-to-vm  
>/home/user/.mozilla/firefox/*.default/places.sqlite
>
>then in the destination VM you only need to move the file from QubesIncoming 
>to the profile path.
>While this works, I like to add some error checking and I would also like to 
>kill a running firefox in the destination AppVM.
>
>I was able to kill firefox running:
>
>   kill `ps -A | grep firefox | gawk '{ print $1 }'`
>
>now I tried to run further commands based on whether firefox is running or 
>not.
>I therefore tried to do something like this:
>
>if [`ps -A | grep firefox | gawk '{ print $1 }'` \> 0]; then
>   echo "Run this when PID is > 0 and thereof Firefox is running"
>else
>   echo "Run this when firefox is not running"
>fi
>
>Unfortunately this doesn't work. Can someone point me in the right direction?
>What is the right approach to run certain commands based on the fact that a 
>program is running or not?
>
>Sorry for this off-topic question but playing with Qubes gives so much options 
>for building own scripts and I am still a beginner here.
>
>[799]
>
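
The check asked about in the quoted question, combined with the places.sqlite move it describes, as an added example that is not code from either poster. It assumes the browser process is named "firefox", that there is exactly one *.default profile, and that the source qube's name is passed as the first argument; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Run it in the destination AppVM
# after qvm-copy-to-vm has delivered places.sqlite to ~/QubesIncoming/<qube>/.
# Assumption: the browser process is named "firefox" (override FIREFOX_PROC).
FIREFOX_PROC=${FIREFOX_PROC:-firefox}

# Succeeds only if a process with exactly this name exists. Branching on
# pgrep's exit status needs no PID comparison, so it works for zero, one or
# several matching processes.
is_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# Send SIGTERM, then wait up to $2 seconds (default 10) for the process to go.
stop_process() {
    is_running "$1" || return 0
    pkill -x "$1" || true
    tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        is_running "$1" || return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Print the one *.default profile directory below $1; fail on zero or several.
find_profile() {
    set -- "$1"/*.default
    # An unmatched glob stays literal, so also require a real directory.
    if [ "$#" -ne 1 ] || [ ! -d "$1" ]; then
        return 1
    fi
    printf '%s\n' "$1"
}

# The file arrives from another qube, so check the SQLite header magic
# before letting Firefox open it.
is_sqlite() {
    [ -f "$1" ] && [ "$(dd if="$1" bs=15 count=1 2>/dev/null)" = "SQLite format 3" ]
}

# Back up the current database, then move the incoming one into the profile.
install_bookmarks() {
    src=$1
    profile=$2
    if ! is_sqlite "$src"; then
        echo "refusing $src: not an SQLite database" >&2
        return 1
    fi
    if [ ! -d "$profile" ]; then
        echo "no such profile directory: $profile" >&2
        return 1
    fi
    if [ -e "$profile/places.sqlite" ]; then
        cp -p -- "$profile/places.sqlite" "$profile/places.sqlite.bak" || return 1
    fi
    # Any -wal/-shm sidecar files belong to the old database; set them aside.
    for ext in -wal -shm; do
        if [ -e "$profile/places.sqlite$ext" ]; then
            mv -- "$profile/places.sqlite$ext" "$profile/places.sqlite$ext.bak" || return 1
        fi
    done
    mv -- "$src" "$profile/places.sqlite"
}

main() {
    incoming="$HOME/QubesIncoming/$1/places.sqlite"
    target=$(find_profile "$HOME/.mozilla/firefox") || {
        echo "expected exactly one *.default profile" >&2
        return 1
    }
    if is_running "$FIREFOX_PROC"; then
        echo "Firefox is running, asking it to exit"
        stop_process "$FIREFOX_PROC" 10 || { echo "Firefox did not exit" >&2; return 1; }
    else
        echo "Firefox is not running"
    fi
    install_bookmarks "$incoming" "$target"
}

# Only act when a source qube name is given, so the functions can be reused.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```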



Re: [qubes-users] Difference between Whonix Workstation and Debian/Fedora?

2018-05-03 Thread Stuart Perkins


On Thu, 3 May 2018 05:51:01 -0700 (PDT)
"Daniil .Travnikov"  wrote:

>Thank you very much for your clarification about Whonix-Workstation. Now I 
>understand how it is working much better.
>
>
>> 3. Use regular firefox in a debian/fedora based appVM connected to
>> sys-whonix (no tor over tor, and all traffic from the VM is routed
>> through tor, but it would be easier for adversaries to fingerprint you
>> because most tor users use tor browser, not firefox, so you're more
>> unique this way)  
>
>Totally agree with all ways, but it has 1 more way about which I know:
>https://trac.torproject.org/projects/tor/ticket/15800
>
>When you change on 'false' in network.proxy.socks_remote_dns TorBrowser 
>setting.
>
>And this type of browsing you could use in a debian/fedora based appVM 
>connected to sys-whonix. And it will be the same like in your 1 way (tor 
>browser in a whonix-ws) without any fingerprint, because it is the same Tor 
>Browser.
>

The tor browser has a lot of other defaults as well, such as not running 
scripts...https everywhere etc...  The pair of whonix-ws and whonix-gw have 
been developed together (even for use with other virtualization platforms) to 
minimize exposure to fingerprint detection.  For maximum privacy, I would use 
the whonix-ws tor browser with the whonix-gw for tor browsing.

Stuart



Re: [qubes-users] Connect sys-usb to network

2018-05-01 Thread Stuart Perkins
Assign the USB device to your untrusted appvm.

Open a qvm terminal...

qvm-usb -l

to list the usb things...

qvm-usb -a untrusted sys-usb:2-1.6  <===identify the one from the -l which is 
your card

when done, use...

qvm-usb -d sys-usb:2-1.6

to disconnect it from the appVM.

This should give you what you want without changing the sys-usb setup.

Stuart

On Tue, 1 May 2018 19:10:35 -0300
Franz <169...@gmail.com> wrote:

>Hello,
>
>is it possible to connect sys-usb to network? It seems impossible using
>Qubes manager on 3.2.
>
>Reason to do that is that sys-usb already has USB controller assigned and
>this is useful to use USB audio cards and play youtube music with decent
>quality.
>
>Is this a security problem? I imagine it is not since sys-usb is already
>untrusted. It may even be possible to add a firewall rule to connect only
>to youtube.
>



Re: [qubes-users] Re: Remote Control Question

2018-04-30 Thread Stuart Perkins


On Sun, 29 Apr 2018 10:39:21 -0400
Ed <e...@edjusted.com> wrote:

>On 04/28/2018 08:50 PM, Stuart Perkins wrote:
>> Hi list.
>> 
>> I'm considering setting up a Qubes capable server at my home.  What I need, 
>> however, is to be able to remotely control it. Updates...reboot/stop/start 
>> system and app vm's etc.  Is this even possible with Qubes?  I currently run 
>> a Ubuntu powered old laptop as a "server" and have it hosting a couple of 
>> VM's with virtualbox.  I can ssh into it and even have an sshuttle setup for 
>> VPN over SSH functionality for when I need to do something "gui" remotely.  
>> One of my VM's is an old XP system which monitors my solar electric. One is 
>> a ubuntu install hosting a Drupal website.  One is also installed which is a 
>> full-blown VPN server for when I need to do more than just simple things...I 
>> rarely use this one.
>> 
>> I will be upgrading my "server" hardware to a real server class platform one 
>> of these days, and I would like something specific to running independent 
>> VM's, but the remote maintenance might be a Qubes eliminating need...
>> 
>> Anybody here attached a remote console to dom0 before, or does it so 
>> completely violate the philosophy of Qubes that it is an absolute 
>> no-way-in-hell thing?
>> 
>> Stuart
>>   
>
>Hi Stuart,
>
>Philosophies aside, you can do whatever you want :)  Adding networking 
>to dom0 is certainly defeating a lot of the hard work/security that went 
>into qubes.  If you wanted to go this route you might consider just 
>running Xen directly?  Especially if you are putting this in your 
>closet/basement?
>
>There is another issue however, aside from just giving dom0 network 
>access, and that's the LUKS password.  If you needed to reboot the 
>machine entirely from remote, you'd be stuck if you had LUKS encryption 
>on the disk with no way to enter it remotely.
>
>Unless you do what I did, and hook up a Raspberry Pi to the serial 
>console of my machine, and update the kernel boot line in grub to use 
>the serial console (Note: This REQUIRES you to use the serial console to 
>enter the LUKS password, you lose the ability to enter it from your 
>keyboard locally).
>
>Stating the obvious, if someone gets access to the Raspberry Pi I'd be 
>in a bit of trouble, though as long as I remember to log out of the 
>shell at the serial console on the Pi, someone compromising that machine 
>does not immediately give them access to the Qubes box, they would have 
>to guess my password or wait for me to log back in and enter it if I 
>didn't know they were there and they could capture it.  I run OSSEC on 
>this PI to help combat that issue.
>
>Also considering defense in depth, I can only access that Raspberry Pi 
>via VPN, I do NOT expose it directly to the internet, it also sits on 
>its own VLAN which I leave isolated, so when I do have to do remote 
>administration I first have to grant access to that VLAN from my router 
>console.
>
>So at the end of the day, less secure? Yes.  Added convenience? Yes. 
>Added complexity? Yes...
>
>You can draw the line wherever you want :)
>
>Ed
>

Thanks for the detailed answer.  I may consider a straight up xen hypervisor 
host for those reasons.  Physical compromise is unlikely.  I have no 
neighbors...at least none who would care to hack my computer system.  The only 
one even remotely capable is a trusted friend...who I would call to physically 
touch something if needed.



[qubes-users] Remote Control Question

2018-04-28 Thread Stuart Perkins
Hi list.

I'm considering setting up a Qubes capable server at my home.  What I need, 
however, is to be able to remotely control it. Updates...reboot/stop/start 
system and app vm's etc.  Is this even possible with Qubes?  I currently run a 
Ubuntu powered old laptop as a "server" and have it hosting a couple of VM's 
with virtualbox.  I can ssh into it and even have an sshuttle setup for VPN 
over SSH functionality for when I need to do something "gui" remotely.  One of 
my VM's is an old XP system which monitors my solar electric. One is a ubuntu 
install hosting a Drupal website.  One is also installed which is a full-blown 
VPN server for when I need to do more than just simple things...I rarely use 
this one.

I will be upgrading my "server" hardware to a real server class platform one of 
these days, and I would like something specific to running independent VM's, 
but the remote maintenance might be a Qubes eliminating need...

Anybody here attached a remote console to dom0 before, or does it so completely 
violate the philosophy of Qubes that it is an absolute no-way-in-hell thing?

Stuart



Re: [qubes-users] To use Windows 7 OEM as a Qubes VM; which hardware metadata is needed?

2018-04-25 Thread Stuart Perkins


On Wed, 25 Apr 2018 09:05:59 +0200
Teqleez Motley <teqleez.gmx@motley.cloud> wrote:

>On Tue, Apr 24, 2018, at 18:40, Stuart Perkins wrote:
>> In that case, I would consider pulling the hard drive and using usb 
>> adapter to access the information without concern for battery life.
>
>Hm, I thought that in order to get such metadata out, one would have to access 
>the BIOS/hardware info directly?
>For example, the serial number or the like of the motherboard, graphics card, 
>etc.
>The hard drive of that laptop is long gone (reused), no Windows installation 
>left.
>I just have the licence key, and hopefully the possibility to get to the 
>hardware serial numbers, etc. via some tool...
>
>Regards,
>Teqleez
>

Ah, I see what you are after.  I doubt an OEM licensed Windows can be used on a 
different piece of hardware, but it is worth a shot.  You may be stuck buying a 
"license".  I run Win-7 by downloading the VBox VM from "modern.ie" for 
IE11/Win7.  it is only 32 bit (so no Qubes Windows tools), but it can be 
re-armed 5 times for 90 days each plus initial activation for 540 days before 
having to start over.  I have a bulk licensed version of XP and the registry 
hack to get security updates until June of 2019 as well...also 32 bit though.

Someone may have hacked the Windblows registry for those things...not sure 
where to find that information though...such a hack would let you update the 
registry to match the new "hardware", but I've never hacked that deep into it.  
:)

Stuart



Re: [qubes-users] To use Windows 7 OEM as a Qubes VM; which hardware metadata is needed?

2018-04-24 Thread Stuart Perkins


On Tue, 24 Apr 2018 18:28:19 +0200
Teqleez Motley  wrote:

>(Btw, I do of course have the license key, and I am NOT going to use that VM 
>online, so I do hopefully not need security updates or the like.)
>
>
>Regards,
>Teqleez
>

In that case, I would consider pulling the hard drive and using usb adapter to 
access the information without concern for battery life.  This is independent 
of whether or not you can cause the VM to think it is the original 
hardware..which I actually doubt at this point.

Stuart



Re: [qubes-users] USB Device Question

2018-04-20 Thread Stuart Perkins


On Thu, 19 Apr 2018 22:14:08 +0300
Ivan Mitev <i...@maa.bz> wrote:

>On 04/19/2018 08:39 PM, Stuart Perkins wrote:
>> PITA.  I used to be able to mount this very phone as a USB drive and RSYNC 
>> it for backup.  I can still drag and drop with the file manager, but I have 
>> to take the whole thing every time and can't just maintain an up-to-date 
>> copy with rsync.  
>> 
>> not all change is progress.  :/  
>
>maybe you'll have better luck with simple-mtpfs
>
>from the package's info:
>
>SIMPLE-MTPFS (Simple Media Transfer Protocol FileSystem) is a file
>system for Linux (and other operating systems with a FUSE
>implementation, such as Mac OS X or FreeBSD) capable of operating on
>files on MTP devices attached via USB to local machine. On the local
>computer where the SIMPLE-MTPFS is mounted, the implementation makes use
>of the FUSE (Filesystem in Userspace) kernel module. The practical
>effect of this is that the end user can seamlessly interact with MTP
>device files.
>
I had forgotten about "go-mtpfs" in the Debian repositories...it does the job.  



Re: [qubes-users] USB Device Question

2018-04-19 Thread Stuart Perkins
>
>maybe you'll have better luck with simple-mtpfs
>
>from the package's info:
>
>SIMPLE-MTPFS (Simple Media Transfer Protocol FileSystem) is a file
>system for Linux (and other operating systems with a FUSE
>implementation, such as Mac OS X or FreeBSD) capable of operating on
>files on MTP devices attached via USB to local machine. On the local
>computer where the SIMPLE-MTPFS is mounted, the implementation makes use
>of the FUSE (Filesystem in Userspace) kernel module. The practical
>effect of this is that the end user can seamlessly interact with MTP
>device files.
>
Thanks.  I'll check that out.



Re: [qubes-users] USB Device Question

2018-04-19 Thread Stuart Perkins
PITA.  I used to be able to mount this very phone as a USB drive and RSYNC it 
for backup.  I can still drag and drop with the file manager, but I have to 
take the whole thing every time and can't just maintain an up-to-date copy with 
rsync.  

not all change is progress.  :/

On Thu, 19 Apr 2018 16:38:43 +0100
Mike Keehan <m...@keehan.net> wrote:

>On Sun, 15 Apr 2018 15:34:20 -0400
>Stuart Perkins <perkins.stu...@gmail.com> wrote:
>
>> I have the following setup:
>> 
>> Qubes 3.2, xfce4 interface
>> sys-usb
>> 
>> I want to be able to connect my Android phone to a vm and rsync its
>> contents.  I can connect the phone and "qvm-usb -a" it to the VM, and
>> it appears available under the File Manager application as
>> "mtp://[usb:002,004]/" but I cannot locate a mount point to use for
>> rsync.  It does not appear under /run/user/[uid]/gvfs.  Any idea
>> where it mounts so I can use rsync to reference it?
>> 
>> Thanks in advance...
>> 
>> Stuart
>>   
>
>"mtp://" is the clue :)  mtp is a protocol for communication between a
>phone and a computer.  I don't think rsync supports mtp.
>
>(My old phone used to 'mount' OK when I connected it, but my new phone
>doesn't - it shows up as an mtp: device.)
>
>
>Mike.
>



Re: [qubes-users] Re: USB Device Question

2018-04-16 Thread Stuart Perkins
I am able to browse and copy the phone's file system via the file manager 
application, but the path is mtp://[usb:002,004]/Phone/ which won't work with 
rsync.  I don't see it under "run" anywhere...or under any of the file system 
starting at root.  It is like it really isn't mounted at all.  It shows up 
under file manager as a network location though.  How would I tell rsync to 
reference it as a network location?

On Mon, 16 Apr 2018 06:43:17 -0700 (PDT)
cooloutac <raahe...@gmail.com> wrote:

>On Sunday, April 15, 2018 at 3:34:25 PM UTC-4, Stuart Perkins wrote:
>> I have the following setup:
>> 
>> Qubes 3.2, xfce4 interface
>> sys-usb
>> 
>> I want to be able to connect my Android phone to a vm and rsync its 
>> contents.  I can connect the phone and "qvm-usb -a" it to the VM, and it 
>> appears available under the File Manager application as 
>> "mtp://[usb:002,004]/" but I cannot locate a mount point to use for rsync.  
>> It does not appear under /run/user/[uid]/gvfs.  Any idea where it mounts so 
>> I can use rsync to reference it?
>> 
>> Thanks in advance...
>> 
>> Stuart  
>
>usually in /run/media I think.  If worse comes to worse you can just copy the 
>files to sys-usb and then transfer it to your media vm.
>
>Also usually when you click it in the file manager, you then have to click 
>allow on the phone itself before you can access the directories.
>



[qubes-users] USB Device Question

2018-04-15 Thread Stuart Perkins
I have the following setup:

Qubes 3.2, xfce4 interface
sys-usb

I want to be able to connect my Android phone to a vm and rsync its contents.  
I can connect the phone and "qvm-usb -a" it to the VM, and it appears available 
under the File Manager application as "mtp://[usb:002,004]/" but I cannot 
locate a mount point to use for rsync.  It does not appear under 
/run/user/[uid]/gvfs.  Any idea where it mounts so I can use rsync to reference 
it?

Thanks in advance...

Stuart



Re: [qubes-users] New here. New to Qubes. Swap and tmp question on VM's

2018-04-05 Thread Stuart Perkins
Thanks Ivan.  I got /tmp increased.  Working on swap now.  With Qubes
3.2, swap on a VM is xvdc1, so it is a mounted image from the main
system.  I just need to figure out what/where that is so I can bump it
up a bit...or take the VM controlled approach you call "ugly".  :)

On Thu, 5 Apr 2018 18:53:26 +0300
Ivan Mitev  wrote:

>On 04/05/2018 06:19 PM, perkins.stu...@gmail.com wrote:
>> Hi.  I'm new to Qubes, and I have an issue.  I am attempting to
>> create a VM template for a software package which needs a larger
>> swap and /tmp space in order to install.  Where are those controlled
>> and how can I provision a Fedora VM with larger/non-standard swap
>> and /tmp?  
>
>fedora's /tmp uses tmpfs ; it's mounted by systemd at boot time.
>
>see `systemctl status tmp.mount` and
>`/usr/lib/systemd/system/tmp.mount.d/30_qubes.conf` to increase its size
>
>alternatively you can increase the size afterwards with
>
>mount -o remount,size=5G /tmp/
>
>if you need to have a disk based tmp you'll have to mask the systemd
>unit (`systemctl mask tmp.mount`) and put a fstab entry for /tmp ; but
>maybe it'll break stuff...
>
>no idea about how to increase swap from dom0 on R3.2 ; alternatively
>you can add swap with a file inside the vm but it's a bit ugly:
>
>dd if=/dev/zero of=swapfile bs=1M count=1000
>mkswap swapfile
>swapon swapfile
>
>
>hope this helps
>
>ivan
>
>
>
>> 
>> Thanks in advance.
>>   
>
