Re: [qubes-users] Difference between Whonix Workstation and Debian/Fedora?

2018-05-03 Thread entr0py
Daniil .Travnikov:
> Could anybody help me to understand what is the difference between Whonix 
> Workstation and Debian/Fedora? (I mean Template VMs in Qubes).
> 
> When I want to use one of my Debian VMs through TOR, I turn on 
> Whonix-Gateway.
> 
> And I am asking because I don't understand what I must use 
> Whonix-Workstation for.
> 

See discussion here:
https://forums.whonix.org/t/qubes-whonix-and-stream-isolation-understanding-for-non-default-applications/4676/3

For additional questions, please search:
https://forums.whonix.org
https://www.whonix.org/wiki/Documentation

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ac2f6759-a4ea-f592-d21f-ff183f4453f5%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [Newbie] RDP client unable to connect to server through vpn

2017-12-16 Thread entr0py-qubes
Gustavo Lapido Loureiro:
> I set up a vpn connection following tasket's Qubes-vpn-support. 
> (https://github.com/tasket/Qubes-vpn-support)
> 
> I was able to connect to the vpn remote server and browse its web server 
> content with Firefox.
> 
> However, when I try to use Remmina to connect to the remote rdp server, it 
> times out.
> 
> Is this something being blocked by the firewall?
> 
> I understand that this isn't some purely Qubes issue, and it probably isn't 
> an issue after all, just some setting that should be tinkered (firewall?).
> 
> The point is that, with all these qubes I'm kind of lost where to start 
> debugging, what to change and where.
> 

If you want to tunnel your RDP connection through your VPN connection, then try 
connecting to the RDP server via its tun0 (private LAN) IP address. Example: 
openvpn's default subnet IIRC is 10.8.0.0/24 which means that the RDP server on 
your VPN server is listening on 10.8.0.1:3389.

Make sure your server is accepting incoming connections on port 3389. There 
shouldn't be any issues sending traffic out from Qubes.



Re: [qubes-users] vpn's log option

2017-12-13 Thread entr0py-qubes
charly LEMMINKÄINEN:
> Le mercredi 13 décembre 2017 15:55:39 UTC+1, Chris Laprise a écrit :
>> On 12/13/2017 08:38 AM, charly LEMMINKÄINEN wrote:
>>> is there any possibility to put a log option in the vpn scripts described 
>>> in the wiki? To know the reason why a vpn has been disconnected for example?
>>>
>>
>> You can use 'sudo journalctl' to see openvpn log activity.
>>
>> If you're experiencing disconnects and openvpn exits without trying to 
>> reconnect, you may need to comment-out the "persist tun" parameter in 
>> your config. This fixes it sometimes. If you're on Qubes 3.2 a more 
>> robust workaround is to use this service-based setup instead:
>>
>> https://github.com/tasket/Qubes-vpn-support
>>
>> This will ensure openvpn gets re-started anytime it exits.
>>
>> -- 
>>
>> Chris Laprise
>> https://github.com/tasket
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 
> I was more hoping about that : 
> https://askubuntu.com/questions/276664/where-are-the-openvpn-connection-logs-and-configuration-files
> so since there is no /var/log/syslog .I don't know the reason for that. Or is 
> in another directory? 
> Can I use the --log option in the rc.local ?
> 

You can send logs to any file you want (ie /var/log/openvpn).

Put `log <file>`, `verb <1..5>` in your .ovpn/.conf openvpn configuration or

Use `--log <file>` & `--verb <1..5>` in your rc.local launch parameters.



Re: [qubes-users] Windows 10 on Qubes (freeRDP)

2017-12-01 Thread entr0py
alvaro.ran...@hotmail.com:
> Hi!
> 
> Thanks so much for writing this down. 
> 
> On step 2, these instructions to establish inter VM networking [1] seem to be 
> aimed at linux vms. It says we should use iptables and edit the rc.local 
> file on both vms. Any tip on how we could do that on the windows 10 qube?
> 
> [1] 
> https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
> 

In case you haven't gotten past this hurdle yet, the general idea is that the 
following rules need to be in place:

1. windows vm needs to allow input (port 3389)
2. proxy vm needs to allow forwarding of port 3389 from linux vm to windows vm
3. linux vm needs to allow output (port 3389)

Nearly every OS has the same defaults when it comes to firewalls. Allow output, 
block input, block forwarding.

That's the reason the documentation you referred to only specifies rules for #1 
& #2.

You have several options for allowing port 3389 input on the windows vm:

1. Simply enabling Remote Desktop in the System control panel will usually 
prompt you with the "Allow program through firewall" dialog

2. Start menu -> Firewall, advanced settings -> create a rule to allow port 
3389 input.

3. Start menu -> Firewall. Disable the entire firewall in Windows and let your 
proxy vm handle it.

(obviously no rc.local on windows. not needed since windows will remember 
changes to firewall.)



Re: [qubes-users] Re: sys-whonix / tor / thunderbird

2017-11-25 Thread entr0py
Desobediente:
> I think the most straightforward way to achieve this would be to leave the
> arm terminal open
> 
> KDE/XFCE Menu > sys-whonix > Arm - Tor Controller
> 
> Then press 'n' for a new identity whenever desired.
> 
> This will make a new tor circuit for every AppVM connected to sys-whonix.
> 
> For the AppVM level, you may do as suggested - use the "new identity"
> feature on a Tor Browser inside the same AppVM as thunderbird is running.
> It could be anon-whonix, a clone of anon-whonix or any other AppVM using
> whonix-ws as template.
> 
> You could clone whonix-ws and install needed software in the cloned
> template as well.
> 

Not sure what you mean by "AppVM level" but "New Identity" marks ALL circuits 
dirty regardless of where it's invoked. So using "New Identity" in 
anon-whonix-6 is the same as using it in sys-whonix for purposes of generating 
new circuits for Thunderbird. TorButton (in Tor Browser) performs a few 
additional tasks as described in link below compared to arm, but as it relates 
to circuits, they both send SIGNAL NEWNYM.

https://stem.torproject.org/faq.html#how-do-i-request-a-new-identity-from-tor
https://www.torproject.org/projects/torbrowser/design/#new-identity

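The control-port exchange behind "New Identity", as an added example that is not part of the original post: a Python client that authenticates and sends SIGNAL NEWNYM, then reads the reply. The in-process mock control port, the function names and the password handling are assumptions made so it runs offline; against a real Tor you would pass a socket connected to the control port instead.

```python
import socket
import threading


def read_reply(rfile):
    """Read one control-port reply and return (status_code, [text, ...]).

    Continuation lines are "250-text"; the last line is "250 text".
    Multi-line data replies ("250+") are not needed for these commands.
    """
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("control connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply line: %r" % line)
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), texts


def request_new_identity(sock, password=""):
    """Authenticate, send SIGNAL NEWNYM, return (code, text) of its reply."""
    rfile = sock.makefile("rb")

    def command(text):
        sock.sendall(text.encode("ascii") + b"\r\n")
        return read_reply(rfile)

    quoted = password.replace("\\", "\\\\").replace('"', '\\"')
    code, texts = command('AUTHENTICATE "%s"' % quoted)
    if code != 250:
        raise PermissionError("AUTHENTICATE refused: %d %s" % (code, texts[-1]))
    # 250 means the signal was accepted. It applies to the whole Tor client,
    # so every application using it gets fresh circuits for new connections,
    # no matter which VM or tool sent the signal.
    code, texts = command("SIGNAL NEWNYM")
    command("QUIT")
    return code, texts[-1]


def _mock_control_port(sock, good_password):
    """Constructed stand-in for a Tor control port (offline demo only)."""
    authenticated = False
    with sock, sock.makefile("rb") as rfile:
        for raw in rfile:
            cmd = raw.decode("ascii").strip()
            if cmd.startswith("AUTHENTICATE"):
                authenticated = cmd == 'AUTHENTICATE "%s"' % good_password
                reply = "250 OK" if authenticated else "515 Authentication failed"
            elif cmd == "QUIT":
                reply = "250 closing connection"
            elif not authenticated:
                reply = "514 Authentication required"
            elif cmd == "SIGNAL NEWNYM":
                reply = "250 OK"
            else:
                reply = "510 Unrecognized command"
            sock.sendall(reply.encode("ascii") + b"\r\n")
            if cmd == "QUIT" or reply.startswith("515"):
                break


def demo(password="", good_password=""):
    """Run the client against the mock over a socketpair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=_mock_control_port,
                              args=(server, good_password))
    worker.start()
    try:
        with client:
            return request_new_identity(client, password)
    finally:
        worker.join()


if __name__ == "__main__":
    print(demo())
```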


Re: [qubes-users] Re: sys-whonix / tor / thunderbird

2017-11-25 Thread entr0py
haaber:
> On 11/24/17 13:47, entr0py wrote:
>> Yuraeitha:
>>> On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote:
>>>> Hello,
>>>>
>>>> one of the most useful features of tor-browser is Ctl-Shift-L to change
>>>> the tor-path (and so, with high proba, the exit node IP) : this way,
>>>> websites that block a specific exit node for a certain time can be still
>>>> loaded (of course some fascist websites block all tor-exits and so that
>>>> this measure does not help) .
>>>>
>>>> I feel that the same feature would be useful in other applications (in
>>>> particular in thunderbird). How can this be done? Maybe a "forced
>>>> reconnect" of IMAP connections suffices, but apart totally restarting
>>>> thunderbird I don't see how this can be done. Any hints? Or is there
>>>> good reason not to torify mail-fetching? Or never via IMAP?
>>>>
>>>> thank you, Bernhard
>>
>> Each request to your Tor client (in sys-whonix) via SocksPort is accompanied 
>> by a SOCKS username and password. By clicking "New Tor Circuit for this 
>> Site" in Tor Browser, you are changing the password component, which causes 
>> the Tor client to generate a new circuit for the same first-person domain 
>> when a request is received.
>>
>> Thunderbird is torified by an extension called TorBirdy. Your requested 
>> feature has been tracked for quite some time (5 years) but appears to be nearing 
>> implementation now that Thunderbird-related roadblocks have been cleared. 
>> (https://trac.torproject.org/projects/tor/ticket/6359) Also, the main reason 
>> for that ticket is not circuit swapping but stream isolation. At present 
>> (Whonix bonus), each different email server you connect to is given a 
>> different circuit. With #6359, multiple accounts at the same email provider 
>> can also be isolated by circuit.
>>
>> Currently, you can generate new circuits for all future Tor requests by 
>> using the "New Identity" feature via one of the following equivalent options:
>> 1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor 
>> connections, not just the browser.)
>> 2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity 
>> request
>> 3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051
> 
> Thank you for this detailed answer. I read over the ticket & it seems
> that socks was the problem & should be fine now. I wanted to copy the
> "network-connections" config from tor-browser into a thunderbird, but I
> do not understand anything there. It uses
>  file:///var/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
> This folder contains a lot of 0-byte special files that are past my
> understanding. Link [4] did not help me :(
> 
> Or should I better run thunderbird inside anon-whonix? Or clone
> anon-whonix and run it there?
> 
> Thanks, Bernhard
> 

Wait, what are we talking about? I thought you were asking about "New Tor 
Circuit for this Site".

Do you need help torifying Thunderbird? If you are using Thunderbird in a 
non-whonix-workstation VM, you can install the TorBirdy extension and point it 
to your sys-whonix IP and Port 9102.

Thunderbird is installed and torified by default in anon-whonix already. You 
can use anon-whonix, clone it, make a new appVM based on whonix-ws, whatever 
fits your needs.



Re: [qubes-users] Re: sys-whonix / tor / thunderbird

2017-11-24 Thread entr0py
Yuraeitha:
> On Friday, November 24, 2017 at 9:01:24 AM UTC, Bernhard wrote:
>> Hello,
>>
>> one of the most useful features of tor-browser is Ctl-Shift-L to change
>> the tor-path (and so, with high proba, the exit node IP) : this way,
>> websites that block a specific exit node for a certain time can be still
>> loaded (of course some fascist websites block all tor-exits and so that
>> this measure does not help) .
>>
>> I feel that the same feature would be useful in other applications (in
>> particular in thunderbird). How can this be done? Maybe a "forced
>> reconnect" of IMAP connections suffices, but apart totally restarting
>> thunderbird I don't see how this can be done. Any hints? Or is there
>> good reason not to torify mail-fetching? Or never via IMAP?
>>
>> thank you, Bernhard

Each request to your Tor client (in sys-whonix) via SocksPort is accompanied by 
a SOCKS username and password. By clicking "New Tor Circuit for this Site" in 
Tor Browser, you are changing the password component, which causes the Tor 
client to generate a new circuit for the same first-person domain when a 
request is received.

Thunderbird is torified by an extension called TorBirdy. Your requested 
feature has been tracked for quite some time (5 years) but appears to be nearing 
implementation now that Thunderbird-related roadblocks have been cleared. 
(https://trac.torproject.org/projects/tor/ticket/6359) Also, the main reason 
for that ticket is not circuit swapping but stream isolation. At present 
(Whonix bonus), each different email server you connect to is given a different 
circuit. With #6359, multiple accounts at the same email provider can also be 
isolated by circuit.

Currently, you can generate new circuits for all future Tor requests by using 
the "New Identity" feature via one of the following equivalent options:
1. From anon-whonix, use "New Identity" in Tor Browser. (applies to all Tor 
connections, not just the browser.)
2. From sys-whonix, use arm/nyx (monitoring tool) to send New Identity request
3. From sys-whonix, send SIGNAL NEWNYM via telnet to 127.0.0.1:9051


> More specially towards the question at hand, I think it's tricky to do 
> something like that in Thunderbird, but I'm not a programmer, so I wouldn't 
> know for sure. However, if you think about how it works in Qubes/Whonix/Tor, 
> then the Tor browser appears to be tunneling Tor-Browser within 
> Tor(Sys-whonix), basically doubling the onion layers compared to a regular 
> Tor browser. I'm not entirely sure if this is the case, it's just something I 
> figured must be the case. 

This is not correct. Tor-over-Tor is discouraged[1] and unlikely to work in the 
future[2]. Whonix prevents Tor-over-Tor.[3][4]

[1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#ToroverTor
[2] https://trac.torproject.org/projects/tor/ticket/2667
[3] https://www.whonix.org/wiki/DoNot#Prevent_Tor_over_Tor_Scenarios
[4] https://www.whonix.org/wiki/Dev/anon-ws-disable-stacked-tor

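The SOCKS username/password mechanism described above, as an added example that is not part of the original post: the client-side SOCKS5 messages (RFC 1928/1929) and a toy model of the grouping rule, in which requests share a circuit only when their credentials match. It assumes, following the description in the post, that the username carries the first-party domain and the password a per-site nonce; the hostnames and the `IsolationModel` class are constructed for illustration and are not Tor's code.

```python
import secrets
import struct

SOCKS5 = 0x05
METHOD_USERPASS = 0x02   # RFC 1928 method id for RFC 1929 username/password
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03       # send the hostname so it is resolved by the proxy


def greeting():
    """Client hello: version 5, one method offered, username/password."""
    return bytes([SOCKS5, 1, METHOD_USERPASS])


def auth_request(username, password):
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def connect_request(host, port):
    """CONNECT by hostname, so no DNS lookup happens outside the proxy."""
    h = host.encode("ascii")
    if not 1 <= len(h) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    head = bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)])
    return head + h + struct.pack("!H", port)


def parse_auth_request(data):
    """Proxy side: decode an RFC 1929 message, rejecting malformed input."""
    if len(data) < 2 or data[0] != 0x01:
        raise ValueError("not an RFC 1929 auth request")
    ulen = data[1]
    if len(data) < 3 + ulen:
        raise ValueError("truncated username")
    plen = data[2 + ulen]
    if len(data) != 3 + ulen + plen:
        raise ValueError("truncated password or trailing bytes")
    user = data[2:2 + ulen]
    passwd = data[3 + ulen:]
    return user.decode("utf-8"), passwd.decode("utf-8")


class IsolationModel:
    """Toy model of the grouping rule: same SOCKS credentials, same circuit.

    It only shows why changing the password is enough to get a different
    circuit for the next request to the same site.
    """

    def __init__(self):
        self._circuit_by_auth = {}

    def circuit_for(self, auth_message):
        key = parse_auth_request(auth_message)
        next_id = len(self._circuit_by_auth) + 1
        return self._circuit_by_auth.setdefault(key, next_id)


def demo():
    tor = IsolationModel()
    site = "mail.example"                      # constructed first-party domain
    nonce = secrets.token_hex(8)
    first = tor.circuit_for(auth_request(site, nonce))
    again = tor.circuit_for(auth_request(site, nonce))       # reuses circuit
    # "New Tor Circuit for this Site": same username, fresh password.
    rotated = tor.circuit_for(auth_request(site, secrets.token_hex(8)))
    # A different site (or mail account) presents different credentials.
    other = tor.circuit_for(auth_request("other.example", secrets.token_hex(8)))
    return first, again, rotated, other


if __name__ == "__main__":
    print(greeting().hex(), connect_request("mail.example", 993).hex())
    print(demo())
```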


Re: [qubes-users] When transferring file between Qubes, MD5 changes.

2017-11-16 Thread entr0py
vegetarianst...@gmail.com:
> I am transferring a windows ISO file between qubes.. however, the file's MD5 
> sum changes every time I complete the transfer.  
> 
> Why might this be so?
> 


Shouldn't be happening. I suspect faulty checksum tools in Windows. Use one of 
the following options:

1. (cmd.exe) CertUtil -hashfile <file> SHA256

2. (PowerShell 4 or higher) Get-FileHash -Algorithm SHA256 <file>

Compare with `sha256sum` in Linux.



Re: [qubes-users] IP Redirection to localhost in AppVM

2017-11-10 Thread entr0py
Michael Strasser:
> Hi!
> 
> I have an AppVM (Standalone) in which I would like to redirect all (TCP)
> traffic going to a specific IP address to localhost. I'm using the AppVM
> for Malware Analysis, so I usually have no NetVM connected. I've tried a
> few iptables commands that I found via web search, but none of them did
> the trick.
> 
> Could someone show me how to do this in Qubes 3.2?
> 
> 
> Best regards,
> 
> Michael
> 
> 

IIUC you have malware in AppVM trying to connect to $badIP. You want to capture 
those packets in AppVM on port $monitorPort.

Try:
iptables -t nat -A OUTPUT -d $badIP -p tcp -j REDIRECT --to-port $monitorPort

Add to rc.local if you want on reboot.

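A listener for the traffic that the REDIRECT rule sends to `$monitorPort`, as an added example that is not part of the original post: it accepts one connection, asks netfilter for the address the sample was actually trying to reach (`SO_ORIGINAL_DST`), and records the first bytes sent. The function names and the sample request are constructed; the demo connects directly over loopback, so there is no NAT entry and the lookup returns the listener's own address.

```python
import socket
import struct
import threading

SO_ORIGINAL_DST = 80                       # from <linux/netfilter_ipv4.h>
SOL_IP = getattr(socket, "SOL_IP", 0)


def parse_sockaddr_in(raw):
    """Decode a struct sockaddr_in: family (host order), port and IPv4
    address (network order), followed by padding."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack_from("=H", raw, 0)
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address")
    (port,) = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn):
    """Return (ip, port) the client dialled before the nat table rewrote it.

    Without a conntrack NAT entry (a direct connection, or a non-Linux
    host) fall back to the local address of the accepted socket.
    """
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
        return parse_sockaddr_in(raw)
    except (OSError, ValueError):
        return conn.getsockname()[:2]


def capture_one(listener, max_bytes=4096, timeout=5.0):
    """Accept one redirected connection and record what it sent first."""
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(timeout)
        dst = original_destination(conn)
        try:
            payload = conn.recv(max_bytes)
        except socket.timeout:
            payload = b""                   # client connected but stayed silent
    return {"src": peer, "dst": dst, "first_bytes": payload}


def demo():
    """Offline run: a constructed client stands in for the redirected sample."""
    sample = b"GET /update HTTP/1.1\r\nHost: sample.example\r\n\r\n"  # constructed
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Locally generated packets hit by REDIRECT arrive on the loopback address.
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5.0)
    port = listener.getsockname()[1]

    def client():
        with socket.create_connection(("127.0.0.1", port), timeout=5.0) as s:
            s.sendall(sample)

    worker = threading.Thread(target=client)
    worker.start()
    try:
        return capture_one(listener), port, sample
    finally:
        worker.join()
        listener.close()


if __name__ == "__main__":
    record, port, _ = demo()
    print("listening on", port, "->", record)
```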


Re: [qubes-users] External VM?

2017-01-02 Thread entr0py
Loren Rogers:
> Hi all,
> 
> I have a VM that I use for Calibre to read ebooks, and my library is getting 
> quite large. Rather than putting the books on an external drive and 
> connecting that to my Calibre VM, would it be possible to move the entire VM 
> to an external drive? It doesn't need to be fast. (It's just a bunch of 
> books.) At the moment, I just have all my documents on my HD, which is a bit 
> of a waste of SSD. I'm only going to access these files through this VM, so 
> it would be handy if I could just have them all collected together in one 
> place.
> 
> I imagine that this feature doesn't exist today, and it may be somewhat 
> complicated because of the integration with dom0. But I figure this ability 
> may be useful to folks who have large VMs for specific tasks that aren't used 
> very often. Is there a better way to approach this?
> 
> Thanks!
> Loren
> 

I like to keep my data on separate volumes detached from any specific OS - but 
I may be peculiar in that so take what I say with a grain of salt. Here are the 
steps I followed: 
https://groups.google.com/d/msg/qubes-users/c-XQTfa_l-Y/IkY8x3u6BwAJ

It's easy to adapt that for an internal drive. Might be slightly more 
complicated for a USB drive, depending on your personal USB strategy. Also, my 
storage images are not covered by Qubes backup so be careful if you are the 
nuking type.



Re: [qubes-users] Re: Atheros ath9k wireless pci-e not functional in Fedora-24 template

2016-12-18 Thread entr0py
Marek Marczykowski-Górecki:
> On Sat, Dec 17, 2016 at 10:56:12AM -0800, 3n7r0...@gmail.com wrote:
>> On Friday, December 16, 2016 at 8:36:53 PM UTC, 3n7r...@gmail.com wrote:
>>> ath9k is a well supported driver in Linux. Present in kernel since 2.6. 
>>> (https://wireless.wiki.kernel.org/en/users/drivers/ath9k) Card is 5+ year 
>>> old implementation.
>>>
>>> Tested and working in a Fedora-25 LiveCD without any additional 
>>> configuration. (Kernel 4.8)
>>>
>>> In Qubes 3.1, added as PCI device to a Fedora-24 TemplateVM. (Kernel 4.1) 
>>> ath9k driver is correctly loaded but device does not show up in `iwconfig`.
>>>
>>>
>>> $ lspci -k | grep -A 3 -i network
>>> 00:00.0 Network controller: Qualcomm Atheros AR5418 Wireless Network 
>>> Adapter [AR5008E 802.11(a)bgn] (PCI-Express) (rev 01)
>>> Kernel driver in use: ath9k
>>> Kernel modules: ath9k
>>>
>>>
>>> $ iwconfig
>>> lo        no wireless extensions.
>>>
>>>
>>> [1.980648] pcifront pci-0: Installing PCI frontend
>>> [1.980706] pcifront pci-0: Creating PCI Frontend Bus :00
>>> [1.980732] pcifront pci-0: PCI host bridge to bus :00
>>> [1.980736] pci_bus :00: root bus resource [io  0x-0x]
>>> [1.980740] pci_bus :00: root bus resource [mem 
>>> 0x-0xf]
>>> [1.980743] pci_bus :00: root bus resource [bus 00-ff]
>>> [1.980877] pci :00:00.0: [168c:0024] type 00 class 0x028000
>>> [1.981171] pci :00:00.0: reg 0x10: [mem 0xf7d0-0xf7d0 64bit]
>>> [1.983450] pci :00:00.0: supports D1
>>> [1.984459] pcifront pci-0: claiming resource :00:00.0/0
>>> [2.028350] alg: No test for crc32 (crc32-pclmul)
>>> [2.07] intel_rapl: Found RAPL domain package
>>> [2.033344] intel_rapl: Found RAPL domain core
>>> [2.131727] EXT4-fs (xvdb): mounted filesystem with ordered data mode. 
>>> Opts: discard
>>> [2.140627] cfg80211: Calling CRDA to update world regulatory domain
>>> [2.146866] cfg80211: World regulatory domain updated:
>>> [2.146873] cfg80211:  DFS Master region: unset
>>> [2.146875] cfg80211:   (start_freq - end_freq @ bandwidth), 
>>> (max_antenna_gain, max_eirp), (dfs_cac_time)
>>> [2.146898] cfg80211:   (2402000 KHz - 2472000 KHz @ 4 KHz), (N/A, 
>>> 2000 mBm), (N/A)
>>> [2.146903] cfg80211:   (2457000 KHz - 2482000 KHz @ 2 KHz, 92000 
>>> KHz AUTO), (N/A, 2000 mBm), (N/A)
>>> [2.146908] cfg80211:   (2474000 KHz - 2494000 KHz @ 2 KHz), (N/A, 
>>> 2000 mBm), (N/A)
>>> [2.146912] cfg80211:   (517 KHz - 525 KHz @ 8 KHz, 16 
>>> KHz AUTO), (N/A, 2000 mBm), (N/A)
>>> [2.146918] cfg80211:   (525 KHz - 533 KHz @ 8 KHz, 16 
>>> KHz AUTO), (N/A, 2000 mBm), (0 s)
>>> [2.146923] cfg80211:   (549 KHz - 573 KHz @ 16 KHz), (N/A, 
>>> 2000 mBm), (0 s)
>>> [2.146927] cfg80211:   (5735000 KHz - 5835000 KHz @ 8 KHz), (N/A, 
>>> 2000 mBm), (N/A)
>>> [2.146932] cfg80211:   (5724 KHz - 6372 KHz @ 216 KHz), 
>>> (N/A, 0 mBm), (N/A)
>>> [2.176424] ath9k :00:00.0: Xen PCI mapped GSI17 to IRQ31
>>> *[2.314703] BUG: unable to handle kernel paging request at 
>>> c96c0040
>>> *[2.314712] IP: [] iowrite32+0x38/0x40
>>> [2.314718] PGD 3fdd1067 PUD 3fdd0067 PMD 3ade1067 PTE 8010f7d00075
>>> *[2.314723] Oops: 0003 [#1] SMP 
>>> [2.314726] Modules linked in: ath9k(+) ath9k_common ath9k_hw ath 
>>> mac80211 cfg80211 rfkill intel_rapl iosf_mbi x86_pkg_temp_thermal coretemp 
>>> crct10dif_pclmul crc32_pclmul crc32c_intel pcspkr xen_pcifront xenfs 
>>> dummy_hcd udc_core xen_privcmd u2mfn(O) xen_blkback nf_conntrack_pptp 
>>> nf_conntrack_proto_gre nf_conntrack xen_blkfront
>>> *[2.314748] CPU: 0 PID: 214 Comm: systemd-udevd Tainted: G   O  
>>>   4.1.24-10.pvops.qubes.x86_64 #1
Re: [qubes-users] Updates, security

2016-12-17 Thread entr0py
johnyju...@sigaint.org:
> While updates are signed, so even if they come over the wire in cleartext,
> the fact that they often are sent in the clear (even from debian.net)
> allows a snooper to know what packages you're scanning for metadata or
> installing.  It reveals a lot about the state of your system.
> 
> Updating over Tor or a VPN helps a bit.  Updating to debian's hidden
> service is even more ideal, no https in between with
> state-actor/CA-forgeable certificates possible, etc..
> 
> However, Qubes updates aren't available via Tor.
> 

WIP: https://forums.whonix.org/t/onionizing-qubes-whonix-repositories/3265



Re: [qubes-users] Qubes Windows 7 HVM & Windows update

2016-12-17 Thread entr0py
Andrew David Wong:
> On 2016-12-17 03:44, Swâmi Petaramesh wrote:
>> Hi there,
> 
>> I have attempted several installations of Windows-7 in a HVM (32 or
>> 64 bits, with or without Qubes Windows tools for the 64-bit
>> version...) and it "basically works", which means that Windows
>> starts, I can use the explorer, I have Internet access, etc.
> 
>> BUT, on *ALL* installations I attempted, Windows cannot use
>> "Windows Update" : When starting Windows update, the Win7 VM will
>> stay at the "Checking for updates" phase forever, without any
>> visible progress, until the VM eventually crashes.

Make sure you have enough RAM. Min 2 GB but I'd go with 4 GB until upgrades are 
done. You can lower it back afterwards.
And disk space. 7 GB initial install can balloon to 30 GB during upgrade 
process before settling in around 20 GB.


> 
> This is a longstanding Windows problem:
> 
> https://superuser.com/questions/951960/windows-7-sp1-windows-update-stuck-checking-for-updates
> 
> 

Fixed! (for now)

https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-solution/f39a65fa-9d10-42e7-9bc0-7f5096b36d0c

Windows downloads full list of needed upgrades in minutes. Only one (or two) 
patches needed.



Re: Enigmail and Split GPG2 (previously Re: [qubes-users] Upgrading from Split GPG1 to Split GPG2?)

2016-11-20 Thread entr0py
Marek Marczykowski-Górecki:
> On Sat, Nov 19, 2016 at 09:11:21PM -0800, Andrew David Wong wrote:
>> On 2016-11-19 03:43, Andrew David Wong wrote:
>>> On 2016-11-17 10:05, cubit wrote:
>>>> 17. Nov 2016 15:33 by dmoer...@gmail.com:
>>>>
>>>>> On Wednesday, November 16, 2016 at 10:21:33 PM UTC-5, george wrote:
>>>>>> Yes. I get the same issue too. I can read the message, but I can't 
>>>>>> write, and I'm also in Debian-8 VM on Qubes 3.2, with Enigmail and 
>>>>>> Thunderbird. I can READ messages, but I can't send them, nor 
>>>>>> verify/encrypt/sign them. I'm not sure what to do with this...
>>>>>
>>>>> What template are you using for the gpg VM? 
>>>>>
>>>> For me both my vault VM and thunderbird VM are sharing the same Debian 8 
>>>> template.   This template does have gnupg-agent 2.0.26-6+deb8u1  installed
>>>
>>>
>>> Sorry, this is a known issue. Enigmail 1.9 is incompatible with Split GPG 
>>> on Debian 8:
>>>
>>> https://github.com/QubesOS/qubes-issues/issues/2170
>>>
>>> Until this is resolved, I recommend using the Fedora template instead.
>>>
> 
>> Update: 3n7r0p1 has pointed out that this is not an issue, since Enigmail 
>> 1.9 is not contained in the Debian 8 repos to begin with.
> 
> Isn't it possible to install enigmail directly from thunderbird/icedove?
> That would result in the most recent version.
> 

Marek is correct.

When installed from the repo, enigmail updates are disabled. However, newer 
versions can be installed through the addons manager and such versions can also 
be updated via that method.

Issue should be re-opened or docs should advise Debian users to install via 
apt-get (not a bad practice anyway).



Re: [qubes-users] Re: Android-x86 on Qubes

2016-11-19 Thread entr0py
Torsten Grote:
> On 11/11/2016 06:01 PM, entr0py wrote:
>> Thanks! With that, some progress... Deleting `> bus='xen'/>` from the config file results in usbtablet being
>> replaced with ps/2 mouse device.
> 
> I finally got around to try that and it works indeed!
> 
>> Now, the pointer tracks mouse movements automatically instead of
>> requiring manual dragging. However, the mouse acceleration doesn't
>> match and the two pointers become de-synced.
> 
> Yes that has other usability issues than the drag pointer. I wonder if
> it is possible to change the mouse speed somehow. Maybe just temporarily
> in dom0?
> 
>> The mouse problem is not a Xen/Qubes issue. Android-x86-4.4-r5 
>> (KitKat) works perfectly on Qubes. Input handling has changed somehow
>> in Lollipop/Marshmallow. I would be perfectly content to use KitKat
>> but (of course), that version doesn't emulate OpenGL (under Qubes)
>> which breaks many Android apps
> 
> For me the problem with Android 4.4 is that it doesn't support ADB over
> IP, so there seems to be no way to connect with the debug bridge to it.
> 
>> @Torsten: Did you see my last comment on the issue tracker? Other 
>> than that, make sure partition is bootable and use a compatible vga 
>> mode.
> 
> Yes, I saw that, but I still can't boot the installed version. If I boot
> into the system right after installation it works, but if I shut it down
> and try to boot later, it just maxes out the load on one CPU and hangs
> at "Booting from Hard Disk..."
> 
> The partition is bootable and I installed GRUB and tried EFI GRUB 2 as
> well. It doesn't even seem to reach GRUB, so maybe an incompatible vga
> mode is not the problem. Do you use GPT? Which filesystem?
> 
> When trying around I could even once get GRUB2 to start only to then
> fail with an error 17.
> 
> I have the same issue with Android 4 and 6. Do you remove the "CD" from
> the VM config after the installation or do you always boot from the ISO?
> 
> Kind Regards,
> Torsten
> 

GPT: no
GRUB: yes
EFI GRUB2: no
Filesystem: whatever is the latest, EXT3/4
System: read/write (most likely irrelevant)

I always `Reboot` after install. When the GRUB loader appears, I kill the VM 
and clone if necessary at that point. I vaguely recall having had problems by 
Launching right after install.

It appears the video mode incompatibilities have been resolved since I last 
played with this. You should be able to proceed straight to the desktop. 
RemixOS is much more usable on the desktop and also has an option to disable 
screen timeout in Marshmallow. Damn mouse though...



Re: [qubes-users] Replacing Dolphin on Whonix-ws

2016-11-17 Thread entr0py
Sec Tester:
> I really dislike Dolphin. Thumbnail previews don't even seem to work,
> and it's kinda annoying to use. I'd like to swap it out for something
> lite and simple (like the fedora-23 file browser)
> 
> Just wanted to check that's not going to break anything?
> 
> Looking at the package removal list, I think it probably will...
> 

I see you're still intent on breaking your templates. I think you want to get 
comfortable with `apt-rdepends`.

try: `apt-rdepends -r dolphin`

Looks like most of those packages are meta-packages but I wouldn't waste time 
trying to figure it out. Just leave it and install nautilus (gnome file 
manager) if that's what you want. thunar (xfce) is also popular.

Before you install, type: `apt-get -s install nautilus` and make sure you want 
to pull in all those gnome/gtk dependencies.

As for Dolphin, I love its customizability. The thumbnails are likely disabled 
as a security precaution. I was about to say that it was restricted by apparmor 
but it looks like there isn't a profile - strange, kind of remember one in the 
past.



Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
entr0py:
> taii...@gmx.com:
>> On 11/14/2016 03:12 PM, Eric wrote:
>>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>>>> Eric:
>>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
>>>>> tai...@gmx.com wrote:
>>>>>> Forgot to say: Purism is just an overpriced quanta/oem
>>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
>>>>>> small run of *just a motherboard* let alone an entire laptop
>>>>>> computer including the fab for a fancy aluminum case - it is
>>>>>> quite obvious that their components are not "hand selected"
>>>>>> and that they just called up some chinese OEM and asked them
>>>>>> what they had kicking around.
>>>>>>
>>>>>> I can't understand if they are scammers or just really
>>>>>> naive, Instead of making an OpenPower or ARM laptop and
>>>>>> having it be 100% libre from the start they instead do the
>>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
>>>>>> google can't convince intel to open up FSP/ME then nobody can
>>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
>>>>>> the bios work)
>>>>>>
>>>>>> It bothers me quite a lot that they are on the list of
>>>>>> approved vendors when they are a dishonest company.
>>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
>>>>> though not for those reasons - putting a 28W TDP proc in a
>>>>> 15inch "workstation" is absurd to me. as is their lack of a
>>>>> screen configuration. I hear your anger at the gap between what
>>>>> they promise and what they deliver; I'm more displeased on the
>>>>> hardware side of things (though I do like HW kill switches.
>>>>> I've looked into what they promise and understand very well
>>>>> that they don't actually have a very free computer at all,
>>>>> especially on the bios/firmware side.
>>>>>
>>>>> What I actually ordered (and have now cancelled), was a Dell
>>>>> XPS 15". There is no vPro option in the configure menu, though
>>>>> it does support VT-d and SLAT. I've read all of Joanna's
>>>>> papers, and understand the concerns about Intel ME very well.
>>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
>>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
>>>>> mine and Dell's fault for wishful thinking and false naming,
>>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
>>>>>
>>>> Moral considerations aside, why not buy that Dell and pair it
>>>> with a portable router/firewall like this
>>>> (https://www.compulab.co.il/utilite-computer/web/products)?
>>>> Shouldn't that effectively block out any ME-related mischief or
>>>> do I have a fundamental misunderstanding? It doesn't seem
>>>> possible otherwise to get the type of processing power you're
>>>> looking for in a laptop form-factor.
>>> Also, the concern for me is not ME shenanigans. I'm more concerned
>>> about having TXT for AEM and measured boot, and the consumer Dell
>>> model does not have that (the processor and chipset don't support
>>> it). The other option aside from the Precision 5510, would be a
>>> ThinkPad T460 or T460p, but the downside there is performance (only
>>> SATA-3 SSD), and also the screen quality is terrible.
>>>
>>> Much as I dislike proprietary anything, I might take a second look
>>> at the new MacBook Pros, and run things that need higher security
>>> in a VM or in Whonix.
>>
>> Why would you buy a macbook? You realize those have regular intel processors 
>> and ME too right?
>>
>> Lenovo is owned by the chinese, and dell business laptop (their consumer 
>> line is garbage) is a way better choice than either.
>>
>> It seems you do have (as you said) a fundamental misunderstanding of how 
>> security actually works, and how a router/firewall operates. - thus I don't 
>> think that anyone would be targeting you specifically with a ME exploit.
> 
> (top-posting fixed)
> 
> Despite my "fundamental misunderstanding of how security actually works", I 
> am able to read a thread and keep track of who said what - a skill you seemed 
> to have mis

Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
taii...@gmx.com:
> On 11/14/2016 03:12 PM, Eric wrote:
>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>>> Eric:
>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
>>>> tai...@gmx.com wrote:
>>>>> Forgot to say: Purism is just an overpriced quanta/oem
>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
>>>>> small run of *just a motherboard* let alone an entire laptop
>>>>> computer including the fab for a fancy aluminum case - it is
>>>>> quite obvious that their components are not "hand selected"
>>>>> and that they just called up some chinese OEM and asked them
>>>>> what they had kicking around.
>>>>> 
>>>>> I can't understand if they are scammers or just really
>>>>> naive, Instead of making an OpenPower or ARM laptop and
>>>>> having it be 100% libre from the start they instead do the
>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
>>>>> google can't convince intel to open up FSP/ME then nobody can
>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
>>>>> the bios work)
>>>>> 
>>>>> It bothers me quite a lot that they are on the list of
>>>>> approved vendors when they are a dishonest company.
>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
>>>> though not for those reasons - putting a 28W TDP proc in a
>>>> 15inch "workstation" is absurd to me. as is their lack of a
>>>> screen configuration. I hear your anger at the gap between what
>>>> they promise and what they deliver; I'm more displeased on the
>>>> hardware side of things (though I do like HW kill switches.
>>>> I've looked into what they promise and understand very well
>>>> that they don't actually have a very free computer at all,
>>>> especially on the bios/firmware side.
>>>> 
>>>> What I actually ordered (and have now cancelled), was a Dell
>>>> XPS 15". There is no vPro option in the configure menu, though
>>>> it does support VT-d and SLAT. I've read all of Joanna's
>>>> papers, and understand the concerns about Intel ME very well.
>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
>>>> mine and Dell's fault for wishful thinking and false naming,
>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
>>>> 
>>> Moral considerations aside, why not buy that Dell and pair it
>>> with a portable router/firewall like this
>>> (https://www.compulab.co.il/utilite-computer/web/products)?
>>> Shouldn't that effectively block out any ME-related mischief or
>>> do I have a fundamental misunderstanding? It doesn't seem
>>> possible otherwise to get the type of processing power you're
>>> looking for in a laptop form-factor.
>> Also, the concern for me is not ME shenanigans. I'm more concerned
>> about having TXT for AEM and measured boot, and the consumer Dell
>> model does not have that (the processor and chipset don't support
>> it). The other option aside from the Precision 5510, would be a
>> ThinkPad T460 or T460p, but the downside there is performance (only
>> SATA-3 SSD), and also the screen quality is terrible.
>> 
>> Much as I dislike proprietary anything, I might take a second look
>> at the new MacBook Pros, and run things that need higher security
>> in a VM or in Whonix.
> 
> Why would you buy a macbook? You realize those have regular intel processors 
> and ME too right?
> 
> Lenovo is owned by the chinese, and dell business laptop (their consumer line 
> is garbage) is a way better choice than either.
> 
> It seems you do have (as you said) a fundamental misunderstanding of how 
> security actually works, and how a router/firewall operates. - thus I don't 
> think that anyone would be targeting you specifically with a ME exploit.

(top-posting fixed)

Despite my "fundamental misunderstanding of how security actually works", I am 
able to read a thread and keep track of who said what - a skill you seemed to 
have misplaced in all your wizardry. Also, on your crusade to dismantle Intel 
and Google, it might behoove you to take a slightly less aggressive tack with 
people who generally share your beliefs cause it seems you're significantly 
outnumbered as it is.

Now if you'd like to respond without the obligatory disdain

Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
Eric:
> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com
> wrote:
>> Forgot to say: Purism is just an overpriced quanta/oem whitebox
>> laptop, it takes 5mil+ of startup funds to do a small run of *just
>> a motherboard* let alone an entire laptop computer including the
>> fab for a fancy aluminum case - it is quite obvious that their
>> components are not "hand selected" and that they just called up
>> some chinese OEM and asked them what they had kicking around.
>> 
>> I can't understand if they are scammers or just really naive,
>> Instead of making an OpenPower or ARM laptop and having it be 100%
>> libre from the start they instead do the dishonest "you'll go to
>> disneyworld one day poor johnny" - If google can't convince intel
>> to open up FSP/ME then nobody can - coreboot with FSP is just
>> shimboot (black box FSP - 95% of the bios work)
>> 
>> It bothers me quite a lot that they are on the list of approved
>> vendors when they are a dishonest company.
> 
> Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not
> for those reasons - putting a 28W TDP proc in a 15inch "workstation"
> is absurd to me. as is their lack of a screen configuration. I hear
> your anger at the gap between what they promise and what they
> deliver; I'm more displeased on the hardware side of things (though I
> do like HW kill switches. I've looked into what they promise and
> understand very well that they don't actually have a very free
> computer at all, especially on the bios/firmware side.
> 
> What I actually ordered (and have now cancelled), was a Dell XPS 15".
> There is no vPro option in the configure menu, though it does support
> VT-d and SLAT. I've read all of Joanna's papers, and understand the
> concerns about Intel ME very well. However, on the Dell order, it
> claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT
> was disabled, and that was mine and Dell's fault for wishful thinking
> and false naming, respectively. Please see linked photo:
> https://d.pr/Q0YZ
> 

Moral considerations aside, why not buy that Dell and pair it with a portable 
router/firewall like this 
(https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that 
effectively block out any ME-related mischief or do I have a fundamental 
misunderstanding? It doesn't seem possible otherwise to get the type of 
processing power you're looking for in a laptop form-factor.



Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-14 Thread entr0py
entr0py:
> taii...@gmx.com:
>> On 11/13/2016 07:39 PM, entr0py wrote:
>>> taii...@gmx.com:
>>>> You can use a VMM with a pfsense VM and separate driver domains
>>>> for the network interfaces, qubes isn't a router operating
>>>> system...
>>> 
>>> Is there an inherent reason that Qubes should not be used as a
>>> router?
>> 
>> - I really don't know how to reply to this
> 
> I can't tell if your reticence is indignance or if my question just
> can't be answered for some reason but it was meant to be a sincere
> question. Admittedly I know very little about this but AFAIK pfSense
> is just a front-end to manage filters with extensibility features. I
> don't know enough to discuss the relative merits of PF vs iptables,
> but I don't see any reason why a Qubes router wouldn't work since
> Debian based "router operating systems" do exist. Is it a question of
> reliability, complexity, ...? I just need a machine that can route
> and filter traffic and not get compromised in the process - or am I
> missing something? I wouldn't know the first thing about BSD or
> virtual driver domains, whereas I've become comfortable chaining
> Qubes proxyVMs and using iptables.
> 

From advice I've received: the overhead introduced by Qubes (inter-vm 
operability, gui features) isn't necessary in a router that is largely 
non-interactive and headless.

My guess is that a cost-effective solution for now would be to use 2012 AMD 
hardware running Xen / KVM. Analogous to Qubes, it would have fat net VMs, 
minimal proxy VMs and a firewall VM (BSD or otherwise) in-between.

Both Xen & KVM support ARM so the forward-looking solution might be to combine 
Xen with something like MirageOS appliances 
(https://mirage.io/wiki/xen-on-cubieboard2) on an ARM device.



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread entr0py
Eric:
> On Tuesday, February 23, 2016 at 1:54:30 AM UTC-8, Marek Marczykowski-Górecki 
> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> On Tue, Feb 23, 2016 at 04:11:55AM +, Rusty Bird wrote:
>>> marmarek:
>>>> On Mon, Feb 22, 2016 at 08:52:43PM +, Rusty Bird wrote:
>>>>> Though even now it should be possible to use AEM without TXT?
>>>>> Just don't install the SINIT blob, in which case *only* the LUKS 
>>>>> header(s) would be protected by the TPM.
>>>>
>>>> But not having xen/kernel/initrd measured means AEM is pretty 
>>>> useless. The whole purpose is to verify the thing that prompts you
>>>> for LUKS passphrase. Without such measurement you'll have no way
>>>> to really know if those binaries were even loaded from your USB
>>>> stick (and not from some additional one plugged in by the attacker,
>>>> for example).
>>>
>>> If the order is fixed, i.e. USB before SATA, and you don't see another
>>> USB drive sticking into the notebook you left at home, then the part in
>>> parentheses wouldn't apply?
>>
>> It is easy enough to hide USB device inside the USB socket itself (those
>> devices are small these days). Or inside your notebook (for example
>> instead of bluetooth card, which is also USB device in most cases).
>>
>> Some more sophisticated attack would be installing some "USB proxy" in
>> USB socket. Which would hijack only initramfs reads. You'll not see
>> any additional USB device in the system in that case.
>>
>>>> Such replaced initrd script can present still unmodified LUKS
>>>> header to TPM, unseal the secret, show it to you, then record LUKS 
>>>> passphrase.
>>>
>>> But Xen/kernel/initrd are on the AEM stick you take with you, so the
>>> attacker would have to modify the BIOS. In which case TXT wouldn't help
>>> much, because a BIOS rootkit can effectively hide itself from TXT if I
>>> understand Joanna right.
>>
>> But attack hidden from TXT is much more complex than attack simply
>> changing boot order. It all depends on your threat model.
>>
>>>>> If a per-boot BIOS password has been set, maybe this kind of
>>>>> setup is even sort of reasonable?
>>>>
>>>> You are joking, aren't you?
>>>
>>> Not really. If these assumptions are correct:
>>>
>>> 1. a BIOS rootkit can hide itself from TXT;
>>> 2. an attacker who can boot their own medium can, more and more
>>>    probably, also persist such a rootkit in the BIOS;
>>> 3. there are no BIOS master password lists anymore (are there?),
>>>    or other easy password prompt bypasses (are option ROMs loaded
>>>    early enough from ExpressCards?);
>>
>> I wouldn't rely on BIOS password protection. It failed so many times
>> in the history, so I can't assume that magically now BIOS vendors
>> learned how to do it properly.
>>
>>> then it seems to me that a per-boot BIOS password without TXT could work
>>> out better than the converse, TXT without a PBBP. Not to say that both
>>> together aren't best though!
>>>
>>> AEM protecting the LUKS header would still be (barely) worthwhile
>>> without TXT, if it's easier / faster / less conspicuous for the attacker
>>> to take out the HDD and rewrite a few blocks than to infect the BIOS.
>>>
>>> (BTW Marek, regarding VM random seeds: Have you considered somehow
>>> harnessing whatever it is that Thunderbird+Enigmail use to place line
>>> breaks in my mails after I hit send)
> 
> Just bought a laptop with a Skylake processor for running Qubes, and from 
> looking around on Intel's website it appears that no Skylake Core-branded 
> processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
> point? Can I use a YubiKey to store hashes of the xen/initramfs and use that 
> for AEM? (probably not, since it's a USB device?)
> 

I was just looking around for information on AMT/ME a minute ago. It appears 
that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
fall under the umbrella of vPro.)

https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
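
The argument in the exchange quoted above (sealing against the LUKS header alone versus also measuring xen/kernel/initrd) can be modelled in a few lines. This is an added example, not part of the original messages and not Anti Evil Maid's code; the `ToyTPM` class, the single SHA-256 PCR, the policy names and the component byte strings are all constructed assumptions.

```python
import hashlib
import hmac

PCR_LEN = 32  # assumption: one SHA-256 PCR; a real TPM has several registers


def extend(pcr: bytes, blob: bytes) -> bytes:
    """PCR extend: new = H(old || H(blob)). A PCR can be extended, never set."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()


def measure_boot(chain, policy):
    """Replay one boot: extend the PCR with each component the policy measures."""
    pcr = bytes(PCR_LEN)
    for name, blob in chain:
        if name in policy:
            pcr = extend(pcr, blob)
    return pcr


class ToyTPM:
    """Toy sealing model: the secret is released only when the PCR value
    presented at unseal time equals the value recorded at seal time."""

    def __init__(self):
        self._slot = None

    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._slot = (pcr, secret)

    def unseal(self, pcr: bytes):
        if self._slot is None:
            return None
        expected, secret = self._slot
        return secret if hmac.compare_digest(expected, pcr) else None


def secret_shown_at_boot(policy, enrolled_chain, booted_chain, secret):
    """Seal against the enrolled boot chain, then boot another chain.
    Returns the secret the user would see, or None if unsealing fails."""
    tpm = ToyTPM()
    tpm.seal(secret, measure_boot(enrolled_chain, policy))
    return tpm.unseal(measure_boot(booted_chain, policy))


def replace_component(chain, target, new_blob):
    """Copy of the chain with one named component swapped for other bytes."""
    return [(n, new_blob if n == target else b) for n, b in chain]


# Constructed sample data: byte strings stand in for the real binaries.
SECRET = b"constructed anti-evil-maid phrase"
ENROLLED = [
    ("xen", b"xen build A"),
    ("kernel", b"vmlinuz build A"),
    ("initrd", b"initramfs build A"),
    ("luks_header", b"LUKS header as enrolled"),
]
SWAPPED_INITRD = replace_component(ENROLLED, "initrd", b"initramfs from another stick")
MODIFIED_HEADER = replace_component(ENROLLED, "luks_header", b"LUKS header rewritten")

# The two setups discussed in the thread.
HEADER_ONLY = frozenset({"luks_header"})                      # AEM without TXT
FULL_CHAIN = frozenset({"xen", "kernel", "initrd", "luks_header"})


def compare():
    """Which (policy, booted chain) combinations still reveal the secret."""
    boots = {"enrolled": ENROLLED, "swapped initrd": SWAPPED_INITRD,
             "modified header": MODIFIED_HEADER}
    policies = {"header only": HEADER_ONLY, "full chain": FULL_CHAIN}
    return {
        (pname, bname): secret_shown_at_boot(p, ENROLLED, chain, SECRET) is not None
        for pname, p in policies.items()
        for bname, chain in boots.items()
    }


if __name__ == "__main__":
    for (policy, boot), shown in compare().items():
        print(f"{policy:12} | {boot:16} | secret shown: {shown}")
```

With the header-only policy the secret is still shown after the initrd is swapped, which is the gap the quoted reply describes; the full-chain policy refuses to unseal in that case.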





Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread entr0py
taii...@gmx.com:
> VT-d is Intel's marketing term for IOMMU, you can buy an AMD system
> that has IOMMU (AMD-Vi) (but not FM2/AM4 as that has PSP). Qubes
> needs IOMMU not "VT-d"

Thanks for reply. I understood this previously but I'm not familiar with AMD's 
offerings and didn't realize they had a current lineup that fits this category. 
It also seems that Skylake i3's have IOMMU without vPro.


> You can use a VMM with a pfsense VM and separate driver domains for
> the network interfaces, qubes isn't a router operating system...

Is there an inherent reason that Qubes should not be used as a router?

 
> x86/wintel is only a small subsection of the computing world, you can
> buy for instance an IBM OPOWER8 workstation or the Tyan Palmetto
> (also OPOWER8) - they have open source firmware and no ME type stuff.
> - OPOWER has an IOMMU equivalent.
> 
> The newish and readily available blob free x86 amd boards are high
> performance level (kgpe-d16) I don't know what your connection is
> like so if you want something lower power you could go with a
> coreboot board with the features you want and simply not include the
> blobs (which could mean no video, no fan control and no USB3 - but
> none of those are needed on a passively cooled router anyways and you
> can install/control via serial)
> 
> There is the apu2 from pcengines, which has no blobs (AFAIK, ask
> them) although it doesn't have an IOMMU.

Small subsection? I guess I need to get out and see more of the computing 
world. Thanks for the suggestions. I'll do some reading!


> I find it ironic that you apparently value your privacy but you are
> using gmail - if you do not pay for a service YOU are the product.

Yes, and that maxim applies to every website you visit that doesn't cost you 
any money. Everyone uses Google. Just because there's no "g" in the url doesn't 
mean that you're free of Google's tentacles (and fingerprinting).

Yes, I use this gmail address to access groups.google.com and nothing else, in 
a dedicated vm, over Tor. But you are correct - a non-gmail address, in a 
dedicated vm, over Tor would be considerably better. But I fail to see the 
irony. This pseudonym has long-ago broadcast several hundred words onto the 
Internet so it would be naive to think that it's still an anonymous identity. 
The stylometry is out there for anyone that wants to look. The distinction is 
that I have other pseudonyms that aren't quite so vociferous. :) Of course, 
Google probably has them all linked already anyway...



Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread entr0py
taii...@gmx.com:
> Ideally you would want a blob free coreboot system with no Intel ME or AMD 
> PSP type backdoors.
> https://www.coreboot.org/Binary_situation
> Intel is actively trying to nerf free software with Boot Guard/ME, if you buy 
> a computer with those features it isn't really your computer.
> 
> A backdoor in a modem is irrelevant, it is post WAN and should be considered 
> part of the "internet".
> 

Right, I've always followed the advice to secure each pc as if it were 
connected directly to the internet and not to rely on the router for any 
security.

But now I'm interested in actually building a secure router. One reason is what 
you mentioned regarding Intel ME. Since Qubes 4.0 will require VT-d (and 
unavoidably Intel ME) and the fact that it's cool to use new hardware, I'd like 
to place a physical barrier to block ME signals.

I had always imagined repurposing a Qubes PC to serve as a router, especially 
because of the flexibility it has with chaining and branching multiple 
transparent proxy VMs. But obviously now, it doesn't make any sense to use an 
ME equipped machine as a router.

So if I had a budget (for argument's sake) of $2000 to build a secure router 
for 10-15 clients in a small business environment where maximum throughput is 
not really an issue, what would you all advise? A libreboot machine? but then 
what kind of OS could it run that could meaningfully isolate sys-net and 
provide similar routing capabilities?

TIA.



Re: [qubes-users] Re: Genymotion in Qubes

2016-11-12 Thread entr0py
Sec Tester:
> pl1...@sigaint.org:
>> Good day
>> I want to install an android emulator in Qubes and reading some review,
>> Genymotion is the best. The issue is that it run in Virtualbox, how can I
>> install it in Qubes?
>> 
>> Thanks
>> 
> Nice question. I would also like to know.
> 
> Have you setup a Win7 HVM?
> 
> This may be the best place to try to set up Genymotion.
> 

https://www.genymotion.com/faq/

May be theoretically possible but not for the faint-of-heart.

You would need to patch Xen to allow nested HVM, then use VGA-passthrough to 
give Genymotion a GPU.

Android on Qubes is not well supported (and probably shouldn't be).

There is a current thread discussing Android-x86 / RemixOS:
https://groups.google.com/forum/#!topic/qubes-users/frK8xaBh9pI

and Github issue:
https://github.com/QubesOS/qubes-issues/issues/2233



Re: [qubes-users] Leak Problems with VPN ProxyVM + AirVPN & Network lock

2016-11-11 Thread entr0py
Sec Tester:
> On Saturday, 12 November 2016 04:22:37 UTC+10, Chris Laprise  wrote:
>>>
>>
>> A tip for stopping DNS leaks with the GUI: You have to run a script like 
>> 'qubes-setup-dnat-to-ns' (in Qubes) or 'qubes-vpn-handler.sh' (in the 
>> VPN doc) after the client connects or else DNS packets won't get 
>> forwarded through the tunnel. Looking at the airvpn program, you could 
>> probably symlink its 'update-resolv-conf' to point to 
>> 'qubes-vpn-handler.sh' and it should work. Just don't click on the 
>> 'Activate Network Lock' as that will overwrite the firewall rules.
>>
>> Chris
> 
> I'm interested in building a script to work around AirVPN GUI, as opposed to 
> OpenVPN. I would really have to research and understand exactly what each 
> line of the current script is doing to manipulate it to work with AirVPN.
> 
> This is currently out of my ability. I would welcome collaboration on this 
> task. If I do eventually get something working, I will be sure to post it 
> back here.
> 

You might get more interest if you explained which features of the AirVPN GUI 
are worth having. The Github README is blank.

I think most openvpn users are content to use the official client since it's 
simpler and better audited. The current fail-close solution has also been 
reviewed by some intelligent (and paranoid) people. Once the VPN is up, the GUI 
is hidden behind your work so I'm not sure what advantage it has.



Re: [qubes-users] Clean install Windows 7 HVM fails after installing qubes-windows-tools 3.2.2-3

2016-11-11 Thread entr0py
pooosi...@vfemail.net:
> 1) Create new HVM with 20Gb disk space and 2Gb RAM, Install Win7.

You'll need closer to 40GB if you plan to fully update the OS.

> 7) Manually start machine. Machine boots fine, but... nothing happens. 
> Seamless mode is disabled, but I can't see machine's window (screen). Looks 
> like GUI start fails.

Always run VM in debug mode until it's stable. You'll get lots of BSODs and the 
only way to know is if you have debug mode on.

> 11) Ok so I try to: "qvm-start --debug win7" and machine runs great! It 
> works! But it still looks like it doesn't load the video driver? Because I 
> can't switch to Aero theme.

No VM under Qubes has hardware graphics acceleration. HVM has no sound support. 
Qubes' primary focus is not compatibility with all OS. If you require a 
near-native virtualized Windows, your best bets are Hyper-V, VMWare, 
VirtualBox. I run Office in a non-networked Win7 because I'm too lazy/old to 
switch to LibreOffice. Qubes is great for this because you don't have to expose 
your buggy, leaky Windows to the world. But you'll probably run into trouble 
with anything more intense. For example, Photoshop will struggle with anything 
but trivial images.



Re: [qubes-users] Re: Android-x86 on Qubes

2016-11-11 Thread entr0py
Marek Marczykowski-Górecki:
> On Tue, Nov 08, 2016 at 11:09:37PM -0200, Torsten Grote wrote:
>> On 11/07/2016 08:54 PM, 3n7r0...@gmail.com wrote:
>>> AFAICT, it's an issue with how QEMU is implemented in Xen. The input
>>> device in question is passed via `-usbdevice tablet` instead of being
>>> left to the default PS/2 emulation. There doesn't seem to be any easy
>>> way to disable that parameter from within Xen?
> 
>> I would also be very interested in that! Marek, do you know?
> 
> It is possible to modify config in /var/lib/qubes/appvms/, but for that
> you need to copy it first, then pass its new location to qvm-start
> --custom-config=... 
> 

Thanks! With that, some progress... Deleting `` 
from the config file results in usbtablet being replaced with ps/2 mouse 
device. Now, the pointer tracks mouse movements automatically instead of 
requiring manual dragging. However, the mouse acceleration doesn't match and 
the two pointers become de-synced.

The mouse problem is not a Xen/Qubes issue. Android-x86-4.4-r5 (KitKat) works 
perfectly on Qubes. Input handling has changed somehow in 
Lollipop/Marshmallow. I would be perfectly content to use KitKat but (of 
course), that version doesn't emulate OpenGL (under Qubes) which breaks many 
Android apps - even non-3D things like Gallery, Maps, Chrome...

@Torsten: Did you see my last comment on the issue tracker? Other than that, 
make sure partition is bootable and use a compatible vga mode.
 



Re: [qubes-users] Whonix Gateway and normal AppVM behind?

2016-11-03 Thread entr0py
Drew White:
> Hi folks,
> 
> If I'm using the Whonix Gateway guest, and I have it as a ProxyVM, is it safe 
> to assume that if I use a normal AppVM, (non-whonix) behind it, then that 
> means that everything is still going through the Tor network?
> 
> (Just wanting to make 100% sure)
> 
> Sincerely,
> Drew.
> 

Drew, I know you only concern yourself with the most complex, technical 
details; but every once in a while, you should come see how us small-minded, 
non-dev "little people" live:

Google "Whonix"
|
https://www.whonix.org/
|
https://www.whonix.org/wiki/
|
https://www.whonix.org/wiki/Documentation
|
https://www.whonix.org/wiki/Other_Operating_Systems

BTW, all 20 of the questions in your qubes-devel thread (which incidentally has 
nothing to do with qubes-devel) are also answered in the docs.



Re: [qubes-users] Can't Install KB3177467 on Windows HVM Template

2016-10-15 Thread entr0py
John Marrett:
> I've been running windows template HVMs for some time now and it's working
> quite well once you get past the initial patch installation.
> 
> I now have an issue where I can't successfully install the 11/10/2016
> update to KB3177467. After each installation and the required reboot the
> patch continues to detect as uninstalled and prompt to reboot to install it.
> 
> I'd welcome any guidance people can offer and I'm ready to test possible
> solutions.
> 
> Thanks in advance for your help,
> 
> -JohnF
> 

I just checked my Windows HVM Template and it did successfully install 
KB3177467.

Sorry, I don't have any advice to offer other than the usual "check disk space, 
RAM, etc."

I am running Windows 7 SP1 with 40 GB system storage and 2 GB RAM and the old 
stable versions of Qubes 3.1 and QWT 3.0.4.



Re: [qubes-users] Why is whonix-ws necessary?

2016-10-12 Thread entr0py
jkitt:
> Wouldn't an appvm, with the tor browser, and netvm set to sys-whonix do the 
> same thing?
> 

No. You can see which differences are applicable to you here:
https://www.whonix.org/wiki/Other_Operating_Systems#Security_Comparison:_Whonix-Download-Workstation_vs._Whonix-Custom-Workstation

Some of the more notable things include:
* no Tor-over-Tor (for Tor Browser Bundle)
* stream isolation
* fingerprinting defenses
* secure time sync

Whonix is under continual development. Ongoing projects include defending 
against side-channel attacks and obfuscating keystroke fingerprinting.

If all you want is an isolated gateway to transparently torify your traffic, 
then you can use any OS you prefer as your workstation (with TBB configured 
not to launch Tor). In any case, it's advisable to avoid easily fingerprintable 
(i.e. leaky) distributions like Ubuntu or Windows.



Re: [qubes-users] Needed Packages for sys-usb on Fedora-minimal

2016-10-04 Thread entr0py
Fabrizio Romano Genovese:
> Hello everyone,
> 
> I have installed the fedora-24-minimal template and I'm loving it. I'm using 
> it as the underlying template in my Netvm and FirewallVM, I just followed the 
> guide on Qubes website and everything went well. I'd like to do the same for 
> my sys-usb vm but I'm clearly missing something, since if I plug a USB key in 
> it doesn't get recognized. Any suggestion about what packages may I need for 
> a smooth usb experience on this template?
> 
> Thanks for your help,
> Fab
> 

The minimal template is great! Had the same issue: 
https://github.com/QubesOS/qubes-issues/issues/2018

I can't test F24 but I assume that usbVM still has a perl dependency since the 
issue is still open. 
(sudo dnf install perl)

You may optionally want to install qubes-input-proxy-sender as well.




Re: [qubes-users] Re: Qubes Windows Tools

2016-09-28 Thread entr0py
It gives me no pleasure (well...) to gang up on a guy who obviously doesn't 
have the slightest notion of what it means to possess even a modicum of social 
grace. But in the absence of a downvote button, how else do you voice your 
disapproval of a community member that is as ignorant as he is arrogant and who 
repeatedly insults fellow users that try to help? 



[BTW, it's all Marek's fault for having the extraordinary patience to indulge 
this buffoon with a straight face.]

Drew White:
> On Wednesday, 28 September 2016 18:33:25 UTC+10, Dave Ewart  wrote:
>> On Wednesday, 28.09.2016 at 01:06 -0700, Drew White wrote:
>>> On Wednesday, 28 September 2016 17:47:01 UTC+10, Foppe de Haan 
>>> wrote:
>>>> On Wednesday, September 28, 2016 at 8:20:29 AM UTC+2, Drew 
>>>> White wrote:
>>>>> Does QWT require any specific version of Windows 7?  Or will 
>>>>> they work with all versions of Windows 7?
>>>> 
>>>> covered here: all. 
>>>> https://www.qubes-os.org/doc/windows-tools-3/
>>> 
>>> Doesn't even BEGIN to answer the question.
>> 
>> It *completely* answers your question.  In the first line: "Only 
>> 64-bit Windows 7 (any edition) is supported".  So you need Windows 
>> 7 64-bit, but the edition doesn't matter (e.g. Home, Enterprise, 
>> whatever).
> 
> I said VERSION, not EDITION.

You should have stuck to Edition and just said, "Thanks for the answer", 
because now you look like a bigger idiot than when you began. A Windows 
version/build/release is just a collection of installed updates. That means 
that whatever version you install changes the moment you update it. Did you 
expect the devs to test every possible combination of Windows updates? Or to 
test a buggy old release?
 

>>>>> Why does QWT require TESTSIGNING to be turned on?  Is that 
>>>>> because Win7 requires things to be signed?
>>>> 
>>>> https://www.qubes-os.org/doc/windows-appvms/ "Before
>>>> ...
>>> 
>>> Still doesn't answer that question either.
>>> 
>>> I said "hi devs" because I needed someone with the knowledge of 
>>> WHY, not just an end user reason, but a dev description that is 
>>> technical.
>> 
>> Again, that really *does* answer your question.  Windows 7 requires
>> drivers to be signed by a recognised certificate.  The Qubes Tools
>> drivers are *not* signed by a recognised certificate, so to make
>> them work one needs to toggle the TESTSIGNING flag so that Windows
>> 7 no longer cares about their certificates.
> 
> Okay, it seems you can't understand a simple question so I will 
> rectify it to be more the way I would have normally asked it before
> I started asking the questions in a way that more people can 
> understand, again, you are not a dev...
> 
> Why do you need testsigning on when you can easily get a certificate 
> for signing your software when people could intercept with unsigned 
> software that will cause harm instead of good and cause that guest 
> machine to be infected and mean that qubes wasn't doing things
> right security wise?
> 
> Does that better clarify the question that I'm asking as to the WHY?

Perfectly. Drew, thank you for refining your initial question to make it more 
"technical". 
Because now, the answer is... 
EXACTLY THE SAME as the one Foppe gave you at the outset. 


>>> So please, refrain from answering my questions with details that 
>>> don't answer anything. If the website had the information, I 
>>> would not be asking.
>> 
>> It sounds like the web site *does* include the information, you 
>> failed to find it (or didn't look), someone answered by pointing 
>> you at the right information and you merely insulted them in
>> reply. Glad to see you're still trolling here, Drew... :-/
> 
> If you read my current reply, you will see that it doesn't answer
> the question(s)
> ...
> True, but he wasn't a dev, so I saw no reason to give more information.
> ...
> The question was perfectly stated, I was after a technical WHY, not an 
> end-user WHY.
> ...
> That is precise to an end-user, but I wanted a technical explanation. As I 
> said in a recent post, which may be worth you reading that sentence that also 
> relates here.

My bad, here's the technical version coming from an end-user: RTFM. (The answer 
starts with R- and ends with -PM.) I know it's hard to believe but, #IAmNotADev.


>>> That only tells me what you assign to a Windows Guest.
>>> What it doesn't tell me is what the tools require in seamless mode, 
>>> including but not limited to the Windows Guest and Dom0.
>>
>> I'm sorry, but what I'm missing here is your explanation/indication as to 
>> what you have already tried yourself, and why the information you seek could 
>> not be retrieved by you installing a w7 VM, installing the tools, and 
>> checking ram use in a running VM; and secondly, if you had indeed checked 
>> that out before asking it here, why that information wasn't 
>> useful/sufficiently informative to you.
> 
> That information doesn't tell me enough.
> 

Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-25 Thread entr0py
nishiwak...@gmail.com:
> Hello,
> 
> I am surprised that there is no way to disable ipv6 on Debian template.
> 
> I reinstalled first the template using documentation 
> https://www.qubes-os.org/doc/reinstall-template/
> 
> Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I did 
> reboot the Template but it didn't change the outcome, I still had ipv6 ports 
> opened using "netstat -antp"
> 
> I even added "sudo ip6tables -P INPUT DROP" in "/rw/config/rc.local", but I 
> still got those distant servers listening when I check using commands like 
> "sudo lsof -i6" or "netstat -antp" on my Debian Template.
> 
> What is rpcbind, avahi-dae and why you got this ipv6 bound to systemd on PID 
> 1 ? Looks suspicious, I thought Ipv6 was disabled by default on Qubes.
> 
> Regards
> 


"all" never worked for me. Disable each interface separately as documented here:

https://wiki.debian.org/DebianIPv6#How_to_turn_off_IPv6

`netstat -anltp` shows ports that are (L)istening.
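
The per-interface check this reply points to, as an added example that is not part of the original post: it reports every interface whose own `disable_ipv6` sysctl is not 1 and lists only the tcp6 sockets in the LISTEN state. The function names are hypothetical; `/proc/sys/net/ipv6/conf/*/disable_ipv6` and `/proc/net/tcp6` are the standard Linux locations, passed as parameters so the functions can also be run against saved copies.

```shell
#!/bin/sh
# Added example: audit IPv6 state per interface instead of trusting the
# "all" pseudo-entry, and list tcp6 sockets that are actually listening.

# Print each real interface whose disable_ipv6 sysctl is not 1.
# $1: sysctl conf directory (default: /proc/sys/net/ipv6/conf)
ipv6_enabled_ifaces() {
    conf_dir=${1:-/proc/sys/net/ipv6/conf}
    for f in "$conf_dir"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are pseudo-entries, not interfaces; the
        # per-interface values are what this check reports.
        case $iface in all|default) continue ;; esac
        val=$(cat "$f")
        [ "$val" = "1" ] || printf '%s\n' "$iface"
    done
}

# Print the decimal ports of tcp6 sockets in state 0A (LISTEN), sorted.
# Established connections (state 01) are skipped, which is the difference
# between "netstat -antp" and "netstat -anltp".
# $1: tcp6 table (default: /proc/net/tcp6; absent if ipv6 is not loaded)
ipv6_listen_ports() {
    tcp6_file=${1:-/proc/net/tcp6}
    [ -r "$tcp6_file" ] || return 0
    awk '
        function hex2dec(h,    i, n) {
            n = 0
            h = toupper(h)
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return n
        }
        # Column 2 is local_address as HEXADDR:HEXPORT, column 4 the state.
        NR > 1 && $4 == "0A" {
            n = split($2, part, ":")
            print hex2dec(part[n])
        }
    ' "$tcp6_file" | sort -nu
}

# Summarise both checks. Returns 0 only when no interface has IPv6
# enabled and nothing is listening on tcp6.
ipv6_audit() {
    ifaces=$(ipv6_enabled_ifaces "${1:-}")
    ports=$(ipv6_listen_ports "${2:-}")
    if [ -z "$ifaces" ] && [ -z "$ports" ]; then
        echo "ipv6: disabled on every interface, no tcp6 listeners"
        return 0
    fi
    if [ -n "$ifaces" ]; then
        echo "ipv6 still enabled on: $(echo $ifaces)"
    fi
    if [ -n "$ports" ]; then
        echo "tcp6 listening ports: $(echo $ports)"
    fi
    return 1
}

# Run the audit against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then
    ipv6_audit
fi
```

A socket bound to `::` can also accept IPv4 connections, so a port in this list is a prompt to look at the owning service rather than proof of IPv6 traffic.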



Re: [qubes-users] Qubes Windows 7 / 10

2016-09-20 Thread entr0py
Pawel Debski:
> On Sunday, 18 September 2016 17:21:47 UTC+2, ludwig jaffe wrote:
>> On Saturday, September 17, 2016 at 3:55:58 AM UTC-4, Pawel Debski wrote:
>>> Folks,
>>> 
>>> I have Qubes 3.2 up, updated &
>>> running like a charm. Now the Microsoft challenge. The doc @
>>> https://www.qubes-os.org/doc/windows-appvms/ instructs to use
>>> Windows 7. Do you suggest to stick with version 7 or go ahead to
>>> 10 / 8?
>>>
>>>   
>>> 
>>> -- 
>>>
>>>   
>>>
>>> Z powazaniem / Best Regards
>>>
>>> Mit freundlichen Gruessen / Meilleures salutations
>>>
>>> Pawel Debski
>>
>> Hi I run windows10 w/o windows tools and I replace cut and paste with an 
>> editor to generate a file and then I ssh to the other machines.
>> Also files I can tar.gz and ssh.
>>
>> Here it is good to install cygwin on the windows10, and 
>> also you want to install classic shell and remove cortana, the spy.
>> I did this and it works
> 
> Now I have Windows 7 up and running, but I have some minor stability problems 
> - I used testing version of Qubes Windows Tools as there was no stable 
> version available.
> 
> Did I do something wrong or indeed there is no stable version of Qubes 
> Windows Tools?
> 

There is no version of qubes-windows-tools in the stable repo. The latest 
testing version is 3.2.1-3 and the prior testing release series was 3.0.4-1.

After much testing with Windows 7 on Qubes R3.1, I was unable to get QWT 3.2 
working in a stable fashion. I don't want to lead you astray - this is very 
much YMMV. Everyone seems to have their own personalized experience with 
Windows on Qubes. I think part of the reason for this is that stability is also 
a function of which Windows updates are installed.

I downgraded to QWT 3.0 without PV disk drivers and now have a stable Win 7 
running MS Office with full inter-VM operability.

(Some of the BSODs received while running QWT 3.2:
RDR_FILE_SYSTEM
DRIVER_POWER_FAILURE
QUOTA_UNDERFLOW
BAD_POOL_HEADER
MEMORY_MANAGEMENT
A device driver has pool.)



Re: [qubes-users] Streisand - AntiCensorship software

2016-09-06 Thread entr0py
amadaus:
> Hi
> Some of you may be interested in setting up your own personal VPN using
> streisand software? I first read about this in Ars Technica [
> http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/]
> and have since tried it out in a dedicated Streisand VM.
> To me, it seems to offer very high levels of security and anonymity.
> Does anyone else have any views on this software? - it can be accessed
> via github https://github.com/jlund/streisand.
> 

I wasn't aware of streisand before you mentioned it.

Normally, I would suggest that the best method for setting up a personal VPN, 
is to set up a personal VPN. Even for pure novices, there are many 
comprehensive, user-friendly guides that will set you up with a secure 
configuration. (Digitalocean & Linode have nice tutorials, like this one: 
https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server). 
In the process, you can also learn about firewalls, authentication, services, 
etc.

On the other hand, there's definitely a place for turnkey solutions with safe 
defaults. It's a shame though that the streisand installer is currently not 
able to selectively install services 
(https://github.com/jlund/streisand/issues/23). The security best practice of 
only enabling needed services to minimize attack surface is overshadowed by 
usability concerns. A full streisand install consists of "L2TP/IPsec, 
OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge" 
plus a webserver!

If you connect to a VPS anonymously, one nice advantage of using an 
out-of-the-box preconfigured solution is that it may give you a measure of 
deniability. Certainly more than you would get by applying your own unique 
iptables rules + comments in Swahili that would fingerprint you as sysadmin.

Seems like streisand is a project worth following. Plus it's important to 
remember that its purpose is to configure a censorship circumvention server, 
not provide network security and/or anonymity. Unless bypassing censorship is 
your only goal, IMO its services should be used before and/or after Tor. (and 
obviously, not both on the same server).



Re: [qubes-users] [3.2rc2] Pulseaudio 100% CPU load at dom0

2016-09-02 Thread entr0py
David Hobach:
> On 08/31/2016 08:14 PM, entr0py wrote:
>> Eva Star:
>>> 3.2rc2 - clean install (on 3.2rc1 with updates I do not have this
>>> problem)
>>> 
>>> At dom0 pulseaudio process always eats 100% of CPU. If I kill it,
>>> then it starts again! Please, help. How to fix this issue or how
>>> to disable pulseaudio start after kill.
> 
> Same problem here, only by updating though.
> 
>> Had similar symptoms on Qubes 3.1. If you have multiple audio
>> adapters (ie Onboard + HDMI), disable one. (On KDE, it was
>> PulseAudio Volume Control > Configuration. Don't know XFCE.)
> 
> I also have multiple (incl. external). Disconnecting the external one
> does not appear to help though.
> 
> Pulseaudio child processes constantly die and get started again, i.e.
> the PID is changing every 1-2s. I guess that's not normal? Sound in
> VMs is stuttering.
> 
> rsyslogd also eats quite a lot of CPU, but I bet it's due to the
> pulse logs.
> 
> Sample log and /etc/pulse/default.pa attached.
> 
> Anyone got an idea?


In my case, the Onboard and HDMI adapters kept trying to connect, kicking out 
the other adapter. The machine would basically lock up every few seconds and 
CPU would max out. Same symptoms as you describe with the PIDs.

What I did specifically was go to Configuration tab and set Profile to 'Off'. 
One of the dom0 updates caused this setting to revert to its default. Perhaps 
you've got another adapter besides the USB, or the machine keeps looking for 
the disconnected adapter?



Re: [qubes-users] [3.2rc2] Pulseaudio 100% CPU load at dom0

2016-08-31 Thread entr0py
Eva Star:
> 3.2rc2 - clean install (on 3.2rc1 with updates I do not have this problem)
> 
> At dom0 pulseaudio process always eats 100% of CPU.
> If I kill it, then it starts again! 
> Please, help. How to fix this issue or how to disable pulseaudio start after 
> kill.
> 

Had similar symptoms on Qubes 3.1. If you have multiple audio adapters (ie 
Onboard + HDMI), disable one. (On KDE, it was PulseAudio Volume Control > 
Configuration. Don't know XFCE.)



Re: [qubes-users] Re: Unable to assign audio device

2016-08-31 Thread entr0py
Adi Carlisle:
> OK, update, I reinstalled my Qubes 3.1 but this time I used sys-usb (& 
> sys-net option) Sound worked on all VM's.
> **Didn't get a chance to test it on Win7** because I tested the mute function 
> now it doesn't work again.
> 

https://www.qubes-os.org/doc/windows-appvms/:

> There is currently no audio support for Windows HVMs.




Re: [qubes-users] Missing config files after Backup / Restore

2016-08-17 Thread entr0py
> On 08/17/2016 03:20 PM, entr0py wrote:
>> Just migrated my Qubes 3.1 system to new hardware and it went surprisingly 
>> smoothly :)
>>
>> I noticed however that my KDE Window Rules did not get backed up / restored 
>> (not sure which).
>>
>> It's kind of irrelevant at this point since we're moving away from KDE but 
>> I'd still like to know why that happened and if there are other config files 
>> that I need to copy over manually.
>>
>> Most of the files in ~/.kde/share/config/ have permissions user:user 600 so 
>> it shouldn't be a problem to back up. Is a KDE lock on those files 
>> preventing them from being overwritten on the restore? Any other files I 
>> should bring back manually? (Just noticed some keybindings not working...)
>>
>> Thanks.
> 
> If the KDE version stayed the same (4.x) then I'd expect the dom0
> restore to include window rules and keybindings.
> 
> Did you restart the system after the restore?
> 
> Chris 

Yes, more details:

1. Backed up the entire system (all up-to-date): dom0, all templates, all vms;
2. Installed fresh Qubes 3.1 with no pre-configuration (seems fedora-23 was 
installed anyway)
3. Did an incremental restore as follows:
   a. restored dom0 - noticed that the following did not restore: desktop 
      background, sound prefs, application menu settings (application menu 
      entries were correct)
   b. reboot
   c. restored service templates & service vms
   d. updated dom0 - noticed window rules were not restored
   e. reboot
   f. restored dom0 AGAIN - thinking that dom0 update might have some effect
      window rules did not restore BUT desktop background did.
   g. restored all other templates & vms
   h. noticed that keybindings did not restore

I think all of these KDE settings are stored in ~/.kde/share/config/. 
Specifically, the window rules are located in kwinrulesrc. I guess I could 
reconnect backup drive and go find out if files were backed up to begin with. 
My hunch is that the problem is on the restore end. How can I tell if files are 
locked? And if locked can Qubes restore overwrite them?



[qubes-users] Missing config files after Backup / Restore

2016-08-17 Thread entr0py
Just migrated my Qubes 3.1 system to new hardware and it went surprisingly 
smoothly :)

I noticed however that my KDE Window Rules did not get backed up / restored 
(not sure which).

It's kind of irrelevant at this point since we're moving away from KDE but I'd 
still like to know why that happened and if there are other config files that I 
need to copy over manually.

Most of the files in ~/.kde/share/config/ have permissions user:user 600 so it 
shouldn't be a problem to back up. Is a KDE lock on those files preventing them 
from being overwritten on the restore? Any other files I should bring back 
manually? (Just noticed some keybindings not working...)

Thanks.



[qubes-users] Unable to Remove Template / Preun: Domain not found

2016-08-17 Thread entr0py
New Qubes 3.1 installation with Advanced (No Configuration) option.

After restoring dom0 + serviceVMs + serviceTemplates, tried to 
`sudo yum remove qubes-template-fedora-23`

Received: Error in PREUN scriptlet in rpm package...
   libvirt.libvirtError: Domain not found [from libvirt.py line 4066 
lookupByName]

`sudo yum list qubes-template-fedora-23` shows template installed from 
@anaconda/R3.1 repo.

`sudo qubes-dom0-update qubes-template-fedora-23` returns
   "No Match for argument qubes-template-fedora-23"

Thanks for help.




Re: [qubes-users] 3.2rcX Default Display (Login) Manager

2016-08-16 Thread entr0py
entr0py:
> donoban:
>> On Mon, 15 Aug 2016 12:06:36 -0700 (PDT)
>> 3n7r0...@gmail.com wrote:
>>
>>> I haven't had a chance to try out 3.2rc yet. Can someone please tell
>>> me what the default DM is to launch XFCE4? Thanks!
>>>
>>
>>
>> It is the same of Qubes 3.1, lightdm if I'm not wrong.
>>

From 
https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/conf/comps-qubes.xml:

xfce-desktop-qubes
Xfce4
A lightweight desktop environment that works well on low end 
machines.
true
false

  xfce4-panel
  xfce4-session
  xfce4-settings
  xfce4-settings-qubes
  xfconf
  xfwm4
  xfdesktop
  
  lightdm-gtk

Going with lightdm then unless someone tells me otherwise... Thanks.



Re: [qubes-users] 3.2rcX Default Display (Login) Manager

2016-08-16 Thread entr0py
donoban:
> On Mon, 15 Aug 2016 12:06:36 -0700 (PDT)
> 3n7r0...@gmail.com wrote:
> 
>> I haven't had a chance to try out 3.2rc yet. Can someone please tell
>> me what the default DM is to launch XFCE4? Thanks!
>>
> 
> 
> It is the same as Qubes 3.1, lightdm if I'm not wrong.
> 

Thanks. Somewhat confused though - I thought 3.1 was KDM? KDM would have many 
dependencies for an XFCE system...



To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/882836ea-4e2a-bde9-e357-bfd5d460ba9f%40vfemail.net.


Re: [qubes-users] Bad GPG Signature is Good on 2nd Try?

2016-08-05 Thread entr0py
Andrew David Wong:
> On 2016-08-05 16:21, entr0py wrote:
>> After downloading Qubes 3.1 iso, I attempted to verify with Release 3
>> Signing Key:
> 
>> user@host:~/Downloads$ gpg --verify Qubes-R3.1-x86_64.iso.asc
>> gpg: assuming signed data in `Qubes-R3.1-x86_64.iso'
>> gpg: Signature made Wed 09 Mar 2016 03:40:56 AM UTC
>> gpg:                using RSA key 0xCB11CA1D03FA5082
>> gpg: BAD signature from "Qubes OS Release 3 Signing Key" [unknown]
> 
> 
>> I verified the hash .DIGESTS:
> 
>> user@host:~/Downloads$ gpg --verify Qubes-R3.1-x86_64.iso.DIGESTS
>> gpg: Signature made Wed 09 Mar 2016 11:35:48 AM UTC
>> gpg:                using RSA key 0xCB11CA1D03FA5082
>> gpg: Good signature from "Qubes OS Release 3 Signing Key" [unknown]
> 
> 
>> I compared checksums:
> 
>> user@host:~/Downloads$ sha1sum Qubes-R3.1-x86_64.iso 
>> 990b7765ee209b42b3cad78673463daae769c729  Qubes-R3.1-x86_64.iso
> 
>> user@host:~/Downloads$ cat Qubes-R3.1-x86_64.iso.DIGESTS | grep 990b7765ee209b42b3cad78673463daae769c729
>> 990b7765ee209b42b3cad78673463daae769c729 *Qubes-R3.1-x86_64.iso
> 
> 
>> So tried verifying the .iso again:
> 
>> user@host:~/Downloads$ gpg --verify Qubes-R3.1-x86_64.iso.asc Qubes-R3.1-x86_64.iso
>> gpg: Signature made Wed 09 Mar 2016 03:40:56 AM UTC
>> gpg:                using RSA key 0xCB11CA1D03FA5082
>> gpg: Good signature from "Qubes OS Release 3 Signing Key" [unknown]
> 
> 
>> What am I missing? Is the 2nd argument necessary even though gpg found the
>> signed data properly the first time?
> 
> 
> Is it possible that the ISO hadn't completely finished downloading when you
> tried to verify it the first time?
> 
> 
> 

I don't think so, because then it would have had the .part extension. Is there 
a long write after the download completes?

RAM / HD limitations? 4.7 GB iso vs 1.0 GB RAM, 10 GB Private storage.

Not sure it's important but kinda unnerving to be producing different results :/

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/82efc921-c394-63b7-1f5b-cad9fbad45b2%40gmail.com.
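
A way to tell apart the two cases raised in this thread, a file that changes or reads inconsistently versus one that really differs from the published hash, as an added example that is not part of the original messages. It hashes the file twice and compares the result with the entry in a DIGESTS file that has already passed `gpg --verify`; the function name and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Run `gpg --verify <file>.DIGESTS` first:
# the hashes listed in DIGESTS are only trustworthy once that signature is good.

# check_against_digests FILE DIGESTS [ALGO]
#   0 = two reads agree and match the DIGESTS entry
#   1 = two reads agree but differ from the DIGESTS entry
#   2 = two reads of the same file produced different hashes
#       (file changed between reads, e.g. a write still in progress,
#        or the read path is unreliable)
#   3 = no usable entry for this file/algorithm in DIGESTS
check_against_digests() {
    file=$1
    digests=$2
    algo=${3:-sha256}

    case $algo in
        sha1)   len=40 ;;
        sha256) len=64 ;;
        sha512) len=128 ;;
        *) echo "unsupported algorithm: $algo" >&2; return 3 ;;
    esac

    name=$(basename "$file")

    # DIGESTS lines look like "<hex> *<filename>". The same file is listed
    # once per algorithm, so the entry is selected by hex length.
    # Limitation: file names containing spaces are not handled.
    expected=$(awk -v n="$name" -v len="$len" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == len { print tolower($1); exit }
    ' "$digests")

    if [ -z "$expected" ]; then
        echo "no $algo entry for $name in $digests" >&2
        return 3
    fi

    # Two independent passes over the file.
    first=$("${algo}sum" "$file" | cut -d' ' -f1)
    second=$("${algo}sum" "$file" | cut -d' ' -f1)

    if [ "$first" != "$second" ]; then
        echo "unstable read: $first vs $second" >&2
        return 2
    fi
    if [ "$first" != "$expected" ]; then
        echo "mismatch: computed $first, DIGESTS lists $expected" >&2
        return 1
    fi
    return 0
}

# Usage (paths are placeholders):
#   check_against_digests Qubes-R3.1-x86_64.iso Qubes-R3.1-x86_64.iso.DIGESTS sha1
```
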


Re: [qubes-users] No sound with VoIP

2016-07-30 Thread entr0py
ghbouchard...@gmail.com:
> I try to use Tox for having a VoIP software but unfortunately I can
> not have any sound. Here is my setup : (I use Qubes 3.2)
> 

Is this a VOIP-issue or do you not have any sound in general? Can you listen to 
audio files, watch youtube videos, etc?

Some things to check:

In dom0, go to System Settings -> PulseAudio Volume Control -> verify all 
settings are correct

appVM settings will be dependent on OS & DE. I won't pretend to know how all 
the sound subsystems interact. In my Debian (KDE) appVM, I can adjust volumes 
using `alsamixer` and `kmix`. Gnome has a sound panel of its own.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/d26b73a4-bc3d-456c-81ff-55c72f27da27%40gmail.com.


Re: [qubes-users] Re: PulseAudio Connection Terminated

2016-07-30 Thread entr0py
Marek Marczykowski-Górecki:
> Maybe it is related to HDMI audio output? Try to disable it (for example
> unload snd-hda-codec-hdmi kernel module).

Thanks Marek! I figured it out this morning but `Replied` to Myself :/ Sorry to 
waste your time.


> On Sat, Jul 30, 2016 at 04:11:50 AM UTC, 3n7r0...@gmail.com wrote:
> 
> Issue resolved (not sure if Qubes related or not):
> 
> 2 sound devices are present: HDMI-Audio via graphics card & Integrated Intel 
> HD Audio
> Launch `pavucontrol`. For HDMI-Audio, disable Profile (set to `off`).
> 
> This means either:
> 1. I had the profile off originally and a recent update reset the setting 
> or...
> 2. I had the profile on but a recent update requires that it be off.
> 

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/4c4e7dcb-6227-7345-75bf-d58fb31c6674%40gmail.com.


[qubes-users] PulseAudio Connection Terminated

2016-07-29 Thread entr0py
On a freshly rebooted Qubes 3.1, dom0 pulseaudio process consumes 100% cpu 
every 5 secs. Pulseaudio Manager shows a connection to server for a split 
second before announcing `Failure: Connection terminated`. This cycles 
continuously.

Not sure what triggered this issue. May have been recent updates and/or 
"Attaching audio-input to VM". Have not experienced this in the prior year of 
using Qubes. "Detaching audio-input" does not work.

Tips to troubleshoot? TIA.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/1b7f8322-fac3-d8ea-b575-167fe90394f9%40gmail.com.


Re: [qubes-users] Re: Networking

2016-07-12 Thread entr0py
Drew White:
> On Saturday, 9 July 2016 22:13:30 UTC+10, Marek Marczykowski-Górecki  wrote:
>> There is no other limit than your hardware. 
> 
> If this is true, then please, why is mine only 100 Mbps behind the NetVM when 
> I have a 1Gbps NIC?
> 
> I have multiple things monitoring the network activity, and it only ever gets 
> to 100 Mbps.
> Even if I have 3 running, there are 3 VIF+ interfaces running at 100 Mbps AND 
> the external is moving data at the same speeds.
> 
> If you can find the resolution for it, I'd be very happy.
> 

Driver?



To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/ef11756d-cfe9-c729-2f2c-1484dfeaaa41%40vfemail.net.


Re: [qubes-users] Re: whonix gateway metapackage missing

2016-06-23 Thread entr0py
digitaldi...@tutanota.com:
> Turns out whonix still runs, or at least sys-whonix does, I'm in the 
> process of updating dom0, and arm for sys-whonix is showing plenty of 
> activity that I couldn't get before(when I was trying to update Whonix-gw 
> template vm
> 
> On Thursday, June 23, 2016 at 10:13:45 AM UTC-5, digita...@tutanota.com 
> wrote:
>>
>> hi, I rebooted my computer this morning and had a prompt saying that the 
>> whonix gateway metapackage is missing, which prevents me from updating 
>> dom0, as well as whonix(tried to do that to fix the issue). I have two 
>> questions:
>>
>> what caused this? or what possibly caused this?
>>
>> how do I fix it?
>>
>>
> 

Most likely you upgraded from Whonix 12 to Whonix 13 without knowing it.
Follow these instructions: 
https://www.whonix.org/wiki/Upgrading_Whonix_12_to_Whonix_13
If this resolves your issue, then there's no need for concern.


To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/576C16CE.7030507%40vfemail.net.


Re: [qubes-users] Adding New Disk Image to VM

2016-06-20 Thread entr0py
Marek Marczykowski-Górecki:
> On Mon, Jun 20, 2016 at 06:35:14PM +0000, entr0py wrote:
>> 3. add file as disk device to /var/lib/qubes/appvms/myappvm.conf:
>>
>>   
>>   
>>   
>>
> 
> This config file is regenerated each time the VM is started, so your
> changes will have no effect...
> 
> Recently I've posted an instruction about triggering qvm-block on VM
> startup to achieve the same effect. Take a look here:
> https://groups.google.com/d/topic/qubes-users/RogG5rXG_Pw/discussion
> 

Thanks! Saw that but didn't realize it was relevant (and this would have been 
easier :/ )


Andrew David Wong:
> On 2016-06-20 11:35, entr0py wrote:
>> Would appreciate if someone could check that I'm not doing
>> something stupid... (Don't see any docs regarding this.)
> 
> I think the reason there are no docs for this is that this seems like
> going out of your way to use Qubes in a way that it was not intended
> to be used. (Of course, you're perfectly within your rights to do that.)
> 
>> Use case: I want to store my Documents on a separate .img (on same 
>> Qubes SSD) so that only config files remain on my appVM. This
>> should ease the upgrade process when I want to start with fresh
>> appVMs and reduce chances of user error / corruption of frequently
>> moving large existing files.
> 
> So, as you probably know, Qubes is designed with the expectation that
> users will store their data (and config files) in AppVMs. Normally,
> there's not much reason to need to "start with fresh AppVMs" due to
> the way TemplateVMs work. (You already "start fresh" with respect to
> the root filesystem each time you restart an AppVM anyway.)
> 
> I'm not saying any of this to try to dissuade you from doing what you
> want to do. I'm just offering another perspective and suggesting that,
> depending your goals, this might not be necessary.
> 

Your input is always appreciated.

I don't think what I'm trying to do is un-Qubes-like at all. After all, we are 
trying to isolate and compartmentalize independent aspects of our systems. 
(This benefits not just security but scalability as well). (Isn't StorageVM on 
the horizon?) My Documents (perhaps Archives would be a more contrastful term) 
should **never** need to be moved because of any change in the underlying 
Operating System - regardless of how rarely such events might occur.

(Perhaps due to my ignorance, or unwillingness to research how config files 
function for each component of my Template,) I tend to perform fresh installs 
of my appVMs with any major change in the underlying Template. For example, 
moving from Debian Jessie to Stretch may involve any or all of the following: 
Whonix 13 -> 14, LibreOffice 4 -> 5, KDE 4 -> 5, etc. These are major upgrades 
and I don't want to assume that the devs have correctly anticipated all the 
prior configs that will work properly or optimally. In addition, appVMs can get 
polluted with scripts and bind-directories in /rw. I could just manually delete 
config directories but like I said, I can't anticipate what unintended 
consequences that might have unless I actually research it.


> In the rare case where we actually need to migrate all the data from
> one AppVM to a new one, and there's a large amount of that data, I
> think it makes sense to use conventional data-integrity-verification
> tools to do that (just as you would if migrating the data from one
> conventional OS to another).
>

Could you suggest some tools? I've been using tar --verify, qvm-copy, shasum, 
then hoping! that tar -xf doesn't corrupt anything :( Also, since I want to 
re-use some of the same VM names, and since I've had mixed results with 
renaming VMs in the past (in R2.x, not all .xml files got updated properly), I 
usually have to copy twice: first copy to an intermediary VM, delete original 
VM, create new VM with same name, copy from temp to new VM.

Again, this would be fine for several GBs but not something I should ever have 
to do for 100's of GBs. Even migrating to another OS should not require moving 
troves of data, since most data these days is OS-agnostic.


To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/57685560.7070403%40vfemail.net.
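
One way to check a bulk copy between VMs, as asked about in the message above; this is an added example, not a tool recommended by anyone in the thread. It records a SHA-256 manifest of the source tree and then verifies both content and completeness at the destination; the function names and the manifest location are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Keep the manifest OUTSIDE the tree it
# describes, and carry it to the destination VM alongside the data.
# Limitation: file names containing newlines or backslashes are not handled.

# make_manifest DIR MANIFEST
#   Writes one "<sha256>  ./relative/path" line per regular file, sorted.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum ) > "$2"
}

# verify_tree DIR MANIFEST
#   0 = every listed file is present with the same hash, and nothing extra
#   1 = a file is missing, changed, or present but not listed
verify_tree() {
    dir=$1
    # Absolute path, because the checks below change directory.
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    rc=0

    # Content check: re-hash everything the manifest lists.
    out=$(cd "$dir" && sha256sum -c "$manifest" 2>&1) || rc=1
    printf '%s\n' "$out" | grep -v ': OK$' >&2 || true

    # Completeness check: sha256sum -c ignores files that are not listed,
    # so compare the manifest's path list with what is on disk.
    listed=$(mktemp)
    present=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$manifest" | LC_ALL=C sort > "$listed"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$present"
    extra=$(LC_ALL=C comm -13 "$listed" "$present")
    rm -f "$listed" "$present"

    if [ -n "$extra" ]; then
        printf 'present but not in manifest:\n%s\n' "$extra" >&2
        rc=1
    fi
    return "$rc"
}

# Usage (paths are placeholders):
#   source VM:       make_manifest /home/user/Documents /home/user/docs.sha256
#   destination VM:  verify_tree   /home/user/Documents /home/user/docs.sha256
```
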


[qubes-users] Adding New Disk Image to VM

2016-06-20 Thread entr0py
Would appreciate if someone could check that I'm not doing something stupid... 
(Don't see any docs regarding this.)

Use case: I want to store my Documents on a separate .img (on same Qubes SSD) 
so that only config files remain on my appVM. This should ease the upgrade 
process when I want to start with fresh appVMs and reduce chances of user error 
/ corruption of frequently moving large existing files.

Steps:

1. create sparse file in dom0:
   `dd if=/dev/zero of=/var/lib/qubes/storage/myfiles.img bs=1024k seek=1 count=0`

2. create filesystem on sparse file:
   `mkfs -t ext4 myfiles.img`

3. add file as disk device to /var/lib/qubes/appvms/myappvm.conf:
   
  
  
  
   

4. add /dev/xvde to /etc/fstab in appVM:
   /dev/xvde   /home/user/storage   ext4   defaults,noatime   0 0

5. start appVM

Any issues? TIA!

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/57683762.7020308%40vfemail.net.


Re: [qubes-users] Apt attempting to remove packages in whonix-gw

2016-06-13 Thread entr0py
entr0py:
> jkitt:
>> I'm trying to remove some applications that I don't need (like VLC).
>>
>> The problem is that apt attempts to remove a number of packages that I'm 
>> not sure if i need or not - some of the whonix-gw/qubes specific packages 
>> seem reasonably important. 
>>
>> 1. Are these packages needed? What are they for - the initial install?
>>
>> 2. Also would it be safe to autoremove? Given the huge list of packages in 
>> the autoremove section.
>>
>> The last time I did autoremove the whonix-gw complained that the 
>> "qubes-whonix-gateway" package was missing.
>>
>> Thanks.
>>
>>
> 
> Some things to consider:
> 
> * Always experiment on Cloned VMs, preferably off-line. For Whonix-GW, make 
> sure no VMs are associated with it - no child VMs (if template), no upstream 
> VMs (if proxyVM).
> 
> * Relevant documentation (including links to package lists): 
> https://www.whonix.org/wiki/Whonix_Debian_Packages#Why_is_package_X_installed.3F
> 
> * Figure it out yourself using apt-cache rdepends. Try `sudo apt-cache 
> --recursive rdepends vlc` and you'll see just how many packages rely on vlc 
> at some level. Doesn't necessarily mean it can't be removed but you'll have 
> broken dependencies unless everything in that list is removed also.
> 
> * Feel free to ask here: 
> https://forums.whonix.org/t/more-unwanted-packages/2155 (I would answer here 
> but I don't know.)
> 


Should have mentioned in last post:
use the `--installed` option to only see packages installed on your system so:
`sudo apt-cache --installed rdepends vlc`
`sudo apt-cache --installed rdepends phonon-backend-vlc`
`sudo apt-cache --installed rdepends phonon`
uh-oh...

On bare-metal, Whonix Gateway can be built as `Terminal-Only`, but I don't know 
if that's possible with Qubes. Some GUI needs to be present to communicate with 
dom0 WM. Or maybe not if `xl console` is used exclusively?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/575EE842.7020905%40vfemail.net.


Re: [qubes-users] If using the same Whonix GW, does all Wonix WS get the same "identity"?

2016-06-08 Thread entr0py
Andrew David Wong:
> On 2016-06-08 00:14, Albin Otterhäll wrote:
>> I'm assuming that if you connect to Tor using the same Whonix
>> gateway (e.g. "sys-whonix"), you get the same "identity" (IP, etc.)
>> on both your workstations. Is this correct?
> 
> 
> Not entirely. By default, stream isolation applies to different
> workstations and to any supported apps in those workstations. This
> means that every VM connected to sys-whonix (and every supported
> app in those VMs) will use a different circuit through the Tor
> network, hence a different exit node, hence have a different IP address.
> 
> However, there are still side-channel attacks that can be used to
> correlate multiple workstations running on the same host (stressing
> hardware and observing the effects in all workstations, clock skew,
> network timings, etc.).
> 
> Details:
> https://www.whonix.org/wiki/Multiple_Whonix-Workstations
> https://www.whonix.org/wiki/Stream_Isolation
> 
> 

What Andrew said. Some nitpicking:

There is no guarantee that you will have a different exit node (or even a 
different circuit). It's random so you might wind up with the same but not 
intentionally.

Also, Tor Browser has stream isolation features of its own, such as separate 
circuits per tab and new circuits after a set time interval.

Finally, non-stream-isolated (meaning non-tor-proxified) apps in the *same* 
workstation will share the same circuit since they will route through 
Whonix-Gateway's Transparent Proxy Port (TransPort). The TransPort can be 
disabled to prevent this. (Instructions in Andrew's links).

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/57586A08.1050606%40vfemail.net.


Re: [qubes-users] using a vpn through tor

2016-05-28 Thread entr0py
tom.tomson:
> since many sites discriminate tor users (aka block them, e.g.: 
> https://blog.torproject.org/category/tags/cloudflare), i want to use a vpn 
> after i routed through tor. (since i get the vpn anonymously per tor and 
> bitcoin, i should still be anonymous (or is there a mistake?)).

More likely pseudonymous - safer assumption anyway. 
https://www.whonix.org/wiki/DoNot#Do_not_confuse_Anonymity_with_Pseudonymity.


> the vpn uses udp.
> and i think this is the problem, it seems these packages get blocked and my 
> vpn can't open.

Tor does not support UDP traffic.


> any idea how i can fix this? 

Use TCP.
https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN



To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/574A297D.7050406%40vfemail.net.