[qubes-users] Re: [Cryptography] Intel Management Engine pwnd (was: How to find hidden/undocumented instructions

2017-11-22 Thread jkitt
On Wednesday, 22 November 2017 13:34:26 UTC, Sandy Harris  wrote:
> From a crypto list, seemed relevant here.
> .
> Oh joy...
> 
> Intel finds critical holes in secret Management Engine hidden in tons
> of desktop, server chipsets
> https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/
> .

So I have my ME "turned off", and I understand off never means off, but can it 
still be remotely exploited? I'm using a wireless NIC.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bb84ce1e-52bd-4da0-a4e4-a1f59b120f30%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Upgrading from rc2 to release.

2017-11-06 Thread jkitt
Is this just a case of running a Dom0 update? Or would I have to manually 
install the stable release?

FYI: I'm still on 3.2.



[qubes-users] Re: Has anyone tried to activate SELINUX in Fedora 25?

2017-09-21 Thread jkitt
On Wednesday, 20 September 2017 09:41:58 UTC+1, pels  wrote:
> [1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> [.[0;1;31m!!.[0m] Failed to mount API filesystems, freezing.
> [1.621206] systemd[1]: Freezing execution.

Looks like a tmpfs cannot be mounted at boot. In actual fact: these default 
policies are never in a "ready to deploy" state. You have to run the policy in 
permissive mode - throughout the normal boot process, and typical use of the 
confined binaries. Once you have built a log of fired rules then you have to go 
back and tweak the policy. There are, shockingly, no good tools to parse 
SELinux audit logs outwith a couple of hard to get tools - distributed in the 
Red Hat repos. I think there is a Gentoo overlay that you can reverse engineer, 
or maybe you can find a working tool. But once you have ironed out all the 
policy violations, and you can boot without firing anything of concern, then you 
are ready for enforcing mode.

Here are some good primers on the subject. The first video, in particular, 
shows how to effectively parse audit logs - with the aforementioned Red Hat tool:

https://www.youtube.com/watch?v=MxjenQ31b70

https://www.youtube.com/watch?v=q_y30qZ_plQ

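The permissive-mode workflow described in the post above (collect the denials that fire during boot and normal use, then review them before going to enforcing mode) can be sketched as follows. This is an added example, not part of the original post and not any distribution's tool; the log lines are constructed samples in the kernel's AVC record format, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log records (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1505896918.101:12): avc:  denied  { mounton } for  pid=1 comm="systemd" path="/run" dev="xvda3" ino=131 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1505896918.140:13): avc:  denied  { read } for  pid=1 comm="systemd" name="run" dev="xvda3" ino=131 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1505896918.140:13): arch=c000003e syscall=165 success=yes exit=0 comm="systemd"
type=AVC msg=audit(1505896931.007:41): avc:  denied  { read write } for  pid=612 comm="exampled" name="example0" dev="devtmpfs" ino=9001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1505896990.552:77): avc:  denied  { write } for  pid=702 comm="sshd" name="tmp" dev="xvda3" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        return {
            "perms": set(m.group("perms").split()),
            # A context is user:role:type:level; policy rules are written on the type.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "?"),
            # permissive=0 means the access was actually blocked, not just logged.
            "enforced": fields.get("permissive") == "0",
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    summary = defaultdict(
        lambda: {"perms": set(), "comms": set(), "enforced": False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = summary[(rec["source"], rec["target"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        entry["comms"].add(rec["comm"])
        entry["enforced"] |= rec["enforced"]
    return dict(summary)


def candidate_rules(summary):
    """Render each group as an allow rule for human review, never blind loading."""
    rules = []
    for (src, tgt, cls), entry in sorted(summary.items()):
        perms = sorted(entry["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG)
    for rule in candidate_rules(groups):
        print(rule)
    blocked = [k for k, v in groups.items() if v["enforced"]]
    print("blocked while enforcing:", blocked)
```

A denial against an `unlabeled_t` target, as in the constructed `/run` records, usually points at a relabeling problem rather than a missing rule, so each candidate needs reading before it goes anywhere near the policy.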


[qubes-users] Re: Just realized one of the major disadvantages of Qubes OS...

2017-01-25 Thread jkitt
On Tuesday, 24 January 2017 11:54:34 UTC, qmast...@gmail.com  wrote:

> I was sad when installed VirtualBox, tried launching it and it said that 
> something like "not supported on Xen hosts"

But why would you want to do that? You already have virtual machines at your 
disposal..



[qubes-users] Question to Mirage OS firewall users

2016-12-10 Thread jkitt
What's it like to update - is it relatively simple? Would you say it's more 
secure than Debian or Fedora?



[qubes-users] qubes-devel, what are the rules for posting?

2016-12-07 Thread jkitt
Can I ask development related questions there? Or is the mailing list only for 
core developers and contributors? (I'd like to get involved)



[qubes-users] Re: Qubes takes a while to shut down (>30min!), is this normal?

2016-12-07 Thread jkitt
On Wednesday, 7 December 2016 13:37:36 UTC, throwaw...@tutanota.com  wrote:
> Hello everyone! =)
> 
> Usually when I update dom0 and then I shutdown the computer it takes quite a 
> while to finish, the progress bar reaches the end after nearly 5 min, but 
> then it takes 30min (yes!) for it to completely shut down.
> 
> For info: When I click on Esc to see what happens after the progress bar 
> reaches the end I see:
> 
> [ OK ] Reached target Shutdown
> 
> I have a Sony VAIO with a C2D.
> 
> Thanks in advance for your help.
> 
> 
> 
> Kind regards.

This is a known bug afaik. It would seem that some of the mounted block devices 
are hanging before they can be properly unmounted. You can see this when you 
hit any of the F keys during shutdown.

I wonder if there's a ticket?



[qubes-users] Re: Issues with debian-8 qrexec service

2016-12-05 Thread jkitt
Fixed.

Quoting marmarek:

"Missing libxen-4.6 update seems to be the cause, just uploaded the update. 
Also, enabling testing repository should be enough (the package was there, but 
I missed uploading it to stable).

So, to fix the issue - start the template, access its console (sudo xl console 
debian-8) and install updates (sudo apt-get update && sudo apt-get -V 
dist-upgrade)."

Thanks!



[qubes-users] Re: Issues with debian-8 qrexec service

2016-12-05 Thread jkitt
On Monday, 5 December 2016 05:26:04 UTC, jkitt  wrote:
> I'm not 100% that this is the issue but I'm having troubles running anything 
> with qvm-run on a Debian-8 template/app-vms. This happened after a recent 
> upgrade. Fedora template/app-vms are working fine after some initiation 
> problems (I have to killall qrexec-client in dom0 - possibly because it's 
> hanging)
> 
> Right now I can't run anything, and I don't know if it's related, or an 
> unrelated bug (as I've seen it previous), but the qubes manager indicated 
> remains yellow on debian based VMs.
> 
> I struggle to give you all the information you probably need - I don't know 
> much about Xen or Xen tools.
> 
> Thanks.

typo: indicated = indicator.



[qubes-users] Issues with debian-8 qrexec service

2016-12-04 Thread jkitt
I'm not 100% that this is the issue but I'm having troubles running anything 
with qvm-run on a Debian-8 template/app-vms. This happened after a recent 
upgrade. Fedora template/app-vms are working fine after some initiation 
problems (I have to killall qrexec-client in dom0 - possibly because it's 
hanging)

Right now I can't run anything, and I don't know if it's related, or an 
unrelated bug (as I've seen it previous), but the qubes manager indicated 
remains yellow on debian based VMs.

I struggle to give you all the information you probably need - I don't know 
much about Xen or Xen tools.

Thanks.



[qubes-users] Re: Qubes 4 with Grsec could make a big splash

2016-11-25 Thread jkitt
On Friday, 25 November 2016 11:38:21 UTC, raah...@gmail.com  wrote:
> can you just tell us the options so we can compile it ourselves?  paste the 
> cfg or something.

https://wiki.gentoo.org/wiki/Hardened/FAQ#Do_I_need_to_pass_any_flags_to_LDFLAGS.2FCFLAGS_in_order_to_turn_on_hardened_building.3F

Also:
 
> Can I add -fstack-protector-all or -fstack-protector in the make.conf CFLAGS?

> No, they will likely break the building of many packages, amongst others 
> glibc. 

In other words, these options will break some packages - particularly glibc; 
uClibc is more flexible in that regard.

There's also: https://wiki.gentoo.org/wiki/Hardened/Toolchain

It's not as straightforward as you think. Perhaps you can build selected 
applications as statically linked with PIE, and place it in a grsec chroot 
instead - it would be a lot simpler.

I'd really like to see Gentoo (hardened) support, that and OpenBSD. 



[qubes-users] Re: Qubes 4 with Grsec could make a big splash

2016-11-23 Thread jkitt
On Tuesday, 22 November 2016 19:49:07 UTC, Ronald Duncan  wrote:
> Will this be using the latest linux kernel since grsecurity only provide the 
> latest version free.

Yes, it will be an "unstable" kernel. A bare metal grsec kernel is actually 
available in Debian's testing repo. However, it is not compiled with optimal 
hypervisor guest options, and will be slow (if working at all) in a Xen guest 
environment. And because it's in the testing repo it probably doesn't receive 
as much attention to security as stable.



[qubes-users] Re: Qubes 4 with Grsec could make a big splash

2016-11-23 Thread jkitt
On Tuesday, 22 November 2016 18:58:33 UTC, kev27  wrote:
> On Tuesday, November 22, 2016 at 8:57:56 PM UTC+2, kev27 wrote:
> > I saw this being retweeted by the Qubes account on Twitter. Can Grsec 
> > support still land in Qubes 4.0, or should we expect it for 4.1 or 4.2, etc?
> > 
> > I think if Grsec would be enabled by default in Qubes, it would be no 
> > question that Qubes is the most secure operating system out there.
> 
> Forgot to add the link:
> 
> https://twitter.com/coldhakca/status/801107979126784000

That's great news! Except PAX protections require more than just the kernel - 
they require PIE/PIC compiled binaries/SO's. There's also a number of security 
options that should be enabled in the GCC compiler (see the Gentoo hardened GCC 
profile). This means that the entire userspace would need to be recompiled and 
distributed as a hardened image - someone will need to do the legwork; and it 
will need to be signed by a trusted party.



[qubes-users] Quickest and easiest way to manage updates via command line?

2016-11-23 Thread jkitt
As the title states. Can this be done through salt?

I'm looking to put together something that will manage the updates for all my 
template VMs and even Dom0.



[qubes-users] Re: beginner trying to choose a laptop question

2016-11-23 Thread jkitt
On Monday, 21 November 2016 16:45:10 UTC, Warren  wrote:
> I'm looking at the "HP Laptop 250 G5 (X9U07UT#ABA) Intel Core i5 6200U (2.30 
> GHz) 8 GB Memory 256 GB SSD Intel HD Graphics 520" at 
> (http://www.newegg.com/Product/Product.aspx?Item=N82E16834266056_re=HP_Laptop_250_G5_%28X9U07UT%23ABA%29-_-34-266-056-_-Product).
>  
> ark.intel.com says that VT-d and VT-x is supported by the processor but I 
> can't find out, so far, whether it's actually enabled or can be enabled. 
> HP site says the chipset is intel SoC. 
> 
> Would anyone care to hazard a guess as to whether or not I could use this 
> laptop to run qubes?
> 
> Thanks

As others have pointed out - the chipset has to also support IOMMU (VT-d). A 
lot of chipsets don't. There is the Qubes HCL that defines a lot of supported 
hardware.



Re: [qubes-users] Re: OpenBSD Xen PHVM

2016-10-22 Thread jkitt
On Friday, 21 October 2016 17:50:47 UTC+1, cubit  wrote:
> 7. Sep 2016 16:33 by jo...@johnrshannon.com:
> From the OpenBSD 6.0 Release Notes:
> The xen(4) driver now supports domU configuration under Qubes OS.
> 
> 
> Has any persons investigated if OpenBSD as an AppVM is likely to be possible?

I'd really like to see this.



[qubes-users] Security announcement mailing list?

2016-10-21 Thread jkitt
Shouldn't a security focused distro make security announcements in a more direct 
and urgent way? I was surprised to find that Qubes only had a 'users' and 
'development' mailing list.



[qubes-users] Why is whonix-ws necessary?

2016-10-12 Thread jkitt
Wouldn't an appvm, with the tor browser, and netvm set to sys-whonix do the 
same thing?



[qubes-users] Re: how many passphrases and passwords do you need?

2016-10-03 Thread jkitt
It's a stupid mess. People don't deal with it.

It would be nice if there was a specification, other than a shitty vulnerable 
USB, that would allow the plugging in of a key that stored a GPG private key. 
That way even your grandma could automagically sign an authentication token. 
Such a key-fob would have its own hardware - to receive requests and possibly 
basic PIN authentication; or even fingerprint - if it was completely isolated 
(as in never leaves the device); the authentication module would be on the 
device itself and not through the OS. The idea is that the device itself 
functions like a removable TPM chip.

Although I personally don't trust hardware that stores fingerprint data - it is 
feasible for this method to be implemented rather securely and openly (as in 
libre).

In the meantime, I intend soon to make a Firefox addon or plugin that stores a 
salt and domain in the Firefox sync database. Combine that with a standard 
manually inputted password to create an HMAC, which can then be encoded with 
ASCII values from a lookup table. The result would be a completely random 
password for every domain. To change the generated pass you would change the 
salt. The salt is stored in Firefox sync but your password is not.

I won't get to implement this until I finish UNI in a couple of years. Until 
then I'm stuck with what I have.

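The per-domain password scheme sketched in the post above (a stored salt and domain, a typed master password, an HMAC, and a lookup table of ASCII characters) could look like this. It is an added example, not the poster's code; the function names, the character table, the PBKDF2 stretching step and the rejection sampling are assumptions that go beyond what the post specifies.

```python
import hashlib
import hmac
import secrets
import string

# Lookup table of ASCII characters the generated password may use (assumed set).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Assumption: the post only mentions an HMAC. Stretching is added here because
# the salt lives in a sync database, so anyone who obtains it together with one
# generated password can guess master passwords offline; PBKDF2 makes each guess
# cost PBKDF2_ROUNDS hash operations.
PBKDF2_ROUNDS = 200_000


def new_salt():
    """Random per-domain salt; this is the only value that would be synced."""
    return secrets.token_bytes(16)


def derive_password(master_password, domain, salt, length=20):
    """Deterministically derive a site password; the master password is never stored."""
    key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Normalise the domain so "Example.org " and "example.org" give the same result.
    domain_b = domain.strip().lower().encode("utf-8")

    # Map HMAC output bytes onto the table. Bytes at or above `limit` are
    # discarded so every character is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    out = []
    counter = 0
    while len(out) < length:
        msg = domain_b + b"\x00" + counter.to_bytes(4, "big")
        block = hmac.new(key, msg, hashlib.sha256).digest()
        for b in block:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    salt = new_salt()
    print("synced record:", {"domain": "example.org", "salt": salt.hex()})
    print("password:", derive_password("master passphrase", "example.org", salt))
    # Rotating the site password means replacing only the synced salt.
    print("rotated: ", derive_password("master passphrase", "example.org", new_salt()))
```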


[qubes-users] Re: hosts file.

2016-09-22 Thread jkitt
On Thursday, 22 September 2016 02:57:39 UTC+1, Drew White  wrote:
> Hi Qubes devs,
> 
> Can you please point out how I can make the system STOP overwriting the HOSTS 
> FILE?
> 
> I have different domains targeted to 127.0.0.1
> then when I boot, you automatically overwrite anything that is...
> 127.0.0.1 mynewdomain.name
> 
> to
> 
> 127.0.0.1 thismachinehostname
> 
> This is really frustrating.
> I'm having to now alter the entire system config to target a hosts file on my 
> RW directory.
> 
> This is a STANDALONE guest, and thus shouldn't have anything like that 
> happening.

You can always set the immutable attribute with: chattr +i.

This will be a guest distro specific issue and not one with Qubes.



[qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-12 Thread jkitt
Any software can have flaws. The only distinction between Ethernet and WiFi in 
that regard is that WiFi can be exploited by anyone within RF range regardless 
of whether they're authenticated to the same network or not; Ethernet requires a 
physical connection.



[qubes-users] Re: Qubes Security Bulletin #25

2016-09-11 Thread jkitt
> A malicious guest administrator can crash the host, leading to a DoS. 
> Arbitrary code execution (and therefore privilege escalation)

Think this is an example of why it's a good idea to password protect guests?



[qubes-users] Re: Do Linux browser exploits exist..?

2016-09-11 Thread jkitt
On Saturday, 10 September 2016 19:18:10 UTC+1, neilh...@gmail.com  wrote:
> I've seen some dispute that a Linux browser exploit even exists.
> 
> Like, could you take Chrome or Firefox to a page, and then have a remote 
> shell, that loads a file onto the hard drive to monitor everything?
> 
> I can do this with Metasploit on Windows, but I've actually seen a lot of 
> people saying that it's not even possible on Linux.

Of course they do..



[qubes-users] Re: Can DMA attacks work against Ethernet... or just WiFi/wireless...?

2016-09-11 Thread jkitt
On Monday, 12 September 2016 00:29:14 UTC+1, neilh...@gmail.com  wrote:
> Qubes uses VT-D to protect against DMA attacks on things such as WiFi chip.
> 
> But are there any proven DMA attacks against wired networking, i.e. 
> Ethernet..?
> 
> Hackers can exploit a buffer overflow on the network card's firmware, and use 
> that to take control of the network card, and issue a DMA attack to take 
> control of the entire host computer.
> 
> I previously posted a thread about this on qubes-users ("Question on DMA 
> attacks")
> ... and Marek mentioned WiFi when speaking of DMA attacks.
> 
> Is Ethernet also vulnerable...? Or just WiFi..?
> 
> I say this because I wanted to build a Tor router that sits between Qubes and 
> my main router... so that even if Qubes gets hacked, they can only see what 
> I'm doing, and not WHO I am. The theory being, that there are no exploits for 
> Tor itself, and only for the Firefox browser. Thus, the IP address is always 
> obscured behind the Tor router.
> 
> So my router box is going to have Ethernet only, because if my Qubes is 
> hacked, then it could just use WiFi to scan for nearby routers, including my 
> own WiFi router, and thus identify me.
> 
> So, wired networking is a must.
> 
> And thus, I wanted to know if Ethernet is vulnerable to DMA attacks, because 
> if it is, then I would have to use Qubes for the Tor box in the middle.. or 
> at least, use some OS that supports VT-D, even if it's not Qubes.
> 
> Qubes has high system requirements, thus I'd prefer to have a cheap computer 
> as the Tor router in the middle.. But if there truly are exploits against 
> Ethernet, then I'll just have to use Qubes.

DMA is a privilege given to PCI(e) devices (DMA controllers) - eNICs run over 
the PCI(e) bus - a lot of eNICs have DMA controllers. RDMA is a specification 
that relies solely on DMA.



[qubes-users] Re: Does anyone use a dedicated Tor router box..?

2016-09-10 Thread jkitt
On Friday, 9 September 2016 09:56:36 UTC+1, neilh...@gmail.com  wrote:
> the problem with Qubes, of course, is all the Xen exploits which make it 
> insecure.

Off-topic here but is Qubes really insecure? Should I be worried?



Re: [qubes-users] Streisand - AntiCensorship software

2016-09-08 Thread jkitt
On Wednesday, 7 September 2016 14:08:16 UTC+1, Connor Page  wrote:
> agree, when I looked at it some time ago I could not imagine why I would need 
> all of that. too large an attack surface for my taste. however, I did 
> investigate what individual elements are capable of and borrowed some ideas, 
> like using port 636 and tls-auth for openvpn.

Why specifically that port?



[qubes-users] Centrino 6505 hard blocked

2016-07-24 Thread jkitt
I have a Thinkpad t420s and the WiFi card is showing as hard blocked. 

The kill switch, on the side, is in the on position;
I've disabled and removed the card for an extended period of time (20 mins) to 
try and reset potential state corruption;
run rfkill on it with modules unloaded (however, it's hard blocked)

The card went into that state on its own. I was midway through browsing the 
web. No updates - the card was working for a week without an update. It just 
suddenly stopped working.

Card: Intel Centrino Advanced-N 6205 [Taylor Peak] (rev 34)



Re: [qubes-users] Unable to update templates

2016-07-20 Thread jkitt
My netvm is a proxyvm that I've set up. I've just found out about the global in 
which the updatevm can be changed. However, I've set this to my VPN VM yet 
nothing - it's still trying to connect to the same IP. IIRC that IP is a 
non-existent node but it's filtered by a proxy. How do I get that proxy running 
on my VPN VM?



Re: [qubes-users] Re: shared clipboard is inconsistent

2016-07-15 Thread jkitt
On Friday, 15 July 2016 21:32:05 UTC+1, Marek Marczykowski-Górecki  wrote:
> Len 0? VM returned no data for copy request. Are you sure you've copied
> it there (i.e. Ctrl-C before Ctrl-Shift-C)?

Well, therein lies the problem. I wasn't copying it to the clipboard first (for 
some reason I thought Ctrl-Shift-C would do that for me).

Thanks.



[qubes-users] Re: shared clipboard is inconsistent

2016-07-15 Thread jkitt
On Thursday, 14 July 2016 21:57:23 UTC+1, jkitt  wrote:
> Sometimes it works; sometimes it doesn't. Has anyone else noticed this? 
> 
> v3.1

secure copy
handle_clipboard_data, len=0x0
open /var/run/qubes/qubes-clipboard.bin.xevent: No such file or directory



[qubes-users] shared clipboard is inconsistent

2016-07-14 Thread jkitt
Sometimes it works; sometimes it doesn't. Has anyone else noticed this? 

v3.1



[qubes-users] Re: debian firefox and whonix torbrowser can no longer play videos in fullscreen and freeze

2016-06-20 Thread jkitt
The same happens with me. I suspect hardware acceleration. It can be 
switched off in flash with:

sudo su
mkdir -p /etc/adobe && echo "EnableLinuxHWVideoDecode = 0" > /etc/adobe/mms.cfg

Restart the browser.

For HTML5 videos (YouTube) the media.* configs are for controlling HTML5 
decoding extensions. Particularly "media.hardware-video-decoding.enabled" 
although I still can't seem to fullscreen HTML5 videos without it 
glitching my browser - I wonder if anyone else has fixed this?

On Monday, 20 June 2016 20:50:26 UTC+1, raah...@gmail.com wrote:
>
> If I go to youtube click the fullscreen button on the player,  the browser 
> goes fullscreen but not the video, and the browser becomes unresponsive. 
>
> This is the exact same issue that has always been present with fedora's 
> firefox on qubes.   Something has changed now in debian around the time 
> they dropped iceweasel for firefox esr.  The same issue now also happens in 
> torbrowser.  I don't know why this happens.
>



Re: [qubes-users] T420s and pci passthrough

2016-06-19 Thread jkitt
Thanks. I read that in the man page but what does "reset" mean in this 
context?

On Sunday, 19 June 2016 15:07:12 UTC+1, Andrew David Wong wrote:
>
> On 2016-06-18 17:49, jkitt wrote: 
> > So I was unable to get pci passthrough working for any of the USB 
> > devices without disabling pci_strictreset. What does this option 
> > actually do? 
> > 
>
> "Control whether prevent assigning to VM a device which does not 
> support any reset method. Generally such devices should not be 
> assigned to any VM, because there will be no way to reset device state 
> after VM shutdown, so the device could attack next VM to which it will 
> be assigned. But in some cases it could make sense - for example when 
> the VM to which it is assigned is trusted one, or is running all the 
> time." 
>
> Source: https://www.qubes-os.org/doc/dom0-tools/qvm-prefs/ 
>
> Also available via `qvm-prefs --help`. 
>
> - -- 
> Andrew David Wong (Axon) 
> Community Manager, Qubes OS 
> https://www.qubes-os.org 
>
>

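What "does not support any reset method" means in practice can be checked from a shell. The following is an added example, not part of the thread and not Qubes code: it assumes the Linux sysfs convention that a PCI function the kernel can reset has a `reset` attribute in its device directory, and the function name `pci_reset_report` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Report, for each PCI function under a
# sysfs directory, whether the kernel advertises a reset method for it.
# Assumption: a resettable function has a "reset" file in its sysfs directory;
# a function with no reset method has none.
#
# Usage:  pci_reset_report [SYSFS_PCI_DIR] [CLASS_PREFIX]
#   SYSFS_PCI_DIR  defaults to /sys/bus/pci/devices
#   CLASS_PREFIX   optional filter, e.g. 0x0c03 for USB host controllers
# Prints one line per matching device and returns 1 if any of them has no
# reset method (the devices the strict-reset check quoted above refuses).
pci_reset_report() {
    root="${1:-/sys/bus/pci/devices}"
    want="${2:-}"
    missing=0
    for dev in "$root"/*; do
        # Entries are symlinks to device directories on a real system.
        [ -d "$dev" ] || continue
        class=$(cat "$dev/class" 2>/dev/null || echo unknown)
        # An empty prefix matches every class.
        case "$class" in
            "$want"*) ;;
            *) continue ;;
        esac
        if [ -e "$dev/reset" ]; then
            state=yes
        else
            state=no
            missing=1
        fi
        echo "$(basename "$dev") class=$class reset=$state"
    done
    return "$missing"
}

# Example call on a live system (USB controllers only):
#   pci_reset_report /sys/bus/pci/devices 0x0c03
```

A controller reported as `reset=no` cannot be returned to a known state between assignments, which is the case the quoted documentation says should only be allowed for a trusted or always-running VM.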


[qubes-users] Re: Debian listening sockets and RPC

2016-06-17 Thread jkitt
Bump, okay, the "systemd" process turned out to be a service for scanners. 
However, I'm still not sure whether qubes requires guests to run rpcbind or 
not.

On Sunday, 12 June 2016 13:38:17 UTC+1, jkitt wrote:
>
> I was wondering what listening sockets are required for qubes guests. 
> Specifically rpcbind and systemd have ports listening. Does Qubes require 
> either of these?



[qubes-users] Re: i3-configs?

2016-06-16 Thread jkitt
I would share mine but it's pretty much the default. There's not really 
much to tinker with in i3 because it's pretty headless. I was going to 
write some scripts to place some VM info in the bar at the bottom but I 
haven't got round to it yet - I will no doubt post them in this group when 
I do.

On Thursday, 16 June 2016 12:43:43 UTC+1, Niels Kobschätzki wrote:
>
> Hi, 
>
> does anyone have their personal i3-config publicly available for Qubes? 
> I like to look at other peoples config to see what they have done or how 
> they solved certain stuff. 
>
> Niels 
>



[qubes-users] Controlling pulse from the command line

2016-06-15 Thread jkitt
So it appears that pactl or pacmd isn't in qubes Dom0 repository. Any 
suggestions on how I can control Pulse Audio through the command line? 
Apparently it can be done with amixer:

amixer -D pulse sset Master mute

However, the device pulse doesn't exist. amixer without arguments displays 
all the devices - no pulse device.

amixer sset Master mute

Works - but that, I think, is setting it through Alsa - and once Alsa is 
muted Pulse Audio remains muted until explicitly unmuted.. which has to be 
done through pavucontrol.

I'm lost. I've never liked sound on Linux.. it makes my brain hurt.



Re: [qubes-users] Issues with ACPID in Dom0?

2016-06-15 Thread jkitt
Oh thanks! Turns out I wasn't setting the display variable.

On Wednesday, 15 June 2016 08:08:28 UTC+1, Marek Marczykowski-Górecki wrote:
>
> On Tue, Jun 14, 2016 at 09:11:41AM -0700, jkitt wrote: 
> > Are there any specific issues with ACPID in Dom0? 
> > 
> > For whatever reason the actions are not being executed. acpi_listen is 
> > displaying the event fine though. 
> > 
> > Is there an alternative? 
>
> It works fine for me. Maybe you've forgotten about some configuration? 
> This is mine: 
>
> [marmarek@dom0 ~]$ cat /etc/acpi/events/lid-close 
> event=button/lid LID close 
> action=/etc/acpi/actions/lid-close.sh 
> [marmarek@dom0 ~]$ cat /etc/acpi/actions/lid-close.sh 
> #!/bin/sh 
> 
> su -c 'DISPLAY=:0 XAUTHORITY=/var/run/lightdm/marmarek/xauthority xscreensaver-command -lock' marmarek 
>
>
>
> - -- 
> Best Regards, 
> Marek Marczykowski-Górecki 
> Invisible Things Lab 
> A: Because it messes up the order in which people normally read text. 
> Q: Why is top-posting such a bad thing? 
>



Re: [qubes-users] Change WM_CLASS(STRING) on domain windows

2016-06-14 Thread jkitt
That's a good idea - thanks. I will certainly choose something soon enough. 
I'm currently reading through the developer documentation.

Thanks!

On Tuesday, 14 June 2016 21:46:42 UTC+1, Marek Marczykowski-Górecki wrote:
>
> On Tue, Jun 14, 2016 at 06:39:18AM -0700, jkitt wrote: 
> > Soon is good. Are the qvm-tools something I can contribute to? I will be 
> > making something for myself anyway and it will be properly tested. 
>
> If you just want to work on something useful, take a look at qubes 
> issues with label "help wanted". 
>
> - -- 
> Best Regards, 
> Marek Marczykowski-Górecki 
> Invisible Things Lab 
> A: Because it messes up the order in which people normally read text. 
> Q: Why is top-posting such a bad thing? 
>



[qubes-users] Anyone got any interesting scripts for i3wm they wish to share?

2016-06-13 Thread jkitt
Since i3 is without most of the pointy clicky benefits I was wondering if 
any of you guys have any scripts that make life easier. I was thinking 
about writing a python script to control VM applications and domains with 
little effort.
