I've converted all my VM's to debian-8, and I'm continuing the
never-ending process to trim down the service vm's to the bare minimum
underlying template.
No sense having cups, pulseaudio, libreoffice, etc, lurking around in a
dedicated packet-flinger VM. Especially with the dozens of processes
I've finished my conversion of all VM's to debian-8 (and isolating USB,
the sound card, etc.). (Next is dom0, and maybe replacing the
hypervisor, but that's another story. :) )
The last hiccup was getting OpenVPN working in debian-8 in a ProxyVM. It
would connect, but then get stupid and
While updates are signed, so even if they come over the wire in cleartext,
the fact that they often are sent in the clear (even from debian.net)
allows a snooper to know what packages you're scanning for metadata or
installing. It reveals a lot about the state of your system.
Updating over Tor or
TomL Wrote:
> I believe that Nvidia binary drivers do not work under Xen. I spent a
> while trying unsuccessfully before reading some documentation to that
> effect which I considered reliable at the time, but can't immediately
> recall. If you find credible evidence that there's some workaround,
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On Wed, Dec 14, 2016 at 06:44:35AM -0800, Andrew David Wong wrote:
>> On 2016-12-14 06:31, harh...@gmail.com wrote:
>> > I did that already, so...
>> >
>> > That's the point - I can't run any command, cause vm-manager (and
>> > the process
> Interesting that the Wiki page for swappiness (this kernel parameter is
> officially more famous than I am) recommends setting it to at least 1.
>
> https://en.wikipedia.org/wiki/Swappiness
I'm going to stick with vm.swappiness=0 for a few days just to see if any
reliability problems or app
> Interesting, sounds reasonable.
>
> Running with absolutely 0 swap however can lead to unexpected problems
> from my experience:
Interesting that the Wiki page for swappiness (this kernel parameter is
officially more famous than I am) recommends setting it to at least 1.
It always seemed a bit "off" to me that there should be any swap usage or
significant buffers/caches inside VM's.
dom0 already caches the virtual .img files, so having the kernel inside
each VM also buffering/caching files and metadata is really just a waste
of CPU and disk space.
More
> Hello,
>
> I need to add some static routes since I'm using a network with different
> GWs. For that reason I've tried to add some static routes through the
> NetworkManager which maps all the configuration into a file called
> qubes-uplink-eth0 . Strangely and since this file is within the
>> Now, about 4.7. Note that the page for only lists individual names,
>> does
>> not list any company affiliations or employers at all. An odd
>> change/omission?
>
> could there be a simpler explanation?
Certainly. Maybe some intern generating the stats page was too lazy to
summarize it by
> Ok, so I tried to enable the updates proxy in the sys-firewall
> consequently forcing all updates to go through the VPN, I followed the
> instructions outlined here -
> https://www.qubes-os.org/doc/software-update-vm/#updates-proxy
> However, as soon as I try to run the updates on one of the
>> Does anyone knows how to set static routes persistently into the
>> sys-firewall?
NetworkManager lets you add static routes for a network card. You might
be able to get what you want by adding and checking off the
'network-manager' service for the VM (and restarting), then configuring
the
> Andrew:
> This kind of security-first posture is what has made Qubes famous.
I agree that Qubes separation is probably the most secure basis for a
reasonably usable PC-based platform today. It's all I'll use. (I worry
about 4.0 not working on my hardware, tho. And upgrading hardware brings
> I'm having same issue, I know there is enough space because df -h shows
> 198G available and qemu-img-xen info image.vmdk shows that the virtual
> disk size is 8G
I've had cases with the qemu tools where it reported a write error because
it had trouble reading one of the input files (corrupted,
(Accidentally posted this to the tail of another thread; I assumed a
subject change would create a new thread. Whoops. Reposting.)
Why is it that the linux module for my ethernet device is loaded in dom0?
There's obviously no networking, /proc/net/dev and ifconfig only show
localhost.
The
Hi, Qubers:
Wonder if someone could tell me if this is normal/expected behaviour.
(3.2rc3):
If I have a few AppVM's running, at some point, the manager will refuse to
start any more VM's, complaining about low memory. Similarly, assigning
devices to running VM's will fail. (Most annoying.)
Finally got around to doing a fresh install of Qubes 3.2rc3 on a btrfs root.
It's quite wonderful, being able to clone a template or an AppVM
instantly, taking no additional disk space except for changes.
However, after the initial install, I had sys-net, sys-firewall and had to
create them
> Hi JJ,
>
> Did some more testing, you were right, I only have 3.
Hey, that's still pretty handy for separation.
In Qubes VM Manager, for a chosen VM, you *should* be able to pick a given
PCI USB device and assign it.
Only having one USB bus myself, also used for root, I haven't tried this.
I
> Hi JJ,
>
> My PC has 10 USB Bus's.
> My keyboard and mouse are on bus 10, which is PCI device .XX.X and I
> left that one on Dom0.
Are they 10 separate PCI devices, 10 separate USB buses?
I'd be very surprised if that were the case. But also very impressed, and
wanting such a motherboard
> It may no longer be the case, but it used to be that most USB keyboards
> and mice had controllers that also automatically auto-detected and
> supported PS/2, with a simple passive passthrough dongle between the
> USB->PS/2 connection.
>
>
> I want to get the USB VMs to work, but I use keyboard and mouse via USB,
> not PS/2, so it will not permit me to configure it.
>
> I wish to attach specific USB Ports to Dom0, which is 1 of the bus's. And
> the other USB bus's to the USBVM, but I can't find out what device to
> attach to Dom0 to
> You can get a motherboard that has a removable bios chip that you can just
> snap in to replace, Then call the company and have them send you one or
> two to hold onto for emergency lol. There is also mobos with dualbios,
> mostly this is for bringing a bricked board back to life.
I actually
> Yeah, Joanna is seriously epic.
Upon that, we can all agree.
Everything she designs or writes up, seems bang-on (and wonderfully
informative) in this increasingly security-threatened world we're living
in.
She's probably just a fictional character created by the NSA to mesmerize
and lure us
> My PC's RT clock might drift by a few seconds each week
Actually, it's not even that bad. I'm sure I've fired up motherboards or
laptops that haven't been touched in years, and their clocks were accurate
within a minute.
So there's no need for synchronizing your time so frequently.
I just
> The "listening" services are less of a concern, since the firewall
> wouldn't permit any incoming connections to be passed through to start
> with. It's the "phone home" style services, like time sync, Samba name
> lookups on microsoft servers, and such, that are more concerning, and
>
> Also just to add qubes devs have fedora template with less listening
> process than debian-8 which is not default and more community based. But
> if you want to use debian instead for your sysnet or firewall or w/e.
> You can disable all the listening processes yourself.
It's an
> How about Google Chromebooks which have a system to auto-restore the OS if
> it thinks it's been tampered with..?
Doesn't that imply trust in Google, who is known to cooperate with NSA and
such (as required by US law)?
I have had serious problems with a hacked Android phone, and the
> On Tuesday, September 27, 2016 at 6:51:31 AM UTC-4, neilh...@gmail.com
> wrote:
>> If I think a computer has been infected, is there anything else I should
>> wipe/re-install other than
>>
>> 1. Hard Drive / Operating System
>>
>> 2. BIOS
This also brings up the question of BIOS vs. EFI, which
> I'm back with a brand-new workstation setup to try Qubes on. I bought a
> Matrox C680 and hooked up six monitors to its DisplayPort outputs. I'm
> using Qubes R3.2 fully updated as of now, with XFCE.
Six monitors??? Wow!
Can I come over and hang out at your place?
JJ
> I forget which blackhat event, they showed how you can think you are
> flashing a bios. But the malware will remain.
That's creepy. Don't most BIOS flashing utilities do a verification? Or
perhaps the flashing utility itself is what was compromised in the
blackhat demo.
Another reason why
>> Especially if you did the sharing via a separate vpn or ssh tunnel. But
>> in general, I don't think Qubes security should be considered much if
>> any benefit to adjacent non-Qubes systems.
>>
>> Chris
>>
>> > The benefits far outweigh the risks, as long as you don't do most of
>> your
>> >
> If I think a computer has been infected, is there anything else I should
> wipe/re-install other than
>
> 1. Hard Drive / Operating System
>
> 2. BIOS
>
> Is there anything else that a hacker could possibly infect that needs to
> be wiped/re-installed..?
Lol, don't get me started...
- Any PCI
> Hmmm, you would probably also need to re-export the app shortcuts to dom0.
> This *may* be the best way to do it, but the Qubes devs may have a better
> suggestion. Open a terminal in the newly restored VM and run:
>
> "/usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh
>
> I just copied my standalone VM that was working, to back it up.
>
> Then I restored the .img files, which is the HDD, and now it's telling me
> I don't have the dependencies to run the application that I was running
> before I copied the img files.
>
> Why is this broken?
> Why will
> On Monday, 26 September 2016 12:11:56 UTC+10, johny...@sigaint.org wrote:
>> AppVM's are designed to toss changes, other than /home, /rw, /usr/local.
>> It's a good thing; if one gets compromised, it's a temporary compromise.
>> :)
>>
>> If you want permanent changes, update your template.
>>
> Really ? No one to find also suspicious a wild init/1 tcp6 port listening
> on your templateVM, right out of the box ? This got to be real.
...
> I am answering you on my phone just because it seems my old Qubes deleted
> partition doesn't like very much my USB key to runs over it, for some
>
> Wow. Not even 4 GB of compiled drivers for the WiFi. You are saying it's 4
> GB of raw plaintext source code..?
>
> WOW
>
> That's INSANELY complex.
Apologies, I spoke a bit hastily. What I was seeing was 4 million Git
objects, not 4G of data (although it may be). And that included all
branches
> What does "systemctl list-sockets" show? Any services that systemd is
> providing a listener for should be listed here.
If you do spot a network socket service in that listing, you can stop the
current service with "systemctl stop blah.socket", and disable it in the
future (next reboot or VM
> Thank you guys for your help, but unfortunately I don't think there is a
> way to get rid of this process listening on tcp6 on init (systemd... d
> standing here for distant...). It is listed as 1 on PID, I don't think you
> can't remove it, it is a main process. So I am not interested in using
> Please read if you haven't already:
>
> http://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf
>
> 2 big takeaways:
>
> 2. The Physical Gateway needs to be secure not only from attacks from the
> Internet but also attacks from the client appVM.
> And yes, by all means, I will use Whonix's system rather than my own
> custom script.
I agree that Whonix is a key component. A NetVM that ensures *all* your
traffic goes through Tor, with no leakage, as well as doing secure DNS
lookups for you, is a big security plus.
They've also put a fair
> Well, entr0py, you are correct.
>
> It does indeed come down, to either Xen, or my networking stack.
>
> Let me ask... what is the security like for Ethernet..?
Anything going over a wire is going to have a far shorter RF leakage range
than WiFi. Unless your threat actor is in the house or
> OK, so the main takeaway from your answer:
>
> "The card doesn't have a host CPU and so it doesn't require a firmware
> source"
>
> that seems like the most interesting
>
> the driver would still need to be bug-free though
>
> who knows whether any of these have even been audited
I think the
> Hi folks,
>
> Any chance that there will be added in the feature for snapshots?
> even CoW snapshots would be good, then a consolidation option once done.
>
> I have one issue where I want to do something, but I have to 7z the VM
> before I can do anything to it in-case it breaks.
>
> I know
> Yeah... and surely this is exactly what can happen, no..?
>
> We had 2 Xen exploits in the last 1 year.
I expect those exploits have caused a lot more scrutiny of the code, so
hopefully such exploits won't be heard of again. Qubes devs are moving
away from PVM which should avoid the threat of
> If your Tor is running in another appVM, such as whonix-gw does, the worst
> a sys-net compromise could do is redirect the *encrypted* Tor traffic from
> whonix-gw, which isn't terribly useful for the attacker.
Oh, I should mention, as you asked in your original question, that yes, a
> OK, but I have already built the script. I have it running in Net VM. It
> works.
>
> I am NOT asking you to make an alternative system.
>
> I am simply asking whether an attack on the WiFi/Ethernet in the Net VM
> could also end up messing up my Tor script.
>
> Look at the question again:
>
>
> nishiwak...@gmail.com:
>> Hello,
>>
>> I am surprised that there is no way to disable ipv6 on Debian template.
>>
>> I reinstalled first the template using documentation
>> https://www.qubes-os.org/doc/reinstall-template/
>>
>> Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in
> I'm pretty sure that can be done fairly simply, out-of-the-box via
> NetworkManager, not requiring a script:
Oh, and another good tip, is to make another NetworkManager show up in a
secondary VM (other than just from sys-net), you can manually add
"network-manager" (and check it) as a service
> In terms of "hotspot" terminology, what it does is, quote from author of
> the script:
>
> "it bridges the two interfaces but uses NAT to achieve it"
Ah, so it sets up some iptable nat rules (and maybe tweaks torrc to allow
it to listen on a non-local interface; although iptables could do that
> OK, it's the original poster here.
> The consensus so far is that anything I run inside sys-net should be
> vulnerable, and that it is advised not to run programs in sys-net.
>
> So, in this case, how am I supposed to run my Ethernet Tor hotspot..?
I think you're going to have to be more specific
> I am surprised that there is no way to disable ipv6 on Debian template.
>
> I reinstalled first the template using documentation
> https://www.qubes-os.org/doc/reinstall-template/
>
> Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I
> did reboot the Template but it didn't
Chris wrote:
> Especially if you did the sharing via a separate vpn or ssh tunnel. But
> in general, I don't think Qubes security should be considered much if
> any benefit to adjacent non-Qubes systems.
This is one of my favorite implicit features of Qubes:
Setting up multiple layers of network
Chris wrote:
> Especially if you did the sharing via a separate vpn or ssh tunnel. But
> in general, I don't think Qubes security should be considered much if
> any benefit to adjacent non-Qubes systems.
I'm curious as to why you would say this.
Any additional firewall between a Laptop and the
> Simple question: Why are Ethernet and WiFi in sys-net..?
>
> Is it
>
> (A) Just for easy access to the same network for all App VMs..?
>
> (B) Because this is isolating Ethernet and WiFi from the rest of the
> system, to stop DMA attacks..?
Primarily (B). Any DMA attack or other network
> If the Qubes machine is hit by a DMA attack, it is compromised and could
> thus tamper with the forwarded Internet connection however the attacker
> desires. (As well as scraping any credentials you might use in common on
> the Qubes box, and carrying out aggressive attacks on anything on your
> Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet.
>
> The Qubes machine is sharing its Internet connection.
>
> Let's say the Qubes machine gets hit with a DMA attack.
>
> The 2nd laptop is not a Qubes machine, and therefore doesn't have VT-D for
> DMA protection.
>
> Can
> Hello,
>
> New version of Qubes Screenshot tool available.
>
> https://github.com/evadogstar/qvm-screenshot-tool
>
>
> If you do not know what is it: a tool to easy make screenshots and
> upload them to the AppVM and to the web ( imgurl service ).
>
> Changelog:
> - Now, it's possible to re-open
> Mr. Harrison:
>> Dear qubes-users,
>>
>> I am long time qubes follower and user. I apologize in advance if anyone
>> feels this request is spam.
>>
>> I am looking for two invite codes needed to sign up to anonymous
>> riseup.net email service.
I agree that asking random strangers for Riseup
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On Thu, Sep 22, 2016 at 03:56:57PM -0700, Connor Page wrote:
>> In fact, I think the right question is "Will Qubes 4 be compatible with
>> btrfs root if vm storage is expected to reside on a LVM thin pool?"
>
> This is a good question. The
Has the Qubes team ever considered the use of btrfs?
https://en.wikipedia.org/wiki/Btrfs
It's been the default root FS for Suse since 2012:
https://www.linux.com/news/suse-linux-says-btrfs-ready-rock
While reading about its features (and using it) it seems like it would be
especially
> On Wednesday, 21 September 2016 02:25:15 UTC+10, johny...@sigaint.org
> wrote:
>> > On Sunday, September 11, 2016 at 11:11:28 PM UTC-4, Drew White wrote:
>> >> On Friday, 9 September 2016 18:58:51 UTC+10, Thomas Ernst wrote:
>> >> > Hi all,
>> >> >
>> >> > Does Qubes support NVIDIA GeForce
Quite frequently, under Debian-8, when I go to assign a device, it quietly
appears to work (Qubes Manager shows it assigned), but the device never
shows up, and the VM's dmesg shows things like this:
[Tue Sep 20 13:17:09 2016] xenwatch: page allocation failure: order:5, mode:0x240c0c0
[Tue Sep 20
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2016-09-19 13:36, johnyju...@sigaint.org wrote:
>>> I've finally got Qubes set up in a way I'm comfortable working every
>>> day.
>>>
>>> Now I wanted to move that same installation to another drive for its
>>> permanent home.
>>
>> Oh, I
> On Sunday, September 11, 2016 at 11:11:28 PM UTC-4, Drew White wrote:
>> On Friday, 9 September 2016 18:58:51 UTC+10, Thomas Ernst wrote:
>> > Hi all,
>> >
>> > Does Qubes support NVIDIA GeForce graphics cards? The reason for
>> asking is that I am planing to buy a Lenovo ThinkPad T460p Laptop,
> Anaconda is notorious for messing up specific requests for volume
> layout. You would stand a much better chance of getting help in a fedora
> or redhat forum... they have many more people experienced with this.
Cool, thanks. I guess it is a more general grub/luks/lvm issue, and not
Qubes 3.2rc3-testing (and earlier), AMD Athlon X2, GeForce motherboard,
NVidia MCP61 USB controller:
I'm currently running Qubes from an external USB drive. (Moving to
internal drive as soon as I figure out how to smoothly migrate it.) For
now, it works great in general.
In the meantime, I've
> I've finally got Qubes set up in a way I'm comfortable working every day.
>
> Now I wanted to move that same installation to another drive for its
> permanent home.
Oh, I also meant to ask this:
Does all of the Template/VM state live in /var/lib/qubes? Obviously the
machines' disks do, and it
I've finally got Qubes set up in a way I'm comfortable working every day.
Now I wanted to move that same installation to another drive for its
permanent home.
The current drive has a standard bios /boot partition (sda1), and an
encrypted extended partition (#5) containing lvm with swap and /.
> On Wednesday, August 31, 2016 at 10:40:23 AM UTC-7, grzegorz@gmail.com
> wrote:
>
>> An actual protection would be some kind of a chemical that would destroy
>> the ram chips if they ever reach certain (lower than room) temperature.
>
> the epoxy is likely to damage them in most means of
>> https://freedesktop.org/wiki/Software/PulseAudio/FAQ/#index15h3
>
> I've looked at it few years ago and it was outdated/unmaintained at that
> time already. I gave up on setting this on Win 7. I bet now it's even
> harder.
Yes, weird how neglected it is. Do people not write utility software
> This is scary:
>
> https://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe?variant=353378649
Related, and (disturbingly) informative:
https://github.com/brandonlw/Psychson
JJ
--
You received this message because you are subscribed to the Google Groups
> On Wed, Aug 31, 2016 at 10:05:59PM -, johnyju...@sigaint.org wrote:
>> I'm curious to some mentions-in-passing about Andrew's hate for USB
>> keyboards. USB-anything isn't good for security, but what in particular
>> so much worse about USB? Both USB and PS/2 can keylog, or play
>>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Details here:
> https://www.qubes-os.org/news/2016/08/31/qubes-OS-3-2-rc3-has-been-released/
>
> As usual, you can download new image from:
> https://www.qubes-os.org/downloads/
>
> Users of R3.2 rc1 or rc2 can just install updates, no need
While qvm-block is a wonderfully handy tool for adding individual
partitions to a VM, the Qubes VM Manager can only add entire devices from
its GUI.
I think that it's a pretty strong argument Qubes' spirit of "protecting
the user from him/herself" to make sure this feature (maybe in a nested
menu
> On 2016-08-30 01:16, johnyju...@sigaint.org wrote:
>> Say someone compromises the dom0 encrypted drive password, and
>> then goes shuffling through the private.img file of the AppVM's to
>> get at Firefox's passwords...? The VM itself wouldn't have to be
>> running corrupt code for that, and
> Hey, does anyone have any luck with getting any form of OSX to fire up
> under Qubes?
>
> After several other failures, I was able to get some iPC ISO build to get
> to a certain point in an HVM, but the mouse didn't work, so I couldn't do
> much, and I couldn't figure out how to get it to any
> But I'll give Joanna's page a more detailed read when I'm a bit more refreshed.
Sorry, not just "Joanna's" page; on a quick scan, I see you contributed to
it significantly as well.
I very much look forward to giving it a proper read and review tomorrow.
Cheers, and thanks, Andrew. :)
JJ
> Thanks for the suggestions. Our goal for Qubes 4.0 is to "decompose"
> the current Qubes Manager by integrating its functions more seamlessly
> into the desktop environment:
>
> https://github.com/QubesOS/qubes-issues/issues/2132
>
> We hope that this approach will take care of the kinds of
> On Saturday, August 27, 2016 at 1:50:22 PM UTC-7, johny...@sigaint.org
> wrote:
>> BTW, keepassx rocks. I'm working on some scripts to make it a little
>> less
>> painful with all the Ctrl-Alt-C and Ctrl-Alt-V'ing (which also conflicts
>> with the standard konsole paste shortcuts).
>
> I have
These are fairly minor cosmetic issues, and if I ever get some of my
current struggles under control, I'll submit patches instead of
suggestions. :)
I think the Qubes folks' work on the VM Manager (and install process, which
is amazing) has made major strides in making the system more accessible
Hey, does anyone have any luck with getting any form of OSX to fire up
under Qubes?
After several other failures, I was able to get some iPC ISO build to get
to a certain point in an HVM, but the mouse didn't work, so I couldn't do
much, and I couldn't figure out how to get it to any kind of
> On 08/27/2016 07:36 PM, Cube wrote:
>> On Saturday, August 27, 2016 at 9:31:31 AM UTC-7, Alex wrote:
>>> On 08/27/2016 05:59 PM, Cube wrote: For specific services (say, the
>>> mentioned Amazon) I keep a keepassx database on the specific AppVM
>>> in which the service is expected to be used -
>> Whether using an "isolating proxy" (multiple machines) or not, using a
>> white-listing proxy like Corridor can help ensure all of your traffic
>> passes through Tor (Entry Guard, at least).
>>
>
> That's right. Also, using Firefox with those extensions is *not* the same
> as
> using Tor
> Am 25.08.2016 um 21:33 schrieb johnyju...@sigaint.org:
>
>> While it's a bit slower, I prefer booting from DVD, a read-only medium.
>
> There are verifiably hardware-controlled (physical switch) unwritable
> USB storage devices. A bit expensive but you can get one.
I might look into that, it
Most standard Linux utilities that refer to block devices, allow you to
specify by uuid as well (mount, cryptsetup are two examples).
The documentation for qvm-block is sparse, but probably because it's a
straight-forward utility.
There's no support in qvm-block to assign a device to a VM by
> On 08/23/2016 07:25 PM, Chris Laprise wrote:
>> What threat model does this fit? If a skilled attacker tricks you into
>> thinking you created an account at sigaint, but you later cannot use
>> it... what is the advantage of that? The possible gain seems to be
>> little or nothing.
>
> Well,
> I am too paranoid for using tails other than the recommended method (two
> usb drives updating each other - I have two pairs of three).
Not aware of the two drive method. Is that just updating to the next
version from the previous version, onto another USB drive?
While it's a bit slower, I
> My guess is that Paypal is giving you a hard time just because of the
> tor exits you use to interact with their website.
Could be. At first I didn't see how/why, but I guess refusing a legit
password from what they judge as a dodgy IP address is a possibility.
(Although accepting the
I would say so, yes.
I think exim, cups, and possibly some gvfs-samba thing were also all
enabled on both the Fedora and debian-8 templates.
I personally don't like having those on by default in all the VMs,
listening on ports and poking around the network or Internet, as they
really should only
>> On 08/23/2016 06:01 PM, johnyju...@sigaint.org wrote:
>>> Wow, what a weird day.
>>>
>>> A rather bizarre story, which is possibly a good example as to how
>>> Qubes
>>> can help protect you from hacking, or at least spot the effects of it.
>>
>> What threat model does this fit? If a skilled
Wow, what a weird day.
A rather bizarre story, which is possibly a good example as to how Qubes
can help protect you from hacking, or at least spot the effects of it.
I use a sigaint address, because of a psycho ex and her corrupt cop buddies.
Anyhow, I created another sigaint address today, to
> How does Qubes perform as the host OS in a virtualised server environment?
>
> I'm thinking of a configuration where the host OS is Qubes with VM's
> running for things like a virtualised email server, IDS server, perhaps a
> Tor relay etc. I've used Qubes as a desktop host, I'm just curious
I know I may be in the minority with an under-powered machine (4G), but I
thought I'd share some tips for getting more room for additional AppVM's
that worked well for me:
I guess I should state that this really would "void your warranty" and
you shouldn't hassle the Qubes folks with problems
> On 08/22/2016 10:47 AM, johnyju...@sigaint.org wrote:
>> I'm trying to create a ProxyVM of my own, to replace sys-firewall.
>>
>> I'm on 3.2rc2-testing.
>>
>> When I create a ProxyVM in either fedora23 or debian-8, eth0 shows up,
>> but
>> no vif interface appears.
>>
>
> vif interfaces appear
> On 2016-08-22 07:52, johnyju...@sigaint.org wrote:
>> /rw/config/rc.local doesn't seem to be run on startup in debian-8
>> (3.2-testing).
>>
>> What is supposed to launch this? systemd, another startup script, or
>> something dom0-related?
>>
>> I added "/rw/config/rc.local" to "/etc/rc.local"
I notice in the debian-8 template that network time synchronization seems
to be on by default in systemd.
systemd-timesyncd.service loaded active running Network Time Synchronization
time-sync.target loaded active active System Time Synchronized
It's disabled in fedora-23 by
> In trying to figure out why my ProxyVM has no VIF (on Qubes 3.2-testing) I
> was looking at the dmesg's of the servicevm's, and noticed something that
> looked a bit odd (running rapidly through vif interface #'s) in sys-net
> (fedora23 template).
> Similarly, iptables-save shows duplicate rules
> Added testing repos to (clones of) debian-23 and debian-8 templates (as
> well as whonix-gw/whonix-ws), did upgrades/dist-updates, restarted, loaded
> up a bunch of AppVM's, and have been pounding on things awhile.
>
> No sign of screen garbage yet! :)
>
> Looks promising.
Day 3 of banging on
I'm trying to create a ProxyVM of my own, to replace sys-firewall.
I'm on 3.2rc2-testing.
When I create a ProxyVM in either fedora23 or debian-8, eth0 shows up, but
no vif interface appears.
There are iptables entries for 10.137.4.*, so the firewall mechanism seems
to be doing (part of) its