[qubes-users] JeOS?

2016-12-17 Thread johnyjukya
I've converted all my VM's to debian-8, and I'm continuing the never-ending process to trim down the service vm's to the bare minimum underlying template. No sense having cups, pulseaudio, libreoffice, etc, lurking around in a dedicated packet-flinger VM. Especially with the dozens of processes

[qubes-users] OpenVPN and debian-8

2016-12-17 Thread johnyjukya
I've finished my conversion of all VM's to debian-8 (and isolating USB, the sound card, etc.). (Next is dom0, and maybe the replacing the hypervisor, but that's another story. :) ) The last hiccup was getting OpenVPN working in debian-8 in a ProxyVM. It would connect, but then get stupid and

[qubes-users] Updates, security

2016-12-17 Thread johnyjukya
While updates are signed, so even if they come over the wire in cleartext, the fact that they often are sent in the clear (even from debian.net) allows a snooper to know what packages your scanning for metadata or installing. It reveals a lot about the state of your system. Updating over Tor or

Re: [qubes-users] Re: Nvidia drivers in dom0 still works? (need to get a GTX 1070 off the ground)

2016-12-14 Thread johnyjukya
TomL Wrote: > I believe that Nvidia binary drivers do not work under Xen. I spent a > while trying unsuccessfully before reading some documentation to that > effect which I considered reliable at the time, but can't immediately > recall. If you find credible evidence that there's some workaround,

Re: [qubes-users] Qubes-manager refuses to launch

2016-12-14 Thread johnyjukya
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On Wed, Dec 14, 2016 at 06:44:35AM -0800, Andrew David Wong wrote: >> On 2016-12-14 06:31, harh...@gmail.com wrote: >> > I did that already, so... >> > >> > That's the point - I can't run any command, cause vm-manager (and >> > the process

Re: [qubes-users] swappiness, caches

2016-10-19 Thread johnyjukya
> Interesting that the Wiki page for swappiness (this kernel parameter is > officially more famous than I am) recommends setting it to at least 1. > > https://en.wikipedia.org/wiki/Swappiness I'm going to stick with vm.swappiness=0 for a few days just to see if any reliability problems or app

Re: [qubes-users] swappiness, caches

2016-10-19 Thread johnyjukya
> Interesting, sounds reasonable. > > Running with absolutely 0 swap however can lead to unexpected problems > from my experience: Interesting that the Wiki page for swappiness (this kernel parameter is officially more famous and I am) recommends setting it to at least 1.

[qubes-users] swappiness, caches

2016-10-19 Thread johnyjukya
It always seemed a bit "off" to me that there should be any swap usage or significant buffers/caches inside VM's. dom0 already caches the virtual .img files, so having the kernel inside each VM also buffering/caching files and metadata is really just a waste of CPU and disk space. More

Re: [qubes-users] Persistant routes on Qubes are not persistant?!

2016-10-17 Thread johnyjukya
> Hello, > > I need to add some static routes since I'm using a network with different > GWs. For that reason I've tried to add some static routes through the > NetworkManager which maps all the configuration into a file called > qubes-uplink-eth0 . Strangely and since this file is within the

Re: [qubes-users] Re: Maybe a provocative question

2016-10-17 Thread johnyjukya
>> Now, about 4.7. Note that the page for only lists individual names, >> does >> not list any company affiliations or employers at all. An odd >> change/omission? > > could there be a simpler explanation? Certainly. Maybe some intern generating the stats page was too lazy to summarize it by

Re: [qubes-users] Re: Maybe a provocative question

2016-10-17 Thread johnyjukya
>> 1) XEN is developed by people working for a company based in >> the U.S. Some fun stats for Xen 4.6 changesets, as used by Cubes: Lines of Code: ~150,000 This is from https://wiki.xenproject.org/wiki/Xen_Project_4.6_Acknowledgements and related pages (and similar pages with 4.6 replaced by

Re: [qubes-users] Re: Unable to uptade templates affer forced all traffic trhough VPN

2016-10-15 Thread johnyjukya
> Ok, so I tried to enable the updates proxy in the sys-firewall > consequently forcing all updates to go through the VPN, I followed the > instructions outlined here - > https://www.qubes-os.org/doc/software-update-vm/#updates-proxy > However, as soon as I try to run the updates on one of the

Re: [qubes-users] Re:Persistant routes on Qubes are not persistant?!

2016-10-15 Thread johnyjukya
>> Does anyone knows how to set static routes persistently into the >> sys-firewall? NetworkManager lets you add static routes for a network card. You might be able to get what you want by adding and checking off the 'network-manager' service for the VM (and restarting), then configuring the

Re: [qubes-users] Re: philosofy on qubes and other environment

2016-10-15 Thread johnyjukya
> Andrew: > This kind of security-first posture is what has made Qubes famous. I agree that Qubes separation is probably the most secure basis for a reasonably usable PC-based platform today. It's all I'll use. (I worry about 4.0 not working on my hardware, tho. And upgrading hardware brings

Re: [qubes-users] Re: Error converting vmdk disk to raw

2016-10-14 Thread johnyjukya
> I'm having same issue, I know there is enough space because df -h shows > 198G available and qemu-img-xen info image.vmdk shows that the virtual > disk size is 8G I've had cases with the qemu tools where it reported a write error because it had trouble reading one of the input files (corrupted,

[qubes-users] Loaded ethernet device modules in dom0, sound

2016-10-12 Thread johnyjukya
(Accidentally posted this to the tail of another thead; I assumed a subject change would create a new thread. Whoops. Reposting.) Why is it that the linux module for my ethernet device is loaded in dom0? There's obviously no networking, /proc/net/dev and ifconfig only show localhost. The

[qubes-users] Low memory, starting machines & assigning devices

2016-10-12 Thread johnyjukya
Hi, Qubers: Wonder if someone could tell me if this is normal/expected behaviour. (3.2rc3): If I have a few AppVM's running, at some point, the manager will refuse to start any more VM's, complaining about low memory. Similarly, assigning devices to running VM's will fail. (Most annoying.)

[qubes-users] 3.2rc3 install on btrfs

2016-09-29 Thread johnyjukya
Finally got around to doing a fresh install of Qubes 3.2rc3 on a btrfs root. It's quite wonderful, being able to clone a template or an AppVM instantly, taking no additional disk space except for changes. However, after the initial install, I had sys-net, sys-firewall and had to create them

Re: [qubes-users] USB VM

2016-09-28 Thread johnyjukya
> Hi JJ, > > Did some more testing, you were right, I only have 3. Hey, that's still pretty handy for separation. In Qubes VM Manager, for a chosen VM, you *should* be able to pick a given PCI USB device and assign it. Only having one USB bus myself, also used for root, I haven't tried this. I

Re: [qubes-users] USB VM

2016-09-27 Thread johnyjukya
> Hi JJ, > > My PC has 10 USB Bus's. > My keyboard and mouse are on bus 10, which is PCI device .XX.X and I > left that one on Dom0. Are they 10 separate PCI devices, 10 separate USB buses? I'd be very surprised if that were the case. But also very impressed, and wanting such a motherboard

Re: [qubes-users] USB VM

2016-09-27 Thread johnyjukya
> It may no longer be the case, but it used to be that most USB keyboards > and mice had controllers that also automatically auto-detected and > supported PS/2, with a simple passive passthrough dongle between the > USB->PS/2 connection. > >

Re: [qubes-users] USB VM

2016-09-27 Thread johnyjukya
> I want to get the USB VMs to work, but I use keyboard and mouse via USB, > not PS/2, so it will not permit me to configure it. > > I wish to attach specific USB Ports to Dom0, which is 1 of the bus's. And > the other USB bus's to the USBVM, but I can't find out what device to > attach to Dom0 to

Re: [qubes-users] Re: Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread johnyjukya
> You can get a motherboard that has a removable bios chip that you can just > snap in to replace, Then call the company and have them send you one or > two to hold onto for emergency lol. There is also mobos with dualbios, > most ly this is for bringing a bricked board back to life. I actually

Re: [qubes-users] Re: Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread johnyjukya
> Yeah, Joanna is seriously epic. Upon that, we can all agree. Everything she designs or writes up, seems bang-on (and wonderfully informative) in this increasingly security-threatened world we're living in. She's probably just a fictional character created by the NSA to mesmerize and lure us

Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-09-27 Thread johnyjukya
> My PC's RT clock might drift by a few seconds each week Actually, it's not even that bad. I'm sure I've fired up motherboards or laptops that haven't been touched in years, and their clocks were accurate within a minute. So there's no need for synchronizing your time so frequently. I just

Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-09-27 Thread johnyjukya
> The "listening" services are less of a concern, since the firewall > wouldn't permit any incoming connections to be passed through to start > with. It's the "phone home" style services, like time sync, Samba name > lookups on microsoft servers, and such, that are more concerning, and >

Re: [qubes-users] Re: I can't disable ipv6 on Debian Template

2016-09-27 Thread johnyjukya
> Also just to add qubes devs have fedora template with less listening > process then debian-8 which is not default and more community based. But > if you want to use use debian instead for your sysnet or firewall or w/e. > You can disable all the listening processes yourself. It's an

Re: [qubes-users] Re: Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread johnyjukya
> How about Google Chromebooks which have a system to auto-restore the OS if > it thinks it's been tampered with..? Doesn't that imply trust in Google, who is known to cooperate with NSA and such (as required by US law)? I have had serious problems with a hacked Android phone, and the

Re: [qubes-users] Re: Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread johnyjukya
> On Tuesday, September 27, 2016 at 6:51:31 AM UTC-4, neilh...@gmail.com > wrote: >> If I think a computer has been infected, is there anything else I should >> wipe/re-install other than >> >> 1. Hard Drive / Operating System >> >> 2. BIOS This also brings up the question of BIOS vs. EFI, which

Re: [qubes-users] Screen geometry for VMs

2016-09-27 Thread johnyjukya
> I'm back with a brand-new workstation setup to try Qubes on. I bought a > Matrox C680 and hooked up six monitors to its DisplayPort outputs. I'm > using Qubes R3.2 fully updated as of now, with XFCE. Six monitors??? Wow! Can I come over and hang out at your place? JJ -- You received this

Re: [qubes-users] Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread johnyjukya
> I forget which blackhat event, they showed how you can think you are > flashing a bios. But the malware will remain. That's creepy. Don't most BIOS flashing utilities do a verification? Or perhaps the flashing utility itself is what was compromised in the blackhat demo. Another reason why

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-27 Thread johnyjukya
>> Especially if you did the sharing via a separate vpn or ssh tunnel. But >> in general, I don't think Qubes security should be considered much if >> any benefit to adjacent non-Qubes systems. >> >> Chris >> >> > The benefits far outweigh the risks, as long as you don't do most of >> your >> >

Re: [qubes-users] Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread johnyjukya
> If I think a computer has been infected, is there anything else I should > wipe/re-install other than > > 1. Hard Drive / Operating System > > 2. BIOS > > Is there anything else that a hacker could possibly infect that needs to > be wiped/re-installed..? Lol, don't get me started... - Any PCI

Re: [qubes-users] Restored, and it's missing so much...

2016-09-26 Thread johnyjukya
> Hmmm, you would probably also need to re-export the app shortcuts to dom0. > This *may* be the best way to do it, but the Qubes devs may have a better > suggestion. Open a terminal in the newly restored VM and run: > > "/usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh >

Re: [qubes-users] Restored, and it's missing so much...

2016-09-26 Thread johnyjukya
> I just copied my standalone VM that was working, to back it up. > > Then I restored the .img files, which is the HDD, and now it's telling me > I don't have the dependancies to run the application that I was running > before I copied the img files. > > Why is this broken? > Why will

Re: [qubes-users] Snapshots - Use of CoW

2016-09-26 Thread johnyjukya
> On Monday, 26 September 2016 12:11:56 UTC+10, johny...@sigaint.org wrote: >> AppVM's are designed to toss changes, other than /home, /rw, /usr/local. >> It's a good thing; if one gets compromised, it's a temporary compromise. >> :) >> >> If you want permanent changes, update your template. >>

Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-26 Thread johnyjukya
> Really ? No one to find also suspicious a wild init/1 tcp6 port listening > on your templateVM, right out of the box ? This got to be real. ... > I am answering you on my phone just because it seems my old Qubes deleted > partition doesn't like very much my USB key to runs over it, for some >

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-26 Thread johnyjukya
> Wow. Not even 4 GB of compiled drivers for the WiFi. You are saying it's 4 > GB of raw plaintext source code..? > > WOW > > That's INSANELY complex. Apologies, I spoke a bit hastily. What was seeing was 4 million Git objects, not 4G of data (although it may be). And that included all branches

Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-26 Thread johnyjukya
> What does "systemctl list-sockets" show? Any services that systemd is > providing a listener for should be listed here. If you do spot a network socket service in that listing, you can stop the current service with "systemctl stop blah.socket", and disable it in the future (next reboot or VM

Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-26 Thread johnyjukya
> Thank you guys for your help, but unfortunately I don't think there is a > way to get rid of this process listening on tcp6 on init (systemd... d > standing here for distant...). It is listed as 1 on PID, I don't think you > can't remove it, it is a main process. So I am not interested in using

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-26 Thread johnyjukya
> Please read if you haven't already: > > http://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf > > 2 big takeaways: > > 2. The Physical Gateway needs to be secure not only from attacks from the > Internet but also attacks from the client appVM.

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-26 Thread johnyjukya
> And yes, by all means, I will use Whonix's system rather than my own > custom script. I agree that Whonix is a key component. A NetVM that ensures *all* your traffic goes through Tor, with no leakage, as well as doing secure DNS lookups for you, is a big security plus. They've also put a fair

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-26 Thread johnyjukya
> Well, entr0py, you are correct. > > It does indeed come down, to either Xen, or my networking stack. > > Let me ask... what is the security like for Ethernet..? Anything going over a wire is going to have a far shorter RF leakage range than WiFi. Unless your threat actor is in the house or

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-25 Thread johnyjukya
> OK, so the main takeaway from your answer: > > "The card doesn't have a host CPU and so it doesn't require a firmware > source" > > that seems like the most interesting > > the driver would still need to be bug-free though > > who knows whether any of these have even been audited I think the

Re: [qubes-users] Snapshots - Use of CoW

2016-09-25 Thread johnyjukya
> Hi folks, > > Any chance that there will be added in the feature for snapshots? > even CoW snapshots would be good, then a consolidation option once done. > > I have one issue where I want to do something, but I have to 7z the VM > before I can do anything to it in-case it breaks. > > I know

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-25 Thread johnyjukya
> Yeah... and surely this is exactly what can happen, no..? > > We had 2 Xen exploits in the last 1 year. I expect those exploits have caused a lot more scrutiny of the code, so hopefully such exploits won't be heard of again. Qubes devs are moving away from PVM which should avoid the threat of

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-25 Thread johnyjukya
> If your Tor is running in another appVM, such as whonix-gw does, the worst > a sys-net compromise could do is redirect the *encrypted* Tor traffic from > whonix-gw, which isn't terribly useful for the attacker. Oh, I should mention, as you asked in your original question, that yes, a

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-25 Thread johnyjukya
> OK, but I have already built the script. I have it running in Net VM. It > works. > > I am NOT asking you to make an alternative system. > > I am simply asking whether an attack on the WiFi/Ethernet in the Net VM > could also end up messing up my Tor script. > > Look at the question again: > >

Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-25 Thread johnyjukya
> nishiwak...@gmail.com: >> Hello, >> >> I am surprised that there is no way to disable ipv6 on Debian template. >> >> I reinstalled first the template using documentation >> https://www.qubes-os.org/doc/reinstall-template/ >> >> Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-25 Thread johnyjukya
> I'm pretty sure that can be done fairly simply, out-of-the-box via > NetworkManager, not requiring a script: Oh, and another good tip, is to make another NetworkManager show up in a secondary VM (other than just from sys-net), you can manually add "network-manager" (and check it) as a service

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-25 Thread johnyjukya
> In terms of "hotspot" terminology, what it does is, quote from author of > the script: > > "it bridges the two interfaces but uses NAT to achieve it" Ah, so it sets up some iptable nat rules (and maybe tweaks torrc to allow it to listen on a non-local interface; although iptables could do that

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-25 Thread johnyjukya
> OK, it's the original poster here. > The consensus so far is that anything I run inside sys-net should be > vulnerable, and that it is advised not to run programs in sys-net. > > So, in this case, how am I supposed to run my Ethernet Tor hotspot..? I think you're going to have be more specific

Re: [qubes-users] I can't disable ipv6 on Debian Template

2016-09-25 Thread johnyjukya
> I am surprised that there is no way to disable ipv6 on Debian template. > > I reinstalled first the template using documentation > https://www.qubes-os.org/doc/reinstall-template/ > > Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I > did reboot the Template but it didn't

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread johnyjukya
Chris wrote: > Especially if you did the sharing via a separate vpn or ssh tunnel. But > in general, I don't think Qubes security should be considered much if > any benefit to adjacent non-Qubes systems. This is one of my favorite implicit features of Qubes: Setting up multiple layers of network

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread johnyjukya
Chris wrote: > Especially if you did the sharing via a separate vpn or ssh tunnel. But > in general, I don't think Qubes security should be considered much if > any benefit to adjacent non-Qubes systems. I'm curious as to why you would say this. Any additional firewall between a Laptop and the

Re: [qubes-users] Why are Ethernet and WiFi in sys-net..?

2016-09-25 Thread johnyjukya
> Simple question: Why are Ethernet and WiFi in sys-net..? > > Is it > > (A) Just for easy access to the same network for all App VMs..? > > (B) Because this is isolating Ethernet and WiFi from the rest of the > system, to stop DMA attacks..? Primarily (B). Any DMA attack or other network

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread johnyjukya
> If the Qubes machine is hit by a DMA attack, it is compromised and could > thus tamper with the forwarded Internet connection however the attacker > desires. (As well as scraping any credentials you might use in common on > the Qubes box, and carrying out aggressive attacks on anything on your

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread johnyjukya
> Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet. > > The Qubes machine is sharing its Internet connection. > > Let's say the Qubes machine gets hit with a DMA attack. > > The 2nd laptop is not a Qubes machine, and therefore doesn't have VT-D for > DMA protection. > > Can

Re: [qubes-users] New version of Qubes Screenshot Tool (0.5 beta)

2016-09-24 Thread johnyjukya
> Hello, > > New version of Qubes Screenshot tool available. > > https://github.com/evadogstar/qvm-screenshot-tool > > > If you do not know what is it: a tool to easy make screenshots and > upload them to the AppVM and to the web ( imgurl service ). > > Changelog: > - Now, it's possible to re-open

Re: [qubes-users] Re: Dear qubes-users

2016-09-24 Thread johnyjukya
> Mr. Harrison: >> Dear qubes-users, >> >> I am long time qubes follower and user. I apologize in advance if anyone >> feels this request is spam. >> >> I am looking for two invite codes needed to sign up to anonymous >> riseup.net email service. I agree that asking random strangers for Riseup

Re: [qubes-users] BTRFS?

2016-09-22 Thread johnyjukya
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On Thu, Sep 22, 2016 at 03:56:57PM -0700, Connor Page wrote: >> In fact, I think the right question is "Will Qubes 4 be compatible with >> btrfs root if vm storage is expected to reside on a LVM thin pool?" > > This is a good question. The

[qubes-users] BTRFS?

2016-09-22 Thread johnyjukya
Has the Qubes team ever considered the use of btrfs? https://en.wikipedia.org/wiki/Btrfs It's been the default root FS for Suse since 2012: https://www.linux.com/news/suse-linux-says-btrfs-ready-rock While reading about its features (and using it) it seems like it would be especially

Re: [qubes-users] Re: NVIDIA GeForce

2016-09-21 Thread johnyjukya
> On Wednesday, 21 September 2016 02:25:15 UTC+10, johny...@sigaint.org > wrote: >> > On Sunday, September 11, 2016 at 11:11:28 PM UTC-4, Drew White wrote: >> >> On Friday, 9 September 2016 18:58:51 UTC+10, Thomas Ernst wrote: >> >> > Hi all, >> >> > >> >> > Does Qubes support NVIDIA GeForce

[qubes-users] Failed device allocation

2016-09-20 Thread johnyjukya
Quite frequently, under Debian-8, when I go to assign a device, it quietly appears to work (Qubes Manager shows it assigned), but the device never shows up, and the VM's dmesg shows things like this: [Tue Sep 20 13:17:09 2016] xenwatch: page allocation failure: order:5, mode:0x240c0c0 [Tue Sep 20

Re: [qubes-users] Re: Booting Cubes, Migration

2016-09-20 Thread johnyjukya
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2016-09-19 13:36, johnyju...@sigaint.org wrote: >>> I've finally got Qubes set up in a way I'm comfortable working every >>> day. >>> >>> Now I wanted to move that same installation to another drive for its >>> permanent home. >> >> Oh, I

Re: [qubes-users] Re: NVIDIA GeForce

2016-09-20 Thread johnyjukya
> On Sunday, September 11, 2016 at 11:11:28 PM UTC-4, Drew White wrote: >> On Friday, 9 September 2016 18:58:51 UTC+10, Thomas Ernst wrote: >> > Hi all, >> > >> > Does Qubes support NVIDIA GeForce graphics cards? The reason for >> asking is that I am planing to buy a Lenovo ThinkPad T460p Laptop,

Re: [qubes-users] Booting Cubes, Migration

2016-09-19 Thread johnyjukya
> Anaconda is notorious for messing up specific requests for volume > layout. You would stand a much better chance of getting help in a fedora > or redhat forum... they have many more people experienced with this. Cool, thanks. I guess it is a more general grub/luks/lvm issue, and not

[qubes-users] USB hotplug messing up other USB devices?

2016-09-19 Thread johnyjukya
Qubes 3.2rc3-testing (and earlier), AMD Athlon X2, GeForce motherboard, NVidia MCP61 USB controller: I'm currently running Qubes from an external USB drive. (Moving to internal drive as soon as I figure out how to smoothly migrate it.) For now, it works great in general. In the meantime, I've

[qubes-users] Re: Booting Cubes, Migration

2016-09-19 Thread johnyjukya
> I've finally got Qubes set up in a way I'm comfortable working every day. > > Now I wanted to move that same installation to another drive for its > permanent home. Oh, I also meant to ask this: Does all of the Template/VM state live in /var/lib/qubes? Obviously the machines' disks do, and it

[qubes-users] Booting Cubes, Migration

2016-09-19 Thread johnyjukya
I've finally got Qubes set up in a way I'm comfortable working every day. Now I wanted to move that same installation to another drive for its permanent home. The current drive has a standard bios /boot partition (sda1), and an encrypted extended partition (#5) containing lvm with swap and /.

Re: [qubes-users] Re: epoxy on ram to prevent cold boot attacks?

2016-09-02 Thread johnyjukya
> On Wednesday, August 31, 2016 at 10:40:23 AM UTC-7, grzegorz@gmail.com > wrote: > >> An actual protection would be some kind of a chemical that would destroy >> the ram chips if they ever reach certain (lower than room) temperature. > > the epoxy is likely to damage them in most means of

Re: [qubes-users] Re: epoxy on ram to prevent cold boot attacks?

2016-09-01 Thread johnyjukya
>> https://freedesktop.org/wiki/Software/PulseAudio/FAQ/#index15h3 > > I've looked at it few years ago and it was outdated/unmaintained at that > time already. I gave up on setting this on Win 7. I bet now it's even > harder. Yes, weird how neglected it is. Do people not write utility software

Re: [qubes-users] Re: epoxy on ram to prevent cold boot attacks?

2016-09-01 Thread johnyjukya
> This is scary: > > https://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe?variant=353378649 Related, and (disturbingly) informative: https://github.com/brandonlw/Psychson JJ -- You received this message because you are subscribed to the Google Groups

Re: [qubes-users] Re: epoxy on ram to prevent cold boot attacks?

2016-09-01 Thread johnyjukya
> On Wed, Aug 31, 2016 at 10:05:59PM -, johnyju...@sigaint.org wrote: >> I'm curious to some mentions-in-passing about Andrew's hate for USB >> keyboards. USB-anything isn't good for security, but what in particular >> so much worse about USB? Both USB and PS/2 can keylog, or play >>

Re: [qubes-users] Qubes 3.2 rc3 has been released!

2016-08-31 Thread johnyjukya
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Details here: > https://www.qubes-os.org/news/2016/08/31/qubes-OS-3-2-rc3-has-been-released/ > > As usual, you can download new image from: > https://www.qubes-os.org/downloads/ > > Users of R3.2 rc1 or rc2 can just install updates, no need

[qubes-users] Adding individual partitions from Manager

2016-08-31 Thread johnyjukya
While qvm-block is a wonderfully handy tool for adding individual partitions to a VM, the Qubes VM Manager can only add entire devices from its GUI. I think that it's a pretty strong argument Qubes' spirit of "protecting the user from him/herself" to make sure this feature (maybe in a nested menu

Re: [qubes-users] qvm-run only available from dom0?

2016-08-31 Thread johnyjukya
> On 2016-08-30 01:16, johnyju...@sigaint.org wrote: >> Say someone compromises the dom0 encrypted drive password, and >> then goes shuffling through the private.img file of the AppVM's to >> get at Firefox's passwords...? The VM itself wouldn't have to be >> running corrupt code for that, and

[qubes-users] Re: OSX

2016-08-28 Thread johnyjukya
> Hey, does anyone have any luck with getting any form of OSX to fire up > under Qubes? > > After several other failures, I was able to get some iPC ISO build to get > to a certain point in an HVM, but the mouse didn't work, so I couldn't do > much, and I couldn't figure out how to get it to any

Re: [qubes-users] Qubes VM Manager Suggestions

2016-08-28 Thread johnyjukya
> But I'll Joanna's page a more detailed read when I'm a bit more refreshed. Sorry, not just "Joanna's" page; on a quick scan, I see you contributed to it significantly as well. I very much look forward to giving it a proper read and review tomorrow. Cheers, and thanks, Andrew. :) JJ -- You

Re: [qubes-users] Qubes VM Manager Suggestions

2016-08-28 Thread johnyjukya
> Thanks for the suggestions. Our goal for Qubes 4.0 is to "decmopose" > the current Qubes Manager by integrating its functions more seamlessly > into the desktop environment: > > https://github.com/QubesOS/qubes-issues/issues/2132 > > We hope that this approach will take care of the kinds of

Re: [qubes-users] Security Best Practice: Cache web passwords in custom VM's or not?

2016-08-28 Thread johnyjukya
> On Saturday, August 27, 2016 at 1:50:22 PM UTC-7, johny...@sigaint.org > wrote: >> BTW, keepassx rocks. I'm working on some scripts to make it a little >> less >> painful with all the Ctrl-Alt-C and Ctrl-Alt-V'ing (which also conflicts >> with the standard konsole paste shortcuts). > > I have

[qubes-users] Qubes VM Manager Suggestions

2016-08-28 Thread johnyjukya
These are fairly minor cosmetic issues, and if I ever get some of my current struggles under control, I'll submit patches instead of suggestions. :) I think the Qubes folks work on the VM Manager (and install process, which is amazing) has made major strides in making the system more accessible

[qubes-users] OSX

2016-08-27 Thread johnyjukya
Hey, does anyone have any luck with getting any form of OSX to fire up under Qubes? After several other failures, I was able to get some iPC ISO build to get to a certain point in an HVM, but the mouse didn't work, so I couldn't do much, and I couldn't figure out how to get it to any kind of

Re: [qubes-users] Security Best Practice: Cache web passwords in custom VM's or not?

2016-08-27 Thread johnyjukya
> On 08/27/2016 07:36 PM, Cube wrote: >> On Saturday, August 27, 2016 at 9:31:31 AM UTC-7, Alex wrote: >>> On 08/27/2016 05:59 PM, Cube wrote: For specific services (say, the >>> mentioned Amazon) I keep a keepassx database on the specific AppVM >>> in which the service is expected to be used -

Re: [qubes-users] Qubes VM compromised? - Follow up

2016-08-27 Thread johnyjukya
>> Whether using an "isolating proxy" (multiple machines) or not, using a >> white-listing proxy like Corridor can help ensure all of your traffic >> passes through Tor (Entry Guard, at least). >> > > That's right. Also, using Firefox with those extensions is *not* the same > as > using Tor

Re: [qubes-users] Qubes VM compromised? - Follow up

2016-08-27 Thread johnyjukya
> Am 25.08.2016 um 21:33 schrieb johnyju...@sigaint.org: > >> While it's a bit slower, I prefer booting from DVD, a read-only medium. > > There are verifyably hardware-controlled (physical switch) unwritable > USB storage devices. A bit expensive but you can get one. I might look into that, it

[qubes-users] qvm-block by UUID?

2016-08-25 Thread johnyjukya
Most standard Linux utilities that refer to block devices, allow you to specify by uuid as well (mount, cryptsetup are two examples). The documentation for qvm-block is sparse, but probably because it's a striaght-forward utility. There's no support in qvm-block to assign a device to a VM by

Re: [qubes-users] Qubes VM compromised?

2016-08-25 Thread johnyjukya
> On 08/23/2016 07:25 PM, Chris Laprise wrote: >> What threat model does this fit? If a skilled attacker tricks you into >> thinking you created an account at sigaint, but you later cannot use >> it... what is the advantage of that? The possible gain seems to be >> little or nothing. > > Well,

Re: [qubes-users] Qubes VM compromised? - Follow up

2016-08-25 Thread johnyjukya
> I am too paranoid for using tails other than the reccomended method (two > usb drives updating each other - I have two pairs of three). No aware of the two drive method. Is that just updating to the next version from the previous version, onto another USB drive? While it's a bit slower, I

Re: [qubes-users] Qubes VM compromised? - Follow up

2016-08-24 Thread johnyjukya
> My guess is that Paypal is giving you a hard time just because of the > tor exits you use to interact with their website. Could be. At first I didn't see how/why, but I guess refusing a legit password from what they judge as a dodgy IP address is a possibility. (Although accepting the

Re: [qubes-users] timesync on by default in debian-8 template (3.2-testing)

2016-08-24 Thread johnyjukya
I would say so, yes. I think exim, cups, and possibly some gvfs-samba thing were also all enabled on both the Fedora and debian-8 templates. I personally don't like having those on by default in all the VMs, listening on ports and poking around the network or Internet, as they really should only

Re: [qubes-users] Qubes VM compromised?

2016-08-23 Thread johnyjukya
>> On 08/23/2016 06:01 PM, johnyju...@sigaint.org wrote: >>> Wow, what a weird day. >>> >>> A rather bizarre story, which is possibly a good example as to how >>> Qubes >>> can help protect you from hacking, or at least spot the effects of it. >> >> What threat model does this fit? If a skilled

[qubes-users] Qubes VM compromised?

2016-08-23 Thread johnyjukya
Wow, what a weird day. A rather bizarre story, which is possibly a good example as to how Qubes can help protect you from hacking, or at least spot the effects of it. I use a sigaint address, because of a psycho ex and her corrupt cop buddies. Anyhow, I created another sigaint address today, to

Re: [qubes-users] Qubes for running virtual servers

2016-08-23 Thread johnyjukya
> How does Qubes perform as the host OS in a virtualised server environment? > > I'm thinking of a configuration where the host OS is Qubes with VM's > running for things like a virtualised email server, IDS server, perhaps a > Tor relay etc. I've used Qubes as a desktop host, I'm just curious

[qubes-users] Memory saving techniques

2016-08-23 Thread johnyjukya
I know I may be in the minority with an under-powered machine (4G), but I thought I'd share some tips for getting more room for additional AppVM's that worked well for me: I guess I should state that this really would "void your warrantee" and you shouldn't hassle the Qubes folks with problems

Re: [qubes-users] vif in user ProxyVM?

2016-08-22 Thread johnyjukya
> On 08/22/2016 10:47 AM, johnyju...@sigaint.org wrote: >> I'm trying to create a ProxyVM of my own, to replace sys-firewall. >> >> I'm on 3.2rc2-testing. >> >> When I create a ProxyVM in either fedora23 or debian-8, eth0 shows up, >> but >> no vif interface appears. >> > > vif interfaces appear

Re: [qubes-users] /rw/config/rc.local on debian-8

2016-08-22 Thread johnyjukya
> On 2016-08-22 07:52, johnyju...@sigaint.org wrote: >> /rw/config/rc.local doesn't seem to be run on startup in debian-8 >> (3.2-testing). >> >> What is supposed to launch this? systemd, another startup script, or >> something dom0-related? >> >> I added "/rw/config/rc.local" to "/etc/rc.local"

[qubes-users] timesync on by default in debian-8 template (3.2-testing)

2016-08-22 Thread johnyjukya
I notice in the debian-8 template that network time synchronization seems to be on by default in systemd. systemd-timesyncd.service loaded active running Network Time Synchronization time-sync.target loaded active activeSystem Time Synchronized It's disabled in fedora-23 by

Re: [qubes-users] Oddness in sys-net's VIF startup

2016-08-22 Thread johnyjukya
> In trying to figure out why my ProxyVM has no VIF (on Qubes 3.2-testing) I > was looking at the dmesg's of the servicevm's, and noticed something that > looked a bit odd (running rapidly through vif interface #'s) in sys-net > (fedora23 template). > Similarly, iptables-save shows duplicate rules

Re: [qubes-users] Screen corruption on nvidia

2016-08-22 Thread johnyjukya
> Added testing repos to (clones of) debian-23 and debian-8 templates (as > well as whonix-gw/whonix-ws), did upgrades/dist-updates, restarted, loaded > up a bunch of AppVM's, and have been pounding on things awhile. > > No sign of screen garbage yet! :) > > Looks promising. Day 3 of banging on

  1   2   >