[qubes-users] xen is relinquishing vga console

[Mark Dymek]

So i am trying to install the latest qubes on my alienware m17 r4. i am getting 
that message and then i get a blank screen. i’ve gone through the documentation 
and i’ve commented out the two lines in the bootx64.cfg file as well as 
changing whichever line from =vga to =none. when i did the =none change qubes 
wouldn’t boot at all and i just got a message that it’s using that file and 
then some hex code.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1c3d4694-9932-488d-966a-19df4bbde37c%40www.fastmail.com.

[qubes-users] Re: Cheap laptops that run Qubes

[Mark Fernandes]

On Wednesday, 6 January 2021 at 00:04:44 UTC anonymou...@danwin1210.me 
wrote:

> I'm looking for a laptop that can run Qubes without stress. I want the 
> cheapest one possible. 
> Please let me know which one I should get. 
>


It just so happens that I've been researching what are the cheapest 
computers to do fairly standard computer things...

I would advise against using a used computer, unless you have strong 
reasons to believe it hasn't been compromised. A used computer can go 
through various owners, and any one of those owners could have been 
targeted to the extent that the computer was hacked, perhaps even to the 
point of hardware tampering. Additionally, the person selling or passing 
the computer on to you, may be involved in a racket where they are 
deliberately passing on hacked computers for bad purposes. Since you want 
to run Qubes, I'm guessing security is important to you, which is why I'm 
generally advising against using a used computer.

If you want to go down the route of a used computer in spite of the above, 
you ought to think about faithfully reinstalling all of the firmware chips. 
You can't necessarily rely on firmware-updating mechanisms provided by the 
existing firmware, as such mechanisms may themselves be compromised. I'm 
going through the same process for my old Chromebook C720 laptop-like 
computer. I've settled on de-soldering the main system firmware chip 
<https://doc.coreboot.org/flash_tutorial/ext_standalone.html> to replace it 
with one securely obtained in anonymous ways (to overcome targeted attacks) 
<https://en.wikibooks.org/wiki/Talk:End-user_Computer_Security/Main_content/Broad_security_principles#Concerning_§⟪User_randomly_selecting_unit_from_off_physical_shelves⟫,_and_add_§⟪Anonymity_based⟫?>
 
that I'll be reprogramming using a brand new, securely obtained, Raspberry 
Pi computer 
<https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi>,
 
in addition to completely replacing components that have 
potentially-compromised firmware chips 
<https://en.wikibooks.org/wiki/Talk:End-user_Computer_Security/Main_content/Software_based#There_are_other_kinds_of_bootloaders_other_than_BIOSes_and_UEFIs,_as_well_as_similar_security_threats_based_in_other_kinds_of_firmware_(such_as_in_the_firmware_chips_of_graphics_cards)_so_perhaps_material_should_be_extended_and_generalised_to_cover?>
 
(such as the system disk). After taking such firmware-based security 
measures, you probably will mostly have to keep your 'fingers crossed', 
that the hardware hasn't been altered in other ways—such other kinds of 
alteration are probably unlikely though.

On the other hand, if you are looking at a brand new computer, Raspberry Pi 
computers <https://www.raspberrypi.org/products/raspberry-pi-400/>, 
smartphones, and tablets are just about the cheapest brand new computers 
you can get where you are able to do general computing things. As for the 
laptop requirement, you could perhaps think about setting-up a "pseudo 
laptop experience" using such computing devices.


Hope this helps,


Kind regards,


Mark Fernandes



 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9274363b-c168-4407-b935-af11e998749dn%40googlegroups.com.

Re: [EXT] Re: [qubes-users] Is it possible for an intruder to see the passwords that is being sent through a compromised router/networkconnection ?

[Mark Fernandes]

On Monday, 21 December 2020 at 09:15:00 UTC haa...@web.de wrote:

> On 12/21/20 1:08 AM, Ulrich Windl wrote: 
> > On 12/20/20 4:17 PM, Morten Eyrich wrote: 
> >> Okay so if I have been using a https connection, then it's no 
> >> problem... ? 
> > 
> > If they use a wrong certificate for a MITM attack they might decode your 
> > connection... It means nobody between you and the "next endpoint" can 
> > read your password, but how to ensure what the "next endpoint" really 
> is? 
>
> Ulrich is right. First, look at the "certificate story". These are meant 
> ensuring that you can trust your endpoint. ...

...
> Conclusion as usual: if your life depends on it, do not trust https. 
>
>
Just for clarity, if your HTTPS connection is compromised, it probably will 
not matter much whether your router is compromised or not. With such in 
mind, so long as you use an HTTPS connection, you probably don't need to 
worry much about your router. As haa...@web.de implied, not all 
certificates are equal (in respect of risk), and you may personally trust 
some more than others. With respect to the other risks, perhaps using SSH 
and VPNs might be more secure? Using MFA, multi-step authentication, and/or 
regularly changing your password, can help mitigate damage in respect of 
your security credentials being captured. 


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/57358980-e7c4-4889-a397-9e9f2d3ed0bfn%40googlegroups.com.

[qubes-users] Re: Are "smart" monitors/TVs a security issue?

[Mark Fernandes]

Hello trueriver,

Thanks for your post. No, you're not being overly cautious. Regarding your 
thoughts on whether there is much point securing the OS, I had the same 
kind of issues after my computer was hacked earlier this year. I realised, 
I couldn't just do a small fix here or there, as the issue of security was 
a bit like a water-carrying pipe with many punctured holes: patching just 
one or a few holes only meant that water came out of some other holes.

The result of my encountering of these issues, was the creation of a Wikibooks 
book on end-user computer security 
<https://en.wikibooks.org/wiki/End-user_Computer_Security>, particularly 
aimed at individuals without much resources (resources such as money)—feel 
free to add/edit its content, as it is a wiki.

On Wednesday, 25 November 2020 at 14:31:55 UTC trueriver wrote:

> ... 

In the days of CRT monitors one way the security of a computer system 
> could be compromised non-intrusively (ie without amending the 
> installed code) was by picking up the radio-frequency leakage ...
>
> Nowadays we do not have to worry about CRT monitors. But TVs are 
> increasingly delivered with their own internet connection, ...  

Clearly there is a computer inside which can be hacked, and if 
> so a remote shoulder surfing attack would be very possible. 
>
>
Getting back to your particular issues, smart TVs (and other 
internet-connected devices), are clearly a security concern, and I am not 
convinced that these issues are adequately dealt with for general 
consumers. Firmware doesn't generally seem to be sufficiently locked-down, 
meaning that middle-men attackers can possibly reprogram devices without 
leaving much evidence that leads personally back to them.
 

> Is the same true of monitors and of TVs that do not have an apparent 
> internet link? ... 
>
>
Regarding microprocessor/micro-controller VDUs without 
wireless-communications tech, they are probably safer. However, because you 
can now even get small WiFi SD cards <https://en.wikipedia.org/wiki/Eye-Fi>, 
even at what appears to be relatively inexpensive prices, I would perhaps 
be concerned over whether such VDUs might have undergone tampering so as to 
be able to steal your information through wireless means.

...if there much point securing the OS when the monitor might be an easier 
> target 
> for those out to (umm) monitor our reading and our keystrokes? 
>
>
There is a point in securing the OS in spite of the other security 
vulnerabilities you've highlighted, but only as part of a comprehensive 
security solution. It only takes the weakest link in the chain...
 

> ... I wonder if there is already some available mitigation? ...
>
>
In terms of available mitigation, the latest idea I've had (not yet 
properly included in the book), is to buy computer hardware with anonymity 
over Amazon (see some notes about it here 
<https://en.wikibooks.org/wiki/Talk:End-user_Computer_Security/Main_content/Broad_security_principles#Concerning_%C2%A7%E2%9F%AAUser_randomly_selecting_unit_from_off_physical_shelves%E2%9F%AB,_and_add_%C2%A7%E2%9F%AAAnonymity_based%E2%9F%AB?>).
 
You could also try using brands you trust more, or that are advertised as 
being more secure than normal. Also, you might think about going 
"barebones" in respect of the VDU: strip out the "bells and whistles" so as 
to reduce the attack surface.


Hope this helps,


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/31910182-8bc7-400c-bd63-b389e479feban%40googlegroups.com.

Re: [qubes-users] Digital art & 3D modeling/animation inside of Windows VM on Qubes?

[Mark Fernandes]

On Saturday, 5 September 2020 at 18:26:14 UTC+1 awokd wrote:

> Lazy Lexicographer: 
>
> > ... 

> 
> > So, I am a person who is interested in both digital art and 
> cybersecurity. 
> > ... I plan on switching over to ... [Qubes] ... completely in the near 
> > future. The only reason why I have not so far is because of the 
> > compatibility issue that exists between Qubes and digital art software I 
> > use (much of which is only good for Mac and Windows.) 
> > 
> > ... I plan on obtaining a very powerful computer (24 core CPU and 64GB 
> of RAM) 

> and have thought about running Qubes on it. I  have considered the 
> possibility of 

> creating one Windows 10 VM on it and using it solely for digital art. 

> ...

> using software for digital illustration,  3D modeling/animation and game 
> design 

> will still most likely be a serious issue because of the nature of 
> virtual machines. ...
>
> > I would still like to get anybody's thoughts ...
>
> ... It would be  easiest if you could switch to a Linux based art 
> package...
>  
>

Perhaps if you invested heavily in a large amount of RAM, you could 
consider loading your software and also the OS completely into RAM. Then 
you could have your OS and installed software on a read-only DVD for better 
security (to prevent to some degree malware from invading your set-up). 
Some info on why this may be good for security, can be accessed here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Digital_storage#Digital_storage_/_Chapter_4>.
 
Doing this would potentially preempt the need to get your graphics software 
to work with Qubes, since the set-up could be secure enough for your 
purposes.

There used to be DOS software called something like `ramdisk` that allowed 
you to convert your RAM into a 'virtual disk'

In regard to buying a brand new machine, you could instead consider 
dual-booting with just your existing machine, in such a way that the 
less-secure system, is not able to corrupt the more-secure system, by using 
means such as digital/electrical/physical isolation. Some info on how you 
might be able to create such a set-up, can be accessed here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Software_based#Qubes_OS_4.0.3_side-by-side_with_other_operating_systems>
.

If you are interested in cyber-security, it appears that at times using 
open-source software (such as maybe the open-source Blender software [which 
I think can be used for game design, 3D animation, etc.]) can offer 
security advantages over closed-source software. Some info on why this may 
be, can be accessed here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Software_based#Compiling_from_source>
.


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d6fdb288-d676-46d1-9a8c-1b1c5b9a93a0n%40googlegroups.com.

Re: [qubes-users] Re: Announcement: New community forum for Qubes OS users!

[Mark Fernandes]

On Wednesday, 26 August 2020 at 17:01:20 UTC+1 sv...@svensemmler.org wrote:

>
> ... Google earns almost all their money 
> by selling user data / presenting advertisements. ...
>
> Even if the engineers working on their products have good motivations, 
> as a publicly traded corporation Google's goals are ultimately 
> maximizing "shareholder value"... which you can see by them making 
> compromises for suppressive states (China et al). The same is true for 
> any corporation including Apple. 
>

I'm not so clued-in about the mechanics behind publicly traded 
corporations, but I would have thought that maximising profits (which 
perhaps is what you are implying) is the only goal. Some businesses can 
sacrifice profits for a certain set of ethics...
 

>
> > Chrome OS is cheap and sufficient enough for this particular set of 
> > low-stake needs I have. 
>
> That's perfectly fine. ...
>
 

> What I want to provide is an explanation why people in this forum -- who 
> care a lot about both security and privacy -- have a particular dislike 
> for surveillance capitalistic superstars like Google, Microsoft and 
> Facebook. The basic (lack of) trust argument can be made about all 
> non-open technology. 
>

Whilst there is a relationship between privacy and security, increasing 
security doesn't necessarily mean that you increase privacy. Your arguments 
against Google seem to be significantly in relation to privacy, but 
sometimes security can be increased at the cost of losing privacy.

The cloud-based aspect of Chromebooks means that in those situations where 
you don't consider you have much local on-site security, you can gain extra 
security by keeping things in the cloud, and using cloud software. I cover 
some of the reasons why this is the case, in the "Sandboxing and cloud 
computing" section I wrote in the End-user Computer Security book hosted on 
Wikibooks (which can be accessed here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Software_based#Sandboxing_and_cloud_computing>
).

Otherwise, Chromebooks can have security advantages because they use an 
open-source secure custom BIOS/UEFI known as Coreboot. Vendor-supplied OEM 
pre-installed closed-source BIOS/UEFI firmware can pose a security 
vulnerability--they can also be hard to replace with a custom firmware 
(which I'm particularly finding at the moment). Some info on the security 
aspects of custom BIOS/UEFI firmware can be found here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Software_based#Security_of_BIOS/UEFI_firmware>
.

That said, I definitely have security concerns over using the cloud. 
Keeping things on-site would probably be ideal in the case that you have 
strong on-site security.


Kind regards,


Mark Fernandes



/Sven 
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/85511eb5-061d-468a-87e5-017d0e37295cn%40googlegroups.com.

[qubes-users] Re: External Fully Encrypted SSD Drive. What do you think?

[Mark Fernandes]

On Tuesday, 28 July 2020 at 12:09:39 UTC+1 load...@gmail.com wrote:

>
> ...
> I am thinking now to buy a Macbook Pro 16' and use this laptop in 2 
> different ways:
>
> 1. *Mac OS* for non-working tasks on internal drive.
> 2. *Qubes OS* for all working process on external encrypted drive.
>
>
> So for External Encrypted Drive I chose:
> ...
>
>
>
> *So I have 2 questions:*
>
> *1. Is this enough for comfort using Qubes OS with this speed of SSD?2. 
> What kind of Hardware Encrypted Drive do you know which has more speed 
> capacity?*
>
>
> P.S.
> I know that most of you could tell me that this is not very smart to do 
> this way, but I have my own reasons why I need external and encrypted 
> drive. When I will finish this setup I will write full guide how I am using 
> Qubes OS and hope it would helps someone to understand which way to use is 
> better for each one.
>


Hello "load...@gmail.com",

Just been perusing the email conversation so far with regard to your 
enquiry. Interesting thoughts. Regarding writing a full guide, I have 
produced some documentation on End-user Computer Security on the Wikibooks 
site here <https://en.wikibooks.org/wiki/End-user_Computer_Security>. I 
would like it to be a general free repository of knowledge, guidance, and 
wisdom. If you are able to add to it in regard to your full guide, that may 
be quite helpful for the general community--even just posting a link to 
your guide there, would probably be helpful.

In respect of which encrypted SSD drive to use, I have no suggestions. 
However, the thought has occurred to me that you might get more security if 
you load Qubes to RAM from a DVD drive. Some info on why this may be the 
case, is shown here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Digital_storage>.
 
Not sure whether it is feasible though, and your "encrypted SSD" plan might 
be sufficient for your purposes.


Kind regards,


Mark Fernandes















 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0393eb65-cb2e-483a-90b9-9b1a59141df6n%40googlegroups.com.

[qubes-users] Re: Does qubes protect against all firmware viruses ?

[Mark Fernandes]

On Thursday, 2 July 2020 17:51:35 UTC+1, tomas.s...@gmail.com wrote:
>
> Problem with cd is: every time update for browser comes out, you would 
> have to burn qubes on new cd. I don't know if it is okay to run old browser 
> to access bank. How often you should upgrade your browser.
>

 
I should imagine you could likely just download the latest browser 
'on-the-fly' after Qubes starts-up. I suppose it depends on your internet 
connection. You can create a virtual disk in RAM for each Qubes session; 
such data is wiped when the computer is power cycled, so malware threats 
are generally low.

Alternatively, you might be able to create a multi-session DVD, so that 
whenever you have a new Qubes or new browser, you just add it to the 
current DVD (rather than throwing it out and starting afresh).

Would have thought using an old browser wouldn't pose that much of a 
security risk, but it's probably best to get advice from others on this. 
You will also probably find that other Qubes users have specifically 
experienced these issues; I've not encountered such issues (am a Qubes 
newbie). 


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fd91402e-5e30-4c02-b57f-8fc97118f58do%40googlegroups.com.

[qubes-users] Re: Does qubes protect against all firmware viruses ?

[Mark Fernandes]

I recently did a personal study that covered at least some of these issues. 
Ppl can also contribute to the study which is now public and in the form of 
a wiki.

On Monday, 8 June 2020 19:00:17 UTC+1, tomas.s...@gmail.com wrote:
>
> ... I know firmware viruses are rare, but still better safe than sorry. I 
> am looking for safe OS to do online banking from. If i use live usb of 
> QUBES, does that protect me against all firmware viruses ? ... 
>

My opinion is that it probably doesn't when you suspect you may already 
have firmware viruses. If you know you are clean (including that the USB 
memory stick is also clean from firmware malware [because USB memory sticks 
can also have firmware malware 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Digital_storage#General_security_risks_in_digital_storage>]),
 
then you'll probably be safe if you only use Qubes.

A live DVD of Qubes is likely more safe than a live USB memory stick of 
Qubes—see here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Digital_storage#Rewritable_media_vs_optical_ROM_discs>
.

For users not literate with the technical aspects of computing, who want to 
do online banking securely and safely, I would advise purchasing a brand 
new Chromebook using random physical selection at a physical computer store 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Broad_security_principles#User_randomly_selecting_unit_from_off_physical_shelves>.
 
Chromebooks appear to be quite secure in comparison to many other kinds of 
devices generally labelled as computers (I don't include smartphones in 
this comparison, and I don't know so much about which smartphone one should 
choose for online banking).

If you are more technically minded, and want to do online banking, it still 
might be the case that other "better" solutions are inappropriate for you, 
in the sense that they are all "overkill" solutions. Banks often refund 
monies stolen through fraud... However, if you are more technically minded, 
it probably is a good idea to look through the aforementioned study (the 
contents page can be accessed here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Preliminaries>).

Some info on the security of BIOS/UEFI firmware (from the study ) is 
documented here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Software_based#Security_of_BIOS/UEFI_firmware>
.
 

> Also i can't disable all my disks in BIOS, could that be problem ?  So 
> my main OS can't compromise Qubes. ... 
>

Would recommend physical disconnection of unused disks when dual-booting. 
As I think mentioned elsewhere in these mailing lists, you can do that by 
just taking out the power cable of the respective disks. See here 
<https://en.wikibooks.org/wiki/End-user_Computer_Security/Main_content/Software_based#Qubes_OS_4.0.3_side-by-side_with_other_operating_systems>
 
for more information.

 

> ... I wanted to dedicate my old pc for online banking, but Qubes doesn't 
> work there.
>

Might be a good idea to do such dedication. It can be good from a security 
perspective because of the isolation of the device from other systems you 
use. You could consider using the freely-available CloudReady OS 
<http://www.neverware.com/freedownload>,  which is something like ChromeOS 
(used on Chromebooks) for non-Chromebook devices. I've successfully 
installed CloudReady on an old Toshiba laptop.


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cff504f6-1b0b-4798-85f9-5fb42ab6e4a3o%40googlegroups.com.

Re: [qubes-users] Obtaining genuine Qubos installer

[Mark Fernandes]

Hello all,

Finally finished my Wikibooks *End-user Computer Security 
<https://en.wikibooks.org/wiki/End-user_Computer_Security>* book that at 
least partly covers the topic of how to obtain software (such as the Qubes 
OS software) securely.

The book makes specific mention of Qubes, and is accessible at 
https://en.wikibooks.org/wiki/End-user_Computer_Security. Its subtitle is:
 

 '*Inexpensive security for   ⦾ individuals,  ⦾ sole traders,  and   ⦾ 
small businesses*'. 

 [image: 
640px-Electronic-security_artwork_(lock_&_circuit-board_patterns).jpg]
 

The book is more based in ongoing, never-ending, democratic collaborative 
research, than a treatise on an established subject. Particularly because 
of such, you may wish to contribute to the work, even if that be just 
through peer review.

All feedback regarding the book is welcomed.


Kind regards,


Mark Fernandes



On Saturday, 7 March 2020 14:52:57 UTC, tetra...@danwin1210.me wrote:
>
> On Thu, Mar 05, 2020 at 06:33:38PM +, Mark Fernandes wrote: 
> >By the way, I consider that I am being completely reasonable with my 
> >threat 
> >model, whilst also employing critical thinking. How hard is it to go to a 
> >large PC store, and pick at random one Linux distribution, to take home, 
> to 
> >better ensure you have system integrity? 
>
> Sounds like the solution is pretty easy: go to a large PC store, buy a 
> PC and pick a random Linux distribution off the shelf, then use all that 
> to do your verifying. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fa683f51-2c5c-43e0-b171-6f39aa17242a%40googlegroups.com.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Mark Fernandes]

On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
>
>  
>
 Depending on your machine you 
> may be able to find ways to do this, by installing a kill switch, or by 
> BIOS configuration. 
> You may find that your BIOS allows you to disable certain devices pre 
> boot, and this may enable you to switch between active disks. 




I'm by no means an expert on Qubes or this particular issue. However, I am 
in the midst of writing a Wikibooks book on cost-effective end-user 
security that has a section about this. My thoughts in the book are more 
like RFCs (requests for comments) rather than definitive ideas (my hope is 
that other people will further develop, revise, and correct them, as 
applicable). *Please take that into account when reading them.* The section 
is shown below.

--


Qubes OS 4.0.3 <https://en.wikipedia.org/wiki/Qubes_OS> side-by-side with 
other operating systems <https://en.wikipedia.org/wiki/Operating_system>

Qubes OS 4.0.3 <https://en.wikipedia.org/wiki/Qubes_OS> is documented as 
not coping well 
<https://www.qubes-os.org/faq/index.html#can-i-run-applications-like-games-which-require-3d-support>
 
with software <https://en.wikipedia.org/wiki/Software> that specifically 
benefits from 3D-optimised hardware 
<https://en.wikipedia.org/wiki/Hardware_acceleration>. Since a user may 
well want to use such optimisation, the best way to use such optimisation 
on the same machine might be to do something like, or the same as, the 
following:


   1. 
   
   Install <https://en.wikipedia.org/wiki/Installation_(computer_programs)> 
   a Linux <https://en.wikipedia.org/wiki/Linux> operating system 
   <https://en.wikipedia.org/wiki/Operating_system>, with good security but 
   still with the capacity for being able to utilise 3D-optimised hardware, on 
   an SSD <https://en.wikipedia.org/wiki/SSD> external drive 
   <https://en.wikipedia.org/wiki/Data_storage>, such that this other 
   operating system is not run over Qubes, but instead run separate to Qubes.
   2. 
   
   When wanting to use this other Linux OS, disable the internal drive 
   (containing Qubes) in either:
   1. 
  
  the BIOS <https://en.wikipedia.org/wiki/BIOS>,   
  
   OR IF WISHING TO BE MORE SECURE,

   1. 
  
  both the BIOS 
  
as well as by physically disconnecting the internal drive

(this latter option might be a good idea to do 

because malware <https://en.wikipedia.org/wiki/Malware> in a BIOS's firmware 
<https://en.wikipedia.org/wiki/Firmware> 

can still connect to BIOS-disabled drives).

   1. 
   
   Boot <https://en.wikipedia.org/wiki/Booting> off the SSD to run this 
   other Linux.
   2. 
   
   After using the non-Qubes installation, because of the possibility of 
   malware being introduced into the BIOS firmware by the non-Qubes 
   installation, optionally flash 
   <https://en.wikipedia.org/wiki/BIOS#Reprogramming> the BIOS's firmware 
   to ensure better the Qubes installation isn’t compromised through firmware 
   malware <https://en.wikipedia.org/wiki/Malware> when you next use Qubes.
   

By following the above steps, and choosing the most secure options in the 
steps, because of:

   - 
   
   the disabling of the internal drive via the BIOS,
   - 
   
   the physical disconnection of the drive containing the Qubes 
   installation,   and
   - 
   
   the flashing of the BIOS firmware before the ‘reconnection’ of the 
   Qubes installation,
   
any such other OS should not be able to access or even ‘touch’ the Qubes OS 
installation, thereby hopefully safeguarding the Qubes installation from 
attacks conducted through the other presumably-less-secure OS.


--


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com.

Re: [qubes-users] Qubes better dove tailed for Journalists, and Human Rights Workers.

[Mark Fernandes]

On Saturday, 9 May 2020 22:03:15 UTC+1, Steve Coleman wrote:
>
>
> On Fri, May 8, 2020 at 7:13 PM Catacombs > 
> wrote:
>
>> A Journalist or a Human Rights investigator, I think are more comfortable 
>> with ease of use, not secure.  
>>
>  
> There is always a trade-off between security and usability for sure.  .
>

I'll just throw-in my two-cents slightly-tangential opinion regarding 
Qube's usability.

I often say about my Chromebook, is that it might not be able to do as much 
as you can with a conventional PC, but what it does do, it does well. I 
think that kind of mindset is important when thinking about Qubes. If it's 
hard to do networking, or play videos, then maybe that should be tolerated, 
in light of it being able to do its other functions pretty well. Sometimes 
we have to work or think around problems, rather than thinking things like, 
I need to use my 3D-optimised hardware under Qubes, so Qubes must be 
further developed to cater for that.

Anyway, that's just my contributed opinion.


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5ac3641a-1064-4adb-abb4-c2d1f1de0742%40googlegroups.com.

[qubes-users] Re: Qubes with limited user authority

[mark . russels]

 is a great merit for an architecture, but sometimes poor 
users (like my self) struggle to connect their little technicalities to the 
general scheme. I believe that Qubes have considerable potential commercially 
and professionally if those forward/backward links between the general scheme 
and daily issues are further   
 clarified and bonded.

Kindest regards,

Mark

On 27/04/2020 20.50, mark@net-c.com wrote:

I'm trying to get my head around possible use of Qubes in small/medium 
enterprise environments, where the system is maintained by an admin and the 
user freedom is limited by the company policies. I understand that the current 
Qubes design does not account for any threat coming for dom0's user, 
By design, a user already has root in the machine where Qubes is installed.

If you want to grant users, say, locked remote access to certain AppVMs, you 
will have to do so remotely by installing something like Qubes network server, 
and making some of those AppVMs available through encrypted VNC.  Then, by 
default, they will not be able to copy things between qubes on the same machine.

-- 
Rudd-O
http://rudd-o.com/






Thank you Rudd-o for the input, good idea indeed! however, it doesn't suite the 
case in hands.
I'm wondering if the direction the developers are taking in 4.1 and subsequent 
releases adopts the authorities isolation with the networked model similar to 
what Rudd-o suggested, or would the GUI-domain helps in providing a less 
powerful login user, than Root.
As Qubes was designed for a single user/root access, I was wondering what 
possibly the "best" ugly solution to the problems presented

Mark





-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ea-mime-5eb33ab5-268b-6835a61a%40www-2.mailo.com.

[qubes-users] Privacy, security, comfort, and Qubes OS

[Mark Fernandes]

CONTINUATION FROM GOING OFF TOPIC @ 
https://groups.google.com/d/msg/qubes-users/hv-meif5_tU/bsNbb8PxAQAJ


> > Here in the UK, we have a pretty effective democracy where different 
> groups (including the general public) can lobby the government. 

. ...


> I don't want to say much on this, but enough information is available
> online. All I can say is that, India, like in almost everything, is in
> a class by itself. It is also one of the most affected by the repeated
> states of exception, some global, some local, in the sense of
> Surveillance Capitalism, very closely tied to the state, across the
> political spectrum. In theory, privacy has recently been declared a
> fundamental right by the courts, but theory is just theory. Sometimes
> it furthers in practice the exact opposite of what it says, because
> you can always point to the theory and say everything is alright and
> the concerns are unwarranted etc.
>
>
>
Yes, theory and practice are two different things. Even here in the UK, 
many people don't take data protection legislation that seriously. I have 
to confess, I have found myself frustrated trying to conform to such 
legislation for my own business activities. 

It's important that practices, systems, and products are secure-by-design. 
In a way Qubes facilitates this by forcing users into certain patterns of 
behaviour that move an organisation towards being more secure. Adding 
security as an after thought can make things too complicated and 
cumbersome. Designing systems that from the get-go have had security in 
mind, and built around security, is important. As an example, in this Qubes 
forum, someone raised the issue that until hardware becomes open-source, 
we're still going to be significantly compromised. If instead, every 
element of the computer system was built with security in mind, from the 
ground up, then perhaps you wouldn't be undermined in such ways.

When I was reading about data protection legislation, I think I read that 
Germany (maybe just a certain state/county/area of Germany) was the first 
or one of the first to implement data protection legislation. The unethical 
use of data was used by the Nazis in their antisemitism, and that's perhaps 
why Germany were such early adopters.

One of the perhaps concerning things, is the rise of social media. Social 
media definitely brings benefits. But then there are many data protection 
issues of concern, especially when users publish so much personal 
information about themselves using it. I can imagine the intelligence 
communities around the world loving social media, because basically, it 
gives them access to indexed databases of information all about different 
persons, and they don't have to fund any of it: the private sector are 
creating these products and users are giving out there information freely, 
in their own free time.


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0031436a-976e-4269-96d0-406e7346348d%40googlegroups.com.

Re: Antw: [EXT] [qubes-users] Re: Erste deutsche Rezension von Qubes OS auf Youtube

[Mark Fernandes]

APOLOGIES FOR GOING OFF TOPIC SOMEWHAT. SHOULD WE MOVE THIS DISCUSSION TO A 
DIFFERENT THREAD?


On Tuesday, 5 May 2020 21:12:43 UTC+1, Anil wrote:
>
> 
> In usage, the words security and privacy are often assumed to be 
> synonymous. This is wrong by a wide margin. They are, in fact, quite 
> often in direct opposition to each other, depending on what kind of 
> security you are talking about. 
>

Totally agree with you that the terms security and privacy are often 
conflated one with the other. Most of the popular public discourse focuses 
on privacy. But for me, and probably many others, this rates fairly low in 
my mind. What is more important, is security: security that your 
communications have not undergone tampering, security that your money isn't 
being stolen, security that no-one is fiddling with your online accounts, 
etc. Privacy is also important, but only as a part of the overall aim of 
achieving security.
 

> ...

It may be obvious, but the answers to the questions about these three 
> lie only partially in technology. Regardless of technology, the 
> critical parts of the answers lie outside the domain of technology. On 
> forums like this, we tend to ignore them, because there is little we 
> can do about them. 


Very true that security is about much more than simply technology. 
Non-technology issues are probably mostly ignored in these forums, because 
these forums are dedicated to a particular piece of technology, and because 
most subscribers are likely technology specialists. It's good to have 
lateral experience of different domains, and also to bring-in people who 
aren't technology specialists, so that their creative input can add extra 
value to the discussions.

One thought I've had is that changing business models, from closed-source, 
to open-source, can sometimes be an effective security solution: if you 
find people are stealing your software, just give it away for free, and 
charge for customisation and support?

... 

One more thing. Businesses and governments will usually find the 
> solutions they want because they can afford them, whether they are 
> right or wrong. It is individuals who need solutions from places likes 
> this forum and from developers of open software/hardware.  ... 


Here in the UK, we have a pretty effective democracy where different groups 
(including the general public) can lobby the government. As such, the 
general public can lobby the government in order to get the government to 
provide more effective cyber-security resources for the general public. Not 
sure about America or India (India is perhaps where you are based?). 
America are strong democracy advocates and India has the largest democracy, 
but I don't know whether their democracies are in reality broken systems
 

Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/25fc2e96-de19-4b7a-a166-7f905dccef84%40googlegroups.com.

Re: Antw: [EXT] [qubes-users] Re: Erste deutsche Rezension von Qubes OS auf Youtube

[Mark Fernandes]

*Quoted quoted reply: Ulrich Windl (on Mon, May 04, 2020 at 09:50:31PM 
+0200)Quoted reply: Sven Semmler (on May 04 06:37PM -0500)*

... 

> I severely doubt you can convince the typical Windows user to use QubesOS 
> for daily work. "Security" is not a product you can buy, and "security" is 
> the "is the opposite of "comfort".


> Security and comfort are more like two opposing poles of a continuum. 

Personally I do think Qubes does a rather excellent job of 
> demonstrating "reasonable security". 

...

 
The terms 'security' and 'comfort' (IMHO) are not so closely related as you 
both imply. You can have high security whilst at the same time maintaining 
comfort, especially when security runs in the background without the user 
having much involvement. It should be noted that even Windows (supposedly 
designed for 'stupid people') does have a certain level of security.

Whilst QubesOS may never be widely adopted, the research artefacts produced 
in the development of QubesOS may end-up being incorporated in other 
popular operating systems (including Windows). From this perspective, 
QubesOS may be a very worthwhile endeavour.

 

> > People want comfort not security. Why else would they use Alexa or 
> Google assistant or Siri, dubious password managers, etc.? 
> ...


People also want security. In fact, they want security in respect of real 
security needs. It just depends on how much security is acceptable.

I think it's important to think about these things in the context of 
'threat models'. In my non-business related activities, I often just don't 
care whether people are spying on me, and also whether they steal 
intellectual property from me. Sometimes, such illicit activities may even 
work to my favour (in a round-about way). Matching security to such a 
threat model, can mean that you only need very low security. On the other 
hand, for my business activities, especially in respect of legal 
requirements, security is very important, both for my business, and my 
clients.

 

> ... Qubes for private use without the user 

recognizing the need is unrealistic. ...
>
>  
Qubes for private use without the user recognising the need may still be 
realistic. Users are often completely oblivious to the functionality of OEM 
software. Manufacturers may choose to pre-install QubesOS regardless of 
whether users recognise the need for security.
 

Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b9948f2e-9b65-424e-9209-868d541ebd83%40googlegroups.com.

[qubes-users] Qubes with limited user authority

[mark . russels]

 scheme. I believe that Qubes have considerable potential commercially 
and professionally if those forward/backward links between the general scheme 
and daily issues are further   
 clarified and bonded.

Kindest regards,

Mark


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ea-mime-5ea7295b-4bb2-65cff407%40www-2.mailo.com.

Re: [qubes-users] Building a new pc for running Qubes OS

[Mark Fernandes]

>
>  ..
>
I am looking for a bit of a work horse (not nessisarily bleeding edge) ...

 
 

> ...  getting something that is 
> highly likely to play nice with Qubes is pretty 
> much at the top of my priority list. 
>

 
Not sure what kind of activities you're planning on undertaking with your 
computer, but if you're doing any kind of activity that benefits from OpenGL 
<https://en.wikipedia.org/wiki/OpenGL>, be aware that Qubes doesn't offer 
any OpenGL virtualisation 
<https://www.qubes-os.org/faq/index.html#can-i-run-applications-like-games-which-require-3d-support>
. 

Also, just wondering whether Qubes is a good fit for you, given that its 
above-average security seems as though it definitely has the potential of 
causing a significant performance hit for "work horse" type activities.


Thanks,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ddc638b5-41bf-4141-a9df-2f735a6e47e8%40googlegroups.com.

Re: [qubes-users] Building a new pc for running Qubes OS

[Mark Fernandes]

>
> > Forgive my ignorance, but I would have thought that if you were planning 
> on 
> > using Qubes OS <https://www.qubes-os.org/>, you would be looking at 
> > obtaining hardware least likely to have been compromised, and so would 
> > probably exclude from consideration such second-hand items. 
> > 
> 
> ... Depends on if and how someone might be targeted. 

For example, shipments with your name on 
> them can be reliably and surreptitiously intercepted and modified, 
> whereas the possibility of second hand hardware bought in person with no 
> advance notice being compromised at the hardware level (i.e. a drive 
> format won't fix it) is relatively slim. 
>
>  
Thanks Awokd for your take on this.

But surely it would be better just to buy it brand new in a shrink-wrapped 
condition over the counter at a physical store, where you randomly select 
the hardware from many alternatives? In the UK, we have a store called PC 
World that seems set-up for such buying strategies in mind.

Any thoughts?


Thanks,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9792deb2-dc15-4475-aa0c-978f2f078b06%40googlegroups.com.

Re: [qubes-users] Building a new pc for running Qubes OS

[Mark Fernandes]

On Wednesday, 8 April 2020 15:43:43 UTC+1, Catacombs wrote:
>
> Six weeks ago I saw workstations at Salvation Army thrift store.  From 
> some company who did video editing.  Windows 7 era.   Xeon, 32 GB RAM.  No 
> keyboard mouse or monitor.   
>
> Usually these have had hard drives removed.  No warranty.  No return. 
>  They have zip ties to keep people from feeling around inside.  So I don’t 
> know if video cards have been removed.   
>
> ...


Forgive my ignorance, but I would have thought that if you were planning on 
using Qubes OS <https://www.qubes-os.org/>, you would be looking at 
obtaining hardware least likely to have been compromised, and so would 
probably exclude from consideration such second-hand items.

If anyone has any contrary insights regarding this, would be very happy to 
be corrected concerning this. Maybe I'm just mistaken?


Thanks,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/389b26a9-aeae-4674-9d75-4679ecf49f34%40googlegroups.com.

Re: [qubes-users] Building a new pc for running Qubes OS

[Mark Fernandes]

On Tuesday, 31 March 2020 19:38:06 UTC+1, Stumpy wrote:
>
> On 2019-11-01 14:57, M wrote: 
> > I’m thinking about building a new pc for running Qubes OS with the 
> following specifications: 
> > 
> 

 

> > 
> > Does anyone know about if this will result in any problems in relation 
> to running Qubes OS besides “the ordinary challenges”, and if so which 
> problems ? 
> > 
> Did you happen to get any responses to this? Or if you already built it 
> how is it working? (I am starting to think about putting a box together 
> so am trying to take notes from others posts) 
>

Hello @Stumpy,

Yesterday, I came across the Novena 
<https://en.wikipedia.org/wiki/Novena_(computing_platform)> open-source 
computing hardware platform whilst surfing. If you're interested in having 
high security in all the hardware of the computer that you use, it might be 
worthwhile having a look at it. Also, the info here 
<https://www.bunniestudios.com/blog/?cat=28>, might additionally be useful 
for you, for the same reasons.

It might be worthwhile you posting about what you end-up doing, so others 
can learn from it.


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5de4fb58-53ca-4967-9ca6-90114ca5b8f3%40googlegroups.com.

Re: [qubes-users] Obtaining genuine Qubos installer

[Mark Fernandes]

On Fri, 6 Mar 2020 at 14:19, Anil  wrote:

> ...



My threat model (to the extent it may be practical to address) is that
> I can't assume any kind of physical security (of devices in
> particular) and I can't rely on passwords or passphrases or software
> based 2FA. More than that I can't reveal.
>
> > What do you trust?
>
> Practically speaking, I have to trust a solution that address the
> above threat model, ...
> --
> अनिल एकलव्य
> (Anil Eklavya)
>
>
>
Hello Anil,

After my security overhaul *(being done because I was recently hacked)*, I
plan on publishing an article on how I've changed my security practices and
what thoughts I have on maintaining security in general. Probably will
publish it on LinkedIn. The article should address your threat model *(at
least to some extent)*.


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANJMFk-c1B2pjhptZ4gg_%3DbUuhSjRRTG9RZyYkg3uvgHs-2r6g%40mail.gmail.com.

Re: [qubes-users] Obtaining genuine Qubos installer

[Mark Fernandes]

On Thu, 5 Mar 2020 at 18:21, Chris Laprise  wrote:

> On 3/5/20 7:31 AM, Mark Fernandes wrote:
> > I want to get a genuine copy of Qubos, from here in the UK (United
> Kingdom).
> >
> > The only way described on the Quebos website at present, appears to be
> > to download the ISO.
> >
> > I have the classic security problem described on the website
> > <https://www.qubes-os.org/doc/install-security/>, where not having a
> > trust-worthy machine, means that I have a never-ending chain of trust
> > issues for each machine that I use in the obtaining of the software.
>
> Many of us work with a threat model that assumes at least some computers
> available by retail are not compromised "out of the box", or else if
> compromised then not at the BIOS/UEFI firmware level. For this model,
> verifying the Qubes ISO with gpg is acceptable.
>
>
Hello Chris,

I've only heard of gpg as a binary running over an operating system. Is it
available as something you can run directly off boot-able media?

In any case, you still need to ensure that gpg hasn't been compromised. If
it has to run off an OS, that OS needs to have not been compromised. If you
need to download gpg, the OS which you use for downloading gpg has to be
not compromised. The website doesn't appear to address these issues. The
security Qubes OS offers may be great. But getting from a position where
you don't have Qubes OS at all, to having Qubes OS installed, appears to be
a serious security concern.


You can also qualify the model somewhat and say that an attacker cannot
> successfully infect all of your (hopefully diverse) computers, so that
> makes checking a signature on several different computers a form of
> reassurance.
>
> OTOH, you may have decided to discard the above threat model because of
> some intent or capability known to you. In that case, I think the Qubes
> community has only two answers: Find a trusted service that can flash a
> known good/uncompromised firmware suite onto one of your machines, or
> find a system vendor like Insurgo or NitroKey that sell re-flashed
> systems and uses anti-interception measures (like tamper-evident
> packaging and signatures) in addition to offering Qubes pre-installed.
>
-- 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>
>
 Thanks for these tips. They are valuable.


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANJMFk8DUVciwtjFs%3DRJQf9EPNHgU1cRWE7N7NfreF9epqCtvA%40mail.gmail.com.

Re: [qubes-users] Obtaining genuine Qubos installer

[Mark Fernandes]

I know what signatures and hashes are. I've just never needed to be so
bothered with them for my activities.  I studied Computer Science at degree
level

I was recently hacked and this is why I'm so concerned about my security.
I'd rather over-kill than under-kill at the moment, because later on, I'd
rather not have to worry about security.

Given that the operating system is such a fundamental aspect of conducting
computing activities, I hardly consider it painless *at all*, to compare
ISO images. I have no idea where you get the idea that doing so is
difficult?

>From what you have elaborated concerning signatures, you just give further
reason to have concerns over trusting signatures. With sufficient computing
power, sufficient time, it just seems absolutely reasonable to be able to
re-hack an OS image so that it produces the same signature but also
contains a security vulnerability. Or am I not enough informed (which I
admit might be the case)?

By the way, I consider that I am being completely reasonable with my threat
model, whilst also employing critical thinking. How hard is it to go to a
large PC store, and pick at random one Linux distribution, to take home, to
better ensure you have system integrity? As said above, the OS is very
important, and it's not as though people tend to install their OS
frequently.

I don't know what you mean about picotech, but I'm guessing you're probably
referring to hardware or devices happening on the picometre level? I
haven't said anything about such threats. but if they are reasonably
plausible (which may be the case), then perhaps certain individuals should
consider them. The diversification of work is oriented to all the different
aspects of it... security work is just another kind of work that sometimes
needs attention. If you can't do something securely, sometimes, you should
just not do it at all, and perhaps do something else, something altogether
different, etc.


Thanks,


Mark Fernandes

On Thu, 5 Mar 2020 at 17:26,  wrote:

> On Thu, Mar 05, 2020 at 03:56:55PM +, Mark Fernandes wrote:
> > Well that's an idea. But still what if the software you are being 'fed'
> is
> > all tampered software, so that after replacing the computer, as soon as
> you
> > use software, you are compromised again?
> > Purchasing a new computer can also be expensive, and still in any case,
> you
> > might find that any software pre-installed on it may have already been
> > compromised.
>
> welcome to "supply chain security is hard".
> please have a seat next to that person posting here in the last days
> how he doesnt trust chips from china...
>
> the end result is still:
> as long as you dont have a computer you trust, the whole rest
> of this is pointless.
> if you have a computer you trust, verifying a signature is a lot
> more useful than variations of "i bought it in a shop while wearing
> a fake beard, so it is certainly legit".
> (which applies to the hardware too!)
>
> and the point of using different sources of info on the master key
> is that an attacker who wants to fool you has to intercept every
> single one of them. if he misses even one, the game is off.
> and getting the master key fingerprint from many different
> directions/sources seems a lot more realistic than doing the same
> for an iso image...
>
> and you dont have to trust any one of these sources, but if you
> add up enough of these untrusted sources, you can still trust
> the end result as long as your threat model doesnt include every
> single of the sources conspiring against you, or being compromised
> by the same attacker...
>
>
> > Eg. suppose you are a person like Edward Snowden, and that you are a
> > targeted individual. Then such intensive manipulation is perhaps entirely
> > plausible.
>
> i am reasonably sure you are not ed snowden.
> (if you are: sorry. i assumed ed snowden to know what a hash and
>  signature are.)
>
> but here is another headache:
> (warning: nerd-sniping and messing-with-tinfoilhats ahead)
>
> you are of course right that checking hashsums or signatures isnt
> 100% safe. what if there are alien quantum computers involved.
>
> lets run numbers, the "basic math" kind:
> the qubes 4.0.3 iso is 38646317056 bits in size.
> the signature is against a 256 bit hash (over 1056 bits of intermediate
> hashes plus some metadata).
>
> so there are about 2**38646316800 different iso images of the same size
> that will match this signature. or 2**38646316000 to match the intermediate
> hashes so you wouldnt have to bother faking the sigfile.
> thats close enough to "infinitely many" for me to not actualy calculate it.
> (hint: thats several times the estimated number of atoms in the universe)
>
> wait. who said the e

Re: [qubes-users] Obtaining genuine Qubos installer

[Mark Fernandes]

On Thu, 5 Mar 2020 at 15:42,  wrote:

> On Thu, Mar 05, 2020 at 03:30:26PM +0000, Mark Fernandes wrote:
>
> > So if your computer has been compromised, the methods you suggest may be
>
> if your computer has been compromised to the point where
> you dont trust it to verify a signature, you need a new
> computer to install qubes on.
>
> once you have a computer you trust enough to install qubes on,
> you can use it to verify the signature.
>
>
Well that's an idea. But still what if the software you are being 'fed' is
all tampered software, so that after replacing the computer, as soon as you
use software, you are compromised again?

Purchasing a new computer can also be expensive, and still in any case, you
might find that any software pre-installed on it may have already been
compromised.

Eg. suppose you are a person like Edward Snowden, and that you are a
targeted individual. Then such intensive manipulation is perhaps entirely
plausible.


Thanks,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANJMFk9nq6N6eHNh4s18RpOx4SfJnXO3%3DFB%2B8jVavydCd%2BVErA%40mail.gmail.com.

Re: [qubes-users] Obtaining genuine Qubos installer

[Mark Fernandes]

On Thu, 5 Mar 2020 at 15:01, Mike Keehan  wrote:

> On 3/5/20 2:40 PM, Mark Fernandes wrote:
> > On Thu, 5 Mar 2020 at 13:30, Mike Keehan  > <mailto:m...@keehan.net>> wrote:
> >
> > On 3/5/20 12:31 PM, Mark Fernandes wrote:
> >  > I want to get a genuine copy of Qubos, from here in the UK
> > (United Kingdom).
> >  >
> >  > The only way described on the Quebos website at present, appears
> > to be
> >  > to download the ISO.
> >  >
> >  > I have the classic security problem described on the website
> >  > <https://www.qubes-os.org/doc/install-security/>, where not
> having a
> >  > trust-worthy machine, means that I have a never-ending chain of
> > trust
> >  > issues for each machine that I use in the obtaining of the
> software.
> >  >
> >  > I suggest that the hyper-linked web-page above, be updated to
> > provide
> >  > further guidance as to how to ensure you have a genuine copy of
> the
> >  > Qubos software. *_Also, can anyone in this news group provide any
> > such
> >  > guidance for myself (and others?)_*
> >  >
> >  >
> >  >
> >  > (Solely) some thoughts on how to help ensure possession of a
> > genuine
> >  > copy of Quebos:
> >  >
> >  >  1. If Quebos is distributed through PC magazine DVDs, users
> can
> >  > purchase a few copies of a particular magazine having
> such a
> >  > DVD, at random, from different stores, in widely different
> >  > locations (different counties, etc.) Users can then
> > compare the
> >  > copies to make sure they are identical.
> >  >  2. Purchase Quebos from a randomly chosen big PC store, that
> has
> >  > perhaps 100 copies of the software on its shelves, on a
> day
> >  > picked at random, by selecting one of the copies at
> > random from
> >  > the shelves.
> >  >  3. If a user believes they are being tracked, what they can
> > do, is
> >  > schedule in their mind (or otherwise), to make such a
> > purchase
> >  > over the next few months, and then when they are doing
> some
> >  > activity (for example visiting a friend in the city),
> > they can
> >  > just as an aside go and purchase a copy of the software.
> >  >  4. Purchase the Quebos software from an online retailer,
> > that uses
> >  > special tamper-evident packaging
> > <https://www.jwproducts.co.uk>,
> >  > and then compare the copy obtained in this way, with
> software
> >  > downloaded from the Quebos website.
> >  >  5. Obtain software in several ways, then compare copies to
> make
> >  > sure they're identical.
> >  >
> >  >
> >  >
> >  > Thanks,
> >  >
> >  >
> >  > Mark Fernandes
> >  >
> >  >
> >
> > Have you read the documentation at
> > https://www.qubes-os.org/doc/installation-guide/ ??
> >
> >
> > I previously skim read what appeared to be the relevant parts from the
> > guide. Just now, I read from the beginning till the following text in
> > the guide:
> >
> > /Once the ISO has been verified as authentic, you should.../
> >
> >
> > The text after that point appears to be irrelevant.
> >
> > The only thing relevant to this topic in the guide, appears to be the
> > information on verifying signatures (which is of course standard
> > practice). In reading information on the Quebos website, there was
> > implicit mention that users may be operating under oppressive
> > regimes/circumstances. With this in mind, I just feel that more guidance
> > is needed on how to obtain authentic copies of the Quebos software. I've
> > hinted at some ideas as to how to do this, in my starting post for this
> > topic.
> >
> >
> > Thanks,
> >
> >
> > Mark Fernandes
> >
>
> And did you thoroughly read the linked "our guide on verifying
> signatures" page?
>
> https://www.qubes-os.org/security/verifying-signatures/
>
> It shows you how to verify that the ISO you download was actually
> created by the 

Re: [qubes-users] Obtaining genuine Qubos installer

[Mark Fernandes]

On Thu, 5 Mar 2020 at 13:30, Mike Keehan  wrote:

> On 3/5/20 12:31 PM, Mark Fernandes wrote:
> > I want to get a genuine copy of Qubos, from here in the UK (United
> Kingdom).
> >
> > The only way described on the Quebos website at present, appears to be
> > to download the ISO.
> >
> > I have the classic security problem described on the website
> > <https://www.qubes-os.org/doc/install-security/>, where not having a
> > trust-worthy machine, means that I have a never-ending chain of trust
> > issues for each machine that I use in the obtaining of the software.
> >
> > I suggest that the hyper-linked web-page above, be updated to provide
> > further guidance as to how to ensure you have a genuine copy of the
> > Qubos software. *_Also, can anyone in this news group provide any such
> > guidance for myself (and others?)_*
> >
> >
> >
> > (Solely) some thoughts on how to help ensure possession of a genuine
> > copy of Quebos:
> >
> >  1. If Quebos is distributed through PC magazine DVDs, users can
> > purchase a few copies of a particular magazine having such a
> > DVD, at random, from different stores, in widely different
> > locations (different counties, etc.) Users can then compare the
> > copies to make sure they are identical.
> >  2. Purchase Quebos from a randomly chosen big PC store, that has
> > perhaps 100 copies of the software on its shelves, on a day
> > picked at random, by selecting one of the copies at random from
> > the shelves.
> >  3. If a user believes they are being tracked, what they can do, is
> > schedule in their mind (or otherwise), to make such a purchase
> > over the next few months, and then when they are doing some
> > activity (for example visiting a friend in the city), they can
> > just as an aside go and purchase a copy of the software.
> >  4. Purchase the Quebos software from an online retailer, that uses
> > special tamper-evident packaging <https://www.jwproducts.co.uk>,
> > and then compare the copy obtained in this way, with software
> > downloaded from the Quebos website.
> >  5. Obtain software in several ways, then compare copies to make
> > sure they're identical.
> >
> >
> >
> > Thanks,
> >
> >
> > Mark Fernandes
> >
> >
>
> Have you read the documentation at
> https://www.qubes-os.org/doc/installation-guide/ ??
>
>

I previously skim read what appeared to be the relevant parts from the
guide. Just now, I read from the beginning till the following text in the
guide:

*Once the ISO has been verified as authentic, you should...*


The text after that point appears to be irrelevant.

The only thing relevant to this topic in the guide, appears to be the
information on verifying signatures (which is of course standard practice).
In reading information on the Quebos website, there was implicit mention
that users may be operating under oppressive regimes/circumstances. With
this in mind, I just feel that more guidance is needed on how to obtain
authentic copies of the Quebos software. I've hinted at some ideas as to
how to do this, in my starting post for this topic.


Thanks,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANJMFk8hfkvRHfBNEJFzxX5fNjM_0cNkFbcw10mAxPt3UsQsHQ%40mail.gmail.com.

[qubes-users] Obtaining genuine Qubos installer

[Mark Fernandes]

I want to get a genuine copy of Qubos, from here in the UK (United Kingdom).

The only way described on the Quebos website at present, appears to be to 
download the ISO.

I have the classic security problem described on the website 
<https://www.qubes-os.org/doc/install-security/>, where not having a 
trust-worthy machine, means that I have a never-ending chain of trust 
issues for each machine that I use in the obtaining of the software.

I suggest that the hyper-linked web-page above, be updated to provide 
further guidance as to how to ensure you have a genuine copy of the Qubos 
software. *Also, can anyone in this news group provide any such guidance 
for myself (and others?)*



(Solely) some thoughts on how to help ensure possession of a genuine copy 
of Quebos:


   1. If Quebos is distributed through PC magazine DVDs, users can purchase 
  a few copies of a particular magazine having such a DVD, at random, from 
  different stores, in widely different locations (different counties, 
etc.) 
  Users can then compare the copies to make sure they are identical.
  2. Purchase Quebos from a randomly chosen big PC store, that has 
  perhaps 100 copies of the software on its shelves, on a day picked at 
  random, by selecting one of the copies at random from the shelves.
  3. If a user believes they are being tracked, what they can do, is 
  schedule in their mind (or otherwise), to make such a purchase over the 
  next few months, and then when they are doing some activity (for example 
  visiting a friend in the city), they can just as an aside go and purchase 
a 
  copy of the software.
  4. Purchase the Quebos software from an online retailer, that uses 
  special tamper-evident packaging <https://www.jwproducts.co.uk>, and 
  then compare the copy obtained in this way, with software downloaded from 
  the Quebos website.
  5. Obtain software in several ways, then compare copies to make sure 
  they're identical.
   


Thanks,


Mark Fernandes


#installation #installer #media #DVD #ISO #tamper #genuine #intercept 
#man-in-the-middle-attack #MITM

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1d4543f7-b4cf-47c9-9926-6ce9a21360d2%40googlegroups.com.

[qubes-users] Re: Which qube is most secure for internet use?

[Mark Newman]

On 8/16/19 12:17 PM, O K wrote:
Well I'm not as concerned about people monitoring/intercepting the 
content of my communications, just about identifying information about 
the hardware of my computer being accessible.  I know it's not easy to 
acquire info about someone's computer from the internet, and if the 
computer's running Qubes I would imagine it's harder, but I think it can 
be done (definitely Mac address but possibly more info).


On Friday, August 16, 2019 at 11:57:19 AM UTC-4, 799 wrote:


On Fri, 16 Aug 2019 at 16:52, O K
> wrote:
 > Which qube is most secure when it comes to keeping any
identifying info about my computer
 > invisible from anyone on the internet (or if not completely,
which qube does this the best)?  Thanks.
I would say that the safest way to assume, that there is no
invisibility.
But using a Whonix DVM -> whonix-dvm-ws-14-dvm will likely be a good
option.
You might want to learn about this here:
https://www.whonix.org/wiki/Qubes/DisposableVM


Addtionally you might want to ask yourself: What are the threads
your protecting against?
And then try to figure out what is the weakest part in your setup.

[799]

--
Actually it is VERY easy to "acquire info about someone's computer from 
the internet".  Also unfortunately, while Whonix does a good job of 
masking your IP address (your location), it does NOT protect you against 
the website you visit from taking and keeping your browser 
"fingerprint".  For more information on your browser fingerprint see:

https://panopticlick.eff.org/
Whether any of this "fingerprint" data is actually gathered depends on 
the website that you are visiting.  It is also possible that a 
well-intentioned website could be unknowingly hacked by a government 
entity to collect just such information.  Further the website could be 
placing a cookie on your machine.
The usual actions here are to make your browser settings more common so 
your "fingerprint" is not unique.  Also using a temporary qube and 
deleting it after use will erase any cookies.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/qj7ulf%2463qf%241%40blaine.gmane.org.

[qubes-users] Re: coreboot on modern hardware?

[Mark Newman]

On 3/23/19 3:03 PM, jrsmi...@gmail.com wrote:

Spent several hours yesterday trying to track down what I would need to do to 
install coreboot on all of my computers, starting with my Qubes box: a Levnovo 
Thinkpad T480.

The bottom line from what I can tell is that if you have an Intel CPU made 
since 2008 (any that have Boot Guard) or an AMD CPU made since 2013 (any that 
have PSP), you are out of luck.  Libreboot spells this out in their docs.  I'm 
not sure if that is because of coreboot itself or something specific to 
Libreboot. I was stuck by how they seemed perfectly fine walling themselves off 
from the present and the future.

I could find nothing indicating that anyone had even tried, much less 
succeeded, in installing coreboot on a T480 and everything I did find was for 
much older hardware.

I read through the coreboot docs where they just wave their hands at the end of the build 
process and say "now go flash".  I also read through the heads docs, which say 
more or less the same thing.

Hackaday has an article on the horrors of installing coreboot on a Toshiba 
laptop.  Not only do they neglect to say which model they used, at the end of 
the article they had it working.

The gist is that the information that's out there is out of date, incomplete, 
misleading, and sometimes just incompetent.

I'm hoping that someone here has first-hand knowledge and can advise me (and 
others who read this).

Thanks,
John Smiley



I don't think Libreboot is "fine with walling themselves off from the 
future", I just think they would rather not have a back door open that 
they cannot close.  See:

https://libreboot.org/faq.html#intel  (scroll down for AMD) and
https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
For myself, I also only use AMD CPUs prior to 2013. If this means I 
can't run Qubes 4, much as I would like to, I will have to take other 
security precautions, especially since I read that Joanna Rutkowska said 
that using IOMMU does not protect from this remote management attack. 
(Sorry I can't find that reference).




--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3c008fc0-316d-b34a-93c6-463c48d03272%40yandex.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Confused about virtualization's protections

[Mark Newman]

I understand how Xen works to compartmentalize one VM from another. What I 
don't understand is how or if it can help protect from things like rootkits, 
key loggers and especial the Intel Management Engine backdoor. (See:
https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it)
I am not a security professional, and am hoping someone can explain so I can 
understand.
Thanks,

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/18782191554494400%40myt3-c573aa6fc782.qloud-c.yandex.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Tweak Tool not working as expected after upgrade to Fedora 26

[Mark Malcom]

Well guys, just trying to see if anyone is facing the same issue here:

I downloaded fedora-26 template and after that my gnome-tweak-tool is 
completely ignored: no themes, no windows scaling anymore. Not just the Tweak 
Tool, but if I try to change the scale factor with gnomesettings, that is also 
ignored.
This is true for new and existing appVMs and also, an upgrade from Fedora 25 to 
26 with subsequent qubes trimming yields the same result.

It is really annoying as I have a 4K display and now had to downgrade the 
resolution and still getting very small windows.

Maybe could anyone shed a light what can be done to get these settings back 
again? I'm not sure if there is any other package that needs installed and 
configured for the Tweak Tool to work, plus gnome scaling settings.

Thanks everyone.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f535a74-f604-47a0-bca8-bd9252a0248d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Getting Flash Player to work

[Mark Eubanks]

I finally got it to work in Firefox
I tried Chromium but it didn't work and still doesn't work in Chromium
Thanks

On Mon, Sep 11, 2017 at 7:31 PM pixel fairy  wrote:

> try installing google chrome. it has a built in flash engine that chromium
> doesnt come with
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/qubes-users/H4YcmUJz1wk/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/62127ea8-7219-4657-b5eb-653ca424f05f%40googlegroups.com
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CANn5qsB5vUO0bxJjP1Na%2B_2UdUXnjsPgxTQw9cuNVqkD2YJ_Bw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: VM:ERROR: insufficient memory

[Mark Eubanks]

On Tuesday, September 5, 2017 at 7:55:44 PM UTC-4, cez...@gmail.com wrote:
> Den tirsdag den 5. september 2017 kl. 23.48.08 UTC skrev Mark Eubanks:
> > On Tuesday, September 5, 2017 at 12:06:28 PM UTC-4, Mark Eubanks wrote:
> > > Can someone explain why I can start the work VM but when I start the 
> > > personal I get the ERROR: insufficient mem .  Even though the memory 
> > > settings are the same 
> > > 
> > > 
> > > thanks
> > 
> > I have 16 gig of ram but if I do a free -m it only shows a total of 1058 
> > used 364 free 26 . I'm not doing anything on any of the VM's its pretty 
> > much a new install and I can't open the personal vm .Anyone have any ideas
> 
> ah, you did this in Dom0 terminal right?
> The reason is because Qubes attempts to automatically balance which AppVM 
> gets more RAM than the other. If you right click on each AppVM in the Qubes 
> Manager (Qubes 3.2), you can see the automatic memory setting under the 
> Advanced tab, near the RAM amount fields. 
> So since each AppVM gets their fair share of the RAM portion, Dom0 will have 
> less memory for itself. This might change dynamically, for example if you run 
> a lot of AppVM's, the amount of RAM Dom0 has may shrink. Wnile not many 
> AppVM's are running, or after a fresh boot, Dom0 should have more memory. 
> If you open the Qubes Manager in Qubes 3.2, you can see the allocated memory 
> to Dom0 and each the VM's. If it isnt visible, then you can make it visible 
> at the top in the "View" menu. 
> 
> Also note that automatic memory dyanamics does not work if a VM has a PCI 
> card passed through. So if you have any with automatic memory dynamics 
> disabled, be careful you don't give it too much of your RAM resources. 16GB 
> is a good amount, but it can still quickly run you if you have the wrong 
> settings, or run unusual memory hungry and intensive programs.

Yes, this was in Dom0 term 

I tried lowering the mem usage per vm and it seem to take care of the problem 
but I rebooted and it was again not allowing any other vm's to start other Dom0 
mem shows 1092 mb sys-net shows 401 mb, sys-firewall 151 mb ( I lowered it) 
sys-whonix, 151 mb ( which I lowered it as well) which comes no where close to 
16 MEG
What's a good number to run the vm's at for mem min and max ? I'm just not sure 
whats taking up all the mem.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fefa52c0-b6f8-463e-bdc0-7f473761eb47%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: VM:ERROR: insufficient memory

[Mark Eubanks]

On Tuesday, September 5, 2017 at 12:06:28 PM UTC-4, Mark Eubanks wrote:
> Can someone explain why I can start the work VM but when I start the personal 
> I get the ERROR: insufficient mem .  Even though the memory settings are the 
> same 
> 
> 
> thanks

I have 16 gig of ram but if I do a free -m it only shows a total of 1058 
used 364 free 26 . I'm not doing anything on any of the VM's its pretty much a 
new install and I can't open the personal vm .Anyone have any ideas

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8b657ef2-72ca-4ff1-aa43-e873596c27cd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: VM:ERROR: insufficient memory

[Mark Eubanks]

On Tuesday, September 5, 2017 at 12:06:28 PM UTC-4, Mark Eubanks wrote:
> Can someone explain why I can start the work VM but when I start the personal 
> I get the ERROR: insufficient mem .  Even though the memory settings are the 
> same 
> 
> 
> thanks

Ok.. you can ignore my newb Qubes questions 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1baa4759-ba27-4570-87d4-87b2cf22e513%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] VM:ERROR: insufficient memory

[Mark Eubanks]

Can someone explain why I can start the work VM but when I start the personal I 
get the ERROR: insufficient mem .  Even though the memory settings are the same 


thanks 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fc84ef91-834f-4475-8753-f6fa8b63fab4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Connecting a usb nic and another laptop

[Mark Eubanks]

Thanks for responding.  I'm sure its a firewall issue of some sorts.  it 
doesn't matter which nic I use, the onboard one or the usb I can ping from 
either to the private network outside the vmNETwork fine pinging the adaptors 
connected to the Dom0 doesn't get a reply.  It should be a routing issue that 
the link you sent might fix but the funny thing is that I have Qubes plugged 
into my modem switch and I can see it in the arp table , which you would think 
I could ping it

thanks for trying 


On Monday, September 4, 2017 at 12:37:03 PM UTC-4, cez...@gmail.com wrote:
> Den mandag den 4. september 2017 kl. 13.11.49 UTC skrev Mark Eubanks:
> > On Monday, September 4, 2017 at 8:15:29 AM UTC-4, Mark Eubanks wrote:
> > > I have created a NETVM and I have connect the usb nic to the vm and is 
> > > working. It shows up in Connection manager and I can give it a static IP 
> > > . So I've also connected a different physical laptop with a cross over 
> > > cable to the usb nic going to the NETVM. Both nics are on the same 
> > > network and I can ping from the NETVM to the physical but I don't get a 
> > > reply from the NETVM. I can see both in both arp tables . Any ideas why 
> > > the physical doesn't get a reply?
> > 
> > I agree it sounds like a firewall but I see that it shows allow imcp 
> > traffic. What I'm trying to do is make Qubes a passthrough firewall.. so I 
> > need 2 nics on the laptop
> 
> Apologies for late reply, had a short leave for work.
> 
> I'm not the most knowledgeable on this topic, especially the Qubes firewalls. 
> However I believe NetVM must have a default firewall too, to block 
> unauthorized requests, otherwise it would be quite simple and too easy to 
> attack the NetVM. 
> So it seems to me that the NetVM has a default firewall, (routor firewall 
> behavior like), blocking unauthorized incoming signals. 
> 
> To solve that (Assuming it is indeed the problem), I believe 
> https://www.qubes-os.org/doc/firewall/ might be quite helpful, down in the 
> port forwarding section. Here it seems you should be able to poke a hole for 
> your connection in the NetVM. 
> 
> You separated all this from your other networks right? As far as I know, it 
> should be secure enough if this has no internet connection, while on a 
> separate Qubes network.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c47fa9d2-fe87-4725-aaba-b27b44a15cc0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Connecting a usb nic and another laptop

[Mark Eubanks]

On Monday, September 4, 2017 at 8:15:29 AM UTC-4, Mark Eubanks wrote:
> I have created a NETVM and I have connect the usb nic to the vm and is 
> working. It shows up in Connection manager and I can give it a static IP . So 
> I've also connected a different physical laptop with a cross over cable to 
> the usb nic going to the NETVM. Both nics are on the same network and I can 
> ping from the NETVM to the physical but I don't get a reply from the NETVM. I 
> can see both in both arp tables . Any ideas why the physical doesn't get a 
> reply?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/38fdcc9e-1d2a-4aad-9820-719852b53558%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Connecting a usb nic and another laptop

[Mark Eubanks]

BUMP -- anyone know why the virtual can ping out but the outside can't ping in? 

On Monday, September 4, 2017 at 8:15:29 AM UTC-4, Mark Eubanks wrote:
> I have created a NETVM and I have connect the usb nic to the vm and is 
> working. It shows up in Connection manager and I can give it a static IP . So 
> I've also connected a different physical laptop with a cross over cable to 
> the usb nic going to the NETVM. Both nics are on the same network and I can 
> ping from the NETVM to the physical but I don't get a reply from the NETVM. I 
> can see both in both arp tables . Any ideas why the physical doesn't get a 
> reply?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c8b98635-d699-41e7-93d9-21a17d59109f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Connecting a usb nic and another laptop

[Mark Eubanks]

On Monday, September 4, 2017 at 8:15:29 AM UTC-4, Mark Eubanks wrote:
> I have created a NETVM and I have connect the usb nic to the vm and is 
> working. It shows up in Connection manager and I can give it a static IP . So 
> I've also connected a different physical laptop with a cross over cable to 
> the usb nic going to the NETVM. Both nics are on the same network and I can 
> ping from the NETVM to the physical but I don't get a reply from the NETVM. I 
> can see both in both arp tables . Any ideas why the physical doesn't get a 
> reply?

I agree it sounds like a firewall but I see that it shows allow imcp traffic. 
What I'm trying to do is make Qubes a passthrough firewall.. so I need 2 nics 
on the laptop  

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a311db6a-c22b-4af1-946e-f8a7c48da834%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Connecting a usb nic and another laptop

[Mark Eubanks]

I have created a NETVM and I have connect the usb nic to the vm and is working. 
It shows up in Connection manager and I can give it a static IP . So I've also 
connected a different physical laptop with a cross over cable to the usb nic 
going to the NETVM. Both nics are on the same network and I can ping from the 
NETVM to the physical but I don't get a reply from the NETVM. I can see both in 
both arp tables . Any ideas why the physical doesn't get a reply?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b989afdb-b158-4d38-bd72-0ac8a2dd4bb9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Installation on NUC6i7KYK

[Mark Elston]

On Monday, April 17, 2017 at 12:53:36 PM UTC-7, babel wrote:
> On Monday, April 17, 2017 at 9:38:26 PM UTC+2, Mark Elston wrote:
> > I tried searching on this platform and qubes and haven't found anyone yet 
> > who has posted anything so here goes.  I tried to install 3.2 on the Intel 
> > Skull Canyon Skylake NUC with Iris Pro Gfx.  Tried UEFI mode and it seems 
> > to install fine but when I reboot it says "No bootable.." on startup.  If I 
> > try to install in Legacy Mode it seems unable to start graphical installer 
> > and goes into a text-only mode.  So finally I took a working install from a 
> > small/regular NUC that has been working fine, and when it boots it seems to 
> > go into text mode as well.  I'm guessing maybe a gfx driver issue, but not 
> > sure if there is an easy way to update/fix.  Any ideas?
> > 
> > Thanks,
> > Mark
> 
> 
> You are following the guide written at the Qubes website here...
> https://www.qubes-os.org/doc/uefi-troubleshooting/
> Which is not very easy to follow..
> 
> Your problem is either the first or the third (I did not really understand 
> which mine was either, so I followed both).  
> 
> 1) reinstall qubes, and at the end of the install, follow # 4, 5, 11, 12, 
> etc. on the first "problem".  
> 
> 2)  On reboot, boot into a live cd of some sort (anything where you can get a 
> terminal, I used Ubuntu because it's easy on the eyes).  You are now trying 
> to fix the third problem on the "troubleshooting" page.  
> When I tried to copy the /boot/efi/EFI..., I got an fstab error.  Because the 
> drive isn't mounted.  I ran..
> ""
> sudo umount /dev/YourQubesDrive
> mkdir /tmp/MyDrive
> sudo mount -o rw /dev/YourQubesDrive /tmp/MyDrive
> """
> where YourQubesDrive is the drive you have just installed qubes on.  I used 
> gparted to make sure that it was the right one, but you can look where you're 
> installing qubes as you're installing it or there is probably some linux 
> command to do so.  
> I got that info from.. 
> https://askubuntu.com/questions/794468/mount-cant-find-dev-sdb1-in-etc-fstab-or-etc-mtab
> 
> Then you can copy the stuff over from within the folder you made.  reboot 
> after.
> cd /tmp/MyDrive

Thanks babel.  Is your NUC a Skull Canyon NUC?  I have it running on regular 
NUC, but seeing different problems on Skull Canyon.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ce0f8cc3-2329-4d3c-9d55-95eb3fa46fa3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Installation on NUC6i7KYK

[Mark Elston]

I tried searching on this platform and qubes and haven't found anyone yet who 
has posted anything so here goes.  I tried to install 3.2 on the Intel Skull 
Canyon Skylake NUC with Iris Pro Gfx.  Tried UEFI mode and it seems to install 
fine but when I reboot it says "No bootable.." on startup.  If I try to install 
in Legacy Mode it seems unable to start graphical installer and goes into a 
text-only mode.  So finally I took a working install from a small/regular NUC 
that has been working fine, and when it boots it seems to go into text mode as 
well.  I'm guessing maybe a gfx driver issue, but not sure if there is an easy 
way to update/fix.  Any ideas?

Thanks,
Mark

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/748fac3f-0ce4-48a6-92fc-4ea0119cab31%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Save session Fedora-23 AppVM

[Mark Wilson]

Is possible to save session on Fedora-23 AppVM? (In a similar way as dom0.)

Regards



-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/trinity-79afcf39-edc0-4ed2-856a-c8bd953c0407-1489161369997%403capp-mailcom-lxa12.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: 3.2 Install: Error unpacking qubes-template-fedora-23

[mark]

On Thursday, December 29, 2016 at 3:04:53 PM UTC+11, ma...@ibiblio.org wrote:
> My freezes for me are pretty random on dozens of different places during the 
> Legacy and UEFI installs, something more than one RPM is broken. I'm blaming 
> my Gigabyte Z97X Gaming mobo, F7 BIOS. I've ordered an ASRock Z97 Extreme6 
> mobo as that is known to work. I think it's the Gigabyte BIOS that isn't so 
> hot.

Update: I tried installing Qubes 3.2 on my newly installed ASRock Extreme6 this 
morning, using a physical DVD ISO. It froze again during the Anaconda process, 
similar to what occurred on the Gigabyte board. The ISO passed md5sum checking 
so it's very odd. I'll check BIOS revs and try again.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1d6078d3-3101-41e1-b2cb-f8b3abfb500b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: 3.2 Install: Error unpacking qubes-template-fedora-23

[mark]

My freezes for me are pretty random on dozens of different places during the 
Legacy and UEFI installs, something more than one RPM is broken. I'm blaming my 
Gigabyte Z97X Gaming mobo, F7 BIOS. I've ordered an ASRock Z97 Extreme6 mobo as 
that is known to work. I think it's the Gigabyte BIOS that isn't so hot.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/756d0f87-0871-4e28-bd40-4e10b85626fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: 3.2 Install: Error unpacking qubes-template-fedora-23

[mark]

> About halfway through the progress bar, the status reads:
> "Installing qubes-template-fedora-23.noarch (800/930)"
> 
> Switching to tty-1 with ctrl-alt-f1 shows the error message:
> "Error unpacking rpm package qubes-fedora-23-3.0.6-201608081228.noarch"

+1, getting the same issue installing the 3.2 ISO. My system is locked up and 
unresponsive so debugging doesn't appear possible.

It's installing using UEFI, will try a legacy boot instead.

I did try to md5sum /dev/ to verify the (checked) ISO on the USB I'd 
just written, it didn't match but I wasn't sure if it was meant to as new 
partitions seemed to be created by the ISO dd.

host:/var/tmp/qubes root# md5sum -c Qubes-R3.2-x86_64.iso.DIGESTS
Qubes-R3.2-x86_64.iso: OK
md5sum: WARNING: 23 lines are improperly formatted

host:/var/tmp/qubes root# lsblk
NAMEMAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda   8:01  14.9G  0 disk 
└─sda18:11  14.9G  0 part 

host:/var/tmp/qubes root# dd if=Qubes-R3.2-x86_64.iso of=/dev/sda
8294400+0 records in
8294400+0 records out
4246732800 bytes (4.2 GB) copied, 1095.08 s, 3.9 MB/s

host:/var/tmp/qubes root# md5sum /dev/sda
3c3669f4f633bf1adb9f9fe9142fb15d  /dev/sda

host:/var/tmp/qubes root# lsblk
NAMEMAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda   8:01  14.9G  0 disk 
├─sda18:11 4G  0 part 
└─sda28:21  30.8M  0 part 

The USB key did have the original SanDisk vendor default "tools" on it, I'll 
try deleting all data first as well.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/41ba9b6c-cee7-4711-97ed-7420b32ce403%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.