Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-28 Thread raahelps
On Tuesday, September 27, 2016 at 9:14:51 PM UTC-4, Jeremy Rand wrote:
> raahe...@gmail.com:
> > On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
> >> raahe...@gmail.com:
> >>> or just only allow https in the vm firewall settings.
> >>
> >> I assume you mean whitelisting TCP

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-27 Thread Jeremy Rand
raahe...@gmail.com:
> On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
>> raahe...@gmail.com:
>>> or just only allow https in the vm firewall settings.
>>
>> I assume you mean whitelisting TCP port 443? If so, be aware that while
>> this will stop most non-HTTPS traffic,

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-27 Thread raahelps
On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
> raahe...@gmail.com:
> > or just only allow https in the vm firewall settings.
>
> I assume you mean whitelisting TCP port 443? If so, be aware that while
> this will stop most non-HTTPS traffic, there is nothing that

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-27 Thread raahelps
On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
> raahe...@gmail.com:
> > or just only allow https in the vm firewall settings.
>
> I assume you mean whitelisting TCP port 443? If so, be aware that while
> this will stop most non-HTTPS traffic, there is nothing that

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-27 Thread Jeremy Rand
raahe...@gmail.com:
> or just only allow https in the vm firewall settings.
I assume you mean whitelisting TCP port 443? If so, be aware that while this will stop most non-HTTPS traffic, there is nothing that prevents other protocols from using port 443. It's a fairly well-known attack on Tor's

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-27 Thread johnyjukya
>> Especially if you did the sharing via a separate vpn or ssh tunnel. But
>> in general, I don't think Qubes security should be considered much if
>> any benefit to adjacent non-Qubes systems.
>>
>> Chris
>>
>> > The benefits far outweigh the risks, as long as you don't do most of
>> your
>> >

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-27 Thread raahelps
On Sunday, September 25, 2016 at 7:32:34 AM UTC-4, Chris Laprise wrote:
> On 09/25/2016 07:08 AM, johnyju...@sigaint.org wrote:
> >> Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet.
> >>
> >> The Qubes machine is sharing its Internet connection.
> >>
> >> Let's say the Qubes

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread Chris Laprise
On 09/25/2016 08:12 AM, johnyju...@sigaint.org wrote: Chris wrote: Especially if you did the sharing via a separate vpn or ssh tunnel. But in general, I don't think Qubes security should be considered much if any benefit to adjacent non-Qubes systems. I'm curious as to why you would say this.

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread johnyjukya
Chris wrote:
> Especially if you did the sharing via a separate vpn or ssh tunnel. But
> in general, I don't think Qubes security should be considered much if
> any benefit to adjacent non-Qubes systems.
This is one of my favorite implicit features of Qubes: Setting up multiple layers of network

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread johnyjukya
Chris wrote:
> Especially if you did the sharing via a separate vpn or ssh tunnel. But
> in general, I don't think Qubes security should be considered much if
> any benefit to adjacent non-Qubes systems.
I'm curious as to why you would say this. Any additional firewall between a Laptop and the

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread Chris Laprise
On 09/25/2016 07:08 AM, johnyju...@sigaint.org wrote: Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet. The Qubes machine is sharing its Internet connection. Let's say the Qubes machine gets hit with a DMA attack. The 2nd laptop is not a Qubes machine, and therefore

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread johnyjukya
> If the Qubes machine is hit by a DMA attack, it is compromised and could
> thus tamper with the forwarded Internet connection however the attacker
> desires. (As well as scraping any credentials you might use in common on
> the Qubes box, and carrying out aggressive attacks on anything on your

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread johnyjukya
> Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet.
>
> The Qubes machine is sharing its Internet connection.
>
> Let's say the Qubes machine gets hit with a DMA attack.
>
> The 2nd laptop is not a Qubes machine, and therefore doesn't have VT-D for
> DMA protection.
>
> Can

Re: [qubes-users] "Carrying forward" a DMA attack..?

2016-09-25 Thread Chris Laprise
On 09/25/2016 02:34 AM, neilhard...@gmail.com wrote: Let's say I have a Qubes machine connected to a 2nd laptop by Ethernet. The Qubes machine is sharing its Internet connection. Let's say the Qubes machine gets hit with a DMA attack. The 2nd laptop is not a Qubes machine, and therefore