Re: [EXT] Re: [qubes-users] Has anyone had a qube compromised?
On 9/6/20 5:32 PM, unman wrote:
> On Sun, Sep 06, 2020 at 11:12:31AM -0400, Demi M. Obenour wrote:
>> In all of my time using QubesOS, I have never had reason to believe
>> that a qube was compromised. Has anyone here had a qube compromised?

Hi!

Not quite what you are asking for, but I had this case more than once in
Tor Browser: clicking on a link "Open in new Tab", the newly loaded page
managed to close the _original_ tab (where I had clicked). I think this is
absolutely hostile behavior, and I was glad that it was all in a
disposable VM...

Regards,
Ulrich

>> Sincerely,
>>
>> Demi
>
> I have had occasion to set a honeypot and use Qubes as a classic
> Internet-inna-box - ideal for such use, and very instructive. But I
> guess that wasn't what you were interested in.
> In normal use, both myself and colleagues have seen compromised qubes.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e132b614-5b33-bce4-4f26-3b3b926733ee%40rz.uni-regensburg.de.
Re: [qubes-users] Has anyone had a qube compromised?
unman:
> On Fri, Sep 11, 2020 at 11:03:15AM +, taran1s wrote:
>> unman:
>>
>> This is interesting. Can you be more specific in regard to the settings you
>> use? How do you set the tripwire to run against network-connected
>> qubes? You also mentioned using mutt in an offline qube. Can you
>> elaborate more on this too, please? Is mutt PGP friendly and a
>> safer option than Thunderbird?
>>
>
> This warrants a much more detailed answer than I have time for now.
>
> Tripwire - install in templates, store db in offline vault - I'm looking
> for changes in /rw, as well as "normal" directory structures.
>
> Mutt - varies according to provider. I set this up when I was first
> playing with Qubes.
> I use 3 qubes: one disposableVM to pick up mail - either offline imap or
> rsync mail dirs. That qube is minimal, connects over Tor, and is restricted
> to the mail provider.
> If the sync is in Mbox format, you can use mb2md to convert to Maildir
> format.
> The mail dirs are synced in to my mutt qube, which is offline. I use
> qrexec for this.
>
> Mutt is a great MUA, and has good integration with PGP. I use split-gpg,
> of course. I use notmuch integrated with mutt to keep on top of email.
>
> For sending mails I use msmtp. Actually I queue outgoing in the Mutt
> qube, and rsync the queues (over qrexec) in to a sender disposableVM,
> which has outgoing traffic restricted to the SMTP host. Over Tor of course.
>
> So the fetch and send are done using disposableVMs, and the message
> queues synced in and out of the offline mutt queue over qrexec. The
> disposableVMs use minimal templates, have restricted network access,
> and use different network routes.
> The mutt qube is also based on a minimal template, and has a mailcap
> that effectively loads almost all attachments in offline disposableVMs.
> I have keyboard shortcuts to trigger the receive and send sides - I
> suppose you could do this with cron jobs, but I prefer not to use
> automatic processes.
>
> That probably raises a few more questions. If it does, ask and I'll try to
> provide some specifics.
>

Dear Unman, thank you for your explanation. It is a very interesting topic
and it could, if transformed into a guide, be a huge added value for the
"Qubes hardening" section, or even an Active Defense approach, in the Qubes
documentation. I understand that every advanced user, like you, has his/her
own custom secure setup of Qubes and there is no Ring that rules them all.
But for the users that would like to move forward to a more active defense
approach, already present in the Qubes documentation, this would really be
very enlightening. As if one opens the door to a new area and moves forward
again.

Do you think it could be possible for you to share the guide with us so
that we can move forward? There is so much to learn, and even if I didn't
manage to get the VPN over Tor running yet, your setup seems very
interesting to try.
Re: [qubes-users] Has anyone had a qube compromised?
On Fri, Sep 11, 2020 at 11:03:15AM +, taran1s wrote:
> unman:
>
> This is interesting. Can you be more specific in regard to the settings you
> use? How do you set the tripwire to run against network-connected
> qubes? You also mentioned using mutt in an offline qube. Can you
> elaborate more on this too, please? Is mutt PGP friendly and a
> safer option than Thunderbird?
>

This warrants a much more detailed answer than I have time for now.

Tripwire - install in templates, store db in offline vault - I'm looking
for changes in /rw, as well as "normal" directory structures.

Mutt - varies according to provider. I set this up when I was first
playing with Qubes.
I use 3 qubes: one disposableVM to pick up mail - either offline imap or
rsync mail dirs. That qube is minimal, connects over Tor, and is restricted
to the mail provider.
If the sync is in Mbox format, you can use mb2md to convert to Maildir
format.
The mail dirs are synced in to my mutt qube, which is offline. I use
qrexec for this.

Mutt is a great MUA, and has good integration with PGP. I use split-gpg,
of course. I use notmuch integrated with mutt to keep on top of email.

For sending mails I use msmtp. Actually I queue outgoing in the Mutt
qube, and rsync the queues (over qrexec) in to a sender disposableVM,
which has outgoing traffic restricted to the SMTP host. Over Tor of course.

So the fetch and send are done using disposableVMs, and the message
queues synced in and out of the offline mutt queue over qrexec. The
disposableVMs use minimal templates, have restricted network access,
and use different network routes.
The mutt qube is also based on a minimal template, and has a mailcap
that effectively loads almost all attachments in offline disposableVMs.
I have keyboard shortcuts to trigger the receive and send sides - I
suppose you could do this with cron jobs, but I prefer not to use
automatic processes.

That probably raises a few more questions. If it does, ask and I'll try to
provide some specifics.
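A minimal, runnable sketch of the tripwire-style check unman describes above (a baseline manifest of a qube's /rw kept in an offline vault and later compared against the live tree), added here as an example. It is not unman's setup, not tripwire, and not Qubes tooling; the function names, the manifest format and the temp-dir usage are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not tripwire itself): a minimal
# tripwire-style integrity check for a qube's persistent /rw tree.
# Intended use, following the setup described above:
#   1. in a freshly created qube:   rw_manifest /rw > rw.baseline
#   2. move rw.baseline to an offline vault qube (e.g. with qvm-copy)
#   3. later, bring the baseline back and run: rw_check /rw rw.baseline
# Function names and the manifest format are this example's own choices.
# Limitation: paths containing whitespace are not handled.

# rw_manifest DIR
# One line per regular file: "<sha256>  <path relative to DIR>", sorted by
# path so that two manifests of the same tree compare line for line.
rw_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k 2
}

# rw_check DIR BASELINE
# Compare the live tree under DIR with a stored manifest. Prints one line
# per difference ("changed PATH", "added PATH", "removed PATH"), sorted by
# path. Returns 0 if the tree matches the baseline exactly, 1 otherwise.
rw_check() {
    report=$(rw_manifest "$1" | awk -v base="$2" '
        BEGIN {
            # load the baseline: want[path] = expected hash
            while ((getline line < base) > 0) {
                split(line, f, " ")
                want[f[2]] = f[1]
            }
        }
        {
            if (!($2 in want))        print "added " $2
            else if (want[$2] != $1)  print "changed " $2
            delete want[$2]
        }
        END { for (p in want) print "removed " p }
    ' | sort -k 2)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Because the baseline lives in a vault with no network, a compromised qube cannot quietly rewrite the record it is compared against, which is the point of storing the db offline.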
Re: [qubes-users] Has anyone had a qube compromised?
unman:
> On Tue, Sep 08, 2020 at 09:13:47PM +0200, Qubes wrote:
>> On 9/7/20 2:12 AM, unman wrote:
>>> On Sun, Sep 06, 2020 at 06:55:01PM +0200, Qubes wrote:
>>>> On 9/6/20 5:32 PM, unman wrote:
>>>>> On Sun, Sep 06, 2020 at 11:12:31AM -0400, Demi M. Obenour wrote:
>>>>>> In all of my time using QubesOS, I have never had reason to believe
>>>>>> that a qube was compromised. Has anyone here had a qube compromised?
>>>>>>
>>>>>> Sincerely,
>>>>>>
>>>>>> Demi
>>>>>>
>>>>>
>>>>> I have had occasion to set a honeypot and use Qubes as a classic
>>>>> Internet-inna-box - ideal for such use, and very instructive. But I
>>>>> guess that wasn't what you were interested in.
>>>>> In normal use, both myself and colleagues have seen compromised qubes.
>>>>>
>>>> Hi Unman
>>>>
>>>> How did you know your qube was compromised? Can you give some details?
>>>>
>>> snort and tripwire.
>>>
>>> Other IDS are available.
>>>
>> Hi Unman
>>
>> What I mean is what made you suspicious to use a tripwire and snort?
>
> I run them on most of my Qubes installs, almost out of habit.
> Because I salt my qubes, it's relatively easy to run tripwire against
> network-connected qubes.
> But the way in which Qubes allows one to separate out activities really
> does minimise risk. Example: read email in mutt in an offline qube with
> a minimal template - any attachments are opened in an offline disposableVM.
> Anything I want to keep is transferred to an offline storage qube,
> again with no significant programs installed. In this sense, it doesn't
> matter if attachments have malware because the infection risk is
> minimised.
>

This is interesting. Can you be more specific in regard to the settings you
use? How do you set the tripwire to run against network-connected qubes?
You also mentioned using mutt in an offline qube. Can you elaborate more on
this too, please? Is mutt PGP friendly and a safer option than Thunderbird?
Re: [qubes-users] Has anyone had a qube compromised?
On Tue, Sep 08, 2020 at 09:13:47PM +0200, Qubes wrote:
> On 9/7/20 2:12 AM, unman wrote:
> > On Sun, Sep 06, 2020 at 06:55:01PM +0200, Qubes wrote:
> > > On 9/6/20 5:32 PM, unman wrote:
> > > > On Sun, Sep 06, 2020 at 11:12:31AM -0400, Demi M. Obenour wrote:
> > > > > In all of my time using QubesOS, I have never had reason to believe
> > > > > that a qube was compromised. Has anyone here had a qube compromised?
> > > > >
> > > > > Sincerely,
> > > > >
> > > > > Demi
> > > > >
> > > >
> > > > I have had occasion to set a honeypot and use Qubes as a classic
> > > > Internet-inna-box - ideal for such use, and very instructive. But I
> > > > guess that wasn't what you were interested in.
> > > > In normal use, both myself and colleagues have seen compromised qubes.
> > > >
> > > Hi Unman
> > >
> > > How did you know your qube was compromised? Can you give some details?
> > >
> >
> > snort and tripwire.
> >
> > Other IDS are available.
> >
> Hi Unman
>
> What I mean is what made you suspicious to use a tripwire and snort?

I run them on most of my Qubes installs, almost out of habit.
Because I salt my qubes, it's relatively easy to run tripwire against
network-connected qubes.
But the way in which Qubes allows one to separate out activities really
does minimise risk. Example: read email in mutt in an offline qube with
a minimal template - any attachments are opened in an offline disposableVM.
Anything I want to keep is transferred to an offline storage qube,
again with no significant programs installed. In this sense, it doesn't
matter if attachments have malware because the infection risk is
minimised.
Re: [qubes-users] Has anyone had a qube compromised?
On Sun, Sep 06, 2020 at 06:55:01PM +0200, Qubes wrote:
> On 9/6/20 5:32 PM, unman wrote:
> > On Sun, Sep 06, 2020 at 11:12:31AM -0400, Demi M. Obenour wrote:
> > > In all of my time using QubesOS, I have never had reason to believe
> > > that a qube was compromised. Has anyone here had a qube compromised?
> > >
> > > Sincerely,
> > >
> > > Demi
> > >
> >
> > I have had occasion to set a honeypot and use Qubes as a classic
> > Internet-inna-box - ideal for such use, and very instructive. But I
> > guess that wasn't what you were interested in.
> > In normal use, both myself and colleagues have seen compromised qubes.
> >
> Hi Unman
>
> How did you know your qube was compromised? Can you give some details?
>

snort and tripwire.

Other IDS are available.
Re: [qubes-users] Has anyone had a qube compromised?
On 9/6/20 5:32 PM, unman wrote:
> On Sun, Sep 06, 2020 at 11:12:31AM -0400, Demi M. Obenour wrote:
>> In all of my time using QubesOS, I have never had reason to believe
>> that a qube was compromised. Has anyone here had a qube compromised?
>>
>> Sincerely,
>>
>> Demi
>
> I have had occasion to set a honeypot and use Qubes as a classic
> Internet-inna-box - ideal for such use, and very instructive. But I
> guess that wasn't what you were interested in.
> In normal use, both myself and colleagues have seen compromised qubes.

Hi Unman

How did you know your qube was compromised? Can you give some details?
Re: [qubes-users] Has anyone had a qube compromised?
On Sun, Sep 06, 2020 at 11:12:31AM -0400, Demi M. Obenour wrote:
> In all of my time using QubesOS, I have never had reason to believe
> that a qube was compromised. Has anyone here had a qube compromised?
>
> Sincerely,
>
> Demi
>

I have had occasion to set a honeypot and use Qubes as a classic
Internet-inna-box - ideal for such use, and very instructive. But I
guess that wasn't what you were interested in.
In normal use, both myself and colleagues have seen compromised qubes.
[qubes-users] Has anyone had a qube compromised?
In all of my time using QubesOS, I have never had reason to believe
that a qube was compromised. Has anyone here had a qube compromised?

Sincerely,

Demi