Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-09 Thread 7690
On Sunday, April 9, 2017 at 2:55:01 PM UTC-4, cooloutac wrote: > I gotta say the dvm template always gets messed up too. So i also only > consider it untrusted tasks now. but the vault vm is great imo. > > Maybe you should post in user devel the people there are not as noob as me. You type to

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-09 Thread cooloutac
I gotta say the dvm template always gets messed up too. So i also only consider it untrusted tasks now. but the vault vm is great imo. Maybe you should post in user devel the people there are not as noob as me. -- You received this message because you are subscribed to the Google Groups

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-09 Thread Shane Optima
>usability is not a good reason to add or change anything. I suggest you switch to running Lynx on OpenBSD then. I guarantee you're running all kinds of horribly insecure stuff on whatever you're using to read this right now. Usability has always been a top priority in Qubes and that is a

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-08 Thread cooloutac
On Saturday, April 8, 2017 at 6:19:07 PM UTC-4, Shane Optima wrote: > > Don't be scared. > > It's a Shawshank Redemption reference. > > >>An additional key combination to insert information into the Dom0 database > >>from a VM would be a minor convenience that could be put off until the tool

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-08 Thread Shane Optima
> Don't be scared. It's a Shawshank Redemption reference. >>An additional key combination to insert information into the Dom0 database >>from a VM would be a minor convenience that could be put off until the tool >>is overhauled (and probably moved out of Dom0 entirely.) > How many times do

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-08 Thread cooloutac
On Saturday, April 8, 2017 at 4:32:05 PM UTC-4, Shane Optima wrote: > >I wouldn't want a vm inserting anything in dom0. > > You're *still* spreading this nonsense? After what I just said? > > I don't know how much more clearly I lay this out, but let's give it a shot: > Nothing is being

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-08 Thread Shane Optima
>I wouldn't want a vm inserting anything in dom0. You're *still* spreading this nonsense? After what I just said? I don't know how much more clearly I lay this out, but let's give it a shot: Nothing is being 'inserted' into Dom0 and this does not in any way "open up" Dom0. This is a one-way

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-08 Thread cooloutac
On Friday, April 7, 2017 at 6:37:21 PM UTC-4, Shane Optima wrote: > cooloutac > I'd rather not have such a tool sitting there "enabled". lol > > > First off, you've ignored where I said that this should obviously be an > opt-in thing that isn't present, as the mechanism is pretty hacky and the

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-07 Thread Shane Optima
>Here's a super simple (but likely quite effective!) exploit which took me a >about two minutes to write It borders on intellectual dishonesty to put this immediately after my bit about using a browser extension to modify the page title in an unpredictable manner. Your pseudocode doesn't work

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-04-07 Thread Shane Optima
cooloutac > I'd rather not have such a tool sitting there "enabled". lol First off, you've ignored where I said that this should obviously be an opt-in thing that isn't present, as the mechanism is pretty hacky and the tool shouldn't be used by the careless. But second, it transcends mere

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Jean-Philippe Ouellet
On Thu, Mar 30, 2017 at 6:21 PM, Shane Optima wrote: > Maybe if you (or someone) could write a Firefox extension to modify all > browser page titles to be a concatenation of the page title and a short token > of characters generated from a salted hash of the URL (so that

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Shane Optima
On Thursday, March 30, 2017 at 5:27:12 PM UTC-4, Chris Laprise wrote: > I get the feeling when you talk about people contributing, you mean > /other/ people. That's fine, but in my estimation what you're proposing > would take under 30 lines of bash code. I think I've already covered this exact

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Chris Laprise
I get the feeling when you talk about people contributing, you mean /other/ people. That's fine, but in my estimation what you're proposing would take under 30 lines of bash code. You should write it yourself as a way to learn about Linux and Qubes. -- Chris Laprise, tas...@openmailbox.org

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Shane Optima
>Yeah, it could be dangerous, but still might be worth writing for oneself if >the threat model seems appropriate. I wouldn't suggest this as a Qubes feature. As an out of the box official Qubes feature, no, but it seems like an excellent stopgap and stepping stone given the ease of

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Chris Laprise
On 03/30/2017 10:34 AM, Jean-Philippe Ouellet wrote: On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote: xdotool also lets you inject keystrokes into windows. With a shortcut-key assignment this can be easily scripted by the user (you said this was for power users).

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Jean-Philippe Ouellet
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote: > xdotool also lets you inject keystrokes into windows. > > With a shortcut-key assignment this can be easily scripted by the user (you > said this was for power users). Automatically injecting the keystrokes removes

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Jean-Philippe Ouellet
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote: > You don't even need to rely on the window title for the security aspect: The > _QUBES_VMNAME window property will tell you. For example: > > $ CUR_WINDOW=`xdotool getwindowfocus` > $ VMNAME=`xprop _QUBES_VMNAME -id

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread cooloutac
On Monday, March 27, 2017 at 1:16:10 AM UTC-4, Shane Optima wrote: > >which may or may not be *detected* by a sharply observant user, but could > >still not be *prevented* by one > > Um, that is incorrect. I'm not sure you understand at all what I'm talking > about here so let's go over it

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-29 Thread cooloutac
Didn't bother reading the anarchical walls of text haha. but Ya I agree with Jean that sounds like you would be exposing dom0 to stuff for really no reason... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-26 Thread Shane Optima
>which may or may not be *detected* by a sharply observant user, but could >still not be *prevented* by one Um, that is incorrect. I'm not sure you understand at all what I'm talking about here so let's go over it step by step: A. User visits a site associated with a pre-stored password and

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Jean-Philippe Ouellet
- If we consider a compromised VM with: - passwords saved in the browser: an attacker can obtain all passwords - your proposed password manager: an attacker can still obtain all passwords, just needs to wait for them to be used - If we consider a non-compromised VM with: - passwords saved

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Shane Optima
> This is actually worse than not using a password manager at all, > because the window you are about to enter the password into has full > control over its title, and so this opens a race condition where the > site could change its title right before dom0 checks it (perhaps > triggered by "I am

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Jean-Philippe Ouellet
On Fri, Mar 24, 2017 at 2:55 AM, Shane Optima wrote: > However, I justed noticed that R3.2 introduced a Dom0-to-hyperboard[1] copy > function, and since Dom0 knows the window title text... couldn't there be > another hypervisor keyboard shortcut that would use the window

[qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Shane Optima
I know this isn't an ideal solution, but I suspect it would be pretty darn easy to implement: Obviously, the holy grail of password management should involve not storing passwords (encrypted or otherwise) on any online VM until they instant they are needed. I've been implementing this via