On Sunday, April 9, 2017 at 2:55:01 PM UTC-4, cooloutac wrote:
> I gotta say the dvm template always gets messed up too. So i also only
> consider it untrusted tasks now. but the vault vm is great imo.
>
> Maybe you should post in user devel the people there are not as noob as me.
You type to
I gotta say the dvm template always gets messed up too. So i also only
consider it untrusted tasks now. but the vault vm is great imo.
Maybe you should post in user devel the people there are not as noob as me.
--
You received this message because you are subscribed to the Google Groups
>usability is not a good reason to add or change anything.
I suggest you switch to running Lynx on OpenBSD then. I guarantee you're
running all kinds of horribly insecure stuff on whatever you're using to read
this right now.
Usability has always been a top priority in Qubes and that is a
On Saturday, April 8, 2017 at 6:19:07 PM UTC-4, Shane Optima wrote:
> > Don't be scared.
>
> It's a Shawshank Redemption reference.
>
> >>An additional key combination to insert information into the Dom0 database
> >>from a VM would be a minor convenience that could be put off until the tool
> Don't be scared.
It's a Shawshank Redemption reference.
>>An additional key combination to insert information into the Dom0 database
>>from a VM would be a minor convenience that could be put off until the tool
>>is overhauled (and probably moved out of Dom0 entirely.)
> How many times do
On Saturday, April 8, 2017 at 4:32:05 PM UTC-4, Shane Optima wrote:
> >I wouldn't want a vm inserting anything in dom0.
>
> You're *still* spreading this nonsense? After what I just said?
>
> I don't know how much more clearly I lay this out, but let's give it a shot:
> Nothing is being
>I wouldn't want a vm inserting anything in dom0.
You're *still* spreading this nonsense? After what I just said?
I don't know how much more clearly I lay this out, but let's give it a shot:
Nothing is being 'inserted' into Dom0 and this does not in any way "open up"
Dom0. This is a one-way
On Friday, April 7, 2017 at 6:37:21 PM UTC-4, Shane Optima wrote:
> cooloutac > I'd rather not have such a tool sitting there "enabled". lol
>
>
> First off, you've ignored where I said that this should obviously be an
> opt-in thing that isn't present, as the mechanism is pretty hacky and the
>Here's a super simple (but likely quite effective!) exploit which took me a
>about two minutes to write
It borders on intellectual dishonesty to put this immediately after my bit
about using a browser extension to modify the page title in an unpredictable
manner. Your pseudocode doesn't work
cooloutac > I'd rather not have such a tool sitting there "enabled". lol
First off, you've ignored where I said that this should obviously be an opt-in
thing that isn't present, as the mechanism is pretty hacky and the tool
shouldn't be used by the careless.
But second, it transcends mere
On Thu, Mar 30, 2017 at 6:21 PM, Shane Optima wrote:
> Maybe if you (or someone) could write a Firefox extension to modify all
> browser page titles to be a concatenation of the page title and a short token
> of characters generated from a salted hash of the URL (so that
On Thursday, March 30, 2017 at 5:27:12 PM UTC-4, Chris Laprise wrote:
> I get the feeling when you talk about people contributing, you mean
> /other/ people. That's fine, but in my estimation what you're proposing
> would take under 30 lines of bash code.
I think I've already covered this exact
I get the feeling when you talk about people contributing, you mean
/other/ people. That's fine, but in my estimation what you're proposing
would take under 30 lines of bash code.
You should write it yourself as a way to learn about Linux and Qubes.
--
Chris Laprise, tas...@openmailbox.org
>Yeah, it could be dangerous, but still might be worth writing for oneself if
>the threat model seems appropriate. I wouldn't suggest this as a Qubes feature.
As an out of the box official Qubes feature, no, but it seems like an excellent
stopgap and stepping stone given the ease of
On 03/30/2017 10:34 AM, Jean-Philippe Ouellet wrote:
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote:
xdotool also lets you inject keystrokes into windows.
With a shortcut-key assignment this can be easily scripted by the user (you
said this was for power users).
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote:
> xdotool also lets you inject keystrokes into windows.
>
> With a shortcut-key assignment this can be easily scripted by the user (you
> said this was for power users).
Automatically injecting the keystrokes removes
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote:
> You don't even need to rely on the window title for the security aspect: The
> _QUBES_VMNAME window property will tell you. For example:
>
> $ CUR_WINDOW=`xdotool getwindowfocus`
> $ VMNAME=`xprop _QUBES_VMNAME -id
On Monday, March 27, 2017 at 1:16:10 AM UTC-4, Shane Optima wrote:
> >which may or may not be *detected* by a sharply observant user, but could
> >still not be *prevented* by one
>
> Um, that is incorrect. I'm not sure you understand at all what I'm talking
> about here so let's go over it
Didn't bother reading the anarchical walls of text haha. but Ya I agree with
Jean that sounds like you would be exposing dom0 to stuff for really no
reason...
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and
>which may or may not be *detected* by a sharply observant user, but could
>still not be *prevented* by one
Um, that is incorrect. I'm not sure you understand at all what I'm talking
about here so let's go over it step by step:
A. User visits a site associated with a pre-stored password and
- If we consider a compromised VM with:
- passwords saved in the browser: an attacker can obtain all passwords
- your proposed password manager: an attacker can still obtain all
passwords, just needs to wait for them to be used
- If we consider a non-compromised VM with:
- passwords saved
> This is actually worse than not using a password manager at all,
> because the window you are about to enter the password into has full
> control over its title, and so this opens a race condition where the
> site could change its title right before dom0 checks it (perhaps
> triggered by "I am
On Fri, Mar 24, 2017 at 2:55 AM, Shane Optima wrote:
> However, I justed noticed that R3.2 introduced a Dom0-to-hyperboard[1] copy
> function, and since Dom0 knows the window title text... couldn't there be
> another hypervisor keyboard shortcut that would use the window
I know this isn't an ideal solution, but I suspect it would be pretty darn easy
to implement:
Obviously, the holy grail of password management should involve not storing
passwords (encrypted or otherwise) on any online VM until they instant they are
needed. I've been implementing this via
24 matches
Mail list logo