Re: [qubes-users] Updates, security

2017-01-18 Thread Andrew David Wong

On 2017-01-18 18:00, haxy wrote:
> On 2017-01-16 13:22, haxy wrote:
>> On 2017-01-14 20:04, haxy wrote:
>>> Qubes onion repos have just been implemented. Minimal
>>> documentation available here:
>>>
>>> https://www.qubes-os.org/doc/hidden-service-repos/
>>
>> First of all, thanks for making the onion repos available!
>>
>> Following directions to onionize repositories I made a
>> mistake inputting the onion address.  Re-running the
>> commands, dom0 example, "sudo sed -i
>> 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/'
>> /etc/yum.repos.d/qubes-dom0.repo && cat
>> /etc/yum.repos.d/qubes-dom0.repo" has no effect.  Cat still
>> shows the input made with the incorrect onion repo.  Tried
>> using "sudo sed -i
>> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/'
>> /etc/yum.repos.d/qubes-dom0.repo && cat
>> /etc/yum.repos.d/qubes-dom0.repo" with the same results.
>>
>> (Noticed the command from the whonix wiki differs slightly
>> from the qubes wiki command. "qubes-yum" vice "yum" before
>> the onion address.)
>>
>> Was able to get the debian and fedora repos functioning by
>> manually inputting the correct onion address in their
>> respective files but am unable to do that in Dom0. How can I
>> correct this issue in Dom0?
>
> You can do it the same way in dom0: by manually editing the file.
> 
> For example:
> 
> $ sudo vim /etc/yum.repos.d/qubes-dom0.repo
> (Edit the file, save, and close.)
>
> Thanks Andrew.  Using vim worked. :)
> 
> Do you know why re-running the command, "sudo sed -i 
> 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' 
> /etc/yum.repos.d/qubes-dom0.repo && cat 
> /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the 
> first incorrect address entry?  Curious if it's reproducible or 
> something on my end only?
> 

It's possible that 'yum.qubes-os.org' was no longer present in the
text and therefore couldn't be found in order to be replaced.

> Also, a couple of other questions.
> 
> 1. Seems there are 2 distinct onion addresses that can be used for 
> the qubes repos, "qubesos4z6n4.onion" or "whonix 
> kk63ava6.onion". Is there any reason to prefer one over
> the other?
> 

No, both point to the same server.

> 2. Which onion address should be used for Qubes website access?
> "http://qubesos4z6n4.onion/" or
> "http://qubesosmamapaxpa.onion/"? Looks like the
> "qubesosmamapaxpa" site is not up to date.
> 

http://qubesos4z6n4.onion/ should be used. We don't have any
control over http://qubesosmamapaxpa.onion/ (it appears to be updated
only infrequently).

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/41262301-b580-a5b6-77de-aa68ee6e908f%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.
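
The sed behaviour discussed in the message above, as an added example that is not part of the original thread: a literal substitution is a no-op once the original hostname is gone, while a host-agnostic rewrite of `baseurl` lines can be re-run to correct a mistyped address. The repo file contents, the mistyped host and the function names are constructed for illustration, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example. The repo file contents and the mistyped host below are
# constructed; the real file is /etc/yum.repos.d/qubes-dom0.repo.
# Assumes GNU sed (-i, -E).

make_sample() {  # $1 = path to write
    cat > "$1" <<'EOF'
[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
baseurl = http://yum.qubes-os.org/r$releasever/current/dom0/fc23
enabled = 1

[qubes-dom0-current-testing]
name = Qubes Dom0 Repository (updates-testing)
baseurl = http://yum.qubes-os.org/r$releasever/current-testing/dom0/fc23
enabled = 0
EOF
}

# The substitution from the thread (dots escaped): it only matches while
# the original hostname is still present in the file.
literal_swap() {  # $1 = file, $2 = new host
    sed -i "s/yum\.qubes-os\.org/$2/" "$1"
}

# Replace whatever host follows the scheme on baseurl lines, so a
# mistyped first attempt can be corrected by running it again.
set_repo_host() {  # $1 = file, $2 = new host
    sed -i -E "/^[[:space:]]*baseurl[[:space:]]*=/ s#(https?://)[^/]+#\1$2#" "$1"
}

# Count baseurl lines that point at exactly the given host.
count_host() {  # $1 = file, $2 = host
    grep -E '^[[:space:]]*baseurl[[:space:]]*=' "$1" | grep -c -F "://$2/" || true
}

demo() {
    f=$(mktemp)
    make_sample "$f"
    literal_swap "$f" "yum.qubesos4z6n4.onoin"  # constructed typo
    literal_swap "$f" "yum.qubesos4z6n4.onion"  # re-run: nothing to match
    after_literal=$(count_host "$f" "yum.qubesos4z6n4.onion")
    set_repo_host "$f" "yum.qubesos4z6n4.onion"
    after_fix=$(count_host "$f" "yum.qubesos4z6n4.onion")
    rm -f "$f"
    echo "$after_literal $after_fix"
}

demo
```

Comparing `count_host` for the intended host against the number of `baseurl` lines confirms that no repository entry is still pointing at an unintended address after the edit.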


Re: [qubes-users] Updates, security

2017-01-14 Thread haxy
> On Sat, Jan 14, 2017 at 12:08:25AM -, haxy wrote:
>> Going back to the first post.
>>
>> "Qubes repository will allow changing the
>> "http" to "https" in the qubes entry /etc/apt/sources.list.d/."
>>
>> How would one implement that on a qubes-fedora template?
>>
>> Looking at Installing and updating software in VMs
>> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"
>>
>> It looks like https mirrors are used for fedora and that other entries
>> in
>> yum.repos.d including qubes-*.repo could be changed from http to https.
>>
>> Would that work?
>> Although onion service would be preferred, might be a bit better than
>> clearnet after exit node.
>>
>>
> Yes, that will work as you think. The benefits are marginal.
>
>
>
Thanks Unman.
A marginal benefit is still a benefit. Especially if easily done.
Would be nice if the devs could make that change in an upcoming update, at
least until onion service repos are implemented.



[qubes-users] Updates, security

2017-01-13 Thread haxy
Going back to the first post.

"Qubes repository will allow changing the
"http" to "https" in the qubes entry /etc/apt/sources.list.d/."

How would one implement that on a qubes-fedora template?

Looking at Installing and updating software in VMs
"http://qubesosmamapaxpa.onion/doc/software-update-vm/"

It looks like https mirrors are used for fedora and that other entries in
yum.repos.d including qubes-*.repo could be changed from http to https.

Would that work?
Although onion service would be preferred, might be a bit better than
clearnet after exit node.









Re: [qubes-users] Updates, security

2016-12-17 Thread Andrew David Wong

On 12/17/16 17:50, Unman wrote:
> On Sat, Dec 17, 2016 at 06:18:41PM -, johnyju...@sigaint.org wrote:
>> While updates are signed, so even if they come over the wire in cleartext,
>> the fact that they often are sent in the clear (even from debian.net)
>> allows a snooper to know what packages you're scanning for metadata or
>> installing.  It reveals a lot about the state of your system.
>>
>> Updating over Tor or a VPN helps a bit.  Updating to debian's hidden
>> service is even more ideal, no https in between with
>> state-actor/CA-forgeable certificates possible, etc..
>>
>> However, Qubes updates aren't available via Tor.
>>
>> I do notice, however, that the qubes repository will allow changing the
>> "http" to "https" in the qubes entry /etc/apt/sources.list.d/.  (You'd
>> have to install "apt-transport-https" too.)
>>
>> Do the Qubes folks have a problem with this?  It'd put extra load on the
>> servers, so I thought I'd ask.
>>
>> I might suggest it would make a good default, if the load wouldn't be
>> unacceptable.
>>
>> Cheers,
>>
>> -d
>>
> This has been under discussion in qubes-issues for some time.
> apt-transport-https is installed by default, so you can change that if
> you want.
> 
> There was a proposal to make debian updates use https by default. It
> wasn't accepted. Debian security updates aren't available by https so
> that part will always come plain.
> You can change the rest to use https.
> The benefits of doing this are almost entirely illusory. It's pretty
> trivial to identify packages being transferred under https, so a
> competent snooper wouldn't be hampered.
> 
> I assume you mean that Qubes updates aren't available as an onion
> service.

Indeed, it is already possible to download all updates (dom0 + templates)
over Tor, but there are no onion services yet for most parts. Nonetheless,
the main benefits of downloading updates over Tor still hold:

1. Network attackers can't target you with malicious updates or
   selectively block you from receiving certain updates. Instead, they're
   forced to either block everyone or serve everyone with the same malicious
   update in the hope that you're among those affected. This makes it much
   more likely that someone will spot the attack.

2. Downloading all updates through Tor preserves your privacy, since it
   prevents your ISP and package repositories from tracking which packages
   you install.

> I offered to set this up some time back but it wasn't thought a
> priority.

Since one of the core tenets of Qubes is that we distrust the
infrastructure (i.e., we focus on securing the endpoints before securing
the middle), it makes sense that this would be a lower priority.
Nonetheless, I think it would be fantastic to have this.

> There used to be such a service but it's long out of date
> now.

We had an onion service (back then a "hidden service") mirror of the
website, but I don't think we ever had an onion service package repo
(at least, not that I'm aware of).

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Updates, security

2016-12-17 Thread Unman
On Sat, Dec 17, 2016 at 06:18:41PM -, johnyju...@sigaint.org wrote:
> While updates are signed, so even if they come over the wire in cleartext,
> the fact that they often are sent in the clear (even from debian.net)
> allows a snooper to know what packages you're scanning for metadata or
> installing.  It reveals a lot about the state of your system.
> 
> Updating over Tor or a VPN helps a bit.  Updating to debian's hidden
> service is even more ideal, no https in between with
> state-actor/CA-forgeable certificates possible, etc..
> 
> However, Qubes updates aren't available via Tor.
> 
> I do notice, however, that the qubes repository will allow changing the
> "http" to "https" in the qubes entry /etc/apt/sources.list.d/.  (You'd
> have to install "apt-transport-https" too.)
> 
> Do the Qubes folks have a problem with this?  It'd put extra load on the
> servers, so I thought I'd ask.
> 
> I might suggest it would make a good default, if the load wouldn't be
> unacceptable.
> 
> Cheers,
> 
> -d
> 
This has been under discussion in qubes-issues for some time.
apt-transport-https is installed by default, so you can change that if
you want.

There was a proposal to make debian updates use https by default. It
wasn't accepted. Debian security updates aren't available by https so
that part will always come plain.
You can change the rest to use https.
The benefits of doing this are almost entirely illusory. It's pretty
trivial to identify packages being transferred under https, so a
competent snooper wouldn't be hampered.

I assume you mean that Qubes updates aren't available as an onion
service. I offered to set this up some time back but it wasn't thought a
priority. There used to be such a service but it's long out of date
now.

unman



Re: [qubes-users] Updates, security

2016-12-17 Thread entr0py
johnyju...@sigaint.org:
> While updates are signed, so even if they come over the wire in cleartext,
> the fact that they often are sent in the clear (even from debian.net)
> allows a snooper to know what packages you're scanning for metadata or
> installing.  It reveals a lot about the state of your system.
> 
> Updating over Tor or a VPN helps a bit.  Updating to debian's hidden
> service is even more ideal, no https in between with
> state-actor/CA-forgeable certificates possible, etc..
> 
> However, Qubes updates aren't available via Tor.
> 

WIP: https://forums.whonix.org/t/onionizing-qubes-whonix-repositories/3265



[qubes-users] Updates, security

2016-12-17 Thread johnyjukya
While updates are signed, so even if they come over the wire in cleartext,
the fact that they often are sent in the clear (even from debian.net)
allows a snooper to know what packages you're scanning for metadata or
installing.  It reveals a lot about the state of your system.

Updating over Tor or a VPN helps a bit.  Updating to debian's hidden
service is even more ideal, no https in between with
state-actor/CA-forgeable certificates possible, etc..

However, Qubes updates aren't available via Tor.

I do notice, however, that the qubes repository will allow changing the
"http" to "https" in the qubes entry /etc/apt/sources.list.d/.  (You'd
have to install "apt-transport-https" too.)

Do the Qubes folks have a problem with this?  It'd put extra load on the
servers, so I thought I'd ask.

I might suggest it would make a good default, if the load wouldn't be
unacceptable.

Cheers,

-d
