Re: [qubes-users] traveling - best practice

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-02-07 05:09, haaber wrote:
> Hello,  I wonder how you behave when traveling, for example in
> places with cameras all around. I feel uncomfortable to enter my
> passwords in such situations. Of course I can simply not turn my
> computer on.  But sometimes you have several hours in an airport ..
> I thought about 3 options.
> 
> 0) Change all (disk / user) pwd before & after traveling (how do I 
> change the disk pwd?).
> 
> 1) Pull out my tails usbkey and surf with that?
> 
> 2) maybe it woud be nice to have an additional  "single cube" 
> usr/password : when using this user name, one would get a single 
> disposable untrusted VM,  no dom0 acces, no USB, and so forth. Is
> that feasable / reasonable?
> 
> how do you cope with that? Thank you, Bernhard
> 

Right now, it's very difficult. I just try to be very careful when
entering passphrases. If I have insufficient privacy, I don't enter
them at all. Once per-VM encryption is implemented, it should help
with many aspects of this problem:

https://github.com/QubesOS/qubes-issues/issues/1293

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYm45hAAoJENtN07w5UDAwEuIP/2tYktkKEBzmPmUZo7Ewb9mR
Pn3xMdF6kFHvrhK+cUTHYqC0+bejXuspV7jEtgLBJxhfkhhBtwhgMoR1cvcwRIAt
heQl+3rhvc/5S8hNYhUGKce2rd1cNTgLwR8P9P1lqTLX0uwU9xaSRimlBssomr1r
XWnrinxnzyXBfBivbDxxK66cwbgwcJBxoCRIwIfYgk9Mcshjr+LTC2ibE6kPhq50
FJQ3Tl9oMFyjtBGEWHijOal1S0oLZeainm/xXfz79X40BrzH2VtSWE44qw8XbWIE
UwLnuxTc7rkEPK4udPfcqQ+fvQqTYNWlmaAD03q9v/pyulbZEARLOWt7DLlQbkpv
k9FPx0Qq24NbqUhwqMHF9322I0+HZhu1BlBL9q/0sgCA392uAcS6dybWya3Xq/Bd
598YEbG1sW5Lvrcm96k1aJPcDiKHSBZwXJdOYcz2BFJwiw8cDL/GnvBOjqzbs3Du
xQDGx8OpZpU2dPGzqfcabmixBQ+//FHI2amWhydsa4gK7+bBrtxLd/4G9y6Il7hO
rPhEE3J3b0ulyutQlyj3f7MdHaimbkpG0G5iQHkYdA6BhBSpSGcTc43qBUaHnU7x
aCYFzfxssrdh18KB8hkiEQWOIfBVd8s5NAyPSlbPOlwHpwUoNQ2rwNbztHRIMtuh
teum5x/tlvZKTJEjugiv
=T7+Z
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a216af0e-023b-22c7-9578-5cd1326d031a%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] traveling - best practice

[Jean-Philippe Ouellet]

> 2) maybe it woud be nice to have an additional  "single cube"
> usr/password : when using this user name, one would get a single
> disposable untrusted VM,  no dom0 acces, no USB, and so forth. Is that
> feasable / reasonable?

I want something similar to this too, but there are several things
which need to be implemented first in order for it to be able to be
implemented securely, particularly splitting out the desktop
environment / window manager / main gui out from dom0.

https://github.com/QubesOS/qubes-issues/issues/833

Progress is being made, albeit rather slowly. More funding would
accelerate this work ;)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_DUoWfv-Bs%3DWthuX4ns8QncxAHA3eoJopb5DRhL%3DbB-6A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] traveling - best practice

[john.david.r.smith]

On 07/02/17 14:09, haaber wrote:

Hello,  I wonder how you behave when traveling, for example in places
with cameras all around. I feel uncomfortable to enter my passwords in
such situations. Of course I can simply not turn my computer on.  But
sometimes you have several hours in an airport ..  I thought about 3
options.

0) Change all (disk / user) pwd before & after traveling (how do I
change the disk pwd?).


i already had the same question.
I think a simple way to do this from dom0 would be nice (simple = one terminal 
call and not digging around in some config files)


1) Pull out my tails usbkey and surf with that?


do you always allow booting from usb? (in my case the bios pw is required and i 
would not want to enter it)


2) maybe it woud be nice to have an additional  "single cube"
usr/password : when using this user name, one would get a single
disposable untrusted VM,  no dom0 acces, no USB, and so forth. Is that
feasable / reasonable?


i think this would be a nice feature

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5ca9cb6c-2f24-3bdb-14ff-377141036562%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] traveling - best practice

[taii...@gmx.com]

On 02/07/2017 03:36 PM, Jake wrote:

On 02/07/2017 08:43 AM, Franz wrote:

>
>
> On Tue, Feb 7, 2017 at 10:09 AM, haaber >
> wrote:
>
> Hello, I wonder how you behave when traveling, for example in places
> with cameras all around. I feel uncomfortable to enter my passwords in
> such situations. Of course I can simply not turn my computer on.  But
> sometimes you have several hours in an airport ..  I thought about 3
> options.
>
> 0) Change all (disk / user) pwd before & after traveling (how do I
> change the disk pwd?).
>
> 1) Pull out my tails usbkey and surf with that?
>
> 2) maybe it woud be nice to have an additional  "single cube"
> usr/password : when using this user name, one would get a single
> disposable untrusted VM,  no dom0 acces, no USB, and so forth. Is that
> feasable / reasonable?
>
> how do you cope with that? Thank you, Bernhard
>
>
> But is the resolution of these cameras high and fast enough to be able to read
> the movements of my 10 fingers all working together and covering the whole
> keyboard?
>
> I installed a high definition security ethernet camera in my home, but
> resolution and speed are not that spectacular.
>
> There are mini-cameras that can be hidden, but resolution is worse.
>
> So cameras can be easily identified and  I suppose it is enough to avoid
> sitting down  having a camera just over your shoulders.

i am a strong proponent of entirely removing both microphones and cameras in all
computing devices. even with a hardware switch, you can't know it's actually
disabled, whereas when you remove the mics and cameras, you can be confident
they are disabled.

this can be done to pretty much any laptop, but it may void your warranty, so if
you care about that kind of stuff, keep that in mind. it typically takes 1-2
hours to disassemble and reassemble a laptop when doing this.

It doesn't void your warranty unless you damage something, the "warranty 
void if removed" stickers have no legal backing in most countries due to 
1970's automobile repair laws in regards to the "authorized repair 
center" bullshit.


It takes around 10 minutes for every laptop I have done it on, certainly 
not hours and hours.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e0b69bbd-2ac4-f819-c438-eb4f5321b003%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] traveling - best practice

[Jake]

  
  
On 02/07/2017 08:43 AM, Franz wrote:


  

  On Tue, Feb 7, 2017 at 10:09 AM,
haaber 
wrote:
Hello, 
  I wonder how you behave when traveling, for example in
  places
  with cameras all around. I feel uncomfortable to enter my
  passwords in
  such situations. Of course I can simply not turn my
  computer on.  But
  sometimes you have several hours in an airport ..  I
  thought about 3
  options.
  
  0) Change all (disk / user) pwd before & after
  traveling (how do I
  change the disk pwd?).
  
  1) Pull out my tails usbkey and surf with that?
  
  2) maybe it woud be nice to have an additional  "single
  cube"
  usr/password : when using this user name, one would get a
  single
  disposable untrusted VM,  no dom0 acces, no USB, and so
  forth. Is that
  feasable / reasonable?
  
  how do you cope with that? Thank you, Bernhard
  



But is the resolution of these cameras high and fast
  enough to be able to read the movements of my 10 fingers
  all working together and covering the whole keyboard?
  

I installed a high definition security ethernet camera
  in my home, but resolution and speed are not that
  spectacular.
  

There are mini-cameras that can be hidden, but
  resolution is worse.



So cameras can be easily identified and  I suppose it
  is enough to avoid sitting down  having a camera just over
  your shoulders.

  

  


i am a strong proponent of entirely removing both microphones and
cameras in all computing devices. even with a hardware switch, you
can't know it's actually disabled, whereas when you remove the mics
and cameras, you can be confident they are disabled.

this can be done to pretty much any laptop, but it may void your
warranty, so if you care about that kind of stuff, keep that in
mind. it typically takes 1-2 hours to disassemble and reassemble a
laptop when doing this.


  

  
Best

Fran


  --
  You received this message because you are subscribed
  to the Google Groups "qubes-users" group.
  To unsubscribe from this group and stop receiving
  emails from it, send an email to qubes-users+unsubscribe@googlegroups.com.
  To post to this group, send email to qubes-users@googlegroups.com.
  To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8966eb59-45e3-e8d5-9ece-cae31d719f90%40web.de.
  For more options, visit https://groups.google.com/d/optout.

  
  

  
  -- 
  You received this message because you are subscribed to the Google
  Groups "qubes-users" group.
  To unsubscribe from this group and stop receiving emails from it,
  send an email to qubes-users+unsubscr...@googlegroups.com.
  To post to this group, send email to qubes-users@googlegroups.com.
  To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAPzH-qAizi%2B%2BkUxeCpwiZvT%3DgvEFVPHaDhqDQGWb1AqC2FGjBQ%40mail.gmail.com.
  For more options, visit https://groups.google.com/d/optout.

  




-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2b4d8801-05d7-5c08-11e7-be6a896f507f%40companyzero.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] traveling - best practice

[Connor Page]

if you're afraid of cameras, just cover it all when entering sensitive 
information like citizen four did.
don't ever enter LUKS passphrase if someone else had an opportunity to boot 
your laptop without your direct supervision.in that case yes, a live USB drive 
is your friend until it is safe to confirm that boot sequence wasn't altered 
and you can trust the bootloader, kernel etc.
I am not that paranoid, so just use a yubikey as a second factor for crowded 
places and under cameras.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2fa85933-7a19-4a24-8aa0-8c1a9a534d57%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] traveling - best practice

[Connor Page]

if you're afraid of cameras, just cover it all when entering sensitive 
information like citizen four did.
don't ever enter LUKS passphrase if someone else had an opportunity to boot 
your laptop without your direct supervision.in that case yes, a live USB drive 
is your friend until it is safe to confirm that boot sequence wasn't altered 
and you can trust the bootloader, kernel etc.
I am not that paranoid, so just use a yubikey as a second factor for crowded 
places and under cameras.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/df582865-94b2-43d3-af6c-77e0d6be401b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] traveling - best practice

[Franz]

On Tue, Feb 7, 2017 at 10:09 AM, haaber  wrote:

> Hello,  I wonder how you behave when traveling, for example in places
> with cameras all around. I feel uncomfortable to enter my passwords in
> such situations. Of course I can simply not turn my computer on.  But
> sometimes you have several hours in an airport ..  I thought about 3
> options.
>
> 0) Change all (disk / user) pwd before & after traveling (how do I
> change the disk pwd?).
>
> 1) Pull out my tails usbkey and surf with that?
>
> 2) maybe it woud be nice to have an additional  "single cube"
> usr/password : when using this user name, one would get a single
> disposable untrusted VM,  no dom0 acces, no USB, and so forth. Is that
> feasable / reasonable?
>
> how do you cope with that? Thank you, Bernhard
>
>
But is the resolution of these cameras high and fast enough to be able to
read the movements of my 10 fingers all working together and covering the
whole keyboard?

I installed a high definition security ethernet camera in my home, but
resolution and speed are not that spectacular.

There are mini-cameras that can be hidden, but resolution is worse.

So cameras can be easily identified and  I suppose it is enough to avoid
sitting down  having a camera just over your shoulders.
Best
Fran

> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/8966eb59-45e3-e8d5-9ece-cae31d719f90%40web.de.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qAizi%2B%2BkUxeCpwiZvT%3DgvEFVPHaDhqDQGWb1AqC2FGjBQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] traveling - best practice

[haaber]

Hello,  I wonder how you behave when traveling, for example in places
with cameras all around. I feel uncomfortable to enter my passwords in
such situations. Of course I can simply not turn my computer on.  But
sometimes you have several hours in an airport ..  I thought about 3
options.

0) Change all (disk / user) pwd before & after traveling (how do I
change the disk pwd?).

1) Pull out my tails usbkey and surf with that?

2) maybe it woud be nice to have an additional  "single cube"
usr/password : when using this user name, one would get a single
disposable untrusted VM,  no dom0 acces, no USB, and so forth. Is that
feasable / reasonable?

how do you cope with that? Thank you, Bernhard

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8966eb59-45e3-e8d5-9ece-cae31d719f90%40web.de.
For more options, visit https://groups.google.com/d/optout.