Re: [qubes-users] More information needed about Qubes security

2019-01-14 Thread Alexandre Belgrand
On Monday 14 January 2019 at 07:16 -0500, Chris Laprise wrote:
> Check out Joanna's blog at Invisible Things Lab. Lots of Qubes' DNA is there.

Got it, thanks: Intel x86 considered harmful https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

-- You received this message because you

[qubes-users] OpenSC smartcards + LVM

2019-01-12 Thread alexandre . belgrand
Dear all, This is my first post, so I would like to thank the community for the hard work around Qubes. Here are some questions before I consider replacing my system with Qubes. 1) OpenSC smartcards I would like to use an OpenSC smartcard with a pinpad reader to secure my SSH key. The pinpad

[qubes-users] Using OpenBSD as Qubes firewall

2019-01-13 Thread alexandre . belgrand
Dear all, Pardon my ignorance, is it possible to use OpenBSD to provide firewalling to Qubes? I have nearly zero confidence in GNU/Linux although I use it every day. Kind regards,

Re: [qubes-users] Using OpenBSD as Qubes firewall

2019-01-14 Thread Alexandre Belgrand
On Monday 14 January 2019 at 00:35 +, unman wrote:
> You can find some notes that may help here:
> https://github.com/unman/notes/blob/master/openBSD_as_netvm

Thanks. This seems very interesting.

Re: [qubes-users] Using a Desktop Computer with Qubes (R 4.0.1)

2019-01-14 Thread Alexandre Belgrand
On Monday 14 January 2019 at 01:52 +, js...@bitmessage.ch wrote:
> It sounds like you've already looked at the docs but here's the link:
> https://www.qubes-os.org/doc/usb/
> You have to have sys-usb to attach a usb device like a scanner to an appvm (unless you can just attach the whole

Re: [qubes-users] Using a Desktop Computer with Qubes (R 4.0.1)

2019-01-14 Thread Alexandre Belgrand
> So in theory you would plug your scanner which should appear in sys-usb,
> and you'd attach ("proxy") it to a VM where you have your scanning
> software installed. If you're lucky it will work that way but not every
> USB device works well with proxying and scanners aren't known to be

Re: [qubes-users] Re: More information needed about Qubes security

2019-01-14 Thread Alexandre Belgrand
On Monday 14 January 2019 at 03:26 -0800, Foppe de Haan wrote:
> can the IME really talk to any NIC? Or just the ones that it has drivers for (e.g., other intel products)? If the latter, wouldn't an add-in card (or USB dongle) solve that issue?

It seems that the IME is a complete computer

[qubes-users] More information needed about Qubes security

2019-01-14 Thread Alexandre Belgrand
Hello, I am still brooding over before installing Qubes. My first thinking is that since Intel ME backdoors provide full access to authorities, there is no way we can stop government agencies. Recent research (read 1) shows that Intel ME has access to all parts of a computer, even switched-off.

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-26 Thread Alexandre Belgrand
On Wednesday 23 January 2019 at 18:05 +0100, Marek Marczykowski-Górecki wrote:
> We have just published Qubes Security Bulletin (QSB) #46:
> APT update mechanism vulnerability.

Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen and injection may occur during apt-get

Re: [qubes-users] Debian Template APT Vulnerability - A ticking bomb?

2019-01-26 Thread Alexandre Belgrand
On Saturday 26 January 2019 at 04:39 -0800, goldsm...@riseup.net wrote:
> If "apt-transport-https" is the magic bullet, why in the past hasn't it been implemented by default? And, why for the future, is it not being implemented immediately by Qubes, Debian et al?

Furthermore, very few Debian

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-27 Thread Alexandre Belgrand
On Sunday 27 January 2019 at 13:11 +, Holger Levsen wrote:
> I *believe* they probably misunderstood evil32.com and its fallout.

CAs and GNU/Linux distributions are #1 targets for national intelligence agencies. Debian developers are not using smartcards to store their GPG keys,

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-27 Thread Alexandre Belgrand
On Sunday 27 January 2019 at 16:47 +, unman wrote:
> I'd be interested to know what system has been graced with your approval.
> If you believe all this, then what makes you think that national intelligence agencies haven't infiltrated *bsd, coreboot and any other system you can

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Alexandre Belgrand
On Monday 28 January 2019 at 13:08 -0800, goldsm...@riseup.net wrote:
> I'm intrigued how you know can categorically state "CAs and GNU/Linux distributions are #1 targets for national

China:

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Alexandre Belgrand
ore valuable documents on a computer when connected to a network. Companies that care about security should have a complete process to manage workstations and internal networks, without access to the Internet. We are back to ancient times. Kind regards, Alexandre Belgrand

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Alexandre Belgrand
On Monday 28 January 2019 at 13:08 -0800, goldsm...@riseup.net wrote:
> To Alexandre Belgrand
>
> I'm intrigued how you know can categorically state "CAs and GNU/Linux distributions are #1 targets for national intelligence agencies". This is classified informa

Re: [qubes-users] Intel ME and AEM/HEADS

2019-01-30 Thread Alexandre Belgrand
On Wednesday 30 January 2019 at 13:07 +0630, Frank Beuth wrote:
> Apologies if this is getting offtopic, but: one author suggested that modern versions of Coreboot could (in absence of Intel ME or AEM) reduce Evil Maid attacks to physical attacks requiring the attacker to open the

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-29 Thread Alexandre Belgrand
On Tuesday 29 January 2019 at 09:51 +0200, Ilpo Järvinen wrote:
> Yeah yeah, the only modification was that chip as claimed in the article? Magically all the necessary signal pins were routed to its location but nothing else was changed (and you cannot have that many pins in that sized

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-28 Thread Alexandre Belgrand
On Tuesday 29 January 2019 at 00:59 +0200, Ilpo Järvinen wrote:
> There are many technical reasons raising from plain physics/electronics which make an attack chip of that size with the described capabilities to seem quite utopistic (and the article therefore bogus). ...But of course

Re: [qubes-users] Intel ME and AEM/HEADS

2019-01-30 Thread Alexandre Belgrand
On Wednesday 30 January 2019 at 15:50 +0700, Frank Beuth wrote:
> Apologies again if this is offtopic, but it sounds like there is a way to disable software reflashing of Coreboot entirely? Or am I misinformed?

https://doc.coreboot.org/flash_tutorial/index.html
Quoting: "Updating the

Re: [qubes-users] Intel ME and AEM/HEADS

2019-01-30 Thread Alexandre Belgrand
On Wednesday 30 January 2019 at 12:38 +0100, Maillist wrote:
> Only if you configure it that way. Also, even if you do, you wanna make sure it only accepts updates signed by your personal key.

Interesting. Could you point out the documentation explaining how? Thanks.

Re: [qubes-users] Intel ME and AEM/HEADS

2019-01-31 Thread Alexandre Belgrand
On Thursday 31 January 2019 at 14:21 +0100, Maillist wrote:
> INTEL_CHIPSET_LOCKDOWN

Nice feature. This makes it impossible to update BIOS without physical access to the chip. I was unaware of this feature, thanks.

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-29 Thread Alexandre Belgrand
On Tuesday 29 January 2019 at 02:24 -0800, goldsm...@riseup.net wrote:
> To Alexandre
> So you found this stuff on the internet and were gullible enough to swallow it, hook line and sinker, without first verifying its authenticity. I suppose your allegations against the Debian Team's