Re: [qubes-users] HCL Suggestions?

2017-02-07 Thread Jean-Philippe Ouellet
I started an effort to automate HCL updating a few months ago and thought I'd pass on my notes in case anyone finds them useful. First, you'll probably want a complete and incrementally-updateable local mailing list archive. The most reliable way I've found to dump google groups is with [1]

Re: [qubes-users] traveling - best practice

2017-02-08 Thread Jean-Philippe Ouellet
> 2) maybe it would be nice to have an additional "single cube" > usr/password : when using this user name, one would get a single > disposable untrusted VM, no dom0 access, no USB, and so forth. Is that > feasible / reasonable? I want something similar to this too, but there are several things

Re: [qubes-users] Re: Question to Mirage OS firewall users

2017-02-08 Thread Jean-Philippe Ouellet
On Sat, Jan 28, 2017 at 9:13 AM, Thomas Leonard wrote: > I'm not sure why my DispVM is Fedora 23 when my default template is Fedora > 24, but anyway... If fedora24 is indeed your default template, try: [user@dom0 ~]$ qvm-create-default-dvm --default-template If that does

Re: [qubes-users] What? Can I access a windows USB drive?

2017-02-08 Thread Jean-Philippe Ouellet
If you install fuse-exfat (from the rpmfusion-free repo) in the template used by sys-usb, then Nautilus (the default file manager) should be able to auto-mount them and they should Just Work(TM). At least... this worked for me. -- You received this message because you are subscribed to the

[qubes-users] Custom qrexec services

2017-01-28 Thread Jean-Philippe Ouellet
From https://github.com/QubesOS/qubes-issues/issues/910#issuecomment-275872140 (here to not pollute that issue) @marmarek wrote: > BTW I'm curious how many people have custom qrexec services ;) On one of my > machines I have 15 of them. I have at least the following (not all are finished or

Re: [qubes-users] Global updates question

2017-02-16 Thread Jean-Philippe Ouellet
On Thu, Feb 16, 2017 at 10:51 PM, Fabrizio Romano Genovese wrote: > Well, I have considered it, yes, and it's true that launching many terminals > can be resource intensive. But it's also faster: Using & I can launch all > the terminals at the same time, while

Re: [qubes-users] Qubes manager not showing changes, etc.

2017-02-16 Thread Jean-Philippe Ouellet
Not sure if relevant, but I also experienced a case recently where a just-created VM did not show up. Was resolved by simply killing & restarting qubes-manager. Only happened once, so didn't debug.

Re: [qubes-users] Updating packages with salt does not refresh the repositories

2017-02-10 Thread Jean-Philippe Ouellet
On Thu, Feb 9, 2017 at 6:46 PM, wrote: > I have an update.sls with the following content: > > updates: > pkg.uptodate: > - refres: True If that's literally a copy & paste... because you're missing the h in refresh?

Re: [qubes-users] Re: Amnesic QubesOS

2017-02-14 Thread Jean-Philippe Ouellet
On Tue, Feb 14, 2017 at 9:45 PM, wrote: > There is the option to use a disposable vm for everything if you want? Note that the current implementation of DispVMs does not resist local forensics: - https://www.qubes-os.org/doc/dispvm/#disposable-vms-and-local-forensics -

Re: [qubes-users] Convert live system to VM in Qube OS?

2017-02-09 Thread Jean-Philippe Ouellet
On Sat, Feb 4, 2017 at 7:31 AM, Alex wrote: > First, you may already have thought about it, but the simple > transposition of a work pc to a VM environment (be it qubes or not) does > not give you any additional security benefit. It only increases the > compatibility problems!

Re: [qubes-users] qvm-run fails silently with chromium

2017-02-15 Thread Jean-Philippe Ouellet
Running execsnoop [1] in the AppVM while trying to start chromium may give you more insight into what is actually happening. Tracing observed behavior is often easier than digging through the source. [1]: https://raw.githubusercontent.com/brendangregg/perf-tools/master/execsnoop

Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2017-02-27 Thread Jean-Philippe Ouellet
On Mon, Feb 27, 2017 at 3:42 PM, Chris Laprise <tas...@openmailbox.org> wrote: > On 02/27/2017 03:11 PM, Holger Levsen wrote: >> On Sun, Feb 26, 2017 at 02:56:53PM -0500, Jean-Philippe Ouellet wrote: >>> I still have issues with suspend/resume. Sometimes it fails to r

[qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2017-02-26 Thread Jean-Philippe Ouellet
In the interest of maximizing list archive utility, I'm attaching a new HCL here (bumped kernel to 4.8.12-12 & xen to 4.6.4). I still have issues with suspend/resume. Sometimes it fails to resume, and sometimes it fails to suspend (leading to a hot backpack and/or quickly dead battery). There is

Re: [qubes-users] How to mount USB with ISO in Windows-Template

2016-09-25 Thread Jean-Philippe Ouellet
And it works!? Please do share how! :) I also have a brand new 4th gen x1 carbon and have spent the past week struggling to get it to a usable state. Do you have the horrible rainbow screen on resume? What kernel are you running in dom0? Was there some magic bios settings combination required

[qubes-users] HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-09-26 Thread Jean-Philippe Ouellet
A few notes: The 4.1 kernel R3.1 ships with is not usable due to graphics issues on resume. Update with the unstable repo or use 3.2. I am booting in UEFI mode, and had to follow the advice of https://www.qubes-os.org/doc/uefi-troubleshooting/ in order to get the 4.4 kernel to boot. This was

Re: [qubes-users] How to mount USB with ISO in Windows-Template

2016-09-26 Thread Jean-Philippe Ouellet
On Mon, Sep 26, 2016 at 3:01 PM, martin.forum wrote: > > https://www.qubes-os.org/doc/uefi-troubleshooting/ WOW! That was it... Thank you! I had ignored that page (having come across it several times) because the symptoms it describes did not match the behavior I was

Re: [qubes-users] [feature request] Shutdown template after update

2016-11-07 Thread Jean-Philippe Ouellet
See also https://github.com/QubesOS/qubes-issues/issues/2388 If we have appropriate metadata for each VM, we could automatically shut-down VMs if they were not running prior to triggering the update. This may be a preferable user experience.

Re: [qubes-users] Secure Browsing - browserless?

2016-11-07 Thread Jean-Philippe Ouellet
You are already free to do this in Qubes today, however I suggest that doing so probably does not provide the properties you may expect. You can do X-forwarding over SSH to another machine with your browser, or whatever your preferred supposedly-secure remote-desktoping application is. However,

Re: [qubes-users] Re: Screen recorder for Qubes..?

2016-11-07 Thread Jean-Philippe Ouellet
On Mon, Nov 7, 2016 at 2:29 PM, Chris Laprise wrote: > The framebuffer is being handled by the trusted dom0 graphics stack, so is > actually a trusted input. Perhaps we have run into trusted != trustworthy terminology issues. I meant to say that the content of the

Re: [qubes-users] Re: Screen recorder for Qubes..?

2016-11-07 Thread Jean-Philippe Ouellet
On Mon, Nov 7, 2016 at 2:02 PM, Grzesiek Chodzicki wrote: > In order to capture the whole screen such tool would need to run in dom0 > which is really, really not a good idea. I think it is important to understand the actual risks involved, rather than just saying

Re: [qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread Jean-Philippe Ouellet
On Tue, Nov 15, 2016 at 12:17 AM, dumbcyber wrote: > On Tuesday, 15 November 2016 10:28:52 UTC+11, Marek Marczykowski-Górecki > wrote: >> you need to remove 'rd.qubes.hide_all_usb' from kernel parameters. > > Thanks for the info. For me a noob, how do I remove that

Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-11-14 Thread Jean-Philippe Ouellet
On Mon, Nov 14, 2016 at 4:16 PM, Marek Marczykowski-Górecki wrote: > You can temporarily set sys-firewall netvm to none. This will allow you > to shutdown/restart sys-net without consequences. Remember to change > sys-firewall netvm back to sys-net afterwards.

Re: [qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread Jean-Philippe Ouellet
Alternatively, if you just want to see if things will work at all, IIRC you should also be able to un-check a "use sys-usb" (or similar) checkbox in the installer somewhere, and IIRC rd.qubes.hide_all_usb is only set if this box is checked.

Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread Jean-Philippe Ouellet
On Thu, Nov 24, 2016 at 3:00 PM, Grzesiek Chodzicki wrote: > On Thursday, 24 November 2016 at 20:53:08 UTC+1, user > rspei...@gmail.com wrote: >> I am interested in purchasing the Purism Librem 13 laptop and noticed that >> it was supported for Qubes R3.x

Re: [qubes-users] Qubes and Rust

2016-11-24 Thread Jean-Philippe Ouellet
On Thu, Nov 24, 2016 at 3:44 PM, wrote: > I would like to use Qubes for development work in Rust. I understand that > Rust can eliminate many different sorts of memory related bugs. Would it be > helpful to use in Qubes OS development for improving security? Are there

Re: [qubes-users] Re: SUCCESS: GPU passthrough on Qubes 3.1 (Xen 4.6.1) / Radeon 6950 / Win 7 & Win 8.1 (TUTORIAL + HCL)

2016-11-24 Thread Jean-Philippe Ouellet
On Thu, Nov 24, 2016 at 8:51 AM, Marek Marczykowski-Górecki wrote: > Actually, generic PCI passthrough should just work in both cases now. > Don't know if GPU passthrough is any special here, but I wouldn't be > surprised if it is... At least for intel-integrated

Re: [qubes-users] Passthrough

2016-11-24 Thread Jean-Philippe Ouellet
On Thu, Nov 24, 2016 at 6:55 PM, Drew White wrote: > Is there any way that I can pass through all real hardware specifics to the > guest to make it not think it's running under xen? (primarily Windows) Malware trying to determine if it's on bare metal will likely always be

Re: [qubes-users] Control Alt Delete

2016-11-28 Thread Jean-Philippe Ouellet
Are only AppVMs frozen? (Can you still interact with dom0?) Can you switch to tty2 (Ctrl+Alt+F2, and Ctrl+Alt+F1 to get back) and log in there? If so, maybe you can figure out what's gone wrong via command line tools?

Re: [qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Jean-Philippe Ouellet
On Sat, Nov 26, 2016 at 12:42 PM, Andrew David Wong wrote: > Any ideas for logs or tools I should check to find out what's > failing, or where it's failing? I'd start with: dmesg, ifconfig -a -v, tcpdump, iptables-save.

Re: [qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Jean-Philippe Ouellet
On Sat, Nov 26, 2016 at 2:25 PM, Jean-Philippe Ouellet <j...@vt.edu> wrote: > On Sat, Nov 26, 2016 at 12:42 PM, Andrew David Wong <a...@qubes-os.org> wrote: >> Any ideas for logs or tools I should check to find out what's >> failing, or where it's failing? > > I'd

Re: [qubes-users] beginner trying to choose a laptop question

2016-11-21 Thread Jean-Philippe Ouellet
On Mon, Nov 21, 2016 at 8:04 PM, taii...@gmx.com wrote: > or go to a store and boot a liveCD then run the HCL. ^ This! It can be fun... You may wish to try to explain to an employee what you are doing, to avoid getting "banned" (thrown out) from that store for "trying to put

Re: [qubes-users] Re: selfsecure systems - redunancy?

2016-11-16 Thread Jean-Philippe Ouellet
On Wed, Nov 16, 2016 at 2:43 PM, '81029438'1094328'0194328'0914328 wrote: > ... idealistic description of heterogeneous computations and validating i/o > proxy ... This method of verification is not the panacea it may appear to be. If an attacker can find

Re: [qubes-users] Incremental / continuous backups?

2016-11-16 Thread Jean-Philippe Ouellet
This is a known problem area. See discussions in: - https://github.com/QubesOS/qubes-issues/issues/971 - https://github.com/QubesOS/qubes-issues/issues/858

Re: [qubes-users] Re: Improvement: check disk space before copy to VM

2016-11-14 Thread Jean-Philippe Ouellet
On Mon, Nov 14, 2016 at 5:49 AM, Sec Tester wrote: > Could open up a vulnerability if not done carefully. > > VM could use it to query and identify other VMs in existence on the system. There are already several timing side-channel ways to do that. Example: AppVM$

Re: [qubes-users] Any chance the freezing could be resolved?

2016-11-20 Thread Jean-Philippe Ouellet
If I were you I would try to see if you can reproduce the issue with upstream xen, and then ask on the xen mailing list. It sounds more like a this-xen-version + this-linux-version on your-hardware problem than a qubes problem.

Re: [qubes-users] Any chance the freezing could be resolved?

2016-11-20 Thread Jean-Philippe Ouellet
On Sun, Nov 20, 2016 at 8:44 PM, Drew White wrote: > How do I reproduce the issue on upstream XEN when I run Qubes and keep > working and doing my stuff without wasting several weeks on testing it on > upstream XEN? I don't know, but seeing as you're the only person who

Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-11-13 Thread Jean-Philippe Ouellet
tl;dr - kernel-4.8.7-11 +1 from me! On Thu, Oct 13, 2016 at 1:20 AM, Jean-Philippe Ouellet <j...@vt.edu> wrote: > The laptop fails to resume about once a day and requires a > hold-the-power-button reset > I'm hoping that newer kernels fix this (dom0 currently on 4.4.14-11), Si

Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-11-13 Thread Jean-Philippe Ouellet
On Mon, Nov 14, 2016 at 2:02 AM, Jean-Philippe Ouellet <j...@vt.edu> wrote: > kernel-4.8.7-11 from qubes-dom0-testing Err, that should be qubes-dom0-unstable.

Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Jean-Philippe Ouellet
On Sun, Nov 13, 2016 at 8:36 PM, Eric wrote: > though Intel ME is apparently disabled, which is a win, I guess? You can not "disable" ME. See page 37 of https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

[qubes-users] Where to bulk-download mailing list archives?

2016-11-13 Thread Jean-Philippe Ouellet
Does anyone know of a convenient place to grab the complete archives of this list? (and qubes-devel too?) With the (let's hope indeed temporary) death of gmane and its nntp interface, I lost the only easy way I knew of to bulk-download the entire history of arbitrary mailing lists for offline

Re: [qubes-users] Re: Improvement: check disk space before copy to VM

2016-11-14 Thread Jean-Philippe Ouellet
On Mon, Nov 14, 2016 at 2:42 PM, Jean-Philippe Ouellet <j...@vt.edu> wrote: > On Mon, Nov 14, 2016 at 5:49 AM, Sec Tester <sectesting0...@gmail.com> wrote: >> Could open up a vulnerability if not done carefully. >> >> VM could use it to query and identify oth

Re: [qubes-users] XScreenSaver for dom0 pops up

2016-11-02 Thread Jean-Philippe Ouellet
On Thu, Nov 3, 2016 at 12:50 AM, Andrew David Wong wrote: > So, the fact that you're allowed to see your screen content from yesterday > doesn't constitute any violation of the security model. You're still the same > trusted user as you were yesterday. (If I've misunderstood

[qubes-users] Tracking changes to *which* packages are installed by default

2016-10-12 Thread Jean-Philippe Ouellet
Hello, Is there a recommended way to track default-installed packages on an already-installed system? I just independently re-discovered the fix for the un-muting problem [1][2] and the hard way because the fix [3][4] (patch to qubes-installer-qubes-os) appears to not have propagated to my

Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-10-12 Thread Jean-Philippe Ouellet
On Wed, Oct 12, 2016 at 8:17 PM, wrote: > Can you let me know how things function under 3.2? Any improvements? I am > keen to get the X1 4th generation but I want to make sure it has full Qubes > compatibility since that will be its primary purpose. 3.2 is no different

Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-10-12 Thread Jean-Philippe Ouellet
If you're going to get one, I'd say definitely go with 16gb ram, and know that NVMe vs traditional SSDs appear to be equally well supported. The idea of a WWAN module (w/ accompanying free-to-do-whatever baseband) in a laptop is a scary proposition and highly un-recommended, and so are the

Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-10-12 Thread Jean-Philippe Ouellet
Also, here are the hashes of the files I used to update my BIOS to 1.18 without ever booting windows following the procedure described here: http://www.floccinaucinihilipilification.net/blog/2011/10/2/updating-the-bios-of-a-thinkpad-x220-using-linux.html $ sha256sum geteltorito.pl

Re: [qubes-users] How do I get past this critical error?

2016-11-29 Thread Jean-Philippe Ouellet
On Tue, Nov 29, 2016 at 7:15 AM, Joshua van den Hoven wrote: > Hello guys, > > I am having a few issues with installing Qubes on my Dell Latitude e6330. I > have checked and I do have the correct chipset and a TPM available but still > get two errors the first is

Re: [qubes-users] Re: How to backup an iPhone under Qubes

2016-12-07 Thread Jean-Philippe Ouellet
On Sun, Dec 4, 2016 at 11:27 AM, Vít Šesták wrote: > Alternatively, you can forward USB to Windows using usbip. Again, you need > iptables rules. I did this in older Qubes version with Linux machines, but it > should work the

Re: [qubes-users] Re: New Kernel Issues?

2016-12-07 Thread Jean-Philippe Ouellet
On Tue, Dec 6, 2016 at 8:12 PM, wrote: > Never mind I figured it out :) > > If anyone has the same issues you can change the booted version by editing > /boot/efi/EFI/qubes/xen.cfg > > Update the default var at the top and reboot. For the archives: this is only true if

Re: [qubes-users] Installing on macOS Macbook

2016-12-10 Thread Jean-Philippe Ouellet
On Fri, Dec 9, 2016 at 7:45 PM, Andrew David Wong <a...@qubes-os.org> wrote: > On 2016-12-08 21:11, Jean-Philippe Ouellet wrote: >> On Thu, Dec 8, 2016 at 6:37 AM, Andrew David Wong wrote: >>> Qubes isn't supported on VirtualBox or on Macbooks >> >> This is th

Re: [qubes-users] Newbie surprises

2016-12-10 Thread Jean-Philippe Ouellet
Another (perhaps hacky solution) is to replace pacat-simple on dom0 with a script which invokes pacat-simple in sys-usb over qrexec. This would have a much smaller attack surface than USB passthrough. You may also need to configure some pulseaudio settings in sys-usb.

Re: [qubes-users] Installing on macOS Macbook

2016-12-08 Thread Jean-Philippe Ouellet
On Thu, Dec 8, 2016 at 6:37 AM, Andrew David Wong wrote: > Qubes isn't supported on VirtualBox or on Macbooks This is the first I've heard of MacBooks being "not supported". I know at least one person personally who is currently running Qubes on a recent (<2yo) MacBook, and

[qubes-users] Hardware acceleration in Chrome (or "make google maps great again!")

2016-12-10 Thread Jean-Philippe Ouellet
Hello, Google Chrome disabled the chrome://flags mechanism to disable WebGL some time ago, but now it appears that it is back as "Use hardware acceleration when available" at the bottom of the Advanced section of chrome://settings. Disabling this makes google maps not lag/crash for me! :)

Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-11-30 Thread Jean-Philippe Ouellet
On Wed, Nov 30, 2016 at 11:49 AM, wrote: > Can someone tell me where I can get the files? Any tips or hints when it > comes to running the latest build? I am not aware of any publicly-available full "development builds", however qubes-builder[1] makes it very easy to

Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-01 Thread Jean-Philippe Ouellet
On Thu, Dec 1, 2016 at 7:55 AM, wrote: > Also, What about the Tresor mod which saves your encryption key in the cpu? I > really like the idea of being able to prevent people from extracting the key > from my ram. IMO not worth it in practice. See "TRESOR-HUNT: Attacking

Re: [qubes-users] Qubes and HiDPI

2016-12-01 Thread Jean-Philippe Ouellet
On Thu, Dec 1, 2016 at 2:58 PM, Marc de Bruin wrote: > Doesn't the Qubes VM Manager “window” proportionally scale itself related to > the > occupied pixels of the text due to the font? Or am I missing something? Agh, unfortunately no. Some layout is hard-coded. I

Re: [qubes-users] Re: Qubes and HiDPI

2016-12-01 Thread Jean-Philippe Ouellet
On Thu, Dec 1, 2016 at 6:25 PM, pixel fairy wrote: > On Thursday, December 1, 2016 at 2:58:21 PM UTC-5, Marc de Bruin wrote: > >> Is there a way to get around this? Doesn't the Qubes VM Manager “window” >> proportionally scale itself related to the occupied pixels of the

Re: [qubes-users] console window manager

2016-12-03 Thread Jean-Philippe Ouellet
On Fri, Dec 2, 2016 at 6:58 PM, Eva Star wrote: > xdotool not pre-installed (maybe it's better?) It will be in a future version: https://github.com/QubesOS/qubes-core-admin-linux/blob/be1d984364de9641312f56def13b0af27cfe1cd4/rpm_spec/core-dom0-linux.spec#L51 Pulled in

Re: [qubes-users] Re: Qubes and HiDPI

2016-12-03 Thread Jean-Philippe Ouellet
On Sat, Dec 3, 2016 at 9:12 AM, Marc de Bruin wrote: > With what will it be replaced in Qubes 4? Assuming you mean qubes-manager, then... Discussion here: https://github.com/QubesOS/qubes-issues/issues/2132 WIP code here: https://github.com/bnvk/qubes-manager-new

Re: [qubes-users] Re: How to install Win 7 x64 from a USB stick

2016-11-29 Thread Jean-Philippe Ouellet
It may make more sense to use qvm-block than qvm-usb here. Should in theory have a smaller attack surface and expose better-tested code paths.

Re: [qubes-users] [Security] Anti-evil-maid didn't notice Xen update ?

2016-11-30 Thread Jean-Philippe Ouellet
Check if the latest xen version installed is actually the xen version running. I had an issue where the update did not modify the appropriate EFI variables and I was still running the old version after the update. This issue has been addressed, but perhaps not completely. You can check the

Re: [qubes-users] safer typing in public places

2016-11-30 Thread Jean-Philippe Ouellet
On Tue, Nov 29, 2016 at 11:18 PM, pixel fairy wrote: > has anyone here experimented with bluetooth locks? it seems like a lot of > extra scary code to run in dom0, but i like the idea of auto shutdown if > device loses range. or maybe after a timeout period of some

Re: [qubes-users] Anti Evil Maid Idea

2016-12-20 Thread Jean-Philippe Ouellet
If I understand correctly, it would be completely useless. The point of AEM is ultimately to somehow authenticate the computer to the user, rather than the more common direction of authenticating the identity of a user to the computer (which IIUC is all that U2F can provide, where in the U2F case

Re: [qubes-users] Qubes Manager Q4.0 groups

2016-12-20 Thread Jean-Philippe Ouellet
On Mon, Dec 19, 2016 at 6:13 PM, Eva Star wrote: > Hello, > > Will be issue with a lot of virtual machines fixed at new Qubes Manager at > Q4.0? I also have lots of virtual machines, and this is a problem I intend to address eventually unless someone else does it first

Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-20 Thread Jean-Philippe Ouellet
On Tue, Dec 20, 2016 at 3:08 PM, 5n7xyb+qphld0j5ytif4l via qubes-users wrote: > I also don't want to remove the password from my private key since I used it > in different devices and I don't want to use a different template as I have > many things installed on my

Re: [qubes-users] Anti Evil Maid Idea

2016-12-20 Thread Jean-Philippe Ouellet
On Tue, Dec 20, 2016 at 4:00 PM, Jean-Philippe Ouellet <j...@vt.edu> wrote: > Unless you can come up with some cryptographically-sound way to > integrate the information provided by a 2nd factor as a hard > requirement to complete the secrets-unsealing-at-boot process, then &g

Re: [qubes-users] Redox OS

2016-12-20 Thread Jean-Philippe Ouellet
On Mon, Dec 19, 2016 at 11:56 AM, '103948'109438'0194328'0914328098 wrote: > the new rusty security OS, RedoxOS Neat! Thanks for pointing this out. I was not aware of it. My favorite of your random links so far :)

Re: [qubes-users] Anti Evil Maid Idea

2016-12-20 Thread Jean-Philippe Ouellet
On Tue, Dec 20, 2016 at 4:09 PM, Jean-Philippe Ouellet <j...@vt.edu> wrote: > It does now somehow detect that your computer has been evil-maided, nor > prevent it from being so. "does now" should be "does not" It's been a rough day >_>

Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-21 Thread Jean-Philippe Ouellet
On Wed, Dec 21, 2016 at 1:11 PM, Jean-Philippe Ouellet <j...@vt.edu> wrote: > I have various others in between, such as one with only a browser (for > online banking and such). I should clarify, this is a template with only a browser, and an individual VM used for only on

Re: [qubes-users] Split GPG: thunderbird+enigmail stopped cache password

2016-12-21 Thread Jean-Philippe Ouellet
On Wed, Dec 21, 2016 at 4:20 AM, 'Gaea' via qubes-users wrote: > Please what are the differences between: > > Minimal: fedora-24-minimal + text editor, openssh, git, zsh, etc. > Extremely Minimal fedora-24-minimal + a text editor -- nothing else > Full ?? VMs

Re: [qubes-users] Re: (Problem copying from dom0?)

2016-12-23 Thread Jean-Philippe Ouellet
2016-12-23 10:07 GMT-05:00 Andrew David Wong : >> I use a PC with three hard drives (SSDs). The OS (Ubuntu or >> Qubes) is installed on one SSD and my important files on the >> other two. >> >> All of my hard drives are accessible only via Dom 0, but >> I do not

Re: [qubes-users] Strategy: Qubes needs flexible automation more than other OSes due to its security-by-separation architecture: Should we initiate a cross-platform project?

2016-12-23 Thread Jean-Philippe Ouellet
On Thu, Dec 22, 2016 at 11:00 PM, Leeteqxv wrote: > (Ref. "I wish there was a magical menu entry that could do this:" > - "Enforce restarting sys-net/sys-Firewall and temporarily take down any > open VM that are blocking the restart, and then subsequently start them all >

Re: [qubes-users] Qubes as Server OS?

2016-12-23 Thread Jean-Philippe Ouellet
On Fri, Dec 23, 2016 at 6:10 PM, wrote: > but if its sole purpose is just being a server then who even cares if dom0 is > compromised or not? I strongly disagree. 1) If your server performs more than one purpose, having strong trust boundaries as (attempted to be) provided

Re: [qubes-users] Qubes as Server OS?

2016-12-23 Thread Jean-Philippe Ouellet
On Fri, Dec 23, 2016 at 6:04 PM, Nicklaus McClendon wrote: > I'm intrigued. How is qrexec utilized? Something which I have not set up yet, but intend to soon, is a split email server model, where the MTA and MDA are in separate VMs, and incoming mail is delivered over

Re: [qubes-users] Qubes as Server OS?

2016-12-23 Thread Jean-Philippe Ouellet
On Fri, Dec 23, 2016 at 7:35 PM, Nicklaus McClendon <nickl...@kulinacs.com> wrote: > On 12/23/2016 07:09 PM, Jean-Philippe Ouellet wrote: >>> If you can't access dom0, qrexec is default allowed, >> >> Uhh What? Can you elaborate? > > qrexec usage is norm

Re: [qubes-users] Re: Fedora Desktop in Qubes

2016-12-24 Thread Jean-Philippe Ouellet
On Sat, Dec 24, 2016 at 12:52 AM, Andrew David Wong <a...@qubes-os.org> wrote: > On 2016-12-23 16:20, Jean-Philippe Ouellet wrote: >> On Thu, Dec 22, 2016 at 1:17 AM, Andrew David Wong >> <a...@qubes-os.org> wrote: >>> You'll want to install Dropbox in you

Re: [qubes-users] More user frindly desktop.

2016-12-07 Thread Jean-Philippe Ouellet
On Wed, Dec 7, 2016 at 8:49 AM, wrote: > I'm new to qubes but how can I make a more user friendly desktop Qubes' patched KDE still worked fine last time I tried it. Perhaps you might find that more friendly? > without installing a few things on dom0 I think the seriousness

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Jean-Philippe Ouellet
On Fri, Mar 24, 2017 at 2:55 AM, Shane Optima wrote: > However, I just noticed that R3.2 introduced a Dom0-to-hyperboard[1] copy > function, and since Dom0 knows the window title text... couldn't there be > another hypervisor keyboard shortcut that would use the window

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Jean-Philippe Ouellet
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote: > xdotool also lets you inject keystrokes into windows. > > With a shortcut-key assignment this can be easily scripted by the user (you > said this was for power users). Automatically injecting the keystrokes removes

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Jean-Philippe Ouellet
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote: > You don't even need to rely on the window title for the security aspect: The > _QUBES_VMNAME window property will tell you. For example: > > $ CUR_WINDOW=`xdotool getwindowfocus` > $ VMNAME=`xprop _QUBES_VMNAME -id

Re: [qubes-users] How much important is TPM?

2017-03-28 Thread Jean-Philippe Ouellet
On Tue, Mar 28, 2017 at 2:40 AM, Vít Šesták wrote: > AFAIU, TPM is useful mostly for AEM. But AEM requires Intel TXT (which is > missing even on some high-end CPUs). But TXT has various vulnerabilities. How > much real protection

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-30 Thread Jean-Philippe Ouellet
On Thu, Mar 30, 2017 at 6:21 PM, Shane Optima wrote: > Maybe if you (or someone) could write a Firefox extension to modify all > browser page titles to be a concatenation of the page title and a short token > of characters generated from a salted hash of the URL (so that

Re: [qubes-users] Security and dispVM firefox customization

2017-03-31 Thread Jean-Philippe Ouellet
If you are concerned about the size of your anonymity set then you ought to be using unmodified TBB in a whonix-ws-based template rather than Firefox in a DispVM. We don't currently make guarantees about the cross-machine uniformity of DispVM browsers. There are ways to fingerprint the default

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

2017-03-24 Thread Jean-Philippe Ouellet
- If we consider a compromised VM with: - passwords saved in the browser: an attacker can obtain all passwords - your proposed password manager: an attacker can still obtain all passwords, just needs to wait for them to be used - If we consider a non-compromised VM with: - passwords saved

Re: [qubes-users] Why does Qubes not work with nested virtualization?

2017-03-24 Thread Jean-Philippe Ouellet
It actually does work for limited use cases. I sometimes run Qubes inside Qubes for quickly testing things ;) The outer VM must be HVM, and the inner-inner VMs must be PVM, or else you must enable some less-tested and potentially dangerous code paths in Xen (nestedhvm=1) which Qubes (on purpose)

Re: [qubes-users] Maybe a silly question

2017-03-24 Thread Jean-Philippe Ouellet
On Fri, Mar 24, 2017 at 10:51 AM, Manuel Cornejo wrote: > Doesn't Qubes need an antivirus? What happened if on Qubes we set a VM with > Windows 7 in it? Would you install antivirus on the virtual machine hoping > that is going to be (the same /more) effective than

Re: [qubes-users] Tip: How to speed up QubesOS shutdown

2017-03-18 Thread Jean-Philippe Ouellet
On Tue, Mar 14, 2017 at 7:11 PM, haaber wrote: > I don't have any e820 pci device as far as I know, but shutdown is > definitely a problem. xfce shuts down, and then I have a black screen > with a blinking cursor, and, afaik unless I brutally remove electricity. > No clue if this

Re: [qubes-users] feature idea: creat trusted office document

2017-03-15 Thread Jean-Philippe Ouellet
On Tue, Mar 14, 2017 at 7:44 PM, cubit wrote:
> - open dom0 terminal
> - get dom0 to open a disp terminal in the same dispVM as the disposable doc

Ouch. I'd forgotten how annoying that could be. I have a script [1] bound to a keyboard shortcut to open a terminal in the same

Re: [qubes-users] Is it really hard to autogenerate apropos data for all qubes utils ?

2017-03-18 Thread Jean-Philippe Ouellet
Unman is correct. Additionally, mandb index generation may be of lesser quality because our man pages are not actual man pages, but rather lifted from reStructuredText via pandoc, which generates raw *roff formatting macros rather than semantic mdoc (or even man(7)) ones. This is because

Re: [qubes-users] NTP Global alteration.

2017-03-16 Thread Jean-Philippe Ouellet
Qubes only runs an NTP client in the ClockVM (sys-net) and syncs all other domains via qrexec services, so your claim about NTP traffic coming from multiple VMs on a default system is false. As for changing the NTP server used, feel free to submit patches.

Re: [qubes-devel] Re: [qubes-users] usability major bug?

2017-03-22 Thread Jean-Philippe Ouellet
On Wed, Mar 22, 2017 at 8:08 AM, Oleg Artemiev wrote: > On Wed, Mar 22, 2017 at 1:52 PM, Holger Levsen wrote: >> Hi Oleg, >> >> you missed on important bit of information: >> >> On Wed, Mar 22, 2017 at 12:12:58PM +0300, Oleg Artemiev wrote: >>> I have

Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2017-04-04 Thread Jean-Philippe Ouellet
care :) On Tue, Feb 28, 2017 at 1:29 AM, Jean-Philippe Ouellet <j...@vt.edu> wrote: > On Mon, Feb 27, 2017 at 3:42 PM, Chris Laprise <tas...@openmailbox.org> wrote: >> On 02/27/2017 03:11 PM, Holger Levsen wrote: >>> On Sun, Feb 26, 2017 at 02:56:53PM -0500, Jean-Philipp

Re: [qubes-users] How do I...?

2017-04-04 Thread Jean-Philippe Ouellet
On Tue, Apr 4, 2017 at 8:56 AM, Samuel Hentschel wrote: > Hey Qubes Community, > > I'm a "new" QubesOS user; as in this is my first time trying it to > make it my daily carry. I have a couple questions that you guys may > be able to help me with. Hey Sam, welcome to the

[qubes-users] Re: [qubes-devel] Re: QSB #29: Critical Xen bug in PV memory virtualization code (XSA-212)

2017-04-04 Thread Jean-Philippe Ouellet
On Tue, Apr 4, 2017 at 11:35 AM, Hack wrote: >> Dear Qubes community, >> >> We have just published Qubes Security Bulletin (QSB) #29: >> Critical Xen bug in PV memory virtualization code (XSA-212). >> >> [...] >> >> Discussion >> === >> >> This is another bug

Re: [qubes-users] Is it possible to download Qubes 3.2 from Github?

2017-04-01 Thread Jean-Philippe Ouellet
On Sat, Apr 1, 2017 at 2:23 PM, wrote: > On my network many websites are blocked (to be precise only a handful are > allowed). However one can get access to github.com. > > Is it possible to download Qubes 3.2 from Github? Here you go:

[qubes-users] Re: Custom qrexec services

2017-03-31 Thread Jean-Philippe Ouellet
On Sat, Jan 28, 2017 at 9:04 PM, Marek Marczykowski-Górecki wrote: > 1. write USB - _unidirectional_ service to write an fs image into USB > stick (service into USB VM) I like this idea (mostly got tired of ... | qvm-run -p sys-usb 'dd of=/dev/sda') and wrote my

Re: [qubes-users] How much important is TPM?

2017-04-05 Thread Jean-Philippe Ouellet
On Tue, Apr 4, 2017 at 6:21 PM, taii...@gmx.com wrote: > On 04/04/2017 12:36 PM, Steve Coleman wrote: > >> On 04/04/2017 10:29 AM, taii...@gmx.com wrote: >> >>> Opal is proprietary garbage, >> >> >> Actually its an open standard, not controlled by any government or >>

Re: [qubes-users] realized why I always lose sound in the vms

2017-04-05 Thread Jean-Philippe Ouellet
On Wed, Apr 5, 2017 at 11:29 PM, cooloutac wrote: > The sound mixer app I installed xfe in mutes things when I lower the volume > all the way by accident. Never realized till now lol. I always have to go > into dom0 alsamixer. > > Is there a better plugin to use? Does a

Re: [qubes-users] Qubes 4.0 Alpha release date

2017-04-05 Thread Jean-Philippe Ouellet
On Wed, Apr 5, 2017 at 7:50 AM, wrote: > Hello everyone, > > > First, thanks a lot for working on a reasonably secure operating system > and publish it for free. > > With the recent critical security issue in Xen PV, it would be nice to > consider to release an alpha version

Re: [qubes-users] DispVM Configuration

2017-04-06 Thread Jean-Philippe Ouellet
On Wed, Apr 5, 2017 at 11:59 PM, Sam Hentschel wrote: > Hey all! > > So far so good with QubesOS on my end. Have almost everything up and > running to have this as my daily carry. It's amazing how little RAM all > these VMs actually require; and the CPU! None! > >
