On Sunday, April 9, 2017 at 2:55:01 PM UTC-4, cooloutac wrote:
> I gotta say the dvm template always gets messed up too. So i also only
> consider it untrusted tasks now. but the vault vm is great imo.
>
> Maybe you should post in user devel the people there are not as noob as me.
You type to
I gotta say the dvm template always gets messed up too. So i also only
consider it untrusted tasks now. but the vault vm is great imo.
Maybe you should post in user devel the people there are not as noob as me.
--
You received this message because you are subscribed to the Google Groups
>usability is not a good reason to add or change anything.
I suggest you switch to running Lynx on OpenBSD then. I guarantee you're
running all kinds of horribly insecure stuff on whatever you're using to read
this right now.
Usability has always been a top priority in Qubes and that is a
On Saturday, April 8, 2017 at 6:19:07 PM UTC-4, Shane Optima wrote:
> > Don't be scared.
>
> It's a Shawshank Redemption reference.
>
> >>An additional key combination to insert information into the Dom0 database
> >>from a VM would be a minor convenience that could be put off until the tool
> Don't be scared.
It's a Shawshank Redemption reference.
>>An additional key combination to insert information into the Dom0 database
>>from a VM would be a minor convenience that could be put off until the tool
>>is overhauled (and probably moved out of Dom0 entirely.)
> How many times do
On Saturday, April 8, 2017 at 4:32:05 PM UTC-4, Shane Optima wrote:
> >I wouldn't want a vm inserting anything in dom0.
>
> You're *still* spreading this nonsense? After what I just said?
>
> I don't know how much more clearly I lay this out, but let's give it a shot:
> Nothing is being
>I wouldn't want a vm inserting anything in dom0.
You're *still* spreading this nonsense? After what I just said?
I don't know how much more clearly I lay this out, but let's give it a shot:
Nothing is being 'inserted' into Dom0 and this does not in any way "open up"
Dom0. This is a one-way
On Friday, April 7, 2017 at 6:37:21 PM UTC-4, Shane Optima wrote:
> cooloutac > I'd rather not have such a tool sitting there "enabled". lol
>
>
> First off, you've ignored where I said that this should obviously be an
> opt-in thing that isn't present, as the mechanism is pretty hacky and the
>Here's a super simple (but likely quite effective!) exploit which took me a
>about two minutes to write
It borders on intellectual dishonesty to put this immediately after my bit
about using a browser extension to modify the page title in an unpredictable
manner. Your pseudocode doesn't work
cooloutac > I'd rather not have such a tool sitting there "enabled". lol
First off, you've ignored where I said that this should obviously be an opt-in
thing that isn't present, as the mechanism is pretty hacky and the tool
shouldn't be used by the careless.
But second, it transcends mere
On Thu, Mar 30, 2017 at 6:21 PM, Shane Optima wrote:
> Maybe if you (or someone) could write a Firefox extension to modify all
> browser page titles to be a concatenation of the page title and a short token
> of characters generated from a salted hash of the URL (so that
On Thursday, March 30, 2017 at 5:27:12 PM UTC-4, Chris Laprise wrote:
> I get the feeling when you talk about people contributing, you mean
> /other/ people. That's fine, but in my estimation what you're proposing
> would take under 30 lines of bash code.
I think I've already covered this exact
I get the feeling when you talk about people contributing, you mean
/other/ people. That's fine, but in my estimation what you're proposing
would take under 30 lines of bash code.
You should write it yourself as a way to learn about Linux and Qubes.
--
Chris Laprise, tas...@openmailbox.org
>Yeah, it could be dangerous, but still might be worth writing for oneself if
>the threat model seems appropriate. I wouldn't suggest this as a Qubes feature.
As an out of the box official Qubes feature, no, but it seems like an excellent
stopgap and stepping stone given the ease of
On 03/30/2017 10:34 AM, Jean-Philippe Ouellet wrote:
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote:
xdotool also lets you inject keystrokes into windows.
With a shortcut-key assignment this can be easily scripted by the user (you
said this was for power users).
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote:
> xdotool also lets you inject keystrokes into windows.
>
> With a shortcut-key assignment this can be easily scripted by the user (you
> said this was for power users).
Automatically injecting the keystrokes removes
On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise wrote:
> You don't even need to rely on the window title for the security aspect: The
> _QUBES_VMNAME window property will tell you. For example:
>
> $ CUR_WINDOW=`xdotool getwindowfocus`
> $ VMNAME=`xprop _QUBES_VMNAME -id
On Monday, March 27, 2017 at 1:16:10 AM UTC-4, Shane Optima wrote:
> >which may or may not be *detected* by a sharply observant user, but could
> >still not be *prevented* by one
>
> Um, that is incorrect. I'm not sure you understand at all what I'm talking
> about here so let's go over it
Didn't bother reading the anarchical walls of text haha. but Ya I agree with
Jean that sounds like you would be exposing dom0 to stuff for really no
reason...
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and
>which may or may not be *detected* by a sharply observant user, but could
>still not be *prevented* by one
Um, that is incorrect. I'm not sure you understand at all what I'm talking
about here so let's go over it step by step:
A. User visits a site associated with a pre-stored password and
- If we consider a compromised VM with:
- passwords saved in the browser: an attacker can obtain all passwords
- your proposed password manager: an attacker can still obtain all
passwords, just needs to wait for them to be used
- If we consider a non-compromised VM with:
- passwords saved
> This is actually worse than not using a password manager at all,
> because the window you are about to enter the password into has full
> control over its title, and so this opens a race condition where the
> site could change its title right before dom0 checks it (perhaps
> triggered by "I am
On Fri, Mar 24, 2017 at 2:55 AM, Shane Optima wrote:
> However, I justed noticed that R3.2 introduced a Dom0-to-hyperboard[1] copy
> function, and since Dom0 knows the window title text... couldn't there be
> another hypervisor keyboard shortcut that would use the window
23 matches
Mail list logo