Re: [qubes-users] Windows Tools - save some state

2016-07-05 Thread Eva Star
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


>> * On XFCE it's not possible to somehow "unmaximize" WinHVM
>> window (make it any size). When you resize it, then it becomes
>> full-size automatically.
> 
> Strange. Does it happen only on XFCE?
> 

Yes. It was possible to manage the size of this window (WinHVM), before
I switched to XFCE.


>> Question: Xen support OpenGL for VMs.
> 
> No. There is a fork of Xen, called XenGT with some support
> multiplexing GPU to the VMs. But it requires a lot of work to make
> it integrated into Qubes (and do not compromise security at the
> same time). And secondly - it's done only for Intel GPUs.
> 
Do not need it in such case :)

> You are probably talking about GPU passthrough (giving a single VM 
> control over the whole GPU - assuming it isn't the only one in the 
> system). Yes, currently it requires running qemu in dom0, which we
> don't want to. To solve this problem, first we need to fix this: 
> https://github.com/QubesOS/qubes-issues/issues/1659
> 

"GPU passthrough" requests secondary display to be connected to the
GPU? Or VM which controls secondary GPU can redirect image to primary
display and only use computing resources of GPU number two? Thanks

- -- 
Regards
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/345ab4cf-f714-cca7-316f-6c9dd66ab2b2%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Jul 05, 2016 at 08:47:33AM -0400, Chris Laprise wrote:
> 
> 
> On 07/05/2016 04:43 AM, Marek Marczykowski-Górecki wrote:
> > This was discussed many times, so search the archive for more detailed
> > answer. In short: GPU will always be able to see the screen content -
> > this is what GPU does. Having GPU passthrough done securely (for example
> > without increasing dom0 attack surface by launching qemu there) is quite
> > hard because GPUs use a lot of non standard tricks and hacks in addition
> > to standard PCI operation.
> > 
> > Implementing this is on our roadmap, but it is hard and will take time.
> 
> I must ask: Does ITL have a list of well-behaved hardware on which this can
> be accomplished? If there are any laptops out there with the kind of
> workstation-class GPUs that would respond to passthrough predictably and
> reliably--even just one model--then maybe it should be plastered on the
> front page of qubes-os.org.

Yes, we'll probably end up with having GPU domain supported only on
selected laptops (and "maybe working" on others, as optional feature).
But we haven't even started working on this feature, so cannot say now
what it will look like. Probably working GPU domain will be just another
column in the HCL table and/or certification requirement.

> Beyond that, I think you know my views about Qubes needing more
> comprehensive hardware focus--even design. From here, Qubes with
> designed-for-Windows PCs looks like a strained marriage that's getting
> worse, and the latter was never the kind of blank canvas that many
> considered it to be.
> 
> BTW, I think jurisdan does have an excellent point on #4. It would be
> prudent to flag anon proxy vms (the way rpm-sourced templates are flagged)
> so that QM and tools can take preventative action under some circumstances:
> Switching any appvm away from an anon-flagged proxy should result in a
> warning dialog.

Whonix workstation will lock itself if not connected to Whonix gateway,
so not a big problem here. But non-Whonix AppVMs will not do that... So it
would be good idea to add such warning, but we don't have any place
where it should be added properly in 3.x (not some nasty hack in just
qubes manager). It will be trivial in Qubes OS 4.x.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

-END PGP SIGNATURE-



Re: [qubes-users] Windows Tools - save some state

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jul 06, 2016 at 01:20:49AM +0300, Eva Star wrote:
> 
> >> How VirtualBox tools work in this area? They do not show such
> >> behavior.
> > 
> > We have some partial work on better driver done, but unfortunately
> > it turned out to be much harder than we've expected. Mostly because
> > of really complex Windows GPU driver API and very sparse
> > documentation of it. It looks like a task requiring at least twice
> > bigger team than we have :(
> > 
> > 
> 
> Windows Tools Bugs:
> 
> * On XFCE it's not possible to somehow "unmaximize" WinHVM window
> (make it any size). When you resize it, then it becomes full-size
> automatically.

Strange. Does it happen only on XFCE?

> * https://i.imgur.com/XhD3huT.png it shows some unknown device.

This is virtualized disk (PV). We have specifically disabled the driver
for it, because of some bugs leading to data corruption... It would be
really nice to have it working, but it isn't there yet. And this bug
happens only on Qubes, making it harder to get help from upstream.

> Question:
> Xen support OpenGL for VMs.

No. There is a fork of Xen, called XenGT with some support multiplexing
GPU to the VMs. But it requires a lot of work to make it integrated into
Qubes (and do not compromise security at the same time). And secondly -
it's done only for Intel GPUs.

> Somewhere I read that it's disabled for
> security purposes. Can it be enabled for VM without network? It's very
> useful to have OpenGL, because it will give the ability to use some
> special software that requests it.

You are probably talking about GPU passthrough (giving a single VM
control over the whole GPU - assuming it isn't the only one in the
system). Yes, currently it requires running qemu in dom0, which we don't
want to. To solve this problem, first we need to fix this:
https://github.com/QubesOS/qubes-issues/issues/1659

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

-END PGP SIGNATURE-



Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

2016-07-05 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-07-05 08:03, Chris Laprise wrote:
> Is there an issue open for this yet?
> 
> Chris
> 

I didn't want to open one if I was the only one experiencing the
problem, but since it appears to be affecting others now, I've opened
an issue for it here:

https://github.com/QubesOS/qubes-issues/issues/2155

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: [qubes-users] Windows Tools - save some state

2016-07-05 Thread Eva Star
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


>> How VirtualBox tools work in this area? They do not show such
>> behavior.
> 
> We have some partial work on better driver done, but unfortunately
> it turned out to be much harder than we've expected. Mostly because
> of really complex Windows GPU driver API and very sparse
> documentation of it. It looks like a task requiring at least twice
> bigger team than we have :(
> 
> 

Windows Tools Bugs:

* On XFCE it's not possible to somehow "unmaximize" WinHVM window
(make it any size). When you resize it, then it becomes full-size
automatically.

* https://i.imgur.com/XhD3huT.png it shows some unknown device.


Question:
Xen support OpenGL for VMs. Somewhere I read that it's disabled for
security purposes. Can it be enabled for VM without network? It's very
useful to have OpenGL, because it will give the ability to use some
special software that requests it.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-



Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread jurisdan
On Tuesday, July 5, 2016 at 10:23:07 UTC-3, Niels Kobschätzki wrote:
> > On July 5, 2016 at 7:46 AM juris...@gmail.com wrote:
> > 
> 
> 
> 
> > 2) Qubes face 2 problems nowadays for engaging new users with real security.
> > 
> > a) Qubes is a system for HIGH END computers with lots of RAM. Usually if 
> > for people that has WINDOWS and GAMES also, a good GPU, and wont waste 
> > their machine on a UNIQUE linux system at least without dual boot.
> 
> Well…my high-end computer is a Thinkpad X201 (2010) with 8GBs of RAM. Qubes 
> runs well, even with close to a dozen of VMs at the same time and a couple of 
> tabs in Chrome. Even KDE5 works on my machine flawlessly (or not worse than 
> with KDE4 on Qubes 3.1).
> 
> Btw. when I want to play (which I obviously can only do with games that have 
> not a lot of requirements) I swap my harddisks and put in the HDD with Win10. 
> My threat-model does not include someone who attacks my Win10 to attack the 
> BIOS to attack me though.
> 
> 
> 
> > 
> > So, XEN is not good for that? consider passing to KVM.
> 
> Isn't the reason that Xen is used the small code-base in comparison to other 
> solutions to reduce the attack-vector(s)?
> 
> Niels

Niels, I agree, but have something to remember also. If we go to BIOS in AHCI 
and you turn off some hard disk, Qubes install will not see any disks, at least 
here. So I would have to open manually my case to change disks. And as you can 
see, most people here DO use Windows and DO use dual boot and DO play. One way 
or another. Would be so good if we could have Windows option totally inside a 
virtual cage, and also the GPU... We could still be Windows users, and still 
play, but just for certain activities. For work and serious ones, enjoy the 
isolation.



Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread jurisdan
On Tuesday, July 5, 2016 at 06:54:14 UTC-3, Andrew David Wong wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On 2016-07-04 22:46, juris...@gmail.com wrote:
> > 1) qubes is a system for security and isolation. But when you 
> > install, you have no encryption options.
> 
> Qubes uses full disk encryption by default:
> 
> https://www.qubes-os.org/doc/user-faq/#does-qubes-use-full-disk-encryption-fde
> 
> > distros thinks that if a user wants some strong crypto thing, they 
> > must research themselves and do all manually. We dont even find 
> > nothing about qubes encryption in docs. That is wrong.
> 
> I added this page to our docs a week ago:
> 
> https://www.qubes-os.org/doc/encryption-config/
> 
> > [...]
> > 
> > 5) i will use this post to state that tor behaves differently to 
> > connect in windows tor browser, or linux tor browser, compared to 
> > whonix, and i don't know why. Whonix gets always same speed, 250 to 
> > 500 Kbps, (not KBps) with speed of 30 to 60 kB/s of downloads, and 
> > in tor browser outside whonix, i get 500 to 1 Mb kB/s downloads. 
> > That's really strange and wasn't expected. I get this behavior for 
> > almost 2 years, and i don't have the expertise to know why. after 
> > some googling, i saw i am not the only one getting different 
> > special routes in tor using whonix.
> > 
> 
> This sounds like something that should be reported to the Tor project
> or Whonix.
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
> -BEGIN PGP SIGNATURE-
> 
> -END PGP SIGNATURE-

Thanks, Andrew. But still... I did not find which encryption is used by default 
in Qubes documentation. And people still have to do it manually. Plus, when I 
went to the advanced partitioning, there were lots of bugs. We need to be able 
to choose serpent, aes, cascade, iterations, etc. 



Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread jurisdan
On Tuesday, July 5, 2016 at 05:44:00 UTC-3, Marek Marczykowski-Górecki wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On Mon, Jul 04, 2016 at 10:46:52PM -0700, juris...@gmail.com wrote:
> > 1) qubes is a system for security and isolation. But when you install, you 
> > have no encryption options.
> 
> Full disk encryption is enabled in default installation option.
> 
> > 2) Qubes face 2 problems nowadays for engaging new users with real security.
> > 
> > a) Qubes is a system for HIGH END computers with lots of RAM. Usually if 
> > for people that has WINDOWS and GAMES also, a good GPU, and wont waste 
> > their machine on a UNIQUE linux system at least without dual boot. 
> > 
> > b) Nvidia spy on people, with their streaming @!^@^% they put in new gpus, 
> > network, etc, and people are suspicious amd too. But most consumers are 
> > from nvidia. nvidia now spy on hardware level. Does not matter the system 
> > security. 
> > 
> > The solution? REAL windows virtualization with GPU PASSTHROUGH. So, the high 
> > end computers can use windows for what they need and even play games. Plus, 
> > if you do use nvidia in dom-0, they WILL capture the screen on hardware 
> > level. Nouveau is not working right for a long time. Onboard or gpu 1 for 
> > dom-0 and nvidia or amd high end for windows VM. If the person doesnt have 
> > 2 monitors, it can change the vga adapter from 1 to other to use windows 
> > after starting the vm. that would be perfect.
> > 
> > So we give a finger to nvidia and the drivers problems they cause, and we 
> > isolate their spying inside windows vm, plus eliminating the need for a 
> > dual boot and for everyone not using their gaming gpus.
> 
> This was discussed many times, so search the archive for more detailed
> answer. In short: GPU will always be able to see the screen content -
> this is what GPU does. Having GPU passthrough done securely (for example
> without increasing dom0 attack surface by launching qemu there) is quite
> hard because GPUs use a lot of non standard tricks and hacks in addition
> to standard PCI operation.
> 
> Implementing this is on our roadmap, but it is hard and will take time.
> 
> > So, XEN is not good for that? consider passing to KVM.
> 
> This is exactly what would expose dom0 ("host") for huge attack
> surface from qemu...
> 
> > 3) Consider offering PFSENSE as optional firewall vm installed out of the 
> > box. It`s very hard and time consuming to do that inside qubes system 
> > without studying all, for managing internal ip structure etc. It is the 
> > most perfect firewall for use inside a VM, qubes is a system for VMs, and i 
> > did use it even inside windows in virtualbox. But i was in WINDOWS, and 
> > that means, no real security at all.
> 
> Feel free to send patches...
> 
> > I would like also to give 2 more suggestions for people to considerate, 
> > concerning whonix, since patrick is a developer here:
> > 
> > 4) People need a pop-up window to explain them to NEVER use an existing 
> > normal vm through the whonix proxy vm, just NEW ONES. Because they have 
> > already fingerprints, identifiers, browser behavior, browser plugins 
> > identification, application updates, specially in windows. If they connect 
> > that with once used real wan IP, game over for anonymity.
> 
> It depends on use case - you may want to use tor not only for anonymity,
> but also to just hide your traffic from just your local ISP (public wifi
> etc). In that case it's fine to use existing VMs.
> 
> But yes, for anonymity new VMs should be used. I think this is already
> covered in Whonix documentation.
> 
> > 5) i will use this post to state that tor behaves differently to connect in 
> > windows tor browser, or linux tor browser, compared to whonix, and i don't 
> > know why. Whonix gets always same speed, 250 to 500 Kbps, (not KBps) with 
> > speed of 30 to 60 kB/s of downloads, and in tor browser outside whonix, i 
> > get 500 to 1 Mb kB/s downloads. That's really strange and wasn't expected. I 
> > get this behavior for almost 2 years, and i don't have the expertise to know 
> > why. after some googling, i saw i am not the only one getting different 
> > special routes in tor using whonix.
> 
> Strange, I haven't noticed such effect.
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> -END PGP SIGNATURE-

Thanks! You are a v

Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread jurisdan
On Tuesday, July 5, 2016 at 05:38:30 UTC-3, Francesco wrote:
> On Tue, Jul 5, 2016 at 2:46 AM,   wrote:
> 1) qubes is a system for security and isolation. But when you install, you 
> have no encryption options.
> 
> distros thinks that if a user wants some strong crypto thing, they must 
> research themselves and do all manually. We don't even find nothing about 
> qubes encryption in docs. That is wrong. First thing we must do 
> out-of-the-box is to offer strong full disk encryption, like veracrypt ones, 
> with options, iterations, etc., and inform the user about that. Even tails 
> for just a live browser with storage capability does that. Even distros like 
> PARTED MAGIC for managing partitions now come with veracrypt installed as 
> default in live-cds. To me, Qubes is neglecting what the user wants to read 
> and do in encryption aspects.
> 
> 
> 
> I usually use mint strong encryption. But even that i must do manually. 
> Imagine ALL users trying to do this on their own. They wont. i use appendix A 
> configs from links below, much stronger.
> 
> 
> 
> https://community.linuxmint.com/tutorial/view/2026 (bios)
> 
> https://community.linuxmint.com/tutorial/view/2061 (uefi)
> 
> 
> 
> 2) Qubes face 2 problems nowadays for engaging new users with real security.
> 
> 
> 
> a) Qubes is a system for HIGH END computers with lots of RAM. Usually if for 
> people that has WINDOWS and GAMES also, a good GPU, and wont waste their 
> machine on a UNIQUE linux system at least without dual boot.
> 
> 
> 
> b) Nvidia spy on people, with their streaming @!^@^% they put in new gpus, 
> network, etc, and people are suspicious amd too. But most consumers are from 
> nvidia. nvidia now spy on hardware level. Does not matter the system security.
> 
> 
> 
> The solution? REAL windows virtualization with GPU PASSTHROUGH. So, the high 
> end computers can use windows for what they need and even play games. Plus, 
> if you do use nvidia in dom-0, they WILL capture the screen on hardware 
> level. Nouveau is not working right for a long time. Onboard or gpu 1 for 
> dom-0 and nvidia or amd high end for windows VM. If the person doesnt have 2 
> monitors, it can change the vga adapter from 1 to other to use windows after 
> starting the vm. that would be perfect.
> 
> 
> 
> So we give a finger to nvidia and the drivers problems they cause, and we 
> isolate their spying inside windows vm, plus eliminating the need for a dual 
> boot and for everyone not using their gaming gpus.
> 
> 
> 
> So, XEN is not good for that? consider passing to KVM.
> 
> 
> 
> - To create a real secure isolation OS, it's primal to ensure best disk 
> encryption available, with CHOICE for speed/security, eliminate the windows 
> host multi boot needs, and make good use and usability for windows and gpus. 
> You will reach that when you direct the efforts to adapting the system for 
> what the global user WANTS AND NEEDS, and not adapting the user to the system 
> that 1 person in 1 chair dream for its personal needs. Ubuntu did not follow 
> this lesson with their unity thing and they paid the price.
> 
> 
> 
> 
> 
> I fully agree with the idea of respecting user needs, but why do you think 
> gamers are really interested in strong security? Only because they spend 
> money for expensive computers?  It seems a poor motivation for me. Gamers may 
> just spend money to play games as fast as possible and with less problems as 
> possible and any virtualization system lowers the speed and creates problems 
> for its very nature. Specially using Windows. IMHO gaming and serious 
> security go in opposite directions because the users are different and there 
> is no point trying to unify that in a single machine, specially a laptop 
> which most Qubes users have. It is too difficult or impossible and Qubes 
> developers resources are limited.
> 
> 
> 3) Consider offering PFSENSE as optional firewall vm installed out of the 
> box. It`s very hard and time consuming to do that inside qubes system without 
> studying all, for managing internal ip structure etc. It is the most perfect 
> firewall for use inside a VM, qubes is a system for VMs, and i did use it 
> even inside windows in virtualbox. But i was in WINDOWS, and that means, no 
> real security at all.
> 
> 
> 
> I would like also to give 2 more suggestions for people to considerate, 
> concerning whonix, since patrick is a developer here:
> 
> 
> 
> 4) People need a pop-up window to explain them to NEVER use an existing 
> normal vm through the whonix proxy vm, just NEW ONES. Because they have 
> already fingerprints, identifiers, browser behavior, browser plugins 
> identification, application updates, specially in windows. If they connect 
> that with once used real wan IP, game over for anonymity.
> 
> 
> 
> 5) i will use this post to state that tor behaves differently to connect in 
> windows tor browser, or linux tor browser, compared to whonix, and i don't 
> know why. Whonix gets alw

Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread gaikokujinkyofusho
On Tuesday, July 5, 2016 at 2:53:22 PM UTC-4, gaikokuji...@gmail.com wrote:
> On Tuesday, July 5, 2016 at 2:14:39 PM UTC+4:30, Marek Marczykowski-Górecki 
> wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > 
> > On Tue, Jul 05, 2016 at 12:52:18PM -0400, Chris Laprise wrote:
> > > On 07/05/2016 11:03 AM, gaikokujinkyofu...@gmail.com wrote:
> > > > On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:
> > > > > On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> > > > > > On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> > > > > > > On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> > > > > > > > No worries, honestly I should have thought of the sudo myself.
> > > > > > > > 
> > > > > > > > Well, running it with sudo and it went swimmingly, it connected 
> > > > > > > > so that is good, another hurdle cleared.
> > > > > > > > 
> > > > > > > > I am now back to one of your earlier posts in this thread, 
> > > > > > > > regarding the qubes-firewall-user-script.
> > > > > > > > 
> > > > > > > > I have to admit that I am not totally clear on needing to run 
> > > > > > > > the groupadd (it seems to be run in the firewall script?) but I 
> > > > > > > > > ran it (and it shows up in /etc/group so I guess that's good?) 
> > > > > > > > but then on the next line:
> > > > > > > > 
> > > > > > > > sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> > > > > > > > openvpn-client.ovpn
> > > > > > > > 
> > > > > > > > I get an error saying:
> > > > > > > > Options error: In [CMD-LINE]:1: Error opening configuration 
> > > > > > > > file:openvn-client.ovpn
> > > > > > > > 
> > > > > > > > I don't understand groups and ids very well so am not sure 
> > > > > > > > > where the breakdown is here, perhaps I need to set something 
> > > > > > > > regarding the openvpn-client.ovpn file?
> > > > > > > Error message indicates that the filename has a typo:
> > > > > > > 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> > > > > > > 
> > > > > > > File ids will be OK if you created them with sudo. Running 
> > > > > > > groupadd
> > > > > > > multiple times with 'f' option is fine, too.
> > > > > > > 
> > > > > > > Chris
> > > > > > Thanks Chris & Eva.
> > > > > > 
> > > > > > I rechecked what I typed (I was typing from one computer the error 
> > > > > > from another computer that time, logged in on the same comp so am 
> > > > > > c/p outputs now) and I actually had typed it correctly.
> > > > > > 
> > > > > > I also tried adding the full paths to the openvpn-client.ovpn files 
> > > > > > as suggested (though I added ca.crt and crl.pem instead of ca.key 
> > > > > > and crl.key, assuming thats ok?). As for my openvpn.config 
> > > > > > (openvpn-client.ovpn right?) being stored in the wrong place, I 
> > > > > > have it in /rw/config/openvpn/ should it be somewhere else?
> > > > > > 
> > > > > > Regardless, after doublechecking what I typed, and adding the full 
> > > > > > path in as suggested the below is what I got, this time a c/p :p
> > > > > > 
> > > > > > [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> > > > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > > > Options error: In [CMD-LINE]:1: Error opening configuration file: 
> > > > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > > > Use --help for more information.
> > > > > > [user@VPN openvpn]$
> > > > > > 
> > > > > > thoughts?
> > > > > > 
> > > > > I have seen SELinux restrictions cause this error. But that shouldn't 
> > > > > be
> > > > > a concern if you're using a regular fedora 23 or debian 8 template. 
> > > > > Did
> > > > > you enable SELinux or Apparmor?
> > > > > 
> > > > > http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file
> > > > > 
> > > > > Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?
> > > > > 
> > > > > Chris
> > > > I am vaguely familiar with SELinux and AppArmor (hardening?) but I have 
> > > > not enabled it, at least not intentionally (not tinkered with anything 
> > > > related to it either). But as for output, absolutely! here it is:
> > > > 
> > > > [user@VPN openvpn]$ ls -lZ /rw/config/openvpn
> > > > total 16
> > > > -rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
> > > > -rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
> > > > -rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
> > > > -rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
> > > > [user@VPN openvpn]$
> > > 
> > > That shows the problem, I think. Change the ownership of the ovpn file to
> > > root...
> > > sudo chown root:root /rw/config/openvpn/openvpn-client.opvn
> > 
> > It shouldn't be a problem, as anyone can read the file anyway. And in
> > the above cmdline, openvpn is running as root, so just another hint it isn't
> > a permissions problem.
> > 
> > It's a typo in file name:
> > /rw/config/openvpn/openvpn-client.ovpn
> > /rw/config/openvpn/openvpn-client.opvn

Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread gaikokujinkyofusho
On Tuesday, July 5, 2016 at 2:14:39 PM UTC+4:30, Marek Marczykowski-Górecki 
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On Tue, Jul 05, 2016 at 12:52:18PM -0400, Chris Laprise wrote:
> > On 07/05/2016 11:03 AM, gaikokujinkyofu...@gmail.com wrote:
> > > On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:
> > > > On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> > > > > On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> > > > > > On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> > > > > > > No worries, honestly I should have thought of the sudo myself.
> > > > > > > 
> > > > > > > Well, running it with sudo and it went swimmingly, it connected 
> > > > > > > so that is good, another hurdle cleared.
> > > > > > > 
> > > > > > > I am now back to one of your earlier posts in this thread, 
> > > > > > > regarding the qubes-firewall-user-script.
> > > > > > > 
> > > > > > > I have to admit that I am not totally clear on needing to run the 
> > > > > > > groupadd (it seems to be run in the firewall script?) but I ran 
> > > > > > > it (and it shows up in /etc/group so I guess thats good?) but 
> > > > > > > then on the next line:
> > > > > > > 
> > > > > > > sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> > > > > > > openvpn-client.ovpn
> > > > > > > 
> > > > > > > I get an error saying:
> > > > > > > Options error: In [CMD-LINE]:1: Error opening configuration 
> > > > > > > file:openvn-client.ovpn
> > > > > > > 
> > > > > > > I don't understand groups and ids very well so am not sure where 
> > > > > > > there breakdown is here, perhaps I need to set something 
> > > > > > > regarding the openvpn-client.ovpn file?
> > > > > > Error message indicates that the filename has a typo:
> > > > > > 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> > > > > > 
> > > > > > File ids will be OK if you created them with sudo. Running groupadd
> > > > > > multiple times with 'f' option is fine, too.
> > > > > > 
> > > > > > Chris
> > > > > Thanks Chris & Eva.
> > > > > 
> > > > > I rechecked what I typed (I was typing from one computer the error 
> > > > > from another computer that time, logged in on the same comp so am c/p 
> > > > > outputs now) and I actually had typed it correctly.
> > > > > 
> > > > > I also tried adding the full paths to the openvpn-client.ovpn files 
> > > > > as suggested (though I added ca.crt and crl.pem instead of ca.key and 
> > > > > crl.key, assuming thats ok?). As for my openvpn.config 
> > > > > (openvpn-client.ovpn right?) being stored in the wrong place, I have 
> > > > > it in /rw/config/openvpn/ should it be somewhere else?
> > > > > 
> > > > > Regardless, after doublechecking what I typed, and adding the full 
> > > > > path in as suggested the below is what I got, this time a c/p :p
> > > > > 
> > > > > [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> > > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > > Options error: In [CMD-LINE]:1: Error opening configuration file: 
> > > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > > Use --help for more information.
> > > > > [user@VPN openvpn]$
> > > > > 
> > > > > thoughts?
> > > > > 
> > > > I have seen SELinux restrictions cause this error. But that shouldn't be
> > > > a concern if you're using a regular fedora 23 or debian 8 template. Did
> > > > you enable SELinux or Apparmor?
> > > > 
> > > > http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file
> > > > 
> > > > Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?
> > > > 
> > > > Chris
> > > I am vaguely familiar with SELinux and AppArmor (hardening?) but I have 
> > > not enabled it, at least not intentionally (not tinkered with anything 
> > > related to it either). But as for output, absolutely! Here it is:
> > > 
> > > [user@VPN openvpn]$ ls -lZ /rw/config/openvpn
> > > total 16
> > > -rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
> > > -rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
> > > -rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
> > > -rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
> > > [user@VPN openvpn]$
> > 
> > That shows the problem, I think. Change the ownership of the ovpn file to
> > root...
> > sudo chown root:root /rw/config/openvpn/openvpn-client.opvn
> 
> It shouldn't be a problem, as anyone can read the file anyway. And in
> the above cmdline, openvpn is running as root, so just another hint it isn't
> a permissions problem.
> 
> It's a typo in file name:
> /rw/config/openvpn/openvpn-client.ovpn
> /rw/config/openvpn/openvpn-client.opvn
>                                    ^^
> 
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

Re: [qubes-users] Windows Tools - save some state

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Jul 05, 2016 at 06:41:37AM -0700, Eva Star wrote:
> Is it possible to make a full "screenshot" of some Windows state (memory & 
> filesystem)? Then use this state when the user wants to load WindowsOS: only load 
> the memory file to VM virtual memory instead of going through the WindowsOS loading 
> process each time? If yes, maybe it's a good idea to give the user the ability to 
> load HVMs fast from/to some state that users want? Perhaps it is also faster 
> than the regular Windows load process.

Currently it isn't possible. And probably will not be in the near
future...

> Why do I always see some WindowsOS background (part of the wallpaper) when I 
> quickly move a window when the WinVM is in Seamless mode? Qubes Tools only remove the 
> unnecessary portion of the screen? 

Something like this.

> How do VirtualBox tools work in this area? They do not show such behavior. 

We have some partial work on better driver done, but unfortunately it
turned out to be much harder than we've expected. Mostly because of
really complex Windows GPU driver API and very sparse documentation of
it. It looks like a task requiring at least twice bigger team than we
have :(

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Eva Star
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

https://i.imgur.com/VkgnMc0.png
Save dialog


Re: [qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Jul 05, 2016 at 09:19:28PM +0300, Eva Star wrote:
> 
> > Why use a separate filename? I think you can operate on the original
> > image - if you do make some modifications - that's ok, but if you don't,
> > the file will be unchanged.
> Unfortunately, because the IM display tool GUI interface is very ugly
> and it wants to get direction from the user on the "Save" command.
> Save works like "Save As", but it also does not show the name of
> the already opened file. The user must choose the name from the full list or type
> the name. This solution shows the name of the temp file at the top of
> all others, because the file starts with "-" and it's very simple
> to click on it and confirm overwrite. Then Quit from the GUI to continue.

Ah, I see.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Jul 04, 2016 at 10:26:51AM -0400, Chris Laprise wrote:
> If I replace the kernel with 4.1 from R3.1, it can make it to the AEM target
> and the decrypt prompt. It chokes just after decrypting the volumes, but
> that's to be expected. The 4.4 kernel appears to introduce some factor that
> causes the crash.

Interesting, have you tried 4.2 kernel from R3.1 unstable repository?
Do you have any means of collecting kernel/xen messages? I guess you've
already disabled "quiet" kernel option and also removed "console=none"
from xen cmdline.
If this doesn't help, try adding "noreboot" and "sync_console" to xen cmdline. 

If you have a serial console (on a docking station?) it would be easier to
reliably get log messages.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Eva Star
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


> Why use a separate filename? I think you can operate on the original
> image - if you do make some modifications - that's ok, but if you don't,
> the file will be unchanged.
Unfortunately, because the IM display tool GUI interface is very ugly
and it wants to get direction from the user on the "Save" command.
Save works like "Save As", but it also does not show the name of
the already opened file. The user must choose the name from the full list or type
the name. This solution shows the name of the temp file at the top of
all others, because the file starts with "-" and it's very simple
to click on it and confirm overwrite. Then Quit from the GUI to continue.

- -- 
Regards


Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Jul 05, 2016 at 11:03:10AM -0400, Chris Laprise wrote:
> Is there an issue open for this yet?

I don't see any.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Jul 05, 2016 at 12:52:18PM -0400, Chris Laprise wrote:
> On 07/05/2016 11:03 AM, gaikokujinkyofu...@gmail.com wrote:
> > On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:
> > > On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> > > > On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> > > > > On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> > > > > > No worries, honestly I should have thought of the sudo myself.
> > > > > > 
> > > > > > Well, running it with sudo and it went swimmingly, it connected so 
> > > > > > that is good, another hurdle cleared.
> > > > > > 
> > > > > > I am now back to one of your earlier posts in this thread, 
> > > > > > regarding the qubes-firewall-user-script.
> > > > > > 
> > > > > > I have to admit that I am not totally clear on needing to run the 
> > > > > > groupadd (it seems to be run in the firewall script?) but I ran it 
> > > > > > (and it shows up in /etc/group so I guess thats good?) but then on 
> > > > > > the next line:
> > > > > > 
> > > > > > sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> > > > > > openvpn-client.ovpn
> > > > > > 
> > > > > > I get an error saying:
> > > > > > Options error: In [CMD-LINE]:1: Error opening configuration 
> > > > > > file:openvn-client.ovpn
> > > > > > 
> > > > > > I don't understand groups and ids very well so am not sure where 
> > > > > > there breakdown is here, perhaps I need to set something regarding 
> > > > > > the openvpn-client.ovpn file?
> > > > > Error message indicates that the filename has a typo:
> > > > > 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> > > > > 
> > > > > File ids will be OK if you created them with sudo. Running groupadd
> > > > > multiple times with 'f' option is fine, too.
> > > > > 
> > > > > Chris
> > > > Thanks Chris & Eva.
> > > > 
> > > > I rechecked what I typed (I was typing from one computer the error from 
> > > > another computer that time, logged in on the same comp so am c/p 
> > > > outputs now) and I actually had typed it correctly.
> > > > 
> > > > I also tried adding the full paths to the openvpn-client.ovpn files as 
> > > > suggested (though I added ca.crt and crl.pem instead of ca.key and 
> > > > crl.key, assuming thats ok?). As for my openvpn.config 
> > > > (openvpn-client.ovpn right?) being stored in the wrong place, I have it 
> > > > in /rw/config/openvpn/ should it be somewhere else?
> > > > 
> > > > Regardless, after doublechecking what I typed, and adding the full path 
> > > > in as suggested the below is what I got, this time a c/p :p
> > > > 
> > > > [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > Options error: In [CMD-LINE]:1: Error opening configuration file: 
> > > > /rw/config/openvpn/openvpn-client.ovpn
> > > > Use --help for more information.
> > > > [user@VPN openvpn]$
> > > > 
> > > > thoughts?
> > > > 
> > > I have seen SELinux restrictions cause this error. But that shouldn't be
> > > a concern if you're using a regular fedora 23 or debian 8 template. Did
> > > you enable SELinux or Apparmor?
> > > 
> > > http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file
> > > 
> > > Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?
> > > 
> > > Chris
> > I am vaguely familiar with SELinux and AppArmor (hardening?) but I have not 
> > enabled it, at least not intentionally (not tinkered with anything related 
> > to it either). But as for output, absolutely! Here it is:
> > 
> > [user@VPN openvpn]$ ls -lZ /rw/config/openvpn
> > total 16
> > -rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
> > -rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
> > -rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
> > -rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
> > [user@VPN openvpn]$
> 
> That shows the problem, I think. Change the ownership of the ovpn file to
> root...
> sudo chown root:root /rw/config/openvpn/openvpn-client.opvn

It shouldn't be a problem, as anyone can read the file anyway. And in
the above cmdline, openvpn is running as root, so just another hint it isn't
a permissions problem.

It's a typo in file name:
/rw/config/openvpn/openvpn-client.ovpn
/rw/config/openvpn/openvpn-client.opvn
                                   ^^


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
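
Added example, not part of the original messages: the check below separates the two causes discussed in this thread for "Error opening configuration file", a name that does not exist on disk (with the closest existing name suggested) versus a file that exists but cannot be read. The function names are hypothetical and the sample directory is constructed from the file names in the listing above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and the
# sample directory is constructed to mirror the listing quoted in the thread.

# osa_distance A B: edit distance in which swapping two adjacent characters
# ("vp" -> "pv") counts as one edit, like insert, delete and substitute.
osa_distance() {
    OSA_A=$1 OSA_B=$2 awk 'BEGIN {
        a = ENVIRON["OSA_A"]; b = ENVIRON["OSA_B"]
        la = length(a); lb = length(b)
        for (i = 0; i <= la; i++) d[i, 0] = i
        for (j = 0; j <= lb; j++) d[0, j] = j
        for (i = 1; i <= la; i++) {
            for (j = 1; j <= lb; j++) {
                ca = substr(a, i, 1); cb = substr(b, j, 1)
                m = d[i-1, j] + 1                           # deletion
                if (d[i, j-1] + 1 < m) m = d[i, j-1] + 1    # insertion
                sub_cost = d[i-1, j-1] + (ca == cb ? 0 : 1)
                if (sub_cost < m) m = sub_cost              # substitution or match
                if (i > 1 && j > 1 && ca == substr(b, j-1, 1) && cb == substr(a, i-1, 1)) {
                    if (d[i-2, j-2] + 1 < m) m = d[i-2, j-2] + 1   # adjacent swap
                }
                d[i, j] = m
            }
        }
        print d[la, lb]
    }'
}

# closest_name DIR NAME: print the entry of DIR within two edits of NAME, if any.
closest_name() {
    cn_best=; cn_best_d=3
    for cn_entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$cn_entry" ] || continue
        cn_d=$(osa_distance "$2" "${cn_entry##*/}")
        if [ "$cn_d" -lt "$cn_best_d" ]; then
            cn_best=${cn_entry##*/}; cn_best_d=$cn_d
        fi
    done
    if [ -n "$cn_best" ]; then printf '%s\n' "$cn_best"; fi
}

# diagnose_config PATH: classify why opening PATH would fail.
diagnose_config() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        printf 'ok: %s\n' "$1"; return 0
    fi
    if [ -e "$1" ]; then
        # Present but not a readable regular file: only now are ownership,
        # mode or an SELinux/AppArmor denial worth checking (ls -lZ).
        printf 'unreadable: %s\n' "$1"; return 0
    fi
    # Not present at all: split into directory and name, look for a near miss.
    case $1 in
        */*) dc_dir=${1%/*}; dc_name=${1##*/} ;;
        *)   dc_dir=.;       dc_name=$1 ;;
    esac
    [ -n "$dc_dir" ] || dc_dir=/
    dc_near=$(closest_name "$dc_dir" "$dc_name")
    if [ -n "$dc_near" ]; then
        printf 'missing: %s (closest name in directory: %s)\n' "$1" "$dc_near"
    else
        printf 'missing: %s\n' "$1"
    fi
}

# Constructed sample: the four file names from the listing, as empty files.
make_sample_dir() {
    sd=$(mktemp -d) || return 1
    for sf in ca.crt crl.pem openvpn-client.opvn qubes-vpn-handler.sh; do
        : > "$sd/$sf"
    done
    printf '%s\n' "$sd"
}

demo_dir=$(make_sample_dir)
diagnose_config "$demo_dir/openvpn-client.ovpn"   # the name given to --config
diagnose_config "$demo_dir/openvpn-client.opvn"   # the name actually on disk
rm -rf "$demo_dir"
```

Because root can read any file regardless of mode, the "unreadable" branch only triggers for non-root callers or for something that is not a regular file.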

Re: [qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Jul 04, 2016 at 07:44:25PM +0300, Eva Star wrote:
> Great improvement!
> 
> Now the qvm-screenshot-tool support editing of screenshots before
> uploading them to AppVM or Imgurl !
> 
> You can draw lines, annotate text, additionally crop images, add
> filters, hide some unwanted areas, composite images, draw lines and much
> more!

Nice!

> Please, read documentation how to use editor tool, before use it.
> 
> As you do not like to read. I can say that before exiting from the
> editor you must save your screenshot to predefined slot at
> -SAVE-EDITED-SHOT-HERE-TO-PROCESS.png
>  And if you do so, then new edited image will be uploaded.

Why use a separate filename? I think you can operate on the original image -
if you do make some modifications - that's ok, but if you don't, the file
will be unchanged.

> https://github.com/evadogstar/qvm-screenshot-tool/
> 
> Enjoy!
> 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Jul 05, 2016 at 07:55:36PM +0300, Eva Star wrote:
> On 07/05/2016 07:51 PM, Adrian Rocha wrote:
> 
> >> is it a portable way to get the PICTURES directory on other unix based
> >> systems?
> > 
> > xdg-user-dir is a freedesktop.org tool. As far as I know, it works on
> > Linux, Solaris and BSD. In the case of dom0, it is a Fedora Linux, so
> > we don't have any problem here. The issue can be with the VMs that
> > don't have this command. We have to think of another way for
> > these cases.
> > 
> 
> It's a question for the Qubes Team: will xdg-user-dir be available in dom0
> or not?
> But do not worry, I've already fixed this. If no tool is
> available, we will continue with the default ~/Pictures directory.

Yes, it is and will be available.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Eva Star
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 07/05/2016 07:51 PM, Adrian Rocha wrote:

>> is it a portable way to get the PICTURES directory on other unix based
>> systems?
> 
> xdg-user-dir is a freedesktop.org tool. As far as I know, it works on
> Linux, Solaris and BSD. In the case of dom0, it is a Fedora Linux, so
> we don't have any problem here. The issue can be with the VMs that
> don't have this command. We have to think of another way for
> these cases.
> 

It's a question for the Qubes Team: will xdg-user-dir be available in dom0
or not?
But do not worry, I've already fixed this. If no tool is
available, we will continue with the default ~/Pictures directory.


- -- 
Regards


Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread Chris Laprise

On 07/05/2016 11:03 AM, gaikokujinkyofu...@gmail.com wrote:

On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:

On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:

On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:

On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:

No worries, honestly I should have thought of the sudo myself.

Well, running it with sudo and it went swimmingly, it connected so that is 
good, another hurdle cleared.

I am now back to one of your earlier posts in this thread, regarding the 
qubes-firewall-user-script.

I have to admit that I am not totally clear on needing to run the groupadd (it 
seems to be run in the firewall script?) but I ran it (and it shows up in 
/etc/group so I guess thats good?) but then on the next line:

sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn

I get an error saying:
Options error: In [CMD-LINE]:1: Error opening configuration 
file:openvn-client.ovpn

I don't understand groups and ids very well so am not sure where there 
breakdown is here, perhaps I need to set something regarding the 
openvpn-client.ovpn file?

Error message indicates that the filename has a typo:
'openvn-client.ovpn' should be 'openvpn-client.ovpn'.

File ids will be OK if you created them with sudo. Running groupadd
multiple times with 'f' option is fine, too.

Chris

Thanks Chris & Eva.

I rechecked what I typed (I was typing from one computer the error from another 
computer that time, logged in on the same comp so am c/p outputs now) and I 
actually had typed it correctly.

I also tried adding the full paths to the openvpn-client.ovpn files as 
suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, 
assuming thats ok?). As for my openvpn.config (openvpn-client.ovpn right?) 
being stored in the wrong place, I have it in /rw/config/openvpn/ should it be 
somewhere else?

Regardless, after doublechecking what I typed, and adding the full path in as 
suggested the below is what I got, this time a c/p :p

[user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
/rw/config/openvpn/openvpn-client.ovpn
Options error: In [CMD-LINE]:1: Error opening configuration file: 
/rw/config/openvpn/openvpn-client.ovpn
Use --help for more information.
[user@VPN openvpn]$

thoughts?


I have seen SELinux restrictions cause this error. But that shouldn't be
a concern if you're using a regular fedora 23 or debian 8 template. Did
you enable SELinux or Apparmor?

http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file

Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?

Chris

I am vaguely familiar with SELinux and AppArmor (hardening?) but I have not 
enabled it, at least not intentionally (not tinkered with anything related to 
it either). But as for output, absolutely! Here it is:

[user@VPN openvpn]$ ls -lZ /rw/config/openvpn
total 16
-rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
-rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
-rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
-rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
[user@VPN openvpn]$


That shows the problem, I think. Change the ownership of the ovpn file 
to root...

sudo chown root:root /rw/config/openvpn/openvpn-client.opvn

Chris



Re: [qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Adrian Rocha
On Tuesday, July 5, 2016, 5:39:13 (UTC-6), Eva Star wrote:
> > (Instead of "qubed-dom0-update is "qubes-dom0-update")
> 
> thank you
> 
> > As I understand, in some versions of bash, the "\n" doesn't work as 
> > expected. So, I propose to replace "echo" with "printf". You just have to add 
> > a "\n" at the end.
> 
> thanks. I will fix it.
> 
> > 2) I have dom0 in Spanish. So, my Pictures folder is /home/user/Imágenes/ 
> > instead of /home/user/Pictures/. But when I run the script, it is saving 
> > the pictures in "/home/user/Pictures/" instead of ".../Imágenes"
> > To obtain the correct directory to save the file you can use this command:
> > xdg-user-dir PICTURES
> > /home/user/Imágenes
> > 
> 
> is it a portable way to get the PICTURES directory on other unix based systems?

xdg-user-dir is a freedesktop.org tool. As far as I know, it works on Linux, Solaris 
and BSD. In the case of dom0, it is a Fedora Linux, so we don't have any problem 
here. The issue can be with the VMs that don't have this command. We have 
to think of another way for these cases.



[qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Eva Star
https://github.com/evadogstar/qvm-screenshot-tool/
New version available, fixed the issue with a different "pictures" directory
name on some languages/systems.
Now Qubes Screenshot Tool will check the dom0 "pictures" directory name and
the destination VM pictures directory name before uploading the image into it.



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread gaikokujinkyofusho
On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote:
> On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> > On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> >> On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> >>> No worries, honestly I should have thought of the sudo myself.
> >>>
> >>> Well, running it with sudo and it went swimmingly, it connected so that 
> >>> is good, another hurdle cleared.
> >>>
> >>> I am now back to one of your earlier posts in this thread, regarding the 
> >>> qubes-firewall-user-script.
> >>>
> >>> I have to admit that I am not totally clear on needing to run the 
> >>> groupadd (it seems to be run in the firewall script?) but I ran it (and 
> >>> it shows up in /etc/group so I guess thats good?) but then on the next 
> >>> line:
> >>>
> >>> sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> >>> openvpn-client.ovpn
> >>>
> >>> I get an error saying:
> >>> Options error: In [CMD-LINE]:1: Error opening configuration 
> >>> file:openvn-client.ovpn
> >>>
> >>> I don't understand groups and ids very well so am not sure where there 
> >>> breakdown is here, perhaps I need to set something regarding the 
> >>> openvpn-client.ovpn file?
> >> Error message indicates that the filename has a typo:
> >> 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> >>
> >> File ids will be OK if you created them with sudo. Running groupadd
> >> multiple times with 'f' option is fine, too.
> >>
> >> Chris
> > Thanks Chris & Eva.
> >
> > I rechecked what I typed (I was typing from one computer the error from 
> > another computer that time, logged in on the same comp so am c/p outputs 
> > now) and I actually had typed it correctly.
> >
> > I also tried adding the full paths to the openvpn-client.ovpn files as 
> > suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, 
> > assuming thats ok?). As for my openvpn.config (openvpn-client.ovpn right?) 
> > being stored in the wrong place, I have it in /rw/config/openvpn/ should it 
> > be somewhere else?
> >
> > Regardless, after doublechecking what I typed, and adding the full path in 
> > as suggested the below is what I got, this time a c/p :p
> >
> > [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> > /rw/config/openvpn/openvpn-client.ovpn
> > Options error: In [CMD-LINE]:1: Error opening configuration file: 
> > /rw/config/openvpn/openvpn-client.ovpn
> > Use --help for more information.
> > [user@VPN openvpn]$
> >
> > thoughts?
> >
> 
> I have seen SELinux restrictions cause this error. But that shouldn't be 
> a concern if you're using a regular fedora 23 or debian 8 template. Did 
> you enable SELinux or Apparmor?
> 
> http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file
> 
> Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?
> 
> Chris

I am vaguely familiar with SELinux and AppArmor (hardening?) but I have not 
enabled it, at least not intentionally (not tinkered with anything related to 
it either). But as for output, absolutely! Here it is:

[user@VPN openvpn]$ ls -lZ /rw/config/openvpn
total 16
-rw-r--r-- 1 root root ? 1395 Jul  4 17:56 ca.crt
-rw-r--r-- 1 root root ?  577 Jul  4 17:56 crl.pem
-rw-r--r-- 1 user user ?  375 Jul  5 09:58 openvpn-client.opvn
-rwxr-xr-x 1 root root ? 1088 Jul  3 20:45 qubes-vpn-handler.sh
[user@VPN openvpn]$ 



Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

2016-07-05 Thread Chris Laprise

Is there an issue open for this yet?

Chris



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread Chris Laprise

On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote:
> On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
>> On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
>>> No worries, honestly I should have thought of the sudo myself.
>>>
>>> Well, running it with sudo and it went swimmingly, it connected so that is 
>>> good, another hurdle cleared.
>>>
>>> I am now back to one of your earlier posts in this thread, regarding the 
>>> qubes-firewall-user-script.
>>>
>>> I have to admit that I am not totally clear on needing to run the groupadd 
>>> (it seems to be run in the firewall script?) but I ran it (and it shows up 
>>> in /etc/group so I guess thats good?) but then on the next line:
>>>
>>> sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
>>>
>>> I get an error saying:
>>> Options error: In [CMD-LINE]:1: Error opening configuration 
>>> file:openvn-client.ovpn
>>>
>>> I don't understand groups and ids very well so am not sure where there 
>>> breakdown is here, perhaps I need to set something regarding the 
>>> openvpn-client.ovpn file?
>>
>> Error message indicates that the filename has a typo:
>> 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
>>
>> File ids will be OK if you created them with sudo. Running groupadd
>> multiple times with 'f' option is fine, too.
>>
>> Chris
>
> Thanks Chris & Eva.
>
> I rechecked what I typed (I was typing from one computer the error from 
> another computer that time, logged in on the same comp so am c/p outputs 
> now) and I actually had typed it correctly.
>
> I also tried adding the full paths to the openvpn-client.ovpn files as 
> suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, 
> assuming thats ok?). As for my openvpn.config (openvpn-client.ovpn right?) 
> being stored in the wrong place, I have it in /rw/config/openvpn/ should it 
> be somewhere else?
>
> Regardless, after doublechecking what I typed, and adding the full path in 
> as suggested the below is what I got, this time a c/p :p
>
> [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
> /rw/config/openvpn/openvpn-client.ovpn
> Options error: In [CMD-LINE]:1: Error opening configuration file: 
> /rw/config/openvpn/openvpn-client.ovpn
> Use --help for more information.
> [user@VPN openvpn]$
>
> thoughts?

I have seen SELinux restrictions cause this error. But that shouldn't be 
a concern if you're using a regular fedora 23 or debian 8 template. Did 
you enable SELinux or Apparmor?

http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file

Can you do 'ls -lZ /rw/config/openvpn' and paste the output here?

Chris



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread gaikokujinkyofusho
On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote:
> On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:
> >
> > No worries, honestly I should have thought of the sudo myself.
> >
> > Well, running it with sudo and it went swimmingly, it connected so that is 
> > good, another hurdle cleared.
> >
> > I am now back to one of your earlier posts in this thread, regarding the 
> > qubes-firewall-user-script.
> >
> > I have to admit that I am not totally clear on needing to run the groupadd 
> > (it seems to be run in the firewall script?) but I ran it (and it shows up 
> > in /etc/group so I guess thats good?) but then on the next line:
> >
> > sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config 
> > openvpn-client.ovpn
> >
> > I get an error saying:
> > Options error: In [CMD-LINE]:1: Error opening configuration 
> > file:openvn-client.ovpn
> >
> > I don't understand groups and ids very well so am not sure where there 
> > breakdown is here, perhaps I need to set something regarding the 
> > openvpn-client.ovpn file?
> 
> Error message indicates that the filename has a typo: 
> 'openvn-client.ovpn' should be 'openvpn-client.ovpn'.
> 
> File ids will be OK if you created them with sudo. Running groupadd 
> multiple times with 'f' option is fine, too.
> 
> Chris

Thanks Chris & Eva.

I rechecked what I typed (I was typing from one computer the error from another 
computer that time, logged in on the same comp so am c/p outputs now) and I 
actually had typed it correctly. 

I also tried adding the full paths to the openvpn-client.ovpn files as 
suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, 
assuming that's ok?). As for my openvpn.config (openvpn-client.ovpn right?) 
being stored in the wrong place, I have it in /rw/config/openvpn/ should it be 
somewhere else?

Regardless, after double-checking what I typed, and adding the full path in as 
suggested the below is what I got, this time a c/p :p

[user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config 
/rw/config/openvpn/openvpn-client.ovpn
Options error: In [CMD-LINE]:1: Error opening configuration file: 
/rw/config/openvpn/openvpn-client.ovpn
Use --help for more information.
[user@VPN openvpn]$

thoughts?



[qubes-users] Re: how to run Windows quest vm in Qubes on hw without required features (vt-d)?

2016-07-05 Thread grzegorz . chodzicki
On Tuesday, 5 July 2016 10:46:02 UTC+2, thinkpad user wrote:
> more specific - Lenovo Y580 is listed in hcl as having no proper hw 
> features.(vt-d)
> 
> what for?
> 1) using Qubes instead of non-hypervisor based OS is more safer, even without 
> features like hardware virtualization. .
> 2) using hypervisor is more convenient than using virtualization soft like 
> VirtualBox

It's possible to run Windows-based qube without VT-d. Please keep in mind 
though that it will not be possible to attach external devices to that qube.



[qubes-users] Windows Tools - save some state

2016-07-05 Thread Eva Star
Is it possible to make a full "screenshot" of some Windows state (memory & 
filesystem)? Then use this state when the user wants to load Windows OS: only 
load the memory file into VM virtual memory instead of going through the 
Windows OS loading process each time? If yes, maybe it's a good idea to give 
the user the ability to load HVMs fast from/to some state that users want? 
Perhaps it is also faster than the regular Windows load process.

Why do I always see some Windows OS background (part of the wallpaper) when I 
quickly move a window when the WinVM is in Seamless mode? Do Qubes Tools only 
remove the unnecessary portion of the screen? How do VirtualBox tools work in 
this area? They do not show such behavior.



Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread niels

> On July 5, 2016 at 7:46 AM juris...@gmail.com wrote:
> 



> 2) Qubes face 2 problems nowadays for engaging new users with real security.
> 
> a) Qubes is a system for HIGH END computers with lots of RAM. Usually if for 
> people that has WINDOWS and GAMES also, a good GPU, and wont waste their 
> machine on a UNIQUE linux system at least without dual boot.

Well…my high-end computer is a Thinkpad X201 (2010) with 8GBs of RAM. Qubes 
runs well, even with close to a dozen of VMs at the same time and a couple of 
tabs in Chrome. Even KDE5 works on my machine flawlessly (or not worse than 
with KDE4 on Qubes 3.1).

Btw. when I want to play (which I obviously can only do with games that have 
not a lot of requirements) I swap my harddisks and put in the HDD with Win10. 
My threat-model does not include someone who attacks my Win10 to attack the 
BIOS to attack me though.



> 
> So, XEN is not good for that? consider passing to KVM.

Isn't the reason that Xen is used the small code-base in comparison to other 
solutions to reduce the attack-vector(s)?

Niels



Re: [qubes-users] newbie question about port forwarding and remote connection

2016-07-05 Thread Nicola Schwendener

> > and I've to use photoshop and lightroom (which I've purchased). do they run 
> > in a HVM environment?
> 
> I have not tried to install these applications into windows HVM. I guess that 
> they will run, but with strange usability speed. Because there is no GPU for 
> Photoshop&Lightroom to draw images on Windows HVM. As I know you can 
> pass-through your secondary GPU to Windows and this will work fine, but I do 
> not have secondary GPU and display to test it

You mean I've to install a separated graphic card? well I could try.. then I 
will use in the windows HVM?... I will try...


> Maybe for Photoshop&Lightroom tasks you can boot from the secondary hdd where 
> Windows and applications available?

this could be a solution but I want to secure my entire pc... for a migrating 
period is ok, then I wish to have a "single boot option"

> Or there is some alternative applications at Linux to draw and edit images: 
> GIMP, and I found Krita 3.0 (plane to test it very soon, screenshots looks 
> well)

I know, but since I've already paid for them...

> About Antivirus:
> I do not use them on Windows. I think for your is better to forget about 
> "Windows way" and start to learn the conception of Qubes and use other VM for 
> download and run apps, then open files at disposable VM. And of course 
> install software only from trusted sources.

ok thank you

> About synchronization:
> You can setup some... But are you really sure that you want to share your 
> data across internet? :)  

yes, these are cloud backup (crashplan and sugarsync).

> > there's a way to automount external disks (I've an ssd for the OS, and some 
> > HDD in raid for the data) on HVM.
> 
> Yes, they mount automatically when attached to some Linux based AppVMs. If 
> filesystem is NTFS, then you can work with them. 
> And for today windows HVM does not support this feature :)

... this is the most important question: you mean I cannot attach a second disk 
to my HVM windows? or I cannot attach automatically on startup?

thank you again
best regards
Nick



Re: [qubes-users] issues in 3.2

2016-07-05 Thread Drew White
On Tuesday, 5 July 2016 19:41:53 UTC+10, Andrew David Wong  wrote:
> We agree that this is confusing from a UX perspective, and we are
> working on it:
> 
> https://github.com/QubesOS/qubes-issues/issues/1382


Question... Why is it from so long ago and nothing has happened about it?

Is it really that hard to alter a tiny tiny tiny bit of code?



Re: [qubes-users] feature request: luksAddNuke

2016-07-05 Thread thinkpad user
On Tuesday, February 17, 2015 at 3:17:08 PM UTC+4, Andrew wrote:
> (and only ever work on clones of your disk).

this will work only with clones of _not corrupted_ data.
of course user can have special method of destroying data, but having such extra 
method encapsulates key data nature (location of headers, ...) from user.

if user somehow has low tech knowledge level, it should design and develop 
tools for traceless data destruction, if failed to find existing. R&D isn't fast 
and easy task.

> Even if you encountered such a miraculously dumb government, you might
> still be exposing yourself to criminal liability (or worse) for
> knowingly causing the destruction.

only in case of provable intentional destruction



Re: [qubes-users] issues in 3.2

2016-07-05 Thread Drew White
On Tuesday, 5 July 2016 19:41:53 UTC+10, Andrew David Wong  wrote:
> Oh, I see. You mean in Qubes Manager, when you right-click on dom0,
> the entry for "Run command in VM" is grayed out (along with almost
> every other entry), yes?
> 
> That is normal, intended behavior. The intended way to run a command
> in dom0 is simply to open a terminal in dom0.
> 
> We agree that this is confusing from a UX perspective, and we are
> working on it:
> 
> https://github.com/QubesOS/qubes-issues/issues/1382

From a UX perspective, it's a simple thing to fix.
All you have to do is enable it and have it operational.
the only other way to do it from KDE is to open the run widget.
But when you have a bug in KDE where you can't do anything and have no terminal 
access, the 'run command in' is most beneficial.

As for not having them showing, easy as, if that's what you want.


So many things I see that you all are talking about doing, I see so many flaws, 
and so many good things too.

In MOST cases, you need to build it in for both ways around. To have and not 
have. To include and exclude. To show and hide.

I'm a functional person, not a wanky interface person. I'd rather have the run 
as there, that way I can just use that instead of having to open a terminal.
I normally have 15 terminals open anyway. several in Dom0, several in the 
NetVM, and at LEAST 1 in every other guest that I'm running.

Sometimes takes me 5 minutes to find a terminal to run something in, or just to 
get to the desktop space to get access to a terminal.. I'd rather just click on 
the Qubes Manager, Right click on Dom0, then run as. Only because often the run 
widget doesn't function the way I want it to with many things.

The latest KDE isn't built for functionality, it's built for wankyness. that's 
my opinion from seeing it the way it is these days, in Qubes 3.2 at least.

Please remember this... "If it ain't broke don't fix it"

Qubes 3.1 still has a tonne of bugs that aren't fixed, and  that's got a non RC 
version there in the downloads... Still with all the bugs...

Will 3.2 this time be fixed before moving on to a new version?
Will all the critical and important bugs that cause crashes be fixed before 
version 4 comes out?
Because there are still bugs in Qubes stemming from version 2.0 that are still 
there.

So I'm just curious.

WARNING: Don't misunderstand the way that all may sound. It's not actually 
sounding the way you may read it. Just because there is no vocals here means 
that things will be read the way the reader wishes to read it, and not be read 
the way it is intended to be read.




Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread Chris Laprise



On 07/05/2016 04:43 AM, Marek Marczykowski-Górecki wrote:
> On Mon, Jul 04, 2016 at 10:46:52PM -0700, juris...@gmail.com wrote:
>> 1) qubes is a system for security and isolation. But when you install, you 
>> have no encryption options.
>
> Full disk encryption is enabled in default installation option.
>
>> 2) Qubes face 2 problems nowadays for engaging new users with real security.
>>
>> a) Qubes is a system for HIGH END computers with lots of RAM. Usually if for 
>> people that has WINDOWS and GAMES also, a good GPU, and wont waste their 
>> machine on a UNIQUE linux system at least without dual boot.
>>
>> b) Nvidia spy on people, with their streaming @!^@^% they put in new gpus, 
>> network, etc, and people are suspicious amd too. But most consumers are from 
>> nvidia. nvidia now spy on hardware level. Does not matter the system 
>> security.
>>
>> The solution? REAL windows virtualization with GPU PASSTROUGH. So, the high 
>> end computers can use windows for what they need and even play games. Plus, 
>> if you do use nvidia in dom-0, they WILL capture the screen on hardware 
>> level. Nouveau is not working right for a long time. Onboard or gpu 1 for 
>> dom-0 and nvidia or amd high end for windows VM. If the person doesnt have 
>> 2 monitors, it can change the vga adapter from 1 to other to use windows 
>> after starting the vm. that would be perfect.
>>
>> So we give a finger to nvidia and the drivers problems they cause, and we 
>> isolate their spying inside windows vm, plus eliminating the need for a dual 
>> boot and for everyone not using their gaming gpus.
>
> This was discussed many times, so search the archive for more detailed
> answer. In short: GPU will always be able to see the screen content -
> this is what GPU does. Having GPU passthrough done securely (for example
> without increasing dom0 attack surface by launching qemu there) is quite
> hard because GPUs use a lot of non standard tricks and hacks in addition
> to standard PCI operation.
>
> Implementing this is on our roadmap, but it is hard and will take time.


I must ask: Does ITL have a list of well-behaved hardware on which this 
can be accomplished? If there are any laptops out there with the kind of 
workstation-class GPUs that would respond to passthrough predictably and 
reliably--even just one model--then maybe it should be plastered on the 
front page of qubes-os.org.


Beyond that, I think you know my views about Qubes needing more 
comprehensive hardware focus--even design. From here, Qubes with 
designed-for-Windows PCs looks like a strained marriage that's getting 
worse, and the latter was never the kind of blank canvas that many 
considered it to be.


BTW, I think jurisdan does have an excellent point on #4. It would be 
prudent to flag anon proxy vms (the way rpm-sourced templates are 
flagged) so that QM and tools can take preventative action under some 
circumstances: Switching any appvm away from an anon-flagged proxy 
should result in a warning dialog.


Chris



[qubes-users] HCL AMD A6-6420K APU, Asus A55BM-PLUS

2016-07-05 Thread Benson Muite
---
layout:
  'hcl'
type:
  'desktop'
hvm:
  'yes'
iommu:
  'no'
tpm:
  'unknown'
brand: |
  System manufacturer
model: |
  System Product Name
bios: |
  1002
cpu: |
  AMD A6-6420K APU with Radeon(tm) HD Graphics
cpu-short: |
  FIXME
chipset: |
  Advanced Micro Devices, Inc. [AMD] Family 15h (Models 10h-1fh) Processor Root Complex [1022:1410]
chipset-short: |
  FIXME
gpu: |
  NVIDIA Corporation GK107GL [Quadro K600] [10de:0ffa] (rev a1) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 0c)
memory: |
  16324
scsi: |
  WDC WD1002FAEX-0 Rev: 1D05

versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R3.1
  xen: |
    4.6.0
  kernel: |
    4.1.13-9
  remark: |
    FIXME
  credit: |
    FIXAUTHOR
  link: |
    FIXLINK

---



Re: [qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-05 Thread Eva Star


> (Instead of "qubed-dom0-update is "qubes-dom0-update")

thank you

> As I understand, in some versions of bash, the "\n" don't works as expected. 
> So, I propose to change "echo" by "printf". You just have to add a "\n" at 
> the end.

thanks. I will fix it.

> 2) I have dom0 in spanish. So, my Pictures folder is /home/user/Imágenes/ 
> instead of /home/user/Pictures/. But when I run the script, it is saving the 
> pictures in "/home/user/Pictures/" instead of ".../Imágenes"
> To obtain the correct directory to save the file you can use this command:
> xdg-user-dir PICTURES
> /home/user/Imágenes
> 

Is it a portable way to get the PICTURES directory on other Unix-based systems?



Re: [qubes-users] newbie question about port forwarding and remote connection

2016-07-05 Thread Eva Star

> thank you for your reply. Reinstalling the entire windows OS is ok. I've a 
> lot of services running in background right now (synchronization, protection, 
> antivirus, ...). would they work normally? do you recommend to use AV, 
> antimalware, ...? 
> and I've to use photoshop and lightroom (which I've purchased). do they run 
> in a HVM environment?

I have not tried to install these applications into windows HVM. I guess that 
they will run, but with strange usability speed. Because there is no GPU for 
Photoshop&Lightroom to draw images on Windows HVM. As I know you can 
pass-through your secondary GPU to Windows and this will work fine, but I do 
not have secondary GPU and display to test it

Maybe for Photoshop&Lightroom tasks you can boot from the secondary hdd where 
Windows and applications available?

Or there are some alternative applications on Linux to draw and edit images: 
GIMP, and I found Krita 3.0 (plan to test it very soon, screenshots look good)

About Antivirus:
I do not use them on Windows. I think for you it is better to forget about the 
"Windows way" and start to learn the concept of Qubes and use another VM to 
download and run apps, then open files in a disposable VM. And of course 
install software only from trusted sources.

About synchronization:
You can setup some... But are you really sure that you want to share your data 
across internet? :)  

> there's a way to automount external disks (I've an ssd for the OS, and some 
> HDD in raid for the data) on HVM.

Yes, they mount automatically when attached to some Linux based AppVMs. If 
filesystem is NTFS, then you can work with them. 
And for today windows HVM does not support this feature :)



Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread Zrubi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 07/05/2016 10:38 AM, Franz wrote:

> I fully agree with the idea of respecting user needs, but why do
> you think gamers are really interested in strong security? Only
> because they spend money for expensive computers?  It seems a poor
> motivation for me.

I'm playing games - while interested in strong security.
That's why I'm using Qubes on my laptop and running Windows (as a gaming
platform) on my "gamer" desktop :)

But I would never ever mix the two. Not even with dual boot.


- -- 
Zrubi


Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-07-04 22:46, juris...@gmail.com wrote:
> 1) qubes is a system for security and isolation. But when you 
> install, you have no encryption options.

Qubes uses full disk encryption by default:

https://www.qubes-os.org/doc/user-faq/#does-qubes-use-full-disk-encryption-fde

> distros thinks that if a user wants some strong crypto thing, they 
> must research themselves and do all manually. We dont even find 
> nothing about qubes encryption in docs. That is wrong.

I added this page to our docs a week ago:

https://www.qubes-os.org/doc/encryption-config/

> [...]
> 
> 5) i will use this post to state that tor behaves differently to 
> connect in windows tor browser, or linux tor browser, compared to 
> whonix, and i dont know why. Whonix gets always same speed, 250 to 
> 500 Kbps, (not KBps) with speed of 30 to 60 kB/s of downloads, and 
> in tor browser outside whonix, i get 500 to 1 Mb kB/s downloads. 
> Thats really strange and wasn`t expected. I get this behavior for 
> almost 2 years, and i dont have the expertize to know why. after 
> some googling, i saw i am not the only one getting different 
> special routes in tor using whonix.
> 

This sounds like something that should be reported to the Tor project
or Whonix.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-05 Thread Chris Laprise

On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote:


> No worries, honestly I should have thought of the sudo myself.
>
> Well, running it with sudo and it went swimmingly, it connected so that is 
> good, another hurdle cleared.
>
> I am now back to one of your earlier posts in this thread, regarding the 
> qubes-firewall-user-script.
>
> I have to admit that I am not totally clear on needing to run the groupadd (it 
> seems to be run in the firewall script?) but I ran it (and it shows up in 
> /etc/group so I guess that's good?) but then on the next line:
>
> sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn
>
> I get an error saying:
> Options error: In [CMD-LINE]:1: Error opening configuration 
> file:openvn-client.ovpn
>
> I don't understand groups and ids very well so am not sure where the 
> breakdown is here, perhaps I need to set something regarding the 
> openvpn-client.ovpn file?


Error message indicates that the filename has a typo: 
'openvn-client.ovpn' should be 'openvpn-client.ovpn'.


File ids will be OK if you created them with sudo. Running groupadd 
multiple times with 'f' option is fine, too.


Chris
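
The check below is an added example, not part of the original thread or of Qubes: it resolves the config name relative to the `--cd` directory, as the quoted command does, so a misspelled name like the one in the error message is reported together with the files that actually exist. `ovpn_preflight` and `run_vpn` are hypothetical helper names; the directory, file and group names are those quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. ovpn_preflight and run_vpn are
# hypothetical helpers; directory, file and group names are taken from
# the messages above.

OVPN_DIR="/rw/config/openvpn"
OVPN_CONF="openvpn-client.ovpn"
OVPN_GROUP="qvpn"

# ovpn_preflight DIR FILE
# Resolves FILE relative to DIR (what "openvpn --cd DIR --config FILE"
# does) and reports why it cannot be opened.
# Returns: 0 ok, 1 directory missing, 2 file missing, 3 file unreadable.
# Run it as the same user that will start openvpn (root when using sudo).
ovpn_preflight() {
    dir=$1
    file=$2
    if [ ! -d "$dir" ]; then
        echo "directory not found: $dir" >&2
        return 1
    fi
    case $file in
        /*) path=$file ;;          # absolute path: --cd does not apply
        *)  path=$dir/$file ;;     # relative path: looked up inside DIR
    esac
    if [ ! -e "$path" ]; then
        echo "config not found: $path" >&2
        echo "configs present in $dir:" >&2
        # Listing what is there makes a one-letter typo easy to spot.
        for f in "$dir"/*.ovpn "$dir"/*.conf; do
            if [ -e "$f" ]; then
                echo "  ${f##*/}" >&2
            fi
        done
        return 2
    fi
    if [ ! -r "$path" ]; then
        echo "config not readable by $(id -un): $path" >&2
        return 3
    fi
    return 0
}

# run_vpn: start openvpn under the dedicated group after the check passes.
run_vpn() {
    ovpn_preflight "$OVPN_DIR" "$OVPN_CONF" || return
    # sg hands a single command string to the shell, so the whole
    # openvpn invocation is quoted as one argument.
    sudo sg "$OVPN_GROUP" -c "openvpn --cd '$OVPN_DIR' --config '$OVPN_CONF'"
}
```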



Re: [qubes-users] issues in 3.2

2016-07-05 Thread Andrew David Wong
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-07-05 00:22, Drew White wrote:
>>> 5. Can't even "Run command in VM" on dom0
>> 
>> Can you elaborate? How are you trying to do that, and what (if 
>> anything) is happening instead of the expected behavior?
>> 
>> 
> I mean it doesn't have that option, it's disabled.
> 

Oh, I see. You mean in Qubes Manager, when you right-click on dom0,
the entry for "Run command in VM" is grayed out (along with almost
every other entry), yes?

That is normal, intended behavior. The intended way to run a command
in dom0 is simply to open a terminal in dom0.

We agree that this is confusing from a UX perspective, and we are
working on it:

https://github.com/QubesOS/qubes-issues/issues/1382

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


[qubes-users] how to run Windows guest vm in Qubes on hw without required features (vt-d)?

2016-07-05 Thread thinkpad user
More specifically, the Lenovo Y580 is listed in the HCL as having no proper hw 
features (VT-d).

What for?
1) Using Qubes instead of a non-hypervisor-based OS is safer, even 
without features like hardware virtualization.
2) Using a hypervisor is more convenient than using virtualization software like 
VirtualBox.



Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Jul 04, 2016 at 10:46:52PM -0700, juris...@gmail.com wrote:
> 1) qubes is a system for security and isolation. But when you install, you 
> have no encryption options.

Full disk encryption is enabled in the default installation option.

> 2) Qubes face 2 problems nowadays for engaging new users with real security.
> 
> a) Qubes is a system for HIGH END computers with lots of RAM. Usually if for 
> people that has WINDOWS and GAMES also, a good GPU, and wont waste their 
> machine on a UNIQUE linux system at least without dual boot. 
> 
> b) Nvidia spy on people, with their streaming @!^@^% they put in new gpus, 
> network, etc, and people are suspicious amd too. But most consumers are from 
> nvidia. nvidia now spy on hardware level. Does not matter the system 
> security. 
> 
> The solution? REAL windows virtualization with GPU PASSTROUGH. So, the high 
> end computers can use windows for what they need and even play games. Plus, 
> if you do use nvidia in dom-0, they WILL capture the screen on hardware 
> level. Nouveau is not working right for a long time. Onboard or gpu 1 for 
> dom-0 and nvidia or amd high end for windows VM. If the person doesnt have 2 
> monitors, it can change the vga adapter from 1 to other to use windows after 
> starting the vm. that would be perfect.
> 
> So we give a finger to nvidia and the drivers problems they cause, and we 
> isolate their spying inside windows vm, plus eliminating the need for a dual 
> boot and for everyone not using their gaming gpus.

This was discussed many times, so search the archive for a more detailed
answer. In short: the GPU will always be able to see the screen content -
this is what a GPU does. Having GPU passthrough done securely (for example
without increasing dom0 attack surface by launching qemu there) is quite
hard because GPUs use a lot of non-standard tricks and hacks in addition
to standard PCI operation.

Implementing this is on our roadmap, but it is hard and will take time.

> So, XEN is not good for that? consider passing to KVM.

This is exactly what would expose dom0 ("host") to a huge attack
surface from qemu...

> 3) Consider offering PFSENSE as optional firewall vm installed out of the 
> box. It`s very hard and time consuming to do that inside qubes system without 
> studying all, for managing internal ip structure etc. It is the most perfect 
> firewall for use inside a VM, qubes is a system for VMs, and i did use it 
> even inside windows in virtualbox. But i was in WINDOWS, and that means, no 
> real security at all.

Feel free to send patches...

> I would like also to give 2 more suggestions for people to considerate, 
> concerning whonix, since patrick is a developer here:
> 
> 4) People need a pop-up window to explain them to NEVER use an existing 
> normal vm trough the whonix proxy vm, just NEW ONES. Because they have 
> already fingerprints, identifiers, browser behavior, browser plugins 
> identification, aplication updates, specially in windows. If they connect 
> that with once used real wan IP, game over for anonymity.

It depends on use case - you may want to use tor not only for anonymity,
but also to just hide your traffic from just your local ISP (public wifi
etc). In that case it's fine to use existing VMs.

But yes, for anonymity new VMs should be used. I think this is already
covered in Whonix documentation.

> 5) i will use this post to state that tor behaves differently to connect in 
> windows tor browser, or linux tor browser, compared to whonix, and i dont 
> know why. Whonix gets always same speed, 250 to 500 Kbps, (not KBps) with 
> speed of 30 to 60 kB/s of downloads, and in tor browser outside whonix, i get 
> 500 to 1 Mb kB/s downloads. Thats really strange and wasn`t expected. I get 
> this behavior for almost 2 years, and i dont have the expertize to know why. 
> after some googling, i saw i am not the only one getting different special 
> routes in tor using whonix.

Strange, I haven't noticed such effect.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Re: [qubes-users] Qubes top priorities suggestions for me as an user.

2016-07-05 Thread Franz
On Tue, Jul 5, 2016 at 2:46 AM,  wrote:

> 1) qubes is a system for security and isolation. But when you install, you
> have no encryption options.
> distros thinks that if a user wants some strong crypto thing, they must
> research themselves and do all manually. We dont even find nothing about
> qubes encryption in docs. That is wrong. First thing we must do
> out-of-the-box is to offer strong full disk encryption, like veracrypt
> ones, with options, iteractions, etc., and inform the user about that. Even
> tails for just a live browser with storage capability does that. Even
> distros like PARTED MAGIC for managing partitions now come with veracrypt
> installed as default in live-cds. To me, Qubes is neglecting what the user
> wants to read and do in encryption aspects.
>
> I usually use mint strong encryption. But even that i must do manually.
> Imagine ALL users trying to do this on their own. They wont. i use appendix
> A configs from links below, much stronger.
>
> https://community.linuxmint.com/tutorial/view/2026 (bios)
> https://community.linuxmint.com/tutorial/view/2061 (uefi)
>
> 2) Qubes face 2 problems nowadays for engaging new users with real
> security.
>
> a) Qubes is a system for HIGH END computers with lots of RAM. Usually if
> for people that has WINDOWS and GAMES also, a good GPU, and wont waste
> their machine on a UNIQUE linux system at least without dual boot.
>
> b) Nvidia spy on people, with their streaming @!^@^% they put in new gpus,
> network, etc, and people are suspicious amd too. But most consumers are
> from nvidia. nvidia now spy on hardware level. Does not matter the system
> security.
>
> The solution? REAL windows virtualization with GPU PASSTROUGH. So, the
> high end computers can use windows for what they need and even play games.
> Plus, if you do use nvidia in dom-0, they WILL capture the screen on
> hardware level. Nouveau is not working right for a long time. Onboard or
> gpu 1 for dom-0 and nvidia or amd high end for windows VM. If the person
> doesnt have 2 monitors, it can change the vga adapter from 1 to other to
> use windows after starting the vm. that would be perfect.
>
> So we give a finger to nvidia and the drivers problems they cause, and we
> isolate their spying inside windows vm, plus eliminating the need for a
> dual boot and for everyone not using their gaming gpus.
>
> So, XEN is not good for that? consider passing to KVM.
>
> - To create a real secure isolation OS, it`s primal to ensure best disk
> encryption avaliable, with CHOICE for speed/security, eliminate the windows
> host multi boot needs, and make good use and usability for windows and
> gpus. You will reach that when you direct the efforts to adapting the
> system for what the global user WANTS AND NEEDS, and not adapting the user
> to the system that 1 person in 1 chair dream for its personal needs. Ubuntu
> did not follow this lesson with their unity thing and they paid the price.
>
>
I fully agree with the idea of respecting user needs, but why do you think
gamers are really interested in strong security? Only because they spend
money for expensive computers?  It seems a poor motivation to me. Gamers
may just spend money to play games as fast as possible and with as few
problems as possible, and any virtualization system lowers the speed and
creates problems by its very nature. Especially using Windows. IMHO gaming
and serious security go in opposite directions because the users are
different and there is no point trying to unify that in a single machine,
especially a laptop, which most Qubes users have. It is too difficult or
impossible and Qubes developers' resources are limited.

> 3) Consider offering PFSENSE as optional firewall vm installed out of the
> box. It`s very hard and time consuming to do that inside qubes system
> without studying all, for managing internal ip structure etc. It is the
> most perfect firewall for use inside a VM, qubes is a system for VMs, and i
> did use it even inside windows in virtualbox. But i was in WINDOWS, and
> that means, no real security at all.
>
> I would like also to give 2 more suggestions for people to considerate,
> concerning whonix, since patrick is a developer here:
>
> 4) People need a pop-up window to explain them to NEVER use an existing
> normal vm trough the whonix proxy vm, just NEW ONES. Because they have
> already fingerprints, identifiers, browser behavior, browser plugins
> identification, aplication updates, specially in windows. If they connect
> that with once used real wan IP, game over for anonymity.
>
> 5) i will use this post to state that tor behaves differently to connect
> in windows tor browser, or linux tor browser, compared to whonix, and i
> dont know why. Whonix gets always same speed, 250 to 500 Kbps, (not KBps)
> with speed of 30 to 60 kB/s of downloads, and in tor browser outside
> whonix, i get 500 to 1 Mb kB/s downloads. Thats really strange and wasn`t
> expected. I get this behavior for almost 2 years, and i

Re: [qubes-users] Re: Updating Dom0, Qubes, grumbles, things that need to be fixed and not need to be fixed.

2016-07-05 Thread Drew White
If the qubes-manager is going to change to that one that's in
GitHub*, could you please let me know how to uninstall the
current manager without breaking anything?

* https://github.com/QubesOS/qubes-issues/issues/1870#issuecomment-223055937



Re: [qubes-users] newbie question about port forwarding and remote connection

2016-07-05 Thread Nicola Schwendener
Hi Eva,
thank you for your reply. Reinstalling the entire windows OS is ok. I've a 
lot of services running in background right now (synchronization, 
protection, antivirus, ...). would they work normally? do you recommend to 
use AV, antimalware, ...? 
and I've to use photoshop and lightroom (which I've purchased). do they run 
in a HVM environment?

there's a way to automount external disks (I've an ssd for the OS, and some 
HDD in raid for the data) on HVM.

thank you very much


best regards
Nick



Re: [qubes-users] Re: Updating Dom0, Qubes, grumbles, things that need to be fixed and not need to be fixed.

2016-07-05 Thread Drew White

>
> Also let me add the latest KDE's are so buggy and unstable its crazy. 
>  When comparing all the baremetal distros,  debian is the only one that 
> isn't bugged out with my hardware.  It seems to be the only sane distro 
> left in linux.
>

The latest version of KDE is full of the "wanky" stuff. (please excuse the 
language)

I can't get a simple menu any more, I HAVE to have this stupid one.
I want to click on the menu and have a cascading menu that's easy to
follow, not have to click 5 million times to do something.

In 3.1 I had a lovely menu, it was clean and concise and functional, not
this crazy one that's hard to use. I tried to find the basic menu, but it
just wasn't there.

Is it possible to add it back in please?



[qubes-users] Re: HCL Report: HP ProBook 6550b + issues with ProBook

2016-07-05 Thread Drew White
Any advancement on this issue?

Is it a bug in Qubes 3.1+ or some other issue?



[qubes-users] Re: Networking

2016-07-05 Thread Drew White
On Monday, 4 July 2016 03:51:06 UTC+10, raah...@gmail.com wrote:
>
> Just to clarify so you are talking 100 megabits which is like 10 
> megabytes, roughly.
>

yes, that is correct, Mbps not MB.

 

> I don't think many people are using their qubes machine as a vm lan lab. 
>  I'm not sure devs had that in mind.  That being said are you really using 
> up 100mbits all the time?
>

Well, when I do file transfers, yes, easily. If I do directly to the NIC I 
get about 30-40 MBps on average.
Often I'll get up to 70 MBps.

When transferring a 40 GB file, it takes forever on a 100 Mbps connection.
 

> On my machine using a full speed all the time my cpu becomes the 
> bottleneck more then anything...
>

I have a HexCore CPU. Separate NIC. The NIC handles all the transfers and 
such, the CPU just passes it the data.
I use an SSD, so it's got the speed to handle it all.
InterVM at 100 Mbps is fine for networking, because I can send the files 
directly through the Qubes VM to VM system fast enough, so that's not an 
issue. But to only have a 100 Mbps connection to the primary network 
through the VM is just way too slow.

Also, to have 100 Mbps from the ProxyVM to the NetVM is also too slow.
Having 10 VMs running behind the Proxy to talk to the network, that would 
mean there's only 10 Mbps per VM. (If they are using full connection each 
and it load balances correctly.)

If it was a gigabit connection in each to the NetVM to go to the network, 
then they'd have 100 Mbps connection each.
THAT is acceptable with load balancing.
If I have 2 VMs using the network fully, and 8 not using it, then I'd have 
500 Mbps per VM using it.

I'll have to check the ProxyVM again though, not sure if it has a gigabit 
connection to the NetVM or not, but from what I've been told, it wouldn't. 
Because some of the VMs have direct connection to the NetVM and only have 
100 Mbps. They have direct connection to the NetVM because they have some 
ports forwarded to them (I'm a programmer), so I need to have external 
connection to test things from other devices. (Since the qubes-os 
developers won't put in ability to have OSX installed under Qubes I have to 
have the MAC running, which means it's costing me more time and power.)

Does all that make sense?



Re: [qubes-users] Re: issues in 3.2

2016-07-05 Thread Drew White


On Saturday, 2 July 2016 23:58:56 UTC+10, Andrew David Wong wrote:
>
> 3.2-rc1 is a release candidate. The purpose of having a release 
> candidate is to test the release. It's available to the public so that 
> any members of the public who wish to test it may do so. If you do not 
> wish to test it, you should not do so. 
>
> Also, please note the warning on the download page immediately above 
> the R3.2-rc1 download links: 
>
> "This is a testing release. We appreciate your desire to help us test 
> Qubes. However, we recommend you use a current and supported release 
> for daily use." 
>

Didn't see that, because I just went directly to the download area.

I went to www.qubes-os.org
Then followed the download link, it currently says 3.1
Then found the link to the FTP directory.
Used that, then downloaded.

Couldn't see anything for 3.2 there.
If I scroll down I can see it there for the download.
But due to the design of the website, it doesn't show everything
immediately, and I already knew how to get to the directory, so
I did.

Such as life. I know now, and will keep it in mind to check for the
future times I download and such. Thanks.



Re: [qubes-users] issues in 3.2

2016-07-05 Thread Drew White
hi folks,

Thanks for the info, I thought it was already a release because it was 
already now out there and available.


On Saturday, 2 July 2016 23:53:47 UTC+10, Andrew David Wong wrote:
>
> -BEGIN PGP SIGNED MESSAGE- 
> Hash: SHA512 
>
> On 2016-07-01 20:40, Drew White wrote: 
> > 
> > 1. During initial configuration, if you don't create the NetVMs 
> > because you want to set everything yourself, it has error running a 
> > command because no matter what, it will try to run the command on 
> > the sys-net and sys-firewall. 
>
> Thanks. Tracking here: 
>
> https://github.com/QubesOS/qubes-issues/issues/2142 
> 
>  
>

No problem, and excellent. 
 

>
> > 2. No desktop 3. No taskpar/panels 
>
> Sounds like this is already being tracked here: 
>
> https://github.com/QubesOS/qubes-issues/issues/2124 
> 
>  
>

This bug is only a small one, I don't think it's really a big bug at all.

Is it the normal way to set it to text login before starting X?
Or is there something else that needs to happen?

 

> > 4. No terminal access, have to go to next window 
>
> Can you elaborate? I'm not sure what you mean. For example, is this 
> happening during the installer or on the desktop after installation? 
> What is "next window"?
>

Yes, incorrect terminology, I apologise, didn't know how else to explain 
it, but it's explained in the bug tracking.
 

> > 5. Can't even "Run command in VM" on dom0 
>
> Can you elaborate? How are you trying to do that, and what (if 
> anything) is happening instead of the expected behavior? 
>
>
I mean it doesn't have that option, it's disabled.


 
