Re: [qubes-users] R3.2 rc2 blank screen - screenlock issue?

[Drew White]

On Thursday, 1 September 2016 01:54:38 UTC+10, Desobediente  wrote:
> I use KDE (XFCE is installed but never used) and I don't have the option
> of using the keyboard. The num/caps/scroll lock lights won't change and
> the keyboard doesn't seem to respond.
> 
> As I stated, the processes seem to be running, if there's a music
> player, I can still hear it.
> 
> Will check SETUP settings (a.k.a. BIOS/UEFI)

I've had the same issues since Qubes 2, when I first started using Qubes.
So it's an ongoing issue that has yet to be resolved. It has been the topic of 
a few threads.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8c790532-bc7f-4eac-870a-7737bd388b73%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] OSError: [Errno 2] while reinstalling a TemplateVM

[telepherickrick]

I made the mistake to run this command in my debian-8 TemplateVM :

sudo apt-get autoremove gnome-keyring

Then I wasn't able to get a terminal for the debian-8 TemplateVM and all 
appVM's in relation to this TemplateVM.

So, I used this tutorial to reinstall a new debian-8 TemplateVM :

https://www.qubes-os.org/doc/reinstall-template/

The old-debian-8 template is deleted.

The new-debian-8 template is created and updated.

Now here's the problem ...  when I try to change from dummy template to the 
new-debian-8 template I get this message :

[Dom0] Houston, we have a problem ...
OSError: [Errno 2] No such file or directory:
'/var/lib/qubes/vm-templates/dummy/apps.templates'
This is most likely a bug in the Qubes Manager

I want to access my files which are still in the appVM's created with the 
old-debian-8 template.

Thanks for your help

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/879a7872-a280-4082-84ef-3a24ef3c41ff%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: epoxy on ram to prevent cold boot attacks?

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Aug 31, 2016 at 10:05:59PM -, johnyju...@sigaint.org wrote:
> I'm curious to some mentions-in-passing about Andrew's hate for USB
> keyboards.  USB-anything isn't good for security, but what in particular
> so much worse about USB?  Both USB and PS/2 can keylog, or play predefined
> scripts to try and exploit the system.  One of the dangers of rogue USB
> devices is that they can suddenly pretend to be a keyboard (which Linux
> will accept without confirmation, something I'm not thrilled about).

It is mostly not about the keyboard itself, but other devices on the
same bus. Anything that can control the bus to which keyboard is
connected, can control the keyboard / pretend to be a keyboard.
In addition, USB is quite complex and as with all complex code there are
bugs. 
If you (or someone else) plug a malicious USB device that will exploit
some bug in one of million USB device drivers, it can do whatever it
want with the other USB devices on the same bus. And if that USB
controller live in dom0, it's game over even without injecting malicious
keystrokes.
PS/2 is much better, because you can't connect anything else than input
devices there, and attack surface is much smaller.

Some mitigation would be to use separate USB controller for USB
keyboard/mouse and have it in dedicated VM (separate form all-purposes
sys-usb).
This will guard you from potentially malicious devices *you* plug into
the system, but not from someone else plugging it instead of keyboard
(so into that keyboard-only USB controller). To plug that hole, that
USB-keyboard VM should be configured to reject any non-keyboard device
before allowing any driver to talk to it. This will still left you
vulnerable for bug in USB stack itself, but the attack surface is much,
much smaller than all the USB devices drivers (some unmanaged for
years).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXx5GcAAoJENuP0xzK19cstXgH/2+qnvTd7y00TSaUuAqjgUUI
waSjgeZnXfuGn8WMIRaGn4sIAqG4VgL1JP8sStWGHzAktOnqU/BHmaMAgipVvDpy
60a0SumEE1kZ8RUbIzINuTlZVmXw/7Dt1NCA0FOJbkjn4UeiuRvCkKceedJXrV9a
m3HoCGTu1qgZB9B4m+TvPtgeqUrUj/bvsLkgPJbVKiOWevIJ7M57cabDk/6P3p0q
QMHT6yPqcEXrA3SKAay/LDTvwP6C67jXjkCsvQYPX1TNrCZzEkvYyA3P4ycblBlM
Pq3MmSlPTLkiHorupOERDZi7mON2lss23aaj0AXvClgO03V8ArPjDnnmxHEWW9A=
=za1M
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160901022532.GE24732%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Salt InterVM Configuration explorations and pitfalls in 3.2-rc2

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Aug 31, 2016 at 03:47:31PM -0700, nekroze.law...@gmail.com wrote:
> Does anyone have any thoughts on a way to template in the IP address of an 
> appVM so it can be used to define a file.managed state with the IP in the 
> filename such as tinyproxy requires?

Take a look at grains - there is a standard `ipv4` available.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXx4zjAAoJENuP0xzK19cs+jYH/2hzpEpQ8WR2/yiMc3KJiUW+
vnuGxoFgM72z7nfQmXswi0g6Q0NY3lo5gGWqRt/ZF5bves8ZXeZ7M81DDPF1gLMZ
fHoBSTmJq58J0PpmBS56ekZiVYndPeNTVqLLpgZGwubgjAAXZeCyyAcZiQvSxqom
4zgs3ev50yEfJ9/PoSAeON3Yf76LVbsyRxEgGN01yg9yssvpdBEdwV5bTQ+ZGe/f
sKiQpJAk0ACByFyJN9z8C2SWqCMAmXnALIteJssDuHVT8oS2L/BRG7Juk0/JMx6V
J4htQO/ZQGbqUWlQCbXJWmc9NVtvmsuMeB/o08BlDnNmBKZltUFsOxbWniD6d5E=
=LLQP
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160901020524.GD24732%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] installing Signal on Qubes mini-HOWTO

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-31 15:50, IX4 Svs wrote:
> On Wed, Aug 24, 2016 at 11:10 PM, Andrew David Wong  
> wrote:
> 
>> 
>> On 2016-08-15 14:43, IX4 Svs wrote:
>>> On Mon, Aug 15, 2016 at 10:19 AM, Andrew David Wong  
>>> wrote:
>>> 
 
 On 2016-08-14 15:22, IX4 Svs wrote:
> Just spent a few minutes to figure this out so I thought I'd
> share.
> 
 
 Thanks, Alex! Would you mind if we added this to the docs at some
 point?
 
 
>>> Not at all - especially if you improve my clumsy way of creating the
>> custom
>>> shortcut (steps 7-12) and use the proper Qubes way that Nicklaus
>>> linked to.
>>> 
>>> Cheers,
>>> 
>>> Alex
>>> 
>> 
>> Added:
>> 
>> https://www.qubes-os.org/doc/signal/
>> 
>> 
> Andrew, thanks for adding this to the documentation.
> 
> I'm afraid my DIY shortcut kludge does not survive some(potentially boot 
> time) script and is wiped away from the taskbar, only to be replaced by a 
> default "Chrome browser" shortcut. I admit I don't quite comprehend what 
> the actual implementation of 
> https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1 
> should be.

Neither do I. I've always make my custom shortcuts the same general way you do.

> A worked example that replaces all but the first step of the " Creating a
> Shortcut in KDE" section of https://www.qubes-os.org/doc/signal/ would be
> very much welcome.
> 

Agreed.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXx4J9AAoJENtN07w5UDAw1J8P/0PUipLZrTwzQheBpmhbf5Dv
M0womOAbxLi+obMXQJtIVwQpWEkGEoPT41xfRwYwTeZqgCIMX3RHaRk2KPjDPbiC
tyY/F9FF+5DWV8cuqFAir4uFmBUdaH4orbWQLf+Qai5RbumEonx0ZuwrzH/xQE9r
nE8o+mAYUZnQP9TGUCmKkzm/+Wc2yPDvcWgqwbaVOpz5SHlhNAMVYXMy/9hQ7M+V
6eDlbvgLAe4E78aZ1WIuizGaQlH0pYdsIuZ1mPDT7KGf1p/2tOpRCpsrXF5a1+z5
QdDa88mMZR8MqNJUlbPqSgWPrWq1mAv9KFPF61myb3ZkAVFZQs7BkFclJXP1lJtq
ptfXB7fEVko2eAgmECITmghezk6z7iAkkSTuxmoENQ1Gq1duz/vceRAl5sUsqfN9
LXA2myp3uC7ZjoWhmdzYheEg8nOqQACPn5/J04XBbnPl49uv0T3ITrc9gkPGy380
f67DC+QTwuZkNQSDbt/TUwWJu25Z1TFs6TRKRnc9icuS5qoOKxtNSpVTbIjcApKW
ixEts+Vhu1FguarFW7vsMvwvD2q+RYEf3BYrlCFqChJQDlEdzgibRwkYyz9TTVG0
9D89RvpGiOFJWQ6rwIgNA9Q1IPY2xY0TkiLv5yNPWGOHohJK4mbC/dGhZqNXcgDr
CFeVikKS+OHd78PFVmYj
=x3qa
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b8915080-54ca-1253-29c1-2db48cf2156b%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 3.2 rc3 has been released!

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Aug 31, 2016 at 09:18:37PM -, johnyju...@sigaint.org wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Details here:
> > https://www.qubes-os.org/news/2016/08/31/qubes-OS-3-2-rc3-has-been-released/
> >
> > As usual, you can download new image from:
> > https://www.qubes-os.org/downloads/
> >
> > Users of R3.2 rc1 or rc2 can just install updates, no need for full
> > reinstall.
> > For older releases check above page for upgrade instructions.
> 
> Congrats on another milestone.
> 
> For those of us tracking testing, we're automatically swept along with our
> updates (just as users of rc1/rc2), correct?

If you're using 3.1 or older (with testing repos enabled or not), you
need to go through upgrade procedure explicitly to have latest 3.2
version.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXx3deAAoJENuP0xzK19csqGwH+gN0OHompcIDoCKBAdPC7Bqo
SdiEB1yayCRkE/esEnOpD3ajxmtiK2O3bAApPx9ixGaiUEbcCaK5cQ0V6v5w5y+g
fgnCtt7Zn5PLtd1hgbYI7wgYi/+y8SrDMWpPvrwN4QomQ/IPc3711Wdp0NmTbjWh
Sua2blMYRZkWno/6eQ1xSx+TMW7CuJOeMtNhm9BeI7+kxUvYGpS0hhDMGFAoFYRT
rIZP6d7mPQEyP01KhSF7xBZwdWmYakvZWPfrzj9C4G+82FB2bjfOW+S9d8SxSDNs
3BVaQJHhu8x6vVTWD+bouF1muZSFrtYBLRYrKdJk7OXIBRgprD/x7291fq4xg5A=
=2w6z
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160901003335.GA24732%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] installing Signal on Qubes mini-HOWTO

[IX4 Svs]

On Wed, Aug 24, 2016 at 11:10 PM, Andrew David Wong 
wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2016-08-15 14:43, IX4 Svs wrote:
> > On Mon, Aug 15, 2016 at 10:19 AM, Andrew David Wong 
> > wrote:
> >
> >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA512
> >>
> >> On 2016-08-14 15:22, IX4 Svs wrote:
> >>> Just spent a few minutes to figure this out so I thought I'd share.
> >>>
> >>
> >> Thanks, Alex! Would you mind if we added this to the docs at some point?
> >>
> >>
> > Not at all - especially if you improve my clumsy way of creating the
> custom
> > shortcut (steps 7-12) and use the proper Qubes way that Nicklaus linked
> > to.
> >
> > Cheers,
> >
> > Alex
> >
>
> Added:
>
> https://www.qubes-os.org/doc/signal/
>
>
Andrew, thanks for adding this to the documentation.

I'm afraid my DIY shortcut kludge does not survive some(potentially boot
time) script and is wiped away from the taskbar, only to be replaced by a
default "Chrome browser" shortcut. I admit I don't quite comprehend what
the actual implementation of
https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1
should be. A worked example that replaces all but the first step of the "
Creating a Shortcut in KDE" section of https://www.qubes-os.org/doc/signal/
would be very much welcome.

Cheers,

Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAEe-%3DTc-35h1cHsr5kW7cXd_o6M3_Q_4qH0SfK%2B_nHL5O9d%3Deg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] VMs cannot start (Error, 0), eek... and fixed

[Daniel Wilcox]

Hello, I searched the archives and saw this has come up before regarding
firewall rules.
https://github.com/QubesOS/qubes-issues/issues/1570

I had half an email composed when I tried something and it unexpectedly
worked.

So for posterity I wanted to add is that it is possible that *no* VM will
start if you have exceeded the maximum number of firewall rules on *any* VM.

find /var/lib/qubes -name firewall.xml -exec wc -l '{}' \;
# found offending VMs with 38 - 40 lines (and hence 36-38 rules)

On a side note, does anyone have great ideas for dealing with CDNs like
Fastly?  Which allocate the same host IP for a service, say pypi.python.org,
in many /24s.

Big phew! and cheers,

=D

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAGq7KhoxoqSBTFWrWFJBGHWaKz%2BFY%3D2HDYvQehoberARh39iHg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 3.2 rc3 has been released!

[johnyjukya]

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Details here:
> https://www.qubes-os.org/news/2016/08/31/qubes-OS-3-2-rc3-has-been-released/
>
> As usual, you can download new image from:
> https://www.qubes-os.org/downloads/
>
> Users of R3.2 rc1 or rc2 can just install updates, no need for full
> reinstall.
> For older releases check above page for upgrade instructions.

Congrats on another milestone.

For those of us tracking testing, we're automatically swept along with our
updates (just as users of rc1/rc2), correct?

Sorry if that's a stupid question.

JJ

>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJXxzpPAAoJENuP0xzK19cszD4H/j4jPpG9aEaa6xx+FoDN+7cI
> 4P3PU3GtvDO+k97O9at/4Gsq5ziUgyFcJxD+3KId7gTsDML5w7ge93Zyvc5lRms/
> cu+skFnrLpeOKSv+aeRTzeeZQ6EbEePLqXLpgMcLIN93hKiPqN6UPPUJ0ya5Ijhg
> qol6fbEwLYdyazq378QcEmgqAE9C3iEmVpthLl3qw+vITJHIutHtxJgzV7kYR6q+
> euF0dVjijY/qeu0R/Jds6WYlB9WCdzuDRfRGO5BYEc3PtjvrCLW0g02SGyplQwDk
> nFqnrB69czNPMgs6Gsb5arIKco4tm6a9VOUyT+XCgPX5Vbw+4FSH7pw7EsRK4bk=
> =Uo8f
> -END PGP SIGNATURE-
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/20160831201304.GH9166%40mail-itl.
> For more options, visit https://groups.google.com/d/optout.
>


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b13db8d9e8da36a50ab07b75782f0184.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Adding individual partitions from Manager

[johnyjukya]

While qvm-block is a wonderfully handy tool for adding individual
partitions to a VM, the Qubes VM Manager can only add entire devices from
its GUI.

I think that it's a pretty strong argument Qubes' spirit of "protecting
the user from him/herself" to make sure this feature (maybe in a nested
menu or something) is added at some point.

Keeping a VM from pooching a partition table and a whole drive, and at the
very worst messing with a single partition, is a pretty significant
protection of the user from himself, as well as prevention of escalation
of any VM compromise.

If a compromised VM can tamper with the partition table (to hide away its
payload, trash partitions), or worse, modify the boot sector of a drive,
it's a *way* worse end result that's possible that messing with an
individual partition.  (Although they have boot sectors of their own.)

e.g. on a typical Linux drive, mounting /dev/sdx5 with the data to play
around with, while preventing /dev/sdx1 (the /boot partition) or /dev/sdx
(the boot sector/paritition) from being corrupted is a major win for
security (and stupidity) in my books.

I know 4.0 is going to rework (deconstruct?) this stuff a lot, but it'd be
nice to make sure some equivalent feature is in 4.0, in not sooner.

Also, is there a limit to the # of devices you can add to a VM?  I seemed
to hit the wall at /dev/xvdl, which the Qubes VM Manager and qvm-block
seemed to think had been assigned to my VM, but the VM never saw it, and
there was some strange error in dmesg.  (I neglected to save it, sorry.)

Granted, I was doing way more in that one VM that I should have been
(things just got out of hand, lol) and I restarted things and split up the
tasks, and all is well.  Just curious if there is a hard limit.  3 is a
fairly low limit for devices (xvdi/xvdj/xvdk), although there were a lot
of partitions about (one had 7 partitions, another had 5).

Thanks.

JJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0c8e8cd831a1dc106bc771febeea5a5.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Why not a Whonix (or TOR) Disposible VM?

[Patrick Schleizer]

Adi Carlisle:
> On Saturday, 27 August 2016 18:50:20 UTC+1, Cube  wrote:
>> This would be more in the style of Tails - no persistent state.
> 
> TAILS hvm?
> 

Would require disposable HVM, I don't think Qubes has implemented that
at this time.

Also DispVMs do not feature anti-forensics yet:

https://github.com/QubesOS/qubes-issues/issues/904

Cheers,
Patrick

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8a5c49fc-4d95-ec65-1c09-cb595a3d2135%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Using Whonix Tor instance from other VMs

[Patrick Schleizer]

Raphael Susewind:
> Is there an easy way to use the Whonix Tor instance from other VMs,
> namely those assigned a different firewall VM?
> 
> I do have a couple of Tor Hidden Services which I'd like to access via
> SSH from my work VM (using connect-proxy). I could of course run my own
> Tor instance within the work VM, but thought why bother if a Tor
> instance is already running elsewhere...
> 

https://www.whonix.org/wiki/Other_Operating_Systems

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cc340dcd-14cb-616a-2481-a2dd57406daa%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] change date

[Eva Star]

On 08/31/2016 04:29 PM, Eva Star wrote:

How to change date/timezone reported by `date` at dom0 terminal and used
by other AppVMs?
Previously, I do this with KDE tools, but now with Xfce I can not find
how to change it correctly.

Now, it's  reported as EDT (not UTC) at dom0... Why? How to change it
for dom0? How to change timezone for all/some AppVms.
Thanks




Found the solution!
Why it does not in the FAQ?

At Dom0 if you want to keep it at UTC (date command will report time at 
UTC, all programs at dom0 will work with UTC time, but you can set up 
XFCE time at the panel from properties.


---command executed at dom0 will set timezone to UTC for dom0. ---
timedatectl set-timezone 'UTC'
--

Then if you want to change you AppVM timezone per VM, you can do it at
1) /rw/config/rc.local
with the following command:
timedatectl set-timezone 'Europe/SomeCity' (get the list from 
timedatectl list-timezones)


2) Or you can do the same at TemplateVM


--
Regards

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a42848dd-0afc-3dcd-187d-6b4f6b5b8b38%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 3.2 rc3 has been released!

[Chris Laprise]

On 08/31/2016 04:13 PM, Marek Marczykowski-Górecki wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Details here:
https://www.qubes-os.org/news/2016/08/31/qubes-OS-3-2-rc3-has-been-released/

As usual, you can download new image from:
https://www.qubes-os.org/downloads/

Users of R3.2 rc1 or rc2 can just install updates, no need for full reinstall.
For older releases check above page for upgrade instructions.

- -- 


Qubes Manager systray icon is gone now...

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c93973fa-35d3-3572-ae52-0b5133f24257%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes 3.2 rc3 has been released!

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Details here:
https://www.qubes-os.org/news/2016/08/31/qubes-OS-3-2-rc3-has-been-released/

As usual, you can download new image from:
https://www.qubes-os.org/downloads/

Users of R3.2 rc1 or rc2 can just install updates, no need for full reinstall.
For older releases check above page for upgrade instructions.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXxzpPAAoJENuP0xzK19cszD4H/j4jPpG9aEaa6xx+FoDN+7cI
4P3PU3GtvDO+k97O9at/4Gsq5ziUgyFcJxD+3KId7gTsDML5w7ge93Zyvc5lRms/
cu+skFnrLpeOKSv+aeRTzeeZQ6EbEePLqXLpgMcLIN93hKiPqN6UPPUJ0ya5Ijhg
qol6fbEwLYdyazq378QcEmgqAE9C3iEmVpthLl3qw+vITJHIutHtxJgzV7kYR6q+
euF0dVjijY/qeu0R/Jds6WYlB9WCdzuDRfRGO5BYEc3PtjvrCLW0g02SGyplQwDk
nFqnrB69czNPMgs6Gsb5arIKco4tm6a9VOUyT+XCgPX5Vbw+4FSH7pw7EsRK4bk=
=Uo8f
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160831201304.GH9166%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes R3.2rc3 Schedule

[throw_away]

On 2016-08-31 13:25, "Andrew David Wong"  wrote:

> Yes, we expect to release R3.2-rc3 today:
>
> https://twitter.com/rootkovska/status/770930679882416128

Thank you for the information!  Now, I see it on the FTP site. :-)


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6ae91b7ff1c6f23b64c26c5cc0f352a0.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] [3.2rc2] Pulseaudio 100% CPU load at dom0

[entr0py]

Eva Star:
> 3.2rc2 - clean install (on 3.2rc1 with updates I do not have this problem)
> 
> At dom0 pulseaudio proccess always eat 100% of CPU.
> If I kill it, then it starts again! 
> Please, help. Hot to fix this issue or how to disable pulseaudio start after 
> kill.
> 

Had similar symptoms on Qubes 3.1. If you have multiple audio adapters (ie 
Onboard + HDMI), disable one. (On KDE, it was PulseAudio Volume Control > 
Configuration. Don't know XFCE.)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e1451b40-159c-608a-8868-405dd4125441%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: epoxy on ram to prevent cold boot attacks?

[pixel fairy]

On Wednesday, August 31, 2016 at 10:40:23 AM UTC-7, grzegorz@gmail.com 
wrote:

> An actual protection would be some kind of a chemical that would destroy the 
> ram chips if they ever reach certain (lower than room) temperature.

the epoxy is likely to damage them in most means of removal. 

i know of things that can do their damage when they reach a certain temperature 
or higher. never heard of one set off by going below a certain temp.

erasing on power loss would be good too, esp if the attacker doesnt know about 
it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/11f811f4-eaaf-41dc-824e-7f39b374bbdd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Unable to assign audio device

[entr0py]

Adi Carlisle:
> OK, update, I reinstalled my Qubes 3.1 but this time I used sys-usb (& 
> sys-net option) Sound worked on all VM's.
> **Didn't get a chance to test it on Win7** because I tested the mute function 
> now it doesn't work again.
> 

https://www.qubes-os.org/doc/windows-appvms/:

> There is currently no audio support for Windows HVMs.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/79f7b675-7f7e-54e9-3d51-17d7576fa8fd%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: epoxy on ram to prevent cold boot attacks?

[grzegorz . chodzicki]

W dniu środa, 31 sierpnia 2016 18:25:33 UTC+2 użytkownik pixel fairy napisał:
> poured some epoxy over where the ram connects to the motherboard, and where 
> the clips are that you would use to take it out. the chips themselves dont 
> have any, just the surrounding pcb.
> 
> this was couple days ago. so far its survived 2 reinstalls of test qubes 
> releases, and is doing one of rc3. 
> 
> i have this feeling im about to find out theres some simple way around this 
> and its not really a protection against cold boot attacks. i know some 
> laptops have easy bios resets, so thats one way.

An actual protection would be some kind of a chemical that would destroy the 
ram chips if they ever reach certain (lower than room) temperature.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/37b7279f-2f8b-4f74-97d7-46171c02a7b5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Salt InterVM Configuration explorations and pitfalls in 3.2-rc2

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Aug 30, 2016 at 11:00:30PM +0200, Marek Marczykowski-Górecki wrote:
> On Mon, Aug 29, 2016 at 11:07:33PM -0700, nekroze.law...@gmail.com wrote:
> > Also, I am not sure when, but the pkg.uptodate state does nothing in 
> > templates now. It used to work on this qubes install and it still succeeds 
> > (without changes) each run but if I use qubes-manager to do the update 
> > there is stuff to be done.
> 
> Which template? I use it regularly and it works...

Have you included "refresh: true" option? Otherwise it may simply not
refresh repository metadata.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXxwbQAAoJENuP0xzK19cs0O0IAI6ERhxfjmqEjGwe7ca3HJK8
6mfxtLQPFJnUA0fuSwqoJlPK95jZjg0ergHg4GsPpqWggtht+noeAItei9fLTp/6
or0BW9zeYut+C6GljLmd7hRsU/JzqdXGGP2iMAmvHuoMrzJTglvvBsuczqTBk+WU
yq8Woiv+y5M0hLUw2chqcI0GGXsC154MtBq2Ezk5D3z8YV3UQ+uKceqdF5wM+On4
ZhmIGt6ZdApN+JSe41awlrOdeYNe5Gck+e+uiTWsj9aGavjRDuYjmCe8lueXlbfb
FN//ML6VerD0nUr092yc0T3B0knqjzxd/DKwGasIQPUsNe7Wlu8Zuk5RLhe40cA=
=EYl1
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160831163320.GD11005%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: torvm / whonix / Tor Browser / P.O.R.T.A.L ?

[pixel fairy]

On Wednesday, August 31, 2016 at 8:54:05 AM UTC-7, 
499eph+30e...@guerrillamail.com wrote:
> Hi,
> 
> Which of these tools provides a better privacy and security for a threat 
> model that intends to protect against massive surveillance (the intention is 
> not to protect against state actors as this is barely impossible) and 
> compromised networks? 

the whonix setup provided with qubes should be fine. its functionally 
torbrowser + portal. but, if tor is censored or dangerous in your situation, 
you'll have some extra work to set it up.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/47484ddb-fbe4-4157-84f6-470a141806c1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] epoxy on ram to prevent cold boot attacks?

[pixel fairy]

poured some epoxy over where the ram connects to the motherboard, and where the 
clips are that you would use to take it out. the chips themselves dont have 
any, just the surrounding pcb.

this was couple days ago. so far its survived 2 reinstalls of test qubes 
releases, and is doing one of rc3. 

i have this feeling im about to find out theres some simple way around this and 
its not really a protection against cold boot attacks. i know some laptops have 
easy bios resets, so thats one way.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a154edd-c4f9-4ec2-a89e-464ab3d1230e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] R3.2 rc2 blank screen - screenlock issue?

[Desobediente Civil]

I use KDE (XFCE is installed but never used) and I don't have the option
of using the keyboard. The num/caps/scroll lock lights won't change and
the keyboard doesn't seem to respond.

As I stated, the processes seem to be running, if there's a music
player, I can still hear it.

Will check SETUP settings (a.k.a. BIOS/UEFI)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8bf93477-f017-8fc8-abed-4b44cd6475d2%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] R3.2 rc2 blank screen - screenlock issue?

[richard . f . gould]

Hi Doug

That might be the clue.

I waited until it happened again, did Ctrl-F2 and then restarted then 
xfsettingsd process with a kill -HUP.

Ctrl-F1 then got me back to the login for the X without having to reboot or 
restart VMs.

I've only tried this once ... if it's repeatable over the next few days it is 
at least a workaround until it's fixed in Xfce.
--
Richard

On Sunday, 28 August 2016 23:42:11 UTC+1, Doug Hill  wrote:
> 
> Hi, I'm having a similar issue, which I believe may be caused by a bug
> in xfce. I posted about it here in a previous thread:
> 
> https://groups.google.com/d/msg/qubes-users/qwMzj2au6uE/qd_hU6EUBQAJ
> 
> Best of luck!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/45422632-e56c-43db-9588-b92381d9f1ed%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Wrong timezone in VMs: where the value for qubesdb-read /qubes-timezone comes from?

[Pablo Di Noto]

El miércoles, 31 de agosto de 2016, 13:02:06 (UTC), Andrew David Wong escribió:
> 
> On 2016-08-31 05:42, Pablo Di Noto wrote:
> > El miércoles, 31 de agosto de 2016, 12:26:42 (UTC), Andrew David Wong 
> > escribió:
> > 
> >> On 2016-08-31 04:48, Pablo Di Noto wrote:
> >>> Hello,
> >>> 
> >>> Somewhere along the update from 3.1 to 3.2rc1 I started to have all my 
> >>> VMs take UTC as their timezone.
> >>> 
> >>> dom0 has the correct "America/Argentina/Cordoba" timezone, but all VMs 
> >>> get incorrectly set to "Argentina/Cordoba", which does not exists thus 
> >>> leaving them at UTC.
> >>> 
> >>> I know may have manually set somehow the wrong timezone (without the 
> >>> required "America/" prefix) at install or update. Now all my templates 
> >>> get set to "Argentina/Cordoba", which is the value they get from 
> >>> "qubesdb-read /qubes-timezone" at every boot by qubes-sysinit.sh
> >>> script.
> >>> 
> >>> I cannot figure out where that values comes from and how to fix it.
> >>> 
> >>> Thanks in advance, ///Pablo
> >>> 
> >> 
> >> It might be worth trying to set the locale in your TemplateVM(s). For 
> >> example, these commands should work on fedora-23 (and some other
> >> distros):
> >> 
> >> To display your currently set locale:
> >> 
> >> $ locale
> >> 
> >> To set a locale:
> >> 
> >> # localectl set-locale 
> >> 
> >> For a list of available locales:
> >> 
> >> $ localectl list-locales
> >> 
> > 
> > Thanks for the suggestion. In fact, something similar is what I use as 
> > workaround into the browsing VMs.
> > 
> > The drawback is that I have to set the correct timezone for each VM upon 
> > booting, each time, as the setting will be overriden at next boot by the
> > init script.
> > 
> > Regards, ///Pablo
> > 
> 
> Two options:
> 
> 1. Change the locale in the TemplateVM instead of the AppVM so that the
> overriding value is the desired one.

There is no difference setting it at the TemplateVM, as it is also overridden 
by the script there.

> 2. Add the command to change to the desired locale to /rw/config/rc.local (in
> the AppVM), then make that file executable (chmod +x). Every command in that
> file is executed as root each time the AppVM is started.

Thanks Andrew!

This works, but still makes you reset the timezone on each TemplateVM when 
traveling. Not a big deal. I will keep trying to find the root cause of this, 
albeit to understand the mechanics behind the scenes.

Regards,
///Pablo

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/57658dc1-7e46-48ca-a988-c9e57c92e280%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] AMD Zen Secure Encrypted Virtualization (SEV)

[Joanna Rutkowska]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Aug 19, 2016 at 11:58:18AM -0700, kev27 wrote:
> > Secure Encrypted Virtualization (SEV) integrates main memory encryption
> > capabilities with the existing AMD-V virtualization architecture to support
> > encrypted virtual machines. Encrypting virtual machines can help protect
> > them not only from physical threats but also from other virtual machines or
> > even the hypervisor itself. SEV thus represents a new virtualization
> > security paradigm that is particularly applicable to cloud computing where
> > virtual machines need not fully trust the hypervisor and administrator of
> > their host system.
> 
> http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
> 
> https://support.amd.com/TechDocs/55766_SEV-KM%20API_Spec.pdf
> 

Thanks for the pointers. Next time I suggest to send such stuff to qubes-devel 
;)

> Is this something Qubes OS could work with in the future to improve its 
> security on AMD Zen chips? Maybe something to keep an eye on.

Maybe. For either SGX or SEV to make sense for Qubes OS (i.e. a desktop OS) it
would need to allow some form of protected HID/video from/to the
SGX/SEV-protected VM. Currently none of these technologies seem to support this.
Specifically the white paper you referenced explicitly states:

> One important consideration for an SEV-enabled guest is that DMA into guest
> encrypted memory is not allowed by the SEV hardware for security reasons. All
> DMA, whether from a real hardware or a HV emulated device, must occur to
> shared guest memory. The guest OS can therefore choose to allocate memory
> pages for DMA as shared (C-bit clear), or may copy data to/from a special
> buffer (aka “bounce buffer”) for DMA purposes. Some operating systems have
> existing support for bounce buffers which may be used for this purpose, such
> as the swiotlb Linux functionality.

It's thinkable that the IOMMU could transparently decrypt DMAs (from select)
devices, allowing communication between these devices (XHCI, GPU) and the
protected guest, without the hypervisor being able to sniff or inject the data
(e.g. the actual keystrokes, framebuffers). Let's hope they do that one day.

Cheers,
joanna.
-BEGIN PGP SIGNATURE-

iQIcBAEBCAAGBQJXxtzVAAoJEDOT2L8N3GcYSiYQAL69fzVC4PVInuGNeXPPkhN0
qr8ahmRzDCZECi/b26fqfWZ/GrW9sf569m0cVT8VImL3Ki0gvV2WPcqiCypNjX6E
dMQKKnPmkNAbTpKFtv6IIDsC3PxdtvGjcLXSr/R123DLNpbN2/IN5MvrrYCEhfDz
CpI6YuSzWLwLAEk/MoEfm3Dk+ninRsLY+2bt0YVwfTj2X7/Q+p0VPCY2ImtL1h3k
OhvYCtIKkMTAvrY4t0gV9Ndm3UNxHAHslZkl9Kcj6Gqp/mkC1GXCK1KemolCcLQE
MvW9NUlhscpVYYIBmExnQPOPLb8eyD1DqxiZC0FaJz/UxQUCHhLaX6RCqr4MHqQX
ytPPeNXW/Q3jgfgNewVslbwEOkehWWZgATKuHRMB6W3d/dXtcct7DDSBcqk8pCTr
jn5Bq55zjylMvRE46seIFR4T4lRNVGsSeKe90N5ouO31v51q9fLAUWoEvF6/4rKA
d8m/OrbtZf9DFCCXIsVXdTVI6fDzBDKAZSZOlgSpDTiApZyTfOZox6K2rPXO3RuN
cI3Wf36aCH6gDMJciDOMbWMa2Gf5NxjJJhZ+PXDiqTxIJlf8yzLu2nAvEcGv3XIh
EWQL6sKNxb4xFgRYCZn4Ekl8vBy9/0rYqpxdhSclg9BX5vJGhrCb6XxHfY6yjRJl
ToSrhIQPHr1JUZfCqcDv
=JJWX
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160831133413.GA20414%40work-mutt.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Recover VM

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-31 01:52, katerim...@sigaint.org wrote:
> Hello I have deleted a VM accidentally, is possible to recover it? Thank
> you
> 

Without a backup, there's no straightforward way to recover it. (But the data
forensics experts on this list might have some tips for you.)

If you have a backup, recovery is easy via Qubes Manager (or
qvm-backup-restore). If you're not already making backups, please start now:

https://www.qubes-os.org/doc/backup-restore/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXxtGLAAoJENtN07w5UDAwJTIP+wRHyCFmt10wU2CB0TcbQvzq
j8IjUskib8nO2dKj3ke+yuyE5Kh3GEb/ByKZ+h48UoGi8Ga3JSXGeNYYQW2haasr
0u88vKpKN0M2CVmvNiiOBiBukbo5PYoD/LWEfacaahMYF6DcbgpBnGKWQhPPmI3H
MZqUltDasiEqABEyMqpeJcjV6uUNmM/htzZ+TPpVhUMk1TlWOGgqtWBdXgUqJxfY
E5Y7VVnpiQOEy7HSCW/XXq7+PQGRyTxK8lqW2Fazyml9cRtYp8xUs84bWpXbXh1q
4Py0yrCEHxe8Ds80LbUKcYuFGs2WQapftZmmfMnw+AnWvzR07dw4WSwjuIDA7zD1
iOFw+Q8wZqItflV2DYhpI0qQT6pfVL5HdBHoJ8HxA1mhtm1Xv5FWvxluqouMuEb2
iU6mUAQS8UmxllcKahg7qaPgl4ZvBfPUPE5z20IRd3iuhvpqCmLXI+g7HNm7B2Dw
Ot+gRGEAKK8wKDR9QfO8mbtfVyNmVRUAhstueIpZgQLzZO8M03PIy6l1n/j/3wbK
4Rifl3D41yRRu+qQVTK0PwOy2pNFoyWcUwUpCGuC57cmOc6jEJETBJ/dBdFCI7SA
rg6g5/nd9GiKuxRq+7nfjxXKjOB0+JHGwr/abupTj7Ut9MSNsH5Ejld1cTStdAD2
9UZOkHXS0IXHD00iL9BP
=3SC/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4a86c696-5b06-9429-6bc1-3dd89d96a174%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Wrong timezone in VMs: where the value for qubesdb-read /qubes-timezone comes from?

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-08-31 04:48, Pablo Di Noto wrote:
> Hello,
> 
> Somewhere along the update from 3.1 to 3.2rc1 I started to have all my VMs 
> take UTC as their timezone.
> 
> dom0 has the correct "America/Argentina/Cordoba" timezone, but all VMs get 
> incorrectly set to "Argentina/Cordoba", which does not exists thus leaving 
> them at UTC.
> 
> I know may have manually set somehow the wrong timezone (without the
> required "America/" prefix) at install or update. Now all my templates get
> set to "Argentina/Cordoba", which is the value they get from "qubesdb-read 
> /qubes-timezone" at every boot by qubes-sysinit.sh script.
> 
> I cannot figure out where that values comes from and how to fix it.
> 
> Thanks in advance, ///Pablo
> 

It might be worth trying to set the locale in your TemplateVM(s). For example,
these commands should work on fedora-23 (and some other distros):

To display your currently set locale:

$ locale

To set a locale:

# localectl set-locale 

For a list of available locales:

$ localectl list-locales

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXxst9AAoJENtN07w5UDAw+0cP/RTPei1sTPFIryrOIfzn8HKE
rgi13ApkCAwD/Am7qfvrv39RHuNm1R5n/WA4qZzjgxGNV/vMaKbjgIQZeS5iqG76
WKIHy/1T66a0bvBs0A6IJ29dWtLzFguDeJTio7c/4pCrMdRFK5aMI0BlTJHssn/3
tsAGg/d4zlvTsCt9MoEeRjpIqp7EV9GTZV6+F1id1F8MEzNtYJ/Fk/LL9wyMF384
YWJxqvm/2HrzaIiMDnPepcD4BAPO6krPjfe8iFzJtfyPrKhS3wtXMqwJZ6Ed+keE
8qgtd9p4MWz4J7I+xXw/FCaB/aIWBUomSbtrKGYicGIC5o/Ghw7uzoopl7+TUvgy
6w1dBHpwYWEDqgmqxPCWKDl6KHyyV8pyM3KZ8ni5PtEcvbQxTAewun1WWvRNm+8u
9LRZYOqATWbJFkwlQ63OjRFgmYtlEZYvoY98pg2ul105FCsnmlFGyIbEJhyZOY/R
/AUJgJPU5bKMmYV6/mEolKYQcMsdzt+4WLpX1Q05iPHI/V8H357x0wA5gOxD/A6J
3DgCfl3auVbEWlCl5piWTON9D2gcETyNZQfDKSfflLXrBblIWwYe2WVrbfeRNEd3
LUWp0qmr792lvbezdUWf2Qk3gNZ4IRKBVtEyOjXFEqlHXOueu0WnOTqYQ2D4SBAp
LQEsDV4u3WwIliPdsrPT
=T+WS
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7ba970ef-9d9c-29a7-9ddd-edd626575302%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qvm-run only available from dom0?

[johnyjukya]

> On 2016-08-30 01:16, johnyju...@sigaint.org wrote:
>> Say someone compromises the dom0 encrypted drive password, and
>> then goes shuffling through the private.img file of the AppVM's to
>> get at Firefox's passwords...?  The VM itself wouldn't have to be
>> running corrupt code for that, and keeping the passwords out of
>> Firefox prevents that attack.
>>
>> (Firefox's master password could also help prevent such attack, I
>> guess. Is strong crypto used for that?  It's still a single point
>> of failure, but so is the keepass master password.  At least with
>> keyfiles and physically taking the device with me, that keepass
>> single point of failure is mitigated.)
>>
>
> Qubes is designed with the assumption that if dom0 is compromised, the
> whole system is compromised. So, from a "standard" Qubes perspective,
> it doesn't really make sense to talk about protecting Firefox
> passwords when dom0 is assumed to be compromised. If your threat model
> differs significantly from this assumption, then you may need to
> specify it in more detail.

Understood.  I think most of my security violations in the past were done
remotely, and with dom0 having no networking, that risk is quite low. 
There have been occasions where I suspected physical access and a
keylogger/camera, however.

Notwithstanding "dom0 is compromised and you're screwed," there is one
threat model where Firefox passwords are less safe, possibly:

With a hardware keylogger or an over-the-shoulder-camera, one can glom the
root disk password (and any Firefox master password).  Then when you're
out (or via a network card management mode, BIOS trojan, whatever) get
into the system, go through the .img files to find the Firefox passwords. 
All of your online passwords are revealed at that point.

If the passwords only existed in keepass on a removable USB drive, then
they're safely with you.  Even if that keylogger grabbed your keepass
password, it's no good to any attacker.  And the passwords have never been
typed, so any keylogger/camera doesn't have them.

Yes, an attacker who gets into the system could at that point plant
trojans, but if you have in place other intrusion detection mechanisms
(not necessarily just on the computer) you can be aware of that fact, and
redo the system from a backup.  Your computer may be toast, but your email
and online world is still safe.

I guess if you never typed your Firefox master password, but used keepass
for it, too, and assuming Firefox's password storage is strongly
encrypted, then your passwords are still pretty safe in case of a dom0
violation.  Whenever you start stacking "if's" like that, though, I start
feeling less secure. :)

I do know the passwords can't be stolen if they're not on the system and
have never been typed, short of the system already having been
compromised.  I don't know enough about Firefox's master password
encryption to trust it 100%.  Faulty assumptions have cost me dearly in
the past, so I try to make as few as possible these days.

> P.S. - Please keep the list CCed (unless there's a special need for
> privacy, in which case, use PGP).

I definitely will share the results with the group.  There's won't be
anything in the setup whose revelation would reduce my own security.  :) 
But I appreciate the sensitivity.

> I've noticed that you keep CCing
> "qubes-users@goog" instead of "qubes-users@googlegroups.com".

Apologies.  I'll be more careful cleaning up the To/Cc on mailing list
replies in the future.  sigaint was truncating the field, and I neglected
to notice (until the bounce).

Hey, at least I'm not still top posting.  :)

JJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/31e6bb44f35bf1ca07a10ddc3c8bb34f.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] wacom pressure?

[pixel fairy]

is there a way to turn on tilt or pressure sensitivity for pens?

using qubes 3.2rc2 with xfce (test box, not production)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a9269e09-7c4d-469b-8244-e204263be0d6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Recover VM

[katerimmel]

Hello
I have deleted a VM accidentally, is possible to recover it?
Thank you

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0ac9c468271e8818cf5ea786329f299d.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.