date:20170507

While I sometimes use the arguments “in such case e, attacker gains nothing,
because it assumes you are already compromised”, one has to be careful with
this, because compromise doesn't imply a total compromise.

A simple example (unrelated to ME) of this catch: One might think that giving
user full permissions for all the files does not decrease the security if the
user can simply sudo anything. While this is not mostly true when considering
RCE vulnerabilities (or running a trojan), it doesn't apply to
path-traversal-like vulnerability – attacker is not automatically in the
position where she can simply call sudo.

I don't know ME well, but maybe this catch also applies to ME. Note that whole
ME includes not only some persistently running chip and its firmware, it also
includes some (optional) software for the OS, which is BTW actually recommended
to be removed by the Intel's security advisory. I don't know what is it exactly
capable of, it can probably give the admin access to OS shell, and maybe
something more. (And BTW, you can see it in dom0 by lsmod.) This just
illustrates that ME is actually a complex beast and it's hard to properly
reason about it.

Regards,
Vít Šesták 'v6ak'

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/781d1b38-ec21-40c8-9779-e09f83059462%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] HDMI-related threats in Qubes OS

2017-05-07 Thread Chris Laprise

On 05/07/2017 02:14 PM, Vít Šesták wrote:

After some while of inactivity, I've made an experiment and successfully
created an HDMI “condom”. It is the most universal variant intended for
connecting a laptop to some HDMI male.

Ingredients: HDMI-male to DVI-female short cable + DVI-male to HDMI-female
adaptor, both are passive.

Price: Roughly $10 + shipping.

Measurements with ohmmeter: I picked HDMI schema from Wikipedia (and confused
male/female) and checked what pins are connected and what pins aren't. As
expected, CEC and HEAC+ pins are not connected. Surprisingly, also some (all?)
shields weren't connected. Maybe this is due to cheap nature on one or both
parts.

Validation with HDMI TV: With Qubes 3.2, video output works, while sound output
doesn't. With Fedora 25 (and hopefully also with Qubes 4), both audio and video
works. Audio output is something that should not theoretically work with pure
DVI, so I believe it actually uses HDMI.

What can be tested: I haven't has opportunity to test high-resolution output,
which is something that should not work with single-link DVI. It should
theoretically work with my HDMI “condom”, but I can offer nothing but theory
there at the moment.

Regards,
Vít Šesták 'v6ak'

Interesting. Thanks!

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/155a170a-b1a4-6f32-0c41-c0dc24624470%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Windows hanging at starting up screen (changing xen video -> cirrus not working?)

2017-05-07 Thread Drew White

> > > libvirt.libvirtError: internal error: libxenlight failed to create new 
> > > domain 'win7'

I just noticed that the VM is trying to start up "win7" yet the
domain is "win7-x64-template"

Did you change the "" content?
Did you remove or change the "" tag or content in the conf file?

Or is it an AppVM made FROM the Template?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/532dfba5-86e4-4bb1-927c-729bff83fb6d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Windows hanging at starting up screen (changing xen video -> cirrus not working?)

2017-05-07 Thread Drew White

On Monday, 8 May 2017 13:13:48 UTC+10, Gaiko  wrote:
> On Sunday, May 7, 2017 at 3:10:55 PM UTC-4, cooloutac wrote:
> > On Saturday, May 6, 2017 at 10:07:53 PM UTC-4, Gaiko wrote:
> > > No responses? Is there any more information that I could post that might 
> > > make it easier to diagnose this issue?
> > > 
> > > 
> > > For what its worth, I was able to make a non-template winVM on another 
> > > computer (before I quite understood that I could make a WinTemplate) and 
> > > then restored it onto my current computer and it works well enough, but I 
> > > really think the best model for me would be using a wintemplate if 
> > > possible, and was hoping to figure out why the intstalling win7 on this 
> > > win7-x64-template isn't working?
> > > 
> > > 
> > > Thoughts would be apprecaited.
> > > 
> > > 
> > > On Sat, Apr 29, 2017 at 10:34 AM, Gaiko Kyofusho  
> > > wrote:
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > I am trying to setup a win7 template. I started with the:
> > > 
> > > qvm-create --hvm-template win7-x64-template -l green
> > > 
> > > which seemed to work well enough, then tried to install windows (win7 pro 
> > > x64). When I try using:
> > > 
> > > qvm-start win7-x64-template --cdrom=/home/user/win7.iso
> > > 
> > > It
> > >  starts up and then hangs (I've tried leaving it overnight, no progress)
> > >  at the glowing starting windows. I then searched around and found two 
> > > posts and the github work around of
> > > 
> > > cp /var/lib/qubes/appvms/win7/win7.conf /tmp
> > > 
> > > then mod'ing the  line to cirrus then 
> > > running 
> > > 
> > > qvm-start win7-x64-template --cdrom=/home/user/win7.iso 
> > > --custom-config=/tmp/win7.conf
> > > 
> > > now I get an error:
> > > 
> > > --> Loading the VM (type = TemplateHVM)...
> > > Traceback (most recent call last):
> > >   File "/usr/bin/qvm-start", line 136, in 
> > >     main()
> > >   File "/usr/bin/qvm-start", line 120, in main
> > >    
> > >  xid = vm.start(verbose=options.verbose, 
> > > preparing_dvm=options.preparing_dvm, start_guid=not options.noguid, 
> > > notify_function=tray_notify_generic if options.tray else None)
> > >   File 
> > > "/usr/lib64/python2.7/site-packages/qubes/modules/02QubesTemplateHVm.py", 
> > > line 94, in start
> > >     return super(QubesTemplateHVm, self).start(*args, **kwargs)
> > >   File "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesHVm.py", 
> > > line 335, in start
> > >     return super(QubesHVm, self).start(*args, **kwargs)
> > >   File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", 
> > > line 1972, in start
> > >     self.libvirt_domain.createWithFlags(libvirt.VIR_DOMAIN_START_PAUSED)
> > >   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1059, in 
> > > createWithFlags
> > >     if ret == -1: raise libvirtError ('virDomainCreateWithFlags() 
> > > failed', dom=self)
> > > libvirt.libvirtError: internal error: libxenlight failed to create new 
> > > domain 'win7'
> > > 
> > > thoughts?
> > 
> > sorry man i have no experience making a win7 template only hvm.  There is a 
> > guy around here named Drew white who has experience doing this maybe you 
> > can message him.
> 
> No worries, thanks for letting me know. I will probably try tinkering a bit 
> more and hold off bugging Drew, if figure if he hasn't answered then he 
> probably has a reason. Cheers.



This is an odd one.
Sometimes it just means your computer needs to be rebooted.
Since they are using SystemD for Qubes, that there has many inherent issues. 
They are using a version of Linux that is becoming Windows similar, as in 
everything controlled by the kernel instead of everything being separate.
Thus if there is an issue in SystemD, then everything falls in a heap.

So if that doesn't work, then there is another issue.

If you leave the config as normal, but in the Guest Settings, set RAM to 2048 
Mb and CPUs to 2. Then try starting.

This setup works for me almost 100% of the time.

If it doesn't, then remove the Guest from the Manager, and create a brand new 
one and do another install.

The reason I say this is because the config may have had something go wrong 
using install. Personally, I've only ever had that error when the Guest has not 
cleanly removed itself from Xen.

Because the Domain already exists, it can't be created again.
So give it a different name for the new template, then copy the root.img and 
private.img from the old windows template, and try booting it. if it works 
,then it's the Qubes-Xen interface that has an issue and has not cleared the 
Domain from the system properly on shutdown.

(This also happens for other guests, not just Windows)

FYI, Win7.. Give it 2048 MB RAM assignment, NOT Balanced...
And 2 VCPUs too. that's a must. (at least to begin with)

If that doesn't work, then please enable debugging mode, and upload the logs 
for me to analyse please.
Then we will see where we go from there.

-- 
You received

[qubes-users] Re: Windows hanging at starting up screen (changing xen video -> cirrus not working?)

2017-05-07 Thread Gaiko

On Sunday, May 7, 2017 at 3:10:55 PM UTC-4, cooloutac wrote:
> On Saturday, May 6, 2017 at 10:07:53 PM UTC-4, Gaiko wrote:
> > No responses? Is there any more information that I could post that might 
> > make it easier to diagnose this issue?
> > 
> > 
> > For what its worth, I was able to make a non-template winVM on another 
> > computer (before I quite understood that I could make a WinTemplate) and 
> > then restored it onto my current computer and it works well enough, but I 
> > really think the best model for me would be using a wintemplate if 
> > possible, and was hoping to figure out why the intstalling win7 on this 
> > win7-x64-template isn't working?
> > 
> > 
> > Thoughts would be apprecaited.
> > 
> > 
> > On Sat, Apr 29, 2017 at 10:34 AM, Gaiko Kyofusho  
> > wrote:
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > I am trying to setup a win7 template. I started with the:
> > 
> > qvm-create --hvm-template win7-x64-template -l green
> > 
> > which seemed to work well enough, then tried to install windows (win7 pro 
> > x64). When I try using:
> > 
> > qvm-start win7-x64-template --cdrom=/home/user/win7.iso
> > 
> > It
> >  starts up and then hangs (I've tried leaving it overnight, no progress)
> >  at the glowing starting windows. I then searched around and found two 
> > posts and the github work around of
> > 
> > cp /var/lib/qubes/appvms/win7/win7.conf /tmp
> > 
> > then mod'ing the  line to cirrus then 
> > running 
> > 
> > qvm-start win7-x64-template --cdrom=/home/user/win7.iso 
> > --custom-config=/tmp/win7.conf
> > 
> > now I get an error:
> > 
> > --> Loading the VM (type = TemplateHVM)...
> > Traceback (most recent call last):
> >   File "/usr/bin/qvm-start", line 136, in 
> >     main()
> >   File "/usr/bin/qvm-start", line 120, in main
> >    
> >  xid = vm.start(verbose=options.verbose, 
> > preparing_dvm=options.preparing_dvm, start_guid=not options.noguid, 
> > notify_function=tray_notify_generic if options.tray else None)
> >   File 
> > "/usr/lib64/python2.7/site-packages/qubes/modules/02QubesTemplateHVm.py", 
> > line 94, in start
> >     return super(QubesTemplateHVm, self).start(*args, **kwargs)
> >   File "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesHVm.py", 
> > line 335, in start
> >     return super(QubesHVm, self).start(*args, **kwargs)
> >   File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", 
> > line 1972, in start
> >     self.libvirt_domain.createWithFlags(libvirt.VIR_DOMAIN_START_PAUSED)
> >   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1059, in 
> > createWithFlags
> >     if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', 
> > dom=self)
> > libvirt.libvirtError: internal error: libxenlight failed to create new 
> > domain 'win7'
> > 
> > thoughts?
> 
> sorry man i have no experience making a win7 template only hvm.  There is a 
> guy around here named Drew white who has experience doing this maybe you can 
> message him.

No worries, thanks for letting me know. I will probably try tinkering a bit 
more and hold off bugging Drew, if figure if he hasn't answered then he 
probably has a reason. Cheers.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa47b56d-83b9-46b2-a9a8-c51f6b06b755%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: cp/mv from win7VM to other VMs?

2017-05-07 Thread Drew White

On Sunday, 30 April 2017 05:25:52 UTC+10, Gaiko  wrote:
> On Friday, April 28, 2017 at 9:58:48 PM UTC-4, Reg Tiangha wrote:
> > On 04/28/2017 07:45 PM, Gaiko Kyofusho wrote:
> > > Appologies if this is obvious but I only saw it was "possible" in the
> > > docs and assumed that I would have the option to cp/mv to another
> > > AppVM in the context menu but it seems that I don't have that in my
> > > win7VM? I believe I went through the windows tools installation
> > > correctly, and I can cp/mv things *into* my win7VM just not out of...
> > > am I missing something?
> > > -- 
> > >
> > The option is buried in the "Send To" menu when you right-click on a file.
> 
> Thanks for the response.
> 
> It seems that its not there either, under the send to menu there seems to be 
> the regular: compress files, desktop, documents, mail
> 
> nothing else... thoughts?

Turn on debug mode, run up, check logs to see if anything has started and 
failed to complete starting. Services could be failing.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/30c039c6-70b4-45a6-9eb2-27d2dac05a84%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: No network connection v2

2017-05-07 Thread babel

On Saturday, May 6, 2017 at 7:38:16 PM UTC+2, menthols wrote:
> Today installed Qubes 3rd release, but no network connection. Spent hours 
> trying to fix it, but to no avail. Network card is recognized. I have two 
> cables connected, no WiFi. I try to put qubes on Dell poweredge, Intel Xeon 
> e3, 8 GB RAM, Broadcom NetXtreme Gigabit Ethernet PCIe, two 1 TB harddrives. 
> I used option "Test and install" at installation, no error message. I have 
> choosed both harddisks at install, hope there is someway to configure the 
> soft raid. Before tried to install other Linux flavors before (Debian-8 and 
> Fedora-23) and none of them had any trouble connecting to the internet 
> immediately (updates downloaded during install). Maybe need to activate some 
> more PCI devices. What's the best I can do? Wait for the next release? Buy 
> another machine? ;-)
> 
> 
> Opened netvm terminal and checked the following things: 
> 
> 1. Does 'lspci' list your network adapter?  
> Yes, i've tried both debian-8 and fedora-23 both list the network cards.
> 
> 2. Do you have interface detected (does 'ifconfig -a' contains en* device)? 
> No, none of them detect the interface using ifconfig.
> 
> 3. Does kernel messages ('dmesg') contains some errors regarding network 
> device initialization? 
> No, there is no message regarding network at all.
> 
> 4. Check if linux-firmware package is installed (rpm -q linux-firmware).
> Yes it is installed.
> 
> 
> Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit Ethernet 
> PCIe

Same here on a NUC7i3bn...
check 
lspci -nnk
which was shoowing me that the kernel modules for both the ethernet port 
(i219-v intel gigabit ethernet controller) and the 8265 wireless module were 
not loading.  
Sorry to disappoint you, but I still haven't found a solution.  If you have the 
same problem and find a solution, please let me know.  

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9d70cbc1-ec54-43aa-83fd-ee4b82c15b6b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] OpenWhisper Systems Signal not quite right in Qubes 3.2/Fedora23/Chromium

2017-05-07 Thread Neal Rauhauser



I installed Qubes 3.2 on a Dell Precision M4600 (slick) and I've been trying to 
migrate a portion of my day to day work to it.


I have many contacts who use Open Whisper Systems Signal App for communication. 
I've used the Google Chrome extension on both OSX and Linux without any 
troubles.

Using a Fedora 23 VM I found Chrome installs to be clumsy, while yum install 
chromium just works. The Signal Chrome App installs and runs, but the directory 
function is broke. Existing conversations are fine, but they are with phone 
numbers rather than names, and I can't look up any other contacts to initiate 
conversations, I have to wait for them to come to me.

Has anyone else already resolved this problem? This is a "beachhead issue" for 
me - if I can get Signal going, I can switch a good sized chunk of what I do to 
Qubes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c11e4772-95a3-4635-97d6-249ce6f6a24c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to get trusted iso?

On Sunday, May 7, 2017 at 5:06:14 PM UTC-4, Jean-Philippe Ouellet wrote:
> On Sun, May 7, 2017 at 2:41 PM, cooloutac  wrote:
> > On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote:
> >> On 05/01/2017 02:33 PM, cooloutac wrote:
> >> > I know I can't buy one, so how do I get an a fresh iso if my machine
> >> > is compromised?  Obviously,  someone more prudent would of kept their
> >> > original iso on dedicated usb stick. But I was too cheap.
> >>
> >> I'll go out on a limb and say that Qubes is more about defending against
> >> oncoming threats.
> >>
> >> Pre-existing compromise creates a dilemma for the user, who can
> >> pragmatically try to minimize further compromise by degrees. For
> >> instance, burn a DVD and then verify it on multiple machines (incl.
> >> different architectures). This is not unlike trying to validate the
> >> authenticity of a PGP key using different network channels (not quite
> >> "out of band" but possibly effective).
> >>
> >> >
> >> > So what happens if that was not done,  or how can someone get a
> >> > trusted iso for the first time in the first place?  Is just checking
> >> > key signatures and using dd on a compromised machine enough? I
> >> > imagine that would be dangerous.
> >> >
> >> > Thanks for any suggestions.
> >>
> >> Since you will probably want to start with Qubes on a non-compromised
> >> machine, I suggest to download and verify using that.
> >>
> >> --
> >>
> >> Chris Laprise, tas...@openmailbox.org
> >> https://twitter.com/ttaskett
> >> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> >
> > this post makes me think about healthcare debate lol.  last to universal 
> > healthcare is also last to end slavery. not a coincidence.
> >
> > But ya i'll go out on a limb and say most of us are using Qubes cause we 
> > were already compromised before,  and we are using it still believing we 
> > will be compromised in the future.
> >
> > If there is no way to get a trusted iso there is no point in using Qubes.
> 
> I am not aware of any mechanism by which to have a 100% guarantee, but
> then... do you really need one?
> 
> At some point, you just have to say "well... good enough". Even if you
> were to buy install media, as you suggest, how are you sure your
> physical mail wasn't intercepted?
> 
> I believe the "create read-only media and verify it on diverse
> machines" approach should be sufficient. Breaking it should require
> either some rather versatile exploit for something along the
> (hopefully diverse) set of components involved in reading & verifying
> the media from the multiple systems you use to check it, or for all of
> those machines to be independently targeted, possibly with advance
> knowledge of the DVD you're about to try to verify. IMO that's
> sufficiently unlikely to be worth worrying about.

I think the least likely thing to happen is my physical mail gets intercepted. 
(unless by the gov't or police)

Far more likely criminals and peeping toms have all my machines compromised and 
have advance knowledge i'm going to download Qubes.  Also  far more likely my 
hardware is compromised as well.  I never blame the gov't,  cause they usually 
don't try to destroy computers or steal money from people.

So if I build a new machine and can't buy a Qubes iso,  i'll be ordering 
windows 10 and i'm not going to bother installing Qubes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/16653a78-2b39-4fb8-bab2-18b6442fb7b6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HCL - Dell XPS 15 9560

2017-05-07 Thread 3k

> However, after updating dom0 things seem to have turned to worse. The 
> graphics have taken a hit and I can observe serious lag. Did you face similar 
> glitches?

I think you should upgrade the kernel to 4.8, use:
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm 
--best --allowerasing
(source: https://www.qubes-os.org/doc/software-update-dom0/)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/64b27250-bf75-4ee4-940b-7cf945da840a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Youtube/Video Problem

On 05/07/2017 07:07 PM, cooloutac wrote:
> there is also vlc plugin for firefox browser. vlc uses its own codecs
> don't think it installs anything for systemwide. You have to install
> gstreamer packages for that. Although you shouldn't need to to for
> youtube, but i had to install gstreamer1-libav to play mp4 streams,
> maybe installing some codecs would help you also even though you
> shouldn't have to.
> This happens in all vms? 

This has to be an unrelated-to-codecs problem, because YouTube knows to
serve HTML video + WebM to YouTube.

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a29f2d35-88f3-24b3-2f9b-f00f8f4acbe1%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [qubes-devel] Re: QSB #30: Critical Xen bugs related to PV memory virtualization (XSA-213, XSA-214)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-05-07 16:48, Adrian Jeleń wrote:
> 
>> 
>> 
>> 
> W dniu wtorek, 2 maja 2017 14:10:12 UTC+2 użytkownik Andrew David
> Wong napisał:
>> 
>> For Qubes 3.2: - Xen packages, version 4.6.5-27
>> 
>> The packages are to be installed in dom0 via the
>> qubes-dom0-update command or via the Qubes VM Manager.
>> 
>> A system restart will be required afterwards.
>> 
> 
> 
> I've just tried to install updates but something doesn't work. It
> says that package xen-2001:4.6.4-26.fc23.x86_64 is already
> installed (skipping). Is it available for repos enabled by default
> (fedora, updates or qubes-dom0-current)?
> 

It probably just hasn't landed in stable yet.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJZD6lHAAoJENtN07w5UDAwNXAP/j1UsOzY3l7/VGa4RSiRakFe
o+hGHkX1P+BdsSFrVebq4GpdsKxB/Yfcx2mb7V1VCJpUql78o8BSh0YW5MRIeNsm
FSRZkILf206llRXqNSCP7xRGmcPQUB4HJfgUlokWxN1wUXyu/MwREjv8Pv6tBRvn
NrkJ1eGbxyhYpOMc+7uQxj5uE9CyPHRXhAUJFxfl6Z29VKo1ykdCnBiYrRHE6ZWT
y4jI5kBkLSSE5XRJBVLahSSkf8W1145hZ/K+MAJoQ6Rq7Xy5HV+ZnOz1HKV6ynlD
ZROxquCD8gjX1nAXNsHGKFP18pGbHhM4ufVR8WVh+yrVNIsS6S9hBDJvLsd+wpRx
rMyQLHuvWg9AlDDV7+Pqa5IQZTt1x3wN/miWjmEQPXni2m4y1ALUoPDM8oM9WmaO
OI4nKF5QjJ0GDqErvI9qPr+oIeQn/rQ3bemsVsf8UPMruONmDRDkP7gwSZTjy660
TRb0YxbCKInznOqO9rZVv29eAm/BzuklbCNsnmwHoS5ZfJhCCaH1kEtbkV4gcdR+
/sLA/mo+hgokvm45ch+IQ+CT0CkJ61JAZzKT1Wum3jVfXc00a0BSX8YlNOhkI9Ew
FTJYBuKl8YCwSTvk29olV22umtZQNivLBsWFbVk7wDUNaCay7hpww/uG9AX6Z+2t
QyIctqI4nspLNW2j6aJB
=KxSx
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/92aa881a-6b17-e4c7-3d3a-acaaff5b5508%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: First stab at installing qubes 3.2 - Couple of issues.

2017-05-07 Thread devrana

Patrick - I couldn't wait until evening.  :)

Your suggestion worked miracles.  Only point: install, then reboot with VT-d 
_off_ and complete the setup process.  When that's done, follow the 
instructions in your link.

Now looking at the HCL, it's woefully out of date for this machine.  What 
doesn't appear to have ever gotten clear is whether the TPM works with Qubes.  
If you've got any pointers, great.  Otherwise, I'll go digging!

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2877c2e5-1647-4eb6-bcaa-2ee809321222%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Floating windows appear below base windows

2017-05-07 Thread Andrew Morgan

After some time, floating windows (such as right-click menus or the
downloads panel in Firefox) become seemingly invisible. They still pop
up and you can click the items within them, you just cannot see what
you're clicking. It turns out that these floating windows are actually
being rendered behind the base window.

Re-opening the base window (or in the case of Firefox a new browser
window) will cause all floating windows spawned from the new instance to
be rendered in the foreground, while the old ones will still be hidden.

This has caused me to often have to open a new browser window and moving
the tab over from the old one to copy links and save images.

It only happens after a certain period of time, but happens across
different AppVMs. I am running i3-qubes, and my i3 config can be found
here: http://ix.io/t1T

Anyone else having a similar issue or know what might be causing it?

Andrew Morgan

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/oeo3us%24ju2%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] Re: Intel ME exploitable

2017-05-07 Thread taii...@gmx.com


On 05/07/2017 03:21 PM, Manuel Amador (Rudd-O) wrote:


Local exploit can talk to the ME via PCI and SMBus.  Only from dom0.

Remote exploit only good against machines with vPro (check your CPU SKU
at the Intel database — I explicitly bought systems without that shit)
because vPro is the prerequisite technology for AMT.  If your machine
does not have AMT / vPro, it cannot be exploited remotely because it is
not listening over network cards.

That isn't entirely true.

The difference between vpro or not vpro is just a different ME image, 
thats it. the nics still have the ability to listen they just aren't 
openly doing it.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4b9f0b56-4278-b5e3-9b27-46d0ff3a3a7c%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: FYI: don't install with username "qubes"...

2017-05-07 Thread Eric Duncan

Humm.  Thanks, but a simple validation error would have sufficed.  :)

I was wondering where to add bugs.  I'll do i there from now on.  

On Saturday, May 6, 2017 at 12:34:15 AM UTC-4, Andrew Morgan wrote:
> On 05/05/2017 04:32 PM, Eric Duncan wrote:
> > ...because after waiting nearly two hours to install onto a USB stick, 
> > you'll get an error at the very end stating the Python script had an error 
> > and installation has been halted.
> > 
> > Error message: can't create user. user already exists (something like that)
> > 
> > I actually went through three installations on two USB sticks until I dug 
> > in to see what the error was.  
> > 
> > It would be nice if the installer stated not to use "qubes" as the username 
> > when creating a user (better yet, have validation that prevents going 
> > forward with that username).  :)  
> > 
> 
> That sounds like a bad bug, but one that can be remedied pretty easily.
> 
> I've created an issue in QubesOS/qubes-issues for this here:
> https://github.com/QubesOS/qubes-issues/issues/2793
> 
> Andrew Morgan

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2d62ddd9-6b15-4ab2-84b9-b75a47ca8169%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to get trusted iso?

2017-05-07 Thread Jean-Philippe Ouellet

On Sun, May 7, 2017 at 2:41 PM, cooloutac  wrote:
> On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote:
>> On 05/01/2017 02:33 PM, cooloutac wrote:
>> > I know I can't buy one, so how do I get an a fresh iso if my machine
>> > is compromised?  Obviously,  someone more prudent would of kept their
>> > original iso on dedicated usb stick. But I was too cheap.
>>
>> I'll go out on a limb and say that Qubes is more about defending against
>> oncoming threats.
>>
>> Pre-existing compromise creates a dilemma for the user, who can
>> pragmatically try to minimize further compromise by degrees. For
>> instance, burn a DVD and then verify it on multiple machines (incl.
>> different architectures). This is not unlike trying to validate the
>> authenticity of a PGP key using different network channels (not quite
>> "out of band" but possibly effective).
>>
>> >
>> > So what happens if that was not done,  or how can someone get a
>> > trusted iso for the first time in the first place?  Is just checking
>> > key signatures and using dd on a compromised machine enough? I
>> > imagine that would be dangerous.
>> >
>> > Thanks for any suggestions.
>>
>> Since you will probably want to start with Qubes on a non-compromised
>> machine, I suggest to download and verify using that.
>>
>> --
>>
>> Chris Laprise, tas...@openmailbox.org
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>
> this post makes me think about healthcare debate lol.  last to universal 
> healthcare is also last to end slavery. not a coincidence.
>
> But ya i'll go out on a limb and say most of us are using Qubes cause we were 
> already compromised before,  and we are using it still believing we will be 
> compromised in the future.
>
> If there is no way to get a trusted iso there is no point in using Qubes.

I am not aware of any mechanism by which to have a 100% guarantee, but
then... do you really need one?

At some point, you just have to say "well... good enough". Even if you
were to buy install media, as you suggest, how are you sure your
physical mail wasn't intercepted?

I believe the "create read-only media and verify it on diverse
machines" approach should be sufficient. Breaking it should require
either some rather versatile exploit for something along the
(hopefully diverse) set of components involved in reading & verifying
the media from the multiple systems you use to check it, or for all of
those machines to be independently targeted, possibly with advance
knowledge of the DVD you're about to try to verify. IMO that's
sufficiently unlikely to be worth worrying about.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_BVJXvF5SPtc%2BARSAA9j_ZSpE1tKrO1_y7Yv2tva%3DYbsg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Intel ME exploitable

On 05/02/2017 05:25 AM, Vít Šesták wrote:
> * There seems to be some MEI PCI device (see lspci | grep -i mei) in dom0 and 
> /dev/mei0. I am not sure how all the parts (network stack, MEI PCI device, 
> MEI software for OS and management while offline) are connected together. I 
> am also unsure if having it in dom0 is good (i.e., it prevents passing 
> malicious inputs to it) or bad (i.e., it adds attack surface). The safest 
> approach seems to be attaching it to /dev/null with IOMMU (VT-d) isolation. 
> Just crerating an autostarted (and maybe also autoshutdown) 
> network-disconnected dummy VM with all ME-related PCI devices should do the 
> trick. The VM would be trusted not to pass any malicious input to MEI, but it 
> would not be trusted for anything else (so that it could absorb attack from 
> MEI). I am unsure if this adds some actual protection or if it is totally 
> hopeless.

I remember a few days ago reading that you can talk to ME via SMBus, and
that is in fact the way ME talks to other components when the system is
off and therefore can't talk over PCI.  PCI is obviously another way to
talk to ME.

Keeping them in dom0 won't hurt anything.  The fact that ME cannot be
exploited locally from a VM (assuming the Qubes OS security model holds)
is enough to protect you from local exploits.  In case of successful
exploitation. the ME has full access to RAM in any case, so moving them
to another VM won't give you any extra security.

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/21446e90-3336-4d91-2249-9c60123a2b04%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Intel ME exploitable

On 05/02/2017 05:25 AM, Vít Šesták wrote:
> Some notes:
>
>
> * I wonder what is the technical distinction between home and SMB/Enterprise. 
> Is it vPro?

I deduced this in the affirmative a few years ago by comparing the SKUs
for various Intel products, and whether they had vPro.


-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/163291d6-af6e-50b4-6781-95c6c1e331b2%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Intel ME exploitable

On 05/01/2017 05:26 PM, Vít Šesták wrote:
> AFAIU, if https://ark.intel.com/ shows “Intel® vPro™ Technology: no”, then 
> the particular CPU is safe. But I am not 100% confident in vPro and related 
> technologies, so I might be wrong. Can someone confirm/deny this claim?

That has been my experience as well.

The typical test is to see if DHCP requests come out of your machine's
network port after it has been "powered off" (it is well known that the
CPU running the ME is separate and doesn't power off).

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2d52e0e2-2c62-c029-d56f-b30ba0bb9612%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Intel ME exploitable

On 05/01/2017 05:14 PM, Reg Tiangha wrote:
> On 05/01/2017 10:38 AM, Jean-Philippe Ouellet wrote:
>> *Sigh*... Yep. We were right to be concerned (of course). And now we
>> have something other than our tin foil hats to point at too:
>>
>> https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/
>>
>> I want my RISC-V laptop already!
>>
> I don't know if it helps things, but I recently disabled the
> CONFIG_INTEL_MEI, CONFIG_INTEL_MEI_ME, and CONFIG_INTEL_MEI_TXE kernel
> options in my kernel branches as soon as I was made aware of their
> existence. My hope is that the ME hardware can't be exploited using
> those methods if they don't exist in the kernel in the first place; that
> someone would have to find another way. But again, I have no idea if
> that's useful or not. For what it's worth, my systems still boot and run
> properly, but the newest machine I have access to is of the Sandy Bridge
> era; I have no idea if newer machines actually need those options baked
> into the kernel in order to run. Can anyone advise?

Local exploit can talk to the ME via PCI and SMBus.  Only from dom0.

Remote exploit only good against machines with vPro (check your CPU SKU
at the Intel database — I explicitly bought systems without that shit)
because vPro is the prerequisite technology for AMT.  If your machine
does not have AMT / vPro, it cannot be exploited remotely because it is
not listening over network cards.

A quick test: connect your machine physically to a router, start
tcpdumping on the router, then power it off.  Do you see DHCP requests
being emitted on the port of the router where your machine is
connected?  If so, then you're screwed.

>
> https://github.com/rtiangha/qubes-linux-kernel
>
> Also, if anyone has any other ideas on kernel options to disable for
> various security concerns (ME related or not), let me know. For the
> moment, I've implemented almost all of the KSPP's recommended settings
> that are applicable to a certain kernel branch, except for the ones
> about loadable modules since I don't know how it affect u2mfn or any
> other user-compiled kernel modules a Qubes user may want to install. I
> haven't encountered any issues on my machines (or at least, any that
> I've noticed), but those could use more testing as well:
>
> https://github.com/rtiangha/qubes-linux-kernel
>
KSPP is good, but it will not protect you from the attack, because the
attack runs *on a different CPU within your machine, which is always on,
even when the machine is off*.

Yes, it's THAT bad.

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0361826c-468c-74a5-bd75-0701cd022ab1%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Windows hanging at starting up screen (changing xen video -> cirrus not working?)

On Saturday, May 6, 2017 at 10:07:53 PM UTC-4, Gaiko wrote:
> No responses? Is there any more information that I could post that might make 
> it easier to diagnose this issue?
> 
> 
> For what its worth, I was able to make a non-template winVM on another 
> computer (before I quite understood that I could make a WinTemplate) and then 
> restored it onto my current computer and it works well enough, but I really 
> think the best model for me would be using a wintemplate if possible, and was 
> hoping to figure out why the intstalling win7 on this win7-x64-template isn't 
> working?
> 
> 
> Thoughts would be apprecaited.
> 
> 
> On Sat, Apr 29, 2017 at 10:34 AM, Gaiko Kyofusho  
> wrote:
> 
> 
> 
> 
> 
> 
> 
> 
> I am trying to setup a win7 template. I started with the:
> 
> qvm-create --hvm-template win7-x64-template -l green
> 
> which seemed to work well enough, then tried to install windows (win7 pro 
> x64). When I try using:
> 
> qvm-start win7-x64-template --cdrom=/home/user/win7.iso
> 
> It
>  starts up and then hangs (I've tried leaving it overnight, no progress)
>  at the glowing starting windows. I then searched around and found two 
> posts and the github work around of
> 
> cp /var/lib/qubes/appvms/win7/win7.conf /tmp
> 
> then mod'ing the  line to cirrus then 
> running 
> 
> qvm-start win7-x64-template --cdrom=/home/user/win7.iso 
> --custom-config=/tmp/win7.conf
> 
> now I get an error:
> 
> --> Loading the VM (type = TemplateHVM)...
> Traceback (most recent call last):
>   File "/usr/bin/qvm-start", line 136, in 
>     main()
>   File "/usr/bin/qvm-start", line 120, in main
>    
>  xid = vm.start(verbose=options.verbose, 
> preparing_dvm=options.preparing_dvm, start_guid=not options.noguid, 
> notify_function=tray_notify_generic if options.tray else None)
>   File 
> "/usr/lib64/python2.7/site-packages/qubes/modules/02QubesTemplateHVm.py", 
> line 94, in start
>     return super(QubesTemplateHVm, self).start(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesHVm.py", line 
> 335, in start
>     return super(QubesHVm, self).start(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 
> 1972, in start
>     self.libvirt_domain.createWithFlags(libvirt.VIR_DOMAIN_START_PAUSED)
>   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1059, in 
> createWithFlags
>     if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', 
> dom=self)
> libvirt.libvirtError: internal error: libxenlight failed to create new domain 
> 'win7'
> 
> thoughts?

sorry man i have no experience making a win7 template only hvm.  There is a guy 
around here named Drew white who has experience doing this maybe you can 
message him.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/96f6a327-0ee5-407d-9ea7-aa77d029edd9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Apps not starting on the first try

On Sunday, May 7, 2017 at 11:48:17 AM UTC-4, tel wrote:
> On Sat, May 06, 2017 at 10:41:04PM -0400, Chris Laprise wrote:
> > On 05/06/2017 12:30 PM, Todd Lasman wrote:
> > >
> > >-BEGIN PGP SIGNED MESSAGE-
> > >Hash: SHA256
> > >
> > >This seems to be a new issue on a recent reboot.
> > >
> > >If I try to run a program from a VM that's not yet running, the VM
> > >starts as expected, but the program never runs. Even after the VM is up
> > >and running, I can't get any program to run in that VM. Even opening a
> > >window in dom0 and using the qvm-run command does nothing.
> > >
> > >However, if I kill the VM, the next time I try to run a program (which
> > >reopens the VM), it works perfectly.
> > >
> > >Any thoughts on troubleshooting this?
> > >
> > >Thanks.
> > 
> > This is a long-term issue and the reports usually center around nautilus
> > (Files) because that it the most prone to the behavior.
> > 
> > See https://github.com/QubesOS/qubes-issues/issues/2449
> > 
> > I believe its caused by gnome expecting some session-related daemon to be
> > already running when it tries to start a program.
> > 
> > -- 
> > 
> > Chris Laprise, tas...@openmailbox.org
> > https://twitter.com/ttaskett
> > PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> > 
> > -- 
> > You received this message because you are subscribed to the Google Groups 
> > "qubes-users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to qubes-users+unsubscr...@googlegroups.com.
> > To post to this group, send email to qubes-users@googlegroups.com.
> > To view this discussion on the web visit 
> > https://groups.google.com/d/msgid/qubes-users/8edee868-fc2b-e0d6-3ec2-0ebf3b1ee684%40openmailbox.org.
> > For more options, visit https://groups.google.com/d/optout.
> 
> Thanks. For some reason, I don't remember this happening in the past,
> but I could be wrong. I'll be patient.
> 
> Todd

Yes it happens to me alot for a while now.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d667babf-a0bb-4d63-9e76-2f9101be3b0c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Youtube/Video Problem

On Sunday, May 7, 2017 at 3:00:23 PM UTC-4, cooloutac wrote:
> On Thursday, May 4, 2017 at 12:33:18 AM UTC-4, Qubr wrote:
> > I've tried on Debian 8 and Fedora 23, then upgraded to Fedora 24 and still 
> > no dice. I tried Youtube, Vimeo, and Dailymotion in Firefox and Chrome. All 
> > of them play ony 1 or 2 frames then the video stops. Same as before, I am 
> > able to skip to different parts of the video but never play.
> > 
> > 
> > 
> > I was able to play a local video in vlc on both Debian and Fedora without a 
> > problem. And flash is not enabled. I thought maybe I was missing some libs, 
> > but I would think installing vlc would have brought everything in that I 
> > needed.
> 
> what if you try that html only youtube extension and see if that works for 
> the hell of it, even though you have flash disabled and it should be doing 
> that in the browser, worth a shot.

there is also vlc plugin for firefox browser.  vlc uses its own codecs don't 
think it installs anything for systemwide.   You have to install gstreamer 
packages for that.  Although you shouldn't need to to for youtube,  but i had 
to install gstreamer1-libav to play mp4 streams,  maybe installing some codecs 
would help you also even though you shouldn't have to.

This happens in all vms? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dbf13779-4227-4cb0-af82-5cc9d0a3e2c2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Youtube/Video Problem

On Thursday, May 4, 2017 at 12:33:18 AM UTC-4, Qubr wrote:
> I've tried on Debian 8 and Fedora 23, then upgraded to Fedora 24 and still no 
> dice. I tried Youtube, Vimeo, and Dailymotion in Firefox and Chrome. All of 
> them play ony 1 or 2 frames then the video stops. Same as before, I am able 
> to skip to different parts of the video but never play.
> 
> 
> 
> I was able to play a local video in vlc on both Debian and Fedora without a 
> problem. And flash is not enabled. I thought maybe I was missing some libs, 
> but I would think installing vlc would have brought everything in that I 
> needed.

what if you try that html only youtube extension and see if that works for the 
hell of it, even though you have flash disabled and it should be doing that in 
the browser, worth a shot.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/75ab6726-a9cb-4af6-a700-5d7c66fe7686%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] ANN: qubes-pass for Ansible — an Ansible lookup plugin for Qubes pass integration

Building on https://github.com/Rudd-O/qubes-pass, the new Ansible Qubes
Pass lookup plugin allows you to create Ansible playbooks and roles that
integrate seamlessly with your Qubes OS pass store.

Check it out at
https://github.com/Rudd-O/ansible-qubes/tree/master/lookup_plugins

Enjoy!

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8a000fc5-01fa-3762-381e-7cb16334ff79%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

On 05/07/2017 05:23 PM, Andrew David Wong wrote:
>
> I prefer the security of qvm-backup[-restore], since it allows me to
> keep the vault and its contents permanently offline. The entire VM is
> BZIP compressed, AES-256 encrypted, and HMAC-SHA512 authenticated. The
> integrity verification, authentication, and decryption all happen at
> the dom0 level. The backup is tiny, so the storage overhead is
> inconsequential, and there's no need to worry about file-level
> metadata leakage or the backup file itself being used as an attack
> vector. KeePassX has sufficient built-in versioning for me, and it's
> easy enough to sync Qubes backups across machines with simple scripts.

Git push takes 5 seconds.

qvm-backup requires anywhere between minutes and many hours. 
Additionally, it requires the target VM be off.

Weekly backups are served okay by qvm-backup (I say "okay" because I
have a borg backup setup on my Qubes OS system, and it's far more usable
and performant than qvm-backup).  Git push is much better suited to,
say, syncing your keyring to other systems.

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6da3112a-4873-bc02-4cac-34bf329c4a63%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

On 05/07/2017 03:23 PM, Andrew David Wong wrote:
> On 2017-05-07 10:10, nickl...@kulinacs.com wrote:
> > What benefit does this have over simply ysing
> > qubes-split-gpg-client-wrapper, like done here:
> > https://github.com/kulinacs/pass-qubes It seems like a lot of
> > overhead for not a lot of gain.
>
> > On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)"
> >  wrote:
> >> Building on the excellent pass (https://passwordstore.org), it
> >> gives me great pleasure to announce the initial release of
> >> qubes-pass — an inter-VM password manager and store for Qubes
> >> OS.
> >>
> >> Check it out here!
> >>
> >> https://github.com/Rudd-O/qubes-pass
> >>
>
> What are the advantages of either of these over the traditional Qubes
> model of having a normal password manager in a vault VM and using the
> inter-VM clipboard to copy/paste passwords out of it?
>

These programs do not require user interaction as long as the policies
are properly configured.  Thus, they are extremely useful for batch
processes or system orchestration purposes.

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e8f22638-8944-b0c4-57f6-e962350fdb8b%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Multi Boot Question

On Saturday, May 6, 2017 at 12:39:29 AM UTC-4, Patrick Bouldin wrote:
> I was attempting to go by the instructions here:
> https://www.qubes-os.org/doc/multiboot/
> 
> Confused on which instructions to execute. First, I repartitioned, then 
> installed Windows 7 - it booted fine. Then I installed Qubes on the other 
> position - and Qubes now boots fine to that partition. With that in mind, do 
> I follow the instructions under Windows or Linux on the guidelines?
> 
> And, if I'm to use the Windows instructions, then when doing a blkid in order 
> to get the volume for windows and substituting that name into the X in the 
> "ntldr (hd1,X)/bootmgr" line of the /etc/grub.d/40_custom  file - I am 
> unclear as to what to use there. If I blkid I see this: 
> 
> /dev/sdal: LABEL="System Reserved" UUID="lotsOfcharacters", and then type, 
> and then PARTUUID="othercharacters".  So, which do I want for the X 
> substitution. Either way upon boot I get "error: hd1 cannot get C/H/S values"
> 
> Thank you,
> Patrick

If you figure out I would be interested to know.  i installed debian just to 
use it as triple boot grub manager lol

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d7c8994d-e230-423c-aba2-d75beec49eff%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

On 05/07/2017 03:10 PM, nickl...@kulinacs.com wrote:
> What benefit does this have over simply ysing
> qubes-split-gpg-client-wrapper, like done here:
> https://github.com/kulinacs/pass-qubes
> It seems like a lot of overhead for not a lot of gain.

 1. The actual store is stored in a separate VM.  It is never decrypted
in the VM you manage the passwords from.
 2. You do not need to set up your own GPG key, as `qvm-pass init` does
it for you.
 3. There are two different services — one for read-only access and one
for read-write.
 4. There is a get-or-generate feature which is useful for stuff like
https://github.com/Rudd-O/ansible-qubes/tree/master/lookup_plugins


>
> On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)"
>  wrote:
>
> Building on the excellent pass (https://passwordstore.org), it gives me
> great pleasure to announce the initial release of qubes-pass — an
> inter-VM password manager and store for Qubes OS.
>
> Check it out here!
>
> https://github.com/Rudd-O/qubes-pass
>
>
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity. --
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to qubes-users+unsubscr...@googlegroups.com
> .
> To post to this group, send email to qubes-users@googlegroups.com
> .
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/0A765A21-F411-4015-B9C2-790508B1A0C1%40kulinacs.com
> .
> For more options, visit https://groups.google.com/d/optout.


-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c8fc3adc-5fce-46de-05e5-d0aa2946ed6b%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Experiencing intermittent hangs?

On Sunday, May 7, 2017 at 2:50:39 PM UTC-4, cooloutac wrote:
> On Saturday, May 6, 2017 at 10:56:57 AM UTC-4, cubit wrote:
> > 6. May 2017 01:37 by tas...@openmailbox.org:
> > 
> > On 05/05/2017 09:15 PM, Gaiko Kyofusho wrote:I seem to be experiencing 
> > intermittent/temporary (few secs-min) hangs
> > on/between VMs. That is, I can be working on an app in one VM, it will
> > begin to hang, to I usually switch to another VM and work on that for a
> > min or two then come back to the hung VM and it seems to work again.
> > While this is happening in _many_ applications, it seems to be an issue
> > more with chromium. I was thinking this might be related to memory as I
> > am also getting errors about not having enough mem to open up a VM (so I
> > usually close a VM or two then I can)(for the record I have the max my
> > laptop will take, 16gb, the default Qubes install doesn't include swap
> > space does it?)
> > 
> > Anyway, thoughts on this would be appreciated as its really not helping
> > my workflow.
> > 
> > Although I don't use chromium, I'm experiencing temporary graphics freezing 
> > as well. For example, if I start to drag a file from nautilus onto another 
> > app the dragged icon may freeze in transit along with nautilus. Sometimes 
> > it can stay frozen for 30 sec. or more.
> > 
> > 
> > 
> > 
> > 
> > I started a thread about this back in April.  Apparently a known issue with 
> > a fix due some time
> > 
> > 
> > https://groups.google.com/forum/#!searchin/qubes-users/appvm$20window$20freezing|sort:date/qubes-users/q1w05yyCI2k/XWpDFWDrBwAJ
> 
> Yes you are not alone.   
> https://groups.google.com/forum/#!searchin/qubes-users/chrome$20chromium$20freezing%7Csort:relevance/qubes-users/1oL5qyMdFfo/JkECo_bkBQAJ

instead of leaving the vm and coming back temp fix is to start another app in 
the frozen vm, like a terminal and it will unfreeze.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e3e10431-4295-4bbd-80ed-0979df1dfd75%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Experiencing intermittent hangs?

On Saturday, May 6, 2017 at 10:56:57 AM UTC-4, cubit wrote:
> 6. May 2017 01:37 by tas...@openmailbox.org:
> 
> On 05/05/2017 09:15 PM, Gaiko Kyofusho wrote:I seem to be experiencing 
> intermittent/temporary (few secs-min) hangs
> on/between VMs. That is, I can be working on an app in one VM, it will
> begin to hang, to I usually switch to another VM and work on that for a
> min or two then come back to the hung VM and it seems to work again.
> While this is happening in _many_ applications, it seems to be an issue
> more with chromium. I was thinking this might be related to memory as I
> am also getting errors about not having enough mem to open up a VM (so I
> usually close a VM or two then I can)(for the record I have the max my
> laptop will take, 16gb, the default Qubes install doesn't include swap
> space does it?)
> 
> Anyway, thoughts on this would be appreciated as its really not helping
> my workflow.
> 
> Although I don't use chromium, I'm experiencing temporary graphics freezing 
> as well. For example, if I start to drag a file from nautilus onto another 
> app the dragged icon may freeze in transit along with nautilus. Sometimes it 
> can stay frozen for 30 sec. or more.
> 
> 
> 
> 
> 
> I started a thread about this back in April.  Apparently a known issue with a 
> fix due some time
> 
> 
> https://groups.google.com/forum/#!searchin/qubes-users/appvm$20window$20freezing|sort:date/qubes-users/q1w05yyCI2k/XWpDFWDrBwAJ

Yes you are not alone.   
https://groups.google.com/forum/#!searchin/qubes-users/chrome$20chromium$20freezing%7Csort:relevance/qubes-users/1oL5qyMdFfo/JkECo_bkBQAJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3bf08e62-64bc-47cc-8f7f-89118849319d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Fwd: Us congress hearing of maan alsaan Money laundry قضية الكونغجرس لغسيل الأموال للمليادير معن الصانع

2017-05-07 Thread sady assad

*موقع اليوتيوب الذي عرض فيديوهات جلسة استماع الكونجرس الأمريكي *

* لمتابعة نشاطات غسل الأموال ونشاطات*



*السعودي معن عبدالواحد الصانع*

*مالك مستشفى  وشركة سعد  ومدارس سعد بالمنطقة الشرقية** بالسعودية * * ورئيس
مجلس ادارة بنك اوال البحريني*



 *وتعليق محطة سي ان بي سي التلفزيونية*



*مترجم باللغة العربية*



US Congressional Hearing of

 Saudi billionaire" maan  Al Sanea "

 and Money Laundering

with bank of America



With Arabic Subtitles





http://www.youtube.com/watch?v=mIBNnQvhU8s

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAEfki28OXi%3DZuXrNoT1QB7mVDNco5H9dHG8sW%2BNsBAqJSQaYYQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: No network connection v2

On Saturday, May 6, 2017 at 1:38:16 PM UTC-4, menthols wrote:
> Today installed Qubes 3rd release, but no network connection. Spent hours 
> trying to fix it, but to no avail. Network card is recognized. I have two 
> cables connected, no WiFi. I try to put qubes on Dell poweredge, Intel Xeon 
> e3, 8 GB RAM, Broadcom NetXtreme Gigabit Ethernet PCIe, two 1 TB harddrives. 
> I used option "Test and install" at installation, no error message. I have 
> choosed both harddisks at install, hope there is someway to configure the 
> soft raid. Before tried to install other Linux flavors before (Debian-8 and 
> Fedora-23) and none of them had any trouble connecting to the internet 
> immediately (updates downloaded during install). Maybe need to activate some 
> more PCI devices. What's the best I can do? Wait for the next release? Buy 
> another machine? ;-)
> 
> 
> Opened netvm terminal and checked the following things: 
> 
> 1. Does 'lspci' list your network adapter?  
> Yes, i've tried both debian-8 and fedora-23 both list the network cards.
> 
> 2. Do you have interface detected (does 'ifconfig -a' contains en* device)? 
> No, none of them detect the interface using ifconfig.
> 
> 3. Does kernel messages ('dmesg') contains some errors regarding network 
> device initialization? 
> No, there is no message regarding network at all.
> 
> 4. Check if linux-firmware package is installed (rpm -q linux-firmware).
> Yes it is installed.
> 
> 
> Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit Ethernet 
> PCIe

what do you mean by no network?  Can you manually connect in network manager? 
DNS internet problem?  is network card not recognized in sys-net at all?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8dd29802-ae65-4fd0-85eb-b67b001016b4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to get trusted iso?

On Monday, May 1, 2017 at 3:03:05 PM UTC-4, Chris Laprise wrote:
> On 05/01/2017 02:33 PM, cooloutac wrote:
> > I know I can't buy one, so how do I get an a fresh iso if my machine
> > is compromised?  Obviously,  someone more prudent would of kept their
> > original iso on dedicated usb stick. But I was too cheap.
> 
> I'll go out on a limb and say that Qubes is more about defending against 
> oncoming threats.
> 
> Pre-existing compromise creates a dilemma for the user, who can 
> pragmatically try to minimize further compromise by degrees. For 
> instance, burn a DVD and then verify it on multiple machines (incl. 
> different architectures). This is not unlike trying to validate the 
> authenticity of a PGP key using different network channels (not quite 
> "out of band" but possibly effective).
> 
> >
> > So what happens if that was not done,  or how can someone get a
> > trusted iso for the first time in the first place?  Is just checking
> > key signatures and using dd on a compromised machine enough? I
> > imagine that would be dangerous.
> >
> > Thanks for any suggestions.
> 
> Since you will probably want to start with Qubes on a non-compromised 
> machine, I suggest to download and verify using that.
> 
> -- 
> 
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

this post makes me think about healthcare debate lol.  last to universal 
healthcare is also last to end slavery. not a coincidence.

But ya i'll go out on a limb and say most of us are using Qubes cause we were 
already compromised before,  and we are using it still believing we will be 
compromised in the future.

If there is no way to get a trusted iso there is no point in using Qubes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fbc0dfab-a195-4c8d-9777-f6729ec9d2a8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] HDMI-related threats in Qubes OS

After some while of inactivity, I've made an experiment and successfully
created an HDMI “condom”. It is the most universal variant intended for
connecting a laptop to some HDMI male.

Ingredients: HDMI-male to DVI-female short cable + DVI-male to HDMI-female
adaptor, both are passive.

Price: Roughly $10 + shipping.

Regards,
Vít Šesták 'v6ak'

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/17c17daf-b494-4c76-afa5-d51dca048d96%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-05-07 12:23, Andrew David Wong wrote:
> On 2017-05-07 11:33, nickl...@kulinacs.com wrote:
>> On May 7, 2017 10:39:22 AM CDT, Andrew David Wong
>>  wrote: On 2017-05-07 10:32,
>> nickl...@kulinacs.com wrote:
> On May 7, 2017 10:23:54 AM CDT, Andrew David Wong 
>  wrote: On 2017-05-07 10:10, 
> nickl...@kulinacs.com wrote:
 What benefit does this have over simply ysing 
 qubes-split-gpg-client-wrapper, like done here: 
 https://github.com/kulinacs/pass-qubes It seems like a
 lot of overhead for not a lot of gain.

 On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)"
   wrote:
> Building on the excellent pass
> (https://passwordstore.org), it gives me great
> pleasure to announce the initial release of
> qubes-pass — an inter-VM password manager and store
> for Qubes OS.
>
> Check it out here!
>
> https://github.com/Rudd-O/qubes-pass
>
>
> What are the advantages of either of these over the
> traditional Qubes model of having a normal password manager
> in a vault VM and using the inter-VM clipboard to copy/paste
> passwords out of it?
>
>
> I prefer Pass because it uses GPG for encryption, meaning I
> can manage fewer secrets over all (as it backends into my
> normal GPG key) and then track my password files in git. To
> do this with the traditional Keepass method, you either need
> to back up the password database somewhere secure or remember
> another password for it.
>
> 
>> Why not just back up the entire vault with qvm-backup?
> 
> 
>> Git has less storage overhead (as you're backing up a bunch of text
>> files, not an entire VM), allows proper versioning, so it is
>> trivial to see your passwords at a point in time, and can be used
>> cross platform if you chose to keep your GPG key on another
>> system.
> 
> 
> I prefer the security of qvm-backup[-restore], since it allows me to
> keep the vault and its contents permanently offline. The entire VM is
> BZIP compressed, AES-256 encrypted, and HMAC-SHA512 authenticated. The
> integrity verification, authentication, and decryption all happen at
> the dom0 level. The backup is tiny, so the storage overhead is
> inconsequential, and there's no need to worry about file-level
> metadata leakage or the backup file itself being used as an attack
> vector. KeePassX has sufficient built-in versioning for me, and it's
> easy enough to sync Qubes backups across machines with simple scripts.
> 
> With this setup, considerations like "managing fewer secrets" seem out
> of place. I only have to manage three secrets:
> 
> 1. LUKS passphrase
> 2. Backup passphrase
> 3. Screen locker passphrase
> 

I should add that using the same passphrase for (some subset of) 1, 2,
and 3 would arguably be a very reasonable trade-off between security and
convenience for most users (i.e., a likely negligible drop in security
for a significant gain in the form of having to remember fewer things).

> Managing these three allows me to have an arbitrary number of
> additional secrets in VMs without having to remember anything else. I
> can't replace 1, 2, or 3 with my PGP key(s), because my PGP key(s) are
> inside my PGP VM, which I can't access except via 1, 2, or 3. But
> that's by design. I wouldn't want to make that replacement even if I
> could, since I wouldn't want an attacker who gains access to my (one
> of my) PGP (sub)key(s) to have access equivalent to 1, 2, or 3. I also
> wouldn't want to use my (import) PGP keys on any non-Qubes systems,
> since that would likely defeat the purpose of protecting them via
> Split GPG.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJZD1vAAAoJENtN07w5UDAw0PgP/jZwC1XYgGbXn6Oja5IkDKuF
09sfEZVlWsfUgWB+rT6X6sOX2cpUrxKSL/7e2Zb/YuebCDawwSycZxi1XVsOGP2y
sTxD8fi3k/t86i1LvgVFi7TbwKBjqwzvbP1en575iMrbTa8ye48Vg1tpaLmnt82/
GrDneJNgnQDw79bbjK0GO4Ak/Y3kAhZm9QRvaHNM4rKrdyI0fobDq18TXmaAIKi+
pIJ+fsO+CAemS2pfKuKjaCgzc3dEprzWqOpQgbcOq96dQZ/8t1QPoQqJirpBJ7Tn
Nj06YELPm+IgzPF+9KYRW/EiFJYF2gNBFpA4SNoj4R0fs2nuK2hRb4QCvsiIXGoR
8Bn7Ri5ns4B3Ky8prUWvvnOyXb83XxBe3nZ6q1SaKn4iKKoOYOYEn4KSzDOfH8hL
8edVCWuHNagJS3xXt3j7+xMNBFsYmdYFyuqpiJqq/cgqmiWJnmOp7h4M6y2CZ/9m
CPut/OUw4CFe8zHg7dUDA8Ihc5YGB2Ssegk0hGA3NhpamM3sOsTJ+hDPI/Uq7o1l
8LI4nRhpwC1gLXWKw++X0oPp2wZIYHY/ufB6cgqVnFlZjRhr3FHSpXom8yUOYWGk
dMvWUZM0oJ/Smq6aP4JobX0wBsC5lMhmCVxOf9jQCKh3aoA43Sapm46ekdDDItoP
kszj1eCEzqCrKNMRKki4
=J4QR
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to

[qubes-users] Re: First stab at installing qubes 3.2 - Couple of issues.

2017-05-07 Thread devrana

Patrick - Ok, the main thing in there seems to be to disable VT-d and do the 
install, with some grub trickery to re-enable it later.  I'll try that tonight 
and report back.  Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4e4770d3-a467-4158-8520-ee70f729e079%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-05-07 11:33, nickl...@kulinacs.com wrote:
> On May 7, 2017 10:39:22 AM CDT, Andrew David Wong
>  wrote: On 2017-05-07 10:32,
> nickl...@kulinacs.com wrote:
 On May 7, 2017 10:23:54 AM CDT, Andrew David Wong 
  wrote: On 2017-05-07 10:10, 
 nickl...@kulinacs.com wrote:
>>> What benefit does this have over simply ysing 
>>> qubes-split-gpg-client-wrapper, like done here: 
>>> https://github.com/kulinacs/pass-qubes It seems like a
>>> lot of overhead for not a lot of gain.
>>> 
>>> On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)"
>>>   wrote:
 Building on the excellent pass
 (https://passwordstore.org), it gives me great
 pleasure to announce the initial release of
 qubes-pass — an inter-VM password manager and store
 for Qubes OS.

 Check it out here!

 https://github.com/Rudd-O/qubes-pass

 What are the advantages of either of these over the
 traditional Qubes model of having a normal password manager
 in a vault VM and using the inter-VM clipboard to copy/paste
 passwords out of it?

 I prefer Pass because it uses GPG for encryption, meaning I
 can manage fewer secrets over all (as it backends into my
 normal GPG key) and then track my password files in git. To
 do this with the traditional Keepass method, you either need
 to back up the password database somewhere secure or remember
 another password for it.

> 
> Why not just back up the entire vault with qvm-backup?
> 
> 
> Git has less storage overhead (as you're backing up a bunch of text
> files, not an entire VM), allows proper versioning, so it is
> trivial to see your passwords at a point in time, and can be used
> cross platform if you chose to keep your GPG key on another
> system.
> 

I prefer the security of qvm-backup[-restore], since it allows me to
keep the vault and its contents permanently offline. The entire VM is
BZIP compressed, AES-256 encrypted, and HMAC-SHA512 authenticated. The
integrity verification, authentication, and decryption all happen at
the dom0 level. The backup is tiny, so the storage overhead is
inconsequential, and there's no need to worry about file-level
metadata leakage or the backup file itself being used as an attack
vector. KeePassX has sufficient built-in versioning for me, and it's
easy enough to sync Qubes backups across machines with simple scripts.

With this setup, considerations like "managing fewer secrets" seem out
of place. I only have to manage three secrets:

1. LUKS passphrase
2. Backup passphrase
3. Screen locker passphrase

Managing these three allows me to have an arbitrary number of
additional secrets in VMs without having to remember anything else. I
can't replace 1, 2, or 3 with my PGP key(s), because my PGP key(s) are
inside my PGP VM, which I can't access except via 1, 2, or 3. But
that's by design. I wouldn't want to make that replacement even if I
could, since I wouldn't want an attacker who gains access to my (one
of my) PGP (sub)key(s) to have access equivalent to 1, 2, or 3. I also
wouldn't want to use my (import) PGP keys on any non-Qubes systems,
since that would likely defeat the purpose of protecting them via
Split GPG.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJZD1gbAAoJENtN07w5UDAwu14P/2ZzxA5RM4QS/F+GhyafenJM
rQmgmxpZbDIENeiwCrxQGkPxO5vZjGXcIKsACekLlTVeWwNvmRtfOnQa5vvhBDyS
1WGoHYOnuODM7EVe2GZhA4gngRWiJ+iLFvvtRcApG6hMA7BwGqxsLUhl1XbQL3XA
EVYEIfkLZ8CffIe2QuXAwFMMc6uBYMHunTSeZPZHuy7DmGLEHacHuuJvUadxzHqF
r3zncyZeCwrFwUrJFgDE8UTXcrv5azuih4Pr1GN1G3HgsvpjfMTtyYZlfYJX1agQ
JonOQ//N6Fv8B2Fn5tFEGCHJN9hddfc1YW0xMvgHc8AbiBEGN4aUzb+pd+EprL8j
7uEsFnYy/zBs/TXMaQaAecQYIGOln76IDtUMNQhTmBTHdltJoe3yE0RdCP3T2zJj
d5dtP09imbNx2GFoac/6gA3HnmP/4rPeK6qnad7i0y1OyuMl4zTrU2AdqwcG4+S8
N0XGywpBlr+bDUCEuxtGO13pDPomgQXuPoOgZPmJORF/4T/KxEBMKEBEPVs1K81E
nblCCG6n80STe48a4Vk0Gv4IFw9Or/kFYR5M4B4UvnmJCoMaWj1a92VBC/8z8KCG
ck0MkR2y6KbA1wI3CUAF8GkjlIfEE2ewaU8BQcEQqKplL7gNV4NqfRbpMuvLe1LW
TK/sqfLYBdq0r/UsYQ+p
=dZn6
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/76e540df-ef80-cbaa-9ab7-f0aaf8684523%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: First stab at installing qubes 3.2 - Couple of issues.

2017-05-07 Thread Patrick Bouldin

On Sunday, May 7, 2017 at 10:59:09 AM UTC-4, dev...@gmail.com wrote:
> I'm experimenting by installing on a Thinkpad T500, which has integrated 
> (intel) graphics.  Since the install freezes after loading the initrd, I try 
> installing in "basic graphics mode".  A lot of text streams by, of which I 
> can only see the end, but I notice:
> 
> "Not asking for VNC because we don't have a network"  [But we do!]
> "X startup failed, falling back to text mode"
> 
> I try to look at the logs using Alt-Tab, but I don't see any way to scroll up 
> to see above the last page.  Is there some way to do this?  (It looks like 
> screen or tmux.  Is that right?)
> 
> Then, I try setting things up, using the text mode, and find myself stuck on 
> the auto-partitioner.  I've tried various routes through, but using mostly 
> default (/dev/sda, use all space, LVM), I get:
> 
> "Generating updated storage configuration.  
> Storage configuration failed. Autopart failed.
> Encryptation requested for LUKS device sda2, but no ecryption key specififed 
> for this device"
> 
> I've tried dropping to the shell and deleting all partitions (no help), 
> partitioning the disk by hand (no help), then setting up swap and using 
> cryptsetup to make a LUKS partition for root (no help).  I can easily set up 
> the partitions myself, but I don't know how to get it to recognize what I've 
> done. Anyone have thoughts?
> 
> /D

I'm probably a 3 out of 1-10 scale in my expertise on this, hopefully someone 
else can jump it too - but I ran into some similiar issues. Check this out: 
https://www.qubes-os.org/doc/thinkpad-troubleshooting/

Notes like disabling VT-d on the ThinkPads, in the bios. Also had to disable 
some other things - look around there as a start, if you haven't already.

Best,
Patrick

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/56030893-5817-4d6e-80b0-85f59345c6b7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

2017-05-07 Thread nicklaus

On May 7, 2017 10:39:22 AM CDT, Andrew David Wong  wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA512
>
>On 2017-05-07 10:32, nickl...@kulinacs.com wrote:
>> On May 7, 2017 10:23:54 AM CDT, Andrew David Wong 
>>  wrote: On 2017-05-07 10:10, 
>> nickl...@kulinacs.com wrote:
> What benefit does this have over simply ysing 
> qubes-split-gpg-client-wrapper, like done here: 
> https://github.com/kulinacs/pass-qubes It seems like a lot
> of overhead for not a lot of gain.
> 
> On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)" 
>  wrote:
>> Building on the excellent pass (https://passwordstore.org),
>> it gives me great pleasure to announce the initial release
>> of qubes-pass — an inter-VM password manager and store for
>> Qubes OS.
>> 
>> Check it out here!
>> 
>> https://github.com/Rudd-O/qubes-pass
>> 
>> 
>> What are the advantages of either of these over the traditional 
>> Qubes model of having a normal password manager in a vault VM and 
>> using the inter-VM clipboard to copy/paste passwords out of it?
>> 
>> 
>> I prefer Pass because it uses GPG for encryption, meaning I can 
>> manage fewer secrets over all (as it backends into my normal GPG 
>> key) and then track my password files in git. To do this with the 
>> traditional Keepass method, you either need to back up the password
>> database somewhere secure or remember another password for it.
>> 
>
>Why not just back up the entire vault with qvm-backup?
>
>- -- 
>Andrew David Wong (Axon)
>Community Manager, Qubes OS
>https://www.qubes-os.org
>-BEGIN PGP SIGNATURE-
>
>iQIcBAEBCgAGBQJZDz+kAAoJENtN07w5UDAwVdEQAKyEUNffYrCLsTK8TyRvWnyi
>3dz15oDFHAL/PXkUHptcn4NJfU3BrmPBcf8DaBM2ROlXVJQayYZq9QwE1wlftxjr
>+ZblvNOuYbc/+FGxGNpqimc7jSC5TSaaduMW47THp66xemYH55pVChD2WT3X/dk4
>gn51SLYKE7tixnsOaqNEQSawpwbDsVaL4hLDgV4NLDKeZTbhLLxLbFlvikoMsUxY
>BXj19mfje2oJrDAXEDUtDK9qq8tOjttK4EomVG0HQVinyhpKiLn/Nil91xQnKvES
>H8QG9sEUUEGs0/GsYsXIkb3VJqRdkns5A1Cp5FR3/WTiIxBARfewXY3klQKO0UFj
>zTovVZ3OgjuqmqDlkLLGRI5bn1NHZ2k9IFly4+8VUYXPOVBNdkKmIpqS3x0EPhuO
>rFZmg/1OYHeT3FLt6WwDJilNGzN2I/FByx7AbwiEHGgspQYVviDRha2n6eCDGh0R
>uIZ3/8iYj+QA+glXZFGj5ghIKjBiA6rcn7vTh7/r+9rGaOCCDCGY6L4ZrgL8Ao76
>VOw1MnnzVHIOGjGQ0RacDN9qZ8D/YTy2BqZVUdF1RXoBb77LQgAfVfVAeIjzuWg7
>KIlXI9ScIFqEbbcxC7w4SC1LHbEcET81q5B0tNzJUJ+QL0/CZQ9avrPHBOq9kVRs
>NK8zRvknFnPargpog2UK
>=vzjL
>-END PGP SIGNATURE-

Git has less storage overhead (as you're backing up a bunch of text files, not 
an entire VM), allows proper versioning, so it is trivial to see your passwords 
at a point in time, and can be used cross platform if you chose to keep your 
GPG key on another system.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/B06DAF03-3208-4AB4-A0CF-96274F6A4804%40kulinacs.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Apps not starting on the first try

2017-05-07 Thread Todd Lasman

On Sat, May 06, 2017 at 10:41:04PM -0400, Chris Laprise wrote:
> On 05/06/2017 12:30 PM, Todd Lasman wrote:
> >
> >-BEGIN PGP SIGNED MESSAGE-
> >Hash: SHA256
> >
> >This seems to be a new issue on a recent reboot.
> >
> >If I try to run a program from a VM that's not yet running, the VM
> >starts as expected, but the program never runs. Even after the VM is up
> >and running, I can't get any program to run in that VM. Even opening a
> >window in dom0 and using the qvm-run command does nothing.
> >
> >However, if I kill the VM, the next time I try to run a program (which
> >reopens the VM), it works perfectly.
> >
> >Any thoughts on troubleshooting this?
> >
> >Thanks.
> 
> This is a long-term issue and the reports usually center around nautilus
> (Files) because that it the most prone to the behavior.
> 
> See https://github.com/QubesOS/qubes-issues/issues/2449
> 
> I believe its caused by gnome expecting some session-related daemon to be
> already running when it tries to start a program.
> 
> -- 
> 
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/8edee868-fc2b-e0d6-3ec2-0ebf3b1ee684%40openmailbox.org.
> For more options, visit https://groups.google.com/d/optout.

Thanks. For some reason, I don't remember this happening in the past,
but I could be wrong. I'll be patient.

Todd

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170507154745.GA17456%40d1stkfactory.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: Digital signature

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-05-07 10:32, nickl...@kulinacs.com wrote:
> On May 7, 2017 10:23:54 AM CDT, Andrew David Wong 
>  wrote: On 2017-05-07 10:10, 
> nickl...@kulinacs.com wrote:
 What benefit does this have over simply ysing 
 qubes-split-gpg-client-wrapper, like done here: 
 https://github.com/kulinacs/pass-qubes It seems like a lot
 of overhead for not a lot of gain.
 
 On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)" 
  wrote:
> Building on the excellent pass (https://passwordstore.org),
> it gives me great pleasure to announce the initial release
> of qubes-pass — an inter-VM password manager and store for
> Qubes OS.
> 
> Check it out here!
> 
> https://github.com/Rudd-O/qubes-pass
> 
> 
> What are the advantages of either of these over the traditional 
> Qubes model of having a normal password manager in a vault VM and 
> using the inter-VM clipboard to copy/paste passwords out of it?
> 
> 
> I prefer Pass because it uses GPG for encryption, meaning I can 
> manage fewer secrets over all (as it backends into my normal GPG 
> key) and then track my password files in git. To do this with the 
> traditional Keepass method, you either need to back up the password
> database somewhere secure or remember another password for it.
> 

Why not just back up the entire vault with qvm-backup?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJZDz+kAAoJENtN07w5UDAwVdEQAKyEUNffYrCLsTK8TyRvWnyi
3dz15oDFHAL/PXkUHptcn4NJfU3BrmPBcf8DaBM2ROlXVJQayYZq9QwE1wlftxjr
+ZblvNOuYbc/+FGxGNpqimc7jSC5TSaaduMW47THp66xemYH55pVChD2WT3X/dk4
gn51SLYKE7tixnsOaqNEQSawpwbDsVaL4hLDgV4NLDKeZTbhLLxLbFlvikoMsUxY
BXj19mfje2oJrDAXEDUtDK9qq8tOjttK4EomVG0HQVinyhpKiLn/Nil91xQnKvES
H8QG9sEUUEGs0/GsYsXIkb3VJqRdkns5A1Cp5FR3/WTiIxBARfewXY3klQKO0UFj
zTovVZ3OgjuqmqDlkLLGRI5bn1NHZ2k9IFly4+8VUYXPOVBNdkKmIpqS3x0EPhuO
rFZmg/1OYHeT3FLt6WwDJilNGzN2I/FByx7AbwiEHGgspQYVviDRha2n6eCDGh0R
uIZ3/8iYj+QA+glXZFGj5ghIKjBiA6rcn7vTh7/r+9rGaOCCDCGY6L4ZrgL8Ao76
VOw1MnnzVHIOGjGQ0RacDN9qZ8D/YTy2BqZVUdF1RXoBb77LQgAfVfVAeIjzuWg7
KIlXI9ScIFqEbbcxC7w4SC1LHbEcET81q5B0tNzJUJ+QL0/CZQ9avrPHBOq9kVRs
NK8zRvknFnPargpog2UK
=vzjL
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1a23c189-47e1-d88d-ff1b-e077b6d920db%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

2017-05-07 Thread nicklaus

On May 7, 2017 10:23:54 AM CDT, Andrew David Wong  wrote:
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA512
>
>On 2017-05-07 10:10, nickl...@kulinacs.com wrote:
>> What benefit does this have over simply ysing
>> qubes-split-gpg-client-wrapper, like done here: 
>> https://github.com/kulinacs/pass-qubes It seems like a lot of
>> overhead for not a lot of gain.
>> 
>> On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)"
>>  wrote:
>>> Building on the excellent pass (https://passwordstore.org), it
>>> gives me great pleasure to announce the initial release of
>>> qubes-pass — an inter-VM password manager and store for Qubes
>>> OS.
>>> 
>>> Check it out here!
>>> 
>>> https://github.com/Rudd-O/qubes-pass
>>> 
>
>What are the advantages of either of these over the traditional Qubes
>model of having a normal password manager in a vault VM and using the
>inter-VM clipboard to copy/paste passwords out of it?
>
>- -- 
>Andrew David Wong (Axon)
>Community Manager, Qubes OS
>https://www.qubes-os.org
>-BEGIN PGP SIGNATURE-
>
>iQIcBAEBCgAGBQJZDzwAAAoJENtN07w5UDAwPwYP/A1L6MTJWkSTAkopSLUFQnbg
>bL0/6/YxjMNG7YBRSDhB0k5hAD70WOnHt/W2AyEkr6ihhVDkflmeAkBuc7tZgZNa
>Us/9q3X3bgN/loQ/nCgAlVN+E5EqdzJyo1y94fSF9hrKKXCKPF1/nK+GxweGJl+N
>PLd+oq1XjhQ8YVSI1z2yZhfO0ro5j85YhE3F/btLbNpyjVEu41JVtgdamYmHrz2O
>C72llnuLedHoYJ7uTtw1inurkenndnHnGrRw8QdJFy9l8Lq8o30dOTS2/zqZriig
>NF+LVlwDzJ5kostP1Rx8f/80RGhjqtqsalT+WGbgcSC/mOBzoPxKMi48tiD5BGxx
>wb6hezl0fcl/JKep7DfwZm+LGmEXO/S1KLEyGhACSkiIGmEaKDnzPq3q/nq8DKRj
>7ZDUjp2+chXdK0OxgGuc6/NpQkSrT0fqe3wawH/JZmg8rYi49mMxWMVNfc3Rvfvl
>3d093U+2voFmlr3uyO/3q9TeMV/fRJY9ft+ygXwrMie9zCBLHfKS5bACldzCeaW5
>JXqbkNuSmw48+f/QmS0EeRCPDCtv6cXB2vTN4rzxgKee7ww4p5JV6mqQi7RLA00Y
>bJ7xP9BZb8R8eSXtLbsCmGpkSXMnyPl5NGgrkrFaktz4pYpH7+HGYXVOfvHxJkLG
>I0EO4GdyH2SaXrj9OXke
>=FKB/
>-END PGP SIGNATURE-

I prefer Pass because it uses GPG for encryption, meaning I can manage fewer 
secrets over all (as it backends into my normal GPG key) and then track my 
password files in git. To do this with the traditional Keepass method, you 
either need to back up the password database somewhere secure or remember 
another password for it.

---
kulinacs

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1BBC6F4A-1054-4AB7-87EA-1E1236DB56DB%40kulinacs.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-05-07 10:10, nickl...@kulinacs.com wrote:
> What benefit does this have over simply ysing
> qubes-split-gpg-client-wrapper, like done here: 
> https://github.com/kulinacs/pass-qubes It seems like a lot of
> overhead for not a lot of gain.
> 
> On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)"
>  wrote:
>> Building on the excellent pass (https://passwordstore.org), it
>> gives me great pleasure to announce the initial release of
>> qubes-pass — an inter-VM password manager and store for Qubes
>> OS.
>> 
>> Check it out here!
>> 
>> https://github.com/Rudd-O/qubes-pass
>> 

What are the advantages of either of these over the traditional Qubes
model of having a normal password manager in a vault VM and using the
inter-VM clipboard to copy/paste passwords out of it?

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJZDzwAAAoJENtN07w5UDAwPwYP/A1L6MTJWkSTAkopSLUFQnbg
bL0/6/YxjMNG7YBRSDhB0k5hAD70WOnHt/W2AyEkr6ihhVDkflmeAkBuc7tZgZNa
Us/9q3X3bgN/loQ/nCgAlVN+E5EqdzJyo1y94fSF9hrKKXCKPF1/nK+GxweGJl+N
PLd+oq1XjhQ8YVSI1z2yZhfO0ro5j85YhE3F/btLbNpyjVEu41JVtgdamYmHrz2O
C72llnuLedHoYJ7uTtw1inurkenndnHnGrRw8QdJFy9l8Lq8o30dOTS2/zqZriig
NF+LVlwDzJ5kostP1Rx8f/80RGhjqtqsalT+WGbgcSC/mOBzoPxKMi48tiD5BGxx
wb6hezl0fcl/JKep7DfwZm+LGmEXO/S1KLEyGhACSkiIGmEaKDnzPq3q/nq8DKRj
7ZDUjp2+chXdK0OxgGuc6/NpQkSrT0fqe3wawH/JZmg8rYi49mMxWMVNfc3Rvfvl
3d093U+2voFmlr3uyO/3q9TeMV/fRJY9ft+ygXwrMie9zCBLHfKS5bACldzCeaW5
JXqbkNuSmw48+f/QmS0EeRCPDCtv6cXB2vTN4rzxgKee7ww4p5JV6mqQi7RLA00Y
bJ7xP9BZb8R8eSXtLbsCmGpkSXMnyPl5NGgrkrFaktz4pYpH7+HGYXVOfvHxJkLG
I0EO4GdyH2SaXrj9OXke
=FKB/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/db34d43c-a1a1-1019-1e8a-b6f4303ad025%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

2017-05-07 Thread nicklaus

What benefit does this have over simply ysing qubes-split-gpg-client-wrapper, 
like done here:
https://github.com/kulinacs/pass-qubes
It seems like a lot of overhead for not a lot of gain.

On May 7, 2017 9:50:26 AM CDT, "Manuel Amador (Rudd-O)"  
wrote:
>Building on the excellent pass (https://passwordstore.org), it gives me
>great pleasure to announce the initial release of qubes-pass — an
>inter-VM password manager and store for Qubes OS.
>
>Check it out here!
>
>https://github.com/Rudd-O/qubes-pass
>
>-- 
>Rudd-O
>http://rudd-o.com/
>
>-- 
>You received this message because you are subscribed to the Google
>Groups "qubes-users" group.
>To unsubscribe from this group and stop receiving emails from it, send
>an email to qubes-users+unsubscr...@googlegroups.com.
>To post to this group, send email to qubes-users@googlegroups.com.
>To view this discussion on the web visit
>https://groups.google.com/d/msgid/qubes-users/24c27d7a-e72e-14fc-e388-2f5718d95660%40rudd-o.com.
>For more options, visit https://groups.google.com/d/optout.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0A765A21-F411-4015-B9C2-790508B1A0C1%40kulinacs.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Changed resolution, now screen doesn't work?

On 05/01/2017 05:42 PM, almir.aljic1...@gmail.com wrote:
> On Monday, May 1, 2017 at 6:51:51 PM UTC+2, almir.a...@gmail.com wrote:
>> I changed the resolution of my Qubes from 1920x1080 to 1600x1200 (by 
>> accident) and now my screen doesn't show anything when I choose HDMI2 (my 
>> desktop PC is attached to the screen with an HDMI cable). Setting the 
>> resolution to 1280x1024 worked fine, but as soon as I set it to 1600x1200 
>> and clicked "apply" my screen turned black and now all it does is say "no 
>> signal" and I can't see anything on the screen to set it back to 1920x1080. 
>> How do I go about solving this?
>>
>> Thanks.
> I know of a potential solution but then I need help from someone on here.
>
> What you can do is shut down all your windows and left-click the Qubes icon 
> (at the bottom left/top left) then solely use your keyboard to navigate to 
> the Display settings and change resolution. Then send me the exact keyboard 
> strokes you pushed (for example down arrow 2x, right arrow 1x, down arrow 8x, 
> tab 4x etc.) so that I can mimic them and ultimately change my resolution 
> back to 1920x1080.
>
> Thanks in advance!
>
Isn't it easier to launch a terminal using the xfce minicli key combo,
then using xrandr to set the right resolution?

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/75e1a8ce-4b51-9107-ec3e-c5f503a85c3d%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] First stab at installing qubes 3.2 - Couple of issues.

2017-05-07 Thread devrana

I'm experimenting by installing on a Thinkpad T500, which has integrated
(intel) graphics. Since the install freezes after loading the initrd, I try
installing in "basic graphics mode". A lot of text streams by, of which I can
only see the end, but I notice:

"Not asking for VNC because we don't have a network" [But we do!]
"X startup failed, falling back to text mode"

I try to look at the logs using Alt-Tab, but I don't see any way to scroll up
to see above the last page. Is there some way to do this? (It looks like
screen or tmux. Is that right?)

Then, I try setting things up, using the text mode, and find myself stuck on
the auto-partitioner. I've tried various routes through, but using mostly
default (/dev/sda, use all space, LVM), I get:

"Generating updated storage configuration.
Storage configuration failed. Autopart failed.
Encryptation requested for LUKS device sda2, but no ecryption key specififed
for this device"

I've tried dropping to the shell and deleting all partitions (no help),
partitioning the disk by hand (no help), then setting up swap and using
cryptsetup to make a LUKS partition for root (no help). I can easily set up
the partitions myself, but I don't know how to get it to recognize what I've
done. Anyone have thoughts?

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/d6f92d6f-7c7e-4346-bd82-0a0026bb6580%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] ANN: qubes-pass — an inter-VM password manager and store for Qubes OS

Building on the excellent pass (https://passwordstore.org), it gives me
great pleasure to announce the initial release of qubes-pass — an
inter-VM password manager and store for Qubes OS.

Check it out here!

https://github.com/Rudd-O/qubes-pass

-- 
Rudd-O
http://rudd-o.com/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/24c27d7a-e72e-14fc-e388-2f5718d95660%40rudd-o.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] anaconda échec

2017-05-07 Thread patrice9514

Hello
I can't install qubes os, I get this https://up2sha.re/file?f=2CrDDrQyfcDv 
failure. I have try on any other USB 2.0 and always the same.
As if there is a hardware conflict.
Thank you for your help.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/35f03db7-9045-40ec-98e5-feb7f72e6f0d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] [3.2] Issues with Intel® HD Graphics 620 after update of clean installation

OK, thanks. It seems I have compiled it with slightly newer set of patches 
(4.8.14-12 vs. 4.8.14-9). I haven't noticed the unstable repo 
(https://yum.qubes-os.org/r3.2/unstable/dom0/fc23/rpm/ )… 

I don't see it in official repo. Is it compiled from slightly older version of 
https://github.com/marmarek/qubes-linux-kernel/tree/devel-4.8?files=1 ?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a4a02a95-bbad-40e0-8bb9-74592395a2bb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HOWTO: Compiling Kernels for dom0