[qubes-users] Re: Keepass vault password no worky

[qubester]

On 07/18/2017 02:27 PM, '0brand' via qubes-users wrote:

I've been trying to resolve a problem with both of my Debian-8 vault-appvms.. 
For some reason my Keepass passwords no longer work. When I type in the 
password I get this message:
Unable to open database. Wrong key or database file is corrupt
I have been using the same password for both my Keepass databases for quite 
some time now so the problem isn't due to forgetting or miss-typing my 
passwords. Normally this would not be much of a problem except for the fact 
that restoring from backups is not remedying the issue. I've restored both my 
Keepass vault-appvms and my Debian-8 Template.
Looking back at the day before this happened there is only one thing that I did 
that may have contributed to the problem. I removed my sys-usb (netvm) and 
created a sys-usb (appvm). After I created the new sys-usb I realized that It 
would not run unless I set pci_strictreset to false. This was not acceptable to 
me so I removed the new sys-usb and created a new one with:
sudo qubesctl top.enable qvm.sys-usb
sudo qubesctl top.enable qvm.sys-usb
The reason I think this may have contributed to the problem is because the 
first two times I tried to restore my appVMs things did not go well. The first 
time the Gui completely froze and I was unable to unmount the drive. The second 
time the backup-restore did not complete but at least the screen did not freeze 
up. The third time I used a backup from a couple days prior and everything went 
smoothly. It did not solve the problem though. I still can not unlock my 
Keepass vaults.
I'm not really sure what to do next. Is it possible that my backups are somehow 
being corrupted when I restore them? I'm a little flustered at this point and I 
could use some guidance.
Thanks in advance

Sent with [ProtonMail](https://protonmail.com) Secure Email.



If it makes you feel better, I had the thing fail. with the same 
messages, and I'd swear, I did nothing at all, after that I stopped 
using it . as pretty pointless to use something that MUST be 
reliable and have it fail so easily, whatever caused it  IMHO  of course 
 ; I think mine was in the Vault VM


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5e580987-f554-4a77-776b-22f9072af6a6%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Enigmail not working with Split GPG

[Florian Brandes]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 07/18/2017 07:40 PM, Chris Laprise wrote:
> I already have Split GPG working with git, but after following the Split
> GPG doc for Thunderbird I'm getting errors (from the Enigmail
> Preferences dialog):
> 
>> GnuPG cannot be executed with the path provided. Enigmail is therefore
>> deactivated...
> 
> and
> 
>> Cannot connect to gpg-agent. Maybe your system uses a specialized tool
>> for passphrase handling (e.g. gnome-keyring, seahorse-agent, KDE wallet
>> manager, ...). Unfortunately Enigmail cannot control the passphrase
>> timeout for the tool you are using. Therefore the respective timeout
>> settings in Enigmail are disregarded.
> 
> 
> I'm using Debian 9 appVMs. Issue #2170 doesn't appear to be the same as
> this problem.
> 

Hi Chris,

I had the same problem. Thunderbird/Enigmail complained about not finding 
GnuPG. What worked for me (after you followed the steps in the Split GPG 
document and set up your *-gpg VM and added your *-gpg VM to 
/rw/config/gpg_split-domain) was simply restarting my email VM and my gpg VM. 

Just make sure, the /usr/bin/qubes-gpg-client-wrapper is set as a client (even 
though Enigmail complains, it should still stay there). I had to restart 
several times though and have no idea why you had to, but it worked. 

If not, you could try updating your template to "testing". (I have tried that 
with Fedora 23, 24 and 25, all with testing repos activated). 

Hope I could help a bit,

Florian
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQI0BAEBCAAeBQJZbvQ0FxxmbG9yaWFuLmJyYW5kZXNAZ214LmRlAAoJEKf3MHt6
BMRJPTMQAJvhrlUpGFMNIlilyLFnvh9dK9jNPQPbk80cN1X38iVxH+vigP4GFF85
JTO2MToVJjauvX9wlQgGMzlrGh58tALaKo9TLDYgPmNugbg6kH25IxnZf4xAYn81
dYsbs6cgFqgc3BUlr7iDZ4u2s3YdbqjDM5WJxugMaPGoGmuFG3E4X5x3ARjgOrWe
LrxN2eCij+C21tTMIyGAZMbE0YSSNVglRtlDdzU/W0wRG/P9UigAeniZnA+3BU1K
pw42FUeczVsSs21TAHDEk/IaRjcxPJvkT8x4GzLLj6XaQ7ZRFHqMOh3+Cfee8FLZ
PZnWX9u/SJ7clbaZCtaPrQouHk4fhj5dpOTOhMsuCPa6Xnx9xSs52eYR1nJc8g+R
njUOw9vJ3XwgIxPVvxcP4y2J4l3zaB+jObb+HIrMRuY/CDCDGnFsiUncwUvVKDdA
qcDcdy7CtFO6VVvdHfOS6jUQExyYcJHFid2U7vKLeZIjCdD9JpmbJm3ADhwP9D35
mLs7ckYGHkU38H6Os33SBUeQOI2RCyDz5ZZZU+Wd1fCn5kzVm0fodQ9HQ7RMXie6
GspclXUUEesrKzJvoTpMS2qcCkmaC4yK5NsOG0b5K8UxzyLi2gqTpCxmsGJgQVIx
lE09yn6stSM/SfAC2qBt4cMhh7jH66M8WCem/DO/bNitcVfb4scd
=Yqew
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa194a78-2eb0-8246-9235-3255226de594%40gmx.de.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: heads up, qubes 3.2 still vuln to cve-2016-4484 (minor severity)

[yreb-qusw]

On 07/17/2017 08:15 PM, cooloutac wrote:

On Monday, July 17, 2017 at 8:31:42 PM UTC-4, pixel fairy wrote:

On Sunday, July 16, 2017 at 9:55:55 AM UTC-7, yreb-qusw wrote:

On 07/16/2017 01:27 AM, pixel fairy wrote:

---
In Dom0 install anti-evil-maid:

sudo qubes-dom0-update anti-evil-maid
---

Doesn't sound like 'more work' just doing the above, perhaps there is
more to it, I thought, it mentioned it's better to install via a USB Drive?


https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README

as you can see, its a lot of steps, and only some laptops are compatible. there 
are even new laptops, like the system76 lemur7 (i7 skylake), that cant do AEM.

ideally you can boot from a non usb external device, such as an sd card in your 
purse or wallet. if you do use usb, then you have to disable hiding the usb 
controller for a bit, which gives your attacker a window of opportunity for the 
kinds of things AEM is meant to detect.

this is a small windows of opportunity, but there is the theoretical case that 
a clueless attacker with only a short time boots from their own device, the 
attack fails because usb is locked (and they may not even know this) and your 
laptop is ok. whereas if AEM needed that usb controller enabled to function, 
the attack would succeed, or at least succeed enough to trip AEM.


What would be the "trade off"  and/or  How would I disable it , if it
somehow messes up my Qubes install?


the most obvious trade off is needing your boot device to boot your laptop. so, 
you must protect this device. you'll probably want more than one of them in 
case one is lost or damaged, so you have to protect multiple devices. this is 
fine for cyborgs with implanted, bootable usb devices. but, for the rest of us, 
its something you must consider carefully in your threat model.

a more thorough discussion of all this in the background blog post, 
https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html

if it doesnt work, you wont be able to boot. youd have to reinstall qubes and 
start over. if you want to disable it, you might be able to make a new 
passphrase for luks that doesnt need the keyfile on your aem device. there may 
be other steps required, but i havent tried it.


like pixel said you either can use a usb stick like a yubikey to boot, or use a 
usbvm don't think you can do both.   so in most cases a home desktop pc 
probably would just use usbvm.  but if you someone that travels with a laptop, 
that might be accessible to others, you might want to boot with usb key.

aem can be used on both but without usb key if using usbvm,  but should note 
aem only notifies you that something happened, like pixel said it doesn't stop 
the attack,  like secure boot would in case of hacking teams insyde bios 
attack.  Also the only true option then would be to buy all new hardware if 
such a compromise did happen.  But some people upgrade their hardware every two 
years anyways.  If you careful you can last that long.



So, If I haven't already, I should have secure boot enabled? ;   I saw 
after I posted that, all the steps, I'd probably end up breaking the 
machine or locking myself out of it .


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/30f4e715-6c5b-bb32-92ab-56a3f2266c04%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Chris Laprise]

On 07/18/2017 06:02 PM, Gaiko wrote:
> On Tuesday, July 18, 2017 at 11:27:00 AM UTC-4, Chris Laprise wrote:
>> On 07/17/2017 07:37 PM, Gaiko wrote:
>>> On Sunday, July 16, 2017 at 9:41:53 PM UTC-4, Chris Laprise wrote:
 On 07/16/2017 09:23 PM, Gaiko Kyofusho wrote:

> Sun Jul 16 21:16:22 2017 us=614593 RESOLVE: Cannot resolve host address:
> vpnprovidermod'dname.com : No address associated with
> hostname
>>
>> Did you put any restrictions on your sys-firewall? Attaching the VPN 
>> directly to sys-net is usually sufficient.
>>
>> Also, you could try removing internal firewall output restriction with:
>> sudo iptables -P OUTPUT ACCEPT
>>
>> then run openvpn again.
>>
>> -- 
>>
>> Chris Laprise, tas...@openmailbox.org
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 
> So it is safe to connect my vpn directly to sys-net? (I didn't realize that).

Its generally as safe as the VPN service provider you're using -- they
should use certificate validation config like 'remote-cert-tls' as most do.


> 
> Well, that (hopefully) narrows things down a bit more... kinda. the VpnVM 
> works if I just connect it directly to the sys-netvm, though before, places 
> other than my new home setup I was usually able to connect to the net with 
> the appvm->vpn->firewallvm->sys-netvm setup no problem, its a mystery why it 
> would work most other places but not with this ISP (or modem perhaps).
> 


-- 

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4c7b7d72-9e7d-9b65-0e14-1327eff2750d%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Networking problems installing Qubes 3.2 on Intel NUC7i3BNH

[wannabeironman]

On Tuesday, June 6, 2017 at 8:43:03 AM UTC-4, new...@protonmail.ch wrote:
> On Saturday, June 3, 2017 at 11:24:23 PM UTC+1, Unman wrote:
> > On Sat, Jun 03, 2017 at 04:26:56AM -0700, neword via qubes-users wrote:
> > > On Saturday, June 3, 2017 at 9:45:38 AM UTC+1, new...@protonmail.ch wrote:
> > > > Hi,
> > > > 
> > > > I have been frustrated trying to get Qubes fully up and running on the 
> > > > Intel NUC7i3BNH. Strangely, I could not get the install working in 
> > > > Legacy mode. In EFI mode, the installation went through, but Qubes 
> > > > would not boot until I copied the EFI boot files over using the 
> > > > instructions for UEFI troubleshooting (under "Boot device not 
> > > > recognised after installing").
> > > > 
> > > > (1) I still get an error on boot that says EFI_MEMMAP is not enabled 
> > > > and an error that goes by very quickly that says:
> > > > 
> > > > [FAILED] Failed to start Load Kernel Modules
> > > > 
> > > > Do I need to worry about this? How can I fix this?
> > > > 
> > > > (2) However, the system does indeed boot, and I am prompted to enter my 
> > > > LUKS pw and user pw. But, Ethernet is not functioning. I have tried the 
> > > > suggestions mentioned already:
> > > >   in sys-net, 
> > > >  (a) linux-firmware-20160609-66.gita44bc811.fc23.noarch is installed.
> > > >  (b) lspci shows that Intel I219-V rev 21 is there
> > > >  (c) ifconfig does not show ethX in sys-net
> > > > 
> > > > I have tried to manually load e1000e / e1000 using modprobe. but no 
> > > > luck.
> > > > 
> > > > Any pointers please in how to get networking working? Really frustrated 
> > > > as a new Qubes user was really looking forward to this fantastic OS!.
> > > > 
> > > > TIA!
> > > 
> > > P.S. when I manually load e1000e or e1000 I do not get any errors. It 
> > > just shows:
> > > e1000e: Intel Pro/1000 Network Driver - 3.2.6-k
> > > e1000e: Copyright (c) 1999 - 2015 Intel Corporation
> > > 
> > 
> > You can just ignore those warnings on boot.
> > On the network issue, I don't think this is really a Qubes problem. It's
> > an issue with the I219 and affects both Fedora and Debian - a quick
> > search confirms this.
> > 
> > What's worked for me in the past is using the driver from Intel:the
> > I218-LM has a driver for linux (look on downloadcenter.intel.com), which
> > will give you a v3.3.5.3 e1000e driver - Jessie with kernel 4.4.67-12
> > has v3.2.6.
> > Download the driver, extract from tar archive, make install. (I should
> > say I haven't done this in a qube, and you'll need the kernel-headers to
> > match your kernel, but it should be straightforward.)
> > 
> > On the other hand, trying one of the newer kernels might equally fix it
> > for you.
> > 
> > unman
> 
> Thank you Unman. Given that I could not download the required packages on the 
> Qubes pc, I downloaded them to an identical pc running Fedora 24. Having 
> compiled the Intel drivers, I now have a 3.3.5.3 version of the e1000e.ko.
> 
> However, how do I install it into the fedora23 template in Qubes? The 
> /lib/modules/... is readonly and I was unable to mount it as rw to copy the 
> file over. Apologies in advance as this is a newbie question. I have the file 
> in the QubesIncoming directory in the fedora23 template.
> 
> Many thanks!
> -neword

I am having the same NUC NIC issue with the NUC7i7BNH

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ce64bd7d-d4e3-4b07-9beb-b20e7df44a48%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes OS 3.2 NUC7i7BNH network driver issue

[Brian May]

Does the firmware version I stated support Intel I219-V? This is the NIC in
the new NUC i7 gen 7


On Thu, Jul 13, 2017 at 6:34 PM  wrote:

> On Thursday, July 13, 2017 at 4:14:54 PM UTC-4, Grzesiek Chodzicki wrote:
> > W dniu czwartek, 13 lipca 2017 20:34:15 UTC+2 użytkownik
> wannabe...@gmail.com napisał:
> > > NUC7i7BNH 32GB RAM 500GB M2
> > >
> > > I was able to load Qubes 3.2 using a efi bootloader.
> > >
> > > I am assuming with bleeding edge hardware that issues may pop-up here
> and there.
> > >
> > > My current issue is the ethernet driver in sys-net.
> > >
> > > lspci drivers are there and firmware version
> 20160609-66.gita4bbc811.fc23.noarch.
> > >
> > > "Dom0" dmesg output:
> > >
> > > pciback: driver tried to write to read-only configuration space.
> (bolded, not in red) See permissive attributes in sysfs.
> > >
> > > At the moment I am not able to use sys-net when I assign a static or
> dhcp IP.
> > >
> > > Any help would be much appreciated.
> >
> > https://www.qubes-os.org/doc/assigning-devices/
> > Go to possible issues and tr both fixes.
>
> I tried both. I am running Qubes OS 3.2
>
> DMA buffer size: qvm-prefs netvm = "netvm does not exist"
>
> PCI passthrough issues:
> systemctl enable qubes-pre-netvm.service = "Failed to execute operation,
> File exist"
> Do I need to chmod to match qubes_netvm.service?
>
> No luck.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQZTFV2jYBsvhQaKxfAirnfvgCCFmzhv4QRHkPN8261Zi3Pzg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] instalation hardware

[lutstribe]

When get into the booting part of qubes it crashes to text. I don't know how to 
fix that . Also, it said something about storage conf error. My wife and i are 
not  are not tech savy. The goal is to secure our network by having a pc with 
secury geared linux such qubes. My specs are msih97 pc mate i5 5675c and 2tb hd 
8 gb ram. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e10664f4-2e87-4da7-b242-a44987ee8592%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Keepass vault password no worky

['0brand' via qubes-users]

I've been trying to resolve a problem with both of my Debian-8 vault-appvms. 
For some reason my Keepass passwords no longer work. When I type in the 
password I get this message:
Unable to open database. Wrong key or database file is corrupt
I have been using the same password for both my Keepass databases for quite 
some time now so the problem isn't due to forgetting or miss-typing my 
passwords. Normally this would not be much of a problem except for the fact 
that restoring from backups is not remedying the issue. I've restored both my 
Keepass vault-appvms and my Debian-8 Template.
Looking back at the day before this happened there is only one thing that I did 
that may have contributed to the problem. I removed my sys-usb (netvm) and 
created a sys-usb (appvm). After I created the new sys-usb I realized that It 
would not run unless I set pci_strictreset to false. This was not acceptable to 
me so I removed the new sys-usb and created a new one with:
sudo qubesctl top.enable qvm.sys-usb
sudo qubesctl top.enable qvm.sys-usb
The reason I think this may have contributed to the problem is because the 
first two times I tried to restore my appVMs things did not go well. The first 
time the Gui completely froze and I was unable to unmount the drive. The second 
time the backup-restore did not complete but at least the screen did not freeze 
up. The third time I used a backup from a couple days prior and everything went 
smoothly. It did not solve the problem though. I still can not unlock my 
Keepass vaults.
I'm not really sure what to do next. Is it possible that my backups are somehow 
being corrupted when I restore them? I'm a little flustered at this point and I 
could use some guidance.
Thanks in advance

Sent with [ProtonMail](https://protonmail.com) Secure Email.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bxBy0NZ0IKS2x9meswh-rx0RjPWERRA8iXBLHY7WAeLwyuHTuqsn-8HYy4kos7XVKJZxq93krud8pvrgkRHhOYcU3aw2Ecp-s5FTibDCmk0%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] RE: second installation of latest qubes os again without any network to wan

[David Marceau]

Please disregard, it was using a different ethernet port as the default device.
enp0s1
eth0
I had my cable plugged into the wrong port.

Always a user problem 
Sorry.
-Original Message-
From: qubes-users@googlegroups.com [mailto:qubes-users@googlegroups.com] On 
Behalf Of David Marceau
Sent: July-18-17 4:04 PM
To: qubes-users@googlegroups.com
Subject: [qubes-users] second installation of latest qubes os again without any 
network to wan

Hi there,

I installed qubes os (Qubes Release 3.2) twice today:
1)first time used the default automatic disk partitioning and kept additional 
whonix component installation 2)second time used the default automatic disk 
partitioning and did not install the additional whonix component

On both occasions after booting up:
1)attempted to run menu->work->terminal(fedora 23 default current).
Ip link
Shows lo0 and eth0.
Ip -4 addr
Shows 10.137.2.10 for eth0
When I ping google.ca nothing.

2)attempted to run menu->work->firefox(fedora 23 default current).  I got the 
hour glass in firefox.

I can observe the different dependencies between the qubes within the qube 
manager:
-dom0 has the adminvm template
-sys-net has fedora 23 template
-sys-firewall has fedora 23 template, but has the netvm set to sys-net -work 
has fedora 23 template, but has the netvm set to sys-firewall.

It all seems reasonable but where is the configuration from sys-net to point to 
something within the 192.168.0.0(LAN) ?
Where should it be?
Why wasn't Qubes OS unable to figure that out automatically as 
dhclient/networkmanager/nmcli/netctl can do it?

Thank you in advance.

David Marceau

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/014D45927339A4439C53188404C39524703E4E07%40triton.mercury.local.com.
For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/014D45927339A4439C53188404C39524703E4E22%40triton.mercury.local.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] second installation of latest qubes os again without any network to wan

[David Marceau]

Hi there,

I installed qubes os (Qubes Release 3.2) twice today:
1)first time used the default automatic disk partitioning and kept additional 
whonix component installation
2)second time used the default automatic disk partitioning and did not install 
the additional whonix component

On both occasions after booting up:
1)attempted to run menu->work->terminal(fedora 23 default current).
Ip link
Shows lo0 and eth0.
Ip -4 addr 
Shows 10.137.2.10 for eth0
When I ping google.ca nothing.

2)attempted to run menu->work->firefox(fedora 23 default current).  I got the 
hour glass in firefox.

I can observe the different dependencies between the qubes within the qube 
manager:
-dom0 has the adminvm template
-sys-net has fedora 23 template
-sys-firewall has fedora 23 template, but has the netvm set to sys-net
-work has fedora 23 template, but has the netvm set to sys-firewall.

It all seems reasonable but where is the configuration from sys-net to point to 
something within the 192.168.0.0(LAN) ?
Where should it be?
Why wasn't Qubes OS unable to figure that out automatically as 
dhclient/networkmanager/nmcli/netctl can do it?

Thank you in advance.

David Marceau

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/014D45927339A4439C53188404C39524703E4E07%40triton.mercury.local.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Why doesn't the TemplateVM make the newly installed software present the option to add the shortcut?

[Patrick Bouldin]

On Tuesday, July 18, 2017 at 2:40:06 PM UTC-4, Noor Christensen wrote:
> On Tue, Jul 18, 2017 at 11:22:29AM -0700, Patrick Bouldin wrote:
> > On Tuesday, July 18, 2017 at 2:12:39 PM UTC-4, Patrick Bouldin wrote:
> > > Hi, I added routine software like libre office draw or writer in the
> > > TemplateVM. I am then able to run it in the corresponding appVM -
> > > however, I attempt to "add shortcuts" either on the template or the
> > > appVM they don't show as available. I think I can do it manually but
> > > would like to fix this bug, it wasn't a problem before. I have done
> > > a dom0 update by the way.
> > > 
> > > Thanks,
> > > Patrick
> > 
> > update: I tried to mannually add with the command qvm-sync-appmenus ,
> > and that command is not valid. Is this the problem? How to recover?
> 
> What do you mean with "not valid"? It needs a VM name as its only
> argument, which should be clear from the help output. 
> 
> Try the following in dom0:
> 
> $ qvm-sync-appmenus 
> 
> Replace  with the name of your TemplateVM.
> 
> It will show any errors encountered during the process, which might give
> you a clue of what's wrong.
> 
> -- noor
> 
> |_|O|_|
> |_|_|O|  Noor Christensen  
> |O|O|O|  n...@fripost.org ~ 0x401DA1E0

Thanks noor. I tried that but it said I had to do that in the template VM, 
weird. Tried it there and command wasn't available.

Anyway I decided to update the overall template VM and all of a sudden the 
shortcuts showed up as available - weird again!

So I guess it's solved, sort of :)

Thanks,
Patrick

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5fb9c562-899e-45ad-b37d-04ba434ec9aa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Why doesn't the TemplateVM make the newly installed software present the option to add the shortcut?

[Noor Christensen]

On Tue, Jul 18, 2017 at 11:22:29AM -0700, Patrick Bouldin wrote:
> On Tuesday, July 18, 2017 at 2:12:39 PM UTC-4, Patrick Bouldin wrote:
> > Hi, I added routine software like libre office draw or writer in the
> > TemplateVM. I am then able to run it in the corresponding appVM -
> > however, I attempt to "add shortcuts" either on the template or the
> > appVM they don't show as available. I think I can do it manually but
> > would like to fix this bug, it wasn't a problem before. I have done
> > a dom0 update by the way.
> > 
> > Thanks,
> > Patrick
> 
> update: I tried to mannually add with the command qvm-sync-appmenus ,
> and that command is not valid. Is this the problem? How to recover?

What do you mean with "not valid"? It needs a VM name as its only
argument, which should be clear from the help output. 

Try the following in dom0:

$ qvm-sync-appmenus 

Replace  with the name of your TemplateVM.

It will show any errors encountered during the process, which might give
you a clue of what's wrong.

-- noor

|_|O|_|
|_|_|O|  Noor Christensen  
|O|O|O|  n...@fripost.org ~ 0x401DA1E0

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170718184001.rfxjexjwz5jeuy22%40mail.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: PGP signature

[qubes-users] Re: Why doesn't the TemplateVM make the newly installed software present the option to add the shortcut?

[Patrick Bouldin]

On Tuesday, July 18, 2017 at 2:12:39 PM UTC-4, Patrick Bouldin wrote:
> Hi, I added routine software like libre office draw or writer in the 
> TemplateVM. I am then able to run it in the corresponding appVM - however, I 
> attempt to "add shortcuts" either on the template or the appVM they don't 
> show as available. I think I can do it manually but would like to fix this 
> bug, it wasn't a problem before. I have done a dom0 update by the way.
> 
> Thanks,
> Patrick

update: I tried to mannually add with the command qvm-sync-appmenus , and that 
command is not valid. Is this the problem? How to recover?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f823447a-eb51-43a3-95d8-3188da8f6247%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: dislocker in qubes / bitlocker w/ windows HVM

[Milo tG]

ok, gotcha.  I will start looking into that.  Was thinking the same thing
except option 3 since I don't have a lot of data on the other machine and I
suspect the Windows HVM is a huge hassle.  I will give it a shot first,
though.

As for Dislocker I tried to do it again, following the directions even more
carefully this time, and got a "Segmentation Error"

Since I don't know wtf I am doing and am 50% certain that I have already
broken it, I am definitely not going to keep fiddling with it.

-M

On Tue, Jul 18, 2017 at 2:01 AM, cooloutac  wrote:

> On Monday, July 17, 2017 at 9:50:54 PM UTC-4, mil...@gmail.com wrote:
> > Hello all,
> >
> > It's possible this issue has nothing to do with qubes and I am talking
> to dislocker as well, but I didn't find anything about it in the search
> here, so...
> >
> > I am using qubes 3.2 and need to access a Windoh's-10-bitlocker-encrypted
> external hard drive.
> >
> > SOB story so you know why I must do such a silly thing:
> >
> > My windows 10 laptop was locked with syskey configured to read a
> USB-drive as A:, and also encrypted with bitlocker.  That USB drive was
> stolen (thankfully nothing else important on it) but now my windows laptop
> is inaccessible, and to even be able to wipe/restore it I need the
> bitlocker recovery key.  I have the recovery key for the external hard
> drive and within it is the recovery key for the laptop.
> >
> > I had (or thought I had) the recovery key written down but the key is
> not working which has me somewhat concerned the one in the external won't
> either but I have to try.
> >
> > My current usable machine is Qubes-only.  I see three options:
> >
> > 1) use dislocker if possible to decrypt the external hard drive and get
> my data that way
> >
> > 2) set up a windows 10 HVM and use bitlocker from it to open up the
> external
> >
> > 3) Just make a new usb windows10 recovery drive and wipe that way (would
> rather not)
> >
> >
> >
> > link to dislocker:
> >
> > https://github.com/Aorimn/dislocker
> >
> > Currently I am trying option 1 but I think dislocker is having trouble
> with the Qubes filesystem.  I am able to create the dislocker-file.ntfs
> image of the drive with minimal fuss.
> >
> > (Note: external drive is larger capacity than onboard, so I cannot image
> the whole drive onto disk, must use the "fuse" method)
> >
> > However, when I try to mount it, I have to use the -T option or it
> complains about fstab not having the mount point and if I use the -T option
> it says that:
> >
> > /mnt/dislocker-file.ntfs: failed to parse
> >
> > and I'm dead in the water.  It also seems to keep the created file
> active since during an earlier attempt I created a file with no extension
> and was unable to rename it as it was in-use.
> >
> > So, I am concerned that if I delete it I'm going to wipe the external
> drive because of the way dislocker works...
> >
> > As far as I can tell, I am following the dislocker instructions
> precisely. I am also performing all the operations in my sys-usb VM which
> has been tested and works fine otherwise.
> >
> > Is it possible that I need to do some of this in dom0?
> >
> > Any other reason I would be running into this fail?
> >
> >
> >
> > DISLOCKER LOG:
> >
> > sudo dislocker -vvv -l dislocker.txt -r -V /dev/sda1
> -p##-##-##-##-##-##-##-## --
> /mnt/dislocker-file.ntfs
> >
> > Mon Jul 17 20:04:22 2017 [INFO] dislocker by Romain Coltel, v0.5.1
> (compiled for Linux/x86_64)
> > Mon Jul 17 20:04:22 2017 [INFO] Volume GUID (INFORMATION OFFSET)
> supported
> > Mon Jul 17 20:04:22 2017 [INFO] BitLocker metadata found and parsed.
> > Mon Jul 17 20:04:22 2017 [INFO] Stretching the recovery password, it
> could take some time...
> > Mon Jul 17 20:04:23 2017 [INFO] Stretching of the recovery password is
> now ok!
> > Mon Jul 17 20:04:23 2017 [INFO] Used recovery password decryption method
> > Mon Jul 17 20:04:23 2017 [INFO] Found volume's size: 0xe8e0da7e00
> (1000204828160) bytes
> > Mon Jul 17 20:04:23 2017 [INFO] Running FUSE with these arguments:
> > Mon Jul 17 20:04:23 2017 [INFO]   `--> 'dislocker'
> > Mon Jul 17 20:04:23 2017 [INFO]   `--> '/mnt/dislocker-file.ntfs'
>
> I would do option 2.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CALyxYestQ5cav4gqbc1D1B5GWKLdn__ngGRPZdd_0ZQVh9v%3Dtg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Bitcoin Node on appVM

[Unman]

On Tue, Jul 18, 2017 at 09:08:20AM -0700, Max wrote:
> On Tuesday, 18 July 2017 23:45:13 UTC+8, Unman  wrote:
> > On Tue, Jul 18, 2017 at 08:33:37AM -0700, Max wrote:
> > > Hi,
> > > 
> > > I have installed the Bitcoin Core client and wish to allow inbound 
> > > connections. Has anyone tried doing this? I am able to connect to the 
> > > network with outbound connections but have had no success when trying to 
> > > get inbound connections
> > > 
> > > I have taken these steps:
> > > 
> > > 1) Installed Bitcoin GUI in the template VM
> > > 2) Run it in a dedicated AppVM, downloaded the entire blockchain and am 
> > > in sync
> > > 3) Configured port forwarding on the router, removed the firewall
> > > 4) Followed the port forwarding steps 
> > > (https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world)
> > >  but replaced the port 443 in the instructions with 8333
> > > 5) Tried to Telnet the IP address on the sys-net (appears to be 
> > > 192.168.1.18 on the wlp0s1 and do check node on bitnodes.21.co but it is 
> > > unable to connect to host / says my IP is unreachable
> > > 
> > > Any advice
> > > 
> > > Thanks,
> > > 
> > > Max
> > > 
> > 
> > I'm always worried when I see comments like "removed the firewall", or
> > global changes to firewall rules. This is almost never the right thing
> > to do.You should be able to put new permissive rules in the firewall
> > and retain other protections.
> > 
> > Anyway, 192.168.. is a private address, not routable on the internet.
> > What you want to provide is the EXTERNAL IP address on your router.
> > If you don't know this you can check it using nwtools.com, unless you're
> > using Tor or a VPN, in which case just log in to the router and check.
> > 
> > unman
> 
> Hi Unman,
> 
> Regarding the firewall changes - possibly I wasn't clear.
> 
> The statement removing the firewall was simply me disabling it on the router. 
> I wanted to eliminate this as a possibility before raising my questions here. 
> The only changing of the firewall I have done in the Qubes OS is the iptables 
> changes on the sys-net and sys-firewall VMs.
> 
> As far as I understand, whilst I may have been a bit of a fool to put in my 
> private address in the telnet, the Bitnodes website was testing the correct 
> port on the external IP address I have. I am getting an unreachable message 
> here. I only did the internal address from a different device on the same 
> network.
> 
> Thanks,
> 
> Max
> 

Hi Max,

If you can monitor the router, you should be able to see the inbound
traffic when you run that test.
You can also run 'iptables -L -nv' on sys-net, and watch counters - again,
you should see the counter increment when you run the test. (Watch a
rule that allows traffic to port 8333, obviously)
You can also watch counters on sys-firewall and the target qube.

By doing all this you should be able to see where the traffic is being
blocked, without needing to use a network sniffer or dumping traffic.

Start at the outmost node, and work inwards. At the point where you dont
see traffic you know the problem lies one hop upstream, (unless it
doesn't get to the router obviously).

If you see the traffic inbound at the destination qube, then it's
possible that you are blocking the return traffic on the way out. Just
reverse the process to trace the outbound traffic.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170718181258.sg6v6mn7obfjg2nn%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Why doesn't the TemplateVM make the newly installed software present the option to add the shortcut?

[Patrick Bouldin]

Hi, I added routine software like libre office draw or writer in the 
TemplateVM. I am then able to run it in the corresponding appVM - however, I 
attempt to "add shortcuts" either on the template or the appVM they don't show 
as available. I think I can do it manually but would like to fix this bug, it 
wasn't a problem before. I have done a dom0 update by the way.

Thanks,
Patrick

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/60851780-1c50-4e6f-b500-a7f153d7b057%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Lenovo T540p intermittent network problem

[Unman]

On Tue, Jul 18, 2017 at 05:59:53PM +0200, Barry Du Plessis wrote:
> Hi
> 
> I recently installed Qubes R3.2 on my Lenovo T540p.  It installed and is
> running.  The wifi card in the machine is an Intel Wireless 7260.  Qubes
> does pick this up, and connects to my wifi, BUT the connection is
> intermittend.  If I ping (e.g.) ping www.google.com, I will get a packet
> loss of anything between 20% to 50%.
> 
> I have previously installed Ubuntu on the same hardware, and had a similar
> problem there, which I solved by disabling 802.11n on the wireless (add
> "options iwlwifi 11n_disable=1" to /etc/modprobe.d/iwlwifi.conf).
> 
> However, this does not seem to work on Qubes - I have added the file in
> both a dom0 and net-sys terminal (as root), and in both cases the file
> disappeared after rebooting the system and the problem remains.
> 
> I have searched Google and the qubes groups, but could not find a solution
> to this problem.  Can someone please either tell me how/where to set the
> 11n_disable parameter, or else have another solution for the intermittent
> network problem?  It is at the moment impossible to use the Internet or
> install software because of this.
> 
> Thanks
> 
> Barry
> 

Hi Barry - 
You need to understand a core feature of Qubes - the use of Templates to
back individual qubes. There is a good explanation here:
www.qubes-os.org/doc/getting-started

So you can make a permanent change by altering the Template on which
your sys-net is based.
It's also possible to make individual changes by putting them in to
/rw/config/rc.local in the qube - Look here:
www.qubes-os.org/doc/config-files/
Remember to chmod +x rc.local if you want the changes to take effect on
boot.

There is another mechanism - the use of bind-dirs to have a persistent
config file in a Template-based qube. Again, that's covered inn the
docs.

cheers

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170718180402.de4aw2sfny2n4vcp%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Enigmail not working with Split GPG

[Chris Laprise]

I already have Split GPG working with git, but after following the Split
GPG doc for Thunderbird I'm getting errors (from the Enigmail
Preferences dialog):

> GnuPG cannot be executed with the path provided. Enigmail is therefore
> deactivated...

and

> Cannot connect to gpg-agent. Maybe your system uses a specialized tool
> for passphrase handling (e.g. gnome-keyring, seahorse-agent, KDE wallet
> manager, ...). Unfortunately Enigmail cannot control the passphrase
> timeout for the tool you are using. Therefore the respective timeout
> settings in Enigmail are disregarded.


I'm using Debian 9 appVMs. Issue #2170 doesn't appear to be the same as
this problem.

-- 

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/01e7b4fb-ac0d-c7ca-05fa-74ef09bbbc4a%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Bitcoin Node on appVM

[Max]

On Tuesday, 18 July 2017 23:45:13 UTC+8, Unman  wrote:
> On Tue, Jul 18, 2017 at 08:33:37AM -0700, Max wrote:
> > Hi,
> > 
> > I have installed the Bitcoin Core client and wish to allow inbound 
> > connections. Has anyone tried doing this? I am able to connect to the 
> > network with outbound connections but have had no success when trying to 
> > get inbound connections
> > 
> > I have taken these steps:
> > 
> > 1) Installed Bitcoin GUI in the template VM
> > 2) Run it in a dedicated AppVM, downloaded the entire blockchain and am in 
> > sync
> > 3) Configured port forwarding on the router, removed the firewall
> > 4) Followed the port forwarding steps 
> > (https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world)
> >  but replaced the port 443 in the instructions with 8333
> > 5) Tried to Telnet the IP address on the sys-net (appears to be 
> > 192.168.1.18 on the wlp0s1 and do check node on bitnodes.21.co but it is 
> > unable to connect to host / says my IP is unreachable
> > 
> > Any advice
> > 
> > Thanks,
> > 
> > Max
> > 
> 
> I'm always worried when I see comments like "removed the firewall", or
> global changes to firewall rules. This is almost never the right thing
> to do.You should be able to put new permissive rules in the firewall
> and retain other protections.
> 
> Anyway, 192.168.. is a private address, not routable on the internet.
> What you want to provide is the EXTERNAL IP address on your router.
> If you don't know this you can check it using nwtools.com, unless you're
> using Tor or a VPN, in which case just log in to the router and check.
> 
> unman

Hi Unman,

Regarding the firewall changes - possibly I wasn't clear.

The statement removing the firewall was simply me disabling it on the router. I 
wanted to eliminate this as a possibility before raising my questions here. The 
only changing of the firewall I have done in the Qubes OS is the iptables 
changes on the sys-net and sys-firewall VMs.

As far as I understand, whilst I may have been a bit of a fool to put in my 
private address in the telnet, the Bitnodes website was testing the correct 
port on the external IP address I have. I am getting an unreachable message 
here. I only did the internal address from a different device on the same 
network.

Thanks,

Max

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8c0ba07f-23b9-4d01-8822-122e346411d9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Lenovo T540p intermittent network problem

[Barry Du Plessis]

Hi

I recently installed Qubes R3.2 on my Lenovo T540p.  It installed and is
running.  The wifi card in the machine is an Intel Wireless 7260.  Qubes
does pick this up, and connects to my wifi, BUT the connection is
intermittend.  If I ping (e.g.) ping www.google.com, I will get a packet
loss of anything between 20% to 50%.

I have previously installed Ubuntu on the same hardware, and had a similar
problem there, which I solved by disabling 802.11n on the wireless (add
"options iwlwifi 11n_disable=1" to /etc/modprobe.d/iwlwifi.conf).

However, this does not seem to work on Qubes - I have added the file in
both a dom0 and net-sys terminal (as root), and in both cases the file
disappeared after rebooting the system and the problem remains.

I have searched Google and the qubes groups, but could not find a solution
to this problem.  Can someone please either tell me how/where to set the
11n_disable parameter, or else have another solution for the intermittent
network problem?  It is at the moment impossible to use the Internet or
install software because of this.

Thanks

Barry

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAFRzxQ3t7B96mwnD9b4C5woR1cqC6J0p7HnXxeNExa3xx0c7mg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Bitcoin Node on appVM

[Unman]

On Tue, Jul 18, 2017 at 08:33:37AM -0700, Max wrote:
> Hi,
> 
> I have installed the Bitcoin Core client and wish to allow inbound 
> connections. Has anyone tried doing this? I am able to connect to the network 
> with outbound connections but have had no success when trying to get inbound 
> connections
> 
> I have taken these steps:
> 
> 1) Installed Bitcoin GUI in the template VM
> 2) Run it in a dedicated AppVM, downloaded the entire blockchain and am in 
> sync
> 3) Configured port forwarding on the router, removed the firewall
> 4) Followed the port forwarding steps 
> (https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world)
>  but replaced the port 443 in the instructions with 8333
> 5) Tried to Telnet the IP address on the sys-net (appears to be 192.168.1.18 
> on the wlp0s1 and do check node on bitnodes.21.co but it is unable to connect 
> to host / says my IP is unreachable
> 
> Any advice
> 
> Thanks,
> 
> Max
> 

I'm always worried when I see comments like "removed the firewall", or
global changes to firewall rules. This is almost never the right thing
to do.You should be able to put new permissive rules in the firewall
and retain other protections.

Anyway, 192.168.. is a private address, not routable on the internet.
What you want to provide is the EXTERNAL IP address on your router.
If you don't know this you can check it using nwtools.com, unless you're
using Tor or a VPN, in which case just log in to the router and check.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170718154508.ttlrp3zds373qhyz%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Bitcoin Node on appVM

[Max]

Hi,

I have installed the Bitcoin Core client and wish to allow inbound connections. 
Has anyone tried doing this? I am able to connect to the network with outbound 
connections but have had no success when trying to get inbound connections

I have taken these steps:

1) Installed Bitcoin GUI in the template VM
2) Run it in a dedicated AppVM, downloaded the entire blockchain and am in sync
3) Configured port forwarding on the router, removed the firewall
4) Followed the port forwarding steps 
(https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world)
 but replaced the port 443 in the instructions with 8333
5) Tried to Telnet the IP address on the sys-net (appears to be 192.168.1.18 on 
the wlp0s1 and do check node on bitnodes.21.co but it is unable to connect to 
host / says my IP is unreachable

Any advice

Thanks,

Max

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f0bc97d5-7434-4165-817e-5e0d05deacc5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

[Chris Laprise]

On 07/17/2017 07:37 PM, Gaiko wrote:

On Sunday, July 16, 2017 at 9:41:53 PM UTC-4, Chris Laprise wrote:

On 07/16/2017 09:23 PM, Gaiko Kyofusho wrote:


Sun Jul 16 21:16:22 2017 us=614593 RESOLVE: Cannot resolve host address:
vpnprovidermod'dname.com : No address associated with
hostname


Did you put any restrictions on your sys-firewall? Attaching the VPN 
directly to sys-net is usually sufficient.


Also, you could try removing internal firewall output restriction with:
sudo iptables -P OUTPUT ACCEPT

then run openvpn again.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/44474816-db0a-47da-bc22-ef68d8972891%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Anyone tried Anbox ('Android in a box') under Qubes

[Steve Coleman]

On 07/17/2017 03:21 AM, 'P R' via qubes-users wrote:

Hello,

I'm interested in running Android as HVM within Qubes.
Has anyone trying to do so already with the code from the Anbox Project?

https://anbox.io



Just did, and it only supports Ubuntu, LinuxMint, neon, elementary at 
the moment. So the fedora-fcNN template/VM's won't work. It refuses to 
install using snap.



/"(...) Anbox puts the Android operating system into a container,
abstracts hardware access and integrates core system services into a
GNU/Linux system. Every Android application will be integrated with your
operating system like any other native application. (...)"/
/
/
I haven't seen it yet, but having the application  integrated with the
OS sounds like what Qubes is doing with AppVMs to the user, so very
user-friendly.

- PhR


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/42e17fe0-0273-d1fc-95f8-4d384296ba4f%40jhuapl.edu.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Ledger Nano S on Qubes OS R3.2

[Dave C]

On Sunday, April 30, 2017 at 3:02:23 AM UTC-7, 0x...@secure.mailbox.org wrote:
> Hi, 
> Does anyone actually make Qubes OS R 3.2 working with Ledger Nano S hardware 
> wallet? 

Yes.

Follow the Qubes instructions: 
https://www.qubes-os.org/doc/usb/#attaching-a-single-usb-device-to-a-qube-usb-passthrough

In your AppVM, follow these extra instructions from ledger: 
http://support.ledgerwallet.com/knowledge_base/topics/ledger-wallet-is-not-recognized-on-linux

What's working for me is these lines appended to `/rw/config/rc.local` in AppVM:

# 
http://support.ledgerwallet.com/knowledge_base/topics/ledger-wallet-is-not-recognized-on-linux

```
#!/bin/bash
echo "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"2581\", 
ATTRS{idProduct}==\"1b7c\", MODE=\"0660\", OWNER=\"user\", GROUP=\"plugdev\"" 
>/etc/udev/rules.d/20-hw1.rules
echo "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"2581\", 
ATTRS{idProduct}==\"2b7c\", MODE=\"0660\", OWNER=\"user\", GROUP=\"plugdev\"" 
>>/etc/udev/rules.d/20-hw1.rules
echo "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"2581\", 
ATTRS{idProduct}==\"3b7c\", MODE=\"0660\", OWNER=\"user\", GROUP=\"plugdev\"" 
>>/etc/udev/rules.d/20-hw1.rules
echo "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"2581\", 
ATTRS{idProduct}==\"4b7c\", MODE=\"0660\", OWNER=\"user\", GROUP=\"plugdev\"" 
>>/etc/udev/rules.d/20-hw1.rules
echo "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"2581\", 
ATTRS{idProduct}==\"1807\", MODE=\"0660\", OWNER=\"user\", GROUP=\"plugdev\"" 
>>/etc/udev/rules.d/20-hw1.rules
echo "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"2581\", 
ATTRS{idProduct}==\"1808\", MODE=\"0660\", OWNER=\"user\", GROUP=\"plugdev\"" 
>>/etc/udev/rules.d/20-hw1.rules
echo "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"2c97\", 
ATTRS{idProduct}==\"\", MODE=\"0660\", OWNER=\"user\", GROUP=\"plugdev\"" 
>>/etc/udev/rules.d/20-hw1.rules
echo "SUBSYSTEMS==\"usb\", ATTRS{idVendor}==\"2c97\", 
ATTRS{idProduct}==\"0001\", MODE=\"0660\", OWNER=\"user\", GROUP=\"plugdev\"" 
>>/etc/udev/rules.d/20-hw1.rules
udevadm trigger
udevadm control --reload-rules
```

Note: every time you switch into or out of an "app" on the ledger, the USB 
connection reset.  So you have to run, in dom0, `qvm-block -a ...` much more 
frequently than you might expect.

The Ledger Nano is brand new, so I haven't tested much beyond just getting the 
desktop apps to recognize it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/674fe279-1c17-495c-ba67-6dbf34467f63%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: heads up, qubes 3.2 still vuln to cve-2016-4484 (minor severity)

[cooloutac]

On Monday, July 17, 2017 at 8:31:42 PM UTC-4, pixel fairy wrote:
> On Sunday, July 16, 2017 at 9:55:55 AM UTC-7, yreb-qusw wrote:
> > On 07/16/2017 01:27 AM, pixel fairy wrote:
> > > ---
> > > In Dom0 install anti-evil-maid:
> > >
> > > sudo qubes-dom0-update anti-evil-maid
> > > ---
> > Doesn't sound like 'more work' just doing the above, perhaps there is 
> > more to it, I thought, it mentioned it's better to install via a USB Drive?
> 
> https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
> 
> as you can see, its a lot of steps, and only some laptops are compatible. 
> there are even new laptops, like the system76 lemur7 (i7 skylake), that cant 
> do AEM. 
> 
> ideally you can boot from a non usb external device, such as an sd card in 
> your purse or wallet. if you do use usb, then you have to disable hiding the 
> usb controller for a bit, which gives your attacker a window of opportunity 
> for the kinds of things AEM is meant to detect. 
> 
> this is a small windows of opportunity, but there is the theoretical case 
> that a clueless attacker with only a short time boots from their own device, 
> the attack fails because usb is locked (and they may not even know this) and 
> your laptop is ok. whereas if AEM needed that usb controller enabled to 
> function, the attack would succeed, or at least succeed enough to trip AEM. 
> 
> > What would be the "trade off"  and/or  How would I disable it , if it 
> > somehow messes up my Qubes install?
> 
> the most obvious trade off is needing your boot device to boot your laptop. 
> so, you must protect this device. you'll probably want more than one of them 
> in case one is lost or damaged, so you have to protect multiple devices. this 
> is fine for cyborgs with implanted, bootable usb devices. but, for the rest 
> of us, its something you must consider carefully in your threat model. 
> 
> a more thorough discussion of all this in the background blog post, 
> https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html
> 
> if it doesnt work, you wont be able to boot. youd have to reinstall qubes and 
> start over. if you want to disable it, you might be able to make a new 
> passphrase for luks that doesnt need the keyfile on your aem device. there 
> may be other steps required, but i havent tried it.

like pixel said you either can use a usb stick like a yubikey to boot, or use a 
usbvm don't think you can do both.   so in most cases a home desktop pc 
probably would just use usbvm.  but if you someone that travels with a laptop, 
that might be accessible to others, you might want to boot with usb key. 

aem can be used on both but without usb key if using usbvm,  but should note 
aem only notifies you that something happened, like pixel said it doesn't stop 
the attack,  like secure boot would in case of hacking teams insyde bios 
attack.  Also the only true option then would be to buy all new hardware if 
such a compromise did happen.  But some people upgrade their hardware every two 
years anyways.  If you careful you can last that long.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/32237f50-3bd7-4c17-bcb0-0bb3f83567a2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: dislocker in qubes / bitlocker w/ windows HVM

[cooloutac]

On Monday, July 17, 2017 at 9:50:54 PM UTC-4, mil...@gmail.com wrote:
> Hello all,
> 
> It's possible this issue has nothing to do with qubes and I am talking to 
> dislocker as well, but I didn't find anything about it in the search here, 
> so...
> 
> I am using qubes 3.2 and need to access a Windoh's-10-bitlocker-encrypted 
> external hard drive.
> 
> SOB story so you know why I must do such a silly thing:
> 
> My windows 10 laptop was locked with syskey configured to read a USB-drive as 
> A:, and also encrypted with bitlocker.  That USB drive was stolen (thankfully 
> nothing else important on it) but now my windows laptop is inaccessible, and 
> to even be able to wipe/restore it I need the bitlocker recovery key.  I have 
> the recovery key for the external hard drive and within it is the recovery 
> key for the laptop.
> 
> I had (or thought I had) the recovery key written down but the key is not 
> working which has me somewhat concerned the one in the external won't either 
> but I have to try.
> 
> My current usable machine is Qubes-only.  I see three options:
> 
> 1) use dislocker if possible to decrypt the external hard drive and get my 
> data that way
> 
> 2) set up a windows 10 HVM and use bitlocker from it to open up the external
> 
> 3) Just make a new usb windows10 recovery drive and wipe that way (would 
> rather not)
> 
> 
> 
> link to dislocker:
> 
> https://github.com/Aorimn/dislocker
> 
> Currently I am trying option 1 but I think dislocker is having trouble with 
> the Qubes filesystem.  I am able to create the dislocker-file.ntfs image of 
> the drive with minimal fuss.
> 
> (Note: external drive is larger capacity than onboard, so I cannot image the 
> whole drive onto disk, must use the "fuse" method)
> 
> However, when I try to mount it, I have to use the -T option or it complains 
> about fstab not having the mount point and if I use the -T option it says 
> that:
> 
> /mnt/dislocker-file.ntfs: failed to parse
> 
> and I'm dead in the water.  It also seems to keep the created file active 
> since during an earlier attempt I created a file with no extension and was 
> unable to rename it as it was in-use.
> 
> So, I am concerned that if I delete it I'm going to wipe the external drive 
> because of the way dislocker works...
> 
> As far as I can tell, I am following the dislocker instructions precisely. I 
> am also performing all the operations in my sys-usb VM which has been tested 
> and works fine otherwise.
> 
> Is it possible that I need to do some of this in dom0?
> 
> Any other reason I would be running into this fail?
> 
> 
> 
> DISLOCKER LOG:
> 
> sudo dislocker -vvv -l dislocker.txt -r -V /dev/sda1 
> -p##-##-##-##-##-##-##-## -- 
> /mnt/dislocker-file.ntfs
> 
> Mon Jul 17 20:04:22 2017 [INFO] dislocker by Romain Coltel, v0.5.1 (compiled 
> for Linux/x86_64)
> Mon Jul 17 20:04:22 2017 [INFO] Volume GUID (INFORMATION OFFSET) supported
> Mon Jul 17 20:04:22 2017 [INFO] BitLocker metadata found and parsed.
> Mon Jul 17 20:04:22 2017 [INFO] Stretching the recovery password, it could 
> take some time...
> Mon Jul 17 20:04:23 2017 [INFO] Stretching of the recovery password is now ok!
> Mon Jul 17 20:04:23 2017 [INFO] Used recovery password decryption method
> Mon Jul 17 20:04:23 2017 [INFO] Found volume's size: 0xe8e0da7e00 
> (1000204828160) bytes
> Mon Jul 17 20:04:23 2017 [INFO] Running FUSE with these arguments: 
> Mon Jul 17 20:04:23 2017 [INFO]   `--> 'dislocker'
> Mon Jul 17 20:04:23 2017 [INFO]   `--> '/mnt/dislocker-file.ntfs'

I would do option 2.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e374e50f-2603-465b-974b-b1860c52a31f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.