[qubes-users] Re: to firejail or not to firejail

2017-08-28 Thread Eric
The question as always is, what are you protecting? If it's your user data, 
compartmentalize differently. If it's some kind of root privilege escalation, 
that's a lost cause, as the vm sudo page explains. If it's some kind of malware 
that could get written with root privileges, well, that gets erased by 
rebooting the VM, unless it's persistent in your user data, but if it is, it's 
incredibly unlikely to be runnable (at least not without explicit user action).

I raise these questions because the answer to many of the "OMGWTFBBQ 
passwordless sudo" threads that appear every so often comes back down to either 
"whatever you're proposing wouldn't make a difference read the doc again" or 
"are you sure you read the doc and understood why the decision was made the way 
it was?"

I don't disagree that hardening VMs in general is good practice; I am very sad 
that Subgraph is MIA and grsecurity patches are no longer available, since they 
were a great way to harden Linux VMs.

In your particular situation, a good compromise might be the dom0 escalation 
prompt, described at the end of the VM Sudo documentation (no additional code, 
really, and at least *some* peace of mind that...it would take a few more 
seconds of extra work to find a root privilege escalation that would get around 
the prompt requirement?)


On Monday, August 28, 2017 at 9:22:48 PM UTC-7, pixel fairy wrote:
> firejail , https://firejail.wordpress.com/
> 
> can be used to restrict and/or contextualize a process with namespaces. i was 
> thinking of restricting ssh connections with it to prevent the free privilege 
> escalation qubes gives malicious apps in case of an exploitable hole in ssh. 
> but, firejail itself is more code to exploit, and though it matters less in 
> qubes, setuid. 
> 
> so what thinks all of you? worth the extra attack surface?
> 
> was also thinking of using firejails logging to flag attempts at sudo etc as 
> another means to flag a host with problems. this again, means extra code that 
> itself could be exploited.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/89f60e76-177e-42fe-ba21-2313bff42b2f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] New potential way of disabling ME

2017-08-28 Thread lokedhs
Apparently ME has a HAP mode that can be enabled, which disables most of the ME 
functionality.

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html



[qubes-users] qubes-devel Google Group Web Interface: Banned Content Warning

2017-08-28 Thread Reg Tiangha
FYI, trying to view the qubes-devel Google Group on a web browser
currently displays this message:

Banned Content Warning
The group that you are attempting to view (qubes-devel) has been
identified as containing spam, malware or other malicious content.
Content in this group is now limited to view-only mode for those with
access.
Group owners can request an appeal after they have taken steps to clean
up potentially offensive content in the forum. For more information
about content policies on Google Groups, please see our Help Centre
article on abuse and our Terms of Service.

If you click on "Continue to the group," it shows no messages.



[qubes-users] Re: to firejail or not to firejail

2017-08-28 Thread cyberian
>the free privilege escalation qubes gives malicious apps
I don't believe Qubes gives malicious apps free privilege escalation, but if you 
want a password to be required for privilege escalation on the default user, or 
any user, you should just be able to require a password for sudo. I believe it's in 
the documentation here: https://www.qubes-os.org/doc/vm-sudo/



[qubes-users] to firejail or not to firejail

2017-08-28 Thread pixel fairy
firejail , https://firejail.wordpress.com/

can be used to restrict and/or contextualize a process with namespaces. i was 
thinking of restricting ssh connections with it to prevent the free privilege 
escalation qubes gives malicious apps in case of an exploitable hole in ssh. 
but, firejail itself is more code to exploit, and though it matters less in 
qubes, setuid. 

so what thinks all of you? worth the extra attack surface?

was also thinking of using firejails logging to flag attempts at sudo etc as 
another means to flag a host with problems. this again, means extra code that 
itself could be exploited. 



[qubes-users] Re: UEFI secureboot issue

2017-08-28 Thread cooloutac
On Monday, August 28, 2017 at 3:36:56 PM UTC-4, socks wrote:
> > But Qubes still relies a lot on user habits, and in fact the user learning 
> > new habits.  So Qubes does require even more discipline than linux or 
> > windows, to get the full benefits of using it, imo.  But I think the avg 
> > person can easily get used to it.
> >
> > And like I said it took almost two years to compromise my qubes machine,  
> > doing the same tasks on a windows machine would take a month or two.  
> > And with linux only days.   This is my personal experience since 2008, of 
> > course I have no proof.  If you were to ask me during windows xp days?  I 
> > would immediately say linux is more secure.  But times change.
> 
> OK why "only days", I ask because I also have a Linux Mint Box , and who 
> is "HVM" ?

well linux mint is even worse for security than other linux boxes, like fedora 
or debian. Because the linux mint devs themselves say security is not their 
priority, and they hold back updates to ensure stability.  But that means you 
are getting patches way later than you should.  They forget to sign stuff 
sometimes, don't renew their website certs, don't even use good encryption 
for sig files. A hacker was even putting out backdoored iso on their site last 
year I believe.

If you really want to use linux I would recommend debian, where you can easily 
encrypt all partitions and the devs take security seriously.  Plus it's the 
easiest linux to compile your own hardened kernel for.

But like I keep saying it all depends on the user and I am only giving you my 
personal experiences based on how I've used my own pc. 



[qubes-users] Qubes 4.0rc1 - Resize HVM disk size

2017-08-28 Thread cyberian
The directions on Qubes website used to resize an HVM disk do not work on 
Qubes4.0rc1

/var/lib/qubes/appvms// has no root.img file in it.  the only file in 
the directory is icon.png

How do I resize an HVM disk on 4.0rc1?



[qubes-users] Re: HCL - Surface Pro 3 (i5-4300U 4Gb)

2017-08-28 Thread anguilla1980
On Saturday, November 19, 2016 at 6:48:31 PM UTC-8, Johannes Zipperer wrote:
> I tested Qubes 3.2 with the Fedora 24 template for about 5 hours intensely.
> 
> Installation: No problems during install. Bootable USB is only accepted 
> when the Secure Boot keys are removed (hit ESC or DEL during boot for 
> uefi). TPM Module seems not to be identified but I did put not much 
> effort into diagnosing the problem. 
> 
> Connect wifi: After some trouble of finding the network manager in the 
> sys-net qube I successfully connected. Oddly the reception bars are red 
> while there is no issue using the web.
> 
> Whonix: Following the installation wiki for whonix it worked out of the 
> box to connect to the TOR network verified by check.torproject.org. I 
> was able to watch a youtube clip with smooth playback and with working 
> sound. HighDPI scaling has to be configured manually. The performance 
> concerning web browsing is not much worse from firefox from the 
> fedora-24 template.
> 
> Windows: using in dom0 the command qvm-start Windows-10 
> --cd-rom=fedora-24:/home/user/Downloads/Windows.iso was not successful. 
> So I gave up for now on that.
> 
> Touchscreen and stylus: both work out of the box. Stylus connected not 
> very reliably, but drawing lines and writing after that is fine. 
> Onscreen keyboard is missing and I didn't get florence to type anything. 
> Annotating PDFs works fairly well in Okular. Volume rocker and power button 
> works out of the box
> 
> USB-Devices and microSD: Mounted a FAT formatted USB drive successfully. 
> Cherry DW5000 works out of the box but media keys and super key need 
> configuring. I have no original type or touch cover to test. exFAT 
> microSD didn't work. But the same microSD card worked in the built-in 
> reader when formatted in NTFS (tested transferring and opening a JPG). 
> Using a USB hub with SD cardreader worked out of the box.
> 
> High DPI scaling: works generally well for touch control. Firefox opens 
> first time after restart with too big UI elements and text. Icons in 
> some applications like in Gimp are not scaled and kind of small. The 
> dom0 and template applications are generally not scaled.
> 
> Audio and Video: sound output works out of the box, playing mp3 in vlc 
> as well, mp4 in vlc in software decoding mode very choppy. youtube 
> videos are more fluid but no fullscreen support. streaming youtube 
> videos in vlc didn't work. Recording audio from the microphone with 
> pulsecaster works out of the box.
> 
> installing software: I was able to install and use vlc, Okular, 
> LibreOffice, Inkscape (bad stylus support), Gimp (better stylus 
> support), Thunderbird, Darktable, I changed the language and keyboard 
> layout to german successfully. Since I installed, tested and configured 
> everything in the template I have to say something about the use inside 
> a qube. I didn't test the pulsecaster, florence, Okular successfully in 
> the "personal" qube.
> 
> suspend reboot and shutdown: shutdown works, but is slow. device shows 
> black screen after suspending and wakes up when a key is pressed, but I 
> don't know if it really gets into the lower C states in between. reboot 
> does not work.
> 
> File manager: starting the file manager needs a second click in 50% of 
> the cases when I wanted to start it. Copying files works.
> 
> Performance and battery life: I assume that it is all rendered in 
> software, so considering that, I think the performance is decent, maybe 
> as a 1,3 GHz quad core Android phone regarding application start and tabbed 
> browsing (sorry for the comparison =/). Battery life is lower 
> than under windows, I didn't find the brightness controls and the 
> brightness sensor did not work out of the box, so my battery life was 
> only around 3 hours.
> 
> Reverting back to windows: I successfully tested installing again Windows 10, 
> which was previously tied to this device on a certain Microsoft account 
> (important because of the license server, that works without keys). It was 
> installed by a USB stick previously formatted by the media creation tool. The 
> risk is not so high to try Qubes, although I recommend getting accustomed 
> before using it in production. I hope this helps others.   
> 
> Life is good, Jesus is better!
>  Johannes

I just tried installing Qubes 4 RC and it looks like VT is not enabled on my 
SP3 on first boot after installation. In the EFI settings, I don't see a way to 
enable it either.

How did you get past this? XEN just gives me a CPU 0 error. Any idea how to 
enable VT? 


Re: [qubes-users] Options for securing /boot

2017-08-28 Thread Leo Gaspard
Just encrypting /boot would bring little, as it would still be possible
to modify the unencrypted part of GRUB (that decrypts /boot) to have it
overwrite the /boot with malicious kernel images (or even to not use the
ones provided).

The options I know of are (from IMO strongest to weakest):
 * AEM, for knowing when someone tampered with /boot
 * SecureBoot, for restricting the allowed-to-boot images (I don't know
about its ease of use with qubes, though)
 * locking your bootloader with a password and disallow external boot

I'd think having all these protections at the same time would be best,
using secureboot mostly to avoid having to ditch the laptop after AEM
says it's no longer trustworthy (because it may stop the attacker before
it can even make the laptop no longer trustworthy).


On 08/28/2017 09:48 PM, Unman wrote:
> On Sat, Aug 26, 2017 at 08:39:23AM -0700, 
> cyberian@national.shitposting.agency wrote:
>> Does Qubes offer a method of securing /boot? not just against USB evil maid 
>> attacks, but from tampering in general?
>>
>> for example, while a laptop is off, what would stop a malicious user from 
>> live booting to an arbitrary distro and altering kernel or xen images 
>> located on the unencrypted /boot partition?
>>
>> Does qubes offer options for encrypting /boot?
>>
> 
> The Fedora installer won't allow an encrypted boot partition, but there's
> nothing stopping you from encrypting /boot after installation. You will,
> of course, have to reconfigure grub to decrypt the new /boot, but that's
> straightforward.
> 
> 
> 



[qubes-users] Re: Secondary drive doc: VM directory doesn't exist

2017-08-28 Thread Boris Kourtoukov
On Monday, August 28, 2017 at 11:58:23 PM UTC+2, Boris Kourtoukov wrote:
> After following the instructions outlined here: 
> https://www.qubes-os.org/doc/secondary-storage/
> 
> When I run: `qvm-start my-app-vm` 
> I am getting a: `ERROR: VM directory doesn't exist: 
> /var/lib/qubes/appvms/my-app-vm`
> 
> Using up-to-date Qubes R3.2
> Trying to store on an internal secondary drive that is mounted to dom0. 
> All the commands in the doc work as expected. Just can't find the VM.
> 
> link looks like:
> 
> ```
> lrwxrwxrwx 1 me qubes 10 aug 28 17:50 my-app-vm -> my-app-vm
> ```

And it's apparently late. Just a path issue in the link. Sorry for the spam.



[qubes-users] Secondary drive doc: VM directory doesn't exist

2017-08-28 Thread Boris Kourtoukov
After following the instructions outlined here: 
https://www.qubes-os.org/doc/secondary-storage/

When I run: `qvm-start my-app-vm` 
I am getting a: `ERROR: VM directory doesn't exist: 
/var/lib/qubes/appvms/my-app-vm`

Using up-to-date Qubes R3.2
Trying to store on an internal secondary drive that is mounted to dom0. 
All the commands in the doc work as expected. Just can't find the VM.

link looks like:

```
lrwxrwxrwx 1 me qubes 10 aug 28 17:50 my-app-vm -> my-app-vm
```



Re: [qubes-users] Informational videos about Qubes

2017-08-28 Thread Holger Levsen
On Sun, Aug 27, 2017 at 10:33:16PM -0500, Andrew David Wong wrote:
> > That sounds reasonable. Could we perhaps have a link to these
> > videos (as well as all other third-party materials about Qubes)
> > somewhere on the mailing group/IRC channel so that newcomers can
> > get acquainted with them?
[...]
> As for the IRC channel(s), JPO and Holger (CCed) may be able to take
> care of that.
 
surely we can add some link to /topic but I think first and foremost those
videos should be linked from qubes-os.org/docs/ and then everyone can find
them easily…


-- 
cheers,
Holger





Re: [qubes-users] Restore volume groups after remove in RO file sytem

2017-08-28 Thread Unman
On Mon, Aug 28, 2017 at 09:02:40PM +0100, Unman wrote:
> On Sat, Aug 26, 2017 at 01:36:41AM -0700, ion.437...@mail.md wrote:
> > I wanted to transfer all my data from encrypted HDD(Debian 9) to Qubes OS
> > 
> > 1.  I attach HDD and run these commands:
> > 
> > udisksctl unlock -b /dev/xvdi5   
> > 
> > modprobe dm-mod 
> > 
> > vgscan
> > 
> > vgchange -ay debian-vg
> > 
> > 
> > 2.  After I copied a couple of file i run this:
> > 
> > lvchange -an debian-vg
> > 
> > vgremove debian-vg
> > 
> > Now after reboot and run from this disk i have this error:
> > 
> > Begin: Runing /scripts/local-block ...
> > Volume group "debian-vg" not found 
> > Skipping volume group debian-vg
> > Unable to find LVM volume debian-vg/root
> > 
> > In (AppVM) /etc/lvm is only one file (lvm.conf)
> > 
> > Maybe somewhere in the logs left data about LVM volume or volume group?
> > Maybe is possible to mount and restore data?
> > 
> 
> I'd hope that you have a full backup of the data.
> In general I recommend using vgexport instead of vgremove because that
> is a destructive operation, (as you've discovered.)
> 
> If possible I would take a full disk clone before doing anything else.
> Then you could try to recover the metadata -
> without knowing a good deal more about how your disk was organised it's
> difficult to be precise. But if you had sda1 as the LVM partition, you
> could try poking at the first part of that partition to see if you can
> get the data from your volumegroup(VG)
> 'dd if=/dev/sda1 of=debian-vg bs=512 count=255 skip=1'
> Then open the debian-vg file and look for the configuration data -
> delete the extraneous material but make sure that you keep the right
> format.(You'll need to use a decent editor that copes with binary data,
> like vi)
> 
> Then see if you can restore from the recovered file:
> 'vgcfgrestore debian-vg'
> 
> unman
> 

If you did a standard Qubes install and encrypted the disk, you will, of
course, have to decrypt the partition before trying this, and make sure
that you dd from the decrypted partition.



Re: [qubes-users] Restore volume groups after remove in RO file sytem

2017-08-28 Thread Unman
On Sat, Aug 26, 2017 at 01:36:41AM -0700, ion.437...@mail.md wrote:
> I wanted to transfer all my data from encrypted HDD(Debian 9) to Qubes OS
> 
> 1.  I attach HDD and run these commands:
> 
> udisksctl unlock -b /dev/xvdi5   
> 
> modprobe dm-mod 
> 
> vgscan
> 
> vgchange -ay debian-vg
> 
> 
> 2.  After I copied a couple of file i run this:
> 
> lvchange -an debian-vg
> 
> vgremove debian-vg
> 
> Now after reboot and run from this disk i have this error:
> 
> Begin: Runing /scripts/local-block ...
> Volume group "debian-vg" not found 
> Skipping volume group debian-vg
> Unable to find LVM volume debian-vg/root
> 
> In (AppVM) /etc/lvm is only one file (lvm.conf)
> 
> Maybe somewhere in the logs left data about LVM volume or volume group?
> Maybe is possible to mount and restore data?
> 

I'd hope that you have a full backup of the data.
In general I recommend using vgexport instead of vgremove because that
is a destructive operation, (as you've discovered.)

If possible I would take a full disk clone before doing anything else.
Then you could try to recover the metadata -
without knowing a good deal more about how your disk was organised it's
difficult to be precise. But if you had sda1 as the LVM partition, you
could try poking at the first part of that partition to see if you can
get the data from your volumegroup(VG)
'dd if=/dev/sda1 of=debian-vg bs=512 count=255 skip=1'
Then open the debian-vg file and look for the configuration data -
delete the extraneous material but make sure that you keep the right
format.(You'll need to use a decent editor that copes with binary data,
like vi)

Then see if you can restore from the recovered file:
'vgcfgrestore debian-vg'

unman
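
The "look for the configuration data" step from the reply above, as an added example that is not part of the original message: it scans a raw dump such as the one the dd command produces for text metadata copies of the volume group, rejects truncated fragments, and picks the copy with the highest seqno. The sample dump and its field values are constructed, and the code assumes LVM2's on-disk text layout (each copy starts with the VG name and ends at a NUL byte).

```python
import re

# Bytes allowed in LVM2 text metadata: printable ASCII, tab, newline.
_TEXT = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A}


def _balanced(text):
    """True if every '{' outside a quoted string has a matching '}'."""
    depth = 0
    for ch in re.sub(r'"[^"\n]*"', '""', text):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def extract_copies(dump, vg_name):
    """Scan a raw dump for metadata copies of vg_name.

    Returns (copies, rejected): copies are dicts with offset, seqno and text;
    rejected are (offset, reason) pairs for fragments that fail validation.
    """
    marker = vg_name.encode("ascii") + b" {\n"
    copies, rejected = [], []
    pos = dump.find(marker)
    while pos != -1:
        prev = dump[pos - 1] if pos else 0
        # Skip matches that are the tail of a longer name or an indented section.
        if prev == 0x0A or prev not in _TEXT:
            end = dump.find(b"\x00", pos)
            raw = dump[pos:end if end != -1 else len(dump)]
            seqno = re.search(rb"^[ \t]*seqno = (\d+)$", raw, re.M)
            if not all(b in _TEXT for b in raw):
                rejected.append((pos, "non-text bytes before terminator"))
            elif seqno is None:
                rejected.append((pos, "no seqno field"))
            elif not _balanced(raw.decode("ascii")):
                rejected.append((pos, "unbalanced braces (truncated copy)"))
            else:
                copies.append({"offset": pos, "seqno": int(seqno.group(1)),
                               "text": raw.decode("ascii")})
        pos = dump.find(marker, pos + 1)
    return copies, rejected


def newest(copies):
    """Highest seqno wins: LVM increments seqno on every metadata commit."""
    return max(copies, key=lambda c: c["seqno"]) if copies else None


def _sample(seqno, lvs):
    """Constructed metadata text (not taken from a real disk)."""
    body = "".join(f"{lv} {{\nsegment_count = 1\n}}\n" for lv in lvs)
    return (f'debian-vg {{\nid = "CONSTRUCTED-VG-ID"\nseqno = {seqno}\n'
            f'format = "lvm2"\nextent_size = 8192\n'
            f'logical_volumes {{\n{body}}}\n}}\n'
            f'contents = "Text Format Volume Group"\nversion = 1\n').encode()


# Constructed dump: filler sector, two intact copies, one overwritten copy.
SAMPLE_DUMP = (
    b"\x00" * 512
    + _sample(1, ["root"]) + b"\x00" * 7
    + _sample(2, ["root", "swap_1"]) + b"\x00"
    + _sample(3, ["root", "swap_1", "home"])[:90] + b"\x00" * 16
)

if __name__ == "__main__":
    found, bad = extract_copies(SAMPLE_DUMP, "debian-vg")
    for off, why in bad:
        print(f"rejected fragment at offset {off}: {why}")
    best = newest(found)
    print(f"using seqno {best['seqno']} at offset {best['offset']}")
    print(best["text"])
```

Run it against a dump taken from a disk clone, and read the selected text by hand before giving it to vgcfgrestore.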



Re: [qubes-users] Options for securing /boot

2017-08-28 Thread Unman
On Sat, Aug 26, 2017 at 08:39:23AM -0700, cyberian@national.shitposting.agency 
wrote:
> Does Qubes offer a method of securing /boot? not just against USB evil maid 
> attacks, but from tampering in general?
> 
> for example, while a laptop is off, what would stop a malicious user from 
> live booting to an arbitrary distro and altering kernel or xen images located 
> on the unencrypted /boot partition?
> 
> Does qubes offer options for encrypting /boot?
> 

The Fedora installer won't allow an encrypted boot partition, but there's
nothing stopping you from encrypting /boot after installation. You will,
of course, have to reconfigure grub to decrypt the new /boot, but that's
straightforward.





Re: [qubes-users] Can I add a custom panel to xfce?

2017-08-28 Thread Unman
On Mon, Aug 28, 2017 at 11:41:55AM -0700, Gecko wrote:
> Does anybody know if there is a way for me to add a custom panel to xfce? 
> Like notes / reminders or something similar to Windows "Sticky Notes" feature.
> 

I don't know what "Sticky Notes" is. 
But you can add a new panel by right clicking on the existing panel,
selecting Panel -> Panel Preferences, and then hitting + to add a new
panel.
Alternatively you can add new items to the existing panel (in the way
that a netvm will create a network manager applet) - this may be what
you have in mind.

unman



[qubes-users] Re: UEFI secureboot issue

2017-08-28 Thread socks



But Qubes still relies a lot on user habits, and in fact the user learning new 
habits.  So Qubes does require even more discipline than linux or windows, to 
get the full benefits of using it, imo.  But I think the avg person can easily 
get used to it.

And like I said it took almost two years to compromise my qubes machine,  doing 
the same tasks on a windows machine would take a month or two.  And with 
linux only days.   This is my personal experience since 2008, of course I have 
no proof.  If you were to ask me during windows xp days?  I would immediately 
say linux is more secure.  But times change.


OK why "only days", I ask because I also have a Linux Mint Box , and who 
is "HVM" ?




Re: [qubes-users] qvm-trim-template alternative?

2017-08-28 Thread Unman
On Sun, Aug 27, 2017 at 09:28:07PM -0700, Gecko wrote:
> I know this has been marked as a bug 11 days ago, I am just wondering if 
> there is a way to trim a template on 3.2?
> 

I assume you mean on 4.0rc1?
You can manually trim the template, applying the same method as for 3.2
- that should work fine.
It's covered in the documentation as part of the template updating
instructions.

unman



Re: [qubes-users] root-cow.img.old

2017-08-28 Thread Unman
On Sun, Aug 27, 2017 at 06:10:04PM -0700, Gecko wrote:
> What is the file root-cow.img.old?
> 
> which can be found in the directories /var/lib/qubes/vm-templates/*
> 
> Every directory has a root-cow.img and root-cow.img.old (backup I assume). 
> Can I safely delete these .old files? As each one is 10GB+ (I don't have a 
> huge HDD).
> 

The answer is in the documentation:
www.qubes-os.org/doc/template-implementation

The *old files allow you to roll back any changes to the template.

Each file is *NOT* 10GB - if you check the actual size with 'ls -ls'
you'll see they are only taking a few MB on disk.

unman



[qubes-users] Re: UEFI secureboot issue

2017-08-28 Thread cooloutac
On Tuesday, August 22, 2017 at 1:30:39 AM UTC-4, qubester wrote:
> On 08/20/2017 05:48 AM, cooloutac wrote:
> > On Sunday, August 20, 2017 at 11:44:42 AM UTC-4, cooloutac wrote:
> >> On Sunday, August 20, 2017 at 12:42:55 AM UTC-4, qubester wrote:
> >> The guy Brad Spengler already warned dom0 and vms can be compromised by 
> >> bad system updates. And I believe this happened to me and led to my bank 
> >> account being hacked.   Also just after intel announced their patch for 
> >> the hardware backdoor that existed for 8 years.
> >>
> >> Qubes did last almost 2 years for me though(minus gaming),  when barebones 
> >> linux wouldn't last a day and windows wouldn't last a couple months. 
> >> Simply because I refuse to give up doing the things I own a pc for.   The 
> >> other thing he warned about was using too much of the gpu in qubes...  I 
> >> foresee that coming in the future with people demanding passthrough for it.
> >>
> >> If you do decide to go back to windows 10,  hardenwindows10forsecurity.com 
> >>  also might interest you hardenubuntu.com  (scroll down to harden ubuntu 
> >> section) The user activities and security and trust of the developers 
> >> become the deciding factor after a point.
> >>
> >> I don't think any operating system does it all.  Just like a lot of people 
> >> didn't think root privilege escalation in
> >> vms, being trivial to bypass, was an excuse not to add that layer of 
> >> protection.  I think it's even worse not to use secure boot.
> > 
> > also if my hardware is compromised it really doesn't matter what os I use 
> > at that point either.
> 
> From some Q I just read with the Pax Spengler guy, he seemed to be 
> using windows 7 because "he plays games", and for convenience, no 
> mention that it might have something to do with Secure Boot ..
> 
> So, would you feel more secure doing your banking on a Windows Box, 
> since you think a broken update of Qubes caused you to "be hacked"? 
> just curious, not being rhetorical. :)

lol... also cause his family hates linux, and because as he has said "he just 
likes things to work in his old age". He used to be a linux only guy in college, 
then he grew out of it.  He prefers to use vm's in windows for his developing.  
He prolly feels his project is only for servers and professionals.

I've already explained this earlier, I'll try again.  It really doesn't matter 
what os you use, it's all about the user.

A windows machine would be fine to do online banking on, as long as you are not 
doing much of anything else on it and not a huge target, imo.  Guys like HDM 
use windows for banking.  In his words he doesn't care at all cause it's a 
consumer account not a business bank account so he has financial protections 
and doesn't care if he gets hacked.  I don't look at things that way though, 
because being hacked would bother me regardless.

A lot of offensive hackers like him think everything is a victimless crime till 
it happens to them. They have to tell themselves that if they have any sort of 
conscience. 

A hardened linux boot cd rom would also be ok to use for banking, although all 
the projects I know of have been abandoned, and I've never used one with secure 
boot before although I'm sure it's possible.  But I don't have the patience to 
compile my own live cd.

Qubes definitely fills a gap of people wanting to do a little bit of everything 
on their computer when it comes to browsers and offline documents.  When you 
are doing random browsing or going to sketchy sites, or want to isolate offline 
files all on the same machine, isolate certain programs from rest of the 
system, Qubes is a lot easier and more resource friendly to use than setting up 
your own windows or hardened linux box with vms. Plus there are more security 
features than the avg person could implement themselves. 

Experts have problems even implementing similar features on linux system with 
kvm.

But Qubes still relies a lot on user habits, and in fact the user learning new 
habits.  So Qubes does require even more discipline than linux or windows, to 
get the full benefits of using it, imo.  But I think the avg person can easily 
get used to it.

And like I said it took almost two years to compromise my qubes machine, doing 
the same tasks on a windows machine would take a month or two.  And with 
linux only days.  This is my personal experience since 2008, of course I have 
no proof.  If you were to ask me during windows xp days?  I would immediately 
say linux is more secure.  But times change.


[qubes-users] Can I add a custom panel to xfce?

2017-08-28 Thread Gecko
Does anybody know if there is a way for me to add a custom panel to xfce? Like 
notes / reminders or something similar to Windows "Sticky Notes" feature.



[qubes-users] Re: Options for securing /boot

2017-08-28 Thread cooloutac
On Saturday, August 26, 2017 at 11:39:23 AM UTC-4, 
cybe...@national.shitposting.agency wrote:
> Does Qubes offer a method of securing /boot? not just against USB evil maid 
> attacks, but from tampering in general?
> 
> for example, while a laptop is off, what would stop a malicious user from 
> live booting to an arbitrary distro and altering kernel or xen images located 
> on the unencrypted /boot partition?
> 
> Does qubes offer options for encrypting /boot?

This is one reason dual booting is not recommended. There is not much you can 
do. Maybe disable external boot in bios and make a bios password and lock the 
case?  Don't think that would matter though for remote attacks if dom0 is 
compromised. Also won't matter if your system has ME/Vpro enabled cause then 
an attacker wouldn't need any os at all to compromise the bios or /boot.

Although not all, I still think secure boot is the answer for a lot of these 
types of situations.  It's so beneficial even Richard Stallman said it's ok to use 
as a security feature in its current state.  Even the closed source proprietary 
argument doesn't make any sense anymore regarding secure boot.  Why some people 
are still against it I'm not sure.

I don't think AEM is a good alternative at all. I keep feeling like we should 
be able to do both.  Joanna's argument against secure boot relates to driver 
signing which secure boot can verify,  and how we have to trust whoever is 
running the sort of certificate authority.

But I'm already trusting ssl certs all over the web, which is a lot worse. I 
still think it's better than nothing.  I think the real issue is that secure 
boot is probably very complicated to implement and the ITL team have other 
priorities.

I'm not trying to have privacy as much from the government, as I am security 
from everyone else.



[qubes-users] Qubes 4.0rc-1 installation freezes at "installing storagedx86_64 (635/998)"

2017-08-28 Thread yessiouimc
This little piece of information is not directly related to my current issue 
but might be relevant: I have previously tried to install Qubes 3.2 on my asus 
GL552VW, with little success due to graphics not being compatible (it gave me 
"X startup failed, falling back to text mode" and the text based installer is 
broken so I couldn't go from there. Trying to install using a kickstart file 
froze my computer at some point, too).

Now, I gave up on installing Qubes 3.2, having realised that my laptop was 
simply not compatible. But recently, I saw 4.0 had been pre-released, and I 
decided to try my hand at it. Booting on my USB, I can't see the illustration 
on the grub menu but I can still navigate and select options. I tried to 
install Qubes, and thankfully, the graphic installer worked this time! I was 
able to set everything up and start the installation on a partition of my hard 
drive. However, during installation, the progress bar froze at step 635/998 
"installing storagedx86_64". I can tell it was really frozen because the 
progress bar, moving steadily, suddenly stops at that one step and stays there 
for hours (once even overnight); the little wheel to the right, also spinning 
uninterruptedly, stays completely still when it reaches that step; and while I 
can still move my mouse cursor, I am no longer able to interact with the UI 
options "setup root password" or "setup a user" once I get to step 635/998. I 
imagine the same thing probably happened when I attempted to install Qubes 3.2 
with a kickstart file, except I couldn't see what was going on.

After that, I have no choice but to force-shut down my PC and reboot. If I try 
to install Qubes again, I am greeted by "X startup failed, falling back to text 
mode". I have to completely wipe and re-partition my USB drive, then re-flash 
the Qubes ISO; and also completely wipe the partition I was trying to install 
Qubes on, in order to get the graphic installer to work again. I've tried this 
many times, tweaking BIOS settings (such as turning fast boot on/off and 
turning CSM on/off, even though apparently this shouldn't be a problem on this 
new version of Qubes), using different USB drives, re-downloading and verifying 
the Qubes 4.0rc-1 ISO... no luck.

So of course, any help would be appreciated. It looks like there are no 
compatibility problems anymore, or at least, there shouldn't be any (I've 
checked the system requirements and meet all of them, plus with Fedora 25 the 
dreaded graphics incompatibility is gone). So maybe it's some wrong 
configuration in my BIOS, or Rufus isn't doing its job correctly, or there's a 
problem with my hard drive? Maybe it's just a bug and should be fixed once 
Qubes 4.0 officially comes out? Has anyone got this problem before? Thanks in 
advance to anyone who is willing to help me out!



[qubes-users] Re: HCL - Lenovo Thinkpad T460p

2017-08-28 Thread miguel
On Wednesday, August 23, 2017 at 1:10:49 PM UTC+2, mig...@bluefrostsecurity.de 
wrote:
> I was unable to resume from suspend. After closing laptop lid, it is 
> impossible to wake laptop back up.
> 
> 
> On Monday, December 26, 2016 at 10:32:38 PM UTC+1, sti...@gmail.com wrote:
> > Suspend works fine, resume does not work at all.
> > 
> > Updating from kernel 4.4.x to kernel 4.8.12 from the unstable repository 
> > reduced idle power usage from ~15 W to 8 W.
> > 
> > Tuning the power usage further with values recommended by powertop reduces 
> > power usage to 6.8 W.

Resume from suspend works fine if you disable VT-d from BIOS.
