date:20180514

Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread 799

Hello John,

john  schrieb am Di., 15. Mai 2018, 07:23:

> On 05/14/18 14:58, Ángel wrote:
> > (...)
> > Luckily, with Qubes it is easy to set a firewall rule so that your email
> > AppVM can only contact with your email server.
> > NB that some of these leaks are dns-based, so ideally you would not
> > allow it to perform any dns query, either.
> >
> >
> can you give an example to the steps to   make such a fw rule,   if it's
> that simple  please ?
>

You need to find out your Email-Server IPs:

https://github.com/one7two99/my-qubes/blob/master/docs/mail-firewall.md

Then you can use iptables in the Email AppVM to block all traffic as
default rule.
Then only adding the traffic to the allowed IPs and ports.

I can send you my firewall script to allow email for outlook.com and Gmail.

[799]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vqaXoC%2BEy8s_40wsOn8a%3D6M_vz%3Dr115-aBxcS_kURGNA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread john


On 05/14/18 14:58, Ángel wrote:

This paper is most interesting for the discovery of multiple ways email
client leak information on visualization.
(not clearly stated in the paper: some of them are already fixed, while
in other cases the developers are still working on providing them)

Luckily, with Qubes it is easy to set a firewall rule so that your email
AppVM can only contact with your email server.
NB that some of these leaks are dns-based, so ideally you would not
allow it to perform any dns query, either.

Best regards

can you give an example to the steps to   make such a fw rule,   if it's 
that simple  please ?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cd72c1d8-8293-0143-b6e8-70da0da12a95%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes R4.0 - no internet working in appVM

2018-05-14 Thread john

On 05/12/18 19:46, Qubes Guy wrote:

On Saturday, May 12, 2018 at 4:28:56 AM UTC-4,
niepo...-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:

On Friday, May 11, 2018 at 3:17:05 PM UTC-4, Qubes Guy wrote:

On Friday, May 11, 2018 at 1:17:24 PM UTC,
niepo...-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:

Fresh install of Qubes R4.0 and there is no internet connection in appVM -
firefox just not load websites.

Internet connection actually is ok as I'm able to make update for template VM.

What can be reason of this not working internet in app VM and how resolve this?

Is this still a problem? Did you give your AppVM access to the net VM (set
"Networking" to sys-firewall (preferably) or sys-net in the settings dialog for
the AppVM)?

Yes, problem still exist.

There was sys-firewall connected to appVM as well sys-net and no connection.
I have also tried changing template from fedora to debian -internet not working.
I have also install chromium browser and connection not working.

Very frustrating situation...

One thing I forgot to mention: Do NOT set the "Networking" setting in your template VMs (set it to
"None"). Giving network access to your templates is considered a major security threat (since all
AppVMs you base on them inherit any malware/corruption). If you put "qubes-updates-proxy" in the
services tab of sys-net, you won't need to do this. If you absolutely need to do this anyway, turn it off as
soon as possible...

When I look at the qubes settings -> services in sys-net I see nothing
, would adding qubes-updates-proxy allow me to install manually
software I want to be AppVM-wide , in the Fedora Template?

or exactly how is one Supposed to ever add software to a Template if
there is no networking except for updates ?

Or lets say I add the qubes-updates-proxy to sys-net , then in the
Template can I just sudo dnf installor there more to it ?

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/266b63fa-7754-d3cd-5be0-6f73dd04f607%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes R4.0 - no internet working in appVM

2018-05-14 Thread Qubes Guy

On Monday, May 14, 2018 at 12:55:51 PM UTC-4, niepo...@gmail.com wrote:
> On Sunday, May 13, 2018 at 11:59:16 AM UTC-4, awokd wrote:
> > On Sat, May 12, 2018 7:08 pm,  wrote:
> > > netVM has ok ping to google.com
> > > firewallVM has no pings
> > > appVM has also no pings
> > >
> > > Maybe it's worth to mention: update template VM was done with success
> > > (which is a bit odd as update actually was done with success as firewallVM
> > > has no pings).
> > 
> > Are you using the default templates and AppVMs, or ones you've restored?
> > Try doing a reinstall and testing with the default ones only.
> 
> appVM's are not restored. All is default except I changed to pv mode netVM 
> and firewallVM (in hvm and pvh do not started).
> 
> Looks like i will back to R3.2 as R4.0 is useless for me with no internet in 
> appVM's.

I don't know if this is helpful, but I get Internet via a USB-to-Ethernet 
adapter. I have that (and all of my other USB devices) connected to a single 
internal USB controller connected to the sys-usb VM. sys-usb is an HVM (with 
network-manager in the Services tab). sys-net is connected to sys-usb, and it's 
a PVH (with meminfo-writer, clocksync and qubes-updates-proxy in its Services 
tab). sys-firewall is connected to sys-net, and it's also a PVH (with no 
services in the Services tab). Of course, sys-usb was flagged as providing 
networks services when it was created. Hope that helps...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e6b70863-d701-4480-ba56-9edd5dbe6ce3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread Ángel

This paper is most interesting for the discovery of multiple ways email
client leak information on visualization.
(not clearly stated in the paper: some of them are already fixed, while
in other cases the developers are still working on providing them)

Luckily, with Qubes it is easy to set a firewall rule so that your email
AppVM can only contact with your email server.
NB that some of these leaks are dns-based, so ideally you would not
allow it to perform any dns query, either.

Best regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1526345890.1079.63.camel%4016bits.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Networking freezing and impossible to restore without reboot

2018-05-14 Thread Chris Laprise

On 05/14/2018 06:23 PM, Evastar wrote:

Its important to know how you set up the VPN VM. If you used the Qubes

doc, that config can have problems recovering from a disconnected link.
If you used a recent version of Qubes-vpn-support or qubes-tunnel,
restarting the service is simple:
sudo systemctl restart qubes-vpn-handler
or
sudo systemctl restart qubes-tunnel

Thanks for your quick answer. I use my own vpn setup based not on openvpn, but
ethervpn. This qube come from 3.2. I use the same old code. I wrote it based on
old openvpn code. This code add routes on startup, then iptables fules for DNS
some other rules to prevent traffic leak. The same as UP handler from qubes-doc
do.

There are no "recovering setup". How to add this?

Need to delete rules added by this then execute this again? Is it recovery?
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr

I re-checked qubes vpn doc. It's almost the same, but no up/down handler. I
setup rules at rc.local. At 3.2. I do not have this problem. When my VPN loss
connection then it always work after my VPN client reconnected.

Posting back to qubes-users...

Probably there is someone who is familiar with ethervpn who can better
help you.

My advice is to monitor the ethervpn log for warnings/errors when the
blockage occurs. Then perhaps a simpler solution will become clear.

If you are using the same firewall rules as the Qubes doc, try
commenting-out the parts for 'OUTPUT'.

As for the DNAT rules, delete & re-add should only be necessary if the
DNS server changes. Also, when blockage occurs you can try pinging a
known IP address (not domain name) from an appVM; if it doesn't work
then DNAT is probably not the issue.

Finally, if you find the solution involves restarting the ethervpn
client, you may want to run it with 'systemd-run --unit' to give you
better control over the process. You could even try running it with
qubes-tunnel using a drop-in file for the service (see 00_example.conf
and manpages for systemd.unit "overriding vendor settings").

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/f512bce3-685b-c21a-12d4-ba7fff4a0636%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes 4.0 won't boot via coreboot grub rescue

2018-05-14 Thread awokd

On Mon, May 14, 2018 8:58 pm, taii...@gmx.com wrote:
> I try the usual syslinux_configfile but I get an "out of memory" error
> how am I to do this? ideas?

Can you step through what you are trying to do and where the error
appears? Not sure I'm following.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/83c69ba83c0a782a48db4776ae7a702e%40elude.in.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Networking freezing and impossible to restore without reboot

2018-05-14 Thread Chris Laprise

On 05/14/2018 05:23 PM, 'Evastar' via qubes-users wrote:

Hello,

I still have issues with my proxy/vpn-vms. Something happens, maybe my
vpn lose connection or not (I don't know). I only know that at some
point from timee to time all my AppVms lose network and it's not
possible to restore networking without restarting VPN-VM and all
connected VMs. Any solutions? How to simplify this process?

It's very uncomfortable every time to restart all AppVMs.

And I wrote that I don't know VPN loses connection or not. When I open
VPN-proxy-vm terminal I see that it's CONNECTED to VM, but maybe it's
after reconnection. But after that I don't know how to force all
AppVMs(connected to this proxy) to restore network!

Thank you!

Its important to know how you set up the VPN VM. If you used the Qubes
doc, that config can have problems recovering from a disconnected link.

If you used a recent version of Qubes-vpn-support or qubes-tunnel,
restarting the service is simple:

sudo systemctl restart qubes-vpn-handler

sudo systemctl restart qubes-tunnel

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/a392cf03-d456-ec6d-482f-2102c50f0d8e%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] [Q3] Last dom0 update error: create transaction lock. Resource temporarily unavailable

2018-05-14 Thread 'Evastar' via qubes-users

misspelling. Qubes 4

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/uGhJ41lHpLKWgTtyheoq6l7ud4n8Urii04XVyrE1D0yqbHKLSey-s-dv3ASN5i2g4gC6DBJmWPCCS03DvcfC6a4vtIs1eUw8JUAWEthP_T8%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Networking freezing and impossible to restore without reboot

2018-05-14 Thread 'Evastar' via qubes-users

Hello,

I still have issues with my proxy/vpn-vms. Something happens, maybe my vpn lose 
connection or not (I don't know). I only know that at some point from timee to 
time all my AppVms lose network and it's not possible to restore networking 
without restarting VPN-VM and all connected VMs. Any solutions? How to simplify 
this process?

It's very uncomfortable every time to restart all AppVMs.

And I wrote that I don't know VPN loses connection or not. When I open 
VPN-proxy-vm terminal I see that it's CONNECTED to VM, but maybe it's after 
reconnection. But after that I don't know how to force all AppVMs(connected to 
this proxy) to restore network!

Thank you!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9Od7zxaQDMzzT5YYQqM51NfZ4HcJHDUspYQbahb6j5IeJxdubMvhCG1ejNcvfuQVQxJILxtCeFJoVUymwCFNe8aph0ewFzAu6F_rT6kmxrk%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] [Q3] Last dom0 update error: create transaction lock. Resource temporarily unavailable

2018-05-14 Thread 'Evastar' via qubes-users

Hello,
Thanks for new updates!
I got some error with last dom0 update
https://i.imgur.com/yWQD1lp.png

After ~10 minutes of waiting ( I through that update freeze) this:
https://i.imgur.com/diAOG8V.png

How to fix? What to do next?

Thanks

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/EldzzybfVvtpsy6yWkSs1i-wLvTtJF1lWXE2tpSF8htIMasz57LrClUvBfqUYWSo-hBSSS2mD2PcjWNKcJ4mPvR8TjnNn_3uWNUvVEEf62Q%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes 4.0 won't boot via coreboot grub rescue

2018-05-14 Thread taii...@gmx.com

I try the usual syslinux_configfile but I get an "out of memory" error
how am I to do this? ideas?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f219afae-66b9-2a12-b3e5-c2224f512724%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Ubuntu Xenial Template Build Issues

2018-05-14 Thread Jone

On Monday, May 14, 2018 at 2:05:14 PM UTC-4, morlan...@gmail.com wrote:
> I submitted an issue for this a few weeks ago with no action yet: 
> https://github.com/QubesOS/qubes-issues/issues/3871
> 
> I built a Xenial template successfully by removing those aforementioned 
> lines, and I've yet to experience any issues.

Hello, have you been able to attach USB devices to AppVMs made from the xenial 
template? I'm having issues; the error qvm-usb returns is empty. 

Reference Post: https://groups.google.com/forum/#!topic/qubes-users/uTY32_cvc1I

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/14f37c86-c1a1-48a2-91b8-bc0bf2e8c722%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-05-14 Thread Chris Laprise


On 05/12/2018 02:10 PM, get wrote:

Hi. script not working more on debian-9/fedora-26. Please fix it.

Tested vpn's : mullvad, privateinternetaccess, expressvpn and multiple random 
openvpn.

Guides:
https://github.com/tasket/Qubes-vpn-support
https://github.com/tasket/qubes-doc/blob/tunnel/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-the-qubes-tunnel-service
https://github.com/tasket/qubes-tunnel


This thread is for qubes-tunnel not Qubes-vpn-support.

Also I can't read minds... Can you describe a specific example with one VPN?


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a5cc0aa-4b2e-2584-c0a5-37ce1bbcbde9%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-05-14 Thread Chris Laprise


On 05/12/2018 01:54 PM, dangmad...@gmail.com wrote:

I can get my browser to connect in the ProxyVM only after I manually change 
/etc/resolv.conf to NordVPN DNS servers.


This is as intended: local proxyVM programs running but not using the 
tunnel.


You wouldn't normally use a browser in the proxyVM.



But nothing that uses the ProxyVM as a NetVM can access the internet in any 
way. Cannot ping 8.8.8.8. Can't do anything. Doesn't matter what I do to 
/etc/resolv.conf in the AppVM.


Can you look at the log with 'sudo journalctl -u qubes-tunnel'? Does it 
say "Initialization sequence completed" or an error message?


Also what is the output of 'sudo iptables -v -L PR-QBS -t nat'?

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d9507c1d-e6d5-7a88-3cc6-6ecb349c2047%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes R4.0 - no internet working in appVM

2018-05-14 Thread Sergio Matta

Em segunda-feira, 14 de maio de 2018 13:55:51 UTC-3, niepo...@gmail.com  
escreveu:
> On Sunday, May 13, 2018 at 11:59:16 AM UTC-4, awokd wrote:
> > On Sat, May 12, 2018 7:08 pm,  wrote:
> > > netVM has ok ping to google.com
> > > firewallVM has no pings
> > > appVM has also no pings
> > >
> > > Maybe it's worth to mention: update template VM was done with success
> > > (which is a bit odd as update actually was done with success as firewallVM
> > > has no pings).
> > 
> > Are you using the default templates and AppVMs, or ones you've restored?
> > Try doing a reinstall and testing with the default ones only.
> 
> appVM's are not restored. All is default except I changed to pv mode netVM 
> and firewallVM (in hvm and pvh do not started).
> 
> Looks like i will back to R3.2 as R4.0 is useless for me with no internet in 
> appVM's.

sorry about write qvm-ls, is qvm-prefs, I was sleeping. Now you need to:
1-keep them PV;
2-chmod +x /rw/config/rc.local in sys-firewall and sys-net;
3-In sys-net /rw/config/rc.local insert:
ip link set vif3.0 up
ip addr add [sys-net ip, something like 10.137.0.5]/255.255.255.255 dev vif3.0
ip route add [sys-firewall ip, something like 10.137.0.6]/255.255.255.255 dev 
vif3.0
4-In sys-firewall /rw/config/rc.local insert:
ip link set vif4.0 up
ip addr add [sys-firewall ip, something like 10.137.0.6]/255.255.255.255 dev 
vif4.0
ip route add [vm to route ip, something like 10.137.0.9]/255.255.255.255 dev 
vif4.0
you should repeat the item 4 increasing the vif and changing the ip to support 
other vms.
It will run, not easy. You may consider buy a iommu motherboard.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ae780a8-a5d9-4457-a740-d1d5ef6f776d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-05-14 Thread Chris Laprise

On 05/14/2018 09:09 AM, Chris Laprise wrote:

On 05/12/2018 03:11 PM, JonHBit wrote:

I've updating to 1.4beta4 and switched templates from debian-9 to
fedora-28, but I'm getting the same error - also it seems like openvpn
flag defaults changed, as it now returns an error for the up and down
arguments

Did you mean fedora-26?

Specifically, it parses /usr/lib/qubes/qtunnel-connect up as 2
arguments instead of 1; putting the whole phrase in double quotes
fixes this, which I see you did but for some reason the quotes seem to
be removed when ExecStart runs, i.e. checking systemctl status
qubes-tunnel shows the command without the quotes

I'm a little unclear: Did you get the link working like this?

I have two fedora 26 templates, one was last updated over 10 days ago
and the other updated today. The VPN link won't come up with the latter
one...

I did some tests and there seems to be an intermittent problem with
qubes-firewall on fedora only. This can prevent openvpn from connecting.

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/4c4fdb4a-c529-8cd2-7c68-8fd282a9efad%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-05-14 Thread Chris Laprise


On 05/06/2018 05:24 PM, morlan.aus...@gmail.com wrote:

Worked great for me with Qubes 4.0 and Fedora 26.

I'm unclear on how to use sys-firewall now though. Should it be sys-net -> 
sys-firewall -> VPN -> App?

Thanks.


That arrangement is OK. But you can take sys-firewall out of the path 
(connect VPN directly to sys-net) because a VPN qube configured with 
qubes-tunnel still does the job of a regular proxy qube (like sys-firewall).




--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/95d94842-6f3a-6022-dadb-c97bf040ebfb%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Install/Import KeePass and the Database

2018-05-14 Thread awokd

On Mon, May 14, 2018 5:32 pm, Black Beard wrote:
> Hello awokd,
>
>
> I'm embarrassed but i must ask and know it. Sorry, when i must ask you
> this.
>
> I heard many about templates what exactly are templates under Linux and
> what they do?
>
> Yes, i use Qubes 4 and i was searching the tool under the application
> finder, but found nothing.

No problem! Templates are a Qubes concept, not Linux in general. Check out
this document: https://www.qubes-os.org/doc/software-update-vm/. This one
too; it's a bit more technical, but examine the diagram in particular:
https://www.qubes-os.org/doc/template-implementation/.

Did you deploy the pre-made AppVMs, like work, vault, etc.? If so, go to
Qube Settings on your Vault AppVM, then the Applications tab, then move
KeepassX from the left side to the right and hit OK. That should be all
you need to do to have access to the KeepassX application from the "Q"
menu -> Vault -> KeepassX.

Next, find your KeepassX database (unless you are starting from a new,
blank one), qvm-copy it to your Vault VM, then use KeepassX to open it
directly.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ed79ba0981dc0ba9151a33f9f5a684a7%40elude.in.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Ubuntu Xenial Template Build Issues

2018-05-14 Thread morlan . austin

I submitted an issue for this a few weeks ago with no action yet: 
https://github.com/QubesOS/qubes-issues/issues/3871

I built a Xenial template successfully by removing those aforementioned lines, 
and I've yet to experience any issues.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a96ccb3a-85d5-4ad2-a852-9f091998ede5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Install/Import KeePass and the Database

2018-05-14 Thread Black Beard

Hey,

how install KeepassX on the Debian or Fedora templates?

thx guys

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ddab517-5e62-495c-8871-9f15716f81b3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Install/Import KeePass and the Database

2018-05-14 Thread Black Beard

Hello awokd,


I'm embarrassed but i must ask and know it. Sorry, when i must ask you this.

I heard many about templates what exactly are templates under Linux and what 
they do? 

Yes, i use Qubes 4 and i was searching the tool under the application finder, 
but found nothing.

regards and thx for all

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/323d36d1-ce14-4388-a1bd-103bcd7dc081%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread 'Leo Gaspard' via qubes-users

On 05/14/2018 02:45 PM, mossy wrote:
> embargo broken early, attack/vulnerability details here --
> https://efail.de/
> 
> (and yes it seems like disabling HTML will mitigate the most
> reliable/least complex attacks)

Incidentally, the GnuPG press release, that raises the point that the
paper may not be totally correct:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060334.html

Also if I understand correctly the latest exchanges from the GnuPG ML,
Enigmail 2.0 is safe from attack except for 3DES ciphertext, so the
attack could there only turn enigmail as a 3DES-ciphertext-decrypting
oracle.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e69a90c3-0c95-2ece-a356-d2e860b74276%40leo.gaspard.ninja.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] sys-firewall domain start failed

2018-05-14 Thread niepowiem48

On Sunday, May 13, 2018 at 2:30:06 PM UTC-4, para-vak wrote:
> Indeed, yet I rarely input anything without 'sudo' behind it... anyway... 
> Disregard! A fresh install has not reproduced the error! It seems that 
> ensuring proper formatting of the disk is paramount! GParted + a manual 
> partitioning in Qubes setup to be sure.
> 
> On May 13, 2018 12:24 PM, awokd  wrote:
> 
> > On Sun, May 13, 2018 3:52 pm, 'para-vak' via qubes-users wrote:
> > 
> > > Initial install with default template settings:
> > > 
> > > Upon concluding final configuration after 1st reboot, just after all VMs
> > > 
> > > have been created for the first time, right before first booting into the
> > > 
> > > system:
> > > 
> > > ['/usr/bin/qvm-start: 'sys-firewall'] failed: stdout:""
> > > 
> > > stderr:"start failed: internal error: libxenlight failed to
> > > 
> > > create new domain 'sys-firewall', see
> > > 
> > > /var/log/libvert/libxl/libxl-driver.log
> > > 
> > > ISO file integrity has been verified. Media tests during a multiple
> > > 
> > > re-install attempts with different media have passed, and yet the error is
> > > 
> > > reproduced.
> > > 
> > > Following suggestion in error message, reveals log is nonexistent.
> > 
> > That is odd, ordinarily it would be sys-net or sys-usb with issues like
> > 
> > that. I think you might have to be su to see that log file. If you qvm-ls,
> > 
> > what is running? If sys-net fails to start, that might cause sys-firewall
> > 
> > to also fail. Also, do a qubes-hcl-report and check the last 5 lines about
> > 
> > HVM, IOMMU, etc.

you must run firewallVM in pv mode. then most possibe will start.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e7c4dd51-ae12-4664-b5b5-f130622ccf89%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes R4.0 - no internet working in appVM

2018-05-14 Thread niepowiem48

On Sunday, May 13, 2018 at 11:59:16 AM UTC-4, awokd wrote:
> On Sat, May 12, 2018 7:08 pm,  wrote:
> > netVM has ok ping to google.com
> > firewallVM has no pings
> > appVM has also no pings
> >
> > Maybe it's worth to mention: update template VM was done with success
> > (which is a bit odd as update actually was done with success as firewallVM
> > has no pings).
> 
> Are you using the default templates and AppVMs, or ones you've restored?
> Try doing a reinstall and testing with the default ones only.

appVM's are not restored. All is default except I changed to pv mode netVM and 
firewallVM (in hvm and pvh do not started).

Looks like i will back to R3.2 as R4.0 is useless for me with no internet in 
appVM's.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/905972e6-88d4-40b4-b9a1-a14122d07661%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Qubes R4.0 - no internet working in appVM

2018-05-14 Thread niepowiem48

On Sunday, May 13, 2018 at 11:59:16 AM UTC-4, awokd wrote:
> On Sat, May 12, 2018 7:08 pm, wrote:
> > netVM has ok ping to google.com
> > firewallVM has no pings
> > appVM has also no pings
> >
> > Maybe it's worth to mention: update template VM was done with success
> > (which is a bit odd as update actually was done with success as firewallVM
> > has no pings).
> 
> Are you using the default templates and AppVMs, or ones you've restored?
> Try doing a reinstall and testing with the default ones only.

appVM's are not restored. All is default except I changed to pv mode netVM and 
firewallVM (in hvm and pvh do not started). 

Looks like i will back to R3.2 and R4.0 is useless for me with no internet in 
appVM's.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/41706dca-40d1-4c03-98ea-eafae32aa2fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] boot partition on usb stick - how do it?

2018-05-14 Thread niepowiem48

I'm interesting how can be done puting partition /boot on usb stick.

Could anybody write instruction?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5b424d65-76d7-4a29-812f-b9056e3bc559%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Install/Import KeePass and the Database

2018-05-14 Thread awokd

On Mon, May 14, 2018 2:28 pm, Black Beard wrote:
> Hey guys,
>
> thanks for your comments and your helpful feedbacks.
>
> Iam actually a new Linux user and i dont want to make some mistake about
> the installation.
>
> I want install KeepassX and i found on the mainsite the installation
> package(tarball 2.0.3).
>
> Is this the correct tutorial?
>
> " https://www.keepassx.org/howto/setup/inst_source_tar "
>
> About your messages i would be very happy again.

Are you using Qubes 4? Both Debian and Fedora templates come with KeepassX
pre-installed.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8c39dba4f254308a82288302936f2e66%40elude.in.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Install/Import KeePass and the Database

2018-05-14 Thread Black Beard

Hey guys,

thanks for your comments and your helpful feedbacks.

Iam actually a new Linux user and i dont want to make some mistake about the 
installation. 

I want install KeepassX and i found on the mainsite the installation 
package(tarball 2.0.3).

Is this the correct tutorial? 

" https://www.keepassx.org/howto/setup/inst_source_tar "

About your messages i would be very happy again.

regards 


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4cba6542-eb91-44af-86ad-f8a536757700%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-05-14 Thread Chris Laprise


On 05/12/2018 03:11 PM, JonHBit wrote:


I've updating to 1.4beta4 and switched templates from debian-9 to fedora-28, 
but I'm getting the same error - also it seems like openvpn flag defaults 
changed, as it now returns an error for the up and down arguments


Did you mean fedora-26?



Specifically, it parses /usr/lib/qubes/qtunnel-connect up as 2 arguments 
instead of 1; putting the whole phrase in double quotes fixes this, which I see 
you did but for some reason the quotes seem to be removed when ExecStart runs, 
i.e. checking systemctl status qubes-tunnel shows the command without the quotes


I'm a little unclear: Did you get the link working like this?

I have two fedora 26 templates, one was last updated over 10 days ago 
and the other updated today. The VPN link won't come up with the latter 
one...



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d555adea-6f74-1ebb-36ed-d84a8f124bf6%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Cannot get installer to load, Help and advice welcomed (semi-noob here).

2018-05-14 Thread Stuart Perkins



On Sun, 13 May 2018 20:05:48 -1000
john  wrote:

>On 05/13/18 19:13, cangent05-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:
>> Thank you, it worked. I strongly suggest Qubes staff add these two points on 
>> their website. Perhaps, the second one (enable VT-x etc.) is obvious to 
>> computer engineers, or even the first one (try legacy). However, not all of 
>> us are computer focused individuals. Once again, thank you for your helps.
>> 
>> On Tuesday, May 1, 2018 at 3:30:14 PM UTC+8, awokd wrote:  
>>> On Mon, April 30, 2018 2:38 pm, 
>>> c...-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:  
 Tried Qubes 4.0 installation on two PCs: 1) Asus Aspire S13 laptop, Intel
 i7-6500 CPU @ 2.50GHz 2.60 GHz, 8 GB RAM, 64-bit 2) Asus D620MT desktop,
 Intel i7-6700 CPU @ 3.40GHz, 3.40 GHz, 16 GB RAM, 64-bit.
 For the first one, installation never proceeded further than few seconds
 (after few lines appeared on the screen, the screen was all black and the
 CPU was running at high speed without any progress). Tried both USB and
 CD drive.  
>>>
>>> Try legacy mode or if you have a secondary graphics adapter, disabling it.
>>>  
 For the second one, after selecting the language on the installation
 interface, it warned "unsupported hardware...Missing features:
 HVM/VT-x..."  
>>>
>>> Make sure VT-x etc. are enabled in your UEFI config.  
>>   
>
>Often, if you read enough you'll find that things you thought were in 
>"the docs" actually are.  Happens to me.  Then if you read the last 10 
>days in this usergroup, it's stated  repeatedly,eg  did you check 
>the HCL  for your hardware?
>
>but, welcome to the usergroup and qubes ,  and  . if you read the 
>docs,   try  to   "not top post"  , as I'm sure you'll have  plenty more 
>questions .
>

I understand the "not top post", but it is a departure from normal mailing 
groups.  I retrieve all of my e-mails...25 accounts...with claws-mail, and this 
is the only group I have to scroll down to read what was posted.  Not a bit 
deal on my computer, but I also get some emails on my "smart" phone, and it is 
more difficult there.  Other than the "logical" reason to bottom post...the 
reading is better when you read the history...is there another reason to prefer 
bottom posting?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180514084608.033c3a58%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread mossy

mossy:
>>> On 05/14/2018 10:33 AM, magionemagi...@gmail.com wrote:
>>> I know that right now details are sketchy but the advice of disabling
>>> PGP is sound at least until we get to know more information, especially
>>> since it's coming from reputable researchers and the EFF (links below
>>> but I guess everybody here already knows about that), so obviously that
>>> there is ground for worry.
>>>
>>> Do any of the Qubes users or devs know more at present about this
>>> issue or have advice to provide, aside from waiting for the publication
>>> of the research paper tomorrow morning (15th of May) and stopping using
>>> Split-GPG for the time being as a precaution?
>>>
>>>
>>> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>>>
>>>
>>> https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
>>>
>>> Thanks.
>> 'Leo Gaspard' via qubes-users:
>> I can't tell for sure for not having read the paper, but it sounds like
>> too much hype for vulnerabilities not so important:
>>
>> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060317.html
>>
>> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
>> (Werner being the maintainer of GnuPG)
>>
>> So I wouldn't worry about (but why not disable automatic
>> decryption/verification of incoming emails in the meantime, doesn't cost
>> much)
>>
>>
> 
> I would expect that if indeed this bug allows exfiltration of PGP
> private keys, then qubes-splt-gpg would defend against this.  Unless "an
> oracle" does something magical that doesn't steal the PGP private key
> directly (see below).
> 
> For our friends/colleagues/comrades who are especially concerned or who
> are not yet qubes or qubes-split-gpg users, if HTML is the problem (as
> Werner suggests) I suggest to mitigate as follows:
> 
> in the Thunderbird menu:
> 1) View -> Message Body As > [*] Plain Text
> 2) View -> [ ] Display Attachments Inline [should be NOT selected]
> 
> As I understand it, this works because split gpg doesn't expose private
> keys to the mail client but instead sends encrypted emails to the vault
> qube/AppVM for decryption.
> 
> My question for more knowledgeable friends here would be, what is meant
> in Werner's message --
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html -- by
> "an oracle for modified encrypted mails"?  My understanding of PGP is
> that PGP/GPG encrypts/decrypts a short-lived symmetric key that is
> actually used to encrypt/decrypt the message, so analysis of both the
> plaintext and ciphertext of a single message would (at best, if this
> were feasible) give you insight into the symmetric key, and not the PGP
> private key itself.
> 
> But someone who understands more deeply, please enlighten us!
> 
> -m0ssy
> 

embargo broken early, attack/vulnerability details here --
https://efail.de/

(and yes it seems like disabling HTML will mitigate the most
reliable/least complex attacks)

-m0ssy

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/881eb105-f4ce-10c7-8c63-a066d505d4ac%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Run "cd /path/to/file" Command with qvm-run

2018-05-14 Thread cr33dc0d3r

Am Montag, 14. Mai 2018 12:38:34 UTC+2 schrieb Holger Levsen:
> On Mon, May 14, 2018 at 03:34:00AM -0700, cr33dc0d3r wrote:
> > Does anyone know how to use cd command with qvm-run?
> 
> qvm-run --pass-io personal "cd /home/user/Desktop/ ; ls"
> 
> 
> -- 
> cheers,
>   Holger

Works for me

Thanks, 
Jonny

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/92f61c8b-3901-447f-8882-95b9077c89d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread mossy

>> On 05/14/2018 10:33 AM, magionemagi...@gmail.com wrote:
>> I know that right now details are sketchy but the advice of disabling
PGP is sound at least until we get to know more information, especially
since it's coming from reputable researchers and the EFF (links below
but I guess everybody here already knows about that), so obviously that
there is ground for worry.
>>
>> Do any of the Qubes users or devs know more at present about this
issue or have advice to provide, aside from waiting for the publication
of the research paper tomorrow morning (15th of May) and stopping using
Split-GPG for the time being as a precaution?
>>
>>
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
>>
>>
https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
>>
>> Thanks.
>'Leo Gaspard' via qubes-users:
> I can't tell for sure for not having read the paper, but it sounds like
> too much hype for vulnerabilities not so important:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060317.html
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
> (Werner being the maintainer of GnuPG)
> 
> So I wouldn't worry about (but why not disable automatic
> decryption/verification of incoming emails in the meantime, doesn't cost
> much)
> 
> 

I would expect that if indeed this bug allows exfiltration of PGP
private keys, then qubes-splt-gpg would defend against this.  Unless "an
oracle" does something magical that doesn't steal the PGP private key
directly (see below).

For our friends/colleagues/comrades who are especially concerned or who
are not yet qubes or qubes-split-gpg users, if HTML is the problem (as
Werner suggests) I suggest to mitigate as follows:

in the Thunderbird menu:
1) View -> Message Body As > [*] Plain Text
2) View -> [ ] Display Attachments Inline [should be NOT selected]

As I understand it, this works because split gpg doesn't expose private
keys to the mail client but instead sends encrypted emails to the vault
qube/AppVM for decryption.

My question for more knowledgeable friends here would be, what is meant
in Werner's message --
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html -- by
"an oracle for modified encrypted mails"?  My understanding of PGP is
that PGP/GPG encrypts/decrypts a short-lived symmetric key that is
actually used to encrypt/decrypt the message, so analysis of both the
plaintext and ciphertext of a single message would (at best, if this
were feasible) give you insight into the symmetric key, and not the PGP
private key itself.

But someone who understands more deeply, please enlighten us!

-m0ssy

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4ce7c9d4-cbf5-59d5-946b-e4e55c5241d1%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Intel ME Backdoor, called Odin's Eye

2018-05-14 Thread Jo

I totally agree with you, finding exploits is way easier, especially
with practically unlimited resources. The whole Me-thing is blown
completely out of porpotion, altough of course you do not want an Me,
especially not me 11/ any closed source remote admin functions you cant
effectively disable nor remove.

Also, please do not mention Purism in the same Sentence with legit
Opensource Projekts like Qubes ore coreboot.This is very offending for
people like the coreboot ore Qubes devs who actually try to make people
free and secure, while others in comparison only scam people by making
them believe their laptops/handys are opensource and with coreboot.

cheers
On 05/12/18 16:46, charly LEMMINKÄINEN wrote:
> Anyway people, even if he was saying the truth. Then why is he silent
> then ? Why doesn’t he have joined purism or coreboot or qubes or
> others to neut the ME?
>
> The difference between reality and what can be real is really thin and
> it’s often easier to believe what could be then what really is.
>
> First you need to indentify the goal and here it is not clear. Do you
> know why ?
> Because it would mean that Chinese could get access to it with enough
> intelligence. Russian could get access to it. And what you are calling
> Odin so the NSA or any other entity, don’t want all that because it
> would mean that even them are at risk ;) which is clearly not the goal.
> You don’t want to implement something that you can not control.
> So it’s easier to find an exploit, there are enough of them. Or to
> create one within software or OS where you can patch it easily than in
> hardware.
>
> The real threat from all time, is not the intelligence services, it’s
> the companies. Anything else doesn’t matter.
>
> Obtenez Outlook pour iOS 
> 
> *From:* qubes-users@googlegroups.com  on
> behalf of awokd 
> *Sent:* Saturday, May 12, 2018 4:38:08 PM
> *To:* qubes-users
> *Subject:* Re: [qubes-users] Intel ME Backdoor, called Odin's Eye
>  
> On Thu, May 10, 2018 12:37 am, dangmad...@gmail.com wrote:
> > On Wednesday, January 10, 2018 at 2:02:36 PM UTC-8, awokd wrote:
>
> >> I don't trust ME either and run me_cleaner but that link is just some
> >> unsubstantiated text. If he'd really been working at Intel 15 years he
> >> should have been able to get copies of internal documentation at least.
> >> A
> >> blacked out W-2 form doesn't cut it either.
> >
> > Do you find that sticking your head in the sand to be a productive form
> > of security?
>
> How does requiring proof instead of an anecdote equate to sticking one's
> head in the sand? Do you believe all scientists are sticking their head in
> the sand when they do research?
>
> > I'm sorry that this information upset you so much, but by denying it
> > you're only putting others in harms way.
>
> What gave you the impression I was upset?
>
> > Maybe you'd like for others to have security vulnerabilities?
>
> No, that's why I encourage them to use Qubes. I think you must be new
> here. Check out some of my other posts.
>
> > Perhaps you are exposing your agenda too much?
>
> Re-read the first sentence of what I wrote above, perhaps more slowly this
> time, then explain what agenda it is you think I have.
>
>
>
> -- 
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/5cca9a5a8bfd3e53a8a53f1e560dfda1%40elude.in.
> For more options, visit https://groups.google.com/d/optout.
> -- 
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to qubes-users+unsubscr...@googlegroups.com
> .
> To post to this group, send email to qubes-users@googlegroups.com
> .
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/AM5P190MB03374A2B4B81C19532CBE1EAAB9E0%40AM5P190MB0337.EURP190.PROD.OUTLOOK.COM
> .
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/84ad484c-326e-1

Re: [qubes-users] Run "cd /path/to/file" Command with qvm-run

2018-05-14 Thread Holger Levsen

On Mon, May 14, 2018 at 03:34:00AM -0700, cr33dc0...@gmail.com wrote:
> Does anyone know how to use cd command with qvm-run?

qvm-run --pass-io personal "cd /home/user/Desktop/ ; ls"


-- 
cheers,
Holger

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180514103829.ooxq6umifmztdhav%40layer-acht.org.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: PGP signature

[qubes-users] Run "cd /path/to/file" Command with qvm-run

2018-05-14 Thread cr33dc0d3r

Hey All, 

currently tried to change dir in AppVM with qvm-run from dom0.

What I have done:
qvm-run personal "cd /home/user/Desktop/"
qvm-run personal "ls"

However it always returns the /home/user/ instead of Desktop. 

When i try to execute a Script located on Desktop i tried:

qvm-run personal "cd /home/user/Desktop/"
qvm-run personal "./script.sh"

Then it says: sh: ./script :No such file or directory
(Of course not when the cd did not work before)

Same when i tried:
 
qvm-run personal "cd /home/user/Desktop/ ./script"#
or
qvm-run personal "cd /home/user/Desktop/ | ./script"

Does anyone know how to use cd command with qvm-run?

Thanks
Jonny

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7670b28b-b4ee-41d3-af66-4b65e92cd22f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread 'Leo Gaspard' via qubes-users

I can't tell for sure for not having read the paper, but it sounds like
too much hype for vulnerabilities not so important:

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060317.html

https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html
(Werner being the maintainer of GnuPG)

So I wouldn't worry about (but why not disable automatic
decryption/verification of incoming emails in the meantime, doesn't cost
much)


On 05/14/2018 10:33 AM, magionemagi...@gmail.com wrote:
> I know that right now details are sketchy but the advice of disabling PGP is 
> sound at least until we get to know more information, especially since it's 
> coming from reputable researchers and the EFF (links below but I guess 
> everybody here already knows about that), so obviously that there is ground 
> for worry. 
> 
> Do any of the Qubes users or devs know more at present about this issue or 
> have advice to provide, aside from waiting for the publication of the 
> research paper tomorrow morning (15th of May) and stopping using Split-GPG 
> for the time being as a precaution?
> 
> https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
> 
> https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/
> 
> Thanks.
> 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/55413b21-14d9-b470-37c1-55433c1db6cf%40leo.gaspard.ninja.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread magionemagiara

I know that right now details are sketchy but the advice of disabling PGP is 
sound at least until we get to know more information, especially since it's 
coming from reputable researchers and the EFF (links below but I guess 
everybody here already knows about that), so obviously that there is ground for 
worry. 

Do any of the Qubes users or devs know more at present about this issue or have 
advice to provide, aside from waiting for the publication of the research paper 
tomorrow morning (15th of May) and stopping using Split-GPG for the time being 
as a precaution?

https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e0c8632a-0634-4c4a-959d-bb75db115a69%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

39 matches

Mail list logo