Re: [qubes-users] Done with Qubes

2019-08-29 Thread pixel fairy
didn't think you were still on this thread.

when i'm stuck on hardware or a workload that qubes doesn't work for, i 
usually do vagrant with virtualbox or kvm depending. it's not as good, of 
course, so still be careful. use packer to make your vagrant boxes. 

github has a lot of great starting points to work from. when making your 
vagrant boxes, make sure you set the mic off in virtualbox, and, of course, 
disable clipboard sharing. you can temp make it single direction when 
copying passwords. you can script it with vagrant ssh and X11 commands 
(xsel / xclip). just make sure you're using X11 and not wayland. eventually 
you'll have to adapt to wayland. there may be a way to script it with 
vboxmanage. or virsh if you're using kvm.

also remember to disable sym links with vboxsf, 
VAGRANT_DISABLE_VBOXSYMLINKCREATE=1 in shell startup files should work. 

firejail will be great with wayland. right now, working around x11 is a 
pain. i used xnest (xephyr) and that seemed ok. xpra was too flaky but 
maybe it's better now. was years ago.

if you just want it for tor browser, here's their notes on using 
apparmor: https://www.whonix.org/wiki/AppArmor#Maintain_Tor_Browser_Functionality

if you go with vagrant-libvirt, you can run vagrant/virtualbox in it with 
nested virtualization in case anyone sends you a virtualbox vagrant file. 
outside of nesting, the two tend to not play well together. should also 
work with vmware which is pretty solid in nesting.

On Tuesday, August 27, 2019 at 11:39:06 AM UTC-7, O K wrote:
>
> You mean I create a VM with Whonix OS installed (using virtualbox I'm 
> guessing)?  I will have to research that, but yes I do need to use a VM, or 
> multiple VM's.  I'd also like to find a way to use Firejail to sandbox 
> whatever browser I'm using, if that's possible.
>
> On Friday, August 23, 2019 at 6:03:55 PM UTC-4, Jackie wrote:
>>
>> O K: 
>> > Thanks for all the help but I've been trying to figure out how to get Qubes 
>> > running for months and I've decided it's just a giant waste of my time 
>> > because every time I get one bug fixed, two more show up to take its 
>> > place.  I think it's a brilliant idea but it needs a lot of work and 
>> > streamlining before it's ready for public use.  It's a shame because my 
>> > privacy and anonymity online are a matter of my personal safety and it 
>> > would be nice to have a secure OS.  TAILS is not a fully usable system 
>> > either.  I will have to install Ubuntu.  Good luck, everyone. 
>>
>> Hi, 
>>
>> Qubes definitely has a learning curve, but i think it's worth it (and 
>> i'm definitely no linux expert). 
>>
>> But if you don't want to use qubes, one thing you can do for better 
>> security and privacy is install debian/ubuntu and use non-qubes whonix 
>> (you can use virtualbox, which is pretty easy to use). You can have 
>> multiple whonix workstations, and you can create other VMs like debian 
>> as well to compartmentalize your workflows. A solution like this is more 
>> insecure than qubes, but definitely less insecure than just using bare 
>> metal debian/ubuntu for everything. You still get the benefits of 
>> virtualization and compartmentalization, but without the extra security 
>> features of qubes (i'd recommend not using the host os for anything 
>> directly, and doing everything in VMs). 
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/be537c0e-b591-4853-84f4-8fb28abdb38b%40googlegroups.com.
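
Added example, not part of pixel fairy's post or of any project mentioned in it: a shell audit of the VirtualBox settings the message above says to lock down (audio/mic, clipboard sharing, vboxsf symlink creation), plus drag-and-drop. The key names are assumed from the output of `VBoxManage showvminfo --machinereadable` and `VBoxManage getextradata <vm> enumerate`, and the sample output is constructed.

```shell
#!/usr/bin/env bash
# Audit a VirtualBox VM for the host/guest sharing settings named in the post.
# Assumption: key names match your VirtualBox version's machine-readable
# output; check them against a real `showvminfo` run before relying on this.

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable`.
sample_vminfo() {
  cat <<'EOF'
name="work-box"
clipboard="bidirectional"
draganddrop="disabled"
audio="pulse"
SharedFolderNameMachineMapping1="vagrant"
EOF
}

# Constructed sample of `VBoxManage getextradata <vm> enumerate`.
sample_extradata() {
  cat <<'EOF'
Key: GUI/LastCloseAction, Value: PowerOff
Key: VBoxInternal2/SharedFoldersEnableSymlinksCreate/vagrant, Value: 1
EOF
}

# audit_vm VMINFO_TEXT EXTRADATA_TEXT
# Prints one finding per line; prints nothing when every setting is locked down.
audit_vm() {
  # Settings are key="value" pairs; strip the quotes and compare.
  printf '%s\n' "$1" | awk -F= '
    { gsub(/"/, "", $2) }
    $1 == "clipboard"   && $2 != "disabled" { print "clipboard sharing is " $2 }
    $1 == "draganddrop" && $2 != "disabled" { print "drag-and-drop is " $2 }
    $1 == "audio"       && $2 != "none"     { print "audio device enabled (" $2 ")" }
  '
  # Vagrant turns on symlink creation per share through this extradata key
  # unless VAGRANT_DISABLE_VBOXSYMLINKCREATE=1 is set when the VM is created.
  printf '%s\n' "$2" | awk -F', Value: ' '
    index($1, "Key: VBoxInternal2/SharedFoldersEnableSymlinksCreate/") == 1 && $2 == "1" {
      sub(/^.*\//, "", $1)
      print "vboxsf symlink creation enabled on share " $1
    }
  '
}

# Hypothetical wrapper: audit a real VM by name or UUID.
audit_live_vm() {
  audit_vm "$(VBoxManage showvminfo "$1" --machinereadable)" \
           "$(VBoxManage getextradata "$1" enumerate)"
}

if [ "$#" -gt 0 ]; then
  audit_live_vm "$1"
else
  audit_vm "$(sample_vminfo)" "$(sample_extradata)"
fi
```

Pass a VM name as the first argument to audit a real machine; with no argument the script runs on the constructed sample.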


[qubes-users] Re: slightly off-topic: self-resetting OS idea

2019-08-29 Thread scoobyscrappy
You may want to take a look at Fedora's Silverblue immutable desktop 
operating system.  I had problems installing the latest version but 
conceptually the OS in time will be a good alternative to Qubes which I use 
as my daily driver.



[qubes-users] Re: slightly off-topic: self-resetting OS idea

2019-08-29 Thread scoobyscrappy


On Monday, August 26, 2019 at 1:24:48 AM UTC-7, panina wrote:
>
> Hi! 
>
> This is not strictly Qubes-OS related, rather inspired by Qubes. 
>
> I've been struggling with some parts of Qubes usage. Most of the time, 
> it is overkill for me, and putting some strain on my computer. The 
> bugginess is also quite annoying, whenever I just need to do some 
> everyday work. 
> I've been thinking I'd like some form of dual-boot solution, or possibly 
> a Live USB that could be used. 
> Most of the time I work with ssh and webapps, so the only persistent 
> data I need to work will fit on a smartcard. 
>
> My thought is to have an installation that mounts most of the root 
> partition as readonly, and uses ramdisks wherever the system wants to 
> write (e.g /var/log). I'm also thinking it should be possible to get a 
> fingerprint or somesuch of the root partition, and use my TPM2 to check 
> this. 
>
> The system should also have a possibility to update itself, that I can 
> choose to do in environments that I feel is safe. 
>
> I am wondering if anyone knows of an OS that works like this? Or if 
> anyone knows of tools that might accomplish parts of this? 
>
> <3 
> /panina 
>
>



Re: [qubes-users] Reminder: Please help test new updates and provide feedback!

2019-08-29 Thread haaber

Dear Andrew,

thanks for the reminder. After my last dom0 update ("current testing")
my laptop no longer wakes up after lid-close: the screen stays
black, nothing can be done but reboot. That is not very critical, of
course.
I find no hints in journalctl what could be the reason. Happy to deliver
details, please ask. Bernhard



[qubes-users] errors using snap installed programs

2019-08-29 Thread liked2
Hi!

I've used these instructions to install 2 programs using snap:
https://github.com/QubesOS/qubes-issues/issues/2766

Unfortunately, it happens on a regular basis (weekly) that starting these 
apps results in the following error:
[user@b ~]$ slack
internal error, please report: running "slack" failed: cannot find installed 
snap "slack" at revision 17: missing file 
/var/lib/snapd/snap/slack/17/meta/snap.yaml
[user@b ~]$ snap slack
error: unknown command "slack", see 'snap help'.

I know that there's a fix in testing for classic confinements:
https://github.com/QubesOS/qubes-issues/issues/4798

But the same happens also with non-classic confinements.

The workaround is to re-install the snap programs. Unfortunately, with this 
you lose all settings of the progs.

Any suggestions or ideas?

Best, Pete



Re: [qubes-users] Qubes/class, Was: slightly off-topic: self-resetting OS idea

2019-08-29 Thread Guest
At 14:04 29/08/2019, unman wrote:
>I have to point out that you can run Qubes fine with HDD and 12GB RAM -
>even 8GB is doable.
>quick ebay suggests you can get x230 with *that* config regularly for less than
>$200 - i7 with 16GB went for $175 recently.
>If you drop down to an i5 (still workable) you can come in at less than
>$100.
>I know people who are using burners at these specs they have acquired
>for free - worth the UX pain for the added security. There's always a
>trade off.

Just to throw this out there - not everyone has access to ebay or any thriving 
second hand market for that matter ;-/
I know I would jump for joy, if I could get my hands on such hardware at THAT 
price. 



Re: [qubes-users] qvm-create-windows-qube Automatically creates

2019-08-29 Thread Brendan Hoar
Couple more:

- As windows 7 does not support SCSI unmap, and C and E are on virtual SCSI
devices: install sdelete by default and schedule sdelete.exe -z C:\ and
sdelete -z E:\ ... largish zero writes are caught at the lvm layer and
unallocated from storage - plus passed on as discards to physical storage
if you’ve enabled this in Qubes (as per testing).

- Possibly work an initial defrag run into the deployment but before
sdelete as it saved about 1GB of LVM storage per VM (prob related to lvm
chunk size).

B



Re: [qubes-users] qvm-create-windows-qube Automatically creates

2019-08-29 Thread brendan . hoar
Hi crazyqube,

I've used this to generate 20-30 VMs. 

I've noticed some incomplete installs (50/50). There do seem to be some 
timing dependencies that sometimes cause failures. I'll be investigating 
these further next week.

I have some thoughts on changes I'll work on, if you're not planning to 
work on them, that might address some of these:

- Defaulting to debug=true so that boot problems can be easily diagnosed, 
with instructions on how the user should manually disable it when finished.
- Increasing the device-stub VM priority from 256 to 1000 during install 
utilizing xl sched-credit. This dramatically increases the IO throughput 
for the installation.
- Defaulting to no-network. For most qubes usage, I think many of us 
won't plan to connect Windows to the internet.
- If network is explicitly set, only set it to the given option 
before/after the final boot cycle, to minimize interference.
- Increasing the run-time of the final boot cycle, and possibly overlapping 
that shutdown with the next creation. Utilize qvm-run shutdown.exe or 
qvm-run a script instead of qvm-shutdown.
- Refactor repeated code into bash functions.
- Ensure loop devices in windows-mgmt are removed when finished (keep the 
qui-devices menu uncluttered)
- Perhaps restart windows-mgmt between VM creations.
- Automate installation of xenvbd 8.2.2 or 8.2.1 after appropriate Windows 
7 updates are installed.
- Document that xenvbd is needed for attaching block devices from 
qui-devices.
- Utilize double digit counter instead of single digit.
- Option to disable windows update permanently.
- Option to initiate windows update on last reboot (after QWT is installed).
- Increase qrexec_timeout to 600 by default.

Brendan



Re: [qubes-users] Re: Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

2019-08-29 Thread Brendan Hoar
On Thu, Aug 29, 2019 at 3:02 AM rec wins  wrote:

>
> OTP won't, if the key does more than U2F you may need to get a
> configuration application for the key and make sure it's U2F only
> slot 1, 2 etc
>

Yubikey OTP works through a keyboard-like HID, which are blacklisted by
default in Qubes. In order to directly attach a keyboard-like device to a
VM you have to override this setting.

See:
https://www.qubes-os.org/doc/usb-qubes/#enable-a-usb-keyboard-for-login

B



Re: [qubes-users] Qubes/class, Was: slightly off-topic: self-resetting OS idea

2019-08-29 Thread unman
On Mon, Aug 26, 2019 at 05:27:00PM +, qtpie wrote:
> panina:
> > 
> > 
> > On 8/26/19 6:27 PM, 799 wrote:
> >> If you buy the right hardware you'll not run into lots of bugs and get
> >> enough performance to run qubes. You can buy a Lenovo T530/430, W530,
> >> X230 for not much money, add a SSD some RAM and you'll not run into
> >> performance problems (normal use).
> > 
> > This is a view that I see quite a lot. It is a whole different
> > discussion. Hence the re-subjecting.
> > 
> > Firstly, this view completely lacks class analysis. Not everyone can
> > afford to buy the newest shiny. A lot of us have to use whatever we can
> > get our hands on.
> > Whenever a secure OS is mentioned, Qubes is the go-to. Everyone comes
> > here. The approach that you have to buy new, specific hardware to have a
> > functioning OS means anyone poor, or in a country with a poor dollar
> > exchange rate, is left behind.
> Panina, I hate to say this since class awareness is sorely lacking in
> tech, but in this case I don't agree with you. You don't need to buy the
> latest and/or shiny. If you look up any of the models mentioned
> previously on ebay (Lenovo T530/430, W530, X230) and upgrade those with
> an SSD you can have a fine Qubes laptop for $300 that will last you many
> years. I am personally using qubes for a few years on a laptop from 2014
> just like this. Maybe this could be mentioned more clearly in the docs,
> many people seem to think that they need a new i7 with 16GB+ of ram.
> That is absolutely not the case.
> 
> $300 is very different from $1500 but still definitely not free. If I
> take 'latest and shiny' a little less literally and by 'whatever we can
> get our hands on' you mean a laptop you can get for less than $200 or
> even for free, then I retract my point. However this is not really something
> qubes can do anything about. Hardware related projects have minimum hardware
> requirements, that hardware often (not always) costs money, and money is
> a class issue which it shouldn't be.
> 

I have to point out that you can run Qubes fine with HDD and 12GB RAM -
even 8GB is doable.
quick ebay suggests you can get x230 with *that* config regularly for less than
$200 - i7 with 16GB went for $175 recently.
If you drop down to an i5 (still workable) you can come in at less than
$100.
I know people who are using burners at these specs they have acquired
for free - worth the UX pain for the added security. There's always a
trade off.



Re: [qubes-users] Re: Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

2019-08-29 Thread unman
On Wed, Aug 28, 2019 at 09:01:46PM -1000, rec wins wrote:
> On 5/27/19 6:09 AM, Stumpy wrote:
> > I am trying to use an onlykey U2F but have run into some issues like it
> > showing up in dom0 and sys-usb but seems like I can't use it.
> > 
> > in sys-usb:
> > [user@sys-usb ~]$ lsusb | grep Only
> > Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor
> > Authentication and Password Solution
> > 
> > and in Dom0:
> > [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42
> > sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc
> > Device attach failed:
> > [ralph@dom0 ~]$
> > 
> > I decided to go with the chrome app but even though sys-usb seems to see
> > the onlykey I can't seem to attach it to the chrome appvm I made?
> > 
>   
> 
> so in dom0 you did
> $qvm-usb
> 
> get the BDM number and do
> 
> $qvm-usb attach chromevm sys-usb:X-X
> 
> U2F keys will work in chromium for google logins with no
> complicated passthrough setup necessary
> 
> OTP won't, if the key does more than U2F you may need to get a
> configuration application for the key and make sure it's U2F only
> slot 1, 2 etc
> 

Have you looked at the qubes-u2f-proxy package?
https://www.qubes-os.org/doc/u2f-proxy

After installation in dom0 and the relevant template, you enable the
service in the qube you want to use it in, and the device should then
be available for use in that qube.
You *don't* attach the USB device to the qube.

Try that, and see how you get on.

unman



Re: [qubes-users] KERNEL PANIC on booting installation media - Acer TravelMate B116 - Details Inside

2019-08-29 Thread Guest
Awokd,

One of the machines is a B117-M and the other is a B116-M. The previous boot 
debug is from the B116-M.

1) BIOS was updated to the latest available 1.23 and 1.24 on the B116-M and 
B117-M respectively - still getting the KERNEL PANIC on both machines.

2) Tried disabling all non essential peripherals in the bios (Audio, Wifi, LAN, 
Webcam, SDcard reader - leaving only the USB ports enabled), but without any 
success before and after the BIOS Upgrade. Still getting the KERNEL PANIC.

If I had to guess I would point at the intel chipset as the common denominator? 
Is there a way to tweak the kernel to work around this? A failsafe option?

I would really love to give Qubes a try! Thanks for any further insight or 
pointers.

At 23:22 28/08/2019, 'awokd' via qubes-users wrote:

>Update BIOS first. Do those Acers have a hardware peripheral in common
>between them, like a webcam? If so, disable it in BIOS, then try a
>reinstall. If not, disable all possible integrated peripherals (or
>enable all if you've disabled something) and try again.
>



[qubes-users] Re: Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

2019-08-29 Thread rec wins
On 5/27/19 6:09 AM, Stumpy wrote:
> I am trying to use an onlykey U2F but have run into some issues like it
> showing up in dom0 and sys-usb but seems like I can't use it.
> 
> in sys-usb:
> [user@sys-usb ~]$ lsusb | grep Only
> Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor
> Authentication and Password Solution
> 
> and in Dom0:
> [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42
> sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc
> Device attach failed:
> [ralph@dom0 ~]$
> 
> I decided to go with the chrome app but even though sys-usb seems to see
> the onlykey I can't seem to attach it to the chrome appvm I made?
> 


so in dom0 you did
$qvm-usb

get the BDM number and do

$qvm-usb attach chromevm sys-usb:X-X

U2F keys will work in chromium for google logins with no
complicated passthrough setup necessary

OTP won't, if the key does more than U2F you may need to get a
configuration application for the key and make sure it's U2F only
slot 1, 2 etc
