[qubes-users] Secure Boot on Dell 5590 UEFI - failed signature verification

2020-03-05 Thread Claudio Chinicz
Hi,

I have Qubes running on this machine. It boots UEFI from disk.

On the boot menu I've checked the Secure Boot and it was unchecked (never 
changed before). I've checked the box and rebooted. So it failed signature 
verification and I had to uncheck it and continue without secure boot.

Is there a way to change it and use secure boot? I mean, considering "I 
trust" what I have now on disk and I want to define the current state as 
trusted.

Thanks to all

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f6930299-01ae-4789-90b7-5ae9eb4f%40googlegroups.com.


[qubes-users] Why not make it possible to use a custom key combination for changing the keyboard layout when installing Qubes OS ?

2020-03-05 Thread A
When installing Qubes OS, it’s possible to choose between some predetermined 
key combinations for changing the keyboard layout.

Why not also make it possible for the user to make his or her own key 
combination for changing the keyboard layout when installing Qubes OS?

If the reason is to prevent the user from choosing key combinations that are 
already used by Qubes OS, then why is it possible to choose for example Ctrl + 
Shift for changing the keyboard layout when the same keys are used for secure 
copy and paste? Be aware that if a user chooses to use Ctrl + Shift for 
changing the keyboard layout, then it isn’t possible to use the same key 
combination for secure copy and paste, because Qubes OS just changes the 
keyboard layout immediately when these two keys are pressed and thereby it will 
perceive the key combination as used before the user presses C or V.

If there aren’t any good reasons not to give the user the option to enter a 
custom key combination for changing the keyboard layout when installing Qubes 
OS, I’ll suggest to create this option.

This would also mean that an intruder would have to try a much larger number of 
key combinations to change the keyboard layout. And that it wouldn’t be enough 
just to print a list with the predetermined key combinations and try them out 
one by one. Although an intruder probably would try to get entrance in some 
other way.



[qubes-users] Re: Tor not connecting over DSL

2020-03-05 Thread ggg397
Simple Tor, whether running in Windows or Linux, requires the proper 
setting of Time.

Perhaps, if it is easy for you, put something like Tails Linux on a flash 
drive, then test and troubleshoot inside Tails. Or perhaps even Ubuntu, in 
that they have an active forum for getting advice.



[qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread Mark Fernandes
I want to get a genuine copy of Qubos, from here in the UK (United Kingdom).

The only way described on the Quebos website at present, appears to be to 
download the ISO.

I have the classic security problem described on the website, where not 
having a trust-worthy machine, means that I have a never-ending chain of 
trust issues for each machine that I use in the obtaining of the software.

I suggest that the hyper-linked web-page above, be updated to provide 
further guidance as to how to ensure you have a genuine copy of the Qubos 
software. *Also, can anyone in this news group provide any such guidance 
for myself (and others?)*



(Solely) some thoughts on how to help ensure possession of a genuine copy 
of Quebos:


   1. If Quebos is distributed through PC magazine DVDs, users can purchase 
      a few copies of a particular magazine having such a DVD, at random, from 
      different stores, in widely different locations (different counties, 
      etc.) Users can then compare the copies to make sure they are identical.
   2. Purchase Quebos from a randomly chosen big PC store, that has 
      perhaps 100 copies of the software on its shelves, on a day picked at 
      random, by selecting one of the copies at random from the shelves.
   3. If a user believes they are being tracked, what they can do, is 
      schedule in their mind (or otherwise), to make such a purchase over the 
      next few months, and then when they are doing some activity (for example 
      visiting a friend in the city), they can just as an aside go and purchase 
      a copy of the software.
   4. Purchase the Quebos software from an online retailer, that uses 
      special tamper-evident packaging, and then compare the copy obtained in 
      this way, with software downloaded from the Quebos website.
   5. Obtain software in several ways, then compare copies to make sure 
      they're identical.


Thanks,


Mark Fernandes


#installation #installer #media #DVD #ISO #tamper #genuine #intercept 
#man-in-the-middle-attack #MITM



[qubes-users] Re: Tor not connecting over DSL

2020-03-05 Thread Rafael Reis
Could be an MTU issue. I had trouble with Qubes, VPNs, TOR and PPPoE connection 
due to its unusual MTU size (lower than 1500). Maybe the experts could shed 
some light into how Qubes deals with MTU across VMs



Re: [qubes-users] Re: Tor not connecting over DSL

2020-03-05 Thread dhorf-hfref . 4a288f10
On Thu, Mar 05, 2020 at 04:54:45AM -0800, Rafael Reis wrote:
> Could be an MTU issue. I had trouble with Qubes, VPNs, TOR and PPPoE
> connection due to its unusual MTU size (lower than 1500). Maybe the
> experts could shed some light into how Qubes deals with MTU across VMs

qubes? not at all.
the whole setup? 
depends on what kind of network setup you are using.
for example a "linux" netvm is a lot better at dealing with 
pmtu discovery than a "mirage" one. 
assuming you dont "customize" the firewall the wrong ways.
blocking icmp is a pretty reliable way to break things. 




Re: [qubes-users] Anyone gotten bitcoind to install via snapcraft on an AppVM?

2020-03-05 Thread tetrahedra via qubes-users

On Tue, Mar 03, 2020 at 11:17:53AM +, qubenix wrote:
> That's true, but using a pruned bitcoind will limit its usefulness as a
> backend for other software (eg. electrum servers, block explorers). You
> may be able to use it for a specific purpose (eg. joinmarket), but the
> point of my guides is that you can keep adding new software that comes
> out (eg. btcpayserver, lnd, c-lightning, esplora) and connect it to your
> bitcoind VM without having to reindex the chain.

Makes sense.

> > - it would be really nice to use bind-dirs to avoid creating a second
> > Whonix WS templateVM (which takes up lots of disk space) --
> > unfortunately I haven't figured out how to create a new user and keep
> > that user persistent (see prior email)
>
> This is a good point. Unfortunately I don't have a lot of extra
> time/motivation currently to make sweeping changes like that. That's why
> my btcpayserver branch hasn't been worked on since November.

Yes, I tried to do it (see earlier email in this thread) but it's not 
quite trivial. Bind-dir'ing /etc/passwd and related files seemed to 
break `adduser`.

> It's nice to know that someone somewhere is paying attention to work
> I've done with these. Thank you for that.

Thank you for doing them!



Re: [qubes-users] Manual VPN installation issues

2020-03-05 Thread tetrahedra via qubes-users

On Tue, Mar 03, 2020 at 09:18:54AM -0500, Chris Laprise wrote:
> > Assuming nothing's terribly wrong, it may be worth posting your public
> > key fingerprint used for code signing somewhere!
>
> The B281C952 key is a subkey of F07F1886; Import both and the former
> will be listed under the latter.

Ok, thanks for clarifying!



Re: [qubes-users] Building an X-230 into a Qubes machine.

2020-03-05 Thread tetrahedra via qubes-users

On Wed, Mar 04, 2020 at 04:51:38AM -0800, ggg...@gmail.com wrote:
> As I could not afford a Privacy Beast, I bought a refurbished X-230 Core
> I5, 4 GB RAM to convert on my own.  Soon I will get the 16 GB of RAM to put
> into it.  I am looking to buy a ch-431a to program it from Amazon.  I know
> the guys at Insurgo list on they use from China, but right now, I am not
> much interested in ordering one delivered from China.   Not sure when it
> would be delivered, and whether I want it into my house.

Most of these products come from China. If you use a Raspberry Pi then 
it comes from the UK, I think.




Re: [qubes-users] Why not make it possible to use a custom key combination for changing the keyboard layout when installing Qubes OS ?

2020-03-05 Thread tetrahedra via qubes-users

On Thu, Mar 05, 2020 at 03:33:54AM -0800, A wrote:
> When installing Qubes OS, it’s possible to choose between some predetermined
> key combinations for changing the keyboard layout.
>
> Why not also make it possible for the user to make his or her own key
> combination for changing the keyboard layout when installing Qubes OS?

I still haven't figured out how to change the key combination once the 
install is complete...




Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread Mark Fernandes
On Thu, 5 Mar 2020 at 13:30, Mike Keehan wrote:

> On 3/5/20 12:31 PM, Mark Fernandes wrote:
> > I want to get a genuine copy of Qubos, from here in the UK (United
> > Kingdom).
> >
> > The only way described on the Quebos website at present, appears to be
> > to download the ISO.
> >
> > I have the classic security problem described on the website, where
> > not having a trust-worthy machine, means that I have a never-ending
> > chain of trust issues for each machine that I use in the obtaining of
> > the software.
> >
> > I suggest that the hyper-linked web-page above, be updated to provide
> > further guidance as to how to ensure you have a genuine copy of the
> > Qubos software. *_Also, can anyone in this news group provide any such
> > guidance for myself (and others?)_*
> >
> >
> >
> > (Solely) some thoughts on how to help ensure possession of a genuine
> > copy of Quebos:
> >
> >  1. If Quebos is distributed through PC magazine DVDs, users can
> > purchase a few copies of a particular magazine having such a
> > DVD, at random, from different stores, in widely different
> > locations (different counties, etc.) Users can then compare the
> > copies to make sure they are identical.
> >  2. Purchase Quebos from a randomly chosen big PC store, that has
> > perhaps 100 copies of the software on its shelves, on a day
> > picked at random, by selecting one of the copies at random from
> > the shelves.
> >  3. If a user believes they are being tracked, what they can do, is
> > schedule in their mind (or otherwise), to make such a purchase
> > over the next few months, and then when they are doing some
> > activity (for example visiting a friend in the city), they can
> > just as an aside go and purchase a copy of the software.
> >  4. Purchase the Quebos software from an online retailer, that uses
> > special tamper-evident packaging, and then compare the copy
> > obtained in this way, with software downloaded from the Quebos
> > website.
> >  5. Obtain software in several ways, then compare copies to make
> > sure they're identical.
> >
> >
> >
> > Thanks,
> >
> >
> > Mark Fernandes
> >
> >
>
> Have you read the documentation at
> https://www.qubes-os.org/doc/installation-guide/ ??
>
>

I previously skim read what appeared to be the relevant parts from the
guide. Just now, I read from the beginning till the following text in the
guide:

*Once the ISO has been verified as authentic, you should...*


The text after that point appears to be irrelevant.

The only thing relevant to this topic in the guide, appears to be the
information on verifying signatures (which is of course standard practice).
In reading information on the Quebos website, there was implicit mention
that users may be operating under oppressive regimes/circumstances. With
this in mind, I just feel that more guidance is needed on how to obtain
authentic copies of the Quebos software. I've hinted at some ideas as to
how to do this, in my starting post for this topic.


Thanks,


Mark Fernandes



Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread dhorf-hfref . 4a288f10
could you please try to at least spell the name right?
this is giving my inner monk a headache...

On Thu, Mar 05, 2020 at 02:40:18PM +, Mark Fernandes wrote:

> The only thing relevant to this topic in the guide, appears to be the
> information on verifying signatures (which is of course standard practice).
...
> authentic copies of the Quebos software. I've hinted at some ideas as to
> how to do this, in my starting post for this topic.

actually, not the impression i am getting.
if you knew how to verify a signature and what that means, pretty
much all the "ideas" you listed would be obviously useless.

as in, to "verify the installer/iso", all you need is to verify the
signature:  https://www.qubes-os.org/security/verifying-signatures/

that reduces the actual problem to "how to get/verify the qubes master
key", for which suggestions are on that page, and which in general
is a lot easier than trying to verify some multi-GB monster.

for a lot of additional confirmations of the master key, you can
use a search engine, with/without tor, from different ISPs,
ask in different chats, look at presentation slides/videos 




Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread Mike Keehan

On 3/5/20 2:40 PM, Mark Fernandes wrote:
> On Thu, 5 Mar 2020 at 13:30, Mike Keehan wrote:


> > Have you read the documentation at
> > https://www.qubes-os.org/doc/installation-guide/ ??
>
> I previously skim read what appeared to be the relevant parts from the
> guide. Just now, I read from the beginning till the following text in
> the guide:
>
> /Once the ISO has been verified as authentic, you should.../
>
> The text after that point appears to be irrelevant.
>
> The only thing relevant to this topic in the guide, appears to be the
> information on verifying signatures (which is of course standard
> practice). In reading information on the Quebos website, there was
> implicit mention that users may be operating under oppressive
> regimes/circumstances. With this in mind, I just feel that more guidance
> is needed on how to obtain authentic copies of the Quebos software. I've
> hinted at some ideas as to how to do this, in my starting post for this
> topic.
>
> Thanks,
>
> Mark Fernandes



And did you thoroughly read the linked "our guide on verifying
signatures" page?

https://www.qubes-os.org/security/verifying-signatures/

It shows you how to verify that the ISO you download was actually
created by the Qubes OS team. (Quebos is not the correct spelling!).

Mike.



Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread Mark Fernandes
On Thu, 5 Mar 2020 at 15:01, Mike Keehan wrote:

> On 3/5/20 2:40 PM, Mark Fernandes wrote:
> > On Thu, 5 Mar 2020 at 13:30, Mike Keehan wrote:
> >
> > > Have you read the documentation at
> > > https://www.qubes-os.org/doc/installation-guide/ ??
> >
> >
> > I previously skim read what appeared to be the relevant parts from the
> > guide. Just now, I read from the beginning till the following text in
> > the guide:
> >
> > /Once the ISO has been verified as authentic, you should.../
> >
> >
> > The text after that point appears to be irrelevant.
> >
> > The only thing relevant to this topic in the guide, appears to be the
> > information on verifying signatures (which is of course standard
> > practice). In reading information on the Quebos website, there was
> > implicit mention that users may be operating under oppressive
> > regimes/circumstances. With this in mind, I just feel that more guidance
> > is needed on how to obtain authentic copies of the Quebos software. I've
> > hinted at some ideas as to how to do this, in my starting post for this
> > topic.
> >
> >
> > Thanks,
> >
> >
> > Mark Fernandes
> >
>
> And did you thoroughly read the linked "our guide on verifying
> signatures" page?
>
> https://www.qubes-os.org/security/verifying-signatures/
>
> It shows you how to verify that the ISO you download was actually
> created by the Qubes OS team. (Quebos is not the correct spelling!).
>
> Mike.
>
>
>
Hello all,

Firstly, apologies for misspelling Qubes OS (the word is strange, which is
probably why I've been getting confused..)

So if your computer has been compromised, the methods you suggest may be
useless. It doesn't matter whether you use search engines, chat rooms,
different ISPs, etc. to get the keys, in the scenario that some intruder
has control of your machine so that they replace every single instance of
the key you download with their own key matching the tampered-with software.

Another plausible scenario, is that of the Chinese government controlling
the internet of their citizens, where such an entity (without taking
control of a computer), makes sure that only compromised software and keys
are available to their internet

Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread dhorf-hfref . 4a288f10
On Thu, Mar 05, 2020 at 03:30:26PM +, Mark Fernandes wrote:

> So if your computer has been compromised, the methods you suggest may be

if your computer has been compromised to the point where
you dont trust it to verify a signature, you need a new 
computer to install qubes on.

once you have a computer you trust enough to install qubes on, 
you can use it to verify the signature. 






Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread Mark Fernandes
On Thu, 5 Mar 2020 at 15:42,  wrote:

> On Thu, Mar 05, 2020 at 03:30:26PM +, Mark Fernandes wrote:
>
> > So if your computer has been compromised, the methods you suggest may be
>
> if your computer has been compromised to the point where
> you dont trust it to verify a signature, you need a new
> computer to install qubes on.
>
> once you have a computer you trust enough to install qubes on,
> you can use it to verify the signature.
>
>
Well that's an idea. But still what if the software you are being 'fed' is
all tampered software, so that after replacing the computer, as soon as you
use software, you are compromised again?

Purchasing a new computer can also be expensive, and still in any case, you
might find that any software pre-installed on it may have already been
compromised.

Eg. suppose you are a person like Edward Snowden, and that you are a
targeted individual. Then such intensive manipulation is perhaps entirely
plausible.


Thanks,


Mark Fernandes



[qubes-users] hybrid graphics laptop over m2 sata egpu good idea or not?

2020-03-05 Thread john redneck
I am the owner of a tweaked Acer Aspire (100% Qubes OS compatibility).
So, that laptop has 32gb ram ddr4, i7-6500, 520 intel hd + nvidia 950m, 
also 1TB m2 sata samsung EVO and intel iommu support.
I can remove the m2 wifi module card and replace it with an m2 EGPU (for example, 
nvidia 1060 GTX PCI-E card).
Is it possible to gpu passthrough a dedicated eGPU card to a debian/fedora 
AppVM or HVM?
Has anyone had success, or is Qubes bad with gpu passthrough on laptops?



Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread dhorf-hfref . 4a288f10
On Thu, Mar 05, 2020 at 03:56:55PM +, Mark Fernandes wrote:
> Well that's an idea. But still what if the software you are being 'fed' is
> all tampered software, so that after replacing the computer, as soon as you
> use software, you are compromised again?
> Purchasing a new computer can also be expensive, and still in any case, you
> might find that any software pre-installed on it may have already been
> compromised.

welcome to "supply chain security is hard".
please have a seat next to that person posting here in the last days 
how he doesnt trust chips from china... 

the end result is still:
as long as you dont have a computer you trust, the whole rest
of this is pointless.
if you have a computer you trust, verifying a signature is a lot
more useful than variations of "i bought it in a shop while wearing
a fake beard, so it is certainly legit". 
(which applies to the hardware too!)

and the point of using different sources of info on the master key
is that an attacker who wants to fool you has to intercept every
single one of them. if he misses even one, the game is off.
and getting the master key fingerprint from many different
directions/sources seems a lot more realistic than doing the same
for an iso image...

and you dont have to trust any one of these sources, but if you 
add up enough of these untrusted sources, you can still trust
the end result as long as your threat model doesnt include every
single of the sources conspiring against you, or being compromised
by the same attacker...


> Eg. suppose you are a person like Edward Snowden, and that you are a
> targeted individual. Then such intensive manipulation is perhaps entirely
> plausible.

i am reasonably sure you are not ed snowden.
(if you are: sorry. i assumed ed snowden to know what a hash and
 signature are.)

but here is another headache:
(warning: nerd-sniping and messing-with-tinfoilhats ahead)

you are of course right that checking hashsums or signatures isnt
100% safe. what if there are alien quantum computers involved.

lets run numbers, the "basic math" kind: 
the qubes 4.0.3 iso is 38646317056 bits in size.
the signature is against a 256 bit hash (over 1056 bits of intermediate
hashes plus some metadata).

so there are about 2**38646316800 different iso images of the same size
that will match this signature. or 2**38646316000 to match the intermediate
hashes so you wouldnt have to bother faking the sigfile. 
thats close enough to "infinitely many" for me to not actually calculate it.
(hint: thats several times the estimated number of atoms in the universe)

wait. who said the evil iso has to be the same size?! no one. 
so, aeh, there are infinite amounts of infinite piles of iso
images that all match this signature!

but probably even edward snowden is ok with a reasonably sized signature. 
because else we might as well just toss this whole internet
and computer thing out the window. 


(and do i double down now or wait for the likely next round to mention that
the qubes master key might be considered compromised because the qubes 
team never planned for having a senior member leave the team... *coughs* ;)


please dont get me wrong, critical thinking is good, but its also
important to stay somewhat reasonable about your threat model, because 
once you get stuck worrying about class 4+ picotech perversions, you 
wont get much done anymore... 




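The multi-source check described in the message above, as an added example that is not part of the original post: the fingerprint of the locally imported key is compared against every independently obtained copy, and a single disagreeing source is enough to refuse. The fingerprint, the source names and the `min_sources` threshold are constructed assumptions, not Qubes values.

```python
import re

# Constructed sample data: this fingerprint and the source names are made up.
# In practice each entry is what one independent channel published.
SAMPLE_SOURCES = {
    "project website": "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333",
    "mailing-list archive": "aaaabbbbccccddddeeeeffff0000111122223333",
    "conference slide": "0xAAAABBBBCCCCDDDDEEEEFFFF0000111122223333",
    "printed sticker": "AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:0000:1111:2222:3333",
}


def normalize(fingerprint):
    """Reduce a 160-bit OpenPGP fingerprint to 40 uppercase hex digits."""
    text = re.sub(r"[\s:]", "", fingerprint)
    if text[:2].lower() == "0x":
        text = text[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", text):
        raise ValueError("not a 40-hex-digit fingerprint")
    return text.upper()


def cross_check(local_fingerprint, sources, min_sources=3):
    """Compare the fingerprint of the locally imported key with every source.

    Returns a dict: 'trusted' is True only if at least min_sources sources
    were consulted and all of them match the local key. 'dissenting' lists
    sources that disagree or are unreadable; one is enough to refuse.
    """
    local = normalize(local_fingerprint)
    agreeing, dissenting = [], []
    for name, published in sorted(sources.items()):
        try:
            matches = normalize(published) == local
        except ValueError:
            matches = False  # an unreadable source cannot vouch for anything
        (agreeing if matches else dissenting).append(name)
    trusted = not dissenting and len(agreeing) >= min_sources
    return {"trusted": trusted, "agreeing": agreeing, "dissenting": dissenting}


if __name__ == "__main__":
    # Constructed value standing in for what `gpg --fingerprint` shows locally.
    local = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
    print(cross_check(local, SAMPLE_SOURCES))
    # One intercepted channel out of four is enough to expose the swap.
    tampered = dict(SAMPLE_SOURCES, **{"conference slide": "0x" + "F" * 40})
    print(cross_check(local, tampered))
```

A non-empty `dissenting` list does not say which side is wrong, only that the key should not be trusted until the disagreement is explained.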


[qubes-users] HVM sound, webcam, microphone, resolution

2020-03-05 Thread 'Ian' via qubes-users
Hi all,

I've just started using Qubes and I'm trying to ease transition from my current 
virtualbox based setup by just importing my virtualbox VMs as HVMs.

I've imported one which is Linux Mint. But there are a few things I haven't 
been able to get working.

1. Resolution above 1920x1080 (the host is 2560x1440, but xrandr only sees up 
to 1920x1080).
2. Sound in the HVM. Is it possible to get sound working?
3. Attaching a microphone (built-in) to the HVM
4. Attaching a USB webcam to the HVM

Are any of these possible? Thank you in advance for any help. I've trawled 
through the docs, and message archives but nothing seems to help.

--
Dr Ian Preston
Peergos
@peergos
https://peergos.org



Re: [qubes-users] HVM sound, webcam, microphone, resolution

2020-03-05 Thread dhorf-hfref . 4a288f10
On Thu, Mar 05, 2020 at 05:48:36PM +, 'Ian' via qubes-users wrote:
> I've just started using Qubes and I'm trying to ease transition from
> my current virtualbox based setup by just importing my virtualbox VMs
> as HVMs.

good strategy!


> 1. Resolution above 1920x1080 (the host is 2560x1440, but xrandr only
> sees up to 1920x1080).
> 2. Sound in the HVM. Is it possible to get sound working?

actually all of this should work "out of the box"(*).
as in, if you try xrandr or some audio playback in a hvm domain
like sys-net or sys-usb, it should "just work". 


> 3. Attaching a microphone (built-in) to the HVM
> 4. Attaching a USB webcam to the HVM

you need to attach the mic (device management), and some usb devices
may not work at all with linux usbip ("cable is bad" in dmesg).


> Are any of these possible? Thank you in advance for any help.

your problem is more likely to be lack of xen/qubes support in the
kernel (if you are booting an in-vm kernel) or userland.

try firing up a regular templated appvm instead, and attaching the
mint-image to that as a blockdevice. if you only need "user data"
from the old image, copy things around (or use symlinks). 
if you need the "old system", try to chroot into it.

welcome to qubes and good luck. 





Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread Chris Laprise

On 3/5/20 7:31 AM, Mark Fernandes wrote:
> I want to get a genuine copy of Qubes, from here in the UK (United Kingdom).
>
> The only way described on the Qubes website at present, appears to be
> to download the ISO.
>
> I have the classic security problem described on the website, where not
> having a trust-worthy machine, means that I have a never-ending chain of
> trust issues for each machine that I use in the obtaining of the software.


Many of us work with a threat model that assumes at least some computers 
available by retail are not compromised "out of the box", or else if 
compromised then not at the BIOS/UEFI firmware level. For this model, 
verifying the Qubes ISO with gpg is acceptable.


You can also qualify the model somewhat and say that an attacker cannot 
successfully infect all of your (hopefully diverse) computers, so that 
makes checking a signature on several different computers a form of 
reassurance.


OTOH, you may have decided to discard the above threat model because of 
some intent or capability known to you. In that case, I think the Qubes 
community has only two answers: Find a trusted service that can flash a 
known good/uncompromised firmware suite onto one of your machines, or 
find a system vendor like Insurgo or NitroKey that sells re-flashed 
systems and uses anti-interception measures (like tamper-evident 
packaging and signatures) in addition to offering Qubes pre-installed.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread Mark Fernandes
I know what signatures and hashes are. I've just never needed to be so
bothered with them for my activities.  I studied Computer Science at degree
level.

I was recently hacked and this is why I'm so concerned about my security.
I'd rather over-kill than under-kill at the moment, because later on, I'd
rather not have to worry about security.

Given that the operating system is such a fundamental aspect of conducting
computing activities, I hardly consider it painless *at all*, to compare
ISO images. I have no idea where you get the idea that doing so is
difficult?

From what you have elaborated concerning signatures, you just give further
reason to have concerns over trusting signatures. With sufficient computing
power, sufficient time, it just seems absolutely reasonable to be able to
re-hack an OS image so that it produces the same signature but also
contains a security vulnerability. Or am I not enough informed (which I
admit might be the case)?

By the way, I consider that I am being completely reasonable with my threat
model, whilst also employing critical thinking. How hard is it to go to a
large PC store, and pick at random one Linux distribution, to take home, to
better ensure you have system integrity? As said above, the OS is very
important, and it's not as though people tend to install their OS
frequently.

I don't know what you mean about picotech, but I'm guessing you're probably
referring to hardware or devices happening on the picometre level? I
haven't said anything about such threats. But if they are reasonably
plausible (which may be the case), then perhaps certain individuals should
consider them. The diversification of work is oriented to all the different
aspects of it... security work is just another kind of work that sometimes
needs attention. If you can't do something securely, sometimes, you should
just not do it at all, and perhaps do something else, something altogether
different, etc.


Thanks,


Mark Fernandes

On Thu, 5 Mar 2020 at 17:26,  wrote:

> On Thu, Mar 05, 2020 at 03:56:55PM +, Mark Fernandes wrote:
> > Well that's an idea. But still what if the software you are being 'fed' is
> > all tampered software, so that after replacing the computer, as soon as you
> > use software, you are compromised again?
> > Purchasing a new computer can also be expensive, and still in any case, you
> > might find that any software pre-installed on it may have already been
> > compromised.
>
> welcome to "supply chain security is hard".
> please have a seat next to that person posting here in the last days
> how he doesnt trust chips from china...
>
> the end result is still:
> as long as you dont have a computer you trust, the whole rest
> of this is pointless.
> if you have a computer you trust, verifying a signature is a lot
> more useful than variations of "i bought it in a shop while wearing
> a fake beard, so it is certainly legit".
> (which applies to the hardware too!)
>
> and the point of using different sources of info on the master key
> is that an attacker who wants to fool you has to intercept every
> single one of them. if he misses even one, the game is off.
> and getting the master key fingerprint from many different
> directions/sources seems a lot more realistic than doing the same
> for an iso image...
>
> and you dont have to trust any one of these sources, but if you
> add up enough of these untrusted sources, you can still trust
> the end result as long as your threat model doesnt include every
> single of the sources conspiring against you, or being compromised
> by the same attacker...
>
>
> > Eg. suppose you are a person like Edward Snowden, and that you are a
> > targeted individual. Then such intensive manipulation is perhaps entirely
> > plausible.
>
> i am reasonably sure you are not ed snowden.
> (if you are: sorry. i assumed ed snowden to know what a hash and
>  signature are.)
>
> but here is another headache:
> (warning: nerd-sniping and messing-with-tinfoilhats ahead)
>
> you are of course right that checking hashsums or signatures isnt
> 100% safe. what if there are alien quantum computers involved.
>
> lets run numbers, the "basic math" kind:
> the qubes 4.0.3 iso is 38646317056 bits in size.
> the signature is against a 256 bit hash (over 1056 bits of intermediate
> hashes plus some metadata).
>
> so there are about 2**38646316800 different iso images of the same size
> that will match this signature. or 2**38646316000 to match the intermediate
> hashes so you wouldnt have to bother faking the sigfile.
> thats close enough to "infinitely many" for me to not actually calculate it.
> (hint: thats several times the estimated number of atoms in the universe)
>
> wait. who said the evil iso has to be the same size?! no one.
> so, aeh, there are infinite amounts of infinite piles of iso
> images that all match this signature!
>
> but probably even edward snowden is ok with a reasonably sized signature.
> because else we might as well just tos
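Added example, not part of either message: it works through the numbers in the quoted reply and the search the message above asks about, where an attacker must find a second image with the same hash as the genuine one. The count of matching images is huge, but the search cost doubles with every hash bit, which the code measures on SHA-256 truncated to a few bits. The truncation, the stand-in messages and the rate of 10**18 hashes per second are assumptions made for the illustration.

```python
import hashlib

ISO_BITS = 38646317056   # size of the Qubes 4.0.3 ISO as given in the thread
HASH_BITS = 256          # width of the signed hash as given in the thread


def log2_matching_images(image_bits, hash_bits):
    """log2 of the average number of same-size images per hash value."""
    return image_bits - hash_bits


def truncated_sha256(data, bits):
    """The top `bits` bits of SHA-256(data), as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_second_preimage(genuine, bits, max_tries):
    """Search for a different message with the same truncated hash.

    Returns (message, tries), or (None, max_tries) if the budget runs out.
    """
    want = truncated_sha256(genuine, bits)
    for tries in range(1, max_tries + 1):
        candidate = b"constructed-other-image-%d" % tries
        if candidate != genuine and truncated_sha256(candidate, bits) == want:
            return candidate, tries
    return None, max_tries


def years_to_search(hash_bits, hashes_per_second):
    """Expected years to try 2**hash_bits candidates at the given rate."""
    return 2 ** hash_bits / hashes_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("same-size images per hash value: 2**%d"
          % log2_matching_images(ISO_BITS, HASH_BITS))
    genuine = b"constructed stand-in for the genuine image"
    for bits in (8, 12, 16, 20):
        _, tries = find_second_preimage(genuine, bits, 50_000_000)
        print("%2d-bit hash: match after %d tries (expected about %d)"
              % (bits, tries, 2 ** bits))
    # Assumed rate of 10**18 hashes per second, far beyond a single machine.
    print("256-bit hash: about %.1e years" % years_to_search(HASH_BITS, 1e18))
```

The matching images exist, but nothing short of trying on the order of 2**256 candidates is known to locate one for SHA-256.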

Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread dhorf-hfref . 4a288f10
On Thu, Mar 05, 2020 at 01:21:47PM -0500, Chris Laprise wrote:

> You can also qualify the model somewhat and say that an attacker cannot
> successfully infect all of your (hopefully diverse) computers, so that makes

the diversity bit is important.
and if its mainly about validating a download, even the most
outdated/underpowered device should work.


> OTOH, you may have decided to discard the above threat model because of some
> intent or capability known to you. In that case, I think the Qubes community

http://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html


> system vendor like Insurgo or NitroKey that sell re-flashed systems and uses
> anti-interception measures (like tamper-evident packaging and signatures) in

i trust a randomly-bought chromebook more than any overpriced device
that has "we are so secure/paranoid we walk funny" as its main selling
point. 







Re: [qubes-users] Obtaining genuine Qubos installer

2020-03-05 Thread Mark Fernandes
On Thu, 5 Mar 2020 at 18:21, Chris Laprise  wrote:

> On 3/5/20 7:31 AM, Mark Fernandes wrote:
> > I want to get a genuine copy of Qubes, from here in the UK (United Kingdom).
> >
> > The only way described on the Qubes website at present, appears to be
> > to download the ISO.
> >
> > I have the classic security problem described on the website, where not
> > having a trust-worthy machine, means that I have a never-ending chain of
> > trust issues for each machine that I use in the obtaining of the software.
>
> Many of us work with a threat model that assumes at least some computers
> available by retail are not compromised "out of the box", or else if
> compromised then not at the BIOS/UEFI firmware level. For this model,
> verifying the Qubes ISO with gpg is acceptable.
>
>
Hello Chris,

I've only heard of gpg as a binary running over an operating system. Is it
available as something you can run directly off boot-able media?

In any case, you still need to ensure that gpg hasn't been compromised. If
it has to run off an OS, that OS needs to have not been compromised. If you
need to download gpg, the OS which you use for downloading gpg has to be
not compromised. The website doesn't appear to address these issues. The
security Qubes OS offers may be great. But getting from a position where
you don't have Qubes OS at all, to having Qubes OS installed, appears to be
a serious security concern.


> You can also qualify the model somewhat and say that an attacker cannot
> successfully infect all of your (hopefully diverse) computers, so that
> makes checking a signature on several different computers a form of
> reassurance.
>
> OTOH, you may have decided to discard the above threat model because of
> some intent or capability known to you. In that case, I think the Qubes
> community has only two answers: Find a trusted service that can flash a
> known good/uncompromised firmware suite onto one of your machines, or
> find a system vendor like Insurgo or NitroKey that sell re-flashed
> systems and uses anti-interception measures (like tamper-evident
> packaging and signatures) in addition to offering Qubes pre-installed.
>
> --
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>
>
👍 Thanks for these tips. They are valuable.


Mark Fernandes



[qubes-users] Re: ANN: Wyng beta, a fast incremental backup tool

2020-03-05 Thread Eva Star
It would also be amazing if you would provide a separate Qubes-oriented utility 
to use with Wyng to back up all Qubes settings. The goal is to change the 
default backup/restore with this tool.



[qubes-users] HCL - Optiplex 9020

2020-03-05 Thread 'jack jannack' via qubes-users
---
layout:
  'hcl'
type:
  'mini tower'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  ''
remap:
  'yes'
brand: |
  Dell Inc.
model: |
  OptiPlex 9020
bios: |
  A25
cpu: |
  Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation 4th Gen Core Processor DRAM Controller [8086:0c00] (rev 06)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller [8086:0412] (rev 06) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation Ethernet Connection I217-LM (rev 04)
memory: |
  8093
scsi: |
  INTEL SSDSC2KW51 Rev: 002C
  DVD-ROM DS-8DBSH Rev: CD11
  DVD+-RW SW830Rev: D.02
usb: |
  3
versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R4.0
  xen: |
    4.8.5-14.fc25
  kernel: |
    4.19.100-1
  remark: |
    FIXME
  credit: |
    FIXAUTHOR
  link: |
    FIXLINK

---



Qubes-HCL-Dell_Inc_-OptiPlex_9020-20200306-003259.cpio.gz
Description: File Attachment: Qubes-HCL-Dell_Inc_-OptiPlex_9020-20200306-003259.cpio.gz


[qubes-users] cache for UpdateProxy?

2020-03-05 Thread Sven Semmler
I have several template VMs that are based on the same distro but with
different software installed.

tpl-ubu-18-apps  ... for offline / disposable qubes ... lots of apps 
tpl-ubu-18-web   ... for online / disposable qubes ... just firefox
tpl-ubu-18-email ... fetchmail / postfix / mutt
tpl-ubu-18-base  ... just the basics for all kinds of qubes

Even though those templates have all their special purposes and contents
there are lots and lots of packages that are installed in all of them.

If I now run my update scripts, each of those will download identical
packages. All of them will do so through the Qubes UpdateProxy
(tinyproxy?).

Is there a way for me to configure this proxy to hold a very short term
cache? Something like 30 minutes? Meaning if an identical download was
requested within the last 30 minutes a locally cached copy is served
instead of downloading it again from a remote server. 

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6


