Re: [qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]

[pr0xy]

On 2020-07-16 12:34, unman wrote:
> On Wed, Jul 15, 2020 at 11:41:57PM -0700, pr0xy wrote:
>> On 2020-07-15 09:28, pr0xy wrote:
>> > I have been running R3.2 for about as long as I can. Time to upgrade to
>> > R4.0.x
>> >
>> > Original 2017 thread where I got this working in R3.2:
>> > https://groups.google.com/d/msg/qubes-users/K_etKdhnqLA/KyJ16z8JCwAJ
>> >
>> > It appears that some of the R3.2 tweaks I used to get Qubes to work
>> > nicely with my corporate proxy are no longer valid in 4.0.x. To
>> > summarize, my company network has a very restrictive proxy that forces
>> > internet traffic through an HTTP/HTTPS proxy like:
>> >
>> > proxy.example.com:8080
>> >
>> > In R4.0.x how and where would I set this proxy for the Qubes Updates
>> > Proxy? sys-net? sys-firewall? TemplateVMs?
>>
>> If I understand the documentation correctly...
>> https://qubes-os.org/doc/software-update-domu/#updates-proxy
>> we have TinyProxy running in sys-net, and this proxy is used for
>> TemplateVM updates.
>>
>> In the default R4.0.3 install, sys-net is based on a Fedora 30 template.
>> In the fedora-30 templateVM I tried editing
>> /etc/tinyproxy/tinyproxy.conf to add the IP of my company's HTTP proxy
>> as the upstream proxy
>>
>> Upstream http 10.0.0.1:8080
>>
>> That does not seem to work.
> 
> It would be helpful if you said in what way it does not seem to work.
> 
> Check in dom0, the contents of /etc/qubes-rpc/policy/qubes.UpdatesProxy,
> to make sure which qube is acting as the proxy.
> Check in a template if you are using sources with http:// or https:// -
> look in /etc/yum.repos.d or /etc/apt/sources.list as appropriate
> Confirm that you have DNS resolving in whichever qube is acting as
> proxy.
> 
> Report back.

unman:
> It would be helpful if you said in what way it does not seem to work.

I am unable to update TemplateVMs. Due to the proxy issue they cannot
access updates so I get an error like this:

fedora-30:
---
[user@fedora-30 ~]$ sudo dnf update
Fedora Modular 30 - x86_64  0.0  B/s |   0  B
06:00
Error: Failed to download metadata for repo 'fedora-modular': Cannot
prepare internal mirrorlist: Curl error (28): Timeout was reached for
https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-30=x86_64
[Operation timed out after 30001 milliseconds with 0 out of 0 bytes
received]
---

debian-10:
---
user@debian-10:~$ sudo apt update
Err:1 https://deb.qubes-os.org/r4.0/vm buster InRelease 
  
  Reading from proxy failed - select (115: Operation now in progress)
[IP: 127.0.0.1 8082]
Err:2 https://deb.debian.org/debian buster InRelease
  
  Reading from proxy failed - select (115: Operation now in progress)
[IP: 127.0.0.1 8082]
Err:3 https://deb.debian.org/debian-security buster/updates InRelease
  Reading from proxy failed - select (115: Operation now in progress)
[IP: 127.0.0.1 8082]
Reading package lists... Done
Building dependency tree   
Reading state information... Done
All packages are up to date.
W: Failed to fetch https://deb.debian.org/debian/dists/buster/InRelease 
Reading from proxy failed - select (115: Operation now in progress) [IP:
127.0.0.1 8082]
W: Failed to fetch
https://deb.debian.org/debian-security/dists/buster/updates/InRelease 
Reading from proxy failed - select (115: Operation now in progress) [IP:
127.0.0.1 8082]
W: Failed to fetch
https://deb.qubes-os.org/r4.0/vm/dists/buster/InRelease  Reading from
proxy failed - select (115: Operation now in progress) [IP: 127.0.0.1
8082]
W: Some index files failed to download. They have been ignored, or old
ones used instead.
---

I found that I am able to update Dom0. It is using sys-firewall as
UpdateVM to download updates. 
sys-firewall is based on fedora-30, and the Upstream proxy is set in
TinyProxy. This seems to work.

> Check in dom0, the contents of /etc/qubes-rpc/policy/qubes.UpdatesProxy

In /etc/qubes-rpc/policy/qubes.UpdatesProxy it shows sys-net is being
used for non-Whonix TemplateVMs:
---
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

$anyvm $anyvm deny
---

> Check in a template if you are using sources with http:// or https:// - look 
> in /etc/yum.repos.d or /etc/apt/sources.list as appropriate

The fedora-modular.repo has all the http:// lines commented out. Other
repo files also appear to be using  https:// as well.
debian-10 is also using https:// in sources.list

> Confirm that you have DNS resolving in whichever qube is acting as proxy.

DNS appears to be working from both sys-net and sys-firewall qubes. 
cat /etc/resolve.conf from sys-net shows the company DNS servers. I can
ping these from sys-firewall.

awokd:
> https://github.com/QubesOS/qubes-doc/pull/603/files#diff-50cf93c6cf4fa87fc6b6612d706874a1
>  may be useful, but possibly also in need of correction.

I remember when you made that writeup based on my original issue, but I
didn't see it in 

[qubes-users] Re: HCL - Lenovo ThinkPad W520

[brendan . hoar]

On Sunday, July 12, 2020 at 2:51:25 PM UTC-4, pok...@gmail.com wrote:
>
> I have the W520 with CPU type i7-2630QM and Nvidia Quadro 2000M (Lenovo 
> 4284-E78).
>
> https://ark.intel.com/content/www/us/en/ark/compare.html?productIds=52219,53474
>
> This laptop version doesnt have VT-d, but I completed the installation of 
> Qubes R4.0.3 even though there was a warning about this. 
> When booting the system however, the laptop screen goes black and I cant 
> see what's going on. 
>
> Any suggestions?
>
>
For Qubes 4.0 on the W520, I configure the BIOS to use the Integrated 
graphics only, disabling the NVIDIA GPU entirely.

That being said, it'd be worth it to switch to a W520 with a higher feature 
level CPU that does support vt-d.

Brendan

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/37b69690-3b37-4d6e-9eb6-976d1d196de0o%40googlegroups.com.

Re: [qubes-users] File syncing between Qubes

['awokd' via qubes-users]

Michael Haynes:

> *Question: Is there a simple way to setup a dedicated "server" VM*
> *using WebDAV to allow qubes to [automatically / periodically] exchange
> encrypted data even without Internet access?  If so, what are the
> security implications of doing this?  If not, what are some alternative
> ways of automating data transfers between qubes?
> *

Not really a simple way to do it, because like you said, the point of
Qubes is isolation. However, Qubes does have a mechanism (Qubes RPC) to
transfer data between qubes. Look into split-gpg or
https://github.com/freedomofpress/securedrop-proxy, for example. I don't
know if that mechanism could be adapted for your use case. There are
several security implications common to browser extensions in general:

- As an extension, it may have access to your browser history among
other browser contents. Some extensions have been found surreptitiously
phoning home that data.
- Some extensions can uniquely mark your requests, so web browsing
across different qubes could be linked.
- Probably more I'm not thinking of.

Simplest approach might be to only have one Joplin enabled web browser,
then copy & paste links you want to keep to it from browsers in other
qubes. You could then script a qvm-copy to run periodically, or develop
something with qubes-rpc to make it available to other qubes.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/275c600c-90fc-36a4-1b4a-a91dda3055cd%40danwin1210.me.

Re: [qubes-users] USB headset, how to control volume?

[dhorf-hfref . 4a288f10]

On Thu, Jul 16, 2020 at 10:40:47PM +0200, 'cubit' via qubes-users wrote:
> Is there any way to control the sound level once it is passed to an
> AppVM?    It would also be nice to control my mic levels but so far
> people have not complained about me being too quiet so not as
> pressing.

use an audiomixer app (like pavucontrol) inside the appvm.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200716205237.GB210712%40priv-mua.

[qubes-users] USB headset, how to control volume?

['cubit' via qubes-users]

Hello.

I have a logitec USB headset which is plugged into the laptop and then 
connected to my "chat" AppVM.

The audio and mic work in so much that I can hear and be heard. I can not 
however figure out how to control the sound level.

At the moment it's so loud I can not leave the headphones on my ears.

I've trued the in-line volume control,  the dom0 pulseaudio volume control,  
Manager and Preferences but can not change the level

Is there any way to control the sound level once it is passed to an AppVM?    
It would also be nice to control my mic levels but so far people have not 
complained about me being too quiet so not as pressing.

Cu

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/MCOLuQp--3-2%40tutanota.com.

Re: [qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]

[sysad.andes]

 Original message From: "sysad.andes"  
Date: 7/16/20  15:56  (GMT-05:00) To: awokd  Subject: Re: 
[qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]  
Original message From: 'awokd' via qubes-users 
 Date: 7/16/20  15:34  (GMT-05:00) To: 
qubes-users@googlegroups.com Subject: Re: [qubes-users] Qubes in a corporate 
network behind HTTP proxy [R4.0.x] unman:> On Wed, Jul 15, 2020 at 11:41:57PM 
-0700, pr0xy wrote:>> On 2020-07-15 09:28, pr0xy wrote:>>> 
proxy.example.com:8080 >> In R4.0.x how and where would I set this proxy 
for the Qubes Updates>>> Proxy? sys-net? sys-firewall? 
TemplateVMs?https://github.com/QubesOS/qubes-doc/pull/603/files#diff-50cf93c6cf4fa87fc6b6612d706874a1may
 be useful, but possibly also in need of correction.-- Also, besides what's 
listed in all the docs, make sure you have qubes-input-proxy installed in 
whatever template is behind the VM you want to handle updates for your templates

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5f10b64e.1c69fb81.e7294.cf6b%40mx.google.com.

[qubes-users] File syncing between Qubes

[Michael Haynes]

The following question is likely to raise some eyebrows, given that the
point of using Qubes is to achieve security through domain isolation. 
Thus, I'll start with a brief summary of the context to indicate why I'm
interested in this topic--the actual question is printed *in bold*
below.  I should also apologize at the outset for any stupidity in this
question--I'm pretty new at Qubes, and also at networking (e.g., I've
never setup a server of any kind before).

Here's the background:  I use Joplin, a markdown editor and notetaker,
to manage daily notes / TODO's / journal entries / many other things. 
In particular, when I encounter a website or article I'd like to stash
for later reading or reference, I use Joplin's build-in "web clipper"
extension on Firefox to save a MD version of the page to a Joplin
notebook.  Unfortunately, since I tend to do most of my journaling and
personal work in a network-isolated VM, while web clippings end up in
notebooks on networked VMs, I currently have a bunch of fragmentary
Joplin notebooks scattered across several VMs.  I could manually pass
clippings between qubes using qvm-copy, but that's painfully repetitive
and kind of defeats the time-saving purpose of an app like Joplin.

One of the nice things about Joplin is that it offers a number of ways
to cloud-sync notebooks across devices (similar to Evernote, but without
the proprietary software / file formats).  This got me wondering:

*Question: Is there a simple way to setup a dedicated "server" VM*
*using WebDAV to allow qubes to [automatically / periodically] exchange
encrypted data even without Internet access?  If so, what are the
security implications of doing this?  If not, what are some alternative
ways of automating data transfers between qubes?
*

Thanks in advance for any help.

~~Mike
**

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/384a019e-6560-9c66-6f7a-a56967e16092%40gmail.com.


0x54F042B3D26CCD7C.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] Re: Does qubes protect against all firmware viruses ?

['awokd' via qubes-users]

tomas.schutz...@gmail.com:
> Wait a minute... How checking account number, can represent security risk? 

https://www.consumer.ftc.gov/articles/0196-automatic-debit-scams

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/45f37846-04e8-b96e-74c7-42c9a4b3a73f%40danwin1210.me.

Re: [qubes-users] Verifying VM updates and packages

['awokd' via qubes-users]

E:
> Logic would dictate that an update is pushed to the all affected VM. 
> But, what I am now concerned with is the update packages that might be
> altered in transit from ISP.
> 
> **Side note, I came to Qubes because I was not satisfied with the
> security protocols offered by MS OS.**
> 
> 
> I will try updating from the terminal session.  can you correct me on
> the command:
> 
> 
> user@VM $ sudo update ???   (are update commands package specific)
> 
> Bizarrely, I've seen some VM are now labeled localhost?
> 
> 
> I am concerned about the file system corruption.  How can I change the
> system, or should I attempt a new install?
> 
> 
> Thanks,
> 
> 
> 
> On 7/14/20 8:19 PM, 'awokd' via qubes-users wrote:
>> E. Foster:
>>
>>> Or do some updates occur because a template VM has been changed in a
>>> repository, and the update package  is then pushed to the respective VMs
>>> using the template?
>> This. Qubes Updater (Qubes menu/System Tools) runs periodically and
>> checks for updates in repos.
>>
>>> Bizarrely, I have a VM and Template VM that keeps requesting to be
>>> updated
>>> and fails.
>> Try updating the template from a terminal session on it.
>>
>>> And lastly, how many times can a device be rebooted before you should be
>>> concerned about Xen issues.
>> Until the hardware fails, I guess. Unless you're talking about hard
>> power offs, in which case I'd be most concerned about file system
>> corruption over any Xen issues.
>>
> 
Preventing packages from being altered in transit relies on the various
distributions' security measures, not anything specific to Qubes. I feel
you can reduce the likelihood of an attack by utilizing onion
repositories where possible. Documentation on how to switch exists.

Update commands are specific to the distribution running in the
template. Debian is apt update then apt upgrade (as sudo). Fedora uses
dnf. These are not specific to Qubes either.

If you have frequently hard powered off Qubes instead of a proper
shutdown and are now concerned about file system corruption, be aware
that fsck runs on every boot. It can often correct minor corruption, but
if you want to be sure, a fresh reinstall choosing to delete and
recreate the disk partitions should resolve it.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/78b7ed09-30f9-a04f-090a-c5e5792a2c71%40danwin1210.me.

Re: [qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]

['awokd' via qubes-users]

unman:
> On Wed, Jul 15, 2020 at 11:41:57PM -0700, pr0xy wrote:
>> On 2020-07-15 09:28, pr0xy wrote:

>>> proxy.example.com:8080 
>>>
>>> In R4.0.x how and where would I set this proxy for the Qubes Updates
>>> Proxy? sys-net? sys-firewall? TemplateVMs?

https://github.com/QubesOS/qubes-doc/pull/603/files#diff-50cf93c6cf4fa87fc6b6612d706874a1
may be useful, but possibly also in need of correction.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f07c8424-0320-e649-8399-93c06406b6fb%40danwin1210.me.

[qubes-users] Re: Does qubes protect against all firmware viruses ?

[tomas . schutz707]

Wait a minute... How checking account number, can represent security risk? 
 
On Tuesday, June 9, 2020 at 5:18:10 PM UTC+2, Catacombs wrote:
>
>
>
> On Tuesday, June 9, 2020 at 9:39:26 AM UTC-5, Catacombs wrote:
>>
>>
>>
>> On Monday, June 8, 2020 at 1:00:17 PM UTC-5, tomas.s...@gmail.com wrote:
>>>
>>> I understand, that Qubes compartmentalizes OS and parts of OS don't have 
>>> access to other parts of the OS. So even if you had virus in your firmware 
>>> of a network card, it wouldn't matter. I know firmware viruses are rare, 
>>> but still better safe than sorry. I am looking for safe OS to do online 
>>> banking from. If i use live usb of QUBES, does that protect me against all 
>>> firmware viruses ? I wonder. Even there is like 0.2% chance of being 
>>> infected with it. Also i can't disable all my disks in BIOS, could that be 
>>> problem ? I mean if i use live-usb and don't boot my main OS, when usb is 
>>> plugged in. So my main OS can't compromise Qubes. And even if disks were 
>>> enabled and i boot up Qubes from live usb, i am not sure if it could get 
>>> infected, because these viruses has to be loaded somehow right ? But if 
>>> they are passively on the disk and you launch 2nd OS from live-usb, not 
>>> sure if it could get infected like this. I wanted to dedicate my old pc for 
>>> online banking, but Qubes doesn't work there.
>>>
>>
>> You might rather look at those webpages which talk about "Threat Model."  
>> Who you might be contending with.   There is, of course, the possibility 
>> that what you are referring to is the fact Intel main processors have 
>> modems which might allow Intel to change the firmware code without your 
>> knowing it.  I have been told, by someone who is much more knowledgeable 
>> about these things, that there are no instances of Intel ever having done 
>> that.   There are some possible problems with USB Keyboards.  
>>
>> You might ask your bank.  I suspect in any case, what you might be more 
>> interested in is reading about VPN's.   Some more expensive that others.  
>> As someone said, don't trust a free VPN, they have to make their money 
>> somewhere, still I use the free version of ProtonVPN.  
>>
>> Hardware that is produced with the goal of no Firmware intrusion includes 
>> - https://puri.sm/  the qubes certified hardware,  
>> https://www.qubes-os.org/doc/certified-hardware/,  notice the Hardware 
>> Compatibility List,  https://www.qubes-os.org/hcl/
>>
>> I guess that is off the subject.  
>>
>> If you use a VPN-  My bank checks the IP of the address the login comes 
>> from.  If the VPN server is say in New York, a thousand miles away, it will 
>> not let me login.  Bank reasons I should have told them I was traveling.  
>> You might find difficulty using Tor, or Whonix to login to your bank.  
>>
>
> I should mention, using a credit card can insulate you from risk.  The big 
> risk of using a bank account is allowing someone to have the checking 
> account number itself, the one on the bottom of all your checks.  
>
> Puppy Linux has a number of Live versions which actually do not have a 
> root, but whose security in the case of a bank account is derived from 
> loading a new fresh version of OS at each re-boot.  If one completely power 
> downs the computer after each bank session, and does not save the partition 
> each time, then.  No way can software get in around you.  Installing a VPN 
> to use with one of the distros of Puppy Linux can be problematic though.   
> Puppy Linux has a friendly forum.  I think you might start with Easy OS, 
> create a multi-save DVD.  Boot then do your banking, power down.   
>
> Not perfect.  If you are a geek type, then use Qubes.  No doubt Qubes is 
> superior in several ways. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/be1703b9-384b-421b-b8ce-9f82ad2c3b41o%40googlegroups.com.

[qubes-users] Re: Does qubes protect against all firmware viruses ?

[tomas . schutz707]

Wait a minute? I never heard of it, that stole account number could 
represent a security risk. What they gonna do with it, to hack your account?

On Tuesday, June 9, 2020 at 5:18:10 PM UTC+2, Catacombs wrote:
>
>
>
> On Tuesday, June 9, 2020 at 9:39:26 AM UTC-5, Catacombs wrote:
>>
>>
>>
>> On Monday, June 8, 2020 at 1:00:17 PM UTC-5, tomas.s...@gmail.com wrote:
>>>
>>> I understand, that Qubes compartmentalizes OS and parts of OS don't have 
>>> access to other parts of the OS. So even if you had virus in your firmware 
>>> of a network card, it wouldn't matter. I know firmware viruses are rare, 
>>> but still better safe than sorry. I am looking for safe OS to do online 
>>> banking from. If i use live usb of QUBES, does that protect me against all 
>>> firmware viruses ? I wonder. Even there is like 0.2% chance of being 
>>> infected with it. Also i can't disable all my disks in BIOS, could that be 
>>> problem ? I mean if i use live-usb and don't boot my main OS, when usb is 
>>> plugged in. So my main OS can't compromise Qubes. And even if disks were 
>>> enabled and i boot up Qubes from live usb, i am not sure if it could get 
>>> infected, because these viruses has to be loaded somehow right ? But if 
>>> they are passively on the disk and you launch 2nd OS from live-usb, not 
>>> sure if it could get infected like this. I wanted to dedicate my old pc for 
>>> online banking, but Qubes doesn't work there.
>>>
>>
>> You might rather look at those webpages which talk about "Threat Model."  
>> Who you might be contending with.   There is, of course, the possibility 
>> that what you are referring to is the fact Intel main processors have 
>> modems which might allow Intel to change the firmware code without your 
>> knowing it.  I have been told, by someone who is much more knowledgeable 
>> about these things, that there are no instances of Intel ever having done 
>> that.   There are some possible problems with USB Keyboards.  
>>
>> You might ask your bank.  I suspect in any case, what you might be more 
>> interested in is reading about VPN's.   Some more expensive that others.  
>> As someone said, don't trust a free VPN, they have to make their money 
>> somewhere, still I use the free version of ProtonVPN.  
>>
>> Hardware that is produced with the goal of no Firmware intrusion includes 
>> - https://puri.sm/  the qubes certified hardware,  
>> https://www.qubes-os.org/doc/certified-hardware/,  notice the Hardware 
>> Compatibility List,  https://www.qubes-os.org/hcl/
>>
>> I guess that is off the subject.  
>>
>> If you use a VPN-  My bank checks the IP of the address the login comes 
>> from.  If the VPN server is say in New York, a thousand miles away, it will 
>> not let me login.  Bank reasons I should have told them I was traveling.  
>> You might find difficulty using Tor, or Whonix to login to your bank.  
>>
>
> I should mention, using a credit card can insulate you from risk.  The big 
> risk of using a bank account is allowing someone to have the checking 
> account number itself, the one on the bottom of all your checks.  
>
> Puppy Linux has a number of Live versions which actually do not have a 
> root, but whose security in the case of a bank account is derived from 
> loading a new fresh version of OS at each re-boot.  If one completely power 
> downs the computer after each bank session, and does not save the partition 
> each time, then.  No way can software get in around you.  Installing a VPN 
> to use with one of the distros of Puppy Linux can be problematic though.   
> Puppy Linux has a friendly forum.  I think you might start with Easy OS, 
> create a multi-save DVD.  Boot then do your banking, power down.   
>
> Not perfect.  If you are a geek type, then use Qubes.  No doubt Qubes is 
> superior in several ways. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f46c2b4-c679-409a-b3af-fc2a18a0d9edo%40googlegroups.com.

Re: [qubes-users] Verifying VM updates and packages

[E]

Logic would dictate that an update is pushed to the all affected VM.  
But, what I am now concerned with is the update packages that might be 
altered in transit from ISP.


**Side note, I came to Qubes because I was not satisfied with the 
security protocols offered by MS OS.**



I will try updating from the terminal session.  can you correct me on 
the command:



user@VM $ sudo update ???   (are update commands package specific)

Bizarrely, I've seen some VM are now labeled localhost?


I am concerned about the file system corruption.  How can I change the 
system, or should I attempt a new install?



Thanks,



On 7/14/20 8:19 PM, 'awokd' via qubes-users wrote:

E. Foster:


Or do some updates occur because a template VM has been changed in a
repository, and the update package  is then pushed to the respective VMs
using the template?

This. Qubes Updater (Qubes menu/System Tools) runs periodically and
checks for updates in repos.


Bizarrely, I have a VM and Template VM that keeps requesting to be updated
and fails.

Try updating the template from a terminal session on it.


And lastly, how many times can a device be rebooted before you should be
concerned about Xen issues.

Until the hardware fails, I guess. Unless you're talking about hard
power offs, in which case I'd be most concerned about file system
corruption over any Xen issues.



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f4ffeefa-aaa6-67ea-4902-964736af9aa6%40gmail.com.

[qubes-users] HCL - Lenovo Thinkpad T470p 20J6CTO1WW

['Hammer' via qubes-users]

Everything works, and has been working for many months. No major complaints.

[Qubes-HCL-LENOVO-20J6CTO1WW-20200716-174746.yml]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a239a298526759eb0e1a1dfef4da761a5da0ae13%40hey.com.
---
layout:
  'hcl'
type:
  'notebook'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  'unknown'
remap:
  'yes'
brand: |
  LENOVO
model: |
  20J6CTO1WW
bios: |
  R0FET50W (1.30 )
cpu: |
  Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers [8086:5910] (rev 05)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation Device [8086:591b] (rev 04) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation Ethernet Connection (5) I219-LM (rev 31)
  Intel Corporation Wireless 8265 / 8275 (rev 78)
memory: |
  32628
scsi: |

usb: |
  1
versions:

- works:
'FIXME:yes|no|partial'
  qubes: |
R4.0
  xen: |
4.8.5-19.fc25
  kernel: |
4.19.128-1
  remark: |
FIXME
  credit: |
FIXAUTHOR
  link: |
FIXLINK

---

[qubes-users] Re: Fw: qubes arch template

[Frédéric Pierret]

On 2020-07-16 16:51, fargubz wrote:
> Hi Frederic,
> 
> Having the https://github.com/QubesOS/qubes-issues/issues/5503 issue.

Hi, please don't ask directly to any member of the Qubes OS project (including 
me :)). Ask to the list directly for which I CC it.
 
> What is the step to fix this?

I'm pretty sure any person who built Archlinux could help you (which is not my 
case).

> Best regards!
> 
> fargubz
> 

Regards,

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f237dd68-db2c-aa63-5954-218ca5dca4b8%40qubes-os.org.


signature.asc
Description: OpenPGP digital signature

[qubes-users] XSA-329 does not affect the security of Qubes OS

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

The Xen Project has published Xen Security Advisory 329 (XSA-329). This
XSA does *not* affect the security of Qubes OS, and no user action is
necessary.

This XSA has been added to the XSA Tracker:

https://www.qubes-os.org/security/xsa/#329

This announcement is also available on the Qubes website:

https://www.qubes-os.org/news/2020/07/16/xsa-329-qubes-not-affected/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl8QYKgACgkQ203TvDlQ
MDDpYxAAmXHBx3IZQNtfGtzqfkwEKgEUjfDKIbNY3odVcpcdEH63DyiJE6qSK7zW
X1l6DN+pi2mOPzkcj/tRo/cziuDC0Q4Ray1YXc/Mb5t4tO/wjCLUI4T8nhG1lbc8
/0/7EgzuYStn8N+sglKl+GNcAFAhil7OYE7+MMVeZzz+L1Ydi4YEm/OXJEL7J5Bk
HwpdfRgxKicuVAiLYMNQpyPHBrxAG1aRoHoDVMMpyKawsrGIn8OTIrP3CxnFCs8L
aQn3RpzMBohVJ5q9u7JM8CXERG339wX44zCiao+rXdPTdheeusgk9y/zwyxTlrFc
i6eanpK5wTIsotDQAQiZVJxGiQzlcn51mR3nZaWWj1JD5Szf+pI4DjS5yI2LBNX1
IbxgmXCHZUJbhuMPSUn+cyy/bfi1hP3RnPJf22Fvq7T/Jx/shMoloroUaNZZY4JM
yk9Vu3mEPbqin4ILRHVVFcI+iHTvAZOp9Tu2xfJngq18Wfo4tZquQvjCNqFHAMZV
2LSsb/T/qo9SE8mjmlkT2peoQxMmslfjusBmKQ8mLMTB6z2LpAog8gZlNoLMEwLC
ave0MCjYI6Mn8TnNuNvZ8oY/1/G2/YCS9ILSZ/3L1hKLDC8m/4JG4vTt7mlkUgU1
Y48yb6hLg1jQqmGP24EveLfp9rheIDzAInXxkXO2b1DRIiW6HfE=
=mfYB
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/271cb9e0-2212-c559-432d-846af1de8630%40qubes-os.org.

[qubes-users] How to create application shortcuts for Flatpak apps?

[Alex Lu]

I have a couple AppVMs with flatpak apps installed on them (with a --
user flag) and I can't figure out how to do it. There is guide
explaining how to do it, but it expects you to have flatpak apps
installed in TemplateVM. Is it possible to do?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/801be36725a7f3c6e67b0030a926da5bb452f15e.camel%40cock.li.

Re: [qubes-users] Security advantages of static DVMs for sys-VMs?

[unman]

On Thu, Jul 16, 2020 at 12:26:04PM +0200, Peter Funk wrote:
> fiftyfourthparal...@gmail.com asked:
> > I read about running sys-vms as static disposable VMs on the Qubes 
> > documentation site 
> > ,
> >  
> > then on the Whonix guide to Qubes security 
> > . I have my reservations 
> > about this (but then I'm no expert) and it feels like the outcome will be 
> > unstable and hard to use. However, since this is on both the Qubes and 
> > Whonix sites, this is probably worth looking at. 
> > 
> > What do you think about using static DVMs as sys-VMs?
> 
> I'm no real expert either.  But from my knowledge so far:
> 
> The basic idea of disposable VMs is, that any bad change to
> this virtual machine is disposed (thrown away) after a restart
> by returning to an "known good state" automatically.
> 
> However: If it was possible in the first place that something
> bad happened to this "known good state" then starting over
> will not remove this possibility for future events.
> 
> Throwing everything away will also delete any evidence that
> something bad might have happened to this part of your digital
> life and will make later analysis of the events harder.
> 
> I think those disposable VMs are great if you want to enter
> new unexplored territory and want to keep the risk of your
> experiments under better control.
> 
> However if for example you use an external USB keyboard (as
> most of us must today as the old PS/2 connector is dead) and
> you have this device connected to your Qubes OS laptop using
> the ordinary USB socket then I see not much gain by bothering
> about making sys-usb a static DisposableVM.
> 
> Please correct me if I'm wrong.
> 

54th - static disposableVMS are neither unstable nor hard to use. They
are as stable as a normal sys-VM and transparent in use.

Peter - I think you are missing this point - when you set up (e.g) a
disposable sys-usb you need not start the template before creating the
disposableVM. That means that there is (almost) no prospect of the
"known good state" being compromised.
In the USB case, if someone were to access your computer with a BadUSB,
then they may be able to dump a payload which could then compromise any
other USB devices, or possibly other qubes. Using a disposable sys-usb
reduces this risk.
I routinely cycle my usb qubes after removal of any device.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200716124849.GB22089%40thirdeyesecurity.org.

Re: [qubes-users] Squares instead of Characters in (?)nautilus

[Alex Lu]

Hi, Oleg! Thank you for your input.

I fixed the issue by installing missing packages. Those packages are:
liberation-fonts-common liberation-mono-fonts liberation-sans-fonts
liberation-serif-fonts

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8cb7805f6c8f044048e660752d6c93d8ee47506f.camel%40cock.li.

Re: [qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]

[unman]

On Wed, Jul 15, 2020 at 11:41:57PM -0700, pr0xy wrote:
> On 2020-07-15 09:28, pr0xy wrote:
> > I have been running R3.2 for about as long as I can. Time to upgrade to
> > R4.0.x
> > 
> > Original 2017 thread where I got this working in R3.2:
> > https://groups.google.com/d/msg/qubes-users/K_etKdhnqLA/KyJ16z8JCwAJ
> > 
> > It appears that some of the R3.2 tweaks I used to get Qubes to work
> > nicely with my corporate proxy are no longer valid in 4.0.x. To
> > summarize, my company network has a very restrictive proxy that forces 
> > internet traffic through an HTTP/HTTPS proxy like:
> > 
> > proxy.example.com:8080 
> > 
> > In R4.0.x how and where would I set this proxy for the Qubes Updates
> > Proxy? sys-net? sys-firewall? TemplateVMs?
> 
> If I understand the documentation correctly...
> https://qubes-os.org/doc/software-update-domu/#updates-proxy
> we have TinyProxy running in sys-net, and this proxy is used for
> TemplateVM updates.
> 
> In the default R4.0.3 install, sys-net is based on a Fedora 30 template.
> In the fedora-30 templateVM I tried editing
> /etc/tinyproxy/tinyproxy.conf to add the IP of my company's HTTP proxy
> as the upstream proxy
> 
> Upstream http 10.0.0.1:8080
> 
> That does not seem to work.

It would be helpful if you said in what way it does not seem to work.

Check in dom0, the contents of /etc/qubes-rpc/policy/qubes.UpdatesProxy,
to make sure which qube is acting as the proxy.
Check in a template if you are using sources with http:// or https:// -
look in /etc/yum.repos.d or /etc/apt/sources.list as appropriate
Confirm that you have DNS resolving in whichever qube is acting as
proxy.

Report back.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200716123452.GA22089%40thirdeyesecurity.org.

Re: [qubes-users] Security advantages of static DVMs for sys-VMs?

[Peter Funk]

fiftyfourthparal...@gmail.com asked:
> I read about running sys-vms as static disposable VMs on the Qubes 
> documentation site 
> ,
>  
> then on the Whonix guide to Qubes security 
> . I have my reservations 
> about this (but then I'm no expert) and it feels like the outcome will be 
> unstable and hard to use. However, since this is on both the Qubes and 
> Whonix sites, this is probably worth looking at. 
> 
> What do you think about using static DVMs as sys-VMs?

I'm no real expert either.  But from my knowledge so far:

The basic idea of disposable VMs is, that any bad change to
this virtual machine is disposed (thrown away) after a restart
by returning to an "known good state" automatically.

However: If it was possible in the first place that something
bad happened to this "known good state" then starting over
will not remove this possibility for future events.

Throwing everything away will also delete any evidence that
something bad might have happened to this part of your digital
life and will make later analysis of the events harder.

I think those disposable VMs are great if you want to enter
new unexplored territory and want to keep the risk of your
experiments under better control.

However if for example you use an external USB keyboard (as
most of us must today as the old PS/2 connector is dead) and
you have this device connected to your Qubes OS laptop using
the ordinary USB socket then I see not much gain by bothering
about making sys-usb a static DisposableVM.

Please correct me if I'm wrong.

Best regards, Peter.
-- 
Peter Funk ✉:Oldenburger Str.86, 2 Ganderkesee, Germany; :+49-179-640-8878 
✉office: ArtCom GmbH, Haferwende 2, D-28357 Bremen, Germany
☎office:+49-421-20419-0 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200716102604.GD15925%40pfmaster-P170EM.


signature.asc
Description: Digital signature

[qubes-users] Security advantages of static DVMs for sys-VMs?

[fiftyfourthparallel]

Hi there,

I read about running sys-vms as static disposable VMs on the Qubes 
documentation site 
,
 
then on the Whonix guide to Qubes security 
. I have my reservations 
about this (but then I'm no expert) and it feels like the outcome will be 
unstable and hard to use. However, since this is on both the Qubes and 
Whonix sites, this is probably worth looking at. 

What do you think about using static DVMs as sys-VMs?


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/206940d9-3dca-4621-9e25-78505730f662o%40googlegroups.com.

Re: [qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]

[pr0xy]

On 2020-07-15 09:28, pr0xy wrote:
> I have been running R3.2 for about as long as I can. Time to upgrade to
> R4.0.x
> 
> Original 2017 thread where I got this working in R3.2:
> https://groups.google.com/d/msg/qubes-users/K_etKdhnqLA/KyJ16z8JCwAJ
> 
> It appears that some of the R3.2 tweaks I used to get Qubes to work
> nicely with my corporate proxy are no longer valid in 4.0.x. To
> summarize, my company network has a very restrictive proxy that forces 
> internet traffic through an HTTP/HTTPS proxy like:
> 
> proxy.example.com:8080 
> 
> In R4.0.x how and where would I set this proxy for the Qubes Updates
> Proxy? sys-net? sys-firewall? TemplateVMs?

If I understand the documentation correctly...
https://qubes-os.org/doc/software-update-domu/#updates-proxy
we have TinyProxy running in sys-net, and this proxy is used for
TemplateVM updates.

In the default R4.0.3 install, sys-net is based on a Fedora 30 template.
In the fedora-30 templateVM I tried editing
/etc/tinyproxy/tinyproxy.conf to add the IP of my company's HTTP proxy
as the upstream proxy

Upstream http 10.0.0.1:8080

That does not seem to work.

In R3.2 I could switch the NetVM of a template to something that worked,
like sys-whonix. That doesn't seem to work in R4.x. At the moment I
cannot update dom0 or other templates aside from Whonix.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/30cadaa83ba9c35077ca2734898b4e1a%40riseup.net.