Re: [qubes-users] Qubes 4.0 RC3 (installation) MEGA-HUGE security flaw! (report the bug below or quit the program)

2017-11-29 Thread genevieve . c . gauthier
On Wed, 2017-11-29 at 15:59 +, Unman wrote:
> In the Fedora documentation there ARE methods described for getting bug
> reports out of the install process, but they require active intervention
> from the user (copy to another drive or scp across network). There's no
> suggestion that these reports would be automatically submitted.
> 
> I've had a quick look through the code and I don't see any mechanism for
> passing on bug reports - but it was a very quick look.

Interesting & very good to know this, but that would have surprised me a
lot from a Qubes OS installation. Have you learned if it is specific to
Qubes 4.0 rc3 (perhaps the installation part has been there for a long
time before this release)?

3-4 questions remain for me.  If you can learn those answers in the
future, I believe this issue would have been truly investigated for me.

With an "active" intervention from the user (or if I had connected to
the internet and submitted my report from my computer to the computer
receiving those reports) 

1.1 : Would my passphrase have been transmitted?  YES/NO?
1.2 : Encrypted along the way?  YES/NO?
2.1 : If YES to 1.1, where/to whom would the passphrase have been
transmitted?
2.2 : Who would have had access to this information?


I am not looking for an immediate answer. However, I am still curious
about all this.  Such a strange 'Bug Report' to see it like this..
Seems complicated to use that information to compromise the whole system
via dom0 (that's good)

P-S & It means I can continue my own little project of giving Qubes
usb sticks to people around me so they can access their bank account
online without having to worry about being on their "vulnerable" (or
even worse, compromised win10 OS) windows OS.  Furthermore, I feel you
have done a great job at Qubes OS so it would be simple for me to teach
people how to open a disposable-vm for this purpose and this purpose
only (without really having to learn about Dom0 or about this
fascinating architecture if they are not interested).  Love the Qubes
"color code" BTW.  It will make my life very easy when I explain to
people which color they must see on their browser to feel more secure
(without having to teach any grandparents about VM, Xen Hypervisor
and Dom0 interaction lol).  Just using a linux distro would be superior
I think.. but Qubes and a disposable-vm seems perfect just to "go
to the bank online" if you are old and know little about computers. The
cost of this idea is minimal too (really just having a 32gb usb
media lying around).  I do not think those would have been targeted
Qubes users.  Qubes does not even need any modification for this
project.  I will be able to teach many people in less than 30
minutes I think with one demonstration during the holidays.  Better
safe than sorry and with no money ! Agree ? :-)

Take Care & Thank you 
 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1511989413.14418.54.camel%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Qubes 4.0 RC3 (installation) MEGA-HUGE security flaw! (report the bug below or quit the program)

2017-11-28 Thread genevieve . c . gauthier
Sorry but I almost fainted ! (I even took a picture ! I could not believe this 
MEGA-HUGE security flaw right in front of my eyes ) 

An installation error prompted this screen:

An unknown error has occurred
This program has encountered an unknown error. You may report the bug below or 
quit the program.  (2 buttons:1st 'Report Bug' 2nd 'Quit')

More info ...
The output below may help determine the cause of the error :
[...]
#System timezone
timezone America/New_York --isUtc
#System bootloader configuration
bootloader --location=mbr
autopart --encrypted --passphrase=X!! 
type=lvm
#Root password
rootpw --lock
#Partition clearing information
[...]

//
WHAT IS THIS ! I could SEE with my own little EYES my OWN "SECURE" PASSPHRASE 
as a STRING!!! (translated to you as XXX!) 

Do I need to repeat this?? (sorry but I even took the picture with my finger in 
front of it so I would not store my OWN SECURE PASSPHRASE in a picture!!!)

I am a dummy but not that dumb... what is this ? Is it a mistake ? Is it 
supposed to be Qubes OS Untrustable OS or ?? ... Sorry, you are supposed to be 
good and security expert but you are asking me (THE dumb USER) to report MY OWN 
PASSPHRASE AS A STRING to help you??   (Such an easy way to get access to my 
drive! & perhaps use my passphrase to guess other passwords as well...)

I believe, without being on the "receiving" side of this report bug 
process (would need this to be 100% sure), that your OWN bug reporting system is 
giving you Qubes Users' PASSPHRASE as a (clear) STRING in the report ... 

Your Report bug => The needed stuff &&& MY DRIVE SECURE PASSPHRASE so everyone 
can see it!?

This does not look very "secure" to me ... (sorry but lmao)

P-S there is also 'Debug' may take you to tty1 & Button "Debug" (lower right 
corner of my screen)

Have a nice day 
N.B. I will not report this bug "computer" to "computer" as my own Qubes OS 
drive would not be encrypted at all if everyone at "Qubes OS" has MY own drive 
password to (de)crypt it.  I am very glad you are an opensource software ... 
If this had been "Windows" I might not have fainted but I might have had a 
heart attack after reviewing this truly UNSECURED "Report" 

 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d18652f0-d300-4b92-99c0-a0ecedd93d11%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
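An added example, not part of the original thread and not Qubes or Anaconda code: a Python filter that redacts secret values from kickstart-style installer output, such as the `autopart --encrypted --passphrase=...` line shown in the message above, before the text is copied into a bug report. The sample input and its passwords are constructed, and the option list (`--passphrase`, `--password`, positional `rootpw` argument) is an assumption covering common kickstart cases, not an exhaustive one.

```python
import re

# Kickstart options whose value is a secret (seen on autopart, part, logvol,
# raid, user, bootloader). The value follows "=" or whitespace and may be quoted.
_SECRET_OPT = re.compile(
    r"""(--(?:passphrase|password)(?:=|\s+))("[^"]*"|'[^']*'|\S+)"""
)
# rootpw carries the password as a positional argument; flags such as --lock
# or --iscrypted start with "--" and are kept.
_ROOTPW = re.compile(r"^(\s*rootpw\b)(.*)$")
PLACEHOLDER = "<redacted>"


def redact_line(line):
    """Return (line with secret values replaced, number of redactions)."""
    if line.lstrip().startswith("#"):          # kickstart comment, leave alone
        return line, 0
    line, count = _SECRET_OPT.subn(lambda m: m.group(1) + PLACEHOLDER, line)
    m = _ROOTPW.match(line)
    if m:
        args = []
        for arg in m.group(2).split():
            if arg.startswith("--"):
                args.append(arg)
            else:                               # positional password or hash
                args.append(PLACEHOLDER)
                count += 1
        line = " ".join([m.group(1)] + args)
    return line, count


def redact(text):
    """Redact every line of an installer dump; return (clean_text, total)."""
    results = [redact_line(l) for l in text.splitlines()]
    return "\n".join(l for l, _ in results), sum(n for _, n in results)


# Constructed sample modelled on the excerpt in the message; the passphrase
# and the second rootpw line are made up for the demonstration.
SAMPLE = """\
#System bootloader configuration
bootloader --location=mbr
autopart --encrypted --passphrase="Constructed Example 1!" --type=lvm
#Root password
rootpw --lock
rootpw --plaintext constructed-root-pw
"""

if __name__ == "__main__":
    clean, total = redact(SAMPLE)
    print(clean)
    print(f"{total} secret value(s) redacted")
```

A passphrase that has already appeared on screen or in a saved report should still be treated as exposed and changed; the filter only keeps it out of what is shared afterwards.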


[qubes-users] Qubes for "dummies"

2017-11-27 Thread genevieve . c . gauthier
Hi, I did not know about your OS.  I think this project is awesome.  I do not 
have the computer knowledge some of you specialists in your field have.  I am 
writing this message to try to contribute in my own way.

First, I have also watched "Youtube :Golem and Friends: Data, Security, Scaling 
and More..." (very interesting too and I am learning more...)

In the first part the presenter (I understand she is a major contributor to Qubes) 
says "I would not recommend using a windows OS - internet browsing"; this 
person has superior knowledge... 

My point of view is this : This lady (and probably all of you even reading my 
post) are (would be) one of the most secure windows user(s) on this planet ! 

Regarding to your future project, I am writing this to also tell you about my 
concerns that people who would NEED you the most, logically, would be the user 
with LESSER/ALMOST NO computer skills ...!  

I have a MintLinux server at home (forced to use this because of my limited 
knowledge and the "obnoxious" graphic card chipset of the old laptop that I 
transformed for my project).  (Home network : I have windows clients (for 
gamers), macOS client & now a new fedora-based client that I wanted to be a 
Qubes client but ...(2nd topic)) So, if I were to install Qubes on many systems, 
my first choice would be to install it for my friends and family members who do 
not have a clue what goes on at anything lower "than runlevel 5" (to be more 
accurate they know what they are seeing and that's almost it and nothing about 
what goes on "beyond the scene" as far as computers go)

2nd topic : My 48h experience with Qubes 3 + another 48h on Qubes 
4.0 rc2 on my personal laptop. First, I noticed the Qubes manager went away. Not 
a problem because I was able to master the command-line qvm-backup easily 
(without knowing everything) (but using a terminal is now considered "above 
average" skills by definition).  In fact, I had chosen Qubes for this laptop 
(the hardware had the capacity to handle the OS as far as virtualisation is 
concerned) and it seems perfect to read online and work on it. I felt my data 
(my own little projects) would be more secured.

Logic for dummies .. 
=> Logic : new laptops have touchscreens ...
=> Logic : Qubes designers chose not to support gnome => I understand it 
perfectly*.   However, considering that in the future most users will have 
touchscreens, they will want the OS/software to be able to use the hardware 
capacity they paid for (I think this is logical).  The users who would need your 
work the most will not be able to add touchscreen support to xfce-based Qubes 
(if it's not included). I know that I was not able to do this myself at first. 
(is it possible?)  I loved your fedora-based system (dnf as opposed to apt-get 
is not too difficult to adapt to). Therefore I decided to switch my client to 
the new fedora workstation gnome-shell.  I do not think supporting gnome (with 
all the implications that this has about reviewing internal security/reviewing 
codes => major hrs and, perhaps, many coffees for everyone) is "The Must Way to 
go" (I do not even think myself there should be any Must Way/One Way. Users 
should be as free as they can)

However, from a user (human) perspective, I needed to read about Qubes.  I 
wanted to read about your project.  I used to be able to use my touchscreen 
to read faster... and gosh I have needed to read a lot the past four days! Now, 
I am reading your documentation on fedora (with touchscreen support) and this 
is much easier for me.  I wish I could reinstall Qubes (xfce /w touchscreen 
support like my fedora 27 workstation) in 2018 :-)  At this point, I have 
switched to fedora also because Qubes 4 had nasty bug(s) involving not only 
the nm-applet but the whole sys-firewall vm /sys-net vm... Dummy perspective : 
One time, the nm-applet went away and I could not start the sys-firewall either 
( , Error starting VM: Cannot exeCute qrexec-daemon! in terminal :S ) 
Then after rebooting two times, my sys-net & sys-firewall were "fine" ..  Those 
problems are completely beyond my current skills .. I switched to fedora 27 but 
I will continue to closely follow your project/Qubes OS on facebook and read 
more about this project.

If this helps someone ... I think you are doing great work (users and 
developers) and please keep in mind those who would need you (your skills) the 
most are not even people like myself but users far more vulnerable (even less 
knowledge)... I understand this from my own field that sometimes people with 
superior skills take for granted (as do I) some of "our" knowledge and tend to 
forget "obvious" is not the same "obvious" for all users.  

P-S I have seen Qubes 4.0 rc3 today (I stopped with Qubes 4.0 rc2); it will be 
tempting for me in the future to see if you have solved those strange 
networking problems (rc2) occurring on my laptop ... Furthermore, I am thinking 
of creating usb keys with Qubes for my family members for xmas