Re: [qubes-users] X230 vs Purism - real world attack probability

2019-05-25 Thread taii...@gmx.com
On 05/21/2019 09:52 AM, scurge1tl wrote:
> I have a question related to the decision about what laptop is the
> better option for Qubes usage, from the security point of view, in the
> real world.
> 
> The question is related to the IME on Intel, PSP on AMD and other
> Hardware holes. I took these laptop examples to sample the differences
> somehow.
> 
> Pose the non-existent micro controllers updates, like in case of X230
> with IME disabled and corebooted, which doesn't but get these updates
> anymore, 

What updates? who told you that? What micro controllers?

> higher risk than only partial disabling of the IME by Purism
> which still but gets the micro controllers updates? Or is it a vice
> versa?
> 
> If I would like to have a strong security position, in case of the
> laptop Hardware with Qubes, and would decide in between the two, which
> variant will be more prone to the real world attacks? What attack
> vectors are available in both cases? For example, is one of the cases
> more resistant to the remote exploitation. Is one of the options
> forcing an attacker more to execute an attack with physical access
> than the other option?
> 

pur.company is junk, they are an incredibly dishonest company that sells
"coreboot open firmware librem" machines that have a hw init process
that is entirely performed via the Intel FSP binary blob.

The x230 is far more free than anything pur.company could sell you,
freeing intel fsp won't happen due to how difficult it would be without
documentation and how long it would take and it is both impossible and
illegal to free Intel ME.

Illegal? Yes - ME/PSP is a DRM mechanism and bypassing them is illegal
in the usa where they are based.

But since the 230 still has an ME a bit more nerfed than the purijunk you
should get a G505S which has no ME/PSP and is the most free laptop option.

Pur.junk = me kernel+init code run (not disabled), HW init 100% blobbed
- performed via Intel FSP
X230 = me init code runs (not disabled), HW init is open source
G505S = No ME/PSP, CPU/RAM hw init is open source, graphics/power mgmt
requires blob but IOMMU prevents them from messing with stuff. - the
most free

pur.company lies by claiming their ME is "disabled" when the kernel and
init code still run.


I don't want to say their name as they send someone out of the woodwork
to defend them and waste my time every time someone mentions them in a
negative light they go and start claiming that they are "doing their
best" - whereas various other much newer companies are actually selling
owner controlled libre firmware trustworthy general computing hardware
proving their claims of "doing our best" to be bullshit.

If you want more info see my other posts as I have made many of them re:
pur.company or laptop/desktop/workstation selections.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cbcead23-63af-c5b7-26c5-99ba40047341%40gmx.com.
For more options, visit https://groups.google.com/d/optout.



Re: [qubes-users] Re: off topic - invite codes to 'riseup'

2019-05-07 Thread taii...@gmx.com
I can't believe how many people these days think that:
* Elite staff (for maximum security) very expensive
* Lawyers (privacy focused right? well you gotta have those for that)
* Servers and electricity to run them
* Bandwidth

Are all free, and that thus the email should be free and that they
should be willing to go to federal prison for you all for free and that
somehow they can make money without selling your data.

Want good email? BUY IT! and ask questions of the provider before you do
such as do they use outside services, do they use any third party junk
like google analytics, googleapis etc.

Anything "privacy focused" is probably not very good since they are
simply riding on that marketing similar to how most organic snacks taste
like crap because they're just riding on organic whereas if you are in
the conventional food market you have to actually be good for people to
buy your stuff, no paid business grade email service is going to sell or
give away your data since no one would buy from them after that thus
they are all "privacy focused".

I hate the big tech companies that got people used to wanting "free"
stuff, I know folks who make over 100K/yr who would rather have their
data sold than pay $5/mo for professional paid email and it makes
absolutely no sense to me.

I wonder how many here have read the wiki page for riseup



Re: [qubes-users] Help with a good laptop!

2019-05-07 Thread taii...@gmx.com
Just get a T430 and replace the various you facing components like the
keyboard, armrest, cover etc so it looks new. This is guaranteed to work
and is easy to upgrade.

If you want you can later install coreboot/mecleaner

(I don't think he really wants to do coreboot etc and it's best not to
dry up the limited G505s availability for those who won't appreciate
what makes it special)

On 04/29/2019 05:44 PM, Chris Laprise wrote:
> Purism, System76 do sell Linux-specced laptops; for
> the brands that separate consumer/gaming/business like the first three,
> try to stick with business models.
I wouldn't recommend two of the most dishonest companies in the
computing business even dell looks ethical compared with them.



Re: [qubes-users] Re: How risky is GPU pass-through?

2019-04-27 Thread taii...@gmx.com
On 04/09/2019 08:53 AM, unman wrote:
> On Mon, Apr 08, 2019 at 02:32:04PM -0400, taii...@gmx.com wrote:
>> On 02/25/2019 04:02 PM, John Mitchell wrote:
>>> If I may ask what OS do you use for the host?
>>>
>>
>> Devuan, it is debian without systemd.
>>
>> I compile most of the related packages though like libvirtd, qemu etc
>> cause the ones from the distro are way too outdated to support what I
>> need.
>>
>> You should get a new non-gmail email btw.
>>
>
> Do you run Qubes?
Of course.

> On what hardware?
>
* Lenovo X220 with coreboot
* KCMA-D8 with Opteron 4284 cpu and coreboot-libre.

I have a bunch of computers so much that I need a server rack soon :D

On 04/10/2019 03:13 PM, jrsmi...@gmail.com wrote:
> To be concrete and transparent, the mobo with PS/2 is a Gigabyte X299
> Designare ex with four USB controllers and a header for a hardware TPM,
> which I’ve populated. The other mobo is an ASUS X299 Prime Deluxe II
> with no PS/2, five USB controllers and only supports a firmware TPM.
> Both are fantastic boards,

They are proprietary with ME and no libre firmware so I wouldn't put
them in the great board area.

> but one is going back. If isolating USB kb and mouse to one controller
> that dom0 has exclusive access to is actually more secure than native
> PS/2 then I would lean toward keeping the ASUS and do without TPM.
>

TPM's are proprietary black boxes and to my consideration pointless it
would be better to do your own code signing deal with coreboot and grub
signing your own kernels and having a write-locked flash chip load
grub which loads your signed kernels only, you would then lock the
computer case with a high security lock.

I also suggest using keyboard and pointing device without re-writable
firmware, to my knowledge only the (usa made!) Unicomp keyboards fit
that bill and they have ones with pointing devices both a trackball and
a laptop style trackpoint.

Anyone who thinks that chinese made and usa made electronics are equal
on a security footing is naive, china gets caught implanting backdoors
in hardware all the time whereas to my knowledge with US made hardware
that has never happened and here you can say no without getting put in
prison.

RaptorCS/RaptorEngineering was doing some cool work with an open foss us
made security product like a TPM called FlexVER if anyone is interested
in an alternative, no idea when it will be released though and it will
probably only work on the OpenPOWER stuff.



Re: [qubes-users] Help with hardware

2019-04-27 Thread taii...@gmx.com
On 04/27/2019 05:08 AM, 'mathab' via qubes-users wrote:
> Also I am considering buying a laptop is there any laptop that is under 300 
> euro (can be used) that will run this os?
> Where I live there is a lot of used thinkpads.

I would get a g505s or a T430 (and install a T420 keyboard if you hate
the island/chiclet style kb)

Both can run coreboot but the g505s has no me/psp and is owner
controlled whereas the T430 has ME. (note: coreboot doesn't always mean
freedom/open source firmware)



Re: [qubes-users] GPU vs NIC: firmware security

2019-04-27 Thread taii...@gmx.com
On 04/15/2019 12:28 AM, demioben...@gmail.com wrote:
> My laptop (Lenovo P51) works fantastically with QubesOS.
>
> It has two GPUs: Intel integrated graphics and a discrete NVIDIA card.  For 
> gaming, I am interested in pass-through of one (NOT both) to a VM.

Impossible.

Optimus works via muxing the dGPU signal through the iGPU which results
in you being able to do the same muxing with an eGPU if you have one set up
and only an iGPU etc.

>
> I believe that the integrated graphics controls the internal monitor, and 
> that all external monitors are connected to the dedicated graphics card.  Can 
> someone confirm this, and can this be changed?
>
> I will not give another VM control of my primary display, for obvious 
> reasons.  I also consider the VM that I would like to give GPU access to to 
> be highly untrustworthy and potentially compromised, since it will be running 
> untrustworthy games.  My current plan is to give the gaming VM access to one 
> monitor, while I use the other monitor for normal operation of QubesOS.
>
> My main questions are:
>
> * How feasible are firmware attacks on the graphics card,

Very Expert level, it is not easy to do and still have it be a graphics
card.

You probably don't have anything that valuable to steal or hack.

I have only heard of hacked nics, serial cards etc more simple stuff not
gpus.

Messing around with the option rom is a lot easier though but you can set
the VMM to not pass that memory region so afaik it can't be flashed.

> if I choose the NVIDIA card?  I trust that the IOMMU will keep me safe from a 
> compromised card.

Not on a system with black boxes and proprietary firmware, for DRM
reasons the iGPU and dGPU are tightly linked to the ME - and the ME is
not subject to IOMMU controls.

All new x86 stuff is not owner controlled thus one's libre-IOMMU options
are limited to some older x86 stuff in the narrow window between IOMMU
becoming available and AMD closing up their firmware or OpenPOWER (like
blackbird/talos) etc although there aren't many POWER games right now
unfortunately so it is a workstation/server platform.

> but only if the compromise does not persist across reboots.  In the case of
> the integrated graphics, the GPU has no persistent storage, but I am nervous
> about possible compromise of the internal display, which would be fatal. For
> the dedicated graphics, I am worried that the graphics card’s firmware could
> be overwritten.  Is this possible without PCI configuration space access?
>
> Finally, can NVIDIA cards work with PCI pass-through?

Yeah but it's way more difficult and finicky than with AMD.

Laptop gaming sucks anyway just pick up a KCMA-D8, Opteron 4386
(microcode update req otherwise 4284), 32GB RAM and a RX590 8GB then
install coreboot-libre and play games at max settings.

This is a very affordable libre firmware gaming setup that can play
games in a VM at max at 1080p with smooth FPS as long as they can use
all 8 cores which almost everything new can, ironically new stuff like
GTA5 runs better than old stuff and it uses all 8 cores at max.

Since you would have more PCI-e slots to spare you can also pop in
another single slot GPU for your primary desktop since the onboard sucks.

The D8 has dual onboard usb controllers and can be obtained for $50-100
on fleabay used, the 4386 is the best C32 CPU and is $50-100 as well.

You also need an at least 3U (pref 4U) tower cooler for it let me know
if you can't find one and I can help (some Socket F coolers are compatible)



Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?

2019-04-08 Thread taii...@gmx.com
I have stated this many times before.

The PS/2 thing is from 2011 which is 8 years ago and applies to systems
without more than one USB controller.

Using PS/2 sends your keystrokes out on the ground wire.

It is far better to purchase a motherboard with a second USB controller
with separate IOMMU groups or a PCI-e supporting USB card with one
controller per port and an ACS PCI-e switch to tie them together, of
course all must have libre firmware and preferably made somewhere
trustworthy.

I would only trust hardware Made in USA or Switzerland since both are
the only places in the world right now where you can say no to a demand
to put a backdoor in your product and have nothing come of it. (Here's to
hoping for Xen/Qubes on OpenPOWER for usa made computing) Unfortunately
recent cases have proven the EU majority no longer has freedom of speech
(such as the man who went to jail for criticizing a certain foreign
leader in germany) and code is speech, hdls are speech and freedom of
speech means freedom to be silent (and thus not code a backdoor)

Ideally you would have 4 IOMMU separate usb controllers total.

USB controllers:
dom0/sys-usb-keyboard (you enter your passwords and then it gets
assigned to sys-usb-inputs later which is for your keyboard and mouse)
sys-usb-mouse (off at boot - since I know of no secure mice it should be
separate)
sys-usb-trusted-stuff (off at boot, assigned to sys-usb later) your
flash drives
sys-usb-untrusted-stuff (off at boot, assigned to sys-usb later) other
peoples flash drives

I use a PCL/PS network printer so I don't need a 5th for that.

In terms of USB devices you want stuff without re-writable firmware
which many keyboards have and AFAIK the only OEM that attests to its
products security and lack of re-writable firmware is Unicomp (and of
course the original Model M's can't be re-written either)

The most secure input device is the USB Unicomp Model M pointer which is
a made in usa mechanical keyboard with a laptop style mouse nub in the
middle of the keyboard and two mouse buttons - unicomp makes the rare
high quality keyboard that will never break and never need replacing due
to wear.
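
The controller layout in this post only holds if each USB controller sits in its own IOMMU group. As an added example (not part of the original post), this Python script reads the Linux sysfs IOMMU group tree and reports which USB controllers share a group with another device. It assumes a plain Linux boot with the IOMMU enabled (not Qubes dom0, where Xen rather than Linux owns the IOMMU); `SAMPLE_TREE` and `build_sample_tree` are constructed test data, and ignoring bridges in a group is a simplifying assumption.

```python
"""Report which USB host controllers sit alone in their IOMMU group."""
import tempfile
from pathlib import Path

USB_CLASS = "0x0c03"   # PCI class 0x0c (serial bus), subclass 0x03 (USB controller)
BRIDGE_CLASS = "0x06"  # PCI class 0x06 (bridges); assumption: not counted as neighbours

# Constructed sample layout: {iommu_group: {pci_address: class_code}}
SAMPLE_TREE = {
    "3": {"0000:00:14.0": "0x0c0330"},                              # xHCI alone
    "7": {"0000:00:1a.0": "0x0c0320", "0000:00:1b.0": "0x040300"},  # EHCI + audio
    "9": {"0000:02:00.0": "0x060400", "0000:03:00.0": "0x0c0330"},  # bridge + add-in xHCI
    "11": {"0000:04:00.0": "0x0c0330", "0000:04:00.1": "0x0c0330"},  # two functions, one group
}


def build_sample_tree(root):
    """Write SAMPLE_TREE to disk in the same shape as /sys/kernel/iommu_groups."""
    for group, devices in SAMPLE_TREE.items():
        for addr, cls in devices.items():
            dev = Path(root) / group / "devices" / addr
            dev.mkdir(parents=True)
            (dev / "class").write_text(cls + "\n")


def read_iommu_groups(root="/sys/kernel/iommu_groups"):
    """Return {group_id: {pci_address: class_code}}; empty if the IOMMU is off."""
    groups = {}
    root = Path(root)
    if not root.is_dir():
        return groups
    for group_dir in root.iterdir():
        dev_dir = group_dir / "devices"
        if not dev_dir.is_dir():
            continue
        devices = {}
        for dev in dev_dir.iterdir():
            class_file = dev / "class"
            # A device whose class cannot be read is kept and treated as a neighbour.
            devices[dev.name] = (class_file.read_text().strip().lower()
                                 if class_file.is_file() else "unknown")
        groups[group_dir.name] = devices
    return groups


def usb_isolation_report(groups):
    """Map each USB controller to the non-bridge devices sharing its group."""
    report = {}
    for group_id, devices in groups.items():
        for addr, cls in devices.items():
            if not cls.startswith(USB_CLASS):
                continue
            neighbours = sorted(a for a, c in devices.items()
                                if a != addr and not c.startswith(BRIDGE_CLASS))
            report[addr] = {"group": group_id, "shares_with": neighbours}
    return report


def isolated_controllers(report):
    """USB controllers that can be assigned to a VM without dragging others along."""
    return sorted(a for a, info in report.items() if not info["shares_with"])


def describe(report, wanted=4):
    """Human-readable summary; `wanted` is the controller count the post asks for."""
    lines = []
    for addr in sorted(report):
        info = report[addr]
        state = ("isolated" if not info["shares_with"]
                 else "shares group with " + ", ".join(info["shares_with"]))
        lines.append(f"{addr}  group {info['group']:>3}  {state}")
    have = len(isolated_controllers(report))
    lines.append(f"{have} isolated USB controller(s), {wanted} wanted")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_iommu_groups()
    if live:
        print(describe(usb_isolation_report(live)))
    else:
        # No groups on this machine (IOMMU off or not Linux-managed): show the sample.
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            print(describe(usb_isolation_report(read_iommu_groups(tmp))))
```
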



Re: [qubes-users] Re: How risky is GPU pass-through?

2019-04-08 Thread taii...@gmx.com
On 02/25/2019 04:02 PM, John Mitchell wrote:
> If I may ask what OS do you use for the host?
>

Devuan, it is debian without systemd.

I compile most of the related packages though like libvirtd, qemu etc
cause the ones from the distro are way too outdated to support what I need.

You should get a new non-gmail email btw.



Re: [qubes-users] Responding to the Whonix trolls...

2019-04-08 Thread taii...@gmx.com
On 03/01/2019 09:21 PM, unman wrote:
> On Fri, Mar 01, 2019 at 07:27:08PM +, Achim Patzner wrote:
>> On 28.02.2019 15:10:21, "unman"  wrote:
>>
>>
>>> On Thu, Feb 28, 2019 at 11:03:12AM +0100, Achim Patzner wrote:
>>>> On 20190227 at 22:30 -0800 cooloutac wrote:
>>>>
>>>> Whenever I accidentally read a posting by raahelps@ I'm wondering what
>>>> crime we committed to have to bear something like this and what could
>>>> be done to avoid attracting people like that...
>>>>
>>>> Do us all a favour and go troll somewhere else
>>> I don't think this is helpful
>>
>> I guess I'm of a different opinion in that case. Sometimes someone has to
>> speak up and draw a line in the sand.
>
> All you are doing is perpetuating the problem.
>
>>
>>> Please consider the guidelines and be respectful and polite to others.
>>
>> Unlike others I strongly believe that respect has to be earned and it can be
>> retracted. The user in question spent nearly all his time on this mailing
>> list. And _none_ of his postings ever enriched any discussion.
>
> I don't agree. I have my own problems with that user, but he has in the
> past provided help on the list, and will do in the future.

His "help" is always terrible and potentially dangerous for people whose
security is a life and death matter such as journalists in a third world
country and when someone provides constructive criticism he freaks out
and sends them 5 replies.

I hate elitist places that are almost dead because they wish to exclude
people but you gotta have standards.

On 03/03/2019 04:01 AM, cooloutac wrote:
> It's not very different than fascism, in particular the Gestapo,
Yay godwins law.

If it really was like that you'd be on the train to siberia by now.



Re: [qubes-users] Could Qubes Installation Configuration Be More User Friendly?

2019-04-08 Thread taii...@gmx.com
On 03/05/2019 03:22 PM, cooloutac wrote:
> I agree with Chris it's more a compatibility issue than an installation issue.
>
> You really have to research the machine on linux before using it in Qubes.  
> And have to make sure the bios has the necessary options before purchase,  
> which is one of the things Qubes docs suggest doing.

This won't do anything since there are many BIOS that provide an "IOMMU"
option that doesn't work for various reasons, I myself have some of
these boards.

The best choice is to purchase something that has open source firmware
and that is owner controlled so that any issues can be fixed.

>
> And disable security features to make a system compatible might defeat the 
> purpose of using Qubes.
>
> What model laptop do you have that you can't disable the nvidia gpu?  You 
> sure it has an onboard one to use in its place?

Many do not provide this option especially the ones per-officially
supported dual GPU like optimus and the AMD equivalent.



Re: [qubes-users] i9-9980XE or i9-7980XE on Gigabyte X299 DESIGNARE EX or AMD 2990WX TR on Gigabyte X399 DESIGNARE EX?

2019-04-08 Thread taii...@gmx.com
On 03/15/2019 07:11 PM, jrsmi...@gmail.com wrote:
> There's nothing even close to these on the HCL, but would like to know if 
> anyone has attempted either of these with 4.0.1 and succeeded.  These are 
> essentially the same base hardware as given in the BoM for the recently 
> announced System76 Thelio Major open source hardware desktop systems.
>

System76 is lying/a scam there is no such thing as a new x86 system that
is "open source hardware" it is simply impossible due to ME, FSP,
hardware code signing enforcement etc and the lack of documentation. Not
to mention their lies about "made in usa" which is impossible since
there are no american made x86 cpus, motherboards, components etc. They
made a metal case in the us and claimed it as a great accomplishment as
if a computer is a metal case and nothing else.

If you want an american made computer with open source computer you buy
OpenPOWER from raptorcs - they are the only honest company out there the
rest are lying but for some reason they get zero publicity but the tech
media loves the hipster pur.idiots and shitstem76.



Re: [qubes-users] coreboot on modern hardware?

2019-04-08 Thread taii...@gmx.com
System seventysuck, pur.idiots etc are LYING about having "open source
firmware"

System seventysuck also lies about having "made in usa" hardware
literally all they did was make a metal case here and somehow a metal
box equals a computer in their world.

Their "coreboot" is nothing more than a wrapper layer for Intel FSP
binary blobs, it doesn't init any hardware and just like their "made in
usa" claims is entirely bullshit.

New AMD hardware has PSP which is their version of ME and just as terrible.

New x86 hardware will NEVER be free since intel/amd not only refuse to
provide documentation and sources but also lock down their systems more
and more with ME, boot "guard", "secure" boot etc.


If you want owner controlled open source firmware hardware buy an
OpenPOWER system from RaptorCS like the Blackbird or TALOS 2 both of
which provide better performance and features than enterprise x86
systems you would get for the same price.

Someday there will even be AAA games on POWER just like people said that
there would never be DRM free AAA linux games and now there are many, as
of now there are a few meh open source 3D games and the unreal tech demo
but gaming is the only thing you sacrifice and you can always have an
older pre-PSP AMD owner controlled system for that like I do.



Re: [qubes-users] Re: How risky is GPU pass-through?

2019-02-25 Thread taii...@gmx.com
One of the reasons I hate the qubes mailinglist is because of the large
amount of people here who claim to be experts while being absolutely
clueless.

I max out new games in a VM on my libre firmware piledriver opteron
IOMMU-GFX setup.

I would say the performance is almost native and that I don't have any
complaints in regards to FPS.

I can also run other VM's on another NUMA node or on another CPU without
noticing.


BUT WAIT! Because some new guy with an annoying and weird name hasn't
seen it done himself I must be lying and so is red hat - we are part of
the vm gaming conspiracy trying to entice mere mortals in to buying
expensive enterprise grade hardware for no reason!



Re: [qubes-users] g505s BIOS settings for installing 4.0.1

2019-02-25 Thread taii...@gmx.com
On 01/10/2019 10:27 AM, cyber.citi...@tutanota.com wrote:
> Hello everyone,
> 
> I'd like to install Qubes 4.0.1 on a g505s, but the installation routine is 
> telling me that IOMMU/Vt-d/AMD-Vi, and Interrupt Remapping are not available. 
> I've tried every possible combination of BIOS settings I can imagine (such as 
> enabling SVM support and toggling between Legacy boot and UEFI boot), but 
> nothing is working. I've seen a lot of posts on this discussion forum saying 
> that the g505s is compatible with Qubes 4.0, so I'm confused. Might someone 
> toss me a clue?
> 
> Thank you.
> 

You need to install coreboot and MAKE SURE that you have included the
microcode updates otherwise it won't work and you will have no security.

The issue is a lack of microcode updates without them IOMMU won't work,
this has been posted many times before FYI.



Re: [qubes-users] why mail-list?

2019-02-25 Thread taii...@gmx.com
If you are not smart enough to use a mailinglist you are not smart
enough to use linux.

Catering to the lowest common denominator is an impossible task that
shouldn't be tried as it always comes at the expense of everyone else.

ML's are the most secure and best method of communication even better if
they aren't hosted by the evil spyware google.

I provide many of the answers here and I refuse to use reddit or
anything else that requires javascript or what not - reddit also engages
in censorship and the owners stealth-edit the posts of others and
endorse politically motivated moderation tactics. Yet another "used to
be cool" type of place now played out and all the original users have
migrated to other places like voat where speech is still free.



Re: [qubes-users] Re: Best ideal laptop for Qubes?

2019-02-25 Thread taii...@gmx.com
Get a G505S and install coreboot.

no me/psp, 16gb ram max, open cpu/ram init etc. good choice.



Re: [qubes-users] HCL - Purism Librem 15 v4

2019-02-25 Thread taii...@gmx.com
Nice ad.

When will you guys finally admit that you aren't selling owner
controlled computers and change the name "librem" since they aren't at
all libre?



Re: [qubes-users] Qubes with newer hardware and error messages still safe enough?

2018-12-14 Thread taii...@gmx.com
On 12/14/2018 03:42 PM, Achim Patzner wrote:
> On 20181213 at 19:20 -0800 Sphere wrote:
>> If only I could establish my own CPU production company I would definitely 
>> support libre hardware/libreboot/coreboot and such but sadly we are in a 
>> world with high demands to processing and stuff and due to how there is 
>> hardly any support for libre hardware, the processing needs are hardly 
>> filled out and even more so with limited budget.
> 
> You could have bought a Power 9-based board and (4-core/16-thread) CPU
> for less than $1000 a few weeks ago.

Yeah they're made in usa, fully owner controlled and the raptorcs
OpenPOWER9 boards like the TALOS 2 and Blackbird have real open source
firmware with open hw init directly from the factory.
The prices are pretty good vs non-free intel/amd server hardware in the
same performance/feature class

OpenPOWER is now the only owner controlled performance cpu arch.

Note that qubes/xen doesn't currently run on it but you can use
POWER-KVM/POWER-IOMMU/POWER-IOMMU-GFX virt in the meantime.



Re: [qubes-users] Qubes with newer hardware and error messages still safe enough?

2018-12-13 Thread taii...@gmx.com
On 12/12/2018 09:11 PM, Sphere wrote:
> On Thursday, December 13, 2018 at 9:59:27 AM UTC+8, tai...@gmx.com wrote:
>> On 12/12/2018 03:56 PM wrote:
>>> New to Qubes with basic Linux knowledge i installed successfully a desktop
>>> system with following configuration:
>>>
>>> Qubes 4.0, CPU Ryzen 5 2400G, MB ASRock B450 Pro4, GPU Radeon R7 370, 32 GB 
>>> RAM
>>>
>>> I can update templates and install appvms without issues. Everything works.
>>>
>>> My question is now: On Boot screen i get some error messages (see following 
>>> screen). Possibly there is a lack of safety i can not estimate. Everything 
>>> works but under the surface i did not know if it is as safe as it should 
>>> be. Are there some basic tests which should be made? Or is it enough when 
>>> the system works?
>>>
>>
>> Well you are stuck with a system that has a very obvious frontdoor
>> backdoor called AMD PSP platform "security" processor (as in security
>> from you) that prevents you from doing as you please with the system
>> firmware hence it is not really your computer.
>>
>> If you want one that is owner controlled and has free (as in freedom)
>> open source firmware I have written many walls of text on this subject
>> so just use a non-google search engine to find my previous posts.
>>
>> You also are using gmail which is really bad if you care about not being
>> put out of work or murdered by a robot - your emails and re-captcha
>> solves are fed in to a massive database that helps Google's AI research
>> including killer robots like project maven and also of course sold to
>> advertisers and anyone else who can pay.
>>
>> I do not load images from random people if you want help you have to
>> send text only.
> 
> How about give us keywords to help us search this and have it at the first 
> search result?

KGPE-D16 KCMA-D8 g505s coreboot - your keywords :D

Just search my email address and look at what I post on threads asking
for board recommendations

> 
> As for stefanne's inquiry, here are my thoughts:
> It's usually normal to see error messages on start of a linux system cause 
> consumer motherboards production processes still have no proper arrangement 
> to fully support Linux operating systems much to our dismay.
> To check the level of your safety, I recommend you produce one of these and 
> see the results:
> https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports
> 
> If it's a yes on HVM, IOMMU, and SLAT then that means your hardware works 
> very well on Qubes. To further increase security, I recommend you to turn off 
> SMT (Simultaneous Multi-threading) as recently there's been a high surge of 
> vulnerabilities involving multi-threading/hyperthreading and will probably 
> haunt us for years to come.

Nah that only applies to intel's HT and he has an AMD system.

> 
> Additionally, if you have an entry of IOMMU=no
> Go search around your BIOS setup for an option like AMD-Vi or IOMMU and set 
> that to enabled.
> Produce another report to check and see if the entry changes to IOMMU=yes
> IOMMU is essential because it protects you from a lot of complex attacks like
> Direct Memory Access (DMA) attacks.
> 
> Lastly, check for updates everyday and never neglect them for maximum 
> security!
> After all this, you may want to configure a VPN.
> 
> As for the Platform Security Processor, well it's an option for people 
> whether or not they would go with it.

It is not an option - it can't be disabled!

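The HCL check recommended in the quoted reply above, sketched as an added example (not code from any poster or from the Qubes project): it parses a report in the key/indented-value layout that `qubes-hcl-report` writes and lists which of HVM, IOMMU and SLAT do not read `yes`. The sample report and the hint texts are constructed for illustration, and the field layout is an assumption based on published HCL reports.

```python
import re

# Constructed sample, not a real machine. Layout assumed to match the .yml
# that qubes-hcl-report writes: key on one line, value indented beneath it.
SAMPLE_REPORT = """\
---
layout:
  'hcl'
type:
  'desktop'
hvm:
  'yes'
iommu:
  'no'
slat:
  'yes'
tpm:
  'unknown'
brand: |
  ExampleVendor
model: |
  Example Board
"""

# The three fields the reply above says to check; the hints are added here.
REQUIRED = {
    "hvm": "CPU virtualization extensions not reported; check firmware setup",
    "iommu": "look for an AMD-Vi / IOMMU option in firmware setup, enable it, "
             "then generate another report",
    "slat": "second-level address translation not reported; depends on the CPU",
}

KEY_LINE = re.compile(r"^([A-Za-z0-9_]+):\s*(.*)$")


def parse_hcl(text):
    """Return {field: value} for the top-level keys of an HCL report."""
    fields, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "---":
            continue
        match = KEY_LINE.match(raw)
        if match:
            key, inline = match.group(1), match.group(2).strip()
            # "key: |" and a bare "key:" both mean the value follows, indented.
            fields[key] = "" if inline in ("", "|") else inline.strip("'\"")
        elif key is not None and raw[0].isspace():
            value = raw.strip().strip("'\"")
            fields[key] = (fields[key] + " " + value).strip()
        else:
            key = None  # list items and other structure are ignored
    return fields


def assess(fields):
    """List (field, reported_value, hint) for each required field that is not 'yes'."""
    findings = []
    for name, hint in REQUIRED.items():
        value = (fields.get(name) or "missing").lower()
        if value != "yes":
            findings.append((name, value, hint))
    return findings


if __name__ == "__main__":
    report = parse_hcl(SAMPLE_REPORT)
    problems = assess(report)
    for name, value, hint in problems:
        print(f"{name.upper()}={value}: {hint}")
    if not problems:
        print("HVM, IOMMU and SLAT all report yes")
```

A field that is absent from the report is treated the same as one that reads `no`, so a truncated or hand-edited report does not pass by omission.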


Re: [qubes-users] Qubes with newer hardware and error messages still safe enough?

2018-12-12 Thread taii...@gmx.com
On 12/12/2018 03:56 PM, stefanneuhaus2...@gmail.com wrote:
> New to Qubes with basic Linux knowledge i installed successfully a desktop
> system with following configuration:
> 
> Qubes 4.0, CPU Ryzen 5 2400G, MB ASRock B450 Pro4, GPU Radeon R7 370, 32 GB 
> RAM
> 
> I can update templates and install appvms without issues. Everything works.
> 
> My question is now: On Boot screen i get some error messages (see following 
> screen). Possibly there is a lack of safety i can not estimate. Everything 
> works but under the surface i did not know if it is as safe as it should be. 
> Are there some basic tests which should be made? Or is it enough when the 
> system works?
> 

Well you are stuck with a system that has a very obvious frontdoor
backdoor called AMD PSP platform "security" processor (as in security
from you) that prevents you from doing as you please with the system
firmware hence it is not really your computer.

If you want one that is owner controlled and has free (as in freedom)
open source firmware I have written many walls of text on this subject
so just use a non-google search engine to find my previous posts.

You also are using gmail which is really bad if you care about not being
put out of work or murdered by a robot - your emails and re-captcha
solves are fed in to a massive database that helps Google's AI research
including killer robots like project maven and also of course sold to
advertisers and anyone else who can pay.

I do not load images from random people if you want help you have to
send text only.



Re: [qubes-users] How many gigabytes of memory is required for G505s?

2018-12-06 Thread taii...@gmx.com
On 12/05/2018 06:19 PM, '我' via qubes-users wrote:
> Hello.
> 
> When reading this list I thought G505s A10 is the best laptop for Qubes.
> So I'd like to purchase it, but I am wondering how many memory to put in.
> 
> Could you give me some advice?
> 

2x8GB DDR3 1600mhz SODIMM's so 16GB

and yes it is the best - remember to install coreboot with microcode
updates btw (check binary only repo + generate microcode from tree)



Re: [qubes-users] Possible to fix? Qubes (4.0 and earlier) freezes on sleep on a System76 Oryx Pro laptop

2018-12-02 Thread taii...@gmx.com
On 12/01/2018 08:16 PM, Chris Laprise wrote:
> On 12/01/2018 05:52 PM, Bryan Beus wrote:
>> There's good news. It appears to be a brightness display problem only.
>>
>> First thing I tried was to leave a youtube video playing before suspend.
>>
>> When I awoke, the screen remained dark, but the youtube video resumed
>> playing.
>>
>> Just need to figure out how to get the brightness back.
>>
>> This runs on an Nvidia 1080 GPU. I wonder if installing the proprietary
>> driver would help.
>>
> 
> Your laptop probably also has integrated Intel graphics. The simplest
> solution may be to disable the Nvidia in BIOS so the system uses the
> integrated GPU instead. Nvidia hardware is not well supported.
> 
> If you're wondering whether this makes any performance difference, for
> Qubes the answer would be 'no'.
> 

I have integrated graphics on my x220 and have the same issue disabling
"Power management enabled" fixes it but then I don't get a
screensaver/lock screen. If it is on then the screen stays off upon
resuming from S3.

:<

Ideas?



Re: [qubes-users] Anyone bought a Dell laptop recently that works with V4

2018-11-29 Thread taii...@gmx.com
IMO buy a W520 and install a quad core ivy bridge CPU - 32GB RAM and you
can use open source and open cpu/ram hw init coreboot[1] firmware and
also me cleaner to nerf the ME. (disabling ME is impossible)

It is easy to find components to refurb it yourself with a new
battery/keyboard/palmrest/lid etc for not much money.

Don't buy new blobbed junk, all new x86 stuff can't ever be made owner
controlled hence it isn't really your computer.

[1] Coreboot is not always open source firmware - a certain company
dishonestly peddles "open source coreboot firmware" laptops where the
hardware init process is entirely performed via binary blobs and
coreboot is just a wrapper layer.



Re: [qubes-users] Razor Blade 15

2018-11-26 Thread taii...@gmx.com
On 11/02/2018 05:58 AM, claudas...@gmail.com wrote:
> Has anyone sampled the new super machine razor blade 15 with qubes 4.0?
> What were your barriers? can you get close to getting full use out of the 
> laptop with qubes?
> 
> I have already checked the hardware-compatability list and there's no input 
> yet. So chancing it here =)
> 
> Thanks
> 

I wouldn't buy a machine stuck with ME and proprietary firmware, get a
g505s instead (no me/psp, open cpu/ram init via coreboot) or a W520
(open cpu/ram init, can nerf the ME via mecleaner - note ME/PSP can
never be disabled on a modern PC no matter what)



Re: [qubes-users] Manjaro Spitfire laptop with Qubes 4.x?

2018-11-26 Thread taii...@gmx.com
On 11/11/2018 09:19 PM, Stumpy wrote:
> On 11/11/18 9:15 PM, 22...@tutamail.com wrote:
>> Interesting and very cool Euro laptop! Seems intriguing but I could
>> not find some of the questions I was wondering:
>>
>> 1) Are the BIOS proprietary? Same as Librem..

>> 2) Has the manufacturer said it is compatible with Qubes? Seems they
>> would want to test this themselves.
>>
>> Have you reached out to them? Was tempted to do it myself...
>>
> good questions, but:
> 1) Dont know, but good question.
> 2) Didnt reach out, but they had a bunch of different distros as an
> option to install, including fedora and debian if I remember correctly
> (though I am sure not Qubes nor xen).
> 
> While I am not holding my breath on the BIOS, I am happy enough that at
> least some computers (purism and sy76) are inching their way towards
> non-prop firmware.

What they state they will do is impossible and they are setting the
freedom computing movement back by years by brainwashing people in to
thinking that modern x86 hardware can be free.

They could have made an OpenPOWER laptop that is actually owner
controlled and libre from the factory but they simply refuse to do
anything like that.

Doesn't anyone find it odd how the tech media loves those two to the
point where they issue glorified press releases but never covers their
honest competitors? Seriously those so called journalists do zero
research on their claims of things like "disabled me" "open source
firmware" and "made in usa" both of which are not at all true.



Re: [qubes-users] Gaming on Qubes 4.0

2018-11-26 Thread taii...@gmx.com
On 11/19/2018 04:16 AM, Black Beard wrote:
> 
> Hey guys,
> 
> i updated all of my Domains and bought Crossover Linux. This Software i 
> installed on my Fedora 29 Domain. 
> 
> An example
> 
> I wanted buy a game yesterday via bank transfer and I automatically forwarded 
> to the appropriate page. 
> 
> Unfortunately, I can not see the opened page properly and therefore can't do
> anything. Only if I click chaotically on it, i see that there is content.
> 
> Is it even possible to game on the domain, or would I have to install a 
> separate HVM or similar?

Look up vfio/xen gaming.

It is possible but maybe difficult or impossible depending on your
hardware...which is?

> 
> About messages i happy.
> 
> regards and thx in advance
> 



Re: [qubes-users] Thinkpad T400s RYF

2018-11-26 Thread taii...@gmx.com
On 11/13/2018 05:43 AM, qubes-...@tutanota.com wrote:
> Ouch, bad news :-( Basically I have only two options then: run reasonably
> secure QubesOS on a flawed-by-design-HW, or use RYF HW with not so secure OS. 
> I am not maximalist, but you know, one doesn't go on boat that has holes in 
> it, even he has nicely and safely packed cookies on board.
> 
> Or is there any other RYF laptop which could run QubesOS? Sad days, these 
> days.
> 

pre-sandy/ivybridge intel stuff IOMMU doesn't work on coreboot and would
be almost pointless anyways as it is a very poor implementation security
wise.

I would get a G505s (AMD FT3 platform w/o ME/PSP), it isn't RYF but it
is owner controlled and the video and power management blobs can
theoretically be removed and as the cpu/ram hw init code is foss via
coreboot agesa the IOMMU would theoretically protect you from issues. It
is currently the best choice with the second best being the various
sandy/ivybridge laptops that run coreboot with open cpu/ram init and a
nerfed ME via mecleaner (disabling ME is impossible).

I have gotten like 10+ people to buy them so there is a nice little
community of people to help you with the process including myself if you
run in to any issues.

The main issue that people have is forgetting to properly enable
microcode updates which is required on almost every x86 device.

Installing coreboot isn't that difficult and someone with the aptitude
to use linux can surely pull it off you just need a screwdriver, a USB
CH341A flasher and a SOIC-8 tester clip so like $20 of stuff to do it.

In terms of workstation hardware for qubes there are many more choices
than laptops though and one can really have 100% such as
KGPE-D16/KCMA-D8 etc libreboot/openbmc compatible boards and of course
for non-qubes virt with kvm-qemu there is OpenPOWER.

awokd: Let us not use intel's marketing terms - Qubes requires IOMMU >:D



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-26 Thread taii...@gmx.com
On 11/17/2018 02:23 AM, 799 wrote:
> Hello,
> 
> On Sat., 17 Nov. 2018, 02:50, taii...@gmx.com wrote:
> 
>> [...]
>> ME/PSP is impossible to disable on modern x86 anyone who tries is
>> wasting money and setting back the freedom computing movement but the
>> pur.idiots seem to not really care about that anyways.
>>
> 
> So do you think it is better for the freedom computing movement if my
> neighbour who is not an "IT guy" buys a Windows 10 surface book or a
> MacBook instead of a Purism Laptop?

I think it is better to not support dishonest companies period.

> Maybe he wants to choose exactly between this laptops because he don't want
> to buy old hardware (which is exactly the freedom he should have).
> 
> 
> If not, I'm sure you know a few me modules more or less is completely
>> irrelevant from a security point of view.

It is relevant.

Don't take offense but if you lack understanding of how firmware does
hardware initiation you should not be talking about this.

C2Q era: can really disable the ME, no code/blobs, doesn't load at all.
ivy/sandybridge core era: ME can be nerfed to

> 
> 
> Why is this irrelevant? Is it also irrelevant to run Coreboot?
> 
> Also, i wasn't able to find a statement of Purism about the fact that, in
>> the beginning, they claimed the ME was "completely disabled and removed". I
>> mean, that was > obviously not true right?

They say "disabled ME" everywhere and it is in many news articles just
like system76's "made in usa" computer where only the case is made here
as if it is an accomplishment to make a metal box in america - note that
other companies do in fact sell motherboards/cpus that are made here
like raptorcs (openpower cpus are made in fishkill ny and the board is
made in texas) although I bet even they probably still would not make
the legal standard and they should note that some components are
imported (although at least the cpu is from here it is the most
important part)

>>
> 
> Which quote on the website are you arguing against 

"open source coreboot firmware" "librem" "disabled me" so on and so on
not to mention "our pureos libre distro" but it is just a debian clone
and it still has binary blobs.

> and have you asked them
> in a nice way to change it so that users are more informed that Intel ME
> can't be fully disabled?

I have.

They still refuse to be honest and up front.

> What was the answer from Purism?

That they think their marketing is fine and won't be changing anything.

> 
>>
> They do claim that it is "disabled" which it is not and they also claim
>> they have "open source coreboot firmware" which they don't since the hw
>> init process is entirely blobbed making coreboot nothing more than a
>> simple wrapper layer.
>>
> 
> I don't know enough about the coreboot details, basically the coreboot
> Purism is using is less (reasonable) secure than the coreboot installation
> we are running on X2xx, T4xx etc.?

It is much less secure since it is not open source.

> What is the difference? I am really interested.

10 years ago coreboot meant open source firmware but now new hardware
has its hardware initiated via binary blobs as intel/amd don't release
code or documentation required to make code

coreboot/intel fsp is an 10%/90% work situation.

Pretty much purisms "coreboot" is just a wrapper layer (it does no
actual hw init) for the intel fsp binary blob that does all the work of
initiating the hardware.

Let me know if you have any more questions.
> 
> but advertising hardware which runs almost entirely on closed source
>> software (certainly, all the important parts do), that just sound highly
>> dishonest in my ears
>>
> 
> Do you really think that the biggest attack vector is the not fully
> disabled Intel Me stuff/Blobs?

There is plenty of time for dirty tricks in Intel FSP plus the not
actually disabled ME (Mask ROM, plus the Bup/kernel layer)

The kernel, mask roms and the hw init blob still runs hence me is not
disabled.

> In this case it wouldn't make a difference if users run Windows on top of
> Purism hardware.

No it would, obviously running windows is an *up front* security issue
rather than simply theoretical backdoors intentional or otherwise in
intel firmware which is what we are talking about.

> Hardly to believe.
> 
> Puridiots pretend as though making a modern, fast and affordable owner
>> controlled libre computer simply can't be done which isn't true and
>> various companies do it (raptor computing systems, various riscv
>> sellers, bunnylabs etc)
>>
> 
> Will those computers hav

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-26 Thread taii...@gmx.com
On 11/17/2018 02:06 AM, 799 wrote:
> Hello Taiidan,
>
> On Sat., 17 Nov. 2018, 03:21, taii...@gmx.com wrote:
>
>> [...]
>> I am the counterpart to you guys somehow getting the tech media to
>> publish glorified press releases for you and everything I say is true.
>>
>
> Which articles do you mean?
Here are two examples of how the tech media glorifies them

https://www.zdnet.com/article/purism-adds-open-source-security-firmware-to-its-linux-laptop-line/

https://www.pcworld.com/article/2860446/this-freedom-loving-laptop-discovered-how-to-make-intel-cpus-boot-without-closed-firmware.html
>
> People need to know the truth about what they would be purchasing, this
>> issue isn't and never was the fact that you are selling non-free laptops
>> - it is that you are claiming they are somehow open source
>> firmware/libre/me disabled when they are not and could never be.
>>
>
> So a free laptop is a laptop that has everything Purism does but including
> disabled ME?
No, a free laptop has no hardware enforced code signing, no me/psp and
100% open source hardware init - purism has none of those.

> At the same time you're saying it is impossible to do so?
Impossible with new x86 hardware.

> So Purism would be the most free laptop you can buy today from shelf, is
> this correct?
No you can buy a g505s (owner controlled) or one of the various
ivy/sandybridge laptops that run coreboot all of which are more free.

> Doesn't sound too bad to me ;-)
>
> Remember any code exploit for ME is illegal in the US and buying new
>> intel/amd x86 hardware supports further anti-feature development...why
>> not make an OpenPOWER laptop? nothing is stopping you besides the false
>> belief that it is somehow impossible to make and sell owner controlled
>> hardware that is fast and modern - other companies are doing instead of
>> trying.
>>
>
> Where can I buy an OpenPOWER Laptop and how will this help me and will
> Qubes OS run on it (today)?
There aren't any that's what I am trying to say - but it is possible and
since other companies are creating real owner controlled hardware with
Risc-V, OpenPOWER, etc (not laptops tho) since those two archs CPU's
have TDP's in the laptop range there is nothing stopping them.

>
> The business model of somehow keeping up open source firmware releases
>> with new x86 hardware without any vendor cooperation is impossible - it
>> would take years and millions to reverse engineer FSP thus x86 will
>> never be free.
>>
>
> This maybe correct, but then there is no need to use this argument in
> every discussion.
> We must try to do what is currently possible.
> This is also how I understand the "reasonable" in the quote "reasonable
> secure".
> Best effort and delivering is most time a better approach than trying
> to be perfect.
>
> Get an A10 quad core G505s (no ME/PSP) IMO it isn't that hard to compile
>> and install coreboot - myself and various others are willing to help
>> owner controlled system users for free if you run in to trouble.
>>
>
> The G505s is a very ugly have and old machine which seems to be a consumer
> notebook.
> In my opinion (!) I totally respect that others have a different opinion.
> But please do also accept that some people just don't want to buy this
> laptop for their own personal reasons.
>
> Todd weaver started and owns the company so he isn't mis-informed he is
>> simply used to making claims he can't deliver because he has no ethics,
>> no real technical skills and he still fails to listen to those who do.
>>
>
> Do you know Todd? What is the problem for blaming people. I think it's
> great that people have choices!!
> You have even the choice to setup your own company ;-)
I don't have millions in VC so no I can't set up my own company I can
barely feed myself since no one hires native people where I live these days.

>
>
> I really don't understand why there is so much engagement blaming purism.
> I think it is really great if people have the chance to buy "other"
> laptops.
> And a Purism Laptop is "very likely higher on the reasonable secure" scale
> than a normal Windows Laptop and even from a laptop running Qubes without
> Coreboot and Co.
I simply want them to stop lying! - have them stop being dishonest
marketing!

>
> Honestly I wouldn't feel much more secure even if Intel ME is completely
> gone, I think that  the attack surface is reduced when running Qubes,
> Coreboot or if I buy purism.
>
> Purism is good in marketing and this is not a crime.
It is a crime since it is very dishonest - in america that is considered an
anti-c

Re: [qubes-users] Donation costs

2018-11-16 Thread taii...@gmx.com
Using alipay is super bad considering you would be supporting a country
that censors the internet and imprisons people for viewing the "wrong"
things.

Alibaba's jack ma also invests in and sells surveillance technology
which is a real shame because he used to be someone deserving of respect.

Crypto payments and cash in mail to trusted qubes people (with secret
shoppers to help ensure honesty) are the least terrible option.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-16 Thread taii...@gmx.com
RE: people who work for purism say i am being unfair

I am the counterpart to you guys somehow getting the tech media to
publish glorified press releases for you and everything I say is true.

People need to know the truth about what they would be purchasing, this
issue isn't and never was the fact that you are selling non-free laptops
- it is that you are claiming they are somehow open source
firmware/libre/me disabled when they are not and could never be.

Remember any code exploit for ME is illegal in the US and buying new
intel/amd x86 hardware supports further anti-feature development...why
not make an OpenPOWER laptop? nothing is stopping you besides the false
belief that it is somehow impossible to make and sell owner controlled
hardware that is fast and modern - other companies are doing instead of
trying.

The business model of somehow keeping up open source firmware releases
with new x86 hardware without any vendor cooperation is impossible - it
would take years and millions to reverse engineer FSP thus x86 will
never be free.

On 11/13/2018 06:03 AM, qubes-...@tutanota.com wrote:
> Sorry to jump out of the Purism thing. Some weeks ago I put here the
> question too and it was bit stormy, so I keep it aside.
>
> Mate, you mention the "Lenova 400 series". That was my question short
> before in my post. I am planning to buy this guy:
> https://tehnoetic.com/tet-t400s It is
> RYF and so the ME and AMT is completely removed. My question was, if I
> could run Qubes 4 on it. The answer was it is too old to have the
> required virtualization needed to run Qubes 4.
>
> Now, do you think the RYF T400s above, which is T400 series you
> mention, could run the Qubes 4? This would be great. One could run the
> reasonably secure OS on reasonably secure HW. Yay!
>

It can't since there is no working IOMMU with coreboot and it lacks real
security due to intels first gen iommu being terrible.

X230 can't have ME disabled like T400 only nerfed the hw init "bup"
module still runs (although more than skylake stuff where the kernel
runs and then is politely asked to shut off)

Get an A10 quad core G505s (no ME/PSP) IMO it isn't that hard to compile
and install coreboot - myself and various others are willing to help
owner controlled system users for free if you run in to trouble.

The g505s and other AMD FT3 systems are the only owner controlled qubes
4.0 compatible laptops and they don't have the huge performance penalty
the intel stuff does due to the spectre fixes.

Todd weaver started and owns the company so he isn't mis-informed he is
simply used to making claims he can't deliver because he has no ethics,
no real technical skills and he still fails to listen to those who do.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-16 Thread taii...@gmx.com
On 11/10/2018 01:33 PM, 'casiu' via qubes-users wrote:
> 
> "We have four ME modules remaining to liberate (and anyone with access to our 
> BIOS ROM or our BIOS build script
>  can confirm those claims)."
> 
> Last time I checked Intel still did not hand you over their signing-keys?
> I'm happy to change my mind, please educate me. :) Is the ME completely shut 
> off BEFORE the kernel boots up?

The ME kernel and init code still run before they shut off thus there is
more than enough time and abilities to perform dirty tricks.

ME/PSP is impossible to disable on modern x86 anyone who tries is
wasting money and setting back the freedom computing movement but the
pur.idiots seem to not really care about that anyways.

> If not, I'm sure you know a few ME modules more or less is completely 
> irrelevant from a security point of view.
> 
> Also, I wasn't able to find a statement of Purism about the fact that, in the 
> beginning, they claimed the ME was "completely disabled and removed". I mean, 
> that was obviously not true right?

They do claim that it is "disabled" which it is not and they also claim
they have "open source coreboot firmware" which they don't since the hw
init process is entirely blobbed making coreboot nothing more than a
simple wrapper layer.

> 
> From what I see, despite Purism claims they will liberate it probably 
> sometime, purism-bios still only initializes proprietary blobs, which also 
> defeats the purpose. I'm not one for great conspiracy theories, and also at 
> least for now willing to accept the term "opensource-hardware" for something 
> with one or two small irrelevant blobs because they can't be avoided,
> but advertising hardware which runs almost entirely on closed source software 
> (certainly, all the important parts do), that just sounds highly dishonest in 
> my ears.
> 

It sounds highly dishonest since it is.


> Last one: Would you honestly recommend people buying your products to 
> improve their security RIGHT NOW, not someday in the future when and if your 
> products will be completely open source. If so, why?

Puridiots pretend as though making a modern, fast and affordable owner
controlled libre computer simply can't be done which isn't true and
various companies do it (raptor computing systems, various riscv
sellers, bunnylabs etc)

Nothing is stopping them from making an OpenPOWER laptop since the
latest OpenPOWER9 code supports laptop level power saving but they say no.

> If you could provide me an answer to those Questions, i would be very 
> grateful. I read this post twice , and i hope nobody finds it offensive in 
> any way, 

People will but they're just paid shills so ignore them.

> im actually trying to get a productive discussion here.
> Please dont let this go emotional, rather provide people with actual, 
> verifiable TECHNICAL  FACTS.

Sad how few people do that.

> 
> Happy to learn something new, Casiu.



Re: [qubes-users] Motherboard recommendations

2018-10-29 Thread taii...@gmx.com
I have answered this question over 20 times - search before you post!



Re: [qubes-users] Additional USB controllers for a laptop expresscard to PCI-slots

2018-10-27 Thread taii...@gmx.com
On 10/24/2018 01:41 AM, 'awokd' via qubes-users wrote:
> 
> 
> Unman:
>> On Mon, Oct 22, 2018 at 10:40:23AM -0300, Franz wrote:
>>> On Mon, Oct 22, 2018 at 10:29 AM unman wrote:
>>>
>>>> On Mon, Oct 22, 2018 at 09:13:46AM -0300, Franz wrote:
>>>>> On Mon, Oct 22, 2018 at 12:42 AM taii...@gmx.com wrote:
>>>>>
>>>>>> No it won't.
>>>>>>
>>>>>> Expresscard > PCI-e
>>>>>>
>>>>>> PCI anything WILL NOT WORK - ALL IN SAME IOMMU GROUP.
>>>>>>
>>>>>> Save money buy one marketed for egpu gaming for $100 or so from bplus
>>>>>> tech taiwan - expresscard>pci-e then buy a Sonnet Allegro Pro which is 4
>>>>>> separate USB controllers which will work fine AS LONG AS YOUR LAPTOPS
>>>>>> ROOT PORTS SUPPORT ACS otherwise it won't work they will all be the same
>>>>>> group. I have no idea what laptops do however.
>>>>>>
>>>>>>
>>>>> It seems my processor i7 3520m does not support ACS. So this should mean
>>>>> that even if I use 4 different PCI cards, in the best case scenario they
>>>>> can only be assigned to the same VM.
>>>>>
>>>>> On the same laptop Lenovo x230 a similar problem was that it has two native
>>>>> USB controllers, but there is some connection between them so that they can
>>>>> only be assigned to the same VM.
>>>>>
>>>>
>>>> Not in my experience with x230. Three controllers, and you can separate
>>>> ports on Left and Right between two usbVM.
>>>>
>>>
>>> with 3.2 or 4?
>>> I tried various times with 3.2 and it replies something like that it does
>>> not want to do that because the two controllers are somehow connected and
>>> therefore there is a security risk isolating them when they are not really
>>> isolated.
>>>
>>> But of course you understand all that much better than me Unman :-)
>>>
>>
>> Blind leading the blind, I'm afraid.
>>
>> This is with 4. I'll try it with 3.2.1 in the morning.
>>
> @taiidan- I based that from some code I saw in Xen that seemed to
> support classic PCI passthrough. See also the last entry on this page
> for example: https://wiki.xen.org/wiki/Xen_PCI_Passthrough. Agree it's
> not the most secure approach with Qubes, if it works at all.

All of the controllers will be in the same IOMMU group in that case due
to a PCI bridge so pointless for what he wants aka separate usb controllers.



Re: [qubes-users] Replacement for Lenovo x230 (coreboot'able + high res)

2018-10-27 Thread taii...@gmx.com
On 10/26/2018 07:28 PM, 799 wrote:
> Hello,
> 
> I have used two x230 (i5 and i7) in the last email years to run Qubes.
> While I love the form factor and battery runtime I would like to move to a
> device which has a better screen resolution.
> I'd like to have something between 12 and 14inch as I have already a bigger
> 15,4" laptop which has a great resolution (3K) but bad battery runtime
> (Workstation Laptop).
> 
> Do you have a suggestion which fits into my wishlist:
> 
> - Coreboot'able
> - Qubes 4 compatible
> - FullHD Resolution 1.920x1.080 or similar
> - 16 GB RAM
> - optional LTE WAN Card
> - 12 or 14 inch
> - good battery runtime

Get a T430 (get a better kb from *20 series) or a W520 and install an
ivy-bridge CPU and a screen upgrade if you can't find one that comes
with the res you want - there are some nice aftermarket ones from china
and taiwan but the W series should have a 1920 oem model. Of course get
one without the dGPU to save battery power...you can get an eGPU via
ExpressCard if you want more video juice etc.

There is a wwan pci-e port card and a sim slot on both afaik and since
it is restricted via IOMMU there should not be any security issues.

You can install a second slice battery on the bottom.

Both work fine with coreboot-openhwinit and me cleaner to nerf the me
(disabling always impossible) and will work with qubes 4.0 features.



Re: [qubes-users] My farewell to Qubes OS!

2018-10-27 Thread taii...@gmx.com
No!! comp-sci angel D: you are IMO the best computer security
person on the planet and now you leave us :'[

You can't trust the "cloud" - it will always be someone else's computer

SGX etc is DRM and a proprietary wintel technology that shouldn't be
trusted.

You should look in to Integricloud and FlexVER which are made by raptor
computing systems the makers of the OpenPOWER TALOS 2, Blackbird and
various libre firmwares.

Here's to hoping for qubes on POWER, which is the only owner controlled
high performance computing platform and freer than x86 ever was with
more documentation than x86 ever had.



Re: [qubes-users] Re: Qubes 4.0 on high(er) end workstations?

2018-10-21 Thread taii...@gmx.com
On 10/19/2018 03:55 AM, shizo wrote:
> https://store.vikings.net/vikings-d16-workstation
> https://minifree.org/product-category/desktop-pcs/
> https://tehnoetic.com/desktops/tet-d16ws
> 
> you can still see it, but they have crazy prices
> and for some reason, the video card is nvidia, not amd
> 

Yeah low volume pre-builts always have high prices...DIY or die.

You can just buy a new one for $150 off fleabay atm no reason to pay
MSRP for anything most of the time, get used cpu ram too unless new is
not too much more such as here.

6276 trash for gaming, get one or two 6328 ($60/ea brand new on fleabay)

Search my many posts going years back for information and if you have
any non answered questions email me...but as I currently make minimum
wage in real life I charge bitcoin for answering the same questions
repeatedly (all the info you need to do this I and others have already
posted many many times) or corresponding with people who use gmail (as
gmail violates many of my beliefs...and wanting a special security
workstation while still using gmail is silly)

I game on my D16 but you need a decent CPU like 6328 (best), 6287SE
6386SE - MUST INSTALL MICROCODE UPDATES BTW or either nothing will work
or it will be very insecure. In coreboot check binary only repo+generate
microcode from tree.

If you buy a new D16 you get a ASMB4/5 modules which you can install
OpenBMC FOSS remote access on in addition to coreboot-libre, it also
controls your fans otherwise use fancontrol/pwmconfig to slow them down
from max speed.

Nvidia anything is junk as they hate linux - AMD RX580 works fine with
D16 gaming in a VM both linux and windows guests on a linux host even
Crossfire xDMA also works in a VM.

IF you properly configure everything and do nothing else on those CPU
cores (dedicated and pinned cores) your performance will be only 1% less
than bare metal, if you want to do other stuff on the device you need to
buy more than one CPU probably so dual 6328 instead of just one...but
they are cheap so is the G34 140W tower 3U/4U coolers right now.



Re: [qubes-users] Additional USB controllers for a laptop expresscard to PCI-slots

2018-10-21 Thread taii...@gmx.com
No it won't.

Expresscard > PCI-e

PCI anything WILL NOT WORK - ALL IN SAME IOMMU GROUP.

Save money buy one marketed for egpu gaming for $100 or so from bplus
tech taiwan - expresscard>pci-e then buy a Sonnet Allegro Pro which is 4
separate USB controllers which will work fine AS LONG AS YOUR LAPTOPS
ROOT PORTS SUPPORT ACS otherwise it won't work they will all be the same
group. I have no idea what laptops do however.

If you want 4 external laptop PCI-e slots via EC for other stuff or what
not there is one made by amfeltec, but it will probably cost a bunch.

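The shared-IOMMU-group condition this post and its follow-up (the PCI bridge case) describe can be checked before buying or assigning hardware. The script below is an added example, not part of the original posts: it assumes a Linux kernel that exposes groups under /sys/kernel/iommu_groups, and the sample device addresses and the helper names are constructed for illustration.

```python
#!/usr/bin/env python3
"""List IOMMU groups from sysfs and flag USB controllers that share a group."""
import os
import tempfile

USB_CLASS = "0x0c03"     # PCI class 0x0c (serial bus), subclass 0x03 (USB)
BRIDGE_CLASS = "0x06"    # PCI base class 0x06 (bridges)


def read_class(sysfs_root, bdf):
    """Return the PCI class string (e.g. '0x0c0330') for a device, or ''."""
    path = os.path.join(sysfs_root, "bus", "pci", "devices", bdf, "class")
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return ""


def iommu_groups(sysfs_root="/sys"):
    """Return {group_id: [(bdf, pci_class), ...]}; empty if no groups exist."""
    base = os.path.join(sysfs_root, "kernel", "iommu_groups")
    groups = {}
    if not os.path.isdir(base):
        return groups  # IOMMU off, unsupported, or not exposed by this kernel
    for name in os.listdir(base):
        devdir = os.path.join(base, name, "devices")
        if name.isdigit() and os.path.isdir(devdir):
            groups[int(name)] = [(bdf, read_class(sysfs_root, bdf))
                                 for bdf in sorted(os.listdir(devdir))]
    return groups


def usb_isolation_report(groups):
    """Return [(bdf, group_id, isolated, co_members)] for every USB controller.

    Simplification made by this example: bridges in the group are ignored,
    any other function sharing the group counts against isolation.
    """
    report = []
    for gid in sorted(groups):
        members = groups[gid]
        for bdf, cls in members:
            if not cls.startswith(USB_CLASS):
                continue
            others = [b for b, c in members
                      if b != bdf and not c.startswith(BRIDGE_CLASS)]
            report.append((bdf, gid, not others, others))
    return report


def build_sample_sysfs(root):
    """Write a constructed sysfs tree: one onboard controller alone in group 3,
    and two controllers behind a PCI bridge that all land in group 7."""
    sample = {
        3: {"0000:00:14.0": "0x0c0330"},
        7: {"0000:03:00.0": "0x060400",   # the bridge itself
            "0000:04:00.0": "0x0c0320",
            "0000:04:01.0": "0x0c0310"},
    }
    for gid, devices in sample.items():
        for bdf, cls in devices.items():
            os.makedirs(os.path.join(root, "kernel", "iommu_groups",
                                     str(gid), "devices", bdf))
            devpath = os.path.join(root, "bus", "pci", "devices", bdf)
            os.makedirs(devpath)
            with open(os.path.join(devpath, "class"), "w") as fh:
                fh.write(cls + "\n")


def format_report(report):
    """Render one human-readable line per USB controller."""
    lines = []
    for bdf, gid, isolated, others in report:
        verdict = ("alone in its group" if isolated
                   else "shares group with " + ", ".join(others))
        lines.append(f"{bdf}  group {gid:>3}  {verdict}")
    return lines


if __name__ == "__main__":
    groups = iommu_groups("/sys")
    if not groups:
        # Fall back to the constructed tree so the check is still demonstrated.
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_sysfs(tmp)
            groups = iommu_groups(tmp)
    print("\n".join(format_report(usb_isolation_report(groups))))
```

A controller reported as sharing a group cannot be given to a different VM than its co-members, which is the outcome the post predicts for cards behind a PCI bridge or root ports without ACS.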


Re: [qubes-users] Backup verification error

2018-10-17 Thread taii...@gmx.com
Considering how long it takes and the chance for errors I also make a
post fsck dd backup of the entire drive/partition and then sha1sum it
just in case, which has saved me a few times.

I wish there was a choice to use more RAM to make it go faster or what not.



Re: [qubes-users] Re: Qubes 4.0 on high(er) end workstations?

2018-10-16 Thread taii...@gmx.com
On 10/16/2018 12:21 PM, Yethal wrote:
> On Tuesday, 16 October 2018 01:22:58 UTC+2, user tai...@gmx.com wrote:
>> On 10/15/2018 02:09 PM, Yethal wrote:
>>> It also has a PS/2 port (extremely important in Qubes and often overlooked)
>> Misinformation.
>>
>> You instead want more than one USB controller on a system so you can
>> have both trusted for keyboard/mice and untrusted for random stuff (all
>> my recs in my other reply have this, the D16/D8's have a second
>> controller via a few onboard usb headers)
>>
>> PS/2 is not secure at all - your keystrokes are outputted on the ground
>> wire.
>>
>> I suggest purchasing a usb keyboard that doesn't have firmware such as
>> the excellent us made unicomp model m mechanical keyboard, to prevent
>> use of a keyboard virus.
>>
>> Definitely agreed with not buying nvidia junk though, they artificially
>> hamper virt with their geforce stuff and they also hate linux drivers
>> and FOSS.
> 
> If I have more than one USB controller and I leave one controller in dom0 and 
> all the other ones in sys-usb that is all fine and dandy except there is 
> still a usb controller in dom0 which kinda defeats the purpose of even having 
> sys-usb unless the keyboard and mouse wires were to be soldered directly to 
> the ports. 
> Also, if an attacker is capable of tapping into the ground wire of your 
> keyboard to listen to the keystrokes then they are more than capable of 
> simply plugging a usb keylogger and/or usb hub and a flashdrive. IMHO a usb 
> controller in dom0 poses much bigger security risk due to reduced attack 
> complexity.
> 

Why would you have one in dom0? the idea is that you make one sys-usb
per controller so for example one trusted for inputs and one not trusted
for random stuff.

Ground wires where I live go far away from where I am sitting as they do
in any large office complex so that is not so good. Any secure facility
has ground wire isolation for that reason.



Re: [qubes-users] Re: Qubes 4.0 on high(er) end workstations?

2018-10-15 Thread taii...@gmx.com
On 10/15/2018 02:09 PM, Yethal wrote:
> It also has a PS/2 port (extremely important in Qubes and often overlooked)

Misinformation.

You instead want more than one USB controller on a system so you can
have both trusted for keyboard/mice and untrusted for random stuff (all
my recs in my other reply have this, the D16/D8's have a second
controller via a few onboard usb headers)

PS/2 is not secure at all - your keystrokes are outputted on the ground
wire.

I suggest purchasing a usb keyboard that doesn't have firmware such as
the excellent us made unicomp model m mechanical keyboard, to prevent
use of a keyboard virus.

Definitely agreed with not buying nvidia junk though, they artificially
hamper virt with their geforce stuff and they also hate linux drivers
and FOSS.



Re: [qubes-users] Qubes / Xen i5 and i7 socket LGA1151 mobo recomendations

2018-10-15 Thread taii...@gmx.com
On 10/15/2018 12:38 PM, Aaron Gray wrote:
> Hi,
> 
> I have found my Intel based Z270 Motherboards do not support Qubes, or Xen as 
> of yet.

No consumer board will without difficulty.

> Therefore I am asking for suggestions for i5 and i7 socket LGA1151 DDR4 based 
> motherboards that will run Qubes / Xen; as a stop gap until they do.
> 
> Regards,
> 
> Aaron
> 

Why do you want that black box wintel junk?

Get a libre motherboard instead (see my recent post "Re: [qubes-users]
Qubes 4.0 on high(er) end workstations?" for info and very affordable
yet quality suggestions).



Re: [qubes-users] Qubes 4.0 on high(er) end workstations?

2018-10-15 Thread taii...@gmx.com
I have many posts on this but since you have an .edu and made a long
post yourself here are two great options.

You wanna assemble stuff yourself which is pretty easy - I did my first
at age 12 and it worked on the first power on.

Libre motherboards that work with qubes 4:

* KCMA-D8 (90 used on fleabay from china) and one or two 8 core socket
C32 4386 opteron CPU's plus ECC RDIMM RAM in 8GB sticks (for 64 total)
or 16gb (for 128 total)

* KGPE-D16 ($130 on fleabay brand new) and one or two 16 core 6386 CPU's
or 8 core 6328 CPU's (60 on fleabay brand new) which supports up to
192GB RAM.

Since they support libre firmware it doesn't matter that you are getting
used hardware although I believe newegg still has the KGPE-D16 if you
must have new hardware.

Both support Crossfire xDMA and IOMMU-GFX for gaming or cad in a VM, all
the devices have their own IOMMU groups and it supports ACS.

The D8 and D16 are the last and best owner controlled x86 motherboards
and they support coreboot-libre or libreboot, and also OpenBMC for
secure libre remote access with the ASMB4 or ASMB5 chip - it comes with
the new in box KGPE-D16 but they also crop up time to time on fleabay
for a few bucks.

I would say that TPM's/AEM is not needed if you implement
kernel/initramfs code signing in grub as a coreboot payload, set the
write lock bit on the flash chip and then put a lock on your case but if
you still want a TPM it has a header for a v1.2 device make sure to buy
a supported model.

Other options are the Raptor Computing Systems Libre Firmware OpenPOWER
systems such as the TALOS 2 and the more affordable Blackbird which are
the future of owner controlled computing[1] although currently qubes/xen
doesn't have a POWER port so you would have to use POWER-KVM which
arguably is better security wise than xen+black boxed x86 junk and again
is the future not a dead platform.

I am an expert on this topic, let me know if you need any help and if
you think my advice is patron-grade.

[1]x86 is dead freedomwise, both AMD and intel have a variety of
anti-features that make you just a licensee not an owner - OpenPOWER is
the only owner controlled performance CPU arch luckily it is now more
affordable than equivalent x86 performance enterprise hardware and you
get more features+freedom :D

It is impossible to disable ME/PSP or make libre firmware for a new gen
x86 system.



Re: [qubes-users] Keyboard backlight color based on active qube

2018-10-13 Thread taii...@gmx.com
Very cool!

This is very innovative for security, to prevent typing in the wrong window.

I wish unicomp made a keyboard with colors as I can't give up my model M
tho :[



Re: [qubes-users] Fujitsu Lifebook U757

2018-10-13 Thread taii...@gmx.com
Just get an a10 g505s and install coreboot (follow awokd's guides), I
have made many posts about laptop reccs you can search for with more
reccs in case that doesn't work for you for whatever reason.

On 10/12/2018 08:38 PM, Chris Laprise wrote:
> 
> My advice is to start looking for a Qubes laptop on the HCL page below
> and/or look at business models from the 'big 3' manufacturers Dell

Their consumer models are terrible and don't work with linux fyi, many
of their business models don't either.

> Lenovo 
Lenovo installs backdoors in the firmware on their new laptops, they
have been caught 4 times doing this. Don't support them.

>  HP

They couldn't care less about linux.

> in addition to Linux-focused System 76
Dishonest - they lie and claim their laptops are "made in usa" which is
absolutely impossible for an x86 device what they are doing is a simple
screwdriver assembly which legally doesn't even qualify for "assembled
in usa"

> and Purism 

VC funded scammers who sucker people in to buying faux-libre laptops
with a not actually disabled ME.



Re: [qubes-users] Question before buying a new laptop

2018-10-09 Thread taii...@gmx.com
On 10/06/2018 03:07 PM, ben.thomp...@vfemail.net wrote:
> Thanks for your reply.
> 
>>> I have a few questions:
>>> How well does passing a dedicated graphics card to a vm work / is gaming
>>> in a vm feasible or do i still need dual-boot?
>>
>> Yeah very feasible many people do it including me.
> 
> So what games are possible and are you using a windows or linux guest?
> (Sadly there are games not running with wine.)

Windows without networking to avoid the spying features.

There are however a variety of AAA DRM free games that run native on
linux these days.

On my KGPE-D16 I just finished the two wolfenstein games and the new
prey on max settings I have RX580 and 6328 cpu with 14gb ram assigned to
the VM. I suggest purchasing 8gb ecc rdimm sticks as they are the most
affordable per gb if you get one. The KCMA-D8 is also a good choice and
with that you don't have to deal with NUMA issues.

> 
>> Of course you need the right system you would need an eGPU capable
>> laptop such as the W520 which you should install an quad core ivy bridge
>> cpu in so you get pci-e 3.0 for the expresscard slot. As always I
>> recommend installing coreboot - the ivy/sandy coreboot port has open
>> cpu/ram init and supports me cleaner to nerf your me (again disabling is
>> impossible)
> 
> Well the W520 is from 2011 and can't be bought anymore and i don't like
> to buy hardware second hand.

What's wrong with second hand hardware? You can replace the worn out
parts like the keyboard/armrest/lid very easily to the point where you
couldn't tell the difference between a new and used laptop.

I don't think a circa 2013 cpu is that bad considering what you gain
from using it.

> Also the processor is a bit weaker.

A quad core ivy bridge cpu will be fine I guarantee it.

> I know the problem with new CPUs is a ME which can't be properly
> deactivated anymore (at least as far as i know), but it seems i have to
> accept this, if i want a powerful processor for gaming / work.

No you don't have to.

What do you want to run that couldn't run on an older laptop but could
run on a newer one?

> Hence the W520 is not really an option for me (Although it is the better
> option from a security standpoint).
> 
> So do you have a suggestion for newer hardware in the same price-range?

I don't recommend blatantly insecure hardware which is what new x86 is -
it is all junk. See for instance the recent china spying scandal where
they inserted a backdoor chip on the motherboard and that is probably
just the tip of the iceberg.

The future of real owner controlled, open source firmware, high
performance hardware is non-x86, such as POWER systems like the raptor
talos 2, raptor blackbird, etc. Of course made in usa is a must for
security reasons and the OpenPOWER9 CPU's are made here as well as those
boards. I hope that xen/qubes will soon support POWER - but I argue that
POWER-KVM is more secure than xen on a black box x86 platform.

In terms of gaming you aren't going to get good performance on a laptop
which is why I always suggest obtaining an owner controlled no psp/me
libre-firmware available desktop system board like the KCMA-D8/KGPE-D16
(runs qubes 4.0 great)
plus a g505s for your no psp/me owner controlled laptop which has open
cpu/ram init via coreboot.

For laptop gaming via eGPU you can re-direct the output to the internal
screen if both the iGPU and the eGPU are assigned to the same VM - very
difficult though and of course graphics assignment weakens your security
in a variety of ways so I would simply have a dedicated gaming device if
you can afford it.

Let me know if you find this advice helpful - I am always pleased to
answer the expert questions.



Re: [qubes-users] Re: Installation, no AMD-vi, interrupt mapping, etc.

2018-10-04 Thread taii...@gmx.com
Most consumer mobos have broken IOMMU, I suggest instead of wasting your
time trying to make it work you simply buy a KCMA-D8 or KGPE-D16 plus
used cpu and install coreboot-libre.

Without HVM/IOMMU your security will suck.



Re: [qubes-users] Question before buying a new laptop

2018-10-02 Thread taii...@gmx.com
On 10/02/2018 04:53 AM, ben.thomp...@vfemail.net wrote:
> Hi,
> some time ago i discovered qubes, but my laptop did not support it and i
> did not follow the developments.
> Now my old laptop is broken and i am about to buy a new one.

This question has been asked and then answered like 20+ times by me,
twice in the last week.

> 
> I have a few questions:
> How well does passing a dedicated graphics card to a vm work / is gaming
> in a vm feasible or do i still need dual-boot?

Yeah very feasible many people do it including me.

Of course you need the right system you would need an eGPU capable
laptop such as the W520 which you should install an quad core ivy bridge
cpu in so you get pci-e 3.0 for the expresscard slot. As always I
recommend installing coreboot - the ivy/sandy coreboot port has open
cpu/ram init and supports me cleaner to nerf your me (again disabling is
impossible)

I would probably just pick up a workstation board like the KCMA-D8
though as laptop dgpu gaming needs an external monitor if you want to do
it in a VM.

> 
> Did anyone try a Lenovo Legion Y530 and can me write how well it works
> with qubes? (i would upgrade the ram to 16 or 32 GB)
> (I did not see any entry in the list (https://www.qubes-os.org/hcl/).)
> 
> Best
> ben
> 
> 
> -
> 
> ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of
> the NSA's hands!

Haha.

> $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No
> bandwidth quotas!

No such thing as a lifetime account FYI, eventually these services get
too top heavy and run out of money.



Re: [qubes-users] Purchase advice, Qubes laptop: ASUS ROG Strix GL503GE ?

2018-09-27 Thread taii...@gmx.com
This laptop advice question has been asked around 5 times in the past
two weeks and I have answered all of them :D

On 09/21/2018 02:43 AM, KajMagnus wrote:
> What do you think about installing Qubes OS on this?:
> 
> ASUS ROG Strix GL503GE

Gaming laptops are baaad news - in a few years the battery life will be
1hr and lugging around a heavy laptop will be feeling worse and worse
and you will be consuming more and more ibuprofen for your back pain!

> It has this I5-8300H processor, 8th gen core i5, apparently with VT-x and 
> VT-d yes:

It depends on more than just the cpu - in terms of this laptop IOMMU
probably won't work on it unless you are buying workstation hardware
they almost always fuck up the implementation of it.

> https://ark.intel.com/products/134876/Intel-Core-i5-8300H-Processor-8M-Cache-up-to-4_00-GHz
> 
> I read that a IGP is recommended:

That information is outdated, anything but the junk nvidia is fine -
intel and AMD make linux drivers that are quasi open source in that they
require a binary blob but they work with no BS.

> "Intel IGP (strongly preferred)" (here: 
> https://www.qubes-os.org/doc/system-requirements/ )  Do all laptops typically 
> include an IGP? This laptop has an IGP, you think, 

Most do yes it is the cheapest option as it is integrated in the CPU

> although it has an NVIDIA Geforce GTX 1050 Ti card?

Nvidia hates:
* Linux (unless you buy a quadro)
* Open source anything - not only do they fail to provide open source
drivers as their competitors do they intentionally ruin the efforts of
the nouveau project.
* Virtualization (unless you buy a quadro) in that they intentionally
add bugs to make it harder to attach graphics card to a VM.

1050 is slow and not really worth it - it would be better to get an eGPU
setup if you want a GPU instead of lugging around a heavy gamer laptop.

> (I do software development. Will use the laptop to compile code, takes 10 - 
> 100 seconds, and run stress tests, and open 100 browser tabs. And ... during 
> development, I don't feel good about pulling down 1 000 Node.js libs and 
> typing `npm start` unless in a Qubes virtual machine :- ))

I suggest a W520 which you install 32gb ram and the best compatible ivy
bridge quad core cpu - then install coreboot with me cleaner (to nerf
the me).

Buy the one with the IGD and no dGPU so it is more battery efficient and
that you can later buy an ExpressCard eGPU adapter and potentially not
have to use an external monitor to play video games on it. (with the
dGPU model you can't re-direct the output through the iGPU and thus to
the laptops internal screen - very cool stuff)

It isn't owner controlled like the G505S that I usually suggest but it
will be fine and has more features (dock, more ports, expresscard) ram
(g505s only 16gb) etc. It is much more free than newer laptops and there
aren't any binary blobs besides the ME blob.

Note disabling ME is impossible and anyone who says otherwise is lying.

New x86 hardware is only licensed not bought, if you want to truly own
your hardware and have computing freedom with no ME/PSP and libre
firmware you must get non-x86 stuff or older x86 hardware.

> (I also asked in https://www.reddit.com/r/Qubes a while ago)

What you have to understand is that most of the qubes user community are
know it all little kids who suck at computers and refuse help - if 90%
of them weren't using qubes they would be using linux mint and they
couldn't really care less about actual security only the perception of
security which is why so many of them endorse stupid DRM shit like MS's
"secure" boot (no linux distro is complete without a MS product lol!)
TPM's, ME, a scammy company that starts with the letter p, etc.

Users whom you want to listen to are me, awokd, ivan ivanov and a few
others. I am always available to email in case no one else has an answer
for your obscure expert level linux question.



Re: [qubes-users] Gaming with qubes

2018-09-17 Thread taii...@gmx.com
On 09/15/2018 12:01 AM, David Schissler wrote:
> 
> What is IOMMU-GFX?  I can't find any references to the GFX part.
> 

IOMMU for Graphics, it is much more complex to assign a graphics device
than a regular device such as a NIC, HBA, etc.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-17 Thread taii...@gmx.com
On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:
> On Sat, September 15, 2018 10:30 am, qubes-...@tutanota.com wrote:
>> Hi, during my email conversation with the Todd Weaver 

That liar comes out of nowhere with his super slick marketing and sets
the computing freedom movement back 10 years.

At first I thought it was just being naive but now as he persists it
seems more like malice.

puri.junk does NOT respect you, it is fully blobbed and the ME is not at
all disabled.

Todd weaver is a lying fraudster.

>> in the
>> pre-IME-disabled time, he told me they will fully disable the IME and AMT
>> within next week. After about a week they announced they did just that.
>> Are this links a lie?
>> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
>> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
> 
> "Lie" depends on your definition of "completely". Skylake onwards
> processors can have much of ME disabled. I believe Purism with Heads and a
> handful of other manufacturers are using the technique here:
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can
> see there are still some modules required for initialization before the
> HAP bit takes effect and skips the remainder. Additionally, there is an
> FSP blob needed for init. Currently shipping AMD CPUs are no better.

Skylake kernel still runs, that is not disabled and there is more than
enough ability to play dirty tricks like SMM rootkits or what not.

HAP is asking politely.

> 
>> Talking about alternatives: how the Qubes 4.0 stand with RYF certified
>> X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
>> and others like T400 and T500,
>> which can be found there as well. Working well? Any issues known? Thank
>> you
> 
> At present, RYF has not certified any laptops with hardware capable of
> running Qubes 4.0, but there are a couple older AMDs that can. A scale of
> hardware openness/owner control from most to least would be something
> like:
> 
> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
> run on either

Since you mention power and there aren't currently any laptops do you
mean laptops or desktops? In terms of desktops there are a variety that
qubes 4.0 can run on.

The future is POWER for all...

> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
> on these and the rest listed
> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
> required
> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
> config- more blobs and modules required

That doesn't disable it! you are simply asking nicely for it to shut off
and hoping that it does so. It is not at all equivalent to say pre-core
intel systems where one really could disable it or even better one that
doesn't have any black boxes like the talos.

> 0: Intel/AMD x86 with no tweaks- most shipping volume today
> 
> ARM (& possibly RISC) is a special case in that the integrator can decide
> where on the scale they want to deliver their product, but neither support
> Qubes 4.0.
> 



Re: [qubes-users] Time for Laptop Upgrade

2018-09-16 Thread taii...@gmx.com
If you want a laptop get a W520 and install coreboot along with the best
available ivybridge CPU plus 32gb ram.

You can nerf the me but of course it is not equivalent to actually
disabling it which is 100% impossible despite what some might say.

If you want a libre desktop or workstation selection let me know.



Re: [qubes-users] Gaming with qubes

2018-09-14 Thread taii...@gmx.com
On 09/14/2018 01:34 PM, card...@cypher.fi wrote:
> Hey. 
> I recently built new pc with Asus PRIME Z370-P, i7-8700k and gtx 1060. I care 
> about privacy and security

If you really do next time don't buy a blobbed and ME'ed PC along with a
graphics card from the anti-freedom nvidia that actively prevents the
development of the nouveau open source drivers (vs amd making their own)
and adds "bugs" to prevent people from using IOMMU-GFX with geforce
cards (which wasted me 4 hours when I had a geforce card)

> but i would also like to game (mainly rainbow six siege and pubg).

Still possible.

I play the latest games at max settings in a VM with my libreboot
firmware KGPE-D16 with a RX580 (must get an 8gb+ gfx card) and 6328 cpu
(with a gpu bottleneck) The KCMA-D8 and KGPE-D16 server/workstation
boards work well with qubes 4.0 and they support
coreboot-libre+libreboot, OpenBMC[1] and of course IOMMU-GFX

They even theoretically support Crossfire xDMA in a VM, one of the cool
things that can be done is to normally use crossfire but if a friend
comes over assign the second graphics card to another VM so you can game
at the same time on the same machine.

While computing freedom is dead on x86 (new hardware is not owner
controlled) some day there will be games ported to POWER - already
people with the owner controlled libre-firmware TALOS 2 are playing
multiplayer games together on linux.

People said there would never be linux gaming - now many AAA games
support linux native!

[1](the facebook version of OpenBMC not the better ibm version found on
the OpenPOWER machines like the talos 2 but still quite usable for
secure owner controlled foss lights out remote access) note the kcma-d8
does not come with the module required to install openbmc it must be
purchased separately.

> Is my hardware even compatible? 
No idea maybe, most consumer boards lack IOMMU support or it is broken.

> Is it possible to game in windows 10 vm without sacrificing performance too 
> much?

Sure if done right it is not noticeable (ie: no stuttering or w/e) and
you only lose 1-3 FPS.

> If someone has done this please post your experience and tutorial. 
I suggest reading the tutorials and information on the xen wiki or for
kvm/qemu on the vfio blog. (qubes uses xen)

I would suggest however gaming in a VM on a separate computer rather
than your qubes computer for performance, security and the fact that it
is harder to get it working on qubes apparently.

If you have any difficult questions you can't find the answer to
anywhere else let me know - I enjoy answering the hard questions.



Re: [qubes-users] Intel Releases New BSD-Licensed Open-Source Firmware Implementation

2018-09-14 Thread taii...@gmx.com
On 09/14/2018 06:20 PM, taii...@gmx.com wrote:
> On 09/14/2018 03:01 PM, David Schissler wrote:
>> https://www.phoronix.com/scan.php?page=news_item&px=Intel-Slimbootloader
>>
>> This could be an improvement if someone takes the firmware and deletes tons 
>> of unnecessary stuff.  Hopefully this will be rolled out over many lines.
>>
> 
> It is nothing new!
> 
> This is NOT "Open Source Firmware" it is shimboot coreboot - all the
> hardware initiation work is done via FSP and coreboot is just there as a
> wrapper layer for FSP.
> 
> More misdirection from intel trying to strangle their IBM OpenPOWER
> competitors in the crib now that they see there is a real market for
> owner controlled hardware.
> 
> Buy a TALOS 2 if you want legitimately owner controlled, real FOSS,
> libre, "open source firmware" hardware that is both fast and brand new.

I always assume people know the difference but I figure I should mention
that unfortunately qubes/xen does not yet support the POWER arch as
there is a bit of an impasse in the developer community - thus your best
choice if you must have qubes is the KCMA-D8/KGPE-D16 libre firmware
available workstation/server boards or the g505s coreboot open cpu/ram
init laptop all of which are pre-PSP AMD and while comparatively slow
the kcma-d8 with a 4386 can max out the latest games on libreboot with a
suitable graphics card such as a rx580 8gb.

I would however argue that an OpenPOWER machine with
POWER-KVM/POWER-IOMMU virt is more secure than xen running on blobbed
proprietary wintel junk that soon won't allow you to install linux at all.

I am old enough to remember the fact that smartphones didn't used to be
walled gardens, soon that anti-feature concept will come to desktop
computers and one will only be able to install linux or their non-MS
"approved" programs if they pay for a "developer edition" computer. MS
already tests the waters with their ARM PC's that have full "secure"
boot (aka secure from you the owner) locking you out from removing
windows or even installing a new version of windows.

Every time someone purchases a new non-owner controlled blobbed
intel/amd hardware you support future DRM efforts, even if someone
figures out a ME jailbreak some day intel will quickly patch it and with
every release their methods of preventing jailbreaking get better and
better.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-14 Thread taii...@gmx.com
Everyone please be aware that purism's marketing is dishonest.

Their products do not have open source firmware[1] and the ME is not
disabled (the kernel still runs along with mask roms and the me hw init
code)

Intel chips or any new x86 for that matter do NOT respect your privacy!

[1]Their coreboot is simply a shim loader layer for Intel's FSP binary
blob that performs the hardware initiation - these days coreboot doesn't
necessarily mean open source firmware.

In terms of laptops it is much better to purchase for instance an owner
controlled pre-PSP AMD G505S[2] which has open cpu/ram init via coreboot
or one of the ivy/sandy thinkpads which while not owner controlled are
significantly more free than puri.crap as they have open cpu/ram/gpu
init via coreboot and their ME can be nerfed down to the BUP layer which
while is not at all equivalent to not having an ME at all such as on
non-x86 arches or pre-PSP AMD it is still much better.

All of my laptop recommendations here work great with Qubes 4.0 and
there is a nice little qubes g505s community.

[2](for the best user experience make sure to get the highest end quad
core A10 model if you buy one - although the less expensive A6 quad core
models are still quite usable)


I do not have an issue with purism selling non-free laptops - I have an
issue with them being dishonest.



Re: [qubes-users] Intel Releases New BSD-Licensed Open-Source Firmware Implementation

2018-09-14 Thread taii...@gmx.com
On 09/14/2018 03:01 PM, David Schissler wrote:
> https://www.phoronix.com/scan.php?page=news_item&px=Intel-Slimbootloader
> 
> This could be an improvement if someone takes the firmware and deletes tons 
> of unnecessary stuff.  Hopefully this will be rolled out over many lines.
> 

It is nothing new!

This is NOT "Open Source Firmware" it is shimboot coreboot - all the
hardware initiation work is done via FSP and coreboot is just there as a
wrapper layer for FSP.

More misdirection from intel trying to strangle their IBM OpenPOWER
competitors in the crib now that they see there is a real market for
owner controlled hardware.

Buy a TALOS 2 if you want legitimately owner controlled, real FOSS,
libre, "open source firmware" hardware that is both fast and brand new.



Re: [qubes-users] Re: Best Laptop for Qubes 4+ and Heads

2018-09-05 Thread taii...@gmx.com
> So, idea  - gpu passthrouth to hvm ?! unsuccessful

You can't pass a primary GPU.
> 
> I have 16GB ram - Xentop says 15GB are used 
> 
> 11 domains: 2 running, 9 blocked, 0 paused. 
> 
> Mem 16696288k total, 15389884k used, 1306404k free.
> 
> which is quite enough, but hvm maybe eat more ram.

RAM is dynamically allocated as part of ram sharing - if you launch
another VM it will take a little bit away from the ones currently active.



Re: [qubes-users] Re: cpu

2018-09-05 Thread taii...@gmx.com
On 09/04/2018 04:24 PM, Roy Bernat wrote:
> On Monday, 3 September 2018 13:13:23 UTC-4, Foppe de Haan  wrote:
>> I'm afraid so, yeah.
> 
> Thank you for your answer . 
> 
> i am already 1.5 year with qubes and always hope to better performance . 
> 
> i dont know how  i will move to other system but the performance are very bad 
> 
> and making my work not so easy .   
> 
> Roy
> 

Why not buy an owner controlled libreboot supporting pre-PSP KCMA-D8 or
KGPE-D16? They are the last and best owner controlled x86 systems, as of
now OpenPOWER (cpu arch on TALOS 2 libre server/workstation) is the only
owner controlled cpu arch and we must try to get qubes ported to it.

If you want a laptop the G505s is the last and best owner controlled
pre-psp x86 laptop (it supports coreboot with open cpu/ram init)



Re: [qubes-users] Qubes V4 and Windows7-hardware

2018-09-05 Thread taii...@gmx.com
On 09/04/2018 11:20 AM, josefh.maier via qubes-users wrote:
> Hello forum.
> Actual Intel CPU's do not anymore support Windows 7 and Qubes 4 does
> require modern hardware...

That's a myth created by microsoft to force people to buy windows 10 no
matter if they want it or not.

It is an artificial limitation - all they did was stop driver
development for the various peripherals (nic, usb, etc) and add a
windows update blocker which can be removed.

> Question:
> Are Windows 7 based AppVMs supported on "Windows10-only" hardware?
> Thank's for your feedback!

Yeah of course it's not like new cpus lack old instruction sets or what not.

Although I would recommend you instead purchase a system without ME/PSP
such as the owner controlled libre firmware KGPE-D16/KCMA-D8. New x86 is
dead for freedom/security - let us hope that qubes is soon ported to
OpenPOWER so we can run on a libre firmware TALOS 2 (OpenPOWER is
currently the only owner controlled cpu arch)



Re: [qubes-users] QSB #43: L1 Terminal Fault speculative side channel (XSA-273)

2018-09-02 Thread taii...@gmx.com
Yet another reason to port qubes to POWER - the last owner controlled
performance CPU arch.



Re: [qubes-users] Researchers Detail Two New Attacks on TPM Chips

2018-08-30 Thread taii...@gmx.com
No surprise there - TPM's are a proprietary "security" gimmick probably
invented for DRM.

One doesn't really need them if you use coreboot with an embedded kernel
or with grub and kernel code signing and of course write-lock the flash
chip.

Raptor Engineering/Raptor Computing System's FlexVER is something worth
looking in to - pretty much an advanced and much-better-than-TPM
security device that is owner controlled.



Re: [qubes-users] Re: USB Printer

2018-08-30 Thread taii...@gmx.com
For future reference I suggest to all to obtain a network printer that
supports open command languages for printing such as PS/PCL so that you
don't need to rely on USB junk that requires non-free firmware and or
will eventually break due to no driver updates for new distros.



Re: [qubes-users] Qubes 4.0 SSD Encryption

2018-08-25 Thread taii...@gmx.com
On 08/24/2018 11:44 AM, brendan.h...@gmail.com wrote:
> 
> And if your OPAL drive is backdoored by the manufacturer for a government, 
> your drive is backdoored whether you're using OPAL or not and depending on 
> what you wanted to keep private, you're already screwed.

Wrong - if you have an IOMMU and the drive is software encrypted then
you are absolutely fine and it can't do anything but randomly delete
your data.

In that case you can boot from coreboot-grub to a 100% encrypted ssd or
directly load the kernel from coreboot which then decrypts the drive.

You can also buy an OpenSSD from the OpenSSD project if you want a drive
with libre firmware - what is cool about them too is that you can
upgrade the flash modules without changing the controller.

If one installed an OpenSSD on a TALOS 2 then you could have a system
that is entirely open source and documented.

> No security mechanism exists in a vacuum. Layer them as necessary. I want to 
> prevent both remote firmware tampering and out-of-sight boot tampering. So I 
> utilize the SED hardware security. I also enable software volume 
> encryption, when available, as well.

If someone has the ability to modify your device firmware they already
have root or physical access and it is game over, additionally anyone
with the capability to re-write drive firmware[1] probably has a bypass
exploit too.

[1] Such a thing is VERY difficult as there is no available
documentation for them and you need documentation+spec sheets to write
device firmware - interesting fact most drives these days have a multi
core ARM processor.



Re: [qubes-users] how to forward webcam to a VM?

2018-08-23 Thread taii...@gmx.com
On 08/17/2018 05:08 PM, 'awokd' via qubes-users wrote:
> On Fri, August 17, 2018 12:54 pm, Aliaksandr Kavaliou wrote:
>>
>> Hey Guys!
>> after some time i installed Qubes 4.0 and here the usb-proxy goes over the
>> grafic icon. But i still can not run my webcam Logitech C920. I attach it
>> to the webcam-VM, run the software (tox, but also cheese), but there is no
>> device found.
> 
> With some USB devices, I have to assign a spare USB controller (not the
> one you're using for the keyboard/mouse!) directly to the VM before they
> will work. This is not the best solution because you lose the benefits of
> Qubes isolation, but might be the only way.

This actually is the best way to go about it as it is both faster and
more secure than a usb proxy that passes via dom0.

USB controllers short of a very poorly designed one that I don't know
about lack any onboard firmware so as long as it is truly separate from
your other "Trusted" controllers[1]  and has FLR you are good to go.

[1] Intel laptops have shared resources for their usb controllers so
they aren't really separate.
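
The FLR condition in the reply above can be read from `lspci -vv` output before a controller is assigned to a VM. The following is an added example, not part of the original thread: the function names are hypothetical and the device listing is constructed sample data.

```shell
#!/bin/bash
# Added example: report which USB controllers advertise Function Level Reset.
# usb_flr_report reads `lspci -vv` text on stdin and prints one line per
# USB controller: "<bus:dev.fn> FLR" or "<bus:dev.fn> NO-FLR".
usb_flr_report() {
    awk '
        # A device record starts at column 0 with its bus:device.function address.
        /^[0-9a-fA-F:.]+ / {
            if (bdf != "" && is_usb) print bdf, (flr ? "FLR" : "NO-FLR")
            bdf = $1
            is_usb = ($0 ~ /USB controller/)
            flr = 0
            next
        }
        # PCIe functions list the capability as FLReset+ under DevCap.
        # (DevCtl also prints an FLReset flag, but it always reads back as "-".)
        /FLReset\+/ { flr = 1 }
        # Conventional PCI functions, common for chipset USB controllers,
        # list it as FLR+ under the Advanced Features capability.
        /AFCap:.*FLR\+/ { flr = 1 }
        END { if (bdf != "" && is_usb) print bdf, (flr ? "FLR" : "NO-FLR") }
    '
}

# Constructed sample in `lspci -vv` layout: a chipset USB controller with
# Advanced Features FLR, a NIC (must be ignored), and an add-in USB
# controller whose DevCap reports no FLR.
sample_lspci() {
    cat <<'EOF'
00:1d.0 USB controller: Example Chipset EHCI Host Controller (prog-if 20 [EHCI])
    Capabilities: [50] Power Management version 2
    Capabilities: [98] PCI Advanced Features
        AFCap: TP+ FLR+
        AFCtrl: FLR-
02:00.0 Ethernet controller: Example Vendor Gigabit NIC
    Capabilities: [e0] Express (v1) Endpoint, MSI 00
        DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
            ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0.000W
03:00.0 USB controller: Example Vendor USB 3.0 Host Controller (prog-if 30 [XHCI])
    Capabilities: [a0] Express (v2) Endpoint, MSI 00
        DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s unlimited, L1 unlimited
            ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 0.000W
        DevCtl: CorrErr- NonFatalErr- FatalErr- UnsupReq-
            RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop+ FLReset-
EOF
}

# On real hardware the capability lines are only shown to root:
#   sudo lspci -vv | usb_flr_report
```

A controller reported as NO-FLR cannot be reset on its own between VM assignments, which is the condition the reply treats as a requirement.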



Re: [qubes-users] Re: Best Laptop for Qubes 4+ and Heads

2018-08-23 Thread taii...@gmx.com
On 08/20/2018 01:21 PM, stallmanro...@gmail.com wrote:
> 
> ME disabled (works!)

It is a nice laptop and I recommend it sometimes BUT:

As someone with your screen-name I would hope you know that it is
impossible to disable ME.

In your case the BUP module still runs along with any mask roms - more
than enough to add a backdoor to your machine.

Of course in terms of laptops it is still better than newer intel stuff
like the skylake puri-craptops where the bup AND the kernel run on their
"disabled" ME - they changed the definition of disabled just like they
did with the definition of "open firmware" :[

The best and most free laptop is the lenovo G505S of which there is a
thriving little coreboot-qubes4 community thanks to me telling many
people to get it :D

G505S:
* pre-PSP AMD quad core cpu (the A10 model - the others suck)
* coreboot with open cpu/ram init (unlike the blobbed puri-craptop hw
init via the intel fsp binary blob)
* IOMMU that works with qubes 4.0 (Must apply latest microcode updates
or qubes won't work)
Blob status: video+EC but people are apparently working on freeing them
and the IOMMU protects you from any DMA issues.

In terms of other laptops the X230t (with better *20 series non chiclet
keyboard) I recommend if someone wants a tablet and the W520 if someone
wants a mobile workstation with 32GB RAM - both are of course a much
better choice than a puri-craptop as they have open source hardware init
via coreboot and the ME can be nerfed.


> 
> 2. Tomu support (30$ ) (works fine!)
> https://www.crowdsupply.com/sutajio-kosagi/tomu
> 
> porting gnuk to tomu (opensource analog yubikey, needed to use heads)
> 
> https://github.com/osresearch/heads-wiki/blob/master/GPG.md
> 
> Dev: https://github.com/aze00/gnuk/tree/efm32
> PR: https://github.com/im-tomu/tomu-samples/pull/35
> Issue: https://github.com/im-tomu/tomu-samples/issues/4
> 
> Alternative - Nitrokey
> https://shop.nitrokey.com/shop/product/nitrokey-start-6 (based on gnuk)
> 
> 3. https://inversepath.com/usbarmory nice compatibility (works without any 
> issues)
> 
> 4. for good work you need a bundle i7 2gen, 16 RAM and good SSD disk ( I 
> completely lack 256 gigabytes )
> 
> main templates : 
> archlinux
> artful
> bionic
> centos-7
> debian-9
> dev (buster)
> fedora-28
> kali-rolling
> void-template
> whonix-ws-14
> whonix-gw-14
> 
> works fine and easy build from https://github.com/QubesOS/qubes-builder
> 
> + 8-10 services (vpn,tor,wireguard etc)
> + 3-4 disp vm's (internet browsing)
> + 8+10 domains
> 
> Total disk usage : 20.4%
> lvm : 36.2%  77.4GB/213.8GB
> 
> So, 256GB is enough.
> 
> 5. You can use it like tablet ;)
> 
> https://github.com/martin-ueding/thinkpad-scripts
> 
> rotate/touchscreen works great and works on every VM machine.

Nice! glad that still works

Did you install coreboot?

> 
> 6. TPM ownership/reset (work!)
> 
> 7. 10 open vms
> 
> temp 52 
> fan 3496 rpm
> 
> 8. +3G modem or raspberry pi features

The RPI is not an open source firmware device FYI and I recommend
instead purchasing a beagleboard or novena.



Re: [qubes-users] Qubes 4.0 SSD Encryption

2018-08-23 Thread taii...@gmx.com
On 08/23/2018 01:35 PM, brendan.h...@gmail.com wrote:
> On Thursday, August 23, 2018 at 10:30:17 AM UTC-4, Jonathan Seefelder wrote:
>> If you keep wear-leveling in mind, and encrypt the ssd before you fill
>> it with sensitive data, id suggest an ssd. Ideally, you should encrypt
>> /boot also.
> 
> I've posted recommendations on how to add hardware drive encryption on top of 
> Qubes' software encryption on this list before, so I won't repost that.
> 
> In summary, 
> 
> Use an SSD that supports T13 ATA SANITIZE and TCG OPAL, and also remember to 
> enable trim in dom0 ( https://www.qubes-os.org/doc/disk-trim/ ). Enable HW 
> encryption (but also enable QUBES' software encryption).
> 
> Bonus: using SSDs with the above features, when you are done with the system 
> you can instantly (< 2s) erase all user data on the SSD by issuing either an 
> ATA SANITIZE - CRYPTO SCRAMBLE EXT command or an OPAL PSID REVERT command 
> (the latter requires the code printed on the drive label).
> 

Anything TCG is bad news - it was spawned by microsofts project
palladium "trusted computing" concept and it is not owner controlled.

Do you trust proprietary closed source firmware to protect you? I don't
- those kinds of things have many holes.

There is no reason to use an SED drive.

In terms of encrypting boot that is generally impossible without the use
of coreboot so I suggest to obtain an owner controlled pre-PSP laptop
G505S with owner controlled firmware enforced grub kernel code signing
(you sign your own kernels, initramfs etc) its like MS's "secure" boot
but it is actually secure because it is yours not theirs.

The G505S has open cpu/ram init and people are apparently working on
freeing the video/EC blobs but in the mean time IOMMU protects you.

There is a nice little Qubes 4 G505S community.



Re: [qubes-users] New Foreshadow exploits CPU bug

2018-08-20 Thread taii...@gmx.com
SGX is another ME service slash intel marketing gimmick invented for DRM
not security.

If the person who purchased the computer can't examine the VM's running
on it then they are not owning it simply licensing it which is why SGX
is a bad technology and people shouldn't buy x86.



Re: [qubes-users] Re: Incredible HD thrashing on 4.0

2018-08-17 Thread taii...@gmx.com
On a NUMA system it could also be swapping pages from an efficient node
to a less efficient distant node.



Re: [qubes-users] Re: X470 and IOMMU Groups...

2018-08-16 Thread taii...@gmx.com
On 08/16/2018 10:18 AM, FaB wrote:
>>> Hi, Taiidan! The OP seemed to recognize it was ideal to have devices in
>>> separate IOMMU groups, so I assumed he was familiar with the warnings in
>>> https://www.qubes-os.org/doc/assigning-devices/#pci-passthrough-issues and
>>> just wondering if it was technically possible.
> 
> I am fully aware of the security problematics of PCI passthrough, but until
> there is a secure solution to passthrough GFX to a VM (Qubes 4.1 I hope !)
> I am going to continue this way and accept the security decline.

There won't really be.

The issue mainly comes from:

* Hostile firmware re-writes.
* Lack of FLR on most graphics devices.
* The additional complexity of IOMMU-GFX assignment vs regular IOMMU
assigned devices like a network device or HBA.

It isn't that bad if you only assign a single card to a single VM and if
you need it you need it.

Practical reality is that short of being assange or some other very high
profile person no one is going to waste such a high tech exploit on you
when there are much easier ways to go about things.


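The two conditions this exchange turns on (a device sharing its IOMMU group, and a device without FLR) can be checked before assigning a card to a VM. This is an added example, not part of the original posts; the function names, device addresses and sample data are constructed, and it assumes a plain Linux boot where `/sys/kernel/iommu_groups` is populated and `lspci -vv` is run as root.

```shell
#!/bin/sh
# Added example: pre-assignment check for PCI passthrough candidates.

# group_peers ROOT BDF: print the other devices in BDF's IOMMU group.
# ROOT is normally /sys/kernel/iommu_groups. Returns 1 if BDF is in no group.
group_peers() {
    root=$1; bdf=$2
    for dev in "$root"/*/devices/*; do
        [ -e "$dev" ] || continue
        if [ "${dev##*/}" = "$bdf" ]; then
            for peer in "${dev%/*}"/*; do
                [ "${peer##*/}" = "$bdf" ] || echo "${peer##*/}"
            done
            return 0
        fi
    done
    return 1
}

# assess ROOT BDF: reads `lspci -vv -s BDF` text on stdin and prints findings.
# Returns 0 only if the device is alone in its group and advertises FLR.
assess() {
    root=$1; bdf=$2; rc=0
    peers=$(group_peers "$root" "$bdf") || {
        echo "$bdf: not in any IOMMU group"
        return 2
    }
    if [ -n "$peers" ]; then
        echo "$bdf: shares its IOMMU group with:" $peers
        rc=1
    fi
    # lspci prints "FLReset+" in DevCap when Function Level Reset is supported.
    if ! grep -q 'FLReset+'; then
        echo "$bdf: no Function Level Reset advertised"
        rc=1
    fi
    return $rc
}

# Constructed sample tree: a GPU and its audio function share group 13,
# a NIC sits alone in group 14.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/13/devices" "$t/14/devices"
    : > "$t/13/devices/0000:0a:00.0"
    : > "$t/13/devices/0000:0a:00.1"
    : > "$t/14/devices/0000:05:00.0"
    echo "$t"
}

# Constructed lspci excerpts (not captured from real hardware).
SAMPLE_LSPCI_GPU='0a:00.0 VGA compatible controller: Example GPU (constructed)
	Capabilities: [58] Express (v2) Legacy Endpoint, MSI 00
		DevCap:	MaxPayload 256 bytes, PhantFunc 0, Latency L0s <4us, L1 unlimited
			ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset-'
SAMPLE_LSPCI_NIC='05:00.0 Ethernet controller: Example NIC (constructed)
	Capabilities: [a0] Express (v2) Endpoint, MSI 00
		DevCap:	MaxPayload 512 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
			ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset+'

# Demo on the constructed data. On a real system:
#   lspci -vv -s 0a:00.0 | assess /sys/kernel/iommu_groups 0000:0a:00.0
demo_tree=$(make_sample_tree)
printf '%s\n' "$SAMPLE_LSPCI_GPU" | assess "$demo_tree" 0000:0a:00.0 || true
printf '%s\n' "$SAMPLE_LSPCI_NIC" | assess "$demo_tree" 0000:05:00.0 || true
rm -rf "$demo_tree"
```
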

Re: [qubes-users] Re: X470 and IOMMU Groups...

2018-08-16 Thread taii...@gmx.com
On 08/16/2018 07:47 AM, Marcus Linsner wrote:
>>
>> I've observed that Qubes installation rarely ever succeeds on X370 
>> motherboards so I believe the same case applies to X470 motherboards with a 
>> higher chance of failure since it is newer. The reason for this I believe is 
>> because these high-end gaming motherboards have a lot of functionalities/bugs 
>> that break/interfere with Qubes installation which is an awful letdown.
> 
> I've had no issues installing Qubes R4.0 several times(for fun) on Asus PRIME 
> X370-A motherboard. 
> 
> As an aside, this motherboard even has a setting to use Z370's Trusted 
> Platform Module (TPM) [1] - BIOS setting "Firmware-based Trusted Platform 
> Module (fTPM)", so I assume that I can set up Anti Evil Maid in Qubes but 
> haven't tried yet. 
> 
> [1] shown as Intel® Platform Trust Technology (Intel® PTT) [2] in this link: 
> https://www.intel.com/content/www/us/en/products/chipsets/desktop-chipsets/z370.html
> [2] PTT to TPM mapped in this link: 
> https://www.intel.com/content/www/us/en/support/articles/07452/mini-pcs.html
> 

fTPM is an ME application - it is fake security and usually won't work
with anything that wants a real TPM.

I of course always recommend purchasing a device with no black box
supervisor processors like ME/PSP.



Re: [qubes-users] MSI-x support in domU

2018-08-15 Thread taii...@gmx.com
On 08/07/2018 06:41 PM, perme...@gmail.com wrote:

> Q: if a domU kernel enables VF devices in a mapped PF device instance, will 
> the dom0 kernel discover the VF devices?  IE: what is the mechanism whereby a 
> kernel discovers the need for a bus-walk?
> This has to work correctly for Xen, no?

What do you mean by bus walk?

SR-IOV must be enabled in dom0 (but doesn't require networking packages
just enabling on the device to create the VF's)

I would of course look at a xen guide and tweak for your pleasure but
SR-IOV with more than one VM assigned to the same port will decrease
security as would using a multi port networking asic as opposed to one
with a separate chip per port.

Of course every device must have separate IOMMU groups including each VF.

I think SR-IOV is one of the coolest technologies out there and would
love to find out how to get it working for my LSI HBA's as well but I
would like to note there is only one way that it can improve qubes
security and that is by the restricted VF device parameters and also
thus not being able to perform hostile firmware updates from the guest etc.

Do you already have the nics? FYI you definitely don't want to buy a
first gen SR-IOV NIC as they have problems.



Re: [qubes-users] X470 and IOMMU Groups...

2018-08-15 Thread taii...@gmx.com
On 08/12/2018 03:36 PM, 'awokd' via qubes-users wrote:
> 
> No experience with that exact configuration. You can often passthrough
> devices individually even if they are in the same IOMMU group (older
> versions of Xen had trouble).

This is a bad recommendation security wise and I expect better from you.

:<



Re: [qubes-users] X470 and IOMMU Groups...

2018-08-08 Thread taii...@gmx.com
I would instead consider the purchase of an owner controlled KCMA-D8 or
KGPE-D16 motherboard which you can install libre board+bmc firmware on.

They support qubes 4.0 very well and all devices have their own IOMMU group.

They are a much better choice than a proprietary firmware PSP laden
non-owner controlled new intel/amd system and are the last and best
owner controlled x86 motherboards...now the only new performance CPU
arch that is owner controlled is POWER such as the TALOS 2 system which
currently doesn't have a xen port although it supports other virts such
as KVM/QEMU.



Re: [qubes-users] When 4.1? I want Heads - issue #3388 + Rowhammer?

2018-08-08 Thread taii...@gmx.com
On 08/08/2018 02:18 PM, Andreas Moreiro wrote:
> github.com/QubesOS/qubes-issues/issues/3388
> I hope you guys will fix the issue in 4.1. I would do it myself, but don't
> have experience.
> 
> Has there been any talk of Qubes and the older Rowhammer attack?
> Because Xen is probably vulnerable:

"Xen" isn't vulnerable this is not a software issue it is a cheap (as in
poor manufacturing standards not price) RAM issue and it only really
affects laptops with high density ram not desktops and servers.

If you want security you can buy a workstation such as the KCMA-D8 or
KGPE-D16 boards that have available libre board/bmc firmware and support
ECC memory which means you are immune to all known rowhammer attacks if
you purchase decent ram (again quality not price)

The above two boards work great with qubes 4.0 and are the last and best
owner controlled x86 boards.

Another option if you aren't using xen/qubes is the TALOS 2 running an
OpenPOWER9 CPU - POWER is now the only owner controlled CPU arch and
what I recommend for new systems. It is arguably more secure to use
POWER with trustworthy open source POWER-KVM virt and set up a virt
environment that mimics the qubes features than have an ME/PSP qubes
system and I very much hope qubes/xen will be ported to POWER soon.

If you want a laptop the best choice is the G505S which is an older
pre-PSP AMD system that supports open source cpu/ram init coreboot[1] -
after the rowhammer issue went public the ram refresh rate was increased
as a patch for rowhammer which makes it much harder to exploit (this is
the same thing the major OEM's did

[1]There are dishonest companies selling new intel "open firmware
coreboot" systems but in reality the hardware init is entirely performed
by the Intel FSP binary blob instead of coreboot and their ME is not
actually disabled (It is impossible to disable ME - the kernel and init
code still run on those "disabled" systems)

> https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_xiao.pdf
> https://www.wired.com/2016/08/new-form-hacking-breaks-ideas-computers-work/
> 
> I believe RAM encryption to be a good 

It isn't.

Don't drink the wintel kool-aid - intel/amd's ram crypto is made for DRM
and DRM only and it is easily defeated by malicious applications.

Both intel/amd's "feature" is yet another ME/PSP application that is not
owner controlled.



Re: [qubes-users] Re: What CPU are you running for Q 4.0?

2018-05-22 Thread taii...@gmx.com
Generally NVIDIA hates linux so it would be a good idea to purchase an
AMD card instead in the future to avoid problems...

NVIDIA artificially hobbles IOMMU-GFX on their geforce products by
adding bugs to their drivers and they have ruined the nouveau project in
a variety of ways.



Re: [qubes-users] Re: What CPU are you running for Q 4.0?

2018-05-22 Thread taii...@gmx.com
I would suggest a pre-PSP AMD 16 core 6386SE on a KGPE-D16 board running
coreboot-libre or libreboot - 100% open source firmware with no blobs,
the D16 and D8 also have cool stuff like OpenBMC, IOMMU-GFX etc. An 8
core 6328 is also a good fast choice.
The D16 supports max 2x16 cores, so 32 cores and 192GB RAM total.
I play the latest games in a VM at max settings on mine and they support
crossfire for maximum graphics power.

For a laptop there is also the G505S pre-PSP with the only blobs for
video, EC and power management - there is a free EC replacement in progress.

This would be the best, most secure and most free option for qubes 4.0 -
the above are all the last and best owner controlled x86_64 options; the
future of freedom performance computing is OpenPOWER eg: the TALOS 2 but
xen doesn't support POWER so you would have to use it for your non-qubes
virtualization needs.



Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-05-21 Thread taii...@gmx.com
*ML thread reply*
Hey guys you can install the latest microcode now from linux-firmware,
no NDA or w/e I believe this is the latest version.
See my thread on the coreboot ML for more info.

Remember folks the G505S has a piledriver cpu and thus it NEEDS a
microcode update to have IOMMU (and thus work for V4) and be secure due
to various exploits.

before:
microcode: CPU0 patch_level=0x0600084f

after:
microcode: CPU0: new patch_level=0x06000852

I think this is the latest version but I don't know for sure.


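A check for the patch levels quoted in the message above, as an added example that is not part of the original post: it reads kernel log lines in the two formats shown and fails if any CPU is below a required level. The function names and the sample log are constructed; the threshold used is the "after" value from the message, which its author was not sure is the latest.

```shell
#!/bin/sh
# Added example: verify AMD microcode patch levels from kernel log lines.

# Constructed sample log using the two line formats quoted in the message.
SAMPLE_LOG='[    0.512345] microcode: CPU0 patch_level=0x0600084f
[    0.512350] microcode: CPU1 patch_level=0x0600084f
[    4.100001] microcode: CPU0: new patch_level=0x06000852
[    4.100009] microcode: CPU1: new patch_level=0x06000852'

# latest_patch_levels: read log text on stdin, print "cpu level" using the
# last patch level logged for each CPU (a later line overrides an earlier one).
latest_patch_levels() {
    sed -n 's/.*microcode: CPU\([0-9][0-9]*\):\{0,1\} .*patch_level=\(0x[0-9a-fA-F]*\).*/\1 \2/p' |
        awk '{ last[$1] = $2 } END { for (c in last) print c, last[c] }' |
        sort -n
}

# microcode_ok REQUIRED: read log text on stdin.
# Returns 0 if every CPU is at or above REQUIRED, 1 if any CPU is below it,
# 2 if the log contains no microcode lines at all.
microcode_ok() {
    required=$(printf '%d' "$1")
    levels=$(latest_patch_levels)
    [ -n "$levels" ] || return 2
    status=0
    while read -r cpu level; do
        if [ "$(printf '%d' "$level")" -lt "$required" ]; then
            echo "CPU$cpu is at $level, below $1" >&2
            status=1
        fi
    done <<EOF
$levels
EOF
    return $status
}

# Demo on the constructed log. On a real system: dmesg | microcode_ok 0x06000852
printf '%s\n' "$SAMPLE_LOG" | microcode_ok 0x06000852 &&
    echo "all CPUs at or above 0x06000852"
```
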

Re: [qubes-users] Ram Limit

2018-05-18 Thread taii...@gmx.com
On 05/15/2018 11:01 PM, awokd wrote:

> I think Thomas is saying he's setting a minimum of 400MB but sees the VM
> dropping to 320MB and crashing. Your solution of setting a fixed memory
> size and disabling memory balancing on the VM should also work in that
> case!

Oh no I don't mean that :[ such a thing should only be done for critical
applications VM's not all of them, but I had the same issue which was
caused by some kind of memory leak now I must restart every so often or
else I am only able to run a dwindling amount of appVM's on qubes 3.2



Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-16 Thread taii...@gmx.com
On 05/15/2018 01:22 AM, john wrote:

> On 05/14/18 14:58, Ángel wrote:
>> This paper is most interesting for the discovery of multiple ways email
>> client leak information on visualization.
>> (not clearly stated in the paper: some of them are already fixed, while
>> in other cases the developers are still working on providing them)
>>
>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>> AppVM can only contact with your email server.
>> NB that some of these leaks are dns-based, so ideally you would not
>> allow it to perform any dns query, either.
>>
>> Best regards
>>
> can you give an example to the steps to make such a fw rule, if
> it's that simple please ?
I would suggest simply only allowing the ports you need for your email
client.



Re: [qubes-users] Re: Desperately want Qubes, but can't install on Asus Sabertooth x79

2018-05-16 Thread taii...@gmx.com
On 05/16/2018 03:35 PM, Mindus Amitiel Debsin wrote:

> OK, I got Qubes installed and it seems to be working fine. It's not on my 
> primary SSD drive, but it is working fine on an external SATA drive I 
> connected. I had to do a UTC time fix to make Whonix work, but I did and now 
> it works.
>
> So I have a couple questions now as to whether or not I can use Qubes as a 
> primary OS:
>
> 1) Is it true that only Windows 7 can be installed as a qube?
Nah you can use any windows.
> 2) I have a brand new GTX 1080 TI graphics card on the way: will there be any 
> driver support on qubes for this, or will I suffer dramatically reduced 
> performance?
You don't need nor benefit from any 3D acceleration in the host windows
but due to nvidias hate of linux and the nouveau project you would
probably be forced to install the *unsigned* proprietary drivers which
adds many security risks to get even just 2D acceleration of the window
manager.

If you can I would return it for an AMD card - they are much more
friendly when it comes to linux and of course playing games in a VM,
nvidia introduced a "bug" in their drivers to make it more difficult.
> 3) Will Steam and its games work on a Windows 7 qubes VM?
Yeah you can probably do that.
I use qemu on another PC and play my games at max settings in a VM on my
libre firmware KGPE-D16 board, if done properly there will be no
stuttering or reduced performance vs bare metal.

Keep in mind most "consumer" boards have broken IOMMU and or IOMMU-GFX
due to firmware bugs, but you might be able to work around that by using
the coreboot sandybridge/ivybridge autoport utility to make a port for
your board if the hardware is supported - or of course just buying a
KCMA-D8 or KGPE-D16 and installing the very good
libreboot/coreboot-libre port.



Re: [qubes-users] Qubes 4.0 won't boot via coreboot grub rescue

2018-05-15 Thread taii...@gmx.com
On 05/14/2018 06:25 PM, awokd wrote:

> On Mon, May 14, 2018 8:58 pm, taii...@gmx.com wrote:
>> I try the usual syslinux_configfile but I get an "out of memory" error
>> how am I to do this? ideas?
> Can you step through what you are trying to do and where the error
> appears? Not sure I'm following.
Sure :D

I wish to install qubes 4.0 via the coreboot grub payload.

So I try to boot qubes 4.0 DVD via the grub coreboot payload which
provides one with a grub-rescue console, normally the command
"syslinux_configfile (ahci1)/isolinux/isolinux.cfg" or what not will
launch the iso as normal but instead I receive an out of memory error
and for some reason the grub.cfg included in the isolinux folder doesn't
work either.



Re: [qubes-users] Ram Limit

2018-05-15 Thread taii...@gmx.com
On 05/15/2018 11:07 AM, Thomas Druilhe wrote:

> Hi,
>
> We are using Qube-os 3.2 and sometimes we got a problem with RAM usage.
Corporate user?
> We set up minimum limit at 400Mo but sometimes RAM drop to 320 Mo causing 
> crash of the application.
>
> How the amount of RAM can be under the limit fixed in the settings of the VM ?
Well you can have as much as you please via the pre-allocate option
disabling memory scaling.

If you are using memory balancing the issue is probably not having
enough on the host thus you are memory starved.

I suggest pre-allocation for critical applications VMs, such as if one
was using xen (not qubes ofc) for a domain controller, DNS, etc.



[qubes-users] Qubes 4.0 won't boot via coreboot grub rescue

2018-05-14 Thread taii...@gmx.com
I try the usual syslinux_configfile but I get an "out of memory" error
how am I to do this? ideas?



Re: [qubes-users] 2 Xeon Gold vs i9 for Qubes-OS?

2018-05-12 Thread taii...@gmx.com
On 05/11/2018 04:30 AM, olegden...@gmail.com wrote:

> What will be better for Qubes-OS - i9 or Xeon Gold? Does it support two cpu 
> based system? Thanks.
>
I wouldn't waste your money on new spyware filled intel junk.

I suggest instead purchasing a KGPE-D16 or KCMA-D8 board
With the D16 you have max 32 cores 192GB RAM, D8 max 16 cores 128GB RAM.
(note the D16 comes with the module you need for OpenBMC the D8 doesn't)
On both there is no ME/PSP, they are owner controlled and support
libreboot plus OpenBMC and there are a variety of ports including two
usb controllers (second via board header) and multiple PCI-e slots in
case for instance you want to play video games in a VM like me.
AMD g34/c32 platforms are the last and best owner controlled x86_64
devices, the future of high performance owner controlled computing is
POWER but unfortunately qubes needs xen and xen doesn't support POWER
(although if you have non-qubes virtualization needs the TALOS 2 is a
and very fast freedom choice)
Qubes can use as many CPU's as you have - but I imagine 16 cores will be
more than enough so I would start with only one CPU and 32GB RAM.

In the end you will save a lot of money and have much better security by
doing this vs buying an overpriced xeon, you will also have enough cash
left over to buy the G505S running the FT3 platform which is the last
and best x86_64 laptop platform without ME/PSP, it is owner controlled,
has open cpu/ram init and people are working on an open source EC
replacement.



Re: [qubes-users] No Qubes 4 without VT-x?

2018-05-12 Thread taii...@gmx.com
On 05/07/2018 02:56 PM, evo wrote:

> Hello!
>
> Do i understand it correctly, that there is no sense to try Qubes 4.0
> without having VT-x?
>
> On my Thinkpad W530 I just have VT-d but no VT-x.
>
> There will be Qubes 3.2.1 for just VT-d machines, isn't it?
Your laptop has both you need to either enable it in the CMOS or install
coreboot - I highly recommend installing coreboot for a variety of
reasons (let me know if you want help)

I also recommend installing the superior *20 series keyboard/palm-rest
so that you have a real keyboard not a crappy island keyboard.



Re: [qubes-users] Well supported laptops with 64GB system memory?

2018-05-04 Thread taii...@gmx.com
There are no laptops with that much memory, let alone one that isn't full
of firmware problems; your best choice is the W520 (with an ivy bridge
cpu) which has open hardware init coreboot with a nerfable ME and 32GB
MAX RAM.



Re: [qubes-users] Re: Qubes Os4 very slowly comparing to Qubes 3.2

2018-04-30 Thread taii...@gmx.com
On 04/30/2018 04:54 PM, cooloutac wrote:

> On Monday, April 30, 2018 at 3:10:30 PM UTC-4, frkl...@gmail.com wrote:
>> That could be a good idea John! 
>>
>> I have only one problem. I can not disable Speedstep in the Bios- Uefi 
>> because there is no Speedstep configuration. 
>>
>> Does anyone know how to disable speedstep outside of the Bios at qubes os? I 
>> didn't find any solution.
> disable c-states option if there is one.  just make sure your pc doesn't run 
> significantly hotter.
When intel first introduced power saving measures people always thought
that was the reason their computer was running slowly, but if frequency
scaling is working properly all it does is save you money on your power
bill - in your case it probably isn't functioning right and you should
investigate in dom0.
> also as previous poster said 8 gb of ram is too small and 4.0 uses more 
> resources than 3.2 as well.  ssd also helps.
I use 8GB RAM and no swap without any issues, you can't run too many
VM's especially with resource consuming firefox but it isn't that terrible.

PVH should be just as fast as PV, I would investigate frequency scaling
and of course install the spectre microcode updates (very difficult
thanks to the good people at intel/amd not really releasing them)



Re: [qubes-users] AMD? threadripper / ryzen?

2018-04-30 Thread taii...@gmx.com
On 04/30/2018 08:09 PM, pixel fairy wrote:

> ready to ditch intel on desktop (and maybe laptop if anyone has a good 
> recommendation) 
>
> my understanding is that some amd lines dont have PSP or any such equivalent 
> to intelME or AMT.
The older stuff like socket g34 and c32.
> about to jump down the rabbit hole of figuring this out. 
>
> has anyone tried ryzen or threadripper? 
They have PSP - impossible to disable it just like ME.
> is there another line worth looking at?
>
> what im looking for,
>
> * no psp, ME, amt etc
> * no speculative execution vulnerabilities (at least no known ones)
You gotta install the latest microcode updates anyways it seems so a
43xx/63xx CPU is what to get with the boards I mentioned.
> * at least 32gigs of ram (yes, i actually use that)
> * at least 8 cores or threads.
> * ps2 mouse/keyboard or more than 1 usb bus.
I would get a KCMA-D8 ($315) or KGPE-D16 ($415) they check all your
boxes and more - they are what all the experts use, leah rowe from
libreboot paid for them to be ported to coreboot-libre a few years ago.
D16 max 192GB RAM with 32 cores, and it also has OpenBMC support, two
separate usb controllers (btw you need breakout cables for second
controller/more ports) etc.

The PS/2 security idea thing is from idiots who have no idea what they
are doing, using PS2 sends all your keystrokes out on the ground wire as
I have mentioned previously.
I would get a unicomp keyboard with trackpad, as then you have input
devices where the firmware can't be internally flashed like most
keyboards can.
> gpu support for tensorflow would be nice, but will probably make a second, 
> dedicated box when that time comes.
>
> free bios support (coreboot, libreboot etc) would be nice too.
>
> and before anyone suggests it, no, im not porting xen to talon.
*Talos 2
It seems you have read my other posts? in that case why do you ask? I
have already answered all these questions many times.
> a laptop like the above would be awesome if its light and has good battery 
> life, but thats not something im going to hold my breath for.
The G505s has 4 cores and 16GB RAM, the FT3 platform is the last and
best x86_64 laptop platform without PSP/ME that supports IOMMU, open
init for ram/cpu etc.
There are a few FT3 coreboot laptops but this is the best supported/most
popular.

I am pleased you are smart enough to avoid the fraudulent companies out
there.



Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-30 Thread taii...@gmx.com
On 04/30/2018 08:49 PM, Andrew B wrote:

> OK, just to clarify, if I am to build the coreboot image, I need to do that 
> on the G505s by say running Debian or Ubuntu (presumably could use a Live 
> disc/USB) or similar and building the image as shown here?
> https://www.coreboot.org/Board:lenovo/g505s#Building_a_coreboot_image
Yeah.
But you need another PC in case something goes wrong.
> Then I take the created coreboot.rom file and load it onto a separate 
> computer where I can externally flash the G505s as shown here: 
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
Get a USB CH341A, they're easier.



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-13 Thread taii...@gmx.com
Hey guys you don't need a VGA ROM for the integrated graphics - they use
coreboot native init.



Re: [qubes-users] Keyboard not working: How to make the buying decision?

2018-04-13 Thread taii...@gmx.com
On 04/13/2018 03:01 PM, 00010age...@gmail.com wrote:

> Is there a way to know which keyboards are incompatible with QubesOS?
>
> Or do we just need to keep on buying keyboards until one works?

You need to enable the keyboard sys-usb forwarding permission in qubes
settings files, there is a guide on the website for that.

> I'm asking because I bought the (IMHO best ergonomic mouse/keyboard combo; 
> wireless) "Microsoft Sculpt Ergonomic Desktop" [0], but only the mouse works 
> (and only once you have logged into your QubesOS session), not the keyboard.
>
> So based on what is one supposed to make the buying decision?
>
The best keyboards are made in a first world country and have firmware
that can't be internally flashed - the unicomp keyboards fit the bill
here and are much more secure as the firmware can't be re-written and
they are made in usa thus more trustworthy than one that is made in china.

The price is very reasonable as they are expected to last for 30 years
or so - mine is over a decade old and it still looks good as new after I
clean it and it has also survived spills thanks to the drain holes and
design that prevents water ingress.

Mechanical keyboards are great :D



Re: [qubes-users] Offtopic :: reasonable secure routers?

2018-04-12 Thread taii...@gmx.com
On 04/12/2018 09:21 AM, Steve Coleman wrote:

> On 04/12/18 05:32, Jo wrote:
>> My suggestion would be the Turris Omnia. Im using it myself in
>> various cases and im very happy with it.
>
> I second this opinion. Its Open Source (OpenWrt), downloads its own
> patches to keep up with any security issues or exploits in the wild.
> Unless of course you choose to be paranoid enough to do your own
> builds/patches.
It is not open source because it does not have libre firmware nor actual
schematics.

I can't believe people's standards have fallen so far down that simply
letting you run linux and publishing the board diagram is considered
"open source hardware"

On 04/12/2018 02:04 AM, Giulio wrote:

> In my opinion the best affordable option is using a PC Engines APU2 with 
> OpenBSD https://www.pcengines.ch/apu2.htm (but of course you can use 
> linux/FreeBSD too).
The APU2 has AMD PSP so I would not get it, whereas the APU1 doesn't.

On 04/12/2018 02:01 AM, 799 wrote:

> having a reasonable secure OS and maybe some additional freedom by using
> Coreboot is great, but might not be enough.

I would use a KCMA-D8 running a libre version of coreboot and OPNSense.
It has two quality onboard nics and various pci-e slots.

pfsense is now controlled by an evil corporation that is forcing
undesired changes and privacy violations on people such as:
* Mandating AES-NI to arbitrarily make older computers not work with it,
to try and encourage people to buy their pre-built routers.
* Adding a phone home function that sends your serial numbers and
various data to rubicon communications - this setting is on by default
and for some reason turns back on randomly.
* Ignoring basic security concepts such as signed updates and .isos
because "we have a hash hosted on two separate servers" and insulting me
when I protested.
* Insulting their competitors by making a website full of lies, nazi
images and porn clipart.

https://en.wikipedia.org/wiki/OPNsense
https://opnsense.org/opnsense-com/
"In November 2017, a World Intellectual Property Organization panel
found that Netgate, the copyright owner of pfSense, had been using the
domain opnsense.com in bad faith to discredit OPNsense, and obligated
Netgate to transfer the domain to Deciso. The Netgate party tried to
invoke the fair use clause and claimed that the domain name "has been
used for a parody website"; it was rejected on the basis that free
speech does not cover registration of domain names.[6]"

Does that sound like a trustworthy company led by mature individuals?

I suggest the use of OPNSense instead of pfsense - the founder of
pfsense has not been in control of the project for a long time.



Re: [qubes-users] Q4 Laptops...

2018-04-12 Thread taii...@gmx.com
On 04/12/2018 08:49 AM, cooloutac wrote:

> In my case I found uefi mode works better for Qubes.   For example using 
> legacy bios mode i have many wake from sleep problems,  such as usb mouse in 
> sys-usb not working after sleep.  system becoming unresponsive.
>
> Booting in uefi mode I don't have those problems.  I think eventually we will 
> have no choice but to use uefi cause all hardware will be designed for it.
>
Commodity hardware in the future will suck and won't allow you to run
your own distro, or even your own programs unless you pay for a
"developer" computer. This is the goal of microsoft.

The future for owner controlled high performance devices is POWER, the
TALOS 2 is now in full production and the benchmarks indicate that it
costs thousands less than an intel/amd system with equivalent performance.

For once we have a unicorn - a libre firmware system that is actually
fast and brand new.
> Unfortunately using uefi mode does not give any security benefits since Qubes 
> doesn't support secure boot
>
Oh boy here we go again with
linux-distro-sucks-unless-it-supports-microsoft-technology
https://www.phoronix.com/scan.php?page=news_item&px=UEFI-Kernel-Lockdown-Concerns

Linus describes Secure Boot as being "pushed in your face by people with
an agenda."
Even Linus agrees with me that these things aren't happening in a vacuum.

Remember guys if something is truly good it doesn't need to be forced on
you "for your own good"
> or secure flash.
>
Operating systems should not be modifying EEPROM settings - you are free
to use flashrom to do that yourself if you so desire.

I grow increasingly tired of your uninformed comments.



Re: [qubes-users] Another thread on Qubes 4 machines....

2018-04-11 Thread taii...@gmx.com
On 04/11/2018 01:21 PM, Andrew B wrote:

> Sorry to beat a dead horse. I am sure folks here are sick of answering 
> hardware questions. 
>
> So I understand the dev team currently seems to like the Lenovo Thinkpad X1 
> Carbon 5th gen. I assume best to get with 16GB RAM (max) and an SSD. I assume 
> you get with Windows10 or 7 and wipe it clean for your Qubes install or even 
> need to install some new BIOS? 
The only carbon that supports coreboot is the first gen model, but it is
pretty much a crappier thinkpad.
> I know some folks here have recommended for example the W520 or W530 but 
> these would have to be bought used since they are no longer for sale?
Yes but you can still buy CPU upgrades and the parts on fleabay to
replace worn keyboards, armrest etc.

There are also some companies selling already refurbished ones that look
new in case you don't wish to do it yourself but of course that costs more.
> Would we expect the X1 to have similar feature compatibility with Qubes 4 as 
> the W520 or W530? Better the 5th Gen than the newest 6th Gen?
It could work yes but you would be stuck with Lenovo's proprietary
firmware full of bugs and backdoors.

The most free Q4 laptop option is the G505S which has no ME/PSP plus
coreboot with open hw init for the cpu/memory.

Laptop options from best to worst:
Lenovo G505S (no ME/PSP, blobbed video/power control BUT they are
controlled via IOMMU)
W520 (ivy bridge cpu upgrade suggested - 32GB RAM max available)
X220
T420 (ivy bridge cpu upgrade suggested)

Libre firmware desktops:
KCMA-D8
KGPE-D16 (still easily available new for MSRP)
D8/D16 can play new video games in a VM at max settings via IOMMU-GFX.
they are great.
The D16 comes with the ASMB4 or ASMB5 module you need for the OpenBMC
open source secure remote access firmware.

For your non-qubes virtualization needs there is also the TALOS 2 which
is a brand new very fast libre firmware workstation/server platform
running a POWER9 CPU with the IBM OpenBMC (better than the D16's
facebook OpenBMC)
x86 is dead freedomwise, the future is POWER which is now the only owner
controlled performance CPU arch, if you have the money I would get it as
it is really great and you can set up a nice secure virtualization
platform it also supports IOMMU-GFX for video acceleration in VM's.

Puricrap isn't on the list because they falsely claim their laptops have
open source firmware which they don't, and that their ME is disabled
which it isn't.
> I want Qubes because I am interested in security and therefore am willing to 
> pay more for the right machine. An ideal machine might be more oriented to 
> open source than the Lenovo machines.
If you have money to burn I would buy a KGPE-D16 and a G505S.

And of course for your non qubes computing needs the Talos 2 is the most
free computer on the market right now, it is the first computer sold
with libre firmware from the factory and the first that is released
along with its CPU arch thus it is brand new -  POWER9 is incredibly
fast and has 4 SMT threads per core.
> In that vein I looked at the Thinkpenguin Y machine, which seemed to have 
> nice specs plus the ability to get 32GB RAM
> https://www.thinkpenguin.com/gnu-linux/penguin-y-gnulinux-laptop
> however Thinkpenguin sales told me: 
>
> "I wouldn't expect it to work right given Qubes4 is based off an older driver 
> stack. If there is a rolling update to the driver stack I'm not aware of it. 
> I believe the core is based on Fedora which has frequent releases rather than 
> a rolling driver stack which I think means based on the version of Fedora 
> currently used Qubes4 is slightly too far out of date to have support for the 
> latest generation hardware. I think even the latest release of Fedora might 
> not be adequate as I don't think its listed on either laptop as a supported 
> distribution but that might just be the result of nobody checking thus far."
Thinkpenguin is an honest company, way better than the dishonest
puri.diots and system76 (now S76 claims they make their laptops in
america which is a lie as there are no us made intel CPU's)
> Is that right? So is it generally better to try and setup older hardware with 
> Qubes from a strict features-compatibility standpoint?
Generally yes.

Hey feel free to email me directly for libre computing advice.



Re: [qubes-users] X230 won't boot into Qubes after installing 4.0

2018-04-11 Thread taii...@gmx.com
On 04/11/2018 08:57 AM, berto0...@gmail.com wrote:

> Hi 799,
>
> just to be clear, my only intention was to help fellow newbie Andreas not to 
> jump on your attempt to help.
>> I am using Coreboot with SeaBIOS as Payload and everything works supernice 
>> and like the best Laptop I have ever had.
> The Thinkpad X230 is a good laptop -- that's why I bought it after all. A 
> solution that asks for opening your laptop case with a screwdriver and a 
> connect a  hardware IC flasher to the motherboard is just not practical for 
> everyone. I might try some time in the future, though ;)
It is very easy to do - just buy a USB CH341A plus the correct SOIC8
clip with a cable and make sure it is properly oriented; it should cost you
around $10-20 for both.
It takes only around 10 minutes to do and I highly recommend it.

I also suggest buying a *20 series non-chiclet keyboard while you are at
it, it is a good mod.



Re: [qubes-users] Q4 Laptops...

2018-04-11 Thread taii...@gmx.com
On 04/11/2018 03:19 AM, Drew White wrote:

> On Wednesday, 11 April 2018 16:55:48 UTC+10, tai...@gmx.com  wrote:
>> The best you will get is a W520 or W530 where you can install coreboot
>> (open hw init + nerfed ME) and have 32GB RAM.
>
> FYI, I'm happy to see you went with Lenovo.
> Best End User devices in general. (Or used to be)
Lenovo is an evil company that continually inserts backdoors in to their
firmware.
They simply ride the coat-tails of IBM which is why so many still use
their stuff.
The W520, G505S (no PSP/ME!) etc were from before they got really shitty.

It is a damn shame, they continually remove the thinkpad features that
people like in the new stuff just chasing apple removing all the useful
ports, thinklight, mouse nub, non-chiclet keyboard, trackpad buttons etc



Re: [qubes-users] Q4 Laptops...

2018-04-11 Thread taii...@gmx.com
On 04/11/2018 03:14 AM, Drew White wrote:

> On Wednesday, 11 April 2018 16:55:48 UTC+10, tai...@gmx.com  wrote:
>> What you ask for is impossible, it simply isn't made - no one has a
>> laptop with 64GB RAM and 12 threads let alone one that is old enough to
>> not have UEFI.
> I know that they exist, and I would have one if I had enough money. But they 
> do exist. As for UEFI (Microsoft's shit invention) if I can disable it or else 
> just replace it with an actual REAL BIOS, then I will.
You can't do that unless the computer supports coreboot and the new
stuff doesn't.
>> The best you will get is a W520 or W530 where you can install coreboot
>> (open hw init + nerfed ME) and have 32GB RAM.
> Can the CPU be upgraded in those though?
Yeah it's socketed.

I suggest buying a W520 and installing the best ivybridge CPU you can,
then you get the better non-chiclet keyboard and it is also better
supported in coreboot; the port for the W530 was never upstreamed.
>> Purism is not libre - their "open source firmware" has hardware
>> initiation done entirely via binary blobs and their ME is certainly not
>> disabled as the kernel still runs along with any hypothetical backdoor.
>> Their marketing is incredibly dishonest and I simply don't understand
>> why they get so much air time.
> lol, then the only way I can get around it is to disable it myself by editing 
> the CPU firmware? Or is there something else that controls that? (I'll have 
> to look into it.)
Disabling ME/PSP is impossible, it simply can't be done without
intervention from intel/amd.
The puridiots claim they will eventually be able to convince intel to do
it because some sales guy at a convention said so (they will say
whatever to get you to buy stuff) - however google tried a few years
back and even them as a billion dollar company wasn't able to convince
intel to do it.

ME cleaner nerfs it; even with the HAP bit it isn't disabled because the
kernel still runs, it simply shuts off after the kernel runs, but that is
more than enough time to set up any potential backdoor and perform a
variety of dirty tricks.

NSA/MSS/FSB says: "oh no they removed the networking module what will we
do now D: D: D:"
> If their information is wrong, then I'll report them for false advertising. 
> Thanks for letting me know.
I don't know who you could report them to but thanks anyway, I would like
that very much; their marketing is very sleazy and dishonest.
Like I said I simply don't understand why I am the only critical voice,
the tech media frequently publishes glorified press releases for them
with absolutely no criticism or real facts about how their computers are
not and can't ever have free firmware or free hardware...

https://goblinrefuge.com/mediagoblin/u/onpon4/m/what-purism-s-road-to-fsf-ryf-endorsement-chart-should-look-like/
https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
https://web.archive.org/web/20161010040458/https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/
https://web.archive.org/web/20161010100959/https://blogs.coreboot.org/blog/2015/08/09/the-truth-about-purism-behind-the-coreboot-scenes/
(Gotta love their insulting of their honest competitors and donating to
their own crowdfunding campaign)



Re: [qubes-users] Q4 Laptops...

2018-04-10 Thread taii...@gmx.com
What you ask for is impossible, it simply isn't made - no one has a
laptop with 64GB RAM and 12 threads let alone one that is old enough to
not have UEFI.
The best you will get is a W520 or W530 where you can install coreboot
(open hw init + nerfed ME) and have 32GB RAM.

Purism is not libre - their "open source firmware" has hardware
initiation done entirely via binary blobs and their ME is certainly not
disabled as the kernel still runs along with any hypothetical backdoor.
Their marketing is incredibly dishonest and I simply don't understand
why they get so much air time.



Re: [qubes-users] Re: Cloudflare DNS-over-HTTPS in Qubes?

2018-04-07 Thread taii...@gmx.com
On 04/05/2018 04:54 PM, 799 wrote:

> Hello,
>
>
> On 5 April 2018 at 22:38, taii...@gmx.com  wrote:
>
>> Wow people are actually falling for cloudflares "privacy respecting"
>> bullshit from a service that uses for example browser fingerprinting on
>> every computer that it serves and blacklists sites based on how the CEO
>> is feeling that morning. [...]
>>
> Can you provide some additional information to cover this?
> Regarding the blacklisting you are referring to the "Daily Stormer" case?
> Discussed also here;
> https://blog.cloudflare.com/why-we-terminated-daily-stormer/
Yes - today the lunatic fringe next the normal you and me websites - ex:
now in court the rights enforcement companies are using that decision to
argue that cloudflare can and should remove websites see the ALS-Scan case.

I don't trust a company that makes choices based on the CEO's feelings
instead of boardroom policy.
> What exactly do you mean by browser fingerprinting?
You have to have javascript enabled to view a cloudflare website because
it wants to fingerprint your computer.
> Are you talking about Browser Integrity Checks?
Oh yeah it's for our own good and companies never lie.
> https://support.cloudflare.com/hc/en-us/articles/200170086-What-does-the-Browser-Integrity-Check-do-
>
> "[...] Cloudflare's Browser Integrity Check (BIC) is similar to Bad
> Behavior and looks for common HTTP
>  headers abused most commonly by spammers and denies access to your page.
> It will also challenge
>  visitors that do not have a user agent or a non standard user agent (also
> commonly used by abuse
>  bots, crawlers or visitors) [...]"
>
> You wrote: "They are a front for an intelligence agency"
>
> In general I'd like to see that claims - no matter which - are based on
> evidence or at least facts.
> How do you come to this conclusion?
Because they are now able to monitor most of the internet? Tell me that
isn't an absolutely perfect situation.



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread taii...@gmx.com
On 04/06/2018 05:22 AM, 799 wrote:

> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
Assuming you set the write-lock on the flash descriptor and have a
physical anti-tamper sticker on the case screws.

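The write-lock mentioned in the reply above is a set of access bits in the master section of the Intel flash descriptor. As an added example (not code from the thread or from coreboot), this Python script reads a firmware dump and reports whether the host CPU is still allowed to write the descriptor or ME regions. It assumes the version 1 descriptor layout (signature at 0x10, read bits from 16, write bits from 24) and a dump that starts with the descriptor; the function names and the sample bytes are constructed for illustration.

```python
"""Report which flash masters may write which regions of an Intel flash descriptor.

Added illustration. Assumes the version 1 descriptor layout and a dump
that begins with the descriptor region.
"""
import struct
import sys

IFD_SIGNATURE = 0x0FF0A55A           # FLVALSIG magic value
SIG_OFFSET = 0x10                    # assumption: descriptor sits at the start of the dump
RD_SHIFT, WR_SHIFT = 16, 24          # assumption: version 1 access-bit positions
REGIONS = ("descriptor", "bios", "me", "gbe", "platform_data")
MASTERS = ("host_cpu", "me", "gbe")  # FLMSTR1, FLMSTR2, FLMSTR3


def parse_masters(image: bytes) -> dict:
    """Return {master: {"read": set, "write": set}} decoded from a flash dump."""
    if len(image) < SIG_OFFSET + 12:
        raise ValueError("dump too short to hold a flash descriptor")
    sig, _flmap0, flmap1 = struct.unpack_from("<III", image, SIG_OFFSET)
    if sig != IFD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    fmba = (flmap1 & 0xFF) << 4      # master section base address
    if fmba + 4 * len(MASTERS) > len(image):
        raise ValueError("master section lies outside the dump")
    access = {}
    for index, master in enumerate(MASTERS):
        (flmstr,) = struct.unpack_from("<I", image, fmba + 4 * index)
        access[master] = {
            "read": {r for bit, r in enumerate(REGIONS)
                     if (flmstr >> (RD_SHIFT + bit)) & 1},
            "write": {r for bit, r in enumerate(REGIONS)
                      if (flmstr >> (WR_SHIFT + bit)) & 1},
        }
    return access


def lock_findings(image: bytes) -> list:
    """List the ways software on the host could still rewrite protected regions."""
    host = parse_masters(image)["host_cpu"]
    findings = []
    if "descriptor" in host["write"]:
        findings.append("host CPU can rewrite the flash descriptor (not locked)")
    if "me" in host["write"]:
        findings.append("host CPU can rewrite the ME region")
    return findings


def make_sample(locked: bool) -> bytes:
    """Build a constructed 4 KiB descriptor; these are sample values, not a real dump."""
    image = bytearray(b"\xff" * 4096)
    flmap0 = (0x04 << 16) | 0x03     # constructed: region section 0x40, components 0x30
    flmap1 = 0x06                    # constructed: master section at 0x60
    struct.pack_into("<III", image, SIG_OFFSET, IFD_SIGNATURE, flmap0, flmap1)
    if locked:
        masters = (0x0A0B0000, 0x0C0D0000, 0x08080118)
    else:
        masters = (0xFFFF0000, 0xFFFF0000, 0xFFFF0118)
    struct.pack_into("<III", image, 0x60, *masters)
    return bytes(image)


if __name__ == "__main__":
    # Pass the path of a dump to inspect; with no argument the unlocked sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = make_sample(locked=False)
    for line in lock_findings(data) or ["descriptor and ME regions are not host-writable"]:
        print(line)
```

A clean result only describes what software on the machine can write through the chipset's SPI controller; a clip-on programmer is not bound by these bits, which is why the reply pairs the lock with tamper-evident case screws.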

