Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[dhorf-hfre...@hashmail.org]

On Mon, May 11, 2020 at 01:48:58AM -0700, matteochi...@gmail.com wrote:

> Firstly, is it safe to have Windows and Qubes on the same machine? I
> use VeraCrypt for full disc encryption

veracrypt does not support actual full disc encryption.


> Also, I've got a 2TB external HDD, would it be safer to run Qubes from
> that and keep Windows on my internal drive or is that worse?

if that HDD is connected via USB, i would not recommend installing
qubes to it.
while both "install to usb" and "install to hdd" are supported, they
have major drawbacks.


> I want to keep maximum security and keep Windows and Qubes seperate.

this is not possible.
if you multiboot, you are very far from "maximum security".


> Any answers to questions or installation guidance is greatly

https://www.qubes-os.org/doc/multiboot/

[Andrew Sullivan]

Sorry if I have double-posted this...

The link to "multiboot" seems to refer to a conventional dual-boot installation, where the two OSs are on the same disc.  If the OSs were installed n physically separate (internal) drives, would this mitigate the risk (accepting that /boot would be exposed)?

Probably a naive idea, but is it possible to somhow "switch off" or inactivate one disc (short of physically removing it)?

[unman]

On Mon, May 11, 2020 at 11:11:42AM +0200, dhorf-hfre...@hashmail.org wrote:
> On Mon, May 11, 2020 at 01:48:58AM -0700, matteochi...@gmail.com wrote:
>
> > Firstly, is it safe to have Windows and Qubes on the same machine? I
> > use VeraCrypt for full disc encryption
>
> veracrypt does not support actual full disc encryption.
>

Really? It looks to me as if it does, and if you extract the loader from
the MBR and use it elsewhere, cleaning the MBR, it looks good to me.

>
> > Also, I've got a 2TB external HDD, would it be safer to run Qubes from
> > that and keep Windows on my internal drive or is that worse?
>
> if that HDD is connected via USB, i would not recommend installing
> qubes to it.
> while both "install to usb" and "install to hdd" are supported, they
> have major drawbacks.

perhaps you could expand on this? Do you mean security drawbacks, or
usability?
I often run Qubes from usb, both installed and live versions, and dont
hit *major* issues.

>
> > I want to keep maximum security and keep Windows and Qubes seperate.
>
> this is not possible.
> if you multiboot, you are very far from "maximum security".
>

What are the risks here? They will depend on how your system is
configured, and what sort of attack you are open to. And "maximum
security" will change according to your use case.

If you think that it is likely that your machine will be taken, and the
information extracted and used against you, then you will need different
security measures from the case where you are worried about a drive by
attack from a script kiddie.
Assess the risk, and plan accordingly.

>
> > Any answers to questions or installation guidance is greatly
>
> https://www.qubes-os.org/doc/multiboot/
>

+1

[unman]

Not *double* but *top-posted*. Please don't do this.

It's not a naive idea - it's a good one. Depending on your machine you
may be able to find ways to do this, by installing a kill switch, or by
BIOS configuration.
You may find that your BIOS allows you to disable certain devices pre
boot, and this may enable you to switch between active disks. Have a
look.(Depending on what's available this may determine what sort of disk
you use to install Qubes)
I have an x230 with some extra hardware switches installed to allow for
device isolation. With minimal skills you could do the same yourself.
Take a look at what's already there and have a think about what you
might manage to do. If it's important enough you'll find a way.

[taran1s]

unman:

This is quite interesting. Could you be more specific about the extra HW
switches you made for the device isolation? The X230 as far as I
remember has built in HW kill switch for wifi.

[Andrew Sullivan]

Not *double* but *top-posted*. Please don't do this. - oops, sorry; is this the right place?

When I get a suitable laptop (I have a separate post on this) I'll look into that.  Are you able to share

how you implemented hardware switches on your X230? Do you find the X230 "man enough" to run Qubes?  They're not expensive...

[Mark Fernandes]

On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:

 

.... Depending on your machine you

may be able to find ways to do this, by installing a kill switch, or by
BIOS configuration.
You may find that your BIOS allows you to disable certain devices pre
boot, and this may enable you to switch between active disks. 

....

I'm by no means an expert on Qubes or this particular issue. However, I am in the midst of writing a Wikibooks book on cost-effective end-user security that has a section about this. My thoughts in the book are more like RFCs (requests for comments) rather than definitive ideas (my hope is that other people will further develop, revise, and correct them, as applicable). Please take that into account when reading them. The section is shown below.

---

Qubes OS 4.0.3 side-by-side with other operating systems

Qubes OS 4.0.3 is documented as not coping well with software that specifically benefits from 3D-optimised hardware. Since a user may well want to use such optimisation, the best way to use such optimisation on the same machine might be to do something like, or the same as, the following:

1. Install a Linux operating system, with good security but still with the capacity for being able to utilise 3D-optimised hardware, on an SSD external drive, such that this other operating system is not run over Qubes, but instead run separate to Qubes.

2. When wanting to use this other Linux OS, disable the internal drive (containing Qubes) in either:

1. the BIOS,   

       OR IF WISHING TO BE MORE SECURE,

2. both the BIOS 

as well as by physically disconnecting the internal drive

(this latter option might be a good idea to do 

because malware in a BIOS's firmware 

can still connect to BIOS-disabled drives).

3. Boot off the SSD to run this other Linux.

4. After using the non-Qubes installation, because of the possibility of malware being introduced into the BIOS firmware by the non-Qubes installation, optionally flash the BIOS's firmware to ensure better the Qubes installation isn’t compromised through firmware malware when you next use Qubes.

By following the above steps, and choosing the most secure options in the steps, because of:

• the disabling of the internal drive via the BIOS,

• the physical disconnection of the drive containing the Qubes installation,   and

• the flashing of the BIOS firmware before the ‘reconnection’ of the
  Qubes installation,

any such other OS should not be able to access or even ‘touch’ the Qubes OS installation, thereby hopefully safeguarding the Qubes installation from attacks conducted through the other presumably-less-secure OS.

---

Kind regards,

Mark Fernandes

[Logan]

Would you be willing to share the URL here? If not, could you message me privately? I'm definitely interested in reading it.

-Logan

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com.

[Logan]

On 5/11/20 11:58 AM, Mark Fernandes wrote:

Would you be willing to share the URL here? If not, could you message me privately? I'm definitely interested in reading it.

-Logan

[unman]

Yes, it is. Thanks.
Inline replies are also fine.

>
> When I get a suitable laptop (I have a separate post on this) I'll look
> into that. Are you able to share
> how you implemented hardware switches on your X230? Do you find the X230
> "man enough" to run Qubes? They're not expensive...
>

I bought the x230 with HW switches and Qubes installed.
There's already a switch for WiFi, and control over the
speakers and Mic.
There's a micro switch to isolate the mSata SSD or main drive.
Another for the camera.
There was option to install a switch to isolate USB/SD slots, but I
haven't seen that, and wouldn't use it much anyway.
Coreboot allows you to control many other components.

The x230 is great - I posted some comparisons here some time back
between x220/x230 with different configurations. Takeaway was that 16GB
RAM and fast SSD are optimal.
As with security, assessing the (wo)manliness of a laptop depends on
what you will use it for. I'm using an x220 tablet right now, and it's
fine for multiple qubes, music/video/compiling. I did some video editing
last week and the x230 was fine. BUT, for various reasons, I don't game, I tend
not to use heavy graphical components, and I work in terminal *a lot*,
so I guess you should factor that in to my view.

unman

[unman]

On Mon, May 11, 2020 at 12:01:49PM +0000, Logan wrote:
> --
> You received this message because you are subscribed to the Google Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e6af715a-fe00-46ec-ddde-24748076ad2b%40threatmodel.io.

> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> </head>
> <body>
> <div class="moz-cite-prefix">Would you be willing to share the URL

> here? If not, could you message me privately? I'm definitely

> interested in reading it.<br>
> <br>
> -Logan<br>
> </div>
> <div class="moz-cite-prefix"><br>
> </div>
> <div class="moz-cite-prefix">On 5/11/20 11:58 AM, Mark Fernandes
> wrote:<br>
> </div>
> <blockquote type="cite"
> cite="mid:be02e5ea-f7a5-473b...@googlegroups.com">
> <meta http-equiv="content-type" content="text/html; charset=UTF-8">
> <div dir="ltr">On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
> <blockquote class="gmail_quote" style="margin: 0;margin-left:
> 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">??<br>
> </blockquote>
> <blockquote class="gmail_quote" style="margin: 0;margin-left:
> 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">....

> Depending on your machine you

> <br>

> may be able to find ways to do this, by installing a kill
> switch, or by

> <br>
> BIOS configuration.
> <br>

> You may find that your BIOS allows you to disable certain
> devices pre

> <br>
> boot, and this may enable you to switch between active disks.??</blockquote>
> <blockquote class="gmail_quote" style="margin: 0;margin-left:
> 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">....</blockquote>
> <div><br>
> </div>
> <div>I'm by no means an expert on Qubes or this particular

> issue. However, I am in the midst of writing a Wikibooks book
> on cost-effective end-user security that has a section about
> this. My thoughts in the book are more like RFCs (requests for
> comments) rather than definitive ideas (my hope is that other
> people will further develop, revise, and correct them, as

> applicable). <b>Please take that into account when reading
> them.</b> The section is shown below.</div>
> <div><br>
> </div>
> <div><span
> id="docs-internal-guid-5cb878be-7fff-1d6d-bc3d-05d7880773a7">
> <hr></span></div>
> <div><span
> id="docs-internal-guid-83215b1d-7fff-5294-3335-b19118084401"><span style="font-size: 12pt; font-family: Arial; color: rgb(102, 102, 102); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">
> </span>
> <h4 dir="ltr" style="line-height:1.38;text-indent:
> 36pt;margin-top:14pt;margin-bottom:4pt;"><a
> href="https://en.wikipedia.org/wiki/Qubes_OS"
> moz-do-not-send="true"><span style="font-size: 12pt; font-family: Arial; color: rgb(102, 102, 102); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Qubes OS 4.0.3</span></a><span style="font-size: 12pt; font-family: Arial; color: rgb(102, 102, 102); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> side-by-side with other </span><a
> href="https://en.wikipedia.org/wiki/Operating_system"
> moz-do-not-send="true"><span style="font-size: 12pt; font-family: Arial; color: rgb(102, 102, 102); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">operating systems</span></a></h4>
> <p dir="ltr" style="line-height:1.38;margin-left:
> 36pt;margin-top:0pt;margin-bottom:0pt;"><a
> href="https://en.wikipedia.org/wiki/Qubes_OS"
> moz-do-not-send="true"><span style="font-size: 11pt; font-family: Arial; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Qubes OS 4.0.3</span></a><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> is </span><a
> href="https://www.qubes-os.org/faq/index.html#can-i-run-applications-like-games-which-require-3d-support"
> moz-do-not-send="true"><span style="font-size: 11pt; font-family: Arial; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">documented as not coping well</span></a><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> with </span><a
> href="https://en.wikipedia.org/wiki/Software"
> moz-do-not-send="true"><span style="font-size: 11pt; font-family: Arial; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">software</span></a><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> that specifically benefits from </span><a
> href="https://en.wikipedia.org/wiki/Hardware_acceleration"
> moz-do-not-send="true"><span style="font-size: 11pt; font-family: Arial; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">3D-optimised hardware</span></a><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">. Since a user may well want to use such optimisation, the best way to use such optimisation on the same machine might be to do something like, or the same as, the following:</span></p>
> <br>
> <ol style="margin-top:0;margin-bottom:0;">
> <li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><a href="https://en.wikipedia.org/wiki/Installation_(computer_programs)" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Install</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> a </span><a href="https://en.wikipedia.org/wiki/Linux" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Linux</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><a href="https://en.wikipedia.org/wiki/Operating_system" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">operating system</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">, with good security but still with the capacity for being able to utilise 3D-optimised hardware, on an </span><a href="https://en.wikipedia.org/wiki/SSD" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">SSD</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> external </span><a href="https://en.wikipedia.org/wiki/Data_storage" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">drive</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">, such that this other operating system is not run over Qubes, but instead run separate to Qubes.</span></p></li>
> <li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:5pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">When wanting to use this other Linux OS, disable the internal drive (containing Qubes) in either:</span></p></li>
> <ol style="margin-top:0;margin-bottom:0;">
> <li dir="ltr" style="list-style-type: lower-alpha; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">the </span><a href="https://en.wikipedia.org/wiki/BIOS" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">BIOS</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">,??????</span></p></li>
> </ol>
> </ol>
> <p dir="ltr" style="line-height:1.38;margin-left:
> 108pt;margin-top:0pt;margin-bottom:10pt;"><span style="font-size: 11pt; font-family: Arial; color: rgb(153, 153, 153); background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">??????????????OR IF WISHING TO BE MORE SECURE,</span></p>
> <ol style="margin-top:0;margin-bottom:0;" start="3">
> <ol style="margin-top:0;margin-bottom:0;" start="2">
> <li dir="ltr" style="list-style-type: lower-alpha; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">both the BIOS??</span></p></li>
> </ol>
> </ol>
> <p dir="ltr" style="line-height:1.38;margin-left:
> 108pt;text-indent: 36pt;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">as well as by physically disconnecting the internal drive</span></p>
> <p dir="ltr" style="line-height:1.38;margin-left:
> 108pt;text-indent: 36pt;text-align:
> right;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial; color: rgb(153, 153, 153); background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">(this latter option might be a good idea to do??</span></p>
> <p dir="ltr" style="line-height:1.38;margin-left:
> 108pt;text-indent: 36pt;text-align:
> right;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial; color: rgb(153, 153, 153); background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">because </span><a
> href="https://en.wikipedia.org/wiki/Malware"
> moz-do-not-send="true"><span style="font-size: 11pt; font-family: Arial; background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">malware</span></a><span style="font-size: 11pt; font-family: Arial; color: rgb(153, 153, 153); background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> in a BIOS's </span><a
> href="https://en.wikipedia.org/wiki/Firmware"
> moz-do-not-send="true"><span style="font-size: 11pt; font-family: Arial; background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">firmware</span></a><span style="font-size: 11pt; font-family: Arial; color: rgb(153, 153, 153); background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">??</span></p>
> <p dir="ltr" style="line-height:1.38;margin-left:
> 108pt;text-indent: 36pt;text-align:
> right;margin-top:0pt;margin-bottom:5pt;"><span style="font-size: 11pt; font-family: Arial; color: rgb(153, 153, 153); background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">can still connect to BIOS-disabled drives).</span></p>
> <ol style="margin-top:0;margin-bottom:0;" start="3">
> <li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><a href="https://en.wikipedia.org/wiki/Booting" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Boot</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> off the SSD to run this other Linux.</span></p></li>
> <li dir="ltr" style="list-style-type: decimal; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">After using the non-Qubes installation, because of the possibility of malware being introduced into the BIOS firmware by the non-Qubes installation, optionally </span><a href="https://en.wikipedia.org/wiki/BIOS#Reprogramming" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">flash</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> the BIOS's firmware to ensure better the Qubes installation isn???t compromised through firmware </span><a href="https://en.wikipedia.org/wiki/Malware" moz-do-not-send="true"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">malware</span></a><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"> when you next use Qubes.</span></p></li>
> </ol>
> <br>
> <p dir="ltr" style="line-height:1.38;margin-left:
> 36pt;margin-top:0pt;margin-bottom:5pt;"><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">By following the above steps, and choosing the most secure options in the steps, because of:</span></p>
> <ul style="margin-top:0;margin-bottom:0;">
> <li dir="ltr" style="list-style-type: disc; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">the disabling of the internal drive via the BIOS,</span></p></li>
> <li dir="ltr" style="list-style-type: disc; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.7999999999999998;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">the physical disconnection of the drive containing the Qubes installation, ?? </span><span style="font-size: 18pt; color: rgb(153, 153, 153); background-color: transparent; font-style: italic; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size:0.6em;vertical-align:sub;">and</span></span></p></li>
> <li dir="ltr" style="list-style-type: disc; font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre; margin-left: 36pt;"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">the flashing of the BIOS firmware before the ???reconnection??? of the </span><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">
> </span><span style="font-size: 11pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">Qubes installation,</span></p></li>
> </ul>
> <p dir="ltr" style="line-height:1.38;margin-left:
> 36pt;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">any such other OS should not be able to access or even ???touch??? the Qubes OS installation, thereby hopefully safeguarding the Qubes installation from attacks conducted through the other presumably-less-secure OS.</span></p>
> <div><span style="font-size: 11pt; font-family: Arial; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; vertical-align: baseline; white-space: pre-wrap;">
> </span></div>
> </span></div>
> <div><br>
> </div>
> <div><span
> id="docs-internal-guid-5cb878be-7fff-1d6d-bc3d-05d7880773a7">
> <hr><br>
> </span></div>
> <div><span><br>
> </span></div>
> <div><span>Kind regards,</span></div>
> <div><span><br>
> </span></div>
> <div><span><br>
> </span></div>
> <div><span>Mark Fernandes</span></div>
> </div>
> -- <br>

> You received this message because you are subscribed to the Google

> Groups "qubes-users" group.<br>

> To unsubscribe from this group and stop receiving emails from it,

> send an email to <a
> href="mailto:qubes-users...@googlegroups.com"
> moz-do-not-send="true">qubes-users...@googlegroups.com</a>.<br>
> To view this discussion on the web visit <a
> href="https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com?utm_medium=email&amp;utm_source=footer"
> moz-do-not-send="true">https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com</a>.<br>
> </blockquote>
> <p><br>
> </p>
> </body>
> </html>
>
> <p></p>
>
> -- <br />
> You received this message because you are subscribed to the Google Groups &quot;qubes-users&quot; group.<br />
> To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:qubes-users...@googlegroups.com">qubes-users...@googlegroups.com</a>.<br />
> To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/qubes-users/e6af715a-fe00-46ec-ddde-24748076ad2b%40threatmodel.io?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/qubes-users/e6af715a-fe00-46ec-ddde-24748076ad2b%40threatmodel.io</a>.<br />

Screeds and screeds of HTML.
Can you NOT do this?
Look at your settings and change to "plain text", at least for this
list, please

[Logan]

Sorry to be a nuisance. I believe it is fixed now: I have added
googlegroups.com into my text domains in Thunderbird so it shouldn't
happen again.

>
> --
> You received this message because you are subscribed to the Google Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200511120904.GB13836%40thirdeyesecurity.org.

[unman]

Cheers, thanks.
Sorry for the grouchiness - stressful times.

[Logan]

No worries mate. It's my first time using a group like this and it's not
unreasonable to assume some Qubes users are using terminal-based
readers. Plaintext never goes out of fashion.

Have a good rest of your day. :)

> --
> You received this message because you are subscribed to the Google Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200511122848.GA14188%40thirdeyesecurity.org.
>

[unman]

On Mon, May 11, 2020 at 12:37:18PM +0000, Logan wrote:
> On 5/11/20 12:28 PM, unman wrote:
> >
> > On Mon, May 11, 2020 at 12:25:54PM +0000, Logan wrote:
> > > On 5/11/20 12:09 PM, unman wrote:
> > > > Screeds and screeds of HTML.
> > > > Can you NOT do this?
> > > > Look at your settings and change to "plain text", at least for this
> > > > list, please
> > >
> > >
> > > Sorry to be a nuisance. I believe it is fixed now: I have added
> > > googlegroups.com into my text domains in Thunderbird so it shouldn't happen
> > > again.
> > >
> >
> > Cheers, thanks.
> > Sorry for the grouchiness - stressful times.
> >
> No worries mate. It's my first time using a group like this and it's not
> unreasonable to assume some Qubes users are using terminal-based readers.
> Plaintext never goes out of fashion.
>
> Have a good rest of your day. :)
>

Time for a drink and bed, I think.
Cheers.

[taran1s]

unman:

Could you share where did you buy the X230 with HW switches already
installed? I didn't see the vendor that would offer this. Thank you !

[unman]

On Mon, May 11, 2020 at 01:35:57PM +0000, taran1s wrote:
>
>
>
> Could you share where did you buy the X230 with HW switches already
> installed? I didn't see the vendor that would offer this. Thank you !

I bought it from the folk at Third Eye Security - you could mail
sup...@3isec.com to see what they have available.
They provide customised Thinkpads to order - my x230 had custom switches,
coreboot, 16GB RAM, 500MB SSD, Qubes installed, for 499GBP.
They'll also fit nitrocaster mods to get a more intense screen on the
x230, and are always happy to negotiate price depending on what you have.

That reads like an ad. Hope it's not a problem. I've bought a few
machines from them and they've always been great.

In interest of full disclosure - I now do some work for Third Eye, and
they provide server space for some Qubes repositories, the unofficial
Ubuntu and Arch that I run, and the official Tor mirror.

unman

[Anil]

> I bought it from the folk at Third Eye Security - you could mail
> sup...@3isec.com to see what they have available.
> They provide customised Thinkpads to order - my x230 had custom switches,
> coreboot, 16GB RAM, 500MB SSD, Qubes installed, for 499GBP.

Do they have a website?

Regards,

अनिल एकलव्य
(Anil Eklavya)

[Andrew Sullivan]

A quick update on this.  I've had a look at the User Manuals for some Dell laptops (specifically E5470 and M4800) and it seems that it is possible to deactivate hard drives on an individual basis in BIOS. It is also possible, again in BIOS, to choose what theWiFi on/off switch actually does - it can be set to switch off the WWAN card, so if there is a SSD installed there that could be easily switched off.

I think this could be used to reduce the risk when two OSs are installed on separate drives in the same machine?

Things were easier in the "old days" of PATA drives - I guess you could just put a switch in thepower lead to the drive(s)...