"zero day" for Qubes :))


Oleg Artemiev

Jun 5, 2015, 7:47:09 AM
to qubes...@googlegroups.com, Joanna Rutkowska, Marek Marczykowski-Górecki, qubes...@googlegroups.com
Please remove ability to set custom lock screen module for locking dom0 screen.

I've hacked my qubes. Subj. :)))) This looks like old days with windows. :)))

--
Bye.Olli.
gpg --search-keys grey_olli
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (mostly in russian): http://grey-olli.livejournal.com/tag/

Luke Saul

Jul 3, 2015, 11:03:33 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com, marm...@invisiblethingslab.com, joa...@invisiblethingslab.com


On Friday, June 5, 2015 at 7:47:09 AM UTC-4, Oleg Artemiev wrote:
> Please remove ability to set custom lock screen module for locking dom0 screen.
>
> I've hacked my qubes. Subj. :)))) This looks like old days with windows. :)))
>
> --
> Bye.Olli.

Can anybody explain this please? Thank you -- luke saul

Oleg Artemiev

Jul 4, 2015, 3:02:08 PM
to Luke Saul, fyodor y, qubes...@googlegroups.com, qubes...@googlegroups.com, Marek Marczykowski-Górecki, Joanna Rutkowska
Please ask anyone speaking Russian to translate below:

A bug in the KDE interface allows viewing dom0 content.
At the same time, the attacker has access to the "open" function on any content
accessible to the user in Dom0.

PS: this is upstream KDE bug "known for ages".

Oleg Artemiev

Jul 4, 2015, 3:08:17 PM
to Luke Saul, fyodor y, qubes...@googlegroups.com, qubes...@googlegroups.com, Marek Marczykowski-Górecki, Joanna Rutkowska
On Sat, Jul 4, 2015 at 10:02 PM, Oleg Artemiev <grey...@gmail.com> wrote:
> On Fri, Jul 3, 2015 at 6:03 PM, Luke Saul <luke...@gmail.com> wrote:
>> On Friday, June 5, 2015 at 7:47:09 AM UTC-4, Oleg Artemiev wrote:
>>> I've hacked my qubes. Subj. :)))) This looks like old days with windows.
>>> :)))
>> Can anybody explain this please? Thank you -- luke saul
http://grey-olli.livejournal.com/903037.html

Vladimir Shipovalov

Jul 8, 2015, 7:23:31 AM
to qubes...@googlegroups.com, fyg...@gmail.com, joa...@invisiblethingslab.com, marm...@invisiblethingslab.com, luke...@gmail.com, qubes...@googlegroups.com
=== Translation of Oleg's "zero day" report ===

There is an upstream bug in the KDE interface which allows the attacker to view the contents of dom0.
The attacker could use the "open" function on any content that is available to the user of Dom0.

P.S. This upstream KDE bug is already "known for ages".
(Same post in Russian: http://grey-olli.livejournal.com/903037.html)

Radoslaw Szkodzinski

Jul 8, 2015, 8:21:14 AM
to Vladimir Shipovalov, qubes...@googlegroups.com, fyg...@gmail.com, Joanna Rutkowska, Marek Marczykowski-Górecki, luke...@gmail.com, qubes...@googlegroups.com
The bug is unimportant to Qubes, as KDE is already trusted code and
runs in dom0 alongside the windowing system.
To access the lockscreen, you need direct physical access to a
logged-in machine.

If the attacker has direct access to your logged-in machine, Qubes
won't help you much, as the AppVMs are not encrypted separately.
Perhaps adding optional encryption to the AppVMs' volatile sections
would be beneficial... Not a trivial change to the appvm scripts, though.

Lockscreens are terrible, we should replace them with a secure alternative.

--
Radosław Szkodziński

Noah Vesely

Jul 8, 2015, 2:35:59 PM
to qubes...@googlegroups.com, quickcr...@gmail.com, joa...@invisiblethingslab.com, marm...@invisiblethingslab.com, luke...@gmail.com, qubes...@googlegroups.com, fyg...@gmail.com
> Lockscreens are terrible, we should replace them with a secure alternative.

Agreed. I suggested the use of a console instead of an X11 screen locker and gave a walkthrough on setting up physlock here: https://groups.google.com/forum/#!topic/qubes-users/4dnNv5eYgq4

~*~*~*~
Noah

Noah Vesely

Jul 8, 2015, 2:46:08 PM
to qubes...@googlegroups.com, qubes...@googlegroups.com, fyg...@gmail.com, marm...@invisiblethingslab.com, joa...@invisiblethingslab.com, luke...@gmail.com, quickcr...@gmail.com

conp...@gmail.com

Jul 9, 2015, 9:02:23 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com, marm...@invisiblethingslab.com, luke...@gmail.com, fyg...@gmail.com, quickcr...@gmail.com, joa...@invisiblethingslab.com
On Wednesday, 8 July 2015 19:46:06 UTC+1, Noah Vesely wrote:
> Apologies, a more direct link: https://groups.google.com/forum/#!msg/qubes-users/4dnNv5eYgq4/Cw9gXxNUsnMJ

Seems like it is somewhat fixed in Plasma 5 and will never be fixed in old versions of KDE. Moreover, nothing built on top of X11 can be secure by definition, so they built the screenlocker into a window compositor based on Wayland. Could be a challenge to port that to Qubes.

Oleg Artemiev

Jul 17, 2015, 3:11:07 PM
to Radoslaw Szkodzinski, CyberPsychotic, qubes...@googlegroups.com, qubes...@googlegroups.com, Marek Marczykowski-Górecki, Vladimir Shipovalov, luke...@gmail.com, Joanna Rutkowska

You do not need logged in access. Period.

Radoslaw Szkodzinski

Jul 17, 2015, 3:49:22 PM
to Oleg Artemiev, CyberPsychotic, qubes...@googlegroups.com, qubes...@googlegroups.com, Marek Marczykowski-Górecki, Vladimir Shipovalov, Luke Saul, Joanna Rutkowska
On Fri, Jul 17, 2015 at 9:11 PM, Oleg Artemiev <grey...@gmail.com> wrote:
> You do not need logged in access. Period.

You need local access to unencrypted dom0 though. Powered up machine,
essentially stolen, and the bug is not trivial to exploit.
This is a scenario that is important only if you happen to be a target
of a sting and don't have an automated shutdown set up.

If you can do it remotely, then it's a major issue. If you can do that
to one that is turned off, again, it is major.

Otherwise, it's quite minor - a resourceful attacker can already read
the RAM of the machine (similar to cold boot attack - freeze it and
read it elsewhere) and thus recover encryption keys to read
everything.
This is why you should never leave the PC turned on.

--
Radosław Szkodziński

Oleg Artemiev

Jul 30, 2015, 4:26:10 PM
to Radoslaw Szkodzinski, CyberPsychotic, Luke Saul, qubes...@googlegroups.com, Vladimir Shipovalov, Marek Marczykowski-Górecki, qubes...@googlegroups.com, Joanna Rutkowska

I still think that it is major. Especially in a customs area, this may lead to a situation where any person can do that. This may send a user to prison. ;/

Radoslaw Szkodzinski

Jul 30, 2015, 5:16:41 PM
to qubes...@googlegroups.com


On 30 Jul 2015 22:26, "Oleg Artemiev" <grey...@gmail.com> wrote:
>
> I still think that it is major. Especially in a customs area, this may lead to a situation where any person can do that. This may send a user to prison. ;/
>

I am quite sure airport security should only verify that it is indeed a computer. You get to turn it on. No amount of 0day prevention will help against guns or rubber hoses and the machine should be switched off whenever possible, protected by encryption and AEM.

conp...@gmail.com

Jul 31, 2015, 10:53:32 AM
to qubes-users, astra...@gmail.com, fyg...@gmail.com, luke...@gmail.com, qubes...@googlegroups.com, quickcr...@gmail.com, marm...@invisiblethingslab.com, joa...@invisiblethingslab.com, grey...@gmail.com
On Thursday, 30 July 2015 21:26:11 UTC+1, Oleg Artemiev wrote:
> I still think that it is major. Especially in a customs area, this may lead to a situation where any person can do that. This may send a user to prison. ;/

Well, if that user is smart enough to enable lock screen customisation and have the laptop running with the root partition decrypted when crossing a border with any probability of being searched... then maybe he/she deserves a sentence in prison? :)

Manuel Amador (Rudd-O)

Aug 12, 2015, 2:46:38 AM
to qubes...@googlegroups.com

FYI: don't cross borders, or other areas where violent authoritarians
exist, with your electronics powered on. Just normal opsec rule.

--
Rudd-O
http://rudd-o.com/

jonbrown...@gmail.com

Aug 25, 2015, 10:52:07 PM
to qubes-users, qubes...@googlegroups.com, astra...@gmail.com, fyg...@gmail.com, luke...@gmail.com, quickcr...@gmail.com, marm...@invisiblethingslab.com, joa...@invisiblethingslab.com
On Tuesday, August 11, 2015 at 6:51:55 AM UTC-5, thinkpad user wrote:
> This feature is very helpful as it allows the user to evade unneeded attention to her/his locked laptop, disguising it, for example, as a locked Windows laptop. This is getting even more important in less developed countries where camouflage is crucial (I will not post an example here).
>
> To eliminate the security breach, devs can simply add a warning about the risks involved with lock screen replacement. The rest is up to the user.

In the US you can be forced to power on your laptop to ensure it works and is not a decoy. This issue needs to be addressed.