Qubes OS update, new for Windows
Greetings all
Got a nice update to my Windows qube during one of the past Qubes OS updates. If you have been following this blog’s sections, I have been using Qubes as my main laptop OS for some months now. So far it’s been quite enjoyable to use. Yes, there are a few little things I have had to work around or do differently, but for the most part it’s been quite enjoyable to use. The one big issue has been Windows usage: things like connecting USB devices to the qube so I can copy off data have of late been unusable. It’s not surprising or unexpected, due to the security focus of the operating system.
But as of a few days ago some of the issues seem to have been solved. From one of the updates, not sure which one, I am now able to connect a USB device to the Windows qube. I am also able to resize the qube’s window by using the mouse; that is a nice addition. My Windows qube is Win 7, so I am not sure about any of the newer versions and whether they work or not.
Hope the updates keep on this track. I would recommend this operating system if you need a ‘reasonably secure’ system. It can be difficult to configure at times, but it’s worth the price for what you get.
Thanks again
Status of Tor, I2P and FreeNet install and usage
This entry is an update to the ongoing Qubes OS testing as a usable operating platform. For this I tested installing Tor, I2P and Freenet in a qube and in a standalone VM. I must admit I had better success than I expected on all of them. I will first describe my configuration for the test, the qube and the standalone VM. Yes, I am running two installs, but I only use one for my day-to-day testing. The day-to-day testing is in the qube or, as the documents state, an AppVM. The standalone VM is Ubuntu 12.04, patched up to 14.04 at this time. I am finding a few stability issues with the standalone VM if I patch up to 16.04 and 18.04. Most of them are graphics problems that most likely are with Xen. The standalone VM is mostly for verifying that what I have on the AppVM should be working.
The AppVM is a clone of the installed Debian 9 template that I called SecureMachine. I like to use cloned templates for testing, so I always have a source of a clean base template. Also, backups are easy to run before I do any tinkering with apps on the template. The following are the sections and the status of each:
Tor:
- Tor was the easiest of all to install. I did not need to modify SecureMachine’s template at all. I just started the AppVM, opened the Firefox browser, and pulled down the Tor bundle from the Tor site. Ran the install and voilà, it installed into the private section of my home directory. It is true that I could just use the Whonix AppVM (which I do most of the time), but it was for a test anyway. I need to run it from a command line currently; other than that it starts the Tor circuit, then the Tor browser as required. So I am happy with the outcome. I will still be using the Whonix qube for my primary Tor access. I also set up a Tor hidden service on a standalone VM running Ubuntu Server; that was easy as well. I needed to add the Tor source location to the package list, did an APT install of Tor, modified the torrc entry for the hidden service and rebooted the standalone VM to bring the service up. I also set up a connection from one of my normal Personal AppVMs to the Ubuntu standalone VM so it can be reached by that AppVM.
I2P
- The I2P install was a bit more of an issue: I needed to install it first in the template, then again in the AppVM. The reason for this is that it needed helper apps first, things like crypto libs and other special libs. This will depend on your patch level and apps installed. Then I did a reinstall in the AppVM and it installed in the private directory with no issues. I2P needed to be started from the terminal command line, after changing to the i2p directory. It started the browser, but I needed to modify a setting in the browser’s network configuration to use the proper port. Your setup may vary in whether you need to do this or not. It runs stable and seems to be quick. The peering and gathering of connections have been quick. I was able to install plugins and even set up a page for access by others. I am using the default install settings at the moment; later I may modify a few to see if any speed or operation changes occur.
Freenet
- Freenet was not too bad. I could not use the browser-based install, so I needed to do the command-line steps. Before that I needed to install Java into the Secure_Machine template, then install the Freenet program into the private home directory section of the AppVM. This as well needed to be done at the command line, so I needed to start the terminal. It went well; now to start it I need to open a terminal and run the Freenet program with Java. It runs and opens the browser, and it runs quite quickly and stably. As mentioned before, I first installed Freenet into the standalone Ubuntu Desktop VM, using the same general steps as the AppVM for testing. Here as well I am using the AppVM most of the time now.
There are other Dark Web type applications I may try later. But for now, I will keep testing with the big three: Tor, I2P, and Freenet.
Have a safe, secure, and anonymous internet exploring in all you do.
Month of using Qubes
Current update using Qubes OS.
Going on a month now of using Qubes OS on a Dell laptop. I can say it’s quite usable, again as long as you have the hardware for it.
My setup is currently as follows:
Debian 9 template
Debian 9 Kali template
Fedora 26 template
Fedora 28 template
Whonix 13 gw – org install
Whonix 13 ws – org install
Whonix 14 gw – upgraded from 13
Whonix 14 ws – upgraded from 13
Ubuntu 1604 Server – standalone HVM
Kali 2018.3 – standalone HVM
Parrot 4.x – standalone HVM
Windows 7 – standalone HVM
Windows 10 – standalone HVM
AppVMs include some default and some I created.
Kali using the Debian 9 Kali template – my creation
Securemachine using the Debian 9 secure machine template – my creation
The default Personal using the Fedora 28 template – default
The default Work also using the Fedora 28 template – default
It also includes disposable VMs for Whonix and general use; most of these were installed with the base install of the system. It also included personal, work and vault as well. I added Kali test and secure machine for testing of special apps based on business work.
Windows 7 and Windows 10 were not too difficult to install, though it did take a few tries to get the disk space correct. You need to expand the disk using the command line in Dom0, just a note if you are wondering. I am not able to run Windows apps seamlessly like in version 3 of Qubes; maybe in a later version, or I am still missing something. Other than that, the standalone VM works fine. It even works on an external monitor. I am having an issue getting USB devices to connect, but it seems like it’s just Windows VMs that are having the issue. I have installed the qubes-tools but no luck. Using apps like Word and Excel with no problems.
I first tested installing Kali in a standalone VM. It works fine, even wireless works, most of the time. It can still give errors that it can’t find the driver for my ALFA USB WiFi device. Most everything else works fine; I can do pen testing of machines, and it’s quite quick as well in its functions. Then I created a template using Debian 9 and, by following different instructions, got a displayVM version working that allows me to have my seamless apps running, yay. Also, my ALFA WiFi works perfectly, no issues or problems. Parrot OS 4.x is still a standalone VM; I have not been able to find instructions that work for me, oh well. So, my pen testing setup is workable.
I created what I called a ‘securemachine’, which I use to test apps like I2P, Tor standalone, Freenet and other security-related applications. The application I2P works great; Tor standalone installs but I am not able to set up a runtime browser instance on the AppVM; Freenet I am not even able to install, with all kinds of link errors for that, so something to look into, I guess.
With the Ubuntu1604Server VM, I was able to get it installed with few issues; the main issue was the networking setup. It did not like the way Qubes OS defined its IP and mask, so I had to define it using what they called CNI settings, a mix of dot notation and slash numbers. With a bit of googling I was able to get it to work. I was even able to get Tor and a Tor hidden service working. Connecting Qubes VMs to each other is on my list to work with, so stay tuned for that.
Qubes OS has a built-in backup and restore program, that works nicely so no complaints as of yet.
Template/OS system updates run fine. I have to do them manually but that is OK; I would prefer to do that anyway. I currently have an issue with the whonix-gw template not updating. It will start but will not let me run a terminal. So far it is not an issue because it’s only for the Whonix VMs. I may reinstall the Whonix updates and templates to see if it runs any better. I hope to have the 4.1 version out in a few months with all the updates so no need to worry about it.
Still no way yet to easily burn DVDs. I have read of options but have not been able to get them to work with my system; again, looking into it. My printer and local WiFi work; I did not have to do any modifying, it just worked.
Still slow to boot and shut down on the laptop, but I did expect that; it’s more designed for a powerful desktop, but it’s usable for me. Most of the time I will start the laptop and keep it running for a few hours before shutting down, so it’s not that big of an issue for me anyway.
Qubes OS – My few weeks so far with using it.
In this entry I will give some of my notes on using Qubes OS. It has been a few weeks that I have been testing it on one of my laptops.
Laptop specs (2016)
Dell Inspiron 17” model
i5-3337U CPU
16G memory
1T drive (Western Digital blue)
Qubes OS specs
OS version 4.0
Updated Fedora 26 to Fedora 28 on containers
Updated Whonix from 13 to 14
Using Debian 9
What is Qubes OS? The site’s web page has a number of very well written sections that describe the system. I will let you do a deeper look for yourself on that part, but here are a few things. On the Qubes OS (www.qubes-os.com) web site’s introduction page it is described as:
Qubes OS is a security-oriented operating system (OS). The OS is the software that runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.
Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.
This approach allows you to keep the different things you do on your computer securely separated from each other in isolated qubes so that one qube getting compromised won’t affect the others. For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use disposable qube. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.
Moreover, all of these isolated qubes are integrated into a single, usable system. Programs are isolated in their own separate qubes, but all windows are displayed in a single, unified desktop environment with unforgeable colored window borders so that you can easily identify windows from different security levels. Common attack vectors like network cards and USB controllers are isolated in their own hardware qubes while their functionality is preserved through secure networking, firewalls, and USB device management. Integrated file and clipboard copy and paste operations make it easy to work across various qubes without compromising security. The innovative Template system separates software installation from software use, allowing qubes to share a root file-system without sacrificing security (and saving disk space, to boot). Qubes even allows you to sanitize PDFs and images in a few clicks. Users concerned about privacy will appreciate the integration of Whonix with Qubes, which makes it easy to use Tor securely, while those concerned about physical hardware attacks will benefit from Anti Evil Maid.
There are some key things I was looking to do for my testing; some I have mostly been able to do so far, and some I have not been able to do.
• Ease of installation and upgrades by me.
• Use of security-oriented web browsing.
• Install and usage of apps: chat clients, word processing, email, OpenVPN, some general, others special, etc.
• Usage of other OSes like Ubuntu, BSD, Windows, etc.
• Use of security and penetration testing apps, namely Kali and Parrot.
• Use of USB devices with different system qubes. Things like external drives, mice, DVD, WiFi systems.
• Ease of setting up qubes and new domains.
• Ease of usage day to day.
So to begin, here is what I have run across so far from using it for a few weeks.
Ease of installation and upgrades by me.
It took about 30 minutes to do the standard install of the OS on the laptop. The questions asked were straightforward and easy to understand. Much of the install time was just waiting for the system to copy over the programs and create the default qubes. I did have a few questions that I needed to look up to make sure I understood what they wanted, for example the usage of multiple qubes for each USB device. I selected to have one qube handle all the USB devices; so far it seems to be working OK for me.
Qubes 4.0 has Fedora 26, not Fedora 28, and Whonix 13, not Whonix 14, as the default, so they needed updating after I installed the system. The upgrade from Fedora 26 to 28 was quick and relatively simple. The web site has well-explained steps for doing the upgrade; they were easy to understand and following them worked without any noticeable problem. The Whonix upgrade, on the other hand, was a bit more problematic as of this entry. If you do not know about Whonix, it is two separate sections: one is a Workstation and the other is a Gateway. The Workstation qube seemed to upgrade mostly without any issues; I needed to attach a networking VM to get it to fully upgrade. After the first upgrade, I have been able to use the VM-defined upgrade procedure with no discernible issue so far. The Gateway is still causing me issues in upgrading: many sites it’s asking for are not available for downloading app upgrades. Even with a network VM connected it still does not fully upgrade all the apps. For now I am using the original Gateway VM, and everything seems to be working OK for my Tor services. I am hoping that when 4.1 ships it will have all the upgraded systems as default.
Debian 9 only needed the app upgrade and update from the Qubes Manager system, no issues or problems so far with that.
Upgrading the Dom0 went without a hitch; as stated before, the commands and steps required were well defined in the documentation. No problems so far in any of the upgrades.
Use of USB devices with different system qubes. Things like external drives, mice, DVD, WiFi systems.
So far most everything connected to any of the qube VMs with no problems. My USB HDDs were using exFAT as their format, so I needed to install the exFAT FUSE utilities on the Fedora 28 qube. It was easy to do with the yum install system; Debian did not need any FUSE installs for the HDD. My built-in web cam even worked with Skype. An issue I have been running into is my ALFA external USB WiFi device. It will not connect to any Debian VM qube, but it connects fine to any Fedora VM qube. I still have no idea why, so that is something to note. I am using an external USB mouse, and that works fine so far as well. I am having issues with burning DVDs/CDs currently; I am not able to burn any using my system. There have been tips to add brasero to Dom0 and burn that way, but I have not given that a try yet. The need to add an external repository to Dom0 seems like a security issue, so I am going to hold off for now.
Usage of other OSes like Ubuntu, BSD, Windows, etc.
To get started: the documentation says that Windows 7 is the only version with supported tools that will allow individual screens for different apps. Windows 10 and other versions are not supported, per the documentation. I have not been able to get Windows 7 or Windows 10 running in a VM qube as of this entry. They seem to crash during the install, or mostly install and not find any apps to load. So far I can get most of what I want to use by not using Windows, but for people that need Windows it may be something to note if you want to use Qubes. Maybe some time a patron will give millions so the people can hire a full crew and have it work.
I was able to get both Ubuntu 16.04 and 18.04 Server installed and working. Ubuntu 18.04 uses a different netmask setup and I needed to do a bit of googling for the fix. That is less of a Qubes issue and more of an Ubuntu issue; sometimes change is hard, like this was. 16.04 installed correctly the first time. Note: you need to remember that DHCP does not work the same as you would think with Ubuntu. When you set up a VM it will give you the IP, mask and gateway, and you need to manually add them to the installing system. Kali and Parrot accepted the DHCP entry with no manual entry.
Tried Windows XP for a hacking machine test; no luck in a full install. Still going to try, but not currently.
Use of security and penetration testing apps, namely Kali and Parrot.
Good news mostly on this front: both Kali 2018-2 rolling and Parrot 4.4 installed and seem to be working, except WiFi is not working because I am not able to get my ALFA USB WiFi device mounted to the Parrot or Kali VM qube. Like all technology, some things need work. I was able to use Fedora for my WiFi testing, so maybe in time. I have not done a full test of all the pen testing apps, but so far it looks good. The install was simple except for the IP creation, but I was able to manually add the IP address quickly and easily.
Ease of setting up qubes and new domains.
Creating VMs is different than what I am used to. Programs like VirtualBox, VMware and Parallels are what I am used to, so it has taken a bit of a learning curve. It is getting easier to understand now that I have set up a few. It seems to be quicker to set up VMs the way they do it. To create a usable qube in Qubes, you use what they call a template. Check out the glossary on their page for a deeper description. I set up a VM that I called debian-security that I am using for testing of other security browsing apps, what people may call the dark web apps, I2P and Freenet. I made a clone of the default Debian-9 template, then made an AppVM running the applications, installing all the applications that I want to run on the cloned template so they are available in the AppVM. The application I2P installed perfectly and seems quite fast. Freenet still has a few issues I am working on currently: connections to other users will work then crash, so I may have to reinstall a few times to work out the reason why. I also set up testing templates for first installing an application, then, if it is working, installing it to the main template. So far not many issues; all seem quite stable.
Install and usage of apps: chat clients, word processing, email, OpenVPN, some general, others special, etc.
Using and installing day-to-day apps like word processing, chatting, video, mail, browsing and file-system usage: so far I am happy with the ease of installing all of them. Most apps I use are in the repos for Fedora or Debian. When I have needed to load an external app by downloading and installing it that way, there have not been any issues, so not much to say on this so far. Games are an issue, mostly not able to do. But not an issue for me anyway. Working on setting up an OpenVPN for my home; will keep you posted as I work with it. I am using LibreOffice for my documents, and I will be trying softoffice as well soon. All the office apps seem to work fine and installing was simple: I downloaded the program and did the yum install. Currently I am using the Fedora template as my program template. Will try Debian as well soon. I use Thunderbird and it works with no issues that I have found. It defaults to the Firefox browser; for now I am happy with it, and I will be trying Chrome and a few others. Working with both Skype and Google Hangouts, no issues found; I am able to use video and file exchange. At times Hangouts has issues with exchanging desktop videos, but I have had that issue before. Using apps like Blackboard also has a few issues with exchanging desktops between people. Added SoftMaker FreeOffice, but it does not work, and I also can’t seem to remove it. (Still no luck on removal.)
Ease of usage day to day.
Having separate AppVMs for different usages and knowing they are functionally separate and seem secure is nice. And being a bit geeky, it’s cool to use. Booting up and shutting down take time. Booting up the laptop is slow because it needs to load some VMs into the background, like networking, gateways and USB devices. I have a mechanical HDD; an SSD would be faster. Shutting down is slow as well, depending on how many VMs are running.
Back from Penguicon 2016
Did two presentations this year. One on Tor, its workings and hidden services. The other on I2P and its general operations. There was a great keynote from Bruce Schneier on data and data products; as the business saying goes, “if you’re not paying for it, you are the product”. This is more relevant now than ever with the scooping up of much of your information by business and government agencies. You may think that the information collected has no effect on you if they keep it, but if you really think about the information you are just giving away, once it is out of your hands you no longer have any control over what it is being used for and, in some cases, how it is being used against you. Something people should really think about, but unfortunately, they will not until it’s too late. A few other tech talks were fun to be at, with the same strangeness and interesting people watching as always. May do a few more talks next year, so keep watching for details.
If you have never been to Penguicon, then I recommend checking the next one out.
Here are links to my presentations:
The Dark web Big Three – https://drive.google.com/open?id=0B3AAfAIeWS0KNDBhcnBva0xRcE0
Tor_general – https://drive.google.com/open?id=0B3AAfAIeWS0Ka2otNElOekEwZHM
i2p_general – https://drive.google.com/open?id=0B3AAfAIeWS0KeVZYdkZISkN4MVk
Passwords and file encryption
In this entry I will cover some quick and simple ideas that you can do right now to protect your online presence.
First, and perhaps most important, are the passwords that you use for different places. Yes, I do mean using different passwords for the different sites you log into. Don’t use the same password for everything. If you have been watching the news lately, there have been a number of places that have “lost control” of their password file to hackers. I will admit it is a bit more work, but would you rather change only one password if an account has had its password stolen, or multiple accounts?
There are programs that will secure your list of passwords with a password, so you only need to remember one to decrypt them. You may ask what the difference is between having one password for all accounts and one password for the password holder. First off, you are more likely to have it on a machine that is password protected in the first place, and they will need to know you have a password file there. Most “hackers” are more interested in selling the machine or doing a quick look at what is there than digging deeply into it. It may be true that they will dig deeper for corporate treasures, and if that is so, it is hoped that your IT has steps and options in place to secure that; more on that later.
The next issue is the type and length of the password. There are many papers written about this and many different ideas. As a standard idea, the longer the better, but as long as you do not use dictionary words you can use as little as six letters for the password. As a general rule, having special characters like “@#$%*^$” will make passwords harder to crack; sadly, some systems will not allow these, so if you can, use them.
On the subject of cracking passwords, you may have wondered how they do that. If the password encrypting program is well written, then most of the time it is easy to encrypt the password but hard to decrypt. There are large databases called “rainbow tables” that have passwords already encrypted ahead of time, and the hackers will take the database and search for a match, so they do not need to decrypt it, just match it to a pre-created list. Adding special characters will make the time needed to crack it cost more than the data is worth. That is the key: once it is not cost effective, they will just wipe the machine and sell the hardware.
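The matching against a pre-created list described above, as an added example that is not part of the original post: a plain lookup dictionary stands in for a real rainbow table, and the wordlist, user names and function names are constructed for illustration. It audits a store of unsalted hashes against the table, then shows that a per-user salt with PBKDF2 leaves the same table with nothing to match.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; real precomputed tables cover far more entries.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "dragon"]
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_hash(password):
    """Fast unsalted digest: the same password always yields the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> password once; it applies to every unsalted store."""
    return {unsalted_hash(word): word for word in wordlist}


def find_exposed(store, table):
    """Audit helper: users whose stored digest appears in the precomputed table."""
    return {user: table[digest] for user, digest in store.items() if digest in table}


def salted_record(password, salt=None):
    """Derive a key with PBKDF2-HMAC-SHA256 and a random per-user salt."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "key": key}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(key, record["key"])


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Constructed user store that keeps unsalted hashes.
    weak_store = {
        "alice": unsalted_hash("letmein"),
        "bob": unsalted_hash("letmein"),
        "carol": unsalted_hash("T7#qv!x9Lm-e2"),
    }
    exposed = find_exposed(weak_store, table)

    # The same reused password, stored with a random salt per user.
    strong_store = {
        "alice": salted_record("letmein"),
        "bob": salted_record("letmein"),
    }
    salted_hits = [u for u, r in strong_store.items() if r["key"].hex() in table]
    same = strong_store["alice"]["key"] == strong_store["bob"]["key"]
    return exposed, salted_hits, same


if __name__ == "__main__":
    exposed, salted_hits, same = demo()
    print("found by lookup (unsalted):", exposed)
    print("found by lookup (salted):  ", salted_hits)
    print("identical stored values for the same password:", same)
```

The salt is stored next to the derived key; it does not need to be secret, it only has to differ per user so that one precomputed list cannot cover every account.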
On the idea of passwords and encryption, I also want to touch on having your machine require a password to log in and not just auto-boot into your account. Auto-login may be a nice feature, but if the machine is stolen then your data is open to all. That being said, if you still want it to auto-login to your account, then you should at least encrypt the files you want no one to have access to. Setting up a space to save files in an encrypted form will depend on your operating system.
I will start with OSX first because it is the easiest. If you use OSX, it has an option to create an encrypted disk image. Think of it like a folder that will store the files; you then mount the folder like a drive. To create the encrypted image, launch “Disk Utility”, which is in the Utilities folder under Applications. Select New Image, choose a name for your image, then choose the size of the image. I would keep it under 4Gig, because any larger and you would not be able to burn the image to a DVD. Look for the encryption setting and select 128 or 256 AES; it’s up to you. The higher the number, the slower it will be to encrypt the data, depending on your machine. Many new machines are fast enough for the higher number. You can also select the location in which to create the image; leave the rest of the settings as they are. Select Create and an Authenticate dialog box will appear; give it a password and then retype it for verification. Use a strong password for this, that is, a mix of numbers and letters. To mount the file just click on it and it will ask you for a password; after you enter the correct password it will mount just like a standard OSX drive.
If you use Linux, Windows or OSX, there is a third-party application called “TrueCrypt”. It is free, but I would ask that you give them a donation if you would, please. I like the program because it is open source; that means you can look at the source code for your own personal assurance that there are no backdoors in it. It has also been looked at by many others and there seem to be no security issues. It is along the same lines of having a single encrypted image that you store your files in. I am not going to go into all the features at this time. I will have a full posting at a later date with some cool security features. This posting will only go into creating a simple encrypted disk image. First, download the program for your system from http://www.truecrypt.org/downloads. Select the OS you use and install it onto your system. Start TrueCrypt, select Volumes, then Create New Volume, keep “Create an encrypted file container” selected, and click Next, leaving the Standard TrueCrypt volume option marked. Click Next again and give the volume a name, then select Next. For now you can leave the Encryption Algorithm set to AES and the Hash Algorithm set to RIPEMD-160 as well. Select Next and give it a size; I would say 4GB max for this so you can burn it to a DVD if you wish. You can experiment later with different sizes. Select Next and give it a password; it may give you an error if it thinks the password is too short or easily crackable. You can disregard it, but try to create a strong one. Click Next again and give it a format type; the selected FAT file system is fine for now. Click Next again and the Volume Format dialog box will be showing random numbers; move your mouse in the box for a while to create a random set of key numbers, then click Next to create the volume. It will say Volume Created; at this point click Exit. It will bring you back to the start screen. To mount the created volume, make sure one of the slots is highlighted, click Select File and click on the file you created, then select Mount; it will ask you for the password and then mount the file. Add the files to the mounted volume; after you are done, just un-mount it and it will close.
I think that is plenty for now, so enjoy.