From c0d738b15b84d3bbf4f5585f54be1b0e379058ea Mon Sep 17 00:00:00 2001 From: Tommy Date: Sun, 2 Feb 2025 03:28:21 -0700 Subject: [PATCH] Add notes on trivial data exfil Signed-off-by: Tommy --- Quality of Life.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Quality of Life.md b/Quality of Life.md index 83f5c28..0a894eb 100644 --- a/Quality of Life.md +++ b/Quality of Life.md @@ -38,15 +38,19 @@ Lenovo ePrivacy can be controlled through `/proc/acpi/ibm/lcdshadow`. I use the - F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'` ### FIDO2 policies -The GUI configurator are missing 2 important policies needed for FIDO2 to work correctly, namely ctap.GetInfo and ctap.ClientPin. +The GUI configurator are missing 2 important policies needed for FIDO2 to work correctly, namely `ctap.GetInfo` and `ctap.ClientPin`. Personally, I created `/etc/qubes/policy.d/50-ctap.policy` (note that I don't touch `/etc/qubes/policy.d/50-config-u2f.policy` to avoid it being overwritten by the GUI tool): ``` -ctap.GetInfo * microsoft-edge sys-usb allpw +ctap.GetInfo * microsoft-edge sys-usb allow ctap.ClientPin * microsoft-edge sys-usb allow ``` +### Trivial data exfiltration prevention + +One trivial way for malicious applications to exfiltrate data from an offline VM is to open a link in a disposable VM with a payload. To prevent this, open the VM settings, go to advanced and set the default disposable template to none. + ### Bitwarden & Element Flatpak These apps require the keyring to be created first to work properly. Simply open a browser like Microsoft Edge and set an empty password for the keyring before using them.
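Review bot: The new "Trivial data exfiltration prevention" paragraph is ambiguous about the mechanism and the scope of the fix. "open a link in a disposable VM with a payload" does not say whether the payload is the data carried in the link itself, and "open the VM settings" does not say which VM is meant. Suggest stating that the data leaves through the link that gets opened in the disposable, and that the default disposable template has to be set to none on each offline VM, since the setting is changed in that VM's own settings. Two smaller points in the same hunk: the edited FIDO2 line still reads "The GUI configurator are missing", and since the line is being touched anyway it could become "is missing"; and the `allpw` to `allow` correction in the `ctap.GetInfo` policy line is a functional fix to the documented policy that the subject "Add notes on trivial data exfil" does not mention, so either mention it in the commit message or split it into its own commit.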