Tomster/QubesOS-Scripts
1
0
Fork 0
mirror of https://github.com/tommytran732/QubesOS-Scripts synced 2025-02-08 21:21:33 -05:00
Code

Add notes on trivial data exfil

Browse Source 
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2025-02-02 03:28:21 -07:00 committed by GitHub
parent 4c5913f895
commit c0d738b15b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Quality of Life.md
View File

@ -38,15 +38,19 @@ Lenovo ePrivacy can be controlled through `/proc/acpi/ibm/lcdshadow`. I use the
- F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'` - F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'`
### FIDO2 policies ### FIDO2 policies
The GUI configurator are missing 2 important policies needed for FIDO2 to work correctly, namely ctap.GetInfo and ctap.ClientPin. The GUI configurator are missing 2 important policies needed for FIDO2 to work correctly, namely `ctap.GetInfo` and `ctap.ClientPin`.
Personally, I created `/etc/qubes/policy.d/50-ctap.policy` (note that I don't touch `/etc/qubes/policy.d/50-config-u2f.policy` to avoid it being overwritten by the GUI tool): Personally, I created `/etc/qubes/policy.d/50-ctap.policy` (note that I don't touch `/etc/qubes/policy.d/50-config-u2f.policy` to avoid it being overwritten by the GUI tool):
``` ```
ctap.GetInfo * microsoft-edge sys-usb allpw ctap.GetInfo * microsoft-edge sys-usb allow
ctap.ClientPin * microsoft-edge sys-usb allow ctap.ClientPin * microsoft-edge sys-usb allow
``` ```
### Trivial data exfiltration prevention
One trivial way for malicious applications to exfiltrate data from an offline VM is to open a link in a disposable VM with a payload. To prevent this, open the VM settings, go to advanced and set the default disposable template to none.
### Bitwarden & Element Flatpak ### Bitwarden & Element Flatpak
These apps require the keyring to be created first to work properly. Simply open a browser like Microsoft Edge and set an empty password for the keyring before using them. These apps require the keyring to be created first to work properly. Simply open a browser like Microsoft Edge and set an empty password for the keyring before using them.