Valid Concerns Regarding Integrity of Whonix Project

teresard...@gmail.com

Feb 13, 2019, 11:26:14 PM
to qubes-users
Summary: I have reason to believe the possibility that Mig5 (the new SysAdmin on Whonix project) could be compelled under federal law to provide assistance is high, and the threat that the security and anonymity offered by the project could be compromised as a result is also high.

I recently visited the Whonix community website for an unrelated purpose and discovered something that I think in honest to good faith deserves public discussion.

I was alarmed and shocked to see my post abruptly deleted and my account permanently disabled.

I would like to post my thoughts here to the Qubes User community for further scrutiny and discussion and perhaps maybe get the attention of the project maintainer who I do see regularly participate on this channel.

Below is a copy paste of the submission which was deleted from the Whonix community forum.

[Quote]
This post is in no way doubting the integrity or calling into question the character of Mig5 the new sysadmin for the whonix project.

But I do feel it is necessary to point out that the new sysadmin is Australian (or resides in Australia). Under Australian law, he can be compelled through threat of imprisonment to cooperate with the Australian government. This law is designed to compel individuals that work on projects such as Whonix to insert or write code that permits lawful access. If a person is served with such enforcement, they are required to keep it secret or risk imprisonment.

This law was only recently introduced and is already being used to great effect according to recent reports.

While Whonix is an open-source project it is important to remember that open source does not imply greater security. One only needs to consider that one of the most widely used and scrutinized open source projects (OpenSSL) had a backdoor that went undetected for several years. It was just two lines of code. It literally broke the internet.

I deeply regret having to bring this to the attention of the community; please do not interpret my thoughts here as a question of Mig5's character. I value all contributions but believe the circumstances and severity of the consequences warrant public discussion. The bottom line is, as the law is written, he would be required to cooperate and in secret. I think someone like him, in a position he now occupies, represents a textbook example of why this law was written in the first place. In my opinion, it is not a question of "if" he is compelled but rather just a matter of "when".

Unfortunately it is not uncommon for Whonix to be encountered by forensic analysts who have the regrettable job of investigating computer equipment seized from suspects charged with child abuse related offenses. At least not in Australia. I can say with certainty this project already has high visibility among specific cyber investigative divisions within both state and federal AG. I do not have any classified information I can share and if I did I would not share it, but I can provide some information in private to Patrick that taken to its logical conclusion would suggest this project is likely to be a high priority target for these new laws.

[/Quote]

haaber

Feb 14, 2019, 12:29:55 AM
to qubes...@googlegroups.com
Are canaries now "illegal" in Aussie law as well ???

unman

Feb 14, 2019, 10:39:59 AM
to qubes...@googlegroups.com
Please don't top post.

Whonix does not use canaries, as you can see here:
https://forums.whonix.org/t/whonix-warrant-canary/3208

nosugar...@gmail.com

Feb 14, 2019, 9:52:38 PM
to qubes-users
'This law was only recently introduced and is already being used to great effect according to recent reports.'

Great effect? Where are your sources? I can't take you seriously without proper sources. Gut feelings, suspicions, it all means nothing without evidence. Should we all bust out the tin foil while we're here, too?

In what ways could Whonix be modified to pose a threat to us? They can't modify Tor, and any change they do to the OS is in clear visibility. How will they back door it? Any existing case examples?


Patrick Schleizer

Feb 15, 2019, 8:40:11 AM
to qubes-users, Whonix-devel, Patrick Schleizer
* I was advised in private e-mail by @mig5 about this new law before
it took effect, and @mig5 offered to step aside because of
it. It was my decision not to change anything. Below I will explain
why.

* I might have reacted in a better way by protectively discussing this
subject in public but that is really hard without nonproductive
discussions and without badmouthing @mig5 in unintended ways.

* @mig5 doesn't moderate Whonix's forums. That thread wasn't deleted
by @mig5.

* I've not researched that Australian law. And I like to avoid it. If
I had to bet, I guess their interpretation is reasonable. For
practical purposes explained below it wouldn't matter.

* From a security enthusiast perspective it's a reasonable question.
No one or only a few have the complete picture.

* The issue with one asking this question are the hidden presuppositions.

* The presupposition is that the server location is somehow secure.

** That's not true.

** Assume a regular commercial server host.

** I don't know any people working there.

** I couldn't even find the place without navigation software.

** Just because it's from the Whonix project, doesn't mean server
security magically is a lot better than server security of let's say,
facebook. (And these are even known to have a front- and backdoor.)

* Regarding the server, it's easy to demand better security. Easy to
demand, that I pay for it rather than using a sponsored server, or to
demand other security enhancements. I'd be happy to do all of this,
but then please also provide reliable funding for it.

* We have a wiki page dedicated explaining all the attack vectors that
are related to the risks introduced since we are forced to trust
humans. [1]

* Whonix, same as Qubes, operates already on the assumption that the
infrastructure is compromised.

** The wiki page has a chapter "Should I Trust This Website?". [2] The
short answer is "no".

** Similarly the Qubes project has a chapter "What does it mean to
“distrust the infrastructure”?" [3]

** If a server administrator (such as mig5) were compelled to replace
a Whonix download, the OpenPGP verification of the file (iso, ova or
libvirt image) would fail (when using the project OpenPGP signing key
for OpenPGP signature verification).

** If a server administrator was compelled to also replace the OpenPGP
signature of that file, all the usual rules would apply: users should
verify the validity of the OpenPGP key by looking for it published in
different places, etc. The same advice provided by the Qubes project
for their isos.

** The Whonix server doesn't host the source code. A server
administrator cannot "insert code" into the Whonix project.

** Github is an organization with many Australian engineers. The same
threat applies there - perhaps even more so, in that Australian
engineers could be coerced into modifying git repository data directly
- not just of Whonix, but Qubes too - and be unable to even tell their
boss.

** In such a situation, the threat of coercion or interference is
indeed real. The protection against that, seems to be all the usual
things: cryptography, ‘many eyes’, etc.

** The same argument could be made against developers, server
administrator or similar from USA and perhaps other countries as well?

** UK has Investigatory Powers Act, similar?

** Tor Project might have Australian developers and/or server
administrators, too? The point is that if you go down that road, there
really is no end. Whonix is not special in this regard.

* As bad as that new law might be, I don't see that anything relevant
changed.

** Whatever circumstances do apply to @mig5 now, might have applied to
@mig5 before that new law as well.

** Even without that law directly applying to me, and while I've never
been in any territory of the USA, and while their laws may formally
not apply worldwide, yet USA laws are enforced worldwide. And as a
non-USA citizen even outside of USA, legal defense is even more
difficult than for a USA citizen inside USA.

* What I witnessed over time is, that many users assume that security
focused projects are already very mature in all aspects and nothing
much needs to be done. This assumption is wrong.

** We don't have reproducible / deterministic builds; we don't have
automatic verification of deterministic builds; our repositories
aren't using multisig.

** We could use more code reviewers, auditors, unit tests, automated
tests, and whatnot.

** We don't have a volunteer server admin. [6]

** port Whonix package build process to Qubes package build process [7]

** See also our FAQ entry "Is the Linux User Experience Comparable to
Commercial Operating Systems?" [4]

** I'd like to tackle all of these issues.

* I am not really eager to build Whonix packages, Non-Qubes-Whonix
downloads, maintain whonix.org server, hold Whonix signing keys.

** Fun: development, source code, testing, design, answering good
questions

** Not so much fun but necessary: legal, funding, server, releases,
uploads, signing keys, announcements

Meaning: Please contribute - then everything can be improved.

I'd be happy to hand over upload rights / package builds / server
administration to a more qualified organization that is strong in
legal defense, computer security and reliable funding. But at the
moment, I don't see anything like that emerging.

Cheers,
Patrick

[1] https://www.whonix.org/wiki/Trust
[2] https://www.whonix.org/wiki/Trust#Should_I_Trust_This_Website.3F
[3] https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure
[4] https://www.whonix.org/wiki/FAQ#Is_the_Linux_User_Experience_Comparable_to_Commercial_Operating_Systems.3F
[5] Some US laws apparently apply worldwide.

* Kim Dotcom, a German/Finnish dual national, permanent resident of and
physically present in New Zealand at the time of the alleged copyright
infringement by USA had his assets seized, worldwide bank accounts
frozen, arrested and may be extradited to USA, ongoing legal proceedings.
* US sanctions laws apparently apply worldwide. Including non-US
citizen outside of US territory. Chinese citizen arrested during
flight layover in Canada by Canadian authorities to be extradited to
USA. - https://edition.cnn.com/2018/12/11/business/huawei-cfo-arrest-details/index.html
* Ulrich Wippermann, German citizen, apparently resident in Germany at
the time, employed by a company did not break any German laws.
Nevertheless, he got put on an US restricted persons blacklist, in result:
** lost his job in a leading position,
** could not find a new job in a leading position because employers
feared repercussions,
** got his bank accounts and credit cards terminated,
** got denied an Apple phone from its mobile carrier,
** got denied shipping services.
** Sources:
[FAZ](https://www.faz.net/aktuell/politik/deutscher-auf-usa-terrorliste-wegen-exporten-nach-iran-14552747.html),
[NDR](https://daserste.ndr.de/panorama/archiv/2016/Imperiales-Gehabe-der-lange-Arm-der-US-Gesetze,wirtschaftskrieg100.html)
** Comment: Given the public available information. He had a higher
income than most people. Yet, he unfortunately either did not attempt
or failed to defend himself using the legal system from harassment
inside Germany. Rather, he unfortunately either did not attempt, or
failed, or didn't have any option, to use the legal system to force
his removal from the blacklist. This is not a criticism of his person.
This is a criticism of the unfairness of the legal system. If he can't
defend himself using the legal system, what are the chances that
people with less income can.

[6]
https://forums.whonix.org/t/new-sysadmin-saying-hello/5446/12?u=patrick
[7] https://phabricator.whonix.org/T709
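The download check described in the message above (a replaced image fails OpenPGP verification, and a replaced signature only passes if the key is swapped too, which cross-checking the key in different places catches), as an added example that is not part of the original message and not Whonix or Qubes tooling. It parses the status lines printed by `gpg --status-fd 1 --verify`; the fingerprints, status text, source names, function names and the `MIN_SOURCES` threshold are constructed placeholders and assumptions.

```python
"""Accept a download only if gpg reports a good signature from a cross-checked key."""
import re

MIN_SOURCES = 2  # assumption: fingerprint must come from at least two independent places
# Any of these status keywords means the signature must not be trusted.
# EXPSIG/EXPKEYSIG/REVKEYSIG are what gpg emits instead of GOODSIG when the
# signature or key is expired or revoked.
REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")

# Constructed placeholder fingerprints, not real keys.
PROJECT_FPR = "AAAA" * 10
ATTACKER_FPR = "BBBB" * 10


def normalize_fpr(text):
    """Return a 40-hex-digit fingerprint in upper case, or None for short key IDs."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    return fpr if re.fullmatch(r"[0-9A-F]{40}", fpr) else None


def pinned_fingerprint(sources):
    """sources maps 'where I found it' -> fingerprint text; all must agree."""
    fprs = set()
    for name, raw in sources.items():
        fpr = normalize_fpr(raw)
        if fpr is None:
            raise ValueError(f"{name}: not a full 40-hex fingerprint")
        fprs.add(fpr)
    if len(sources) < MIN_SOURCES:
        raise ValueError("too few independent sources")
    if len(fprs) != 1:
        raise ValueError("sources disagree on fingerprint")
    return fprs.pop()


def parse_status(status_text):
    """Split '[GNUPG:] KEYWORD args...' lines into (keyword, [args]) pairs."""
    events = []
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line[len("[GNUPG:] "):].split()
            if parts:
                events.append((parts[0], parts[1:]))
    return events


def check_download(status_text, sources):
    """Return (accepted, reason) for one gpg --verify run."""
    try:
        pinned = pinned_fingerprint(sources)
    except ValueError as exc:
        return False, str(exc)
    events = parse_status(status_text)
    keywords = [kw for kw, _ in events]
    for bad in REJECT:
        if bad in keywords:
            return False, f"gpg reported {bad}"
    valid = [args for kw, args in events if kw == "VALIDSIG"]
    if keywords.count("GOODSIG") != 1 or len(valid) != 1:
        return False, "expected exactly one good signature"
    args = valid[0]
    # VALIDSIG: first field is the signing (sub)key, tenth is the primary key.
    signer = args[9] if len(args) >= 10 else args[0]
    if signer != pinned:
        return False, "signed by unexpected key"
    return True, "ok"


def make_status(fpr):
    """Constructed status output for a cryptographically valid signature by fpr."""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Key <key@example.invalid>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2019-02-15 1550220000 0 4 0 1 10 00 {fpr}\n"
    )


# Constructed scenarios.
GOOD_STATUS = make_status(PROJECT_FPR)        # untouched image and signature
TAMPERED_STATUS = (                           # image replaced, signature kept
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {PROJECT_FPR[-16:]} Constructed Key <key@example.invalid>\n"
)
SWAPPED_STATUS = make_status(ATTACKER_FPR)    # image and signature both replaced

SOURCES = {  # the same key, found in three places in three notations
    "project website": " ".join(["AAAA"] * 10),
    "keyserver": "0x" + PROJECT_FPR.lower(),
    "release announcement": PROJECT_FPR,
}

if __name__ == "__main__":
    for label, status in (("good", GOOD_STATUS), ("tampered", TAMPERED_STATUS),
                          ("swapped", SWAPPED_STATUS)):
        print(label, check_download(status, SOURCES))
    # Website copy of the key replaced as well: the other sources expose it.
    print("website key replaced",
          check_download(SWAPPED_STATUS, dict(SOURCES, **{"project website": ATTACKER_FPR})))
```
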

qube...@tutanota.com

Feb 15, 2019, 5:58:38 PM
to Patrick Schleizer, qubes-users, Whonix-devel, Patrick Schleizer
Dear Patrick,

I appreciate your answer and understand your point of view. On the other side, the issue raised by the law in Australia (and GCHQ asked for that too, like the request of ghost user in all the "encrypted" conversations) is an important security concern and should be taken into consideration in the threat/trust model not only with Whonix, but with all the HW, SW, infrastructure and personnel. As of today, it is not.

Existing threat models are currently not considering this form of attack. Same way as the existing threat models, including those of Qubes, TAILS, Whonix and others, are not covering the threat of being forced on the border to GB or US to hand over all the keys to all your digital devices under the threat of imprisonment. There is no Hidden OS functionality mentioned, and no known development in this area, even though the threat exists and ppl are already successfully exploited by these attacks.

This is but not an issue of Whonix. It is an issue of not addressing the new, emerging attacks clearly. The FMECA, which is constantly not updated, becomes obsolete, and continuously useless. From my personal experience, if people are sub-aware that some FMECA points could be very difficult to address and solve reasonably, they tend to avoid to put it in to the FMECA and start to care.

Concerns related with that Aussie law and similar activities of some entities, are based on reality. Before the law was here, it was more difficult to successfully reach forced cooperation. Usually it was through blackmail, convincing, threats or similar activities, to forge the canaries and insert the dirt in the code or HW. There was still quite good space for an effective resistance of the personnel, if one wanted. The personnel was protected by law. The kind of moral part today is killed there completely. Today they just come and bring you the lawful request and you must comply with it and fulfill the request, or go directly to jail (I think it is 5 years?), and at the same time you are bound not to tell anyone, by any means be it your corporate employer, your teammate, brother or development project partner. They effectively created from every citizen a potential agent, which can't deny to become one if requested.

Quite easy countermeasures were possible, if the devs (in this case), were anonymous. But they are not so much, right? Therefore are open to this particular attack that just emerged. How and when will it be added to the threat model and covered, together with other new emerging threats, by respective teams, is the only question to be answered.

Xaver

Feb 15, 2019, 11:08:48 PM
to qube...@tutanota.com, Patrick Schleizer, qubes-users, Whonix-devel, Patrick Schleizer




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, February 15, 2019 10:58 PM, <qube...@tutanota.com> wrote:

> Dear Patrick,
>
> I appreciate your answer and understand your point of view. On the other side, the issue raised by the law in Australia (and GCHQ asked for that too, like the request of ghost user in all the "encrypted" conversations) is an important security concern and should be taken into consideration in the threat/trust model not only with Whonix, but with all the HW, SW, infrastructure and personnel. As of today, it is not.

While this threat is certainly a concern it is nothing new. Although new in Australia, many other countries have had similar laws and/or don't have any laws that would prevent the govts from forcing a person to do pretty much whatever they want. With ever evolving threats it would be near impossible to keep up. Once a mitigation is found for one, two more emerge. How do you combat adversaries that have near unlimited resources? Trust model/concerns have been considered in https://www.whonix.org/wiki/Trust. (Has anyone bothered to read it?)

>
> Existing threat models are currently not considering this form of attack. Same way as the existing threat models, including those of Qubes, TAILS, Whonix and others, are not covering the threat of being forced on the border to GB or US to hand over all the keys to all your digital devices under the threat of imprisonment. There is no Hidden OS functionality mentioned, and no known development in this area, even though the threat exists and ppl are already successfully exploited by these attacks.

If anyone can come up with a mitigation to an adversary putting a gun to a developer's head and asking nicely for their private key - I'd like to hear it. How exactly does someone overcome an impossible situation? How do you cover a "do as I say or die" threat model? Holy shit! It was here all along! https://www.whonix.org/wiki/Trust#Free_Software_and_Public_Scrutiny

>
> This is but not an issue of Whonix. It is an issue of not addressing the new, emerging attacks clearly. The FMECA, which is constantly not updated, becomes obsolete, and continuously useless. From my personal experience, if people are sub-aware that some FMECA points could be very difficult to address and solve reasonably, they tend to avoid to put it in to the FMECA and start to care.
>
> Concerns related with that Aussie law and similar activities of some entities, are based on reality. Before the law was here, it was more difficult to successfully reach forced cooperation. Usually it was through blackmail, convincing, threats or similar activities, to forge the canaries and insert the dirt in the code or HW. There was still quite good space for an effective resistance of the personnel, if one wanted. The personnel was protected by law. The kind of moral part today is killed there completely. Today they just come and bring you the lawful request and you must comply with it and fulfill the request, or go directly to jail (I think it is 5 years?), and at the same time you are bound not to tell anyone, by any means be it your corporate employer, your teammate, brother or development project partner. They effectively created from every citizen a potential agent, which can't deny to become one if requested.

Yes, before the law other means would be necessary to compel a developer to backdoor software in **Australia**. Now the law says the govt can force a person, or go to jail. Some would choose jail (then the cat's out of the bag. Everyone would then know why they went to jail. common sense). Others might not have much of a choice. Regardless, this and other emerging attacks have been considered and covered.... (not necessarily whonix specific)

* https://www.whonix.org/wiki/Trust#Free_Software_and_Public_Scrutiny

* https://www.whonix.org/wiki/Trust#Trusting_Debian_GNU.2FLinux

* https://www.whonix.org/wiki/Trust#Trusting_Tor

* https://www.whonix.org/wiki/Trust#Evil_Developer_Attack

>
> Quite easy countermeasures were possible, if the devs (in this case), were anonymous. But they are not so much, right? Therefore are open to this particular attack that just emerged. How and when will it be added to the threat model and covered, together with other new emerging threats, by respective teams, is the only question to be answered.

Already covered.

My questions: When will the people who bring these issues up (valid issues) realize this is a shared burden - both devs and community. Why didn't the OP feel compelled to put forth the effort to research and understand this problem before crying wolf? This issue is not new. This same issue (developers backdooring) had been discussed and beaten into the ground countless times.

Here is what it comes down to. Developers can be forced to alter/backdoor software in **many** countries. It makes no difference how it's done, threat of jail or violence makes no difference. This is an impossible situation to 100% solve. It could be solved but not likely due to the lack of support (financial, code contributions, audits etc.. ) from communities from **every** project.

FWIW I'd like to give the OP a round of applause for singling out a well respected dev when this is not just a Whonix issue. Not only for that but also deciding (for the dev) that he would just cave in if encountered with this law/situation. This is an attack on his character if I ever saw one. This problem applies to Tor, Qubes, Whonix, DropBox, devs that live in any country that doesn't have laws that protect people or have laws that can compel them to cooperate.

OK I'm done with my rant. ;)


qube...@tutanota.com

Feb 19, 2019, 8:00:25 AM
to Xaver, Patrick Schleizer, qubes-users, Whonix-devel, Patrick Schleizer



Feb 16, 2019, 4:08 AM by xa...@protonmail.com:

> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, February 15, 2019 10:58 PM, <qube...@tutanota.com> wrote:
>
>> Dear Patrick,
>>
>> I appreciate your answer and understand your point of view. On the other side, the issue raised by the law in Australia (and GCHQ asked for that too, like the request of ghost user in all the "encrypted" conversations) is an important security concern and should be taken into consideration in the threat/trust model not only with Whonix, but with all the HW, SW, infrastructure and personnel. As of today, it is not.
>>
>
> While this threat is certainly a concern it is nothing new. Although new in Australia, many other countries have had similar laws and/or don't have any laws that would prevent the govts from forcing a person to do pretty much whatever they want. With ever evolving threats it would be near impossible to keep up. Once a mitigation is found for one, two more emerge. How do you combat adversaries that have near unlimited resources? Trust model/concerns have been considered in https://www.whonix.org/wiki/Trust. (Has anyone bothered to read it?)
>

I am not talking about magical 100% protection or 10$-wrench-decryption. I believe this attack is different by its implications and consequences. Sure many govs using different methods today, many of which are but unlawful. Doing this can ruin any case be it getting to the court. By having these laws in place, like the ones in Australia, this attack yesterday unlawful, is lawful today. This has high consequences. To ruin any project today it is enough that they come and ask you for your keys, or ask to plant a backdoor. If not, you go to jail. Project is over, perfectly fit with law. Yesterday it wasn't possible so simply, they had to be on border with or cross the law, considering morality of the dev constant.


>> Existing threat models are currently not considering this form of attack. Same way as the existing threat models, including those of Qubes, TAILS, Whonix and others, are not covering the threat of being forced on the border to GB or US to hand over all the keys to all your digital devices under the threat of imprisonment. There is no Hidden OS functionality mentioned, and no known development in this area, even though the threat exists and ppl are already successfully exploited by these attacks.
>>
>
> If anyone can come up with a mitigation to an adversary putting a gun to a developer's head and asking nicely for their private key - I'd like to hear it. How exactly does someone overcome an impossible situation? How do you cover a "do as I say or die" threat model? Holy shit! It was here all along! https://www.whonix.org/wiki/Trust#Free_Software_and_Public_Scrutiny
>

As an example, if developer is anonymous, one can point gun at his own head only. This should be part of the threat model, mitigations and contingency plans. You are again trying to find 100% solution for everything, and if not available, you call it impossible situation. It is possible situation and must be analyzed separately from other threats with different characteristics.


>> This is but not an issue of Whonix. It is an issue of not addressing the new, emerging attacks clearly. The FMECA, which is constantly not updated, becomes obsolete, and continuously useless. From my personal experience, if people are sub-aware that some FMECA points could be very difficult to address and solve reasonably, they tend to avoid to put it in to the FMECA and start to care.
>>
>> Concerns related with that Aussie law and similar activities of some entities, are based on reality. Before the law was here, it was more difficult to successfully reach forced cooperation. Usually it was through blackmail, convincing, threats or similar activities, to forge the canaries and insert the dirt in the code or HW. There was still quite good space for an effective resistance of the personnel, if one wanted. The personnel was protected by law. The kind of moral part today is killed there completely. Today they just come and bring you the lawful request and you must comply with it and fulfill the request, or go directly to jail (I think it is 5 years?), and at the same time you are bound not to tell anyone, by any means be it your corporate employer, your teammate, brother or development project partner. They effectively created from every citizen a potential agent, which can't deny to become one if requested.
>>
>
> Yes, before the law other means would be necessary to compel a developer to backdoor software in **Australia**. Now the law says the govt can force a person, or go to jail. Some would choose jail (then the cat's out of the bag. Everyone would then know why they went to jail. common sense). Others might not have much of a choice. Regardless, this and other emerging attacks have been considered and covered.... (not necessarily whonix specific)
>
> * https://www.whonix.org/wiki/Trust#Free_Software_and_Public_Scrutiny
>
> * https://www.whonix.org/wiki/Trust#Trusting_Debian_GNU.2FLinux
>
> * https://www.whonix.org/wiki/Trust#Trusting_Tor
>
> * https://www.whonix.org/wiki/Trust#Evil_Developer_Attack
>

But they would have been in jail. Heroes, but in jail. And the project is over. If the target of the project is becoming a hero, then your attitude is ok. But the sec projects like Qubes, TAILS and similar, don't have it in their description. They are supposed to be resistant to the threats, mentioned in their threat model. I am saying let's include these there too. Projects like Qubes and TAILS, Whonix are about endpoint protection. The hidden operating system and hidden files (an example), plausible deniability, and similar features, are as well the endpoint protection. Without it, in today's world you can't build reasonable security model. If crossing certain state borders, airports, or living in some states breaks your security completely with one question from an official, one has to ask what really is the durability of such solution. Considering existing real-world threats, is it enough to have just Veracrypt with that functions, or we need to have a look deeper into the matter? I believe we need to go deeper and mitigate these risks.


>> Quite easy countermeasures were possible, if the devs (in this case), were anonymous. But they are not so much, right? Therefore are open to this particular attack that just emerged. How and when will it be added to the threat model and covered, together with other new emerging threats, by respective teams, is the only question to be answered.
>>
>
> Already covered.
>
Seeing all the faces in all the conferences and dev meetings and photos and videos everywhere, I humbly doubt you are right :)


>
> My questions: When will the people who bring these issues up (valid issues) realize this is a shared burden - both devs and community. Why didn't the OP feel compelled to put forth the effort to research and understand this problem before crying wolf? This issue is not new. This same issue (developers backdooring) had been discussed and beaten into the ground countless times.
>

Shared burden, YES! Let's share this-particular-attack(s?) in the threat/trust models, mitigations and contingency plans. First step is to put it in. If you feel you don't need to, because they both ways come with the wrench and break your bones, your threat model is covering only one attack, which both ways is extremely difficult to mitigate. Let's enlarge it a bit. FMECA loves multitudes, even some points just remain opened.


> Here is what it comes down to. Developers can be forced to alter/backdoor software in **many** countries. It makes no difference how it's done, threat of jail or violence makes no difference. This is an impossible situation to 100% solve. It could be solved but not likely due to the lack of support (financial, code contributions, audits etc.. ) from communities from **every** project.
>
"makes no difference." I believe it makes a lot of difference. To kill you or torture you, needs very different reasons, resources and determination, than to kindly ask you to do things, or face perfectly lawful action in fashion ties, with you not being able to win.
No one is asked to solve anything 100%. This is the magic of FMECA and similar tools. If you are honest, professional and really good, you will not be able to cover all the points 100%. That's the magic and pain of true OPSEC, based on reality. I agree with you, it is really related to every project and therefore it should be covered in every project.


>
> FWIW I'd like to give the OP a round of applause for singling out a well respected dev when this is not just Whonix issue. Not only for that but also deciding (for the dev) that he would just cave in if encountered with this law/situation. This is an attack on his character if i ever saw one. This problem applies to Tor, Qubes, Whonix, DropBox, devs that live in any country that doesn't have laws that protect people or have laws that can compel them to cooperate.
>
I believe, that honest risk assessment of the new situation in Australia (it is new, simply is) needs to be done correctly. It must be done and doing it is not an attack on the character of the dev. New attack, can but challenge the character in a different way, than expected before the law was approved. Take into consideration please, that in the threat model you must consider also probability that certain attack happens, and determination of the attacker.

To use torture, murder or any other violent or unlawful measures, (to get the same effect as following Aussie law today), needs completely different attacker's determination, very different and rare, highly specialized resources to do that job, and there is much lower probability for this measure to be executed in real life. How many sec devs were tortured and killed this year, because they denied to hand over their keys?
To execute the attack today with law in hand is incomparably simpler, with the same or even higher effect. It needs incomparably much less determination from the attacker, largely available, non-specialized resources can be used to do the job, and so the probability to execute the attack is much higher too.

Do you get my point now?


>
> OK I'm done with my rant. ;)
>

Done too :)



mig5

Feb 19, 2019, 3:49:34 PM2/19/19
to qubes...@googlegroups.com
Hi,

I'm the 'mig5' referred to in the original post.

A couple things keep appearing in this and the other thread that need debunking.

Constant reference to 'the dev', 'dev handing over keys', etc.

I'm not a dev on the Whonix project.

Patrick already covered this in his reply - really all that needed to be said, but seems people didn't read it.

Here are again some concise points:

1) The Whonix server doesn't host the source code. That's at Github. I have no access to it. I, myself, have as much chance of adding a backdoor to the Whonix source code, as the original poster - the same chance we both have at sneaking a backdoor into the Linux kernel upstream. As Australians say: 'bugger all!'.

2) There are no signing keys, or master keys, stored on the server. I can't 'hand over' the keys used to sign the Whonix binaries, apt packages etc. I simply don't have them.

3) Packages are not built or signed on the server. This happens somewhere else with no involvement from me, and then those are uploaded to the (already assumed compromised) server.

4) Therefore, the only threat is the ability to tamper with the binaries/apt packages once they're uploaded - both of which would immediately compromise the cryptographic verification. You *do* verify your binaries against the signature, check that the signing/master key has been published in different places, etc, right? It's the same instructions Qubes, and other projects like Tor, Tails, Debian, provide.


5) **The threat of tampering with the binaries, doesn't require a sysadmin, let alone an Australian one**. Anyone hacking the Whonix website/wiki/forum, or something in Linux itself (remember attacks like Shellshock etc), or someone with physical access to the server (which I don't have), would result in the same compromise. This was already the case, and is the same risk affecting all upstream components you rely on when you run Whonix: (Debian infrastructure, Tor Project infrastructure, Github, Mozilla infrastructure for TB's Firefox base, Qubes if you use it with Whonix, etc).

I trust the OP has sent equivalent emails to all the above, as well as the hardware providers/firmware developers of the device they use, because if you've decided you need to trust the Whonix infrastructure, you need to also trust all the above too (at all times, since forever, and forever more), otherwise it's a moot point.

To reiterate:

1) the ways in which the server could already be compromised, don't even require the sysadmin, regardless of their nationality. Assume it's already compromised (as Qubes says about their own infrastructure)
2) tampering with the binaries/apt packages would be evident by them no longer verifying properly, cryptographically - the same defense that all projects, including Qubes, rely on.
3) the sysadmin can't modify the source code and has no access to signing or master keys

> honest risk assessment of the new situation in Australia (it is new, simply is) needs to be done correctly

Done, see above.

I greatly appreciate the OP's concern, if genuine. It's a dreadful law and I hope it's repealed. I think it's great that people want to discuss it - more of that needs to happen. Especially in Australia.

But the OP looks to have made a critical error in assuming (without merely asking first) that one of the above points is not the case. Further confusion has persisted about 'the dev' when in fact the sysadmin is not a Whonix dev. These are wrong assumptions. There is no new threat that didn't already exist, and that doesn't even require a sysadmin to carry out.

Cheers
Mig

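The verification model in points 2) to 4) of the message above, as an added example that is not part of the post and not Whonix's or Qubes' own tooling: the download server is treated as compromised, and the client compares a check that trusts the key served next to the file with one that first matches the key against a fingerprint published in several places. Lamport one-time signatures over SHA-256 stand in for OpenPGP so the code runs with the Python standard library alone; all names, channel labels and byte strings are constructed for illustration.

```python
import hashlib
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Stand-in signature scheme (assumption: Lamport one-time signatures, chosen
# only so this runs offline; real releases are signed with OpenPGP).
# A Lamport key pair must sign exactly one message.
def keygen():
    secret = [[secrets.token_bytes(32) for _ in range(256)] for _ in (0, 1)]
    public = [[sha256(s) for s in row] for row in secret]
    return secret, public


def digest_bits(message: bytes):
    n = int.from_bytes(sha256(message), "big")
    return [(n >> i) & 1 for i in range(256)]


def sign(secret, message: bytes):
    # Reveal one of the two secrets per digest bit.
    return [secret[bit][i] for i, bit in enumerate(digest_bits(message))]


def signature_valid(public, message: bytes, signature) -> bool:
    bits = digest_bits(message)
    return len(signature) == 256 and all(
        sha256(signature[i]) == public[bit][i] for i, bit in enumerate(bits)
    )


def fingerprint(public) -> str:
    return hashlib.sha256(b"".join(h for row in public for h in row)).hexdigest()


def pin_fingerprint(published: dict) -> str:
    """Accept a fingerprint only if at least two independent channels agree."""
    if len(published) < 2 or len(set(published.values())) != 1:
        raise ValueError("fingerprint sources are too few or disagree")
    return next(iter(published.values()))


def naive_verify(server: dict) -> bool:
    """Weak check: trusts whatever key the download server hands out."""
    return signature_valid(server["key"], server["image"], server["signature"])


def pinned_verify(server: dict, pinned: str) -> bool:
    """Hardened check: the served key must match the pinned fingerprint first."""
    if fingerprint(server["key"]) != pinned:
        return False
    return signature_valid(server["key"], server["image"], server["signature"])


def run_scenarios() -> dict:
    # Constructed data. The secret key lives on the build machine only;
    # the server receives the image, the signature and the public key.
    secret, public = keygen()
    image = b"constructed-release-image-v1"
    honest = {"image": image, "signature": sign(secret, image), "key": public}

    # Hypothetical channel names; each carries the same fingerprint.
    pinned = pin_fingerprint({
        "project-wiki": fingerprint(public),
        "keyserver": fingerprint(public),
        "mailing-list-archive": fingerprint(public),
    })

    # Case 1: the image is modified on the server, signature left as uploaded.
    tampered = dict(honest, image=image + b"-modified")

    # Case 2: image, signature and key on the server are all replaced with a
    # self-consistent set made with a different key pair.
    other_secret, other_public = keygen()
    other_image = b"constructed-replacement-image"
    swapped = {"image": other_image,
               "signature": sign(other_secret, other_image),
               "key": other_public}

    # Each value is (naive_verify result, pinned_verify result).
    return {
        "honest": (naive_verify(honest), pinned_verify(honest, pinned)),
        "tampered": (naive_verify(tampered), pinned_verify(tampered, pinned)),
        "swapped": (naive_verify(swapped), pinned_verify(swapped, pinned)),
    }


if __name__ == "__main__":
    for name, (naive, pinned_ok) in run_scenarios().items():
        print(f"{name:9s} naive={naive!s:5s} pinned={pinned_ok}")
```

Only the swapped case separates the two checks: a full replacement verifies against the key served with it and fails against the pinned fingerprint, which is why the fingerprint has to come from somewhere other than the download server.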

cooloutac

Feb 20, 2019, 1:15:45 AM2/20/19
to qubes-users
I read that whonix thread. Still not sure why whonix doesn't have a canary. What could it hurt? Any aspect of the project could be compromised for any reason. That's the same as people saying I have nothing to hide so why worry. In the other thread Patrick says US laws affect all countries.

And don't feel bad. Patrick banned me from the forums too once a long while ago. I told him I'd never post there again and never did. lol.

I was constantly having issues with whonix. You are a target just for using it. You really have to pay attention when you are updating it.

Still never understood why the user qubes-whonix left the project in flamboyant fashion claiming it was just a "cool experiment" and its "security was not taken seriously" ...

I stopped using whonix after the annoying clock issue. And then couldn't be troubled to install the latest version and just removed it instead.

I'm sure it has its purposes and some people need it. But I don't. The websites I use qubes for ban tor or it just has no benefit. Anonymity is different than privacy.

qube...@tutanota.com

Feb 20, 2019, 4:17:45 AM2/20/19
to cooloutac, qubes-users
I trust Whonix the same as I trust Qubes and TAILS, or Debian, Fedora, Xen. I don't have enough intelligence, that would convince me otherwise. And I do research quite often when periodically adjusting my FMECA. Which is just a professional deformation.
Every project, however secret, secure, top notch it seems to be, is vulnerable this or that way, and will always remain so. Some of the attacks are common, some are specific. Once old attacks are covered, new emerge. That is life. Disregard a project, only because one of the emerging attacks, is pathetic (I know not your case, you have different reasons mentioned), as this attack (Aussie law like, or malicious dev) is possible for every other project too, including your refrigerator, assembled on the production line with malicious guy, willing to do evil. Living somewhere in cave is not a solution.

Interestingly I don't have much problem with Whonix in Qubes, and I like it very much. Working very well. I use it on daily basis as my primary template in Qubes, for my company management, email, chat, browsing, research, and privately as well, because I believe that anonymity is a very strong security attitude to threat mitigation, even I understand well the limitations of Tor and Whonix as well. They are clear about what they can do and what not. Are they a magical wand, solving all problems of the world? No, and they don't claim that.
Most of the time I try to prefer connections to .onion websites rather than clearnet, because I don't see any benefit from exposing myself to surveillance capitalism. I like v3 onions, and prefer to use it wherever possible. I love to see myself as a person, not as a product. When chatting on XMPP with OTR I use .onion server for my identity and ask the other site to do the same, as I don't see any benefit using clearnet server. Tor allows me to mitigate some risks, and of course opening me to another ones. This comparison is still putting the weight *for-tor-whonix-in-qubes*. Others may have it different, depending on one's OPSEC and one's willingness to give his/her life away for free to any random observer.

I hope Whonix will go on further with their excellent job, same as Qubes or TAILS or Torproject.

I would just stress out the importance to include the high-risk, high-impact emerging threats into their threat model and try to mitigate these risks same way, as other risks included there already - recognized. If you set up your bullet-proof environment and then by crossing a nation border just breaks it down by one simple question of the officer, then resistance of your security setup is extremely weak and breakable any time. More and more states will go on with these attacks in the near future. Australia is only the first one to make it so clear. There are tools and ways available for mitigation, for Plausible Deniability for example, like Hidden Operating System, Hidden Volumes, but are not included in the standard package of the projects yet. If I was a programmer, I would sure contribute, but I am not. And so the only point is to mention it, and try to stress it enough, to motivate people with skill-set to contribute for all of us.




Feb 20, 2019, 6:15 AM by raah...@gmail.com:

Patrick Schleizer

Feb 21, 2019, 4:16:52 PM2/21/19
to qubes...@googlegroups.com
cooloutac:
> I read that whonix thread. Still not sure why whonix doesn't have a canary. What could it hurt? Any aspect of the project could be compromised for any reason. That's the same as people saying I have nothing to hide so why worry. In the other thread Patrick says US laws affect all countries.
>
> Patrick banned me from the forums too once a long while ago. I told him I'd never post there again and never did. lol.

"banned" is wrong. Ban referring to a block from posting to Whonix
forum. That was never the case.

Reference:

https://forums.whonix.org/t/forward-and-reverse-dns-dont-match-up/2147

cooloutac

Feb 22, 2019, 6:04:01 PM2/22/19
to qubes-users

Ok well then I banned myself before flipping out lol. I'm sure I have more threads than that.

But I for one wouldn't trust you the same as trusting someone like Marek. And that's what it boils down to. You are a little too emotional and have multiple agendas in your life. But at least you're not as bad as the subgraph os guy. And hey I wouldn't trust me if I was running a project either lol.

Nor would I trust it as much as a project like debian that has so many more free software eyes on it.

Every time I came to you with a problem you had an attitude. I never experienced that on qubes forums. And updating whonix is so sketchy and such a pain in the ass I gave up on it. I have no need for it. I think it creates more security problems than it solves in qubes.

cooloutac

Feb 22, 2019, 7:17:10 PM2/22/19
to qubes-users

You could live like a monk. Which is the only way to be truly secure, but you would be missing out on many life experiences. But to each his own.

Like I said, I was using tor to check certificates and update my qubes. But it's so damn slow, the whonix qubes is always so sketchy with errors, and there isn't much support help for it. So I stopped using it.

I'm a gamer and I'm talking to you from a non hardened windows 10 machine right now lmao.. Qubes is my family machine and for more sensitive tasks. And mostly for sites that block tor. Like banking, I shop online for example, download files from USB disks, it's for daily tasks besides entertainment.

Don't most IRC networks even block tor now? Tor to me is almost dangerous to use.

I'd only use tor as my daily connection right now if I was fearing for my life or fear of imprisonment. And then I'd probably be using tails with a disposable flash drive.

I think a lot of the problems in society stem from the fact we apply different principles and morals to the physical world from the digital realm. They really are not different at all no matter how much people treat them differently. Now these false sense of entitlements are carrying over to the physical world and it's scary. When it really should be the other way around.

The reason why I say privacy and anonymity are two diff things, and way apart from security, is for example if I log into a facebook .onion site. It's still my identity. All that information about you is still being sold to ad agencies. Governments are still watching it. The only benefit I can see, is again, people hiding their location for fear of their life or imprisonment.

And actually by using it you are using up bandwidth those people could be using, just to feel special.

cooloutac

Feb 22, 2019, 7:23:28 PM2/22/19
to qubes-users
and it would still require a lot more discipline and restraint not to post exposing information about yourself online, that would defeat the purpose of using something like facebook or twitter imno. Again not something I could see practical for daily life. Are there propagandists and government agents on these sites. Of course, but even they have a separate personal digital life somewhere. The world is getting faker by the minute, we don't need more fakes.

Patrick Schleizer

Feb 22, 2019, 9:49:07 PM2/22/19
to qubes...@googlegroups.com
cooloutac:
> The reason why I say privacy and anonymity are two diff things, and way apart from security, is for example if I log into a facebook .onion site. It's still my identity. All that information about you is still being sold to ad agencies. Governments are still watching it. The only benefit I can see, is again, people hiding their location for fear of their life or imprisonment.

Alternative end-to-end encryption without TLS certificate authorities
involved.

> And actually by using it you are using up bandwidth those people could be using, just to feel special.

Citation required.

At no point Tor Project had the position that people should limit
themselves if possible, except for Bittorrent traffic. On the contrary.
They welcome Tor adaption.

See PDF:

Anonymity Loves Company: Usability and the Network Effect

By Roger Dingledine and Nick Mathewson (Tor founders and core developers)

https://freehaven.net/anonbib/cache/usability:weis2006.pdf

Patrick Schleizer

Feb 22, 2019, 10:50:33 PM2/22/19
to qubes...@googlegroups.com
Reminds me, would be good to have OpenPGP signed websites all over the
internet. Unfortunately there is no project working towards it.

https://www.whonix.org/wiki/Dev/OpenPGP_Signed_Website

awokd

Feb 22, 2019, 10:50:54 PM2/22/19
to qubes...@googlegroups.com
cooloutac:

> The reason why I say privacy and anonymity are two diff things, and way apart from security, is for example if I log into a facebook .onion site. It's still my identity. All that information about you is still being sold to ad agencies. Governments are still watching it. The only benefit I can see, is again, people hiding their location for fear of their life or imprisonment.

You listed one of the more common Tor benefits in your own paragraph-
many people also use it for every day browsing to avoid most of that
commercial information gathering and resale.

cooloutac

Feb 28, 2019, 1:03:51 AM2/28/19
to qubes-users

Meanwhile you are taking up bandwidth from people who are fearing for their life or imprisonment. Maybe you're getting someone killed to stick it to the ad agencies. Seems selfish and silly to me, and not a reason to be using tor.

cooloutac

Feb 28, 2019, 1:05:32 AM2/28/19
to qubes-users

Meanwhile without ad agencies we wouldn't prolly even have an internet. I can get into that if you want lol. But i'm more worried about my medical history being sold. My credit and personal and financial information... Not what I browse or shop for. come on...

haaber

Feb 28, 2019, 1:43:28 AM2/28/19
to qubes...@googlegroups.com
I cannot follow your argument. On the contrary: one cannot well hide
inside a system that contains *only* people who need to hide, right?
Correlations of users and packets are too high and one is immediately
uncovered. This means that a good amount of traffic is literally
*needed* so that some people who rely on it have a chance to disappear
in the haystack ! Using the tor network for standard browsing is
therefore good, and encouraged. It is also encouraged to support the tor
infrastructure (by a donation, for example) :))

cooloutac

Feb 28, 2019, 12:44:34 PM2/28/19
to qubes-users

well that's a good point. and you do need people around the world to use it I guess even in countries of people that do not fear imprisonment.

The thing is so slow though that i'm sure people die every day relying on it.

cooloutac

Feb 28, 2019, 12:45:45 PM2/28/19
to qubes-users
It needs expanding, I'd say there's too many people using it that don't need to.

cooloutac

Feb 28, 2019, 12:47:06 PM2/28/19
to qubes-users
I can definitely see journalists in these times in America needing to use it. activists, etc...

awokd

Feb 28, 2019, 5:49:20 PM2/28/19
to qubes...@googlegroups.com
cooloutac wrote on 2/28/19 5:45 PM:
> [Tor] needs expanding,
>
Sounds good to me! But there is plenty of spare bandwidth already:
https://metrics.torproject.org/bandwidth-flags.html.

I believe there are occasional hostile exit nodes, but if you have to
trust the infrastructure/Internet in general, you are doing it wrong.
Like a lot of things in security, you have to figure out the trade-offs
and develop a solution that works for you. If performance is more
important in your application than anonymity, then Tor is probably not
the right choice for you. However, others have different priorities.

cooloutac

Mar 1, 2019, 3:23:18 AM3/1/19
to qubes-users

Why is it so painfully slow then. It doesn't seem practical to use at all for daily activities. Even using it to update fedora was horrible. Not to mention whonix constantly timing out. I can't be alone in thinking this.

If you are actually waiting 5 mins to log into facebook, you better be fearing for your life. Not trying to stop google from tracking you lmao...

10 mins can also cost a life.

cooloutac

Mar 1, 2019, 3:40:07 AM3/1/19
to qubes-users
I mean I do know a lot of debian users who never log into anything online. They don't shop online, bank online, facebook, twitter, would never dare step foot on a google mailing list. They don't do anything on their pc basically. I would have committed suicide a long time ago living like that.

I can't be anonymous online I guess is my point for most of my daily activities, and nobody is hunting my physical location. And even if they were they could find me easily.

I care more about performance for sure. And the security of my hardware and data from remote attacks.

cooloutac

Mar 1, 2019, 3:45:18 AM3/1/19
to qubes-users
I really believe using tor actually puts my hardware and data more at risk.

You say tor has plenty of bandwidth to go around, but it certainly doesn't feel like that. and I don't want to be using up bandwidth somebody else truly needs.

I was using tor sometimes for updating qubes, but it was too slow. I was using tor to go to youtube, so videos I watched didn't pop up on my family's screen on the same ip.

But from this day forth i will abstain from using tor in the future.

qube...@tutanota.com

Mar 4, 2019, 9:55:15 AM3/4/19
to cooloutac, qubes-users



Feb 23, 2019, 12:17 AM by raah...@gmail.com:

> You could live like a monk. Which is the only way to be truly secure, but you would be missing out on many life experiences. But to each his own.
>
> LIke I said, I was using tor to check certificates and update my qubes. But its so dam slow, the whonix qubes is always so sketchy with errors, and there isn't much support help for it. So I stopped using it.
>
> I'm a gamer and I'm talking to you from a non hardened windows 10 machine right now lmao.. Qubes is my family machine and for more sensitive tasks. And mostly for sites that block tor. Like banking, I shop online for example, download files from USB disks, its for daily tasks besides entertainment.
>
> Don't most IRC networks even block tor now? Tor to me is almost dangerous to use.
>
> I'd only use tor as my daily connection right now if I was fearing for my life or fear of imprisonment. And then I'd probably be using tails with a disposable flash drive.
>
> I think a lot of the problems in society stem from the fact we apply different principles and morals to the physical world from the digital realm. They really are not different at all no matter how much people treat them differently. Now these false sense of entitlements are carrying over to the physical world and it's scary. When it really should be the other way around.
>
> The reason why I say privacy and anonymity are two different things, and way apart from security, is, for example, if I log into a Facebook .onion site, it's still my identity. All that information about you is still being sold to ad agencies. Governments are still watching it. The only benefit I can see, is again, people hiding their location for fear of their life or imprisonment.
>
> And actually by using it you are using up bandwidth those people could be using, just to feel special.
>

Regarding your issues with whonix, maybe it is about your HW or SW settings. I actually have no issue at all here. I only struggled to move from whonix-13 to whonix-14 a bit, but I got support here, so now it is just perfectly smooth.

My mindset is maybe a bit different from yours. I consider my life and all its emissions to be private, owned by me, and valuable. So I have to have a very good reason to share any of it with someone. I use services which don't have a problem with Tor. If they do, I don't use them. IRCs block certain exit nodes so you need to switch identity till it works.

The danger of using Tor comes from your threat model and what poses more risk for you - to be potentially flagged as a Tor user, or to be completely exposed and profiled by an unknown number of entities, organizations, individuals and having your life shared, traded or potentially even "adjusted", for later misuse. For example, I don't have any benefit from feeding the AI of Cambridge Analytica-like orgs, so they can manipulate elections with it. So my default setup is to be consciously anonymous, or semi-anonymous, unless I have a good reason not to be.

To your Facebook example. If you use Facebook (even over its .onion), you are exposed to the service, as is the case with all other services. Now if you use the Facebook service, you already show your trust in it, and you had to consider their behavior in your trust model. You use it, which means you somehow trust them. In this scenario you try only to mitigate the risk of being exposed to your ISP or any random entity monitoring your dataflow. So it is perfectly ok. Using .onion you get there. If you believe Facebook will sell your data, which they absolutely do, no kind of tech will help you - not a Tor or Whonix issue.

Morals are very important. I mean only the real morals, executed freely without fear, matter. Therefore I believe that morals that are executed based on fear of others, fear of society's reaction, fear of law, fear of being ostracized, and similar auto-censorship reasons, are just useless false facades, posing a huge threat to the understanding of the true state in which the society really is.
Tor and also its .onions make it possible to be yourself, to express what you really feel and think, without any artificial self-regulation. And so I see the real state of the society is much more reflected in the anonymous channels, than in Facebook-like spaces, with its manipulations and social engineering and trying to paint the world with their pink. And no amount of their apologism can ever justify that.



qube...@tutanota.com

Mar 4, 2019, 10:04:38 AM
to cooloutac, qubes-users



Feb 23, 2019, 12:23 AM by raah...@gmail.com:

> and it would still require a lot more discipline and restraint not to post exposing information about yourself online, that would defeat the purpose of using something like facebook or twitter imno. Again not something I could see practical for daily life. Are there propagandists and government agents on these sites? Of course, but even they have a separate personal digital life somewhere. The world is getting faker by the minute, we don't need more fakes.
>

This: "The world is getting faker by the minute, we don't need more fakes."

I can't agree more, cooloutac. Let's then not engage in the services which are faking everything with their censorship, manipulations, social engineering, surveillance, human rights violations for their profit and other uncountable malicious reasons, which are today very well documented. Let's use .onion sites for expressing your opinions instead. Where you can just finally come, and say what you fucking really think about the matter openly in your real words, without any fake poses forced on you. And get real, uncensored feedback too. Does this make sense?



qube...@tutanota.com

Mar 4, 2019, 10:06:47 AM
to Patrick Schleizer, Qubes Users



Feb 23, 2019, 3:50 AM by patrick-ma...@whonix.org:

> Reminds me, would be good to have OpenPGP signed websites all over the
> internet. Unfortunately there is no project working towards it.
>
> https://www.whonix.org/wiki/Dev/OpenPGP_Signed_Website
>

Absolutely yes. What is the biggest hindrance to make it more widespread IYHO?



cooloutac

Mar 4, 2019, 11:32:59 AM
to qubes-users

Issues like having to manually update all the time to new versions by reinstalling are a real pain. Not very user friendly. Fact I was getting clock errors, etc. But most of the issues have to do with tor. DNS not matching, updates taking a long time or timing out, invalid signatures. It's because tor users are targeted.

cooloutac

Mar 4, 2019, 11:38:18 AM
to qubes-users
On Monday, March 4, 2019 at 10:04:38 AM UTC-5, qube...@tutanota.com wrote:

If you notice I'm not afraid to express myself without Tor. Anonymity in this way is cowardly and usually a bad thing. Leads to people acting and behaving in ways they normally wouldn't because they know they are not respectful. Some examples are why e-sports is not a billion dollar industry like athletic sports. It's why social media has had overly negative impacts in recent years.

If people aren't accountable for their actions we wouldn't be living in a very nice world.

cooloutac

Mar 4, 2019, 11:46:26 AM
to qubes-users
The internet was amazing in the 90s and early 2000s. Then chatroom and forum trolls and Russian spammers infested everything. And it all crashed and died.

IMO the internet is now called Facebook, Instagram, Twitter and YouTube, because it's the corner Americans have been backed into. But now that is also under attack, and the negatives are starting to outweigh the positives, so it will be interesting what the future holds.

Just like Tsutomu Shimomura, I believe the same morals and principles we apply in the physical realm need to be applied to the digital realm before anything changes for the better. People feel way too entitled and untouchable.

But before that happens it's probably only going to get worse.

Patrick Schleizer

Mar 12, 2019, 11:38:36 AM
to qube...@tutanota.com, Qubes Users
qube...@tutanota.com:
> Feb 23, 2019, 3:50 AM by patrick-ma...@whonix.org:
>
>> Reminds me, would be good to have OpenPGP signed websites all over the
>> internet. Unfortunately there is no project working towards it.
>>
>> https://www.whonix.org/wiki/Dev/OpenPGP_Signed_Website
>>
>
> Absolutely yes. What is the biggest hindrance to make it more widespread IYHO?

Speculation:

- lack of developer manpower
- lack of problem awareness
- lack of a real world case where such an incident happened which was
then widely popularized

vadimkly...@gmail.com

Mar 15, 2019, 5:31:08 AM
to qubes-users
OP here.

I unreservedly apologize to Patrick and mig5 for making this post. The work you do on the whonix project is of incredible value and I think my post here has led to a discussion that I now regret instigating. None of the broader issues I raised are whonix specific. It was unfair to single out Patrick and his fantastic team. My post was reactive and without much thought.

More broadly I do advocate the position that if a country passes anti-sec laws the global tech community should attach a price to such action. The cost of exclusion from potential job markets and opportunities would not only put pressure on Australia to reconsider its position but deter future countries from following the same path, which has in my view got no good outcome.
