Whonix Yes or No


jrsm...@gmail.com

Feb 17, 2019, 4:49:50 PM
to qubes-users
Reading through the post questioning the trustworthiness of Whonix, I can't tell whether we can continue trusting/using Whonix or not. Can someone (preferably in a position to speak for QubesOS), please state, in a straightforward and unambiguous manner, spell this out for us?

awokd

Feb 17, 2019, 5:06:34 PM
to qubes...@googlegroups.com
jrsm...@gmail.com wrote on 2/17/19 9:49 PM:
> Reading through the post questioning the trustworthiness of Whonix, I can't tell whether we can continue trusting/using Whonix or not. Can someone (preferably in a position to speak for QubesOS), please state, in a straightforward and unambiguous manner, spell this out for us?
>

I don't speak for QubesOS, but yes, Whonix is as trustworthy as any
other open source project. I see no reason to discontinue use. Patrick's
and Xaver's replies already covered anything I'd add. No point jumping
at shadows painted by someone who has never before posted anything here,
or anywhere else as far as I can tell.

Stuart Perkins

Feb 17, 2019, 5:57:18 PM
to qubes...@googlegroups.com, awokd
Agreed. That said, heed the warning of tor itself. No guarantee of "strong anonymity". If it can be transmitted over the internet, it can be hacked.

Xaver

Feb 17, 2019, 7:24:15 PM
to jrsm...@gmail.com, qubes-users



On Sunday, February 17, 2019 9:49 PM, <jrsm...@gmail.com> wrote:

> Reading through the post questioning the trustworthiness of Whonix, I can't tell whether we can continue trusting/using Whonix or not. Can someone (preferably in a position to speak for QubesOS), please state, in a straightforward and unambiguous manner, spell this out for us?

(Fedora, Xen, Qubes) According to the OP of that thread, if any developer from the aforementioned projects lived in Australia, or any other country that could force a person to backdoor software would effectively destroy the credibility/trustworthiness of Qubes.

(Debian, Tor, Mozilla) According to the OP of that thread, if any developer from the aforementioned projects lived in Australia, or any other country that could force a person to backdoor software would effectively destroy the credibility/trustworthiness of Whonix / Tails.

...

Should I keep going or do you get the point? To be straight, nothing has changed except for the realization that you maybe never trusted the project in the first place. What if it was a Qubes that was singled out from countless other projects? Or TAILS or Tor or Debian or Fedora or even Linus Torvalds? Is your "trust" so easily swayed?



22...@tutamail.com

Feb 18, 2019, 12:18:10 AM
to qubes-users
I still trust Whonix...but the aussies, well you still got to watch them regardless! :)

r...@posteo.de

Feb 18, 2019, 4:38:52 AM
to qubes-users
On 2/17/19 10:49 PM, jrsm...@gmail.com wrote:
> Reading through the post questioning the trustworthiness of Whonix, I can't tell whether we can continue trusting/using Whonix or not. Can someone (preferably in a position to speak for QubesOS), please state, in a straightforward and unambiguous manner, spell this out for us?

Personally, I don't trust Whonix. The decision to not trust Whonix is
not based on the sysadmin/aussie issue that came up recently on the
list. I'm simply not convinced that they are capable of designing and
writing secure software. Furthermore, there is no reason to use whonix
in the first place, especially when you are using Qubes. Creating a tor
netvm is rather straight forward (and a dispvm that includes the Tor
Browser if you like to use that as well). If there is enough interest, I
can also write up a summary on how to do that in Qubes.

Regards

kitchm via Forum

Feb 18, 2019, 12:59:46 PM
to qubes...@googlegroups.com
I would suggest that one become familiar with what each
software does to protect privacy and security. (The EFF is
a good place to start.) Understand and consider carefully
the words used by groups like TOR to explain what they can
and cannot do.

The good news is that the cannot do's are small, while the
good software, like Qubes/Whonix and Tor Browser, take care
of the vast majority of problems. What is left over is
simply what you can take care of yourself by taking steps
the experts recommend.

One must employ all the parts to be safe, and each is
important in its own way. Forgetting a part is what dooms
us. Automating this process is paramount, even if you have
to make a list for yourself. Forget something at your
peril. And it doesn't take much.

As an example, you need not worry about the Internet if you
are not a target (get lost in the crowd), you are not being
provocative in some manner, you practice good safety and you
never, ever associate your real name and location with
anything you do publicly. We often forget about all our
communications, such as telephones. For instance, never use
a smart phone because Android is controlled by Google and
there is still no known way to completely lock it down. And
never start a new persona that can be connected with
yourself by incorporating some part that was previously
used. Phone, text, subscription, purchase history,
location, etc., etc.

Kevin Mitnick's book entitled "The Art of Invisibility" is a
must read.

You can protect yourself and you can be anonymous.
Remember, when in doubt, don't.

ashleyb...@tutanota.com

Feb 19, 2019, 11:05:38 AM
to r...@posteo.de, qubes-users

> Personally, I don't trust Whonix. The decision to not trust Whonix is
> not based on the sysadmin/aussie issue that came up recently on the
> list. I'm simply not convinced that they are capable of designing and
> writing secure software. Furthermore, there is no reason to use whonix
> in the first place, especially when you are using Qubes. Creating a tor
> netvm is rather straight forward (and a dispvm that includes the Tor
> Browser if you like to use that as well). If there is enough interest, I
> can also write up a summary on how to do that in Qubes.
>
> Regards

Please, it would be greatly appreciated. Especially on how to ensure no clear traffic happens and that it only goes over tor.

awokd

Feb 19, 2019, 12:46:02 PM
to qubes...@googlegroups.com
ashleyb...@tutanota.com wrote on 2/19/19 4:05 PM:
>
>
>> Creating a tor
>> netvm is rather straight forward (and a dispvm that includes the Tor
>> Browser if you like to use that as well). If there is enough interest, I
>> can also write up a summary on how to do that in Qubes.

>
> Please, it would be greatly appreciated. Especially on how to ensure no clear traffic happens and that it only goes over tor.

What you're describing is one of the primary goals of Whonix. They have
also done a lot of work around anonymizing applications and time sync,
which I doubt the procedure above will cover. Unless you know and are
prepared to address the possible anonymity compromising details of the
individual applications and distribution you are planning on using (see
https://phabricator.whonix.org/maniphest/query/all/ for ones they've
considered), it's likely safer to stick with Whonix. See also
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Trust
for a longer discussion on Whonix and trust.

r...@posteo.de

Feb 19, 2019, 6:49:58 PM
to qubes...@googlegroups.com
On 2/19/19 6:45 PM, 'awokd' via qubes-users wrote:
> ashleyb...@tutanota.com wrote on 2/19/19 4:05 PM:
>>
>>
>>> Creating a tor
>>> netvm is rather straight forward (and a dispvm that includes the Tor
>>> Browser if you like to use that as well). If there is enough interest, I
>>> can also write up a summary on how to do that in Qubes.
>
>>
>> Please, it would be greatly appreciated. Especially on how to ensure
>> no clear traffic happens and that it only goes over tor.
>
> What you're describing is one of the primary goals of Whonix.

Right. I have no trust in their capability to design and write secure
software nonetheless.


> They have
> also done a lot of work around anonymizing applications and time sync,
> which I doubt the procedure above will cover. Unless you know and are
> prepared to address the possible anonymity compromising details of the
> individual applications and distribution you are planning on using (see
> https://phabricator.whonix.org/maniphest/query/all/ for ones they've
> considered), it's likely safer to stick with Whonix. See also
> http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Trust
> for a longer discussion on Whonix and trust.

Clock synchronization over Tor is not rocket science and pretty much
straight forward. Furthermore, if you need to ensure that separate Tor
paths are used for particular applications, you can either simply use
separate Tor netvms or depend on handcrafted, error prone circuit
isolation in Whonix. I'd prefer the former, simpler option but YMMV.

Regards

awokd

Feb 19, 2019, 7:44:18 PM
to qubes...@googlegroups.com
r...@posteo.net wrote on 2/19/19 11:49 PM:

> Clock synchronization over Tor is not rocket science and pretty much
> straight forward.

True, but do the clocks in your client AppVMs differ from each other and
your main system's time? If not, they can possibly be correlated.
Rolling your own solution is great if you are comfortable with that, but
I think it's a bit reckless to suggest as a blanket approach to people
who may not be aware of the consequences. Agreed, YMMV!

unman

Feb 19, 2019, 9:12:45 PM
to qubes-users
Have you looked at the qubes-tor package and www.qubes-os.org/doc/torvm?
- that page is removed from the menu but still available.
The qubes-tor package is OK but with some tweaking makes a solid
replacement for Whonix gw - certainly for live images and machines with
limited RAM.
imo the decision to deprecate that package and then remove all reference
to it from the docs was a mistake.

unman

cooloutac

Feb 20, 2019, 12:50:52 AM
to qubes-users
I stopped using whonix a while ago. I wasn't huge on tor to begin with. I was more in line with how Joanna originally felt about it. The only time I used tor was to check security certificates. Then after the issue that happened a year or two ago started using it as updatevm. But whonix kept giving me so many problems, is so darn slow, and was constantly feeling sketchy to me I stopped using it after the latest issues with clock, and then the latest version I didn't even bother troubling with.

I'm sure it has valid use cases but personally for me I have no need for it. Most sites I go to on the computer I don't need tor or tor is not even allowed. And I still feel anonymity and privacy are two diff things.

John Smiley

Feb 20, 2019, 8:52:20 AM
to Xaver, qubes-users
Thanks for all your responses and thoughts. You have presented multiple thoughtful easy ways to think about this in plain English while politely pointing out the flaws in the originally posed scenario. Although there were several no’s and I understand their choice, my answer is Yes.

r...@posteo.de

Feb 23, 2019, 12:38:00 PM
to qubes-users
On 2/20/19 3:12 AM, unman wrote:
> Have you looked at the qubes-tor package and www.qubes-os.org/doc/torvm?
> - that page is removed from the menu but still available.
>
> The qubes-tor package is OK but with some tweaking makes a solid
> replacement for Whonix gw - certainly for live images and machines with
> limited RAM.
> imo the decision to deprecate that package and then remove all reference
> to it from the docs was a mistake.

I fully agree.

See https://hackmd.io/JIXLStC-Sbq8rr1mjomCDQ for a first guide on a
simple tor gateway (sys-tor). Looking forward to discussions!

Regards


PS: I will continue to write up a more advanced guide that covers clock
synchronization over Tor, routing DNS requests of non-torified VMs
through Tor, and routing VM updates over Tor.

r...@posteo.de

Feb 23, 2019, 12:40:26 PM
to qubes-users
This is covered now here:
https://hackmd.io/JIXLStC-Sbq8rr1mjomCDQ

Regards

Andrew David Wong

Feb 23, 2019, 2:53:31 PM
to unman, qubes-users, Marek Marczykowski-Górecki
It's not true that all reference to TorVM was removed from the docs.
In fact, the intro section of our main Whonix page specifically
mentions TorVM and links to the TorVM page. [1]

As you know, the decision to deprecate TorVM was years ago, [2][3] and
it's been unmaintained ever since. Using it now could be dangerous,
unless you really know what you're doing.


[1] https://www.qubes-os.org/doc/whonix/
[2] https://github.com/QubesOS/qubes-issues/issues/1196
[3] https://github.com/QubesOS/qubes-issues/issues/1201

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


haaber

Feb 24, 2019, 6:36:24 AM
to qubes...@googlegroups.com
thank you for sharing this. Bernhard

unman

Feb 24, 2019, 8:38:37 AM
to qubes-users
I stand corrected Andrew.
But the page was removed from the menu and packages are no longer built.
That looks like removed to me, and goes beyond being "deprecated".

As far as being unmaintained, the package worked perfectly well, and the
errors reported were either generic Tor errors (as I pointed out) or
incorrect usage. The advantage of that package was its simplicity.

unman

Feb 24, 2019, 8:42:33 AM
to qubes...@googlegroups.com
If you want a packaged solution with similar functionality for stretch,
I package 3isec-tor at https://qubes.3isec.org
Add the stretch repository to your template and apt install 3isec-tor.

unman

cooloutac

Feb 28, 2019, 12:49:35 PM
to qubes-users

Keep your eye on this guy Andrew.
