Radoslaw Szkodzinski:
> [snip]
> Likewise, if an attacker cracks the FirewallVM, there's nothing that
> can prevent him from phoning home - even if he doesn't know the IP.
>
These statements aren't true. Be careful with what you say.
While the Firewall/TorVM can't access the MAC address, it can easily
access the real IP address.
Run the following in a TorVM/FirewallVM:
$ curl
ifconfig.me
If there are firewall rules on the vm that prevent that request, well,
the attacker has cracked the VM, so they run:
# iptables --flush
# curl
ifconfig.me
Having a physically separated router, as in one of the whoinix setups,
does prevent access to the real IP address.
Whonix and Qubes have different aims. Whonix wants to preserve anonymity
at all costs, Qubes aims to provide domain isolation on a single machine.
Of course you can achieve much of Whonix within Qubes (and better imho,
since Qubes is more secure by design).
Compare the security matrix of Whonix [1] with Qubes. Qubes fails on
every scenario with a VM popping vulnerability.
My point: if anonymity is your goal, then Qubes can help, but not out of
the box, and there are limitations you should be aware of.
~abel
[1]:
http://sourceforge.net/p/whonix/wiki/Security/#attacks