Allow discussion anonymous pentesting in Whonix forums?

Organization
1

Update
In short: banned

Like many tools, Tor / Whonix itself is a dual use tool. Due to Tor usage statistics (http://planete.inrialpes.fr/papers/TorTraffic-NSS10.pdf) and low rates of abuse, I believe that on average, Tor does more good than harm.

Are there any statistics on pentesting tools, on their good/harm ratio?

I am not sure the combination of anonymity and pentesting is a useful one. Which legitimate use cases come to your mind?

At the moment I believe making anonymous pentesting and more usable and popular (by using Whonix) would on average do more harm than good to the Tor network.

I am asking this, because here Whonix Forum a user asked how to use sqlmap (http://sqlmap.org). Sql pentesting, exploitation and even takeover tool. No obvious intention to do something evil by this user. There is no obligation for me to help with every specific question, but I am wondering it is a useful discussion to have in Whonix forums.

In past I wasn’t sure about this. I decided to simply not answer how to make port scanners work in Whonix and hoped they wouldn’t find out themselves, which they did (fortunately?) not. Obviously this isn’t a great policy.

Few arguments come to my mind. Not necessarily mine. Streisand effect (Streisand effect - Wikipedia). The other argument is, that bad guys already know how to do it, and to archive the good ones have the same chances, explain for everyone how to do it.

Any opinions?

2

Quite an interesting topic.

Since he is using Qubes + Whonix, it is obvious to us what his technical issue is.

He does mention that it is “his site” that he is pentesting against.

However, if it is truly “his own site” and is whitehat pentesting it, then why the need for Tor anonymity?

What comes to mind as possibilities, might be…

  • a) He defaults to using Tor for most everything due to his personal life privacy needs/wants.

  • b) He is pentesting against a .onion site of his own and needs/wants to test it over Tor.

  • c) He is concerned about others using the Tor network to anonymously attack his server, is looking to put server side Tor-specific rules/mitigations in place, and wants to test their effectiveness out under real-world Tor network conditions.

Of course, one can’t truly know what the use is truly for here, good or bad.

Also, Tor, Whonix, Tails, TorVM, corridor, etc, as tools, are ultimately more like “platforms” for tools/apps.

For all of the good use cases, we want our platforms to improve in ease of use.

Of course, the pentesting/exploit applications will and do continue to independently improve their ease of use.

I think ease of use for our platform should be pursued to the maximum for general purposes.

However, your specific concern about the combination of pentesting and anonymity platforms is a specific use case that I see why one would be hesitant about giving additional personal direction and support to.

Although, bad intending blackhats will likely figure how to run their exploit apps with Whonix or other anonymizing platforms regardless of being helped or not. And they can always come back with different identities and generalize their technical questions to try and get help out of you/us.

This instance was just bad luck for him that his particular connectivity issue has not been resolved in the general Qubes + Whonix platform yet. Most Whonix users and Whonix Qubes users throughout the future will have no problems getting their pentesting apps to run.

Anyway, those 3 listed possibilities were the ones I could think of for combining Tor anonymity and pentesting for legitimate whitehat purposes.

I’m going to hang back on this issue as well for now.

3

Whonix is a very useful distribution to protect the anonymity of all kind of users. Created for legitimate usage of course, but it would be reasonable to assume that blackhats uses it as well.

I think pentesting of personal sites is a legitimate usage and if it’s an hidden service only possible through tor. And it’s essential to offer a secure (public) website. I think it would be careless to leave such users behind.

Of course, there is no obligation to answer or help this kind of usage, but i strongly advise against censorship.

4

For questions like these, just refer them to discuss these topics on pen-testing forums and support lists for pentesting distros like Kali.

If they have particular comments on Whonix security or would like to help fuzzing they should be welcomed, but encouraged to report their findings to the concerned upstream projects (if its code not written directly by you).

No possible uses of Whonix, good or bad, should be attached to Whonix itself. As technologists we should focus only on that aspect of the project and nothing more.

1 Like
5

Probable they will redirect them to the Whonix Forum. :wink:

Well written!

6

i think your current method of simply ignoring it is working fine. quite simply, the user base here isn’t participating in in this forum for pentesting issues and most of the people who will ask questions like the sqlmap or nmap ones are obviously impatient and will likely give up on the topic fast.

another simple solution, assuming such topics ever become burdensome, is to point out that there are full linux distros out there for pentesting which can be run through the whonix gateway, and that questions related to such topics would make more sense at the forums for those distros, rather than the whonix forums.

7

this topic has a good title with what i was thinking. i was thinking about the same think on how to make a good deal with pentesting&anonymity. it is a great combination specially for BlackHat hackers. do u think Kali linux community is a good choice to talk with ?

8

By the definition from wikipedia (and commonly understood by me like that before also):

A black hat hacker is a hacker who “violates computer security for little reason beyond maliciousness or for personal gain.”

So, no. It would be terrible to attract attention of that sort.

10

Good day,

while I would say, that supporting people who would like to use Whonix in combination with pen-testing software for good (or at least without hinting upon them doing something harmful or illegal with it) should be done to the extent which we are capable of providing, the second something which in any way, shape or form could be illegal gets mentioned, this needs to be shut down. The thing is that, as Patrick is a citizen of Germany and responsible for this website, he would have to deal with § 202c of German law, which states:

Wer eine Straftat nach § 202a oder § 202b vorbereitet, indem er Computerprogramme, deren Zweck die Begehung einer solchen Tat ist einem anderen verschafft, verkauft, einem anderen überlässt, verbreitet oder sonst zugänglich macht, wird mit Freiheitsstrafe bis zu einem Jahr oder mit Geldstrafe bestraft.

To paraphrase this, what it tells us is the following:

People who in some way make software which COULD be used to sabotage a computer system accessible and then gets used in such a way are responsible for this and may face a one year prison sentence or a fine. The thing is, that this law is one of the worst phrased in the history of European legislation, as it leaves a lot of room for interpretation. What after all does “making accessible” (zugänglich macht) include? Making accessible can be anything, from providing a link, to helping with the setup. This law has just for this reason of being really badly phrased, been accused on multiple occasions of being harmful to the stand of Germany when it comes to the protection of computer systems (if you essentially make explanations for pen-testing illegal, because if someone misuses them, that’s just the result) and being the reason for a lot of legal debates. While the German government has stated multiple times, that the use of “hacking software” for pen-testing would be legitimate there is no real law suit, to make this clear for anyone affected and the law in this form is unchanged, even though if what the government said would be correct, changing it would be the proper reaction.

So, with this, we need to be very careful.

On another hand, there is a rather rampant problem in the “hacking community” which we would have to deal with in some way. There are the so called “script kiddies” after all, which aside from network administrators, are a big part of the people using pen-testing software, be it for often outright stupid reasons.

Have a nice day,

Ego

11

It must be ethical. Must be well defensible standpoints. Ones that are well defensible in front of the public, media, politicians, court, etc.

“We encouraged people who intent to harm others for fun or profit to use our software so they might help make us our software better.” is an unethical, utilitarian, indefensible standpoint. One that can contribute or ultimately lead to new legislation to ban any anonymity related software in the few remaining countries where it’s still legal.

So I prefer to concentrate on the majority legitimate use cases and to not help the highly problematic ones with little gain. The ones that are well defensible standpoints.

12

@Ego hmm thats really ridiculous law statement. and yeah we can understand it from 100 different angles. not well written , idiot government. do they write like these laws for the NSA base ? i wonder what does legal really mean in form of reality… (legal for them to do whatever they want but illegal for me to do whatever i want…how pathetic laws…).

also i would like to ask , how can anyone from the idiotic government make an issue of using whonix with kali as an example ? whonix doesnt provide anonymity by itself because it depends on Tor networks and whonix doesnt provide hacking tools because thats not what we want to do.so their problem with Tor & kali , plus our work will be still with Tor. so how come this even legally problematic?!

always following legal laws will make us accept backdoors in the soon time.also just saying legal legal legal and following it blindly…we wont be much different from the sheep. at least there is mental different between the human and the animal. but these laws r made by humans also like me and u. so we will be worst than the sheep in this case, because we r following human laws and we r realizing their mistakes tho we r still following it!!!

we should have points of stand for attack and defense purposes, or whonix will have narrow focuses.

@patrick yeah right , who said it must not be ethical? also why dont we say that we r encouraging ppl to do ethical pentesting without the need of revealing their identities ? isnt the same definition of anonymity on the internet ? also kali linux and similar distros r widely used with no issues, so why it will be issue for just to make it useable with whonix? is the government and the court really blind to that level so they make this as an issue?

lastly, i think we need to find a good company to defend whonix. before was on icons copyright now on hacking tools and i wonder, why not that we will have more and more in the future.

13

The backdoor law discussion is a separate one. ( https://forums.whonix.org/t/how-whonix-going-to-react-with-these-actions/916 ) For now there is no such law here and also none planned. If there was, then it would most likely mean to shut down Whonix - with the only option to try fight it through media attention and the court system. If that failed, and Whonix was not shut down, and if I didn’t comply, then they would simply put me into prison. Not worth it. Not being sheep while being surrounded by a massive amount of sheep is heroic, but only ends up in prison.

There are some courts that have demonstrated to not fully understand technology. So it’s best to make the arguments simple.

I don’t think it’s possible to “find company to defend whonix” before anything actually happened. I’ve never seen a motion to start without having the problem actually manifest in reality already. Once… If something happens, we can start contacting all sorts of people, start a crowd funding, speak to media, talk to lawyers and so forth. But in advance there is no support for that.

14

well hmm i dunno what to tell u … if i say ok then let us contact the security penetration distros since there is no actual things going to happen, tho here i will give a small might possibility of having problems in the future (because there is no guaranteed standing point on how the government going to react with that). and if i say no and leave it , then here im denying it with no actual problems we have faced or received at the first place which will lead to non-sense statement to deny this feature…

this is really confusing when there r laws made on the internet programs.

loosing this feature to be supported officially , like documenting how to use whonix with X distro as workstation for pentesting or …etc will for sure give negative results on whonix fans increasement ratio.

tho, this wont stop things like “how to DDOS the department of justice website anonymously with whonix” …etc. actually it is really not related. but then we dont want anyone in prison. so yeah, accepting the non-sense denying seems to be safer …

15

Good day,

According to the “BND-NSA-Selector-List-Scandal”, over which the Austrian government currently tries to sue the German one, that is reasonable to think…

Kali could be used for things which are illegal. And, “making accessible” could, according to multiple law experts, already apply once there are instructions given on how to use it in combination with software provided by this project.

Like I’ve said, according to the flimsy definitions which this law may make possible, those in charge of it could be fined simply for providing help, even though illegal use was prohibited. There has never been any comment on things like a disclaimer, where the creator distances himself from whatever is done with his creation. However, like I’ve said, the government has issued statements claiming a lawsuit would be dismissed in such a case but until a higher court rules such a verdict, nothing is safe unless a laywer is intagreated into the discussion. However, such a laywer would also have to agree to definetly be in charge of the defense once “shit hits the fan”. And they usually don’t do such a service for free, if Sempervideo (the most famous German Youtube-Channel for Pentesting) is to believe. Just for this reason, they have a law expert who, according to them, checks each and every of their videos before they upload them…

This actually is a very interesting thought which I would like to comment on in detail:

You see, living in a democracy is somewhat similar to eating at an all-you-can-eat buffet, in the way that no matter what you say/believe/want, since the majority has voted for the people in charge (or in the buffet example the cook who creates the menus), you’ll always have to accept or pay for certain things you don’t like. If you can get enough people to think that salad should be banned from the buffet you can get them to vote differently next time. However, until that happens, everything stays the way it is. And, just like you’ll have to pay for the salad even though you hate it, in a state like Germany, you’ll have to pay taxes for something you don’t want them to be used for and have to accept laws even though in your eyes they don’t make sense. Now the problem is, that a lot of the voters in Germany are either not all to tech-savy or don’t care about anonymity/security online/technological progress, to get a law change to happen. And this “not all to intelligent law” was pitched as a solution for hacking, credit card theft, etc. as we all know, criminals would never use software they weren’t allowed to. So even if you could get a lot of people to listen to the problems you see here, it’ll be an uphill struggle.

But like I’ve said, that is just a part of democracy and for all the “stupid” laws which there are, we need to keep in mind, that a lot of the laws do make sense and serve a purpose.

Personally, I fell like the best course of action would be to keep the support as is and help with setup in general.

Have a nice day,

Ego

16

lolz , thats really funny. living on the major stupidity of ppl , will for sure shutting up the minor geniuses ppl.

1 dog can protect 100 sheep from tiger , but 100 sheep cant protect 1 dog from anything.

imagine the sheep voted as the majority to kick the dog and live with no protection = all will be eaten with one wolf.

lowering ur mind thinking and making it compatible witha stupidity of others = smartness no more.

anyhow, i wish there will be no more stupid laws to c in the future. because if that so , then its better to contact edward snowden or julian assange to find a new place for patrick to live away from his government.

17
22

Thats also not a very good definition