Hi,
I’m not an expert, but I’ll have a crack and be corrected if I’m wrong.
1) Clone vs Create New AppVM of anon-whonix
Let’s assume the worst case scenario. Some attacker hacked your existing anon-whonix AppVM and managed to create some form of persistence in your /user/home directory, which is the only persistent area in AppVMs.
By cloning it, you just cloned the attacker’s capabilities to a “fresh” instance of the Whonix-Workstation.
So, I’d say it does make a difference, assuming of course he/she didn’t already hack the TemplateVM somehow, which means you’d be totally screwed.
2) Multiple Whonix-Workstations
a) Running 3x anon-whonix vs One Activity at a Time
I think the idea Patrick was getting at is that if you got your ass hacked in one anon-whonix, it’s better not to run others simultaneously, because that’s when you start to get into covert channel attack territory.
That is, the attacker uses their foothold in, say, Torbirdy AppVM to launch some kind of attack on super-secret Email AppVM that is running at the same time.
By running one activity at a time, you are limiting this opportunity.
b) “New Circuit in Tor Browser”
The stock warning on “New Circuit in Tor Browser” is that it may not actually give you a new circuit that you thought you were getting.
In my pending Tor Browser entry edits (hint, hint mods ;-)), I’ve noted that this is far weaker than using “New Identity” (good) vs closing the Tor Browser session completely (best) since:
Warning: This feature does not attempt to clear Tor browsing session data or unlink activity, unlike the “New Identity” feature. If that action is really necessary to separate contextual identities, it is always safer to close and then restart Tor Browser.
You must remember what New Identity does / and what closing the browser completely achieves. New Identity for example:
- Disables JavaScript and plugins on all tabs and windows.
- Stops all page activity for each tab.
- Clears the Tor Browser state:
  - OCSP state.
  - Content and image cache.
  - Site-specific zoom.
  - Cookies and DOM storage.
  - The safe browsing key.
  - Google Wi-Fi geolocation token.
  - Last opened URL preference (if it exists).
  - Searchbox and findbox text.
  - Purge session history.
  - HTTP authentication.
  - SSL session IDs.
  - Crypto tokens.
  - Site-specific content preferences.
  - Undo tab history.
  - Offline storage.
  - Domain isolator state.
  - NoScript's site and temporary permissions.
  - All other browser site permissions.
- Closes all remaining HTTP keep-alive connections.
- Sends Tor the "newnym" signal to issue a new Tor circuit.
“New Tor Circuit” will only issue a new Tor circuit by comparison. So, if you are looking to unlink activities, it is dangerous to just use the “New Tor Circuit” function.
PS You have many adversaries whether you know it or not, just by using Tor.
Also in my pending Tor Browser edits:
Although the term adversary is not defined by The Tor Project, based on disclosures in recent years a list is likely to include: intelligence agencies (NSA, CIA etc.), federal and state police, homeland security and drug enforcement agencies, federal investigatory agencies (like the FBI), private security researchers, academics, undisclosed hacking groups, corporations, and others.
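
Added example, not part of the original post: a review step for point 1 above that lists startup hooks in a home directory so they can be inspected before an AppVM is cloned. The hook list and the reference "marker" file are assumptions made for illustration, not an exhaustive inventory or a Whonix/Qubes tool.

```shell
#!/bin/sh
# Added example (not from the original post): list per-user startup hooks under
# a home directory for review before cloning an AppVM.
# Assumption: HOOKS covers common shell/desktop/systemd autostart locations;
# it is not an exhaustive inventory.
HOOKS='.profile .bash_profile .bash_login .bashrc .bash_logout .zshrc
.xprofile .xsessionrc .config/autostart .config/systemd/user
.config/environment.d'

# audit_home HOME_DIR [REFERENCE_FILE]
# Prints "<STATUS> <path>" for every file or symlink in a hook location.
#   FOUND  no reference file was given
#   NEWER  modified after REFERENCE_FILE (hypothetical marker, e.g. a file
#          created when the AppVM was first set up)
#   OLDER  not modified after REFERENCE_FILE
audit_home() {
    home=$1
    ref=${2:-}
    for rel in $HOOKS; do
        # Keep dangling symlinks too: -e is false for them, -L is true.
        [ -e "$home/$rel" ] || [ -L "$home/$rel" ] || continue
        find "$home/$rel" \( -type f -o -type l \) | sort |
        while IFS= read -r f; do
            status=FOUND
            if [ -n "$ref" ]; then
                status=OLDER
                [ -z "$(find "$f" -newer "$ref")" ] || status=NEWER
            fi
            echo "$status $f"
        done
    done
}
```

Run it inside the AppVM as `audit_home "$HOME"`. An empty or all-OLDER listing does not show the home directory is clean; it only narrows what to read by hand.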