I've decided to go for a general checklist of the most important 'hardening' ideas as a wiki entry instead and mark some items as 'Qubes-Whonix or non-Qubes-Whonix only'.
This fits better with the Security wiki and it's nice to have a quick reference for users who don't want to trawl the documents and discover various things they could (or should) have done, but missed.
See the suggested entry further below. If you're happy with it, I'll post it straight away.
Ideas I've discarded:
Running hardened alpha Tor Browsers if adventurous due to near-term (December) sandboxing opportunities;
-> Scrapped this idea, since we now know sandboxing works with any Tor Browser series.
following Qubes guideline for MAC spoofing
-> Scrapped this idea.
Although this is now easy using a Debian-9 template and the latest Network Manager (see updated Qubes docs), MAC spoofing is NOT recommended for home PCs or laptops from my reading e.g. TAILS docs, because it hurts your anonymity. So, this can't be recommended unless one is using a laptop from various locations. Plus, MAC addresses are largely hidden, especially with use of VMs and Whonix.
Anyhow, based upon the lengthy discussions in this thread and input from various people, I think this entry is now suitable for the Security wiki:
General Hardening Checklist
It is possible to significantly harden your platform and improve the chances of successful anonymous activity. This depends upon a user's skill level, motivations and available hardware. This checklist is intended to provide a quick overview of some of the most important issues, categorized by difficulty level (easy, moderate and difficult).
Note: some of these recommendations are Qubes-Whonix or non-Qubes-Whonix specific; they have been marked accordingly.
Disabling/Minimizing Hardware Risks
Mandatory Access Control
Passwords and Logins (Qubes-Whonix Only)
- Store all login credentials and passwords in an offline vault VM (preferably with KeypassX) and securely cut and paste into the Tor Browser; and
- Copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
Tor Browser Series and Settings
- Consider using the 'hardened' Tor Browser series for additional ALSR memory protections;
- Default search settings to the DuckDuckGo .onion hidden service;
- Select 'ClearClick' protections in NoScript;
- Run the Tor Browser Security Slider in the highest position;
- Use .onion hidden services where possible to stay within the Tor network; and
- Follow all other Whonix recommendations for safe use of the Tor Browser. https://www.whonix.org/wiki/Tor_Browser
VirtualBox (non-Qubes-Whonix Only)
Create a USB Qube (Qubes-Whonix only)
Networking (Qubes-Whonix Only)
Newer Kernels (Qubes-Whonix Only)
Secure Back-ups (Qubes-Whonix Only)
Time Stamps (non-Qubes-Whonix only)
Anti-Evil Maid (Qubes-Whonix only)
Chaining Anonymizing Tunnels
Disposable VMs (Qubes-Whonix Only)
Email (Qubes-Whonix Only)
Host Security (non-Qubes-Whonix Only)