HiddenVM Project - best solution available?

Hello Whonix Community,

I recently stumbled upon GitHub - aforensics/HiddenVM: HiddenVM — Use any desktop OS without leaving a trace.. Upon first reading it seems to me like one of the most potent privacy and security solutions there is, however it has almost no publicly available user feedback, so I would love to hear from all of you.

In short, a hidden VeryCrypt volume containing Whonix, Virtualbox and HiddenVM is only mounted in Tails.

Tails is arguably the best anti-forensic solution there is at the moment, whilst Whonix is arguably the most secure and anonymous OS there is. In my eyes, this solution would grant the best of both worlds, plausible deniabilty of Whonix even existing when searched at an airport combined with the incredible usability of Whonix.

Now I know what you may think, this is a hobby project and any modifications of the concepts of Whonix and Tails which are not approved by the developers are dangerous in and of itself. However the scripts are open source and could be subject of intense peer review.

In my humble opinion, the idea of combing VeraCrypt and Tails to run Whonix solves almost all anti-forensic objections I had to Whonix, just imagine running a dummy OS in VeraCrypt, all airport security would find is that OS and a blank Tails USB (doesnt even use persistent storage).

So while you may regard HiddenVM as just another stupid hobby idea, I would love to take this opportunity and just honestly debate about its pros and cons.

Thank you! (Especially to the incredible devs, who are never tired of improving).


Edit by Patrick:
Real link. Change https ://github.com/aforensics/HiddenVM to https://github.com/aforensics/HiddenVM. (New users cannot post links.)

Interesting project. Be sure to check out our recently added live mode which should give you amnesiac operating with Whonix. This is possible both in the VM and outside it on the host:

As for hidden volumes, we’ve concluded it provides marginal benefit under totalitarian regimes that can easily keep torturing or imprisoning you until you yield a passphrase.

Very interesting project indeed.

Here is my take regarding HulaHoops fair points.

I think OP described the following scenario: Run Operating System X and create VeraCrypt Volume A and B, fill Volume A with seemingly secret files and documents, fill Volume B as described by the OP (VB, Whonix, HiddenVM). In case of torture (or less evil situations where one would have to give up password), give up password to Volume A to satisfy adversary. More Psychology than Computer Science but in most cases adversary will be content and the Volume we care about (Volume B) remains untouched and its existence unknown.

Regarding live mode: If the presence of Whonix itself should be hidden, which in many cases might be a reasonable thing to aim for, then only Whonix on a live usb host is worth considering. However, Tails amnesic capabilities > vanilla Debian live host imo. + again psychologically speaking, a clean Tails USB has no secrets, if encrypted USB with Whonix on it is in hands of Adversary, then there is no way out of torture.

The project described by OP makes a lot of sense to me and I will defo take a look at it.

It’s interesting but probably will be unsupported at both, Whonix and Tails

Support here means such as review of technical implementation and/or user support.

Speaking for Whonix, won’t be supported.

For Tails, I cannot speak for them, but from past observence, Tails developers will probably also provide no support this setup.

From my perspective as a Whonix developer it is a bit sad to see development effort “wasted” on a hack, that is running Whonix on top of Tails, while a Live Whonix-Host operating system ISO is already in development, see:

Development effort is best spend on Whonix-Host.

On the other hand, glad someone managed to modify both Whonix and Tails to make use of the customization legal rights, technical customization possibilities and combined in the spirit of Freedom Software / Open Source.

Related needed wiki edit:
Long Wiki Edits Thread - #1925 by Patrick

Related:

Hi there, what is the best way to download the whonix repository within tails?

Same as on Debian.

Whonix – 1 Oct 23

Whonix-Host Operating System Live ISO, Whonix-Host Installer

Upcoming Host Operating System - In Development - Help wanted! - Please contribute!

one year+ later…still no System Live ISO.
Still against the use of Tails+virtualBox or Tails+KVM (even better) to run VM’s inside a live-boot mode, read-only, and amnesic OS.

Any reasons why?

In Development - Help wanted! - Please contribute!

If you cant help with development, help with donations, if you cant then wait until then.

How much in donations will it approximately cost to get the project done and reliably operating?

That is a hard question. I am not sure it’s important that is since that might be unrealistic.

This would require at least 1 full time developer supporting me.

To find staff, we’d compete with companies such as Canonical (the company behind Ubuntu). According to Working at Canonical | PayScale such as developer makes 116 K USD / year + 3 K USD bonus. I am not sure that is sufficient, because:

  • workers want prestige (maybe), and
  • job security (knowing the company to employ them is likely going to exist for many years).
  • that information source might be incorrect,
  • Earn less than $100,000 in San Francisco? Then you are considered low income. - CBS News
  • it’s not a straight forward web development or python development task. It’s about Linux distribution maintenance, build scripts, calamares. Since this is obscure work, badly documented, no courses available, it might be a lot more expensive to motivate someone who can get the job done with money.

On top of that, other fees would have to be paid (payroll taxes, health insurance, and whatnot). Just for the fun of it, I asked ChatGPT.

The answer was ~ 131 K USD / year.

Also depending how reliable it should be, 1 developer might be too little (sick leave, holiday).

1 Like

Not all. Most do want a bit of job security. Also worth considering any US developer needs health insurance, dental, and vision. Most want some sort of retirement plan too.

Base salary * 1.5 is about right

Can hire euro dev for cheaper I imagine. Brazil good deal too.

But ultimately it would require massive adoption for donations (most ethical) or some business model which could compromise the project’s vision and goals.

1 Like