This really needs a rewrite. A lot of the points are just completely inaccurate.
Windows:
The forced updates/upgrades are hardly “backdoors”. Would you rather have millions of people forget to update and their computers become seriously insecure? This is how botnets are formed.
When Microsoft realized it had accidentally allowed GNU/Linux to be installed on RT tablets, it quickly “fixed the error”[archive] to prevent the use of other operating systems.
This is good as a joke. Nothing else. This was a real vulnerability that bypassed verified boot. Would you call our verified boot attempts backdoors too?
Sure, I agree it should have a way to unlock the bootloader but calling it a backdoor is just plain wrong.
Windows Insecurity
You criticize the security of Windows, yet recommend Debian which is years behind Windows in security. Where’s modern mitigations like Control-Flow Integrity in Debian? Since Windows has had it since 2015 as Control Flow Guard.
Windows is a pile of legacy code full of security holes that is easily compromised.
Linux is known for keeping legacy code around and the standard Linux distro is far easier to totally compromise than Windows (just keylog the sudo password and load a kernel module, not even exploiting a bug required).
Your only citations for the MD5/SHA-1 stuff is for Windows 7 Server 2008.
Criticize Windows for it’s actual issues like privacy, not this.
Other:
Using FSF/GNU as a source is also terrible. They call any vulnerability in proprietary software a “backdoor” with 0 evidence.
A Free Software OS that respects user freedom is the only practical choice when it comes to privacy and security.
Being free software makes no difference to its security. Linux is a perfect example of a free software project that has terrible security.
We really shouldn’t be recommending Debian throughout the wiki either. At least recommend Kicksecure.
Don’t peddle the same misinformation that Linux is totally secure and glorious. It’s far from it hence why we have to do so much work in Whonix.
Would be good if someone could add more issues / refine some potential inaccuracies.
Problem is word use. The use of the word “security”.
[1] Google android is tracking you even when you’re in Airplane Mode. (It logs all GPS data and then sends out once airplane mode gets disabled.)
Even if google android is safer against exploitation from third parties outside the ecosystem (non-gov, private hackers) and the repository (app store) is relatively free of exploits and other things against google policy, that isn’t what people would conclude and use the common speech word “security”. When knowing [1] most will assume ignorance or malice when saying google android has better security than X. Not sure how to phrase this right. “Google android has better anti-exploitation features than X but overall worse security due to build-in spyware features.”
Similar for Windows with its enabled-by-default keylogger.
[security definition] Maybe one definition of security is “device / operating system does what the owner of the device thinks it does and does what the owner wants (subject to limitations of reasonable possibilities / prospectus)”. A non-consensual upgrade (which can fail and lead to inaccessible data) is thereby considered insecure. “It’s not secure, because you can loose your data.”
That’s a value question. What’s more important. Individual choice (only upgrade with consent) or collective security (forced upgrade to prevent botnet). Similar freedom vs authoritarianism. It’s similar to ask:
Would you rather have criminals continue to “torture kitten” [2] rather than put everyone everywhere (including private rooms) under permanent video surveillance?
You interpreted that table entry as a comment on security / backdoor?
name of chapter: Windows Backdoors and User Freedoms → Both, backdoors, and user freedoms
table entry: User Freedoms → and then it lists that locked bootloader issue.
You’re viewing that table through glasses of security, verified boot? The one who wrote that table entry might not have been well aware of verified boot, maybe also since this isn’t a popular, easy to understand, important looking concept.
But would be better to complain about locked bootloaders than mentioning that verified boot vulnerability specifically indeed.
It wasn’t called a backdoor.
(quote “Table: Windows Backdoors and User Freedom Threats”)
Well, yeah. That wiki page groups together complaints of Windows security and other
malware infected Windows per 1000 end-user (or any other number of users) VS
malware infected Debian per 1000 end-user (or any other number of users).
When knowing nothing about security, when taking chances, for end-users certainly Debian has a much lower chance of getting infected by off-the-shelf malware.
As per [security definition] it seems really obvious to me that Windows is less secure than Debian.
It’s not ready. There’s no iso, there’s no website.
No, it’s not. We need to make the difference between “Android” (the actual OS) and Google services that are commonly installed (Google Play Services do what you’re talking about). AOSP contains no tracking like this.
We also need to differ between “security” and “privacy”. They aren’t the same. Windows may be better for security but all of its telemetry is terrible for privacy.
It should be separated then. Backdoors and freedom issues aren’t exactly similar.
You’re proposing to rely entirely on security through obscurity which is a terrible approach.
But there are not a lot of public exploits against OpenBSD, so it must be secure!
There isn’t a single one (beside DoS) against TempleOS, Redox, MINIX, Haiku, MenuetOS, … Does it mean that they’re more secure than OpenBSD?
Let’s recommend TempleOS instead then?
There has been off-the-shelf Linux malware. The only reason it’s not as common as Windows is because Linux is less popular and that will change as the number of Linux users rise.
Btw why mention “dropped support for Windows 7 and 8”, because a common
response to “Windows 10 bad something” is “just use Windows XP, 7, 8
instead” (just one, not multiple) as if that was a full mitigation.
The path of least resistance in case of “ok, Windows 10 bad something”
is often “use an earlier version of Windows then”.
Using earlier Windows versions might mitigate one or another issue but
creates new issues because of already or soon deprecated security update
support.
madaidan via Whonix Forum:
No, it’s not. We need to make the difference between “Android” (the actual OS) and Google services that are commonly installed (Google Play Services do what you’re talking about). AOSP contains no tracking like this.
When I say “google android” I mean the thing that most users carry in
their pocket. The thing that comes pre-installed, which is kept, used by
95%+ of all android users which includes google play services. I don’t
know any better term for this. I don’t mean AOSP.
Windows may be better for security
For most definitions of security that I know or can image, real world
results, certainly not. Under some definitions, threat models however
that might be true.
but all of its telemetry is terrible for privacy.
An good distinction to make.
We also need to differ between “security” and “privacy”. They aren’t
the same.
It should be separated then.
Contribution welcome.
You’re proposing to rely entirely on security through obscurity which is a terrible approach.
I didn’t. Also debian has a lot less obscurity than Windows.
There has been off-the-shelf Linux malware. The only reason it’s not as common as Windows is because Linux is less popular and that will change as the number of Linux users rise.
Even if that is so, for now, as a wiki page says, it’s a good compromise
of security / usability. If this changes, it can be updated. Also
supporting Linux is more worthwhile than supporting Windows.
Whonix-Host isn’t available yet for users. Debian is the natural choice
since Whonix is also based on Debian. That’s an argument from usability.
Usability isn’t good enough yet. At time of writing Kicksecure might
brick host networking. Also too much state of previous existing Debian
installation might introduce issues.
I don’t want to spend any resources on that because it would block the
progress of Whonix-Host, create confusion Kicksecure vs Whonix-Host.
It’s a long term project strategic decision. I guess if I had known what
I know now, at the time when development started to make Kicksecure
available, I wouldn’t have made Kicksecure available before Whonix-Host
was available.
Earlier versions of Windows have backported telemetry anyway.
A better term would be “stock OS”. It’s commonly used and would be more accurate.
No, Windows is better for security. They put far more work into exploit mitigations, sandboxing etc. than standard Linux does. Just because not enough people use Linux for them to care to write malware for it isn’t a good argument.
Not really. Windows has exploit mitigations, code auditing, fuzzing etc. Just because it’s proprietary doesn’t mean it relies on security through obscurity. Debian likely relies more on obscurity.
Its not a good compromise. The security of standard Linux is unacceptable. Desktops in general are bad but Linux especially.
Doesn’t matter how secure Windows appears from an objective position.
They are snitch bitches and allow the enemy inside the gates:
Microsoft has a history of collaborating with adversaries [archive] by informing them of bugs before they are fixed.
Microsoft reportedly gives adversaries security tips [archive] on how to crack into Windows computers.
I’m sure I could find more egregious examples. This kind of behavior undoes any shiny new security features.
Also, I think there is a strong argument that the whole architecture of Windows & Linux is weak as a host OS, and will always remain weak i.e. Qubes’ like structure (Type I hypervisor) required to separate dangerous elements into separate domains i.e. USB, networking, (future) GUI VM, (future) read only dom0, small core admin system i.e. Xen etc.
Joanna Rutkowska would have a field day with suggestions Windows is a secure OS. Even if they have 47,000 developers, they introduce something like 30,000 bugs a week (estimated)…
You’re completely misrepresenting what they’re actually doing. As said in the articles linked, Microsoft gives some companies early access to vulnerability info/releases so they can patch their systems before it’s public.
This is done everywhere and isn’t an issue. Linux does this too.
Fixes for sensitive bugs, such as those that might lead to privilege escalations, may need to be coordinated with the private <linux-distros@vs.openwall.org> mailing list so that distribution vendors are well prepared to issue a fixed kernel upon public disclosure of the upstream fix.
That is true. Both Windows and Linux are fundamentally insecure. Linux is just especially bad in comparison.
I’m not calling it a secure OS. I’m saying it’s more secure than Linux. There’s a big difference.
It’s funny you also mention Joanna Rutkowska since she acknowledges Windows’ security improvements along with tons of other security experts.
BTW, Windows is the only one mainstream OS I’m aware of, that actually attempts to implement some form of GUI-level isolation, starting from Windows Vista.
The reputations that companies like google and microsoft have rightly gained due to their various intrusions and repeated blatant disregard for privacy and personal choice completely overshadow anything positive they may have accomplished with the security of their respective software offerings. Couple that with their sneaky and monopolistic business practices and security becomes a distant afterthought.
Myself and many I know would never carry a “smart” phone or use a microsoft product just based on that information alone.
Indeed, and you make good, clear points. I was not answering your statements personally, just adding my thoughts to the overall conversation (which is a good conversation to have)
When adversaries want to collect user data and they say: security not same as privacy we need from you to lower your privacy to keep you secure <- Fuck this concept
When Apple (or any similar evil company) dont let user app run except through their sandbox but when they want to listen to the user through backdoor they just can, so if this called security <- Fuck this concept
When comparing Windows Microsoft which a is proprietary nonfree OS to Free Distro like GNU/Linux Debian and saying its better with security while user cant verify a shit about the source code VS user can verify the code , change it , patch it , fork it…etc and saying Microsoft has better security <- Fuck this concept
What mentioned in that wiki the pure face of microsoft and similar proprietary OS , wont be changed and wiki will be kept as is to warn users not to use microshit windows and any similar garbage proprietary software.
Side point about kicksecure and debian: Not going to change every debian to kicksecure maybe after couple of years , kicksecure is not yet even tested and doesnt has users and its not good idea to recommend all users to use alpha distro over stable distro.
None of them say that. None pretend telemetry is a security feature.
Sandboxing is necessary for security. If you allow the app to run without a sandbox then the attacker will do just that. There’s also no evidence of backdoors.
Proprietary or open source is irrelevant to security. Linux is a perfect example of this. It’s a security mess yet it’s one of the most popular open source projects. Come back to me when Linux gets mitigations that aren’t from the prehistoric era.
The user also can verify plenty about Windows. How exactly do you think malware is made? It’s not hard to verify if mitigations are working. If your exploit technique doesn’t work anymore then that’s a clear indicator it’s working.
Then you’re spreading misinformation and respected people have already criticized Whonix for this.
I really dislike the “free software is super secure and literally unhackable” circlejerk. It’s extremely far from the truth.
Kicksecure has been tested and does have users (I know plenty). Also, where does it say it’s alpha?
None of them say that. None pretend telemetry is a security feature.
though im talking about the concept, but ok no problem.
Sandboxing is necessary for security. If you allow the app to run
without a sandbox then the attacker will do just that. There’s also no
evidence of backdoors.
you skipped to sandbox by itself im talking about malware OS like ios as
a whole with a feature within it e.g Malware OS like IOS…etc can listen
to their users and know everything about them knowing their
location,apps installed,listening to microphone…etc just because they
sandbox my application or X user application from app store doesnt mean
they will not skip this feature when X app is installed or when X app is
installed can bypass this sandboxing. Thats what i call delusional
security, Proprietary software either a malware or might be a malware we
cant say its not malware.
Proprietary or open source is irrelevant to security. Linux is a
perfect example of this. It’s a security mess yet it’s one of the most
popular open source projects. Come back to me when Linux gets
mitigations that aren’t from the prehistoric era.
The user also can verify plenty about Windows. How exactly do you
think malware is made? It’s not hard to verify if mitigations are
working. If your exploit technique doesn’t work anymore then that’s a
clear indicator it’s working.
It is relevant to security because if i want this X tool to be secured
or this tool is actually secure i need to know how it is secured or how
it is built not because someone else telling me how it is secured
because if so then believing in this like saying this is secured because
i said so = blind faith.
Proprietary Mitigation to this X of public exploitation doesnt mean
there arent tons hidden of non-public exploitation sold to any party and
microsoft done great deals doing that. Security through Mirage
Linux the kernel is free software one can fork it, patch it and user can
verify that just because it lack this particular security feature that
doesnt mean proprietary kernel better than it hell no (explained above)
So if we have missing feature just add it or wait for someone to add it
or pay someone to add it for you because there is NO better alternatives
(if the alternative is proprietary software)
Then you’re spreading misinformation and respected people have
already criticized Whonix for this.
I really dislike the “free software is super secure and literally
unhackable” circlejerk. It’s extremely far from the truth.
What misinformation? which respected people? if you think “Microsoft is
a malware OS” is misinformation well enjoy believing that. Also truth is
not based on numbers so if these ppl are delusional i cant help them.
and i never claimed free software is unhackable , but we use free
software because we value our freedom over anything and security come
after the software becoming free/libre not before. free the software
then lets talk about security,auditing…etc not the opposite.
Kicksecure has been tested and does have users (I know plenty). Also,
where does it say it’s alpha?
Its not in the production level yet, something isnt yet available to
download and use for users how is that not alpha? once there is .iso and
users reporting issues and their own experience about it then it might
be considered not alpha.
Apple only has the encryption keys to iCloud data and never claimed otherwise. They do not have the encryption keys to the actual iPhones as shown in their own citations.
I’ve already told you how you can verify it but you’re just ignoring me to continue circlejerking.
More baseless claims.
This is just silly. Linux doesn’t care at all for security. All missing features will never be added. Meanwhile, the alternatives do care for security.
Already explained.
Brad Spengler and Daniel Micay immediately come to mind.
The criteria for being considered alpha is not whether it has an iso file.
This page should also be changed. Free software isn’t any more secure than proprietary software. I’ve already given clear examples of this. There is a big difference between “security” and “freedom”.
“Backdoors” keep being brought up too but that’s also no different in free/proprietary software. Backdoors are trivially hidden in open source software. There’s hundreds of vulnerabilities being found in the Linux kernel each month. How do you know any of these aren’t backdoors? You don’t. Backdoors aren’t going to be:
// steal user data
backdoor();
They’re going to be obscure, intentional bugs that are easy to miss.
Linux could be full of intentional backdoors and you wouldn’t know. Backdoors are even easier in projects like Linux that are written in memory unsafe languages because memory corruption vulnerabilities are very common.
Also see:
Spender only made a single tweet but Daniel talked more about it on Matrix/IRC. He talked about it pushing the lie that open source software (Debian in particular) is more private/secure.
I can’t really give a link but if you create a Matrix account and join the room, you can search for it.
Listening to criticism is necessary for improvements.
you are asking me prove the sun exist while its rising. Not sure how far
i can move on with this discussion without breaking the safety of what
to mention and not to mention here to avoid breaking legal laws on this
section but i will try:
Which is irrelevant since nobody does that.
ever heard about “How much privacy are you willing to give up for
security?” thats what i was referring to, more read here:
switch it to "“How much freedom are you willing to give up for
security?” same answer freedom and security cant go opposite directions
or picking either this or that they are one formula taking one of them
will make the other failing and falling.
This is just a whole bunch of baseless claims with 0 evidence.
Do you believe proprietary blind faith security OS cant do that? or you
do believe that but just want to deny? GNU project has good pages saving
some of many proprietary security scandals:
dont believe this is important? as you wish im not here to convince
anybody.
Apple only has the encryption keys to iCloud data and never claimed
otherwise. They do not have the encryption keys to the actual iPhones as
shown in their own citations.
just because they dont claim they have it that doesnt mean they dont
have it, remember its proprietary they can do it however , whenever ,
wherever they like and you just dont and cant know. also by reading this:
“Apple has the capability to unlock key data like backups, documents,
contacts, and calendar information in response to a government demand.”
yeah very secure and privacy love <3. Just in case, there is something
called zero knowledge cloud storage but its not for apple censorship
design…
I’ve already told you how you can verify it but you’re just ignoring
me to continue circlejerking.
you said:
It’s not hard to verify if mitigations are working. If your exploit
technique doesn’t work anymore then that’s a clear indicator it’s working.
you are kidding if you think this is real mitigation?
again just because my X or public X exploitation stopped working doesnt
mean it has no non-public exploitation still working, or even might be
not mitigating my exploitation just by little tweak to it… i enjoyed
reading these articles called “Defense in depth – the Microsoft way” it
show how much microsoft ignorant about security , and how much time they
leave things openly vulnerable just funny trash company. The series
started from here:
and from part 3 it will continue with the same title “Defense in depth
– the Microsoft way (part X)” till now reached in 60s which is just
recently published.
This is just silly. Linux doesn’t care at all for security. All
missing features will never be added. Meanwhile, the alternatives do
care for security.
Linux the kernel can be patched or forked its licensed under GNU GPLv2 ,
some did removed all proprietary firmware from it like Linux-Libre which
is used in many FSDG distros and also Debian GNU/Linux done it and some
as well can add hardening to it which is somewhat we are doing in Whonix
or maybe other projects as well.
So freedom first then security like i said not the opposite.
Brad Spengler and Daniel Micay immediately come to mind.
Well we have Edward Snowden and Micah Lee and many others praising
Whonix… so stuff not about numbers and who said this or that its about
what hes saying. Thats why we value software freedom because what it has
within it not because of Richard Stallman said it or Eric S.Raymondor
or…etc
The criteria for being considered alpha is not whether it has an iso
file.
jumping to .iso while skipping its not yet on production level for
users… So to be on production level it has to have .iso because thats
the purpose of it to be acting as a host not as a Whonix design. When it
will be on production level and users using it for couple of month or
maybe years then gradually it will be shifted (maybe like release cycle
or so) from alpha beta stable or development testing stable… currently
none of that happened yet.
There is 0 evidence for it and besides, Linux can easily have backdoors as I clearly explained above. If only you’d read what I say…
Again, there’s 0 evidence for that and open source software can be backdoored just as easily.
That doesn’t make sense.
Hence why security researchers do in-depth analysis on these mitigations and the general consensus is that the mitigations are good.
This is just ridiculous. Of course everything has vulnerabilities. Microsoft at least attempts to mitigate them while Linux does nothing. Linux piles trash upon trash.
Linux adds on so many dangerous features and a few terrible mitigations. One example is eBPF which literally allows unprivileged user space to execute arbitary code in ring 0 with a shoddy sanitizer. Or KASLR which is trivially defeated with a single info leak (of which there are plenty).
Where exactly is modern mitigations like CFI in Linux again? Ah, nowhere. Kernel CFI is only really available in Google pixels and PaX.
The KSPP does do great work but they aren’t the ones calling the shots. Linus Torvalds is especially bad. He sees security as a nuisance and has shot down security features without even looking at them such as with STACKLEAK (although it eventually got through):
Not sure what to expect…? Whonix recommending on Host Operating System Selection - Whonix “use Windows
as a host operating system for Whonix because it is more secure than
Linux”? I guess if that happened and wasn’t result of a wiki edit that
slipped through, if that was a serious, non-joke, hardened position, I
guess that would result in a lot ridicule and criticism.
madaidan via Whonix Forum:
This page should also be changed.
Needs something specific about what’s wrong with that page.
Free software isn’t any more secure than proprietary software.
It’s self evident that libre software results in outcomes that are more
aligned with the goals of the user. If there’s any security advantage in
proprietary software it’s still not worthy of attention, support, money,
etc.
If you run a nonfree program on your computer, it denies your freedom;
the immediate wrong is directed at you.(*)
If you recommend that others run the nonfree program, or lead them to
do so, you’re leading them to give up their freedom. Thus, we have a
responsibility not to lead or encourage others to run nonfree software.
The GNU,FSF and other websites produced tons of materials making the
case for that.
I’ve already given clear examples of this. There is a big difference between “security” and “freedom”.
It’s not clear to me what your definition of security is and if that
thing is worth going for. Sure, innovations by proprietary software can
be interesting to look at on a conceptual basis and then perhaps
re-implement in libre software but that’s about it.
“Backdoors” keep being brought up too but that’s also no different in free/proprietary software. Backdoors are trivially hidden in open source software. There’s hundreds of vulnerabilities being found in the Linux kernel each month. How do you know any of these aren’t backdoors? You don’t. Backdoors aren’t going to be:
// steal user data
backdoor();
They’re going to be obscure, intentional bugs that are easy to miss.
But libre software usually does not use “telemetry, log keystroke, send
to server”. They have to be obscure and there’s at least a higher chance
to find and fix these. Proprietary source code can contain “telemetry,
log keystroke, send to server more” easily. Have trust the word of the
vendor and/or reverse engineering (waste of energy). Therefore prefer
libre software.
When libre software goes into an evil direction there is a chance of
forking it. Therefore attention and time is better spend on libre software.
I hear many people saying Windows XP was good enough. Low system
requirements, fast, good stability and feature complete. Then Microsoft
went for Vista with tons of changes which worsened achievements getting
worse with any subsequent release. The community of “nostalgic” was big
enough but they couldn’t fork and maintain Windows XP. Those who
previously invested into Windows XP and then switched to Linux had to
take losses for previous efforts (learning, source code, time).
Therefore better to not take chances and use libre software as much as
possible.
Linux could be full of intentional backdoors and you wouldn’t know. Backdoors are even easier in projects like Linux that are written in memory unsafe languages because memory corruption vulnerabilities are very common.
Could be but at least everybody has the same chance searching and fixing
for these backdoors in the source code. While proprietary kernels source
code is only to those who are powerful / insider enough.
Therefore one potential expert can be struck from list “experts
criticize Whonix”. Also probably wasn’t related to
but Daniel talked more about it on Matrix/IRC. He talked about it pushing the lie that open source software (Debian in particular) is more private/secure.
I guess feedback on Debian has a good chance to be also related to
Whonix. But I don’t count that as specifically “feedback on Whonix”,
“experts already criticized Whonix”.
I can’t really give a link but if you create a Matrix account and join the room, you can search for it.
Kinda mysterious. If there’s nothing public, easily accessible for
everyone, then there’s nothing that can be discussed in public.
Some public quotes here…
Listening to criticism is necessary for improvements.
But careful. There’s also a known method of continuous criticism for
purpose of destruction and subversion. Either intentionally or
non-intentionally. “critical theory”