Host Operating System Selection Wiki Page Discussion

macOS asks about telemetry during install and makes it extremely easy to disable.

It doesn’t respect those options fully unlike macOS.

honestly, i don’t think this is truly fair. it was a horrible choice of variable wording on microsoft’s part, which also became public knowledge around the same time as the controversy involving the secret nsa router closet with at&t, as i recall. microsoft did acknowledge the controversy. but, if i also recall correctly, the discussions on this broke down.

this also wouldn’t be the first time that something shady or unethical was exposed with microsoft. as an example, despite microsoft’s aggressive “anti-piracy” litigation stance, metadata in wav files for their media player with xp demonstrated that the version of soundforge used to process the wav files was supplied by a well known cracking group. despite the horrible public relations that could have caused, microsoft missed that, even though it should have been obvious. microsoft has a ridiculously huge development team, both in house and outsourced. is it that unrealistic to believe that employees involved may be nefarious in the context raised in this paragraph regarding “nsakey”? it’s a valid concern, despite being paranoid.

yes, i agree with you that “open source” doesn’t absolutely provide greater security. but, the option to audit is there, which is absent with microsoft. and that is a fair critique at the end of the day. does “open source” make something more secure? obviously not. the ancient bash vulns discovered way too late obviously prove that. but, they were discovered eventually due to it being open source, which may never have been discovered or addressed by the likes of microsoft absent a very open and problematic exploit in the wild that stood to harm their stock prices. if the exploit was discovered by microsoft privately, and it didn’t stand to affect their market share if not disclosed, it’s not an unfair critique to believe that microsoft may have avoided addressing it if the thought was there that it could harm their bottom line if publicly addressed. after all, that’s the oracle way, no?

furthermore, since you brought up the debate regarding privacy vs. security, it would appear that we agree that debian respects privacy more than microsoft, apple, google, etc. whonix host is looking to plug the security holes that exist in vanilla debian. thus, when whonix host is ready, while i agree with you that the “linux is more secure than windows” argument is largely bogus from various technical standpoints at this point as far as exploits are concerned, i think the whonix team will be able to make a case for being better for both privacy and security once whonix host is released. in my honest opinion, that should be the focus. once whonix host is ready for delivery, the “other os” wikis can be focused on that, which i think will be more beneficial.

if anyone thinks i’m off base here, please let me know. but, let’s keep this away from a “microsoft/apple vs. linux” debate. there are way too many subjective uses which make that debate unfinishable. but, for what whonix addresses, which is a fairly specific use case, i think we can do it without engaging that debate.

point blank, whonix will never be a panacea. but, for people who want a best case scenario for anonymity with an operating system, whonix fulfills a need there, which will be even better with whonix host. if we keep the focus on that without engaging in fud, hyperbole, or pie in the sky promises, i will continue to believe, and promote, that whonix is the best os for this use scenario. it will never be perfect. but, what compares?

absent qubes that implemented whonix templates, i can’t offer much as an example in that regard referenced above. but, as someone who was once involved with very problematic activism as far as some govs were concerned, compatriots of mine who didn’t use whonix, but used tor, got busted due to very trivial mistakes. i’m still free. that is a huge selling point for me. whonix was the main difference, and i’m not implying that i engaged in anything criminal. whonix kept me free of harassment that could have affected my immediate freedom, right to travel, or employment opportunities. whonix alone wasn’t the answer there. but it was an incredibly significant part, which freed me of relying on a number of custom scripts and steps to anonymize a debian host, which i’d developed for my own use over years of experience, and could still screw up. and, for that, i will forever be thankful. if the majority of clients i have now knew of my involvement with “anonymous,” i would not have a job, despite being no threat to them. that is part of the reason that i started publicly sharing an originally private document through anonymous on how to set up a basic system using debian as a host with whonix as virtual machines. and it’s why i publicly updated it for years.

in the end, i think we all need to keep focused on the notion that whonix is both a secure and private os for people who want anonymity. that is the end goal, correct? the debates on the flaws of other operating systems are less relevant there, since the enhancements that whonix team actively works on is better for people who want anonymity in comparison to the others. let’s keep the focus there. we don’t need to bother with the “linux vs” arguments, since this is “whonix vs” for those who want an anonymity geared operating system.

1 Like

Since I won’t have time soon for the potentially remaining Windows / macOS enhancement suggestions from this post Long Wiki Edits Thread - #1793 by @madaidan, I’ve created ticket ⚓ T993 improve Windows Hosts / macOS wiki mentions as a reminder and mentioned this on the related wiki pages.

Added to wiki just now.

I disagree and then you are going to say “I don’t have to refute them”. I.e. no agreement will be reached. But it’s not necessarily you that has to refute them anyhow. GNU/FSF are popular. Meaning:

  • If GNU/FSF make libelous claims, it is likely that they will be on the receiving end of a defamation lawsuit. This didn’t happen yet to my knowledge.
  • The internet is big. Others would have made a rebuttal. If you can find a good one, that might be a good alternative as rebuttal.

Any write-up is non-perfect and the GNU one was a comprehensive one.

Agreed. Who built the security and for what purpose. Benefit of the user, or maximizing profit at the expense of privacy and security from the vendor.

It’s beside the point. Please don’t cling to a single phrase “Level Security” and then view everything through that lens. That chapter has to be viewed in a bigger context.

The headline iPhone and Android Level Security for Linux Desktop Distributions is also bad for other, more pragmatic reasons. Through conversations I’ve learned that many people know how bad many phones/mobile apps are in their default configuration for privacy, equate this with security, and then intuitively discard the idea that iPhone / Android have any worthwhile security features worth porting to Linux desktop. I.e. even if iPhone and Android Level Security for Linux Desktop Distributions was fully possible in theory and even if madaidan would agree, it would still be bad self-representation of the project. Will change chapter title to Kicksecure Development Goals.

Project Zero: Mitigations are attack surface, too

Interesting. Added.

Kicksecure: Difference between revisions - Whonix

Please don’t do “burn the house down” / delete all changes. Rejected edit. Took some changes suggested with modification by me. And added more content.

2 Likes

No, I’ve even refuted some of their points above.

Big companies like Google or Apple don’t care about them.

I’m not clinging to that. I don’t really have much of an issue with the title.

Just look at the comparison table. It’s wrong to pretend that the full system MAC policy in Android and Kicksecure are similar. SELinux is ingrained into Android’s architecture and the entire ecosystem was shaped around it. Additionally, SELinux allows for far more restrictive policies (e.g. ioctl filtering or even just stricter permissions for files) than apparmor.

We’re slapping an apparmor policy on top of an OS that it wasn’t intended for. While this is good and we can make some great progress with it, it’ll never be as good as a strict policy on top of an OS that was designed for it.

Another example is the hardened kernel row. Our hardened-kernel is nice but it’s not the same as Android. Android kernels contain a lot of hardening patches including fine-grained forward-edge Clang Control-Flow Integrity and ShadowCallStack to prevent code reuse attacks (CFI/SCS is only on Pixels >=3 though). CFI isn’t in mainline or linux-hardened and won’t be for a long time. ShadowCallStack isn’t even possible on x86 due to the way it handles returns.

Although, I’m looking more into Android/Qualcomm’s hardening patches and might submit some to linux-hardened (I’ve been talking to Daniel Micay about this on Matrix).

The comparison table is also neglecting to mention all the advantages of Android over Kicksecure. One example is that Android has the majority of the system written in memory safe languages (Java). Another example is that Android/iPhone has modern user space exploit mitigations like CFI/PAC.

This subject is too complex to be a simple Yes/No comparison table which is why I removed it and expanded a bit below it. What I meant by “Security is not just a checklist of features” is that the implementation matters. Not the general topic. Sure, you can have a “sandbox” but that doesn’t mean it’ll actually restrict anything meaningful for example.

I don’t think it should mention mitigations specifically since it’s not just mitigations vendors introduce. They add tons of bloatware that contain their own security vulnerabilities. I’ve found Samsung to be particularly egregious in this regard although sane vendors like Google are usually fine.

I’m not. The comparison table just doesn’t make sense.

1 Like

I missed those, misunderstood, disagreed etc. But anyhow. It’s too much of a detail for me to spend time on it. As said…

…unless there’s a better, similar write-up, the current links are good enough and I won’t debate them further.

It’s still missing the purpose of that comparison table / chapter. It’s not a security from exploitation from third parties comparison table for Android AOSP vs Linux desktop/server distributions.

That’s good to know and valuable knowledge but again not a security from exploitation from third parties comparison table for Android AOSP vs Linux desktop/server distributions.

It would be a net benefit for the knowledge of the world if this information was documented somewhere. But not on whonix.org. Too time consuming and too far off-topic from the goals of the Whonix project to get deeply involved in creating a perfect comparison table or write-up on that subject. Wikipedia might be interested to host this information, or any other more general knowledge wiki / comparison site. I would certainly at a minimum be a reader. Probably also add a link to it from the Whonix wiki. Having this information well laid out could help to get these issues fixed. Without awareness of the issue it’s even less likely to get fixed.

2 Likes

The host OS page is still mostly misinformation. I can go over it again if you want. I’ve also expanded Linux | Madaidan's Insecurities to include more direct comparisons to Windows/macOS.

Split from the long wiki edits forum thread into its own topic since it is way too complex for the long wiki edits thread.


https://phabricator.whonix.org/T993

! In T993#20220, @Patrick wrote:
I don’t see what else can be done here. This statement is limited to only what was said in this ticket.

Issue tracker was moved meanwhile to forums as per:
Bug Reports, Software Development and Feature Requests

I am not calling the whole task done.

Split discussion into its own forum discussion.

Host Operating System Selection Wiki Page Discussion

Will continue there.

Patrick closed this task as Resolved.

It’s only really closed once the forum topic says it is. Just doing this since this issue tracker phabricator is being phased out at Whonix project.

! In T993#20223, @Patrick wrote:

! In T993#20220, @Patrick wrote:
I don’t see what else can be done here. This statement is limited to only what was said in this ticket.

If not… Quote and bring up here:

Host Operating System Selection Wiki Page Discussion

To make this less of a daunting task… That ends up in the backlog not being worked on… Since this is one of the most controversial technical discussions here ever…

I suggest this needs to be split into small chunks. Because if it’s too many points at the same time, it quickly gets messy, overwhelming.

Please bring up one small point. (Or I will soon bring up one small point and ask for clarification.) Then stick to that point until that’s resolved. And meanwhile that point is being discussed, don’t bring up other stuff. One point such as “this and this is a Windows backdoor or not”. If it’s not possible in this forum thread, use a separate one and make the on-topic very clear. I’d then try to moderate as restrictive as possible and move any posts too broad back to this one.

Not sure when we start this modus of operation. In separate forum topic, post any time.

Otherwise, you could also have patience with me for a week or so. It’s “just” 63 posts for now. I am going to re-read all. And then, I’ll be attempting to integrate your criticisms and answer them right on the same wiki page.

In other situations I also often very much understand the usefulness of sometimes making a “summary answer”. If too many people bring up too many things, not everything can get answered. Cannot discuss with everyone until consensus is found or giving up due to fatigue. Similar for long articles / wiki pages where one feels that just too much is wrong to go into everything in detail. However, in this case, if improvements should be made, I very much suggest to split into small chunks and keep working on it continuously. It’s not that many bullet points in total.

1 Like

It is effectively impossible to directly talk to developers for most people.

Well, twitter with a 140 character limit isn’t exactly known for being a productive discussion platform.

Any examples of any productive discussions that resulted in enhancements and/or bug fixes?

The main point is:

There is no public issue tracker for Microsoft Windows. In comparison, for Open Source projects, issue trackers are most often public for everyone (with the exception of security issues under embargo until fixed).

I guess I don’t need to show examples for that.

How’s that done for Windows?

Word definitions: Spyware is a type of malware.

Quote wikipedia malware [archive]:

A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and scareware.

If that definition is accepted, and one agrees that “Windows is Spyware”, it then logically follows that “Windows is also Malware”. This is to explain the GNU Project opinion of calling Windows “Malware”.

1 Like

Twitter is where nearly all of the security community is. For example, here a few Microsoft security researchers I follow:

https://twitter.com/dwizzzleMSFT
https://twitter.com/JosephBialek
https://twitter.com/epakskape
https://twitter.com/AmarSaar
https://twitter.com/metr0
https://twitter.com/Lee_Holmes
https://twitter.com/spoofyroot
https://twitter.com/xjamesmorris

Same goes for other companies like Google, Apple, Amazon, Facebook, etc.

Here’s an example of one directly relevant to us and resulted in an improvement to kconfig-hardened-check:

https://twitter.com/dvyukov/status/1245969522869309441

It depends on the issue. Microsoft regularly assign CVEs to security issues.

https://msrc.microsoft.com/update-guide/vulnerability

I meant spyware as derogatory term for “lots of privacy invasive telemetry”, not in a literal sense.

1 Like

Alright. I am dropping the “talk to developers” directly point.

My main point:

There is no public issue tracker for Microsoft Windows where any reasonable user is allowed to post or reply. There is a public list of vulnerabilities [archive] but without public discussion among developers and/or users. In comparison, for Open Source projects, issue trackers are most often public for everyone to post and reply (with the exception of security issues under embargo until fixed).

There is https://answers.microsoft.com but I’ve never seen developers asking users for debug information (maybe rarely needed due to telemetry?) or telling what bug gets fixed with what update, any workaround, bug confirmed/closed/wontfix etc.

1 Like

Here’s one I found randomly: Redirecting

Please use the feedback option within the browser (Alt+Shift+i) to report the error when it happens, including diagnostic data so they can see what’s going wrong.

There’s also https://techcommunity.microsoft.com/

A volunteer moderator isn’t a developer.

Redirecting

I’ve looked through a few random threads but cannot see any Microsoft employees either.

All seems user-to-user.

This is much different from let’s say Debian or Qubes where almost every ticket at some point gets tagged/reply from some developer.

Microsoft internally certainly must have some issue tracker but it’s not public. That’s the difference I would like to work out. Safe to say, Open Source development is generally “more open”. Windows development detail discussions seem a lot more private.

…if you have any re-wording suggestions for that.

1 Like

Microsoft deals with an enormous user base, compared to most open source projects. The developers don’t have the time to provide support like that. Especially not for trivial issues like most threads there.

That’s how closed source software works in general. The community can’t participate as much in development.

Also, I’ve noticed that you have continued to add misleading parts to the page.

By comparison, also other operating systems, even Whonix and Kicksecure source code contain the string snippet nsa. For example in package security-misc file /usr/lib/security-misc/pam_tally2-info contains the string xscreensaver has its own failed login counter. The word xscreensaver contains nsa; that however is an absurd comparison. Things have to be compared in proper context. In Whonix and Kicksecure source code there is no variable, function or symbol name with any meaning containing “nsa”. Words such as unsave have nothing to do with it. This can be confirmed by auditing the related parts of the source code.

Here’s a more fair comparison then: Repository search results · GitHub

  • NSA_DEV
  • pass_NSA
  • RX_ENABLE_NSA
  • nsa_mode

“These are quite clearly commands to enable the NSA Linux kernel backdoor to steal user passwords.”

There is no evidence to say that _NSAKEY even stood for the “National Security Agency”. There is no expansion of the acronym or a space between “NSA” and “KEY”. You’d have a stronger argument with the examples I listed above because there are spaces between them and the National Security Agency actually do have a history of contributing to the Linux kernel — you don’t do this though because it is absurd, just like with _NSAKEY.

A much more likely explanation for the naming is: https://web.archive.org/web/20121024225124/http://www.microsoft.com/en-us/news/press/1999/sept99/rsapr.aspx

Microsoft said the key is labeled “NSA key” because NSA is the technical review authority for U.S. export controls, and the key ensures compliance with U.S. export laws.

Even Bruce Schneier doesn’t buy this nonsense: Crypto-gram: September 15, 1999 - Schneier on Security

1 Like
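The contrast above between hits like xscreensaver or unsave and identifiers like RX_ENABLE_NSA is really a search-methodology point, so here is an added example (not code from Whonix, Kicksecure or any other project discussed in this thread) that makes it concrete: a small Python audit helper that first does the naive `grep -i nsa` style substring search and then keeps only the hits where nsa is a separate identifier component (underscore- or camelCase-delimited). The sample lines are constructed for this example; the identifiers RX_ENABLE_NSA, nsa_mode, pass_NSA and _NSAKEY are taken from the posts above. `_NSAKEY` ends up as a substring-only hit because, as the post says, there is no separator between NSA and KEY, so a mechanical check cannot decide what that name means.

```python
"""Token-aware search for a short string such as "nsa" in source text.

Added example, not Whonix/Kicksecure code. Shows why a raw substring
search is misleading (it matches inside "xscreensaver", "unsave" and
"transaction") and how restricting hits to identifier components gives
the "proper context" comparison the wiki text asks for.
"""
import re

NEEDLE = "nsa"

# C-style identifier: letters, digits, underscores, not starting with a digit.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Splits a camelCase/PascalCase run into words: "NSAKey" -> ["NSA", "Key"],
# "NSAKEY" -> ["NSAKEY"] (an all-caps run has no internal boundary).
CAMEL_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|[0-9]+")

# Constructed sample lines, not real file contents.
SAMPLE_LINES = [
    "xscreensaver has its own failed login counter",  # nsa inside a word
    "unsave the document before exiting",              # nsa inside a word
    "#define RX_ENABLE_NSA 0x04",                      # NSA as a component
    "static int nsa_mode = 0;",                        # nsa as a component
    "char pass_NSA[32];",                              # NSA as a component
    "const char *key = _NSAKEY;",                      # no separator: undecidable
    "transaction committed",                           # nsa inside a word
]


def substring_hits(lines, needle=NEEDLE):
    """1-based line numbers where `needle` occurs anywhere, like `grep -i`."""
    needle = needle.lower()
    return [n for n, line in enumerate(lines, 1) if needle in line.lower()]


def identifier_components(ident):
    """Break an identifier into its name components.

    Underscores are hard boundaries; camelCase transitions are soft ones.
    """
    parts = []
    for chunk in ident.split("_"):
        parts.extend(CAMEL_RE.findall(chunk))
    return parts


def component_hits(lines, needle=NEEDLE):
    """(line number, identifier) pairs where `needle` is a whole component
    of an identifier, e.g. RX_ENABLE_NSA or nsa_mode but not xscreensaver."""
    needle = needle.lower()
    hits = []
    for n, line in enumerate(lines, 1):
        for ident in IDENT_RE.findall(line):
            if any(c.lower() == needle for c in identifier_components(ident)):
                hits.append((n, ident))
    return hits


def audit(lines, needle=NEEDLE):
    """Summarise how many raw substring hits survive the context check."""
    raw = substring_hits(lines, needle)
    ctx = component_hits(lines, needle)
    ctx_lines = sorted({n for n, _ in ctx})
    return {
        "substring_lines": raw,
        "component_lines": ctx_lines,
        "substring_only_lines": [n for n in raw if n not in ctx_lines],
        "identifiers": [ident for _, ident in ctx],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary. Every one of the seven sample lines is a raw substring hit, but only three contain an identifier that uses nsa as a distinct token. The component check only says whether a name uses the token; what the token stands for is still a question of reading the surrounding code, which is exactly the context the wiki paragraph says must be compared.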

Clarified the point on open development.

(Need to use code tags as the forum eats <rev> tags.)

There is no public issue tracker for Microsoft Windows where any reasonable user is allowed to post or reply. There is a public [https://msrc.microsoft.com/update-guide/vulnerability list of vulnerabilities] but without public discussion among developers and/or users. <ref>
https://answers.microsoft.com is mostly(?) user-to-user discussion. Mostly: hard to find any employees posting there or very low interaction. [https://answers.microsoft.com/en-us/page/faq#faqWhosWho1 A volunteer moderator isn't a developer.]

There is also https://techcommunity.microsoft.com.
</ref> Microsoft's internal issue tracker is private, unavailable for the public even for reading. <ref>
Link as evidence pointing to the fact that Microsoft does have an internal issue tracker: https://www.engadget.com/2017-10-17-microsoft-bug-database-hacked-in-2013.html
</ref> The ability of the public to get insights into Microsoft's planning and thought process, and to participate in the development of Windows, is much more limited. This is the case for many closed source, proprietary software projects. The community cannot participate as much in development. In comparison, for Open Source projects, issue trackers are most often public for everyone to post and reply (with the exception of security issues under embargo until fixed).

I explained the “nsa search results”… Because…

I guess that was sarcastic but I found it informative to work out the differences.

Moved the Whonix source code comparison part to a footnote and answered the Linux comparison instead.

Added that link. Only fair to allow the accused to explain their side of the story.

Microsoft said the key is labeled “NSA key” because NSA is the technical review authority for U.S. export controls, and the key ensures compliance with U.S. export laws.

Then where in the U.S. export laws is it said that there need to be two keys, or a key labeled “NSA key”, or is there some other phrase in the law which explains that?

Will take under consideration. Added for now:

Bruce Schneier in post NSA Key in Microsoft Crypto API? [archive] does not believe NSAKEY has any malicious purpose.

I disagree with Bruce Schneier from 1999 too. But I don’t think it’s realistic to contact him for discussion on that one. Too bad that’s not one of his articles with comments enabled (was a newsletter, perhaps before the blog that supports comments was introduced, dunno).

Third, why in the world would anyone call a secret NSA key “NSAKEY”?

You tell me.

Lots of people have access to source code within Microsoft;

Why assume it’s in the source code that relevant developers work on (or nowadays in the version shared through the shared source program)? It was only found in debugging symbols that Microsoft forgot to remove.

The source code most developers work with could be clean. A backdoor might only be introduced during compilation, which is most likely done on a different machine, a build machine.

Access to Microsoft source code is most likely not an all-or-nothing situation. Not every developer working on, let’s say, Skype or Edge necessarily always has access to all source code of other components such as the kernel or crypto. Compartmentalization is clever to avoid leaks.

Therefore even if Microsoft had at some point 47000 developers or so (dunno how many it were in 1999), that doesn’t mean all of them would have access to that part of the source code.

Anyone with a debugger could have found this “NSAKEY.”

Not anyone.

  • The public: An independent security researcher was only able to find it since Microsoft forgot to remove debugging symbols. This mistake has probably been fixed by Microsoft by now.
  • A Microsoft developer:
    • Most Microsoft developers would be provided, and work with the clean source code, without any backdoors. If they created a build including debug symbols, “NSAKEY.” would not have been included.
    • Even if a Microsoft developer found “NSAKEY” and they asked the management about it, the management could just say “that’s alright” or some other explanation. The developer might not be suspicious. Even if suspicious, it is unreasonable to assume every developer becoming a whistleblower, risking their current employment, income, legal action and further employment opportunities. Anonymous whistleblowing wouldn’t be worth it without evidence / source code. Then it would be a minor note and disregarded as FUD. And if leaked including source code / further evidence, then the number of suspects who could have leaked it would be tiny.
    • “NSAKEY.” could have been inserted by a much smaller group of developers at a later stage (before building / on the build machine).

If this is a covert mechanism, it’s not very covert.

Don’t assume the perfect crime. Humans make mistakes.

What might have really happened:

Quote HCL Notes - Wikipedia

In 1997, Lotus negotiated an agreement with the NSA that allowed export of a version that supported stronger keys with 64 bits, but 24 of the bits were encrypted with a special key and included in the message to provide a “workload reduction factor” for the NSA.

But even then Microsoft isn’t forthcoming about it.


To strengthen the argument made on that page and not distract from more important and stronger points, I’ll remove that part now.

(And move to Outdated, Deprecated, Archived Whonix Documentation. (set to noindex just now).)

Ready.

Done.

I assume the key is used to indicate that the NSA has reviewed the cryptography and determined that it is fully compliant with the law. The key itself is not a legal requirement — it’s used to indicate that the actual requirements have been met. The US used to have really tight restrictions on cryptography (they have since been relaxed).

This doesn’t seem very far-fetched.

Yes, anyone. Anyone has the ability to reverse engineer Windows source code and still do today. Windows is reverse engineered often for various reasons.

I don’t know what you mean by “debugging symbols”. This isn’t anything like that.

It’s not simply a small mistake. It would have to be an enormous failure for something as seemingly obvious as this. That just wouldn’t happen.

You mean you want me to bring up some points?

First off, you have far too many subsections and not everything is relevant to security or privacy such as the nuisances part. There are also many parts that are duplicated and it’s just a huge wall of misleading text.

Microsoft has a history of informing adversaries of bugs before they are fixed. Microsoft reportedly gives adversaries security tips [archive] (archive.is [archive]) on how to crack into Windows computers.

Microsoft’s willingness to consult with adversaries and provide zero days [archive] before public fixes are announced logically places Windows users at greater risk

(That’s duplicated, by the way)

I have gone over this before. They are not providing adversaries with zero days — they are giving a variety of organisations early access to embargoed security patches so they can ship them out immediately after public disclosure. Linux does the exact same thing and this isn’t a major issue: https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html

The crucial difference between Microsoft bug embargoes and Linux bug embargoes is that Microsoft notifies intelligence agencies which are then known to exploit vulnerabilities, while the Linux kernel security team has a much more transparent bug embargo process where trusted parties, i.e. huge Linux distributions, receive an early notification so that the software upgrade containing the fix is widely available before disclosure, to prevent wide exploitation by attackers in the wild.

No, it’s just naive to assume intelligence agencies aren’t getting these notifications. The NSA doesn’t even need these since Linux is so trivial to exploit anyway which brings me on to the next point…

All the claims on “Windows Insecurity” are simply nonsensical. Microsoft has made enormous strides on security and is decades ahead of Linux: Linux | Madaidan's Insecurities

Any credible security researcher will tell you the same thing: Linux | Madaidan's Insecurities

And no, source models aren’t magic security properties.

(Non-technical comment, so take with a grain of salt)

I agree that page is super messy. A logical approach would be:

  • split into separate pages Windows v macOS v other
  • clearly demarcate privacy and security issues on those child pages (yes, they’re related I know, but it’s too messy right now)
  • add the main missing element - Xen and like systems with Type I hypervisors & virtualized, separated domains for various elements - networking, firewalls, USB, GUIVM, ‘dangerous applications’ etc.

I’m pretty sure security professionals were saying in recent times that all monolithic OSes are clusterf**ks for security. Too much code, massive kernels running with 10s of millions of lines of code etc. means they can never be properly secured (until maybe we have quantum computer fuzzing operations or similar doing tests in massive parallel i.e. something with 300 qubits or so).

So, we must assume in advance all systems will be pwned by any competent adversary. That suggests fine-grained separation is the only solution, preferably with those VM instances running in minimal templates, all in a disposable fashion i.e. Qubes architecture.

I think it’s hard to argue that Windows 10, even with 10s of thousands of developers and billions of dollars of investment/man hours, is more secure than say Xen hypervisor with disposable netVM, disposable firewall-VM, disposable USB-VM, GUIVM, all applications run in minimised disposableVMs for single use purposes etc.

Maybe those Qubes VMs can be pwned at a rate of 2-3 times (say) a Windows instance, but who gives a shit if the minute I shut down the disposable VM the miscreant’s presence is killed? If they are performing VM breakouts and infecting dom0, then you’ve bigger things to worry about, because that is apparently not trivial.

I also wonder what OS the NSA and others run BTW? I searched for that in the past and couldn’t see any clear answers. Pretty sure they’re not running Windows 10.

Even if Windows 10 is far more secure in its architecture than your best Linux OS today, I don’t think our community cares i.e. they want privacy and not 100s of open channels to the Microsoft mothership that can never be turned off despite all best efforts.

An honest appraisal at the end of the day might say - yes, Windows 10 is far more secure than your stock standard Linux OS as madaidan points out, but a privacy disaster. On the other hand, none of the monolithic OSes come near Type I hypervisor arrangements. So, I’d suggest that Qubes-Whonix is then the best compromise under the circumstances. Reasonably secure, privacy-focused, and can limit the long term impact of breaches by malicious turds when properly configured with a bit of effort.

1 Like