After importing Whonix-Gateway in VBox I haven't changed the password "changeme". If a hacker on the Internet knows this and he is also the entry node runner that knows my real IP address, is it easier for him to access or remote control my computer by my IP, account name and account password?
You should change your default root password but for another very good reason.
If someone manages to execute malicious code on your machine the damage they can do with root privileges is much greater than if you limit them to user-space. Before attacking the hypervisor they must get root on the guest first. By choosing a strong root password you force them to rely on kernel exploits which can expose their presence.
IIUC, the main argument is that any attacker that has the ability to compromise the Xen hypervisor (which has had one "publicly disclosed exploitable bug" (two now I guess)) will already have a much easier-to-obtain root escalation exploit in their back pocket.
Isn't it conceivable that there is an entire class of attackers (i.e. script kiddies) that can easily obtain public exploits / malware but might not have the resources to find their own root escalation exploits? In that case, this security policy comes down to a race between Xen/Qubes patches and user update practices vs. these less sophisticated attackers. How many "ordinary" users are being actively attacked by nation-states vs. the number who are under constant probing from script kiddies? By focusing defenses against the most sophisticated theoretical adversaries, is Qubes leaving the door wide open to hooligans?
If I may weigh in, personally, I can understand their line of thinking, though I don't agree with it completely for several reasons, the main one being that added security via root in my eyes doesn't actually inconvenience the user in such a massive way. What I mean by this is that, while their line of thinking that almost anyone capable of "escaping" a hypervisor is very likely also capable of a root escalation is absolutely valid and probably true, this doesn't necessarily mean that there shouldn't be that extra layer of security. Adding to that, an argument could (though shouldn't) be made that since most users of Qubes are "Linux power users" they are so used to root that not having it will lead to some feeling unsafe and switching back to less safe distributions, because of the notion that having no separate root account is bad practice. This, however, shouldn't be used as an argument as far as I'm concerned, as it would just bypass any reasonable discussion and could be regarded more as security theatre than anything else.
Now, regarding your question about "hooligans", I don't think they should be of anyone's concern. As argued on the linked site, without an exploit in Xen they will only stand a minuscule chance, root or not.
Have a nice day,
Let me illustrate my concern with an example. Say a Xen breakout bug is made public. Xen or Qubes addresses it right away and releases a patch. While you and I update obsessively, the victim in this case doesn't, because he's not aware of the flaw, or he's running around in a war zone, or has extremely limited bandwidth, or is lazy, or has bad habits. Although it's justifiable to blame the victim, the (unproven) fact remains that many users of anonymity distributions do not have the luxury of, or appreciation for, following security notices and updating daily.
Now a security researcher releases a proof-of-concept malware or a blackhat releases a turnkey exploit, which is now in the hands of anyone with a search engine. Some hooligan distributes it hoping to get lucky and doesn’t have a privilege escalation method.
Is this a far-fetched edge scenario? I think the average (non-Most Wanted) user is much more likely to face this, compared to being the target of a national intelligence agency attempting to record vibrations from his hard drive… How can it be considered “security theater” if it can prevent a real threat? (the only cost is doing what *nix users have done for decades…)
[Disclaimer: I use passwordless sudo. It’s so damn convenient. But I do feel guilty about it.]
I can definitely see where you are coming from there, and having put it that way, yes, this risk is larger than I would initially have anticipated, keeping in mind what you've said.
Regarding the security theatre line, I wasn't talking about using sudo in general, but rather about using the argument that sudo should be used because it just seems safer when it maybe isn't.
The way you’ve put it is one you may want to discuss with the “core Qubes team”, they will likely have a thing or two to say about it as well.
Have a nice day,
If you are going to put all of your faith in the hypervisor you will be disappointed. The OS still matters. If the Linux network stack was a pile of feces then an attacker would be able to exploit the GW via the network and burrow outside and the Whonix security model would collapse.
It's not a good defense posture to give your attacker breathing space for free. Each layer makes them work harder and forces them to rethink the value of the target and the investment they are willing to make vs. the risk of discovery.