Welcome to Whonix.
1) This link will answer your first question.
Short answer: Install Debian. Take some time to harden the host OS if you can.
The only thing I don’t like about Debian is installed services are turned on by default. That is not the case in most other Linux distros.
188.8.131.52 Why are all services activated upon installation?
That’s just an approach to the problem of being, on one side, security conscious and on the other side user friendly. Unlike OpenBSD, which disables all services unless activated by the administrator, Debian GNU/Linux will activate all installed services unless deactivated (see Disabling daemon services, Section 3.5.1 for more information). After all you installed the service, didn’t you?
There has been much discussion on Debian mailing lists (both at debian-devel and at debian-security) regarding which is the better approach for a standard installation. However, as of this writing (March 2002), there still isn’t a consensus.
PS Don’t install that malicious malware posing as an OS - otherwise known as Windows.
2) After setting up Debian on your host, use the link below and just follow the directions to get up and running.
Most people just download and verify the Whonix Workstation and Gateway images and import them straight into VirtualBox (usually), or KVM (less often). Easy, quick, and the default set-up will work straight out of the gate.
Make sure you follow the post-install documentation and check out the Whonix security guides for better security.
Staying anonymous is not just a software or hardware solution. It relies on hardening your system and following guides in documentation to not shoot yourself in the foot. E.g. search for the “Do Not” Whonix guide.
3) I think it’s fair to say that every country has turned into (or is turning into) a police state. So, pretty well all Tor use makes you interesting, no matter the location.
Automated systems are already in place with intelligence mobs to flag all encrypted communications (e.g. Tor, encrypted emails and so on) to set them aside for future cryptanalysis. That is no conspiracy theory, but conspiracy fact.
Basically the shadow state’s motto is Nancy Reaganesque:
“Just say no to crypto!”
If Tor use is dangerous or deemed suspicious, use a bridge - but that is also an imperfect solution. You could try other solutions like User -> VPN -> Tor (see the guides), but that can harm your anonymity and security (it’s unclear).
As an aside…
Now let me put on my tin foil hat for a second. This view is not endorsed by Whonix yada yada.
The difference re: Tor use is some states will lock you up just for using it, while other states probably just routinely hack your ass surreptitiously or run network analysis with end-to-end traffic & timing confirming statistically that it’s you over at mylittlepony.com, even with HTTPS.
7.5 billion people and only a little over 2 million using Tor daily. Not good numbers.
If I was Dr Evil working for the totalitarian state in my windowless underground chamber, I would simply flag all Tor use at the network level and hack each endpoint with my can’t-be-stopped toolset paid for by your tax dollars. You know, the one doing the rounds right now, after they got their own asses hacked.
I’m sure that mass targeted attacks on the entire Tor user population will be confirmed in the coming years. Probably with improvements in automated attacks.
What can I say, I’m an optimist.
If your activities are critical and risk being locked up for whatever reason, then being a stationary target isn’t advisable. That kind of situation would require TAILS. Then, it’s incumbent on the state to prove that you were whistleblower X on random computer Y at time Z. Much harder.