Long Wiki Edit Thread

Patrick · May 16, 2021, 1:18pm

This is now implemented. Daily.

Patrick · May 17, 2021, 8:45am

Amazing contribution!

Added:

= Help Welcome =
Please add screenshots, texts, examples of actual social engineering / phishing attempts with explanations how it could have been detected as one.

justadocreporter · May 19, 2021, 2:59am

Whonix-Workstation ™ has the transparent proxying feature enabled by default. (You could disable it if you wanted to.)

This is confusing. Whonix-Workstation does not have a transparent proxy. I believe this should say Whonix-Workstation has its traffic transparently proxied by Whonix-Gateway.

Whonix-Gateway ™ has by default no transparent proxying feature. Instructions below document how you could enable it. There are no known use cases besides leak testing.

This is confusing as well. I believe it should say Whonix-Gateway by default transparently proxies traffic originating from Whonix-Workstation, but does not transparently proxy traffic that is generated by Whonix-Gateway.

This may seem like nitpicking, but if you look through my multiple edits you’ll understand the various interpretations I had of these two quotes.

Patrick · May 19, 2021, 6:05am

Whonix-Gateway Traffic: Transparent Proxying

That is OK. The focus isn’t supper narrow limited Whonix-Gateway only. Analogy: when describing a “circle” it’s useful to define “a form” or to compare with “a rectangle”.

That one is correct as is too.

It’s describing it from a features point of view. There could be a footnote describing a bit where/how this is implemented.

There are no two transparent proxies.

No.

prerequisite knowledge:

transparent proxy
Tor transparent proxy

User clearnet on Whonix-Gateway just uses clearnet. It’s not transparently proxied anywhere.

justadocreporter · May 19, 2021, 6:12am

Hmm? If I’ve got two TransPorts and one of those ports is fed traffic originating from this machine and another is fed traffic originating from the gateway then there are two transparent proxies in operation, no?

Other than that I understand what you’re saying, but I still think it’s confusing if taken at face value.

Patrick · May 19, 2021, 6:17am

Added on sentence to clarify just now to wiki.

A TransPort is just that. It’s not a a transparent proxy. A Tor TransPort is a very useful ingredient to implement a Tor transparent proxy. A TransPort alone being prepared doesn’t make it an enabled by default transparent proxying feature.

torjunkie · May 21, 2021, 10:19pm

@madaidan

You have some beautiful stuff here:

Unrelated, but I’ve recently published a Linux hardening guide which you may want to link in the wiki: Linux Hardening Guide | Madaidan's Insecurities

Where possible/useful, can we just import the most relevant material holus bolus (as is) into Whonix documentation and in future any updates you can amend in our wiki? You’ll also get a lot more eyeballs for your material. Obviously we’ll credit you directly as the original author.

I haven’t had a chance to review all your stuff there, but there is plenty of good material.

torjunkie · May 21, 2021, 10:20pm

torjunkie · May 23, 2021, 1:12am

@tempest

Where are we at with the currency of the Email entry in the wiki? It’s probably our most out-of-date entry on the main page?

Is there any updated version of your guide we can rip off to bring it up-to-date? The main thing is of course Enigmail going AWOL etc.

Patrick · May 30, 2021, 7:17pm

Replaced download button (used at Whonix for Windows, macOS, Linux inside VirtualBox for example). CSS enhancements welcome.

https://www.whonix.org/wiki/Widget:Download_Link_Unified_Download_Image

torjunkie · May 31, 2021, 6:32am

OK, I had a thorough look at the @madaidan hardening guide:

Chapter 2 Kernel Hardening - this could be a complete chapter in our Advanced Documentation; something like “Host Kernel Hardening” i.e. a cut and paste job because it is huge.
Chapter 3 Mandatory Access Control - we can just take bits we like for the AppArmor entry.
Chapter 4 Sandboxing - we could just take bits talking about common sandbox escapes and maybe the Systemd sandboxing section could be a standalone page in Advanced Documentation; something like “Host systemd Sandboxing”.
Chapter 5 Hardened Memory Allocator - I think this is all covered off in the existing Whonix wiki entry (?)
Chapter 6 Hardened Compilation Flags - could be a standalone page in Advanced Documentation (?). This would be another cut and paste job.
Chapter 7 Memory Safe Languages - we probably mention this somewhere, but could beef up any Whonix material by taking this paragraph as a quote.
Chapter 8 The root Account - I presume Whonix already has an entry on this somewhere & has these protections in place already. So maybe again it could be a page in Advanced Documentation for non-Qubes-Whonix users for their host OS (?). Re: Qubes, no idea if applicable.
Chapter 9 Firewalls - maybe we could beef up our existing entry on Firewalls to use his example etc. (?). Our stuff is pretty basic.
Chapter 10 Identifiers - again, I imagine Whonix has a lot of this sorted by devs. So we could create a standalone page on standard documentation page called “Identifiers” and outline all these protections that could be done on the host. Another cut and paste job. (I know we cover some of this already e.g. MAC address spoofing, time attacks and keystroke fingerprinting. We wouldn’t duplicate any existing Whonix material).
Chapter 11 File Permissions - already covered in SUID Disabler entry. I gather users could also apply this automatically on their host OS by installing security-misc (?).
Chapter 12 Core Dumps - we already have an entry, but we could beef up the host OS instructions with madadian’s info/steps.
Chapter 13 Swap - I think we already cover off this issue in the Whonix wiki. TBC.
Chapter 14 PAM - I don’t think we cover this off anywhere. Could be cut and pasted into a new page (aimed at both Whonix and host OS?)
Chapter 15 Microcode Updates - we already cover this issue.
Chapter 16 IPv6 Privacy Extensions - I know Whonix is currently IPv4 only so that’s fine. But we could add a page in normal documentation covering this for host OS. Cut and paste job.
Chapter 17 Partitioning and Mount Options - I don’t think we cover this (?). Could be a cut and paste job for a new basic entry (aimed at host OS)
Chapter 18 Entropy - we have a /Dev page that could just rip off this content for specific instructions listed.
Chapter 19 - Editing Files as root - we already have info somewhere re: sudoedit - we could just ‘borrow’ anything here we haven’t already stated.
Chapter 20 - Distribution-specific Hardening - we have some mention of mirror issues, but barely mention seccomp-bpf. We can rip off seccomp text for host OS recommendation (?)
Chapter 21 - Physical Security - we mention some of these issues, but could rip off whatever is missing. Cut and paste job, probably mostly related to host OS.

Basically if we did all this, the Whonix wiki would go from good to “shit hot”.

I don’t see any issues, so long as we have permission to do this i.e. reference madaidan everywhere and explicitly note for chapters that are full cut and paste jobs, something like:

The following material was authored by Whonix developer madaidan and forms Chapter X of The Linux Hardening Guide – see: Linux Hardening Guide | Madaidan's Insecurities. This material has been used with the author’s permission.

Benefits as I see it:

We then have one of the best/complete security hardening guides on the net for Linux.
madaidan gets a lot more eyeballs on his hard work and more traffic to his site.
Users who bother to apply most/all of this will be far better protected.

If I get the okay then I’ll go and do all that.

Patrick · May 31, 2021, 7:04am

Would be good if @madaidan could license works on Linux Hardening Guide | Madaidan's Insecurities (or generally on madaidans-insecurities.github.io).

And would be good if it was compatible with Whonix Copyright

I am also open for discussion of changes to Whonix Copyright (ideally in separate forum thread). Such as dual licensing with “plain” GPL-3 or GFDL and/or whatever else might be desirable.

Though, since Whonix wiki contents are Freedom Software, i.e. Whonix might be forked one day under the license, we shouldn’t do any “special” ideals. I.e. permission for Whonix only.

Yes. Surely doable.

A wiki template.

Could also be similar (or in addition) Template:License Amnesia - Whonix as for example used on Whonix - Overview

Yes, sure. Proper credits where desired are the least that can be done for the many amazing contributions!

Contributors and Authorship - Whonix is for that (on top) and on request I’d provide reference letters (confirming contributions, contributor since, character and whatnot).

Will probably comment on your list if/once licensing/permission is sorted.

torjunkie · May 31, 2021, 10:20am

Agree with everything you said. We’ll wait to hear from madaidan (fingers crossed).

madaidan · June 3, 2021, 9:20pm

Of course, that’s perfectly fine.

Sure, I can look into it.

CC BY-SA 4.0 seems like a much better and simpler license for my website than the GFDL.

Deed - Attribution-ShareAlike 4.0 International - Creative Commons

GFDL versus CC-by-sa - Creative Commons

Wikipedia:Comparison of GFDL and CC BY-SA - Wikipedia

Patrick · June 3, 2021, 9:35pm

To be able to import CC-by-sa content into Whonix wiki (or at least related pages) [0], the license of the Whonix would need to be:

either dual licenses (current + CC BY-SA)
changed to CC BY-SA only [1] [2]

It’s a big decision. Big change. Needs a separate forum thread, thought, possibility for wide input.

[0] Unless quoteable under fair use.

[1] Those who received the current version under current license can of course keep using it under the license.

[2] Since dual licensing has disadvantages too. If forked under 1 license only, these could not be backported to Whonix.

madaidan · June 3, 2021, 9:44pm

So if I license my website under CC BY-SA, it cannot be included in the wiki without an overall wiki license change?

torjunkie · June 4, 2021, 9:54am

That’s great news - thanks.

Patrick · June 4, 2021, 10:05am

Great question. Difficult question. But since you said…

I guess so.

Any input? @HulaHoop

HulaHoop · June 5, 2021, 3:25pm

CC BY-SA 4.0 is one-way compatible with the GPLv3 meaning a derivative work can be made opting for GPLv3 coverage instead.

Besides, as the sole copyright holder, @madaidan has full power to re-license it for our use as needed even if licensing was not harmonious.

Patrick · June 5, 2021, 4:15pm

Great so if/once @madaidan chooses CC BY-SA 4.0 we’re safe to go ahead.

Wishlist @torjunkie:

Please add a comment in edit summary if imported material from outside.
Add copyright to = License = section. (Using a wiki template.)
Similar to Dev/Tails Doc Fork - Whonix
Add a wiki html comment (which cannot be a wiki template unfortunately). For example the About page uses that. (All Dev/Tails_Doc_Fork pages.)

<!--
Copyright:

   {{project name}} About wiki page Copyright (C) Amnesia <amnesia at boum dot org>
   {{project name}} About wiki page Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>

[...]
-->
<!--
This wiki page is a fork of the Tails About page, from this exact source <http://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/about.mdwn;hb=9ff23c529b206f6f3d637257f8f1f2aa434f3d27>.
-->

(Actually should not use templates as the source as it will show up in wiki backups doesn’t have any dynamic processing. But not too bad. A bug not worth fixing. I guess can be kept as is.)

The exact wording is yet to be invented. Maybe mentioning above article, original license, origin, new license (“plain”, GPLv3. Actually GPLv3+ is not possible, I think, was not mentioned above but will be OK either way..).

Maybe just 1 page first. Then I can nitpick/perfect on it before opening the editing floodgate.