[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

Long Wiki Edits Thread

A post was split to a new topic: set apt-get --no-install-recommends by default

Background:

Documented just now:

https://www.whonix.org/wiki/Malware_and_Firmware_Trojans#Malware_Audit

Hmm… maybe we should review that StartPage recommendation in a couple of wiki pages (my bold).

Startpage Acquired by System1, Privacy One Group - Still Safe?

Recently there has been lots of talk about Startpage being acquired (or at least partially acquired) by a US company called Privacy One Group, which is a division of System1, a “data science” company that specializes in targeted advertising.

With that being said, my general rule here at Restore Privacy is to only recommend products and services that I would personally trust and use myself. Therefore I will not be recommending Startpage as a private search engine due to some lingering concerns I have. These concerns include:

  • The fact that System1 has acquired a stake in Startpage and is not disclosing the details.
  • The history and business model of System1, which includes gathering “as much data as possible” and profiling users for targeted ads.
  • The board of directors change at Surfboard Holding BV, to appoint the System1 co-founder and an outside investor.
  • The nine-month delay in alerting the public to these changes, and then announcing it as a “most recent” change.
  • The contradictory business models of System1 and a truly private search engine.
1 Like

startpage has only 1 mention for Tor relay ban, that’s it? No special endorsement whatsoever. Also google cache is mentioned there. If we’re super strict at in that place then the user would have even less working options to view any websites that block Tor exists. At no time it’s implied that using such services improve privacy. Necessarily such workaround worsen privacy. Perhaps worth pointing that out and/or linking to * Unsubstantiated Conclusions?

We as a privacy by technology project should be careful and not get lost in endless debates on privacy by policy / legal / company valuation. Related:

I.e. which company bought which one, who are the people behind it.

It’s very complex. Often non-verifiable. Good arguments can be made for opposite viewpoints. I don’t think there can be a methodology that could be applied consistently.

Fair enough.

1 Like

New wiki page:

backgrounds: Lots of people in Whonix telegram / matrix ask about Whonix KVM. Questions such as “Do I really need vibr0?” I don’t know enough about KVM to get into that.

//cc @HulaHoop

1 Like

Yeah I prefer one place (here) to see all support topics and the answers are permanent and can be easily referred to in the future when the same questions pop up.

1 Like

new wiki page:

Background: The impression for new users keep sticking that Whonix invented all the thousands of packages or things like apt. Sometimes users discuss something in Whonix chat such as for example installation of packages also (not) available from Debian. Maybe not the best example. Or general security questions. In such cases I’d like to have a handy link to point out that more could be learnt my knowing it’s actually unspecific to Whonix.

Bug: The url is wiki/unspecific (to keep it easy to type) but the title should actually be Information Booster might be Available!. (Suggestions welcome.)

Bug reported:

Upstream swift fix.

New wiki chapter:
Generic Bug Reproduction

You might be interested in this.

  1. Open Source Security Metrics

Security Metrics - Open Source Security Foundation

(Whonix scoring around 48-50%)

  1. ossf / scorecard

Release v2.0.0 · ossf/scorecard · GitHub
https://raw.githubusercontent.com/ossf/scorecard/main/cron/data/projects.csv

Result: github.com/Whonix/Whonix,criticality_score:0.482730

  1. google / oss-fuzz

GitHub - google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.

(Useful for Whonix?)

1 Like

new wiki chapter:
VirtualBox Generic Bug Reproduction

sure will do

Edit: fixed from them, working fine from my side.

1 Like

Thanks.

@Patrick I don’t think it is risky for us to publish Host Kernel Hardening while awaiting madaidan’s website changes - we have his permission on this forum after all.

Also, Since Tor’s sandbox feature seems perpetually broken/non-functional can/should we run Tor in a chroot jail, or at least provides wiki instructions to do so as an optional configuration?

No idea if this would work in Whonix configuration. (On a side note there is a lot of the Arch wiki we could rip off for security-related matters in our own wiki. TODO)

Tor - ArchWiki

For security purposes, it may be desirable to run Tor in a chroot. The following script will create an appropriate chroot in /opt/torchroot:

~/torchroot-setup.sh

#!/bin/bash
export TORCHROOT=/opt/torchroot

mkdir -p $TORCHROOT
mkdir -p $TORCHROOT/etc/tor
mkdir -p $TORCHROOT/dev
mkdir -p $TORCHROOT/usr/bin
mkdir -p $TORCHROOT/usr/lib
mkdir -p $TORCHROOT/usr/share/tor
mkdir -p $TORCHROOT/var/lib
mkdir -p $TORCHROOT/var/log/tor/

ln -s /usr/lib $TORCHROOT/lib
cp /etc/hosts $TORCHROOT/etc/
cp /etc/host.conf $TORCHROOT/etc/
cp /etc/localtime $TORCHROOT/etc/
cp /etc/nsswitch.conf $TORCHROOT/etc/
cp /etc/resolv.conf $TORCHROOT/etc/

cp /usr/bin/tor $TORCHROOT/usr/bin/
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-.so /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
cp $(ldd /usr/bin/tor | awk ‘{print $3}’|grep --color=never “^/”) $TORCHROOT/usr/lib/

/var/log/tor/notices.log is only needed if you run hidden services

cp /var/log/tor/notices.log $TORCHROOT/var/log/tor/

cp -r /var/lib/tor $TORCHROOT/var/lib/
cp /etc/tor/torrc $TORCHROOT/etc/tor/

chown tor:tor $TORCHROOT
chmod 700 $TORCHROOT
chown -R tor:tor $TORCHROOT/var/lib/tor
chown -R tor:tor $TORCHROOT/var/log/tor

sh -c “grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd”
sh -c “grep --color=never ^tor /etc/group > $TORCHROOT/etc/group”

mknod -m 644 $TORCHROOT/dev/random c 1 8
mknod -m 644 $TORCHROOT/dev/urandom c 1 9
mknod -m 666 $TORCHROOT/dev/null c 1 3

if [[ “$(uname -m)” == “x86_64” ]]; then
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
ln -sr /usr/lib64 $TORCHROOT/lib64
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
fi

After running the script as root, Tor can be launched in the chroot with the command:

chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor

or, if you use systemd, overload the service:

/etc/systemd/system/tor.service.d/chroot.conf

[Service]
User=root
ExecStart=
ExecStart=/usr/bin/sh -c “chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc”
KillSignal=SIGINT

2 Likes

That would be an exclusive permission (full terms and conditions unclear, perhaps revokeable…) which doesn’t extend to anyone who would want to fork that text. Would still be proprietary (copyrighed) as per copyright laws default. Proper Open Source projects, specifically bigger ones, don’t accept content/contributions without crystal clear licensing.

chroot is not a security feature.

related:

The tor package by default already comes with:

  • /lib/systemd/system/tor@default.service various systemd hardening
  • /etc/apparmor.d/system_tor an apparmor profile.

That is sandboxing. Potential enhancements should be contributed upstream.

A custom chroot solution would be weaker and more stability fragile.

Could you review Difference between revisions of "Bitcoin" - Whonix please? @HulaHoop

Rejected. We don’t add obscure altcoins to our wiki (which implies endorsement) just because they slapped on a buzzword (in this case “quantum”) on their website.

I have no idea what the qualifications of the people behind is or what their motives are.

1 Like

For reference, was about this edit:
Difference between revisions of "Bitcoin" - Whonix

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]