Ta. Fixed up most of the above stuff.
1 Like
Agreed
This is how
/etc/qubes-rpc/policy/qubes.UpdatesProxy
should look in Qubes R4 with Qubes-Whonix installed.
whonix-ws $default allow,target=sys-whonix
whonix-ws $anyvm deny
whonix-gw $default allow,target=sys-whonix
whonix-gw $anyvm deny
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
If you were to clone whonix-gw to whonix-gw-14, and if you were to clone whonix-ws to whonix-ws-14, and if you created sys-whonix-14 and you wanted these TemplateVMs to use that as its ProxyVM, then
/etc/qubes-rpc/policy/qubes.UpdatesProxy
should look like this.
whonix-ws $default allow,target=sys-whonix
whonix-ws $anyvm deny
whonix-gw $default allow,target=sys-whonix
whonix-gw $anyvm deny
whonix-ws-14 $default allow,target=sys-whonix-14
whonix-ws-14 $anyvm deny
whonix-gw-14 $default allow,target=sys-whonix-14
whonix-gw-14 $anyvm deny
## Note that policy parsing stops at the first match,
## so adding anything below "$anyvm $anyvm action" line will have no effect
## Please use a single # to start your custom comments
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
In any case, after upgrading to Qubes R4 and Qubes-Whonix 14, the network setting for any Whonix TemplateVM should be set to none. This is because Qubes R4 uses qrexec based updates proxy. Qubes-Whonix 13 supports that as well after a usual apt-get dist-upgrade.
If you would like to document this, you’re most welcome to!
1 Like
→ Fixed
Off-topic - Phabricator clean-up suggestions:
- T730 - Chinese spam (delete)
- T410 - Grsecurity related - “won’t fix”
- T685 - uBlock Origin install - “won’t fix” (reduces anonymity)
- T716 - “Closed - Resolved” (?) - anon-connection-wizard now integrated
- T91 - “Closed - Resolved” (?) - Whonix is fully 64 bit from Whonix 14
- T190 - “Closed - Resolved” (?) - whonix-setup-wizard is now polished (?)
- T616 - “Won’t fix” - Anonymouth has not had commits for over 4 years = dead project
That “apt-get Qubes instructions” bug (T545) should be relatively easy to fix (?)
1 Like
Thanks, all fixed!
I think how to use multiple Whonix templates and multiple separate clones of sys-whonix / anon-whonix should also be implemented elsewhere than on the upgrade to Whonix 14 page. Imagine a user who starts with Whonix 14. We shouldn’t redirect to the Whonix 13 → Whonix 14 upgrade page. But this can surely wait until Whonix 14 gets released.
I am wondering if the user that posted https://forums.whonix.org/t/how-to-tunnels-connecting-to-a-proxy-before-tor was jumping to trying Connecting to a Proxy before Tor too quickly.
Could you please check if either Connecting to a Proxy before Tor and/or Combining Tunnels with Tor have an appropriate explanation that Configure (Private) (Obfuscated) Tor Bridges might be the more appropriate solution?
This paper written in 2012 claims that both public and private bridges are trivial to enumerate and block by sophisticated censors, like the Chinese. Anecdotally, we’ve had users here claim that it’s a widely known fact in China that Tor bridges do not work.
Glad to see that Lantern page. Too bad they moved to a pay model. Definitely need to document some alternatives that are free or accept more anonymous payment types. Perhaps, Bitmask VPNs could circumvent extensive censorship.
[edit] Lantern has really grown since I looked at it. https://github.com/getlantern/lantern/blob/devel/README-dev.md Seems reasonable that they would need a funding source.
2 Likes
Would you also like to revise user facing messages (gui windows, info/error messages, log output)?
For example recently i created the following one but I am sure the wording is far from ideal.
OK, we can wait until Whonix 14 is ready.
I’ll have a look.
Yes, that’s a good idea. Any easy way to track down the main ones?
2 Likes
Awesome!
I will write something about this soon. I’ll point you at some “manually” for start.
This one is prominent since it can be opened from start menu. Not sure how many people are reading it though.
https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/tor/torrc.examples
Does the github editor work for you?
Also anon-gw-anonymizer-config/etc/tor/torrc.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub - exception this one only: but we cannot merge it soon. We might merge it for Whonix 15 when we include anon-connection-wizard by default.
Do you think people would look into anon-gw-anonymizer-config/usr/share/tor/tor-service-defaults-torrc.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub?
Btw don’t bother updating Copyright (C) 2012 - 2014 (etc.). No need. If you think I should higher priority to update it, I could do an easy mass search and replace so little manual labor would be used for this.
The generic readme. developer-meta-files/README_generic.md at master · Kicksecure/developer-meta-files · GitHub - very prominent - because it gets used on any github repository. GitHub - Kicksecure/sdwdate-gui: Grapical User Interface (gui), Systray Icon for for sdwdate - https://www.kicksecure.com/wiki/sdwdate-gui, https://github.com/Whonix/Whonix, GitHub - Whonix/onion-grater etc. everywhere.
Btw please don’t edit the upper part of github readmes. To change that content, that goes to debian/control such as for example sdwdate-gui/debian/control at master · Kicksecure/sdwdate-gui · GitHub. From there, README.md is sometimes auto generated. 80 characters per line maximum. I am not sure how many people read package descriptions besides reviewers. Would be more important if any Whonix packages made it into packages.debian.org.
VirtualBox import message:
1 Like
Very good new boxes for circumvention rather than tunnels! 
I’ve been told, users don’t know which part of their connection gets censored. If they cannot access a website over clearnet, they don’t know that it is probably their network censoring the website and that circumvention tools would help. Many users don’t even know they are behind censorship. Even when they are using Tor for circumvention and cannot reach singular website, they might still think it is somehow their censor that is preventing that connection.
- User -> Tor -> proxy/VPN/SSH -> Internet
- User -> proxy/VPN/SSH -> Tor -> Internet
Makes a lot sense in our bubble, but I would appreciate if you could please kindly check if we explain this well when we try to take their perspective since you’ve been doing a good job pointing such bubbling issues out. Like when someone using Tor to circumvent, and a website is not reachable over Tor, using bridges would - for us - maybe not user - obviously - not help to fix the issue. Maybe the bridges page should have an overview “good for”, “not good for” or something? Even the page name “bridges” is not thinking from the perspective “what is the user trying to solve”?
2 Likes
Great, thanks.
I’ll try and edit these via Github. I’ve signed up, but they flagged the account because of Tor sign-up I think. So, I’ve asked them to unflag it - probably will take a while over X-Mas.
No problem, will look at this other stuff too and might do a mass find & replace for “Icedove” and change it to “Thunderbird” in the mean time and a few other low priority things.
PS Merry X-Mas and a happy New Year to the Whonix crew! 
All the main contributors seem to be back now, Whonix 14 is close, and you’ve got some $ to employ new people - that’s great. Please share some info about the Linux developer stuff when you have a chance.
Presumably the new blood will focus on bugs, code clean up, and long-awaited minor changes to Whonix from the phabricator list, as opposed to new features.
There are lots of little things in the backlog that the current small Whonix team never have time to get to. Hopefully new programmers should be able to resolve a large number fairly easily and give the community the biggest bang for the buck.
The community is getting noticeably larger, but Whonix still seems to lack the vibrancy for community-based commits (code or documentation) compared to Qubes, and the mothership (Tor). Not sure why that is, but hopefully the positive trajectory continues.
Cheers
1 Like
What, doesn’t anyone work on X-Mas day… slackers. 
Has the apparmor profile for Thunderbird in Whonix 14 been changed to apparmor-profile-thunderbird ?
Right now the instructions still reference:
sudo apt-get install apparmor-profile-icedove
Which I changed in edits to:
sudo apt-get install apparmor-profile-thunderbird
Not sure if that is actually correct. If not, that profile/package should be renamed in Whonix 14 (?)
I changed all “Icedove” references to “Thunderbird” in the wiki, where appropriate.
Also, I changed all “Iceweasel” references to “Firefox ESR” where appropriate, since that branding issue was rectified in mid-2016 (see the Debian note about it).
1 Like
→ Fixed (in Bridges entry)
Edit: 19 spam “issues” opened on phabricator the last 2 days.
Time to tighten up spam protection? All shit from Asia. Surely @fortasse can control that somewhat.
1 Like
Not renamed. Renaming packages is not very rewarding. Very low priority. Maybe for Whonix 15. Maybe by then Debian changed back to icedove so then waiting would be rewarding.
TO DO (reminder to self):
- Finish Advanced Security Guide edits (almost complete).
- Finally re-organize all (now edited) wiki entries as per ⚓ T141 reorganize 'Computer Security Education' vs 'Post Install Advice' vs 'Security Guide' vs 'Advanced Security Guide'
- Cherry-pick Tempest’s guide https://anonguide.cyberguerrilla.org/ for various parts of wiki - cut & paste job given he gave permission for us to do that (see forums). Probably useful:
** Parts of Chapter 3.
** Chapter 4c - Using a Password Manager.
** Chapter 4d - Using IRC and HexChat.
** Chapter 4f - Encrypted email with Icedove and Enigmail (also use https://securityinabox.org/en/guide/thunderbird/linux/ & previous forum discussion re: creating strong key-pair with reference to air-gapped ones for Jason Bourne acolytes) - Start github edits
- Finish edits of remaining untouched entries in “Modern Privacy Threats” & “Whonix Overview” (some are still very messy in terms of language, grammar, formatting, recency of information & structure).
- Move onto Section 6 (“Whonix Bugs”) of long wiki ToC and onwards.
1. I presume this advice (below) in Advanced Security Guide is still correct even though you combined GW and WS firewall code with commits recently?
Second Optional (Extra) Firewall
There is a Second, Optional, Extra Firewall for Whonix-Workstation, which is disabled by default. You find it inside Whonix-Workstation in /usr/bin/whonix_firewall.
Read the script comments and decide if you want to use it.
2. Re: Prevent torproject.org Connections
&
Prevent Downloading Whonix News
&
Prevent Running apt-get (by Whonixcheck)
&
Preventing Autostart (of whonix-check)
in the Advanced Security Guide.
What’s the security/anonymity benefit? We should mention it in a line or two.
Also, I presume the autostart prevention steps be completed in Whonix-Workstation only.
→ Done
torjunkie:
Isn’t this advice (below) in Advanced Security Guide superseded now because you combined GW and WS firewalls with commits recently?
So should we delete this part, or modify the wiki entry to point to where this optional firewall is actually going to be stored in future?
Second Optional (Extra) Firewall
There is a Second, Optional, Extra Firewall for Whonix-Workstation, which is disabled by default. You find it inside Whonix-Workstation in /usr/bin/whonix_firewall.
Read the script comments and decide if you want to use it.
Good point. Shall be after Whonix 14 release.
1 Like
In light of occasional malicious editing by trolls/bots on template pages, maybe it’s worth protecting all uncategorized templates in the first instance, and only allow editing by select staff i.e. those that are actually active with wiki edits in general e.g. TNTBoomBoom, Iry, HulaHoop, you, Entropy, Ego, me, etc.
Sign-in would be required to edit template pages only, and leave general wiki pages open as is.
I’m referring to -> special:uncategorizedtemplates
Or, if you don’t wanna do that, maybe consider protecting core templates e.g.
- those relating to Code
- those relating to color (e.g. BgGreenText etc)
- those relating to donations
- those relating to headers, footers etc.
- those relating to versioning
- etc.
I’ll suggest a re-organization of those security wiki entries as per phabricator ticket here (check everyone’s on board), and wait for final edits on Advanced Security guide to be signed off before I start moving that stuff around.
It’ll break a thousand links in the process, but so be it.
Also, as further above, if you let me know what is the actual point of “hardening Whonixcheck” (security/anonymity-wise - what’s the benefit?), I can reflect that in the advanced security guide also.
1 Like