[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

Long Wiki Edits Thread

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Template:Persistent_Tor_Entry_Guards_Introduction

@adw (hopefully good now)

1 Like

OK - makes sense.

Maybe, if I need later I’ll ask. Manual changes picks up lots of other issues at the same time.

Fixed.

OK.

Thanks. Will fix sooner or later. :slight_smile:

1 Like

(Nothing to confirm edit. That version is already live. https://www.whonix.org/wiki/Special:WhatLinksHere/Template:Persistent_Tor_Entry_Guards_Introduction Please let me know if I missed any edits to confirm.)

The edit looks good.

An advanced adversary has conducted traffic analysis and successfully used guard discovery techniques to discover the user’s entry point to the Tor network.

https://www.whonix.org/wiki/Warning#Guard_Discovery is about onions, not Tor client only users. No https://www.whonix.org/wiki/Warning#Guard_Discovery to link a home internet connection registered at a residential address on someone’s real name to a Tor entry guard. Default Tor traffic (not hidden in any way https://www.whonix.org/wiki/Hide_Tor_and_Whonix_from_your_ISP) is easily distinguished from other traffic by the ISP. The list of Tor entry guard IPs is public. Therefore https://www.whonix.org/wiki/Warning#Guard_Discovery is unrelated.

https://www.whonix.org/wiki/Warning#Traffic_Analysis as defined in that link is also not required. The only part from https://www.whonix.org/wiki/Warning#Traffic_Analysis that is required is Observing the client-to-guard-node network path.. That’s it.

If the user posts about the event and an adversary who is monitoring network traffic conducts a successful guard discovery attack

guard discovery attack is again not required here. (No onions required.) (This is passive traffic logging only.)

1 Like

Mass search and replace idea:

whonix-ws-14 -> whonix-ws (this is just temporary)

whonix-ws -> {{whonix-ws}} (making it a wiki template)

Template:whonix-ws:

whonix-ws-14

Same for Whonix-Gateway.

Thanks. Edit fixed based on passive observation only.

Sounds good.

1 Like

Is package anon-workstation-extra-applications useful?

Package: anon-workstation-extra-applications
Architecture: all
Depends: ${misc:Depends}
Recommends: anon-workstation-packages-recommended,
 anon-workstation-default-applications, shutter,
 gtk-recordmydesktop, libreoffice, kdenlive, kolourpaint4
Description: Complements anon-workstation-default-applications
 A metapackage, which installs extra applications, to complement the
 default applications.
 .
 Does not get installed by default, because extra applications
 take too much space and are not required for everyone.

It was never documented. How could it be if I never let anyone know. :slight_smile:
sudo apt-get install anon-workstation-extra-applications could result in installing shutter, gtk-recordmydesktop, libreoffice, kdenlive, kolourpaint4. Does that sound useful? If not, I’d rather remove that from Whonix source code for simplification.

1 Like

I’ve been working on instructions that use APT-conf to sort out the dependency problem when installing debian-package electrum 3.1.3

1. In APT-conf create a new file named 99defaultrelease

sudo nano /etc/apt/apt.conf.d/99defaultrelease

Add the following text.

APT::Default-Release "stretch";

Save and exit.

2 Add the current Debian testing codename buster to sources.list

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian buster main' > /etc/apt/sources.list.d/testing.list"

3. Update the package lists.

sudo apt-get update

4. Install electum from debian testing.

sudo apt-get install electrum

Note: since electum is not available in the stable repository no target in necessary when insalling i.e. -t buster install electrum. The package is installed from testing repository: electrum 3.1.3

Also, most of the documentation states that APT-conf should have:

APT::Default-Release "stable";

not

APT::Default-Release “stretch”;

More testing is need but I wanted to ask if I was heading in the right direction with this?

https://wiki.debian.org/AptConf

2 Likes

Nit: How come that file name 99defaultrelease? High number yes but maximum is bad since it can never be overruled.

Yes, stretch.

Indeed. Minor: When we make this a wiki template however it may be easier to just add -t buster.

We at Whonix don’t control what stable points to. Debian does. And when Debian does this can break things. Happened in past with electrum and our apt pinning template. So better leave it at specific codename stretch rather than generic codename stable.

If it works why not.

1 Like

Maybe ask in support forum if they think its useful?

PS Do you have “current sources” info listed somewhere for build documentation? Doesn’t appear in Whonix 14 build documentation.

This idea is linked in a couple of areas where I’ve been editing, but I couldn’t find it (so just changed to Dev/Build/Whonix14 documentation in general instead).

Looks good @0brand.

PS The 4 images you uploaded when doing Multiple Whonix-Workstations or similar edits were never embedded in the relevant pages?

Simple as (without options):

[[File:Whonix concept refined.jpg]]

PPS Those leak tests x2 still need to be sorted. I may get to it this week, as they are the only 2 old pics left in that section (OCD and all that… :grinning:)

1 Like

@Patrick

This page needs your technical know-how i.e.

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Gateway_Security_Hardening

  1. Is it generally up-to-date for Whonix 14 i.e. these commands will work?
  2. Whonix 13-only instructions:

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Gateway_Security_Hardening#Deactivate_CPFP

  1. Easy TODO Fix?

Make sure sdwdate-gui is always present in systray. TODO: describe better how to achieve that.

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Gateway_Security_Hardening#Non-Qubes-Whonix

  1. sdwdate-plugin-anon-shared-con-check is no longer relevant? That GitHub link 404s…

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Gateway_Security_Hardening#Deactivate_sdwdate-plugin-anon-shared-con-check

1 Like

I think it 3 screenshots. I deleted the first one. Image was not clear enough.

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/updated-screenshots-images-thread/5371/11

I embedded one:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Qubes/Create_Gateway_ProxyVMs

Still have to create a template for the other two snapshots: “Qubes/Clone TemplateVM”

I’ll try and get the leak tests done later today :wink:

Edit:

Updated shreenshots are needed for Verify the virtual maching imagaes using Linux . The KGpg pics are causing confusion.

As per this post:

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/key-import-key-fingerprint-doesnt-match/5709

I’ll see about these screenshots when I work on leak testx2 .

Edit: Having problems installing flash in Whonix / Tor Browser. May have to install in a Debian VM with sys-whonix as NetVM

2 Likes

Never mind. If the doc writers first reaction is not screaming “yay” I am happy to remove it. :slight_smile:

Always current sources atm. Frozen sources deprecated.

https://www.whonix.org/wiki/Template:Build_Documentation_CurrentSources

1 Like

All addressed.

1 Like

https://www.whonix.org/wiki/Whonix-Gateway_Security_Hardening#Block_Networking_until_sdwdate_Finishes applies to both gw and ws. Moved here: https://www.whonix.org/wiki/Network_Time_Synchronization#Block_Networking_until_sdwdate_Finishes

Haven’t been able to install flashplugin-nonfree. Its only available in debian sid and jesse.

https://packages.debian.org/sid/flashplugin-nonfree

Tried manually installation and still does not function when enabling in about:prefs.

https://wiki.debian.org/FlashPlayer/

1 Like

Thanks. I nitpicked some of those changes.

It says the opposite in that page? Just needs an update?

Build Documentation CurrentSources

DEPRECATED!

OPTIONAL!

Advanced users can install from Current Sources (custom) instead of from Frozen Sources (the Whonix default since version 7.4.0). Both options have security advantages and disadvantages.

Also, Network Time Synchronization issues ->

Does sdwdate runs on only Whonix-Gateway or both WS and GW?

Needs clarification for user actions in this page:

  1. http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Network_Time_Synchronization#All_Whonix_Users

We say:

Edit /etc/whonix_firewall.d/50_user.conf

Where? e.g. TemplateVMs / AppVMs (Qubes) / Both Whonix-WS and Whonix-GW?

  1. http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Network_Time_Synchronization#Qubes-Whonix

We say:

Edit /usr/lib/sdwdate-gui/start-maybe

Where? e.g. TemplateVMs / AppVMs / Both (?) Whonix-WS and Whonix-GW?

1 Like

Ha. Thanks for trying. There is always the option of cloning a template, ramming a sid flash player turd down its throat from unstable repos, destabilizing the clone and eventual AppVM, just to force the issue. :laughing: Depends how bad we want it…

2 Likes

Should have mentioned. I tried that to. (unstable) :stuck_out_tongue_winking_eye:

I can keep trying. There has to be a way

2 Likes

Since you’ll delete the template and appVMs anyway, you could try either:

a) The really unsafe method.
b) The just-as-insecure method.

A)

Download the tar.gz directly from Adobe https://get.adobe.com/flashplayer/

Then apparently this will work:

https://unix.stackexchange.com/questions/391467/how-to-install-flash-on-debian-stretch

  • As root, extract the downloaded archive and copy libflashplayer.so to /usr/lib/flashplugin-nonfree

  • Fix the file’s ownership and permissions:

chmod 644 /usr/lib/flashplugin-nonfree/libflashplayer.so
chown root:root /usr/lib/flashplugin-nonfree/libflashplayer.so

  • If necessary, install the alternative so Firefox will find the plug-in. If:

update-alternatives --list flash-mozilla.so

returns /usr/lib/flashplugin-nonfree/libflashplayer.so, it’s set up correctly (this would be the case if you had the plug-in working in the past), but if it doesn’t, you need to run

update-alternatives --quiet --install /usr/lib/mozilla/plugins/flash-mozilla.so flash-mozilla.so /usr/lib/flashplugin-nonfree/libflashplayer.so 50

Running random commands off stackexchange. What could go wrong. But that 2012 flash leak test just burns so bad :wink:

B)

Probably marginally safer:

https://wiki.debian.org/FlashPlayer/

Debian 9 Stretch

  1. Download the latest Adobe Flash Player for Linux from https://get.adobe.com/flashplayer/

    On 64bit systems, it should be: flash_player_npapi_linux.x86_64.tar.gz
    On 32bit systems, it should be: flash_player_npapi_linux.i386.tar.gz

Alternatively, you can download it from: https://get.adobe.com/flashplayer/otherversions/

  1. Unpack the tar.gz file: tar -xzf flash_player_npapi_linux*.tar.gz

  2. Identify the location of the browser plugins directory, based on your Linux distribution and Firefox version:

Example: Debian 9 Stretch + Firefox 52.4.0 (64-Bit): /usr/lib/mozilla/plugins/

Example: Debian 9 Stretch + Firefox 62+ (64-Bit): ~/.mozilla/plugins/

Please note you may have to create this directory if it does not exist

  1. Copy libflashplayer.so to the appropriate browser plugins directory: sudo cp libflashplayer.so

Example: sudo cp libflashplayer.so /usr/lib/mozilla/plugins/

  1. Copy the Flash Player Local Settings configurations files to the /usr directory: sudo cp -r usr/* /usr

  2. Restart Firefox.

Or maybe easiest, since you don’t care about an unstable Template etc for testing, just use apt -t option to set testing repo and force install.

https://www.debian.org/doc/manuals/debian-handbook/sect.apt-get.en.html

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]