Long Wiki Edits Thread

it has not changed at the moment, @torjunkie. if it does, i’ll handle the wiki edits.

1 Like

https://www.whonix.org/wiki/Host_Operating_System_Selection#Windows_Hosts

I think they’re all removed from main ToC.

I was just hoping for a clean execution of those pages. Dev pages etc wouldn’t reference them much (?) anyway. Then any red links are easily located and fixed via broken links function on wiki I believe.

This footnote:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-APT-Repository#cite_note-1

Perhaps my text further up can go into the “testers” wiki page in Introduction section on why we need testers etc.

(that page badly needs a revamp - will get to that later on after links maybe)

Other nit:

  • That setting Tor Browser pre-pended with firejail didn’t work for me. Must be set in the templateVM? I thought that .d location in anon-whonix was persistent, but probably wrong. (should be noted in that section one way or another)

  • Why do we have AppArmor enforcement examples for anon-whonix, when settings are inherited from TemplateVMs anyway? Someone who only wants a session of AppArmor due to possible conflicts or other reason?

  • Passwords page - without researching it, I thought from memory computers / software weren’t to be trusted for password generation due to possible exhausted entropy pools or similar shit. That is the basic idea to go with dice, and leave the fancy computer stuff off the table in general for safety.

(I’m sure you have some good reference or idea one way or the other. Let’s not leave these TODOs lying around unnecessarily if they are easily answered or footnoted)

Please also check my edits on guard fingerprinting to address what you and adw raised.

These may be referenced tons of times in the forums / on external websites. We could/should __NOINDEX__ these pages to hide outdated location from search engine results so the new docs locations get picked up by search engines. It’s not critical but good to have.

Btw would it help if you had access to wiki mass search and replace?

Yes.

  • In TemplateVM: /etc/torbrowser.d/50_user.conf
    or
  • In TemplateBasedVM: /rw/config/torbrowser.d/50_user.conf; do

set

tb_starter_bin_pre=something...

To debug:

bash -x torbrowser

It’s only inherited if TemplateBasedVM is created after TemplateVM had the setting by the time of the creation of the TemplateBasedVM. This leaves a gap for users who do it later.

Reinhold writes a bit about physical dice not being perfect either. Casino-grade dice might be better.

But if one orders one after regarding or as a security enthusiast how to make sure not getting delivered a tainted dice?

For best security mix dice with casino grade dice with computer?

Please add if you like.

If that was the case we could trash https, gnupg, ssh, Tor, etc. - these all depend on entropy. On the subject of running out of entropy:

From Myths about /dev/urandom - Thomas' Digital Garden (good read) I found D. J. Bernstein Fri, 16 Aug 2013 17:31:59 -0700 - Re: [cryptography] urandom vs random Quote:

Think about this for a moment: whoever wrote the /dev/random
manual page seems to simultaneously believe that

(1) we can’t figure out how to deterministically expand one 256-bit
/dev/random output into an endless stream of unpredictable keys
(this is what we need from urandom), but

(2) we can figure out how to use a single key to safely encrypt
many messages (this is what we need from SSL, PGP, etc.).

For a cryptographer this doesn’t even pass the laugh test.

Sure thing, very happy to!

That was totally off my radar. Thanks for reminding me. Guess I’ll search upwards in this thread here to find it.

1 Like

Can’t find. Please remind me. Permission error - Whonix is empty.

1 Like

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Template:Persistent_Tor_Entry_Guards_Introduction

@adw (hopefully good now)

1 Like

OK - makes sense.

Maybe, if I need later I’ll ask. Manual changes pick up lots of other issues at the same time.

Fixed.

OK.

Thanks. Will fix sooner or later. :slight_smile:

1 Like

(Nothing to confirm edit. That version is already live. Login required - Whonix Please let me know if I missed any edits to confirm.)

The edit looks good.

An advanced adversary has conducted traffic analysis and successfully used guard discovery techniques to discover the user’s entry point to the Tor network.

Whonix and Tor Limitations is about onions, not Tor client only users. No Whonix and Tor Limitations to link a home internet connection registered at a residential address on someone’s real name to a Tor entry guard. Default Tor traffic (not hidden in any way Hide Tor use from the Internet Service Provider) is easily distinguished from other traffic by the ISP. The list of Tor entry guard IPs is public. Therefore Whonix and Tor Limitations is unrelated.

Whonix and Tor Limitations as defined in that link is also not required. The only part from Whonix and Tor Limitations that is required is Observing the client-to-guard-node network path.. That’s it.

If the user posts about the event and an adversary who is monitoring network traffic conducts a successful guard discovery attack

guard discovery attack is again not required here. (No onions required.) (This is passive traffic logging only.)

1 Like

Mass search and replace idea:

whonix-ws-14 -> whonix-ws (this is just temporary)

whonix-ws -> {{whonix-ws}} (making it a wiki template)

Template:whonix-ws:

whonix-ws-14

Same for Whonix-Gateway.

Thanks. Edit fixed based on passive observation only.

Sounds good.

1 Like

Is package anon-workstation-extra-applications useful?

Package: anon-workstation-extra-applications
Architecture: all
Depends: ${misc:Depends}
Recommends: anon-workstation-packages-recommended,
 anon-workstation-default-applications, shutter,
 gtk-recordmydesktop, libreoffice, kdenlive, kolourpaint4
Description: Complements anon-workstation-default-applications
 A metapackage, which installs extra applications, to complement the
 default applications.
 .
 Does not get installed by default, because extra applications
 take too much space and are not required for everyone.

It was never documented. How could it be if I never let anyone know. :slight_smile:
sudo apt-get install anon-workstation-extra-applications could result in installing shutter, gtk-recordmydesktop, libreoffice, kdenlive, kolourpaint4. Does that sound useful? If not, I’d rather remove that from Whonix source code for simplification.

1 Like

I’ve been working on instructions that use APT-conf to sort out the dependency problem when installing debian-package electrum 3.1.3

1. In APT-conf create a new file named 99defaultrelease

sudo nano /etc/apt/apt.conf.d/99defaultrelease

Add the following text.

APT::Default-Release "stretch";

Save and exit.

2. Add the current Debian testing codename buster to sources.list

sudo su -c "echo -e 'deb tor+http://vwakviie2ienjx6t.onion/debian buster main' > /etc/apt/sources.list.d/testing.list"

3. Update the package lists.

sudo apt-get update

4. Install electrum from Debian testing.

sudo apt-get install electrum

Note: since electrum is not available in the stable repository, no target is necessary when installing, i.e. -t buster install electrum. The package is installed from the testing repository: electrum 3.1.3

Also, most of the documentation states that APT-conf should have:

APT::Default-Release "stable";

not

APT::Default-Release "stretch";

More testing is needed but I wanted to ask if I was heading in the right direction with this?

https://wiki.debian.org/AptConf

2 Likes

Nit: How come that file name 99defaultrelease? High number yes but maximum is bad since it can never be overruled.

Yes, stretch.

Indeed. Minor: When we make this a wiki template however it may be easier to just add -t buster.

We at Whonix don’t control what stable points to. Debian does. And when Debian does this can break things. Happened in past with electrum and our apt pinning template. So better leave it at specific codename stretch rather than generic codename stable.

If it works why not.

1 Like
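The file-name ordering and the stretch versus stable point discussed above can be checked mechanically. The following is an added example, not code from the thread or from Whonix: it models how fragments in a directory such as /etc/apt/apt.conf.d are read in ascending name order with later ones overriding earlier ones, and flags a value that is a moving suite alias. The function names `effective_default_release` and `is_suite_alias` and the sample fragments are hypothetical, and the parser assumes one statement per line.

```shell
#!/bin/sh
# Added example (not from the thread). Simplified model of APT's config
# parsing: one 'APT::Default-Release "value";' statement per line, no scopes.

# Print the effective APT::Default-Release for fragment directory $1.
# Fragments are read in ascending name order and a later one overrides an
# earlier one. The ( ) body runs in a subshell, so LC_ALL does not leak.
effective_default_release() (
    LC_ALL=C    # plain byte order for the glob and the bracket ranges
    value=""
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *[!A-Za-z0-9._-]*) continue ;;  # other characters: fragment ignored
            *.conf) ;;                      # .conf extension is read
            *.*) continue ;;                # any other extension is ignored
        esac
        v=$(sed -n 's/^[[:space:]]*APT::Default-Release[[:space:]]*"\([^"]*\)"[[:space:]]*;.*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
)

# Succeed when $1 is a moving suite alias rather than a fixed codename.
is_suite_alias() {
    case $1 in
        stable|oldstable|testing|unstable) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample fragments in a scratch directory (not a real system).
demo=$(mktemp -d)
printf 'APT::Default-Release "stable";\n'  > "$demo/50local"
printf 'APT::Default-Release "stretch";\n' > "$demo/99defaultrelease"
printf 'APT::Default-Release "buster";\n'  > "$demo/99defaultrelease.bak"

rel=$(effective_default_release "$demo")
echo "effective Default-Release: $rel"
if is_suite_alias "$rel"; then
    echo "warning: '$rel' is a suite alias and moves at the next Debian release"
fi
```

On a live system, `apt-config dump` prints the configuration APT itself resolved, which is the authoritative check.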

Maybe ask in support forum if they think it’s useful?

PS Do you have “current sources” info listed somewhere for build documentation? Doesn’t appear in Whonix 14 build documentation.

This idea is linked in a couple of areas where I’ve been editing, but I couldn’t find it (so just changed to Dev/Build/Whonix14 documentation in general instead).

Looks good @0brand.

PS The 4 images you uploaded when doing Multiple Whonix-Workstations or similar edits were never embedded in the relevant pages?

Simple as (without options):

[[File:Whonix concept refined.jpg]]

PPS Those leak tests x2 still need to be sorted. I may get to it this week, as they are the only 2 old pics left in that section (OCD and all that… :grinning:)

1 Like

@Patrick

This page needs your technical know-how i.e.

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Gateway_Security_Hardening

  1. Is it generally up-to-date for Whonix 14 i.e. these commands will work?
  2. Whonix 13-only instructions:

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Gateway_Security_Hardening#Deactivate_CPFP

  3. Easy TODO Fix?

Make sure sdwdate-gui is always present in systray. TODO: describe better how to achieve that.

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Gateway_Security_Hardening#Non-Qubes-Whonix

  4. sdwdate-plugin-anon-shared-con-check is no longer relevant? That GitHub link 404s…

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix-Gateway_Security_Hardening#Deactivate_sdwdate-plugin-anon-shared-con-check

1 Like

I think it was 3 screenshots. I deleted the first one. Image was not clear enough.

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/updated-screenshots-images-thread/5371/11

I embedded one:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Qubes/Create_Gateway_ProxyVMs

Still have to create a template for the other two snapshots: “Qubes/Clone TemplateVM”

I’ll try and get the leak tests done later today :wink:

Edit:

Updated screenshots are needed for Verify the virtual machine images using Linux. The KGpg pics are causing confusion.

As per this post:

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/key-import-key-fingerprint-doesnt-match/5709

I’ll see about these screenshots when I work on leak tests x2.

Edit: Having problems installing flash in Whonix / Tor Browser. May have to install in a Debian VM with sys-whonix as NetVM

2 Likes

Never mind. If the doc writers’ first reaction is not screaming “yay” I am happy to remove it. :slight_smile:

Always current sources atm. Frozen sources deprecated.

https://www.whonix.org/wiki/Template:Build_Documentation_CurrentSources

1 Like

All addressed.

1 Like

Whonix-Gateway Security Hardening - Whonix applies to both gw and ws. Moved here: Network Time Synchronization - Whonix

Haven’t been able to install flashplugin-nonfree. It’s only available in Debian sid and jessie.

https://packages.debian.org/sid/flashplugin-nonfree

Tried manual installation and it still does not function when enabling in about:prefs.

https://wiki.debian.org/FlashPlayer/

1 Like

Thanks. I nitpicked some of those changes.

It says the opposite in that page? Just needs an update?

Build Documentation CurrentSources

DEPRECATED!

OPTIONAL!

Advanced users can install from Current Sources (custom) instead of from Frozen Sources (the Whonix default since version 7.4.0). Both options have security advantages and disadvantages.

Also, Network Time Synchronization issues →

Does sdwdate run on only Whonix-Gateway or both WS and GW?

Needs clarification for user actions in this page:

  1. http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Network_Time_Synchronization#All_Whonix_Users

We say:

Edit /etc/whonix_firewall.d/50_user.conf

Where? e.g. TemplateVMs / AppVMs (Qubes) / Both Whonix-WS and Whonix-GW?

  2. http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Network_Time_Synchronization#Qubes-Whonix

We say:

Edit /usr/lib/sdwdate-gui/start-maybe

Where? e.g. TemplateVMs / AppVMs / Both (?) Whonix-WS and Whonix-GW?

1 Like