updated the bitmessage page to inform readers that the bmg service at bitmessage.ch is terminated.
Reading thru whonix.org/wiki/KVM, there’s the note:
„Read and apply the [Pre-Installation Security Advice](whonix.org/wiki/Pre_Install_Advice)“ which leads to an outdated page, which links to another page, but the Pre-Installation isn’t there either. As you’ve already covered here that some pages are outdated, a new guide from tempest would come in handy and/or update the wiki here.
I can imagine that a separate wiki page from tempest would be a good thing, as he walks thru all necessary steps from scratch to finish - maybe especially for new users.
this will be coming. i’m converting chapters into wiki text at the moment.
https://www.whonix.org/w/index.php?title=E-Mail&oldid=53928&diff=cur what do you think? @HulaHoop
Also not sure we should go into privacy by policy based advice anyhow. Previous (existing point):
Due to the US PATRIOT Act (especially p. 215ff) and the fourth amendment to the FISA Amendments Act it is possible for US authorities to eavesdrop on the communication of non US citizens without a warrant. According to the US authorities it is enough that the servers are located in the US.
Lots of countries have similar programs. It might be hard to find any that don’t have these. Seems pretty difficult to keep track and reason about since there are ~ 200 countries and hard to keep track of each of these.
The fourteen eyes are irrelevant. Just because those governments share data with each other, doesn’t mean they’re going to force the email provider to.
I think it’s worthless advice and we must only recommend things on a technical basis and assume if surveillance is possible then it is happening.
Offtopic: Is there a better looking vector icon for Thunderbird we can use? This one is absolutely hideous.
OK. Edit rejected and other non-technical advice removed:
FAQ was rebooted yet again.
Link to FAQ is now prominent on top of Whonix front page https://www.whonix.org
Wifi encryption is beyond fucked. https://www.schneier.com/blog/archives/2020/03/wi-fi_chip_vuln.html
Where do I add this reference?
That’s for specific hardware and patches have already been released. Users just need to update.
Problem is, most of the vulnerable devices will never receive an update nor will they be upgradable even if they do. Better to let people assume this is the case and behave accordingly.
From the article you linked:
Manufacturers have made patches available for most or all of the affected devices, but it’s not clear how many devices have installed the patches.
The only issue is users not installing them.
If you read the original post by Schneier he says what I’ve quoted.
When was the last time you saw a 3 or 4 year old phone get an update?
If you’re using EoL devices, this is one of the last things you should be worried about.
Even if you use an aftermarket ROM the wifi drivers are usually closed blobs that never get updated by the manufacturer.
Custom ROMs can’t apply security patches to EoL devices either. The patches don’t exist in the first place.
Unless you’re talking about the community creating their own patches, which is very unlikely and isn’t the same as experts at Google making the patches.
Custom ROMs themselves are a massive security issue too. The majority of them ruin the security model by using userdebug builds, disabling SELinux, disabling verified boot, requiring an unlocked bootloader etc.
I am not discussing a perfect world where everybody (including large enterprises) throws out their devices every couple of years, but the situation as it is now and will remain. Obsolete embedded devices and phones will stick around for much longer than the planned obsolescence model has planned because it’s costly.
In this type of world wifi vulns will remain unpatched for a long time. Never mind the faulty IEEE standards or half-baked fixes for KRACK.
I’m not discussing that either. These vulnerabilities just aren’t anything major to be worried about in comparison to the other massive issues with EoL devices and if you aren’t using an EoL device, you can update to fix it. I don’t see why this would deserve a wiki mention.