The premise is wrong. Not useful to start with the premise that this came never to mind.
So the mini history of Whonix:
- It was difficult to have a VM that anonymizes all traffic, reliably redirects runs all traffic over Tor. Instructions were ambiguous, difficult.
- I started to research, document that, others joined, a script was written and now downloadable images are being provided.
- This is was resolved.
- Other anonymity and security improvements are being worked on.
But what’s happening now some people are requesting to be able to run malicious, locally compromised software and still have no useful information such as what operating system (such as Qubes) is being used inside that VM. That’s a reasonable request, reasonable development goal. Nobody going to argue against “make thing better”. But also totally different ball game.
Many of underlying components that Whonix is based on that to name a few, Debian, a virtualizer, the Linux kernel aren’t primarily projects focused on security, privacy, let alone anonymity. These are independent Open Source / Freedom Software projects with thousands of users. These are not part of a company where I am the CEO where I could order them to change things.
In case of Qubes-Whonix, the virtualizer is Xen. And Qubes is a distribution of Xen. The local VM fingerprinting issues are inherited from Debian, Xen, Qubes. This is not something that realistically ever can be fixed by Whonix because that would cost literally millions of USD to fix these issues at the root. And there’s no market of that size and/or business model for that either. At least I didn’t figure that out.
Computers are notoriously insecure, see:
You already have better protection by using a VM instead of lets say a Windows host were applications can read unique hardware identifiers. See:
The issue of locally running malicious software reading identifiers, for example Linking two or more locally compromised Virtual Machines (VMs) to the same pseudonym, is a known issue see:
Also related:
Organizational structure:
I can document these imperfections and hopefully motivate others to work on them but that’s it. I cannot possibly solve them all by myself.
On telegram specifically:
related:
Realistically, no. At least nobody on the internet I am aware is explaining how to do that.
But I see an issue creating the impression that is an issue that Whonix ought to fix or can fix.
Maybe the way to frame it…
- Qubes is security focused VMs.
- Kicksecure is a security-focused OS.
- Whonix is a research and implementation project for network level privacy. It will also incorporate security improvements (Qubes, Kicksecure).
- There is no privacy focused virtualizer project or fork of Xen or Qubes.