[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Suggestions for Whonix Host

These are suggestions copied verbatim from a user on Tails mailing list and they might be very relevant to the scope of a host distro also whonix VMs:

  1. Please turn off camera and microphone by default.

  2. MAC address 10:62:E5:… is very unique. Government, Administrator, Network Controller, ISP and others will know that you are using Tails from very unique MAC address especially in censorship-surveillance-nonfree society/city/state/territory/country and they will force Tails user.

  3. Please have tool for clear clipboard automatically. Example auto clear after 10 seconds.

  4. Please auto login to persistent volume after user type a password and press enter no need to click anymore.

2 Likes

Please turn off camera and microphone by default.

Instructions to blacklist the modules are here https://www.whonix.org/wiki/Hardware_Threat_Minimization

MAC address 10:62:E5:… is very unique. Government, Administrator, Network Controller, ISP and others will know that you are using Tails from very unique MAC address especially in censorship-surveillance-nonfree society/city/state/territory/country and they will force Tails user.

You can’t tell a Tails user from their MAC address anyway.

MAC address randomization is important though. Just make sure not to randomize the OUI as it can make you stand out if you choose an OUI nobody has ever used before.

3 Likes

With Debian now supporting Secure boot out of the box, would something like that make sense for Whonix Host?
Maybe something along the lines of: Whonix devs sign the grub efi package with their own keys and maybe for the users who may not know, a small “Readme” or something that outlines for them the process of removing pre-installed keys, and generating their own? Maybe a tool like efitools or something…Not a requirement, maybe for those who are already using FDE on Whonix Host and would like to take security a step further. If /boot is already on encrypted root, the initramfs and kernels would be protected so the boot process would be one of the few things left that could be hardened

Nothing set in stone; this is just an idea that I thought I would share

Secure Boot is being discussed here:

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]