Survey: How to make Whonix really user friendly? Looking for your suggestions!

Future Directions – Where Whonix wants to be in 2 or 5 years?

Do we want Whonix to be for average users or just for those with unix knowledge?

Whonix is a useful tool for some already, got many fans. How can we make Whonix really user friendly to allow mass adaption by regular people who need anonymity most?

It seems, Whonix limits itself by its two machines design. It’s not exactly simple and user friendly to say “you first need to get VirtualBox, then import these two VMs, then start Whonix-Gateway, then start Whonix-Workstation or use physical isolation”. How could that be improved while keeping Whonix’s design?

In the last days many had great ideas. One was to create a hardware appliance. Whonix running as physically isolated gateway running on devices such as Raspberry PI or OpenWRT or creating a Tor WiFi Hotspot (a WiFi hotspot once using it, torifying the whole connection). The issue is, having a “route everything through Tor” approach alone doesn’t make it anymore nowadays. If someone would run their usual applications, such as their Firefox or Internet Explorer browser they used for non-anonymous stuff beforehand over Tor, they wouldn’t be anonymous at all due to (flash) cookies, browser fingerprinting and so forth. Saying “plug this hardware appliance between your router and your computer AND install this client package” also doesn’t sound exactly simple.

Another idea was to create a Whonix Live DVD. But even if we managed to create one, it would still be clumsy to say “you have to burn this iso to DVD, then boot it, then start Whonix-Gateway, then start Whonix-Workstation”.

Jason Ayala suggested to create a Whonix USB installer. It would still be clumsy (as above), but installing Whonix would get simpler and more encouraging to use a non-Windows, separate operating system. We then would have to support lots of different hardware, but additional support by funding this would be possible. Users still would have to figure out how to boot from USB, which is not entirely trivial due to different BIOS implementations. Also “secure boot” won’t make this simpler.

Cerberus raised the idea to make Whonix fully managed. Perhaps he meant to enable automatic updates for the host, Whonix-Gateway and Whonix-Workstation. Whonix-Gateway could then be fully managed and hidden from non-advanced users. However, there are some settings that need to be set up on Whonix-Gateway, such as settings for Tor bridges. Maybe a Whonix-Host operating system could ssh into Whonix-Gateway to manage it.

Or maybe while we’re at discussing a Whonix-Host operating system, we should revive the OneVM concept? In essence, we’re shipping Whonix-Gateway as VM package, because it is a simpler and more robust implementation to support a variety of different host operating systems and configurations. As long as Whonix doesn’t provide a host operating system, the two VM solution is more robust. But if Whonix enters the next stage of evolution, i.e. by shipping a host operating system, the OneVM concept may work better.

The idea to add Whonix to the usual app stores, such as Windows / Mac app store as well as “sudo apt-get install whonix” has been raised as well. This wouldn’t make Whonix less clumsy (still two VMs), but it would make installation simpler and more secure.

In summary, we’re not sure yet where the journey should go to. We’d appreciate the input of the community. Please share ideas on how Whonix could become really usable while not sacrificing security.

On the desktop of NSA sys admins :stuck_out_tongue:

That design is the reason why most people think Whonix is complicated IMO.

I see this as a side branch. Getting a separate device, hacking/flashing/programming would not be perceived as simple.

[quote]Or maybe while we’re at discussing a Whonix-Host operating system, we should revive the OneVM concept? In essence, we’re shipping Whonix-Gateway as VM package, because it is a simpler and more robust implementation to support a variety of different host operating systems and configurations. As long as Whonix doesn’t provide a host operating system, the two VM solution is more robust. But if Whonix enters the next stage of evolution, i.e. by shipping a host operating system, the OneVM concept may work better.[/quote]

OneVM+OS, sounds very interesting. I like this version best.

[quote]The idea to add Whonix to the usual app stores, such as Windows / Mac app store as well as “sudo apt-get install whonix” has been raised as well. This wouldn’t make Whonix less clumsy (still two VMs), but it would make installation simpler and more secure.[/quote]

This would download two (GW & WS) .ova files?

[quote]I see this as a side branch. Getting a separate device, hacking/flashing/programming would not be perceived as simple.[/quote]
Yes, doesn't sound simple. Even if you could buy such a device, probably not many would enjoy that either.

[quote]This would download two (GW & WS) .ova files?[/quote]
Yes.

[quote]Cerberus raised the idea to make Whonix fully managed. Perhaps he meant to enable automatic updates for the host, Whonix-Gateway and Whonix-Workstation. Whonix-Gateway could then be fully managed and hidden from non-advanced users. However, there are some settings that need to be set up on Whonix-Gateway, such as settings for Tor bridges. Maybe a Whonix-Host operating system could ssh into Whonix-Gateway to manage it.[/quote]
Not what I meant. Will get back to this.

the biggest step to making it more user friendly would be a more unified “click and run” install process. perhaps build a minimal host iso which already has virtualbox and the gateway and workstation installed on it. the confusion regarding the multiple virtual machines could possibly be avoided by having both start on host boot. how in depth one wants to get with building an installer (such as throwing in an option to encrypt the host drive) could be left up to discussion.

for the advanced or non-novice users, leave the option to install the gateway and workstation vm as it is now.

I really like using VMs, since I can…

  • Run multiple simultaneous systems
  • Achieve greater isolation between apps/data/tasks
  • Share data between VMs when need be
  • Move VMs around between machines
  • Pool underlying hardware resources for multiple VMs
  • Easily take multiple VM configuration snapshots
  • Have novice users get in the game without wiping out their existing OS platform

VM usage could still be done without Whonix being prepackaged into .ova VM images though.

I agree that the 2 (Whonix) + 1 (VirtualBox) package install format is an ease of usability and intimidation/confusion barrier for average users.

Ideally, it could be a 1 single package install format, no matter what OS or lack of VM programs are on their machine.

I think, although maybe I’m biased, that advanced users are going to want more modular control over how they implement Whonix on their machine, like how a VM provides.

So, for average users, a 1 single integrated package format would be ideal.

For advanced users, a versatile base OS image would be more ideal.

For advanced users, it would be somewhat nicer if Whonix could pare down its 2 OS images into 1 single OS image. But, I believe in the Tor vs. Apps isolation concept, so I wouldn’t want to sacrifice that principle just to pare down the 2 OS images to 1.

For average users, to achieve an ideal 1 single integrated package format, such as just simply downloading and running Whonix.exe on Windows… it seems doable with some custom programming, to package the infrastructural concepts of VM isolation into a single container program. Not sure about the best way to make that concept practical and feasible from a project management perspective though. Maybe forking the code of an open source VM platform and then transparently building Whonix into it as a single executable package? Dunno. Just thinking here.

Qemu or virt-manager images, PLEASE! For those of us using 100% free distributions, Virtualbox is not an option. Until that changes, Whonix is not an option for me, no matter how much I appreciate the design.

You’re welcome to join our efforts. KVM support is halfway done.

However, I think using Whonix with KVM will be more difficult than Whonix with VirtualBox due to issues in KVM. (At least not until we create a Whonix installer.) (KVM does not have a VM import feature.)

Great suggestions so far! Keep it coming!

I like the idea of having an installer iso. We could reuse Debian’s usual installer.

We could also automatically start a Whonix-Workstation VM. Even in full screen. But I guess it would be confusing. Because when users attach an additional, the host will be responsible for it. Unless we somehow manage to automatically attach devices to the VM.

And updates on the host? Should go automatic?

Will it be possible to completely hide the host from average users? Is this a good idea?

Advanced users should be able to leave the VM, so they can fire up additional VMs and switch between those.

Then the question would also be, if the host should have a graphical user interface at all. Most likely one will be required. Probably there is no graphical virtualizer that can start without X?

Yes.

I am not a developer, sorry.

[quote=“virt-user, post:10, topic:204”][quote author=Patrick link=topic=215.msg1385#msg1385 date=1396024157]
You’re welcome to join our efforts. KVM support is halfway done.
[/quote]

I am not a developer, sorry.[/quote]
We’re not developers either. We do read man pages, search engines, ask on irc, etc.

Virtual Box images for Gateway and Workstation

  • Low to High Security
  • Medium Difficulty
  • Allows Custom Host

Installer ISO for Physical Isolation Gateway (x86, ARM)

  • High Security (of Gateway)
  • Medium to High Difficulty
  • Can be combined with other options

KVM/QEMU images

  • Medium to High Security
  • Stallman Approved
  • High difficulty
  • Allows Custom (GNU/Linux) Host

Whonix Live/Installer CD/USB

  • High Security
  • Medium Difficulty
  • Whonix team has full control over the experience

Windows/Mac Installer

  • Low to Medium Security
  • Low to Medium Difficulty
  • Major Unknown Issues

(Fedora) Whonix Workstation and Gateway HVMs/PVMs for Qubes

  • Advanced Security
  • Advanced Difficulty

Notes:

  • OneVM vs TwoVM is orthogonal to (is independent of) all except Qubes and Physically isolated gateway.
    • OneVM disallows one gateway managing multiple workstations
  • “Difficulty” refers to user, which may be wildly different from implementation

With unlimited resources, we could provide all these great options. But with no funding and Patrick working his day job as part of the German version of Chippendales (Chippendales - Wikipedia), we need to make decisions.

I believe we should prioritize based on:

  • Lower difficulty of use
  • Lower difficulty of implementation
  • Higher security

These are conflicting needs, of course. And I haven’t even prioritized these priorities!

And so, the option/form/implementation (we need a name) of Whonix that we work on should, ideally, be in a “sweet spot” of good usability, not too burdensome difficulty for us, but at least low to medium security.

I’m going to propose something: We don’t focus first on the use case where Tails is already quite strong. That would be the low skill, medium security, “low needs” (my term; not much more than a web browser) group.

But to argue against myself: It’s interesting to note that a Mac/Windows installer could make us easier to use than Tails, and that could be huge.

Here is my opinion. It may be biased of course as a KVM helper, but nonetheless hear me out.

Whonix IMO serves a dual role. For the first one, it is in our best interest to cater to the casual user - within limits as they really need some basic understanding of how virtualization works. The reason is strategic. A large and diverse userbase provides a large anonymity set for vulnerable people to hide in, so that downloading Whonix does not automatically become a red flag. With time the fan base may itself evangelize and bring in some knowledgeable hackers to help or they themselves can try to self-educate so they can be able to contribute something.

If the Linux community decided to give up on the desktop initiative and abandon GUIs and DEs, people like you and me wouldn’t be using it today. So it is essential to keep them in mind. However I don’t think virtualization could get any easier than VirtualBox.

The OneVM is not safe I think, because the direct baremetal becomes a variable. If someone’s host becomes infected by an adversary smart enough or with enough resources, this is guaranteed to be a permanent breach of anonymity. With access to the underlying hardware, disinfecting a machine or hiding from its webcam or microphone becomes essentially impossible. Of course software like VirtualBox finds it necessary to expose your webcam in a vm anyway which makes it useless in high-sec situations.

The second role is one mentioned in the front page and I believe is more important. Setting up Tor hidden services. Anyone knowledgeable enough to set up a hidden service is most likely using a free software base and is therefore a Linux user who will want to use KVM for best security and flexibility. Normal Linux desktop users who appreciate security and software freedom will take this as the obvious choice.

A couple of remarks.

Whatever the success of Whonix (or Tails, or Liberte Linux) as an anonymisation system, unless Tor becomes so widely used that the majority of the sites could not afford to ban it, we will still need an easy access to the clearnet for everyday tasks like banking, social relationships (relatives, girlfriends/boyfriends, local community, sports if you are interested…). I do not include Facebook that I don’t use because I don’t believe the birth of my nth kid is a global issue, amongst other things.

In this light, for the “average” user, until Whonix-KVM is up and running, the current Whonix implementation seems the best one. Of course, if you can provide an installer that would take care of Debian, VirtualBox and the virtual machines, it might help enlarging the user base. If achievable, that is probably a lot of work.

As you mentioned somewhere, Patrick, Tails is more aimed at the mobile market. You visit North Korea, take your Tails USB key in the pocket, it is totally amnesic, there is no evidence against you (well, perhaps North Korea is not the perfect scenario… :-).

Qubes OS is definitely security oriented, with the applications running in their own isolated domains. As for anonymity, I am wondering. First of all, I do not know how some of the developers see their own future, but I suspect there are spotlights in the picture. Not a criticism, but… Secondly, if the domains are security isolated, as far as I understand, there is no stream isolation. Running the TorVM domain along with the Thunderbird and/or XChat domains comes to the same as running Tor and Icedove-XChat together in Debian.

As for usability, try to install an HVM and connect it to the network. It is far from being an easy step. Installing a virtual image is a whole different story, I gave up, too quickly maybe (it’s personal, but I do not feel at ease in this environment, and it’s a good enough reason).

There is another alternative, booting Xen in Debian. The installation is easy, and it seems they have made some good progress with the network issues in xend, by implementing xl, as a user choice in the current version 4.1, and as the default toolstack from the upcoming one, Xen 4.2. I am looking into it.

Hi everybody.

Alternative to the best possible solution.

Best ‘plug and play’ solution ‘on offer’ without having to change habits in a serious way.

I’m a newbie and knowledge of security is rather low, I’m overwhelmed by all the possibilities where things could go wrong in terms of perfect privacy. Ideal for me and probably the other 99% of us, being non-techies, would be the above mentioned appliance-route. I already have an appliance which is a mailserver with auto-encryption therefore no gpg related stuff on my desktop, works like a charm.
Leave my desktop ‘as is’, eventually advise what pre-configured browser to use to enhance matters. It wouldn’t be perfect, but it would be a great enhancement over the current no-privacy at all situation, I think.
How bad is this idea, love to get some feedback.

What is the idea behind using d-i installer for Whonix? Installing Debian & VB and then loading the images?

There is a link on the documentation page labeled “Manually Create Whonix VM Settings, in case you want to restore a backup of .vdi hard disk image files” and linking to Manually Create Whonix VM Settings - Whonix. Similar instructions would be required when installing using d-i (debian-like installer iso). I don’t think saying “install that iso”, then open a terminal and do ‘VBoxManage setextradata “yourvmname” “VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled” “1”’ etc. would be simpler than using the ova import method.

Providing multiple versions, each for particular users and applications, would be best, I believe. The current OVA version is fine for users who use VMs, or are willing to learn. And the current “build it yourself version” is fine for those with middling Linux skills. But that leaves out potential users who find Tails, or even TBB, too complicated.

I don’t like TBB, because I think that it puts clueless Windows and OS X users at risk. It’s not at all configured for other apps, but it doesn’t prevent them from running, or (as far as I know) even warn users. Tails is also somewhat problematic, because there’s no Tor-userland barrier, and it’s all too easy to save insecurely on USB flash drives.

As I’ve written in < Whonix Forum >, I would love to see a LiveDVD version of Whonix. I believe that it’s doable, and with luck I’ll have a crude hack working within a week or so.

Many interesting opinions until now. To give the future of whonix a direction, I think you have to take a look from all perspectives: the users, the people offering whonix based services, the providers of other tor based solutions and maybe even the authorities.

The users might be the biggest group, people who want to profit from privacy in their more or less honest or legal interest. The greater their need, the bigger the effort they are willing to take. So for the masses the simple tbb or tails are first choice, as you can quickly use them when needed and then change back to normal life - until somebody uses whonix there has to be a really professional or ideological need.
None of these examples from above finally represents a desktop os for daily use (that could convince users for that reason), only Qubes takes a very interesting approach in that direction. Finally the user is the weakest point in the equation, most people simply don’t care about or are not aware of privacy, or consider any effort to protect their privacy as useless anyway.
In order to change this whonix has to be either a quick and easy to use solution, or an integrated part of a desktop os (here I talk again about Qubes, forgive me). Even if one of these two ways can be done, there is still missing a corresponding public appearance of whonix as a solution (product).

Second I mentioned the people offering services. The usability of whonix for hosting is practically very low, though technically advanced. It seems to me like building an armored pickup with Ferrari technology - but there are no highways to drive it and let’s pray that no part will ever break. Last but not least there is no clue if you ever drive it safely when it’s loaded… so the step using kvm is extremely important.
Combining this with the user subject, there remains the missing infrastructure - and that would require management. There is missing everything that would make using tor/whonix attractive (besides the dark or legal reasons for privacy). To explain this furthermore would take too long here, still the main reason for that is the lack of opportunities for making profit because of the missing infrastructure. OK, now there is bitcoins and many others, but how about social networking, email, hosting and everything else that makes the web so attractive?
Finally the technology that could be used over the TN already exists: additional protocols, encrypted clouds and I even succeeded to use multipath tcp over tor - the sky is the limit.

As a conclusion I would draw the following image of whonix for a bright future: simplify it dramatically or integrate it with other projects (bundle resources), design and implement the technology for an extended user experience (whonix network;) and offer a commercial solution package (this alone is a highly delicate and complex subject, I will not go further into it now).
Maybe it sounds like SF to you - doesn’t to me :slight_smile: