usability, popularity vs security, Freedom Software purism

It may be possible to have it disabled by default - something I’ve personally asked about before, but we run into the problem of asking users if they want it enabled and then confusion.

Qubes has secure clipboard. KVM disables it by default. You may want to revise that statement.

Here’s the thing. Even an LCD can be a side-channel leaking its displayed contents to nearby mics due to changes in its coil noise according to what’s displayed. This is a practical attack. Things start going off the deep end once all facts are considered. Surely you can’t recommend users going on without a screen to do their computing. Not even a commandline only machine is safe.

Back to the main point. If I were to disable audio - which we still haven’t decided on until Patrick consults the Qubes people, this still leaves other browsers and VMs on the host exposed. If a security minded user were to add it back they would be running around with an open mic if they hadn’t even thought to read about this problem.

Firejail is shipped, but we do need volunteers to support users and maintain profiles.

If you are “smart” enough to avoid JS but still need Whonix support, you can use our mailing lists.


Each task requires a different kind of expertise. Nothing currently being done is distracting from what could be done had we had knowledgeable people to do them.


Yet, there’d be a lot less discussion compared to the forums. But this inspired an idea…


Correct, I was referring mainly to VBox. However your reply just strengthens the validity of my point. Why is it disabled on KVM and already secure on Qubes but being left less secure on VirtualBox? Do VirtualBox users require less safety? Are they less prone to making mistakes?

If there is a way to mitigate that, let’s take it. If not, at least mitigate the threats we can. I would assume controlling speakers allows an adversary a higher quality, accuracy and range of transmission than through the LCD coil noise. Besides, with speakers I can think of attacks not even requiring an infected device nearby. For example: an adversary has a good reason to believe you use a public wifi at a certain airport, large cafe, library. He gets there, and makes the speakers play a loud alarm sound, or maybe Beethoven. Busted. Other attacks - play a sound provoking the user to take some action. For example, mail arriving, or a false error sound. Perhaps encourage rebooting the system (then reconnect to another AP). I think the possibilities with speaker control are quite a bit larger.

Not sure I understood what you mean here.

I will read more about it.

I am not convinced giving the whole world (anyone can join) my email address, or even just to a place on whonix server, is much better.

Let’s take a closer look at clipboard sharing.
My argument is it’s used either by advanced users, or in the wrong way, or correctly but in rare cases.

When should Gateway clipboard be used externally?

  • Copy information from Gateway to Workstation: perhaps when the user encounters a problem and wants to copy and paste output to the forum? In this case he already engages with support here. He is a problem solver. Any confusion regarding the clipboard will be easily resolved.
  • From Workstation to Gateway, when changing settings, for example Tor bridges, or maybe adding onion-grater profiles, and it’s tricky to copy the text char by char? This isn’t an out-of-the-box usage but a higher level. If the user gets to do that we can assume he is capable of handling VirtualBox settings as well, or again, capable of engaging with support.

When is Workstation clipboard used externally?

  • When copying information to the Gateway, covered above.
  • When copying information from one Workstation to another. Using multiple VMs in parallel is a relatively advanced activity and we can assume such users are again able to handle clipboard settings.
  • When copying information from Workstation to host. I don’t see how this is generally a good practice, and if anyone needs to do that it is fair to require some (very minimal, really) research to be done.
  • When copying information from host to Workstation. I don’t recall ever doing that. Similarly, rare or wrong.
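The thread argues over whether shared clipboard and drag-and-drop should be disabled by default on the VirtualBox VMs. The script below is an added example, not code from the thread or the Whonix project: it audits those two settings from the output of `VBoxManage showvminfo <vm> --machinereadable`, assuming that output carries `clipboard="…"` and `draganddrop="…"` lines, and runs here against a constructed sample so it can be checked offline.

```shell
#!/bin/sh
# Added example: report VirtualBox VMs whose shared clipboard or
# drag-and-drop is anything other than "disabled".

# Constructed sample of `VBoxManage showvminfo --machinereadable` output
# for a hypothetical VM (key names are an assumption about that format).
SAMPLE_VMINFO='name="Whonix-Gateway-Sample"
clipboard="bidirectional"
draganddrop="disabled"
vrde="off"'

# Print the value of a key="value" line. $1 = info text, $2 = key name.
vminfo_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"$/\1/p"
}

# Check both sharing channels in the given info text.
# Returns 0 when both are disabled, 1 when either is enabled or missing.
audit_sharing() {
    info="$1"
    rc=0
    for key in clipboard draganddrop; do
        val=$(vminfo_get "$info" "$key")
        case "$val" in
            disabled) ;;                       # hardened: nothing to report
            "")       echo "WARN: $key not reported"; rc=1 ;;
            *)        echo "FINDING: $key is $val (expected: disabled)"; rc=1 ;;
        esac
    done
    return $rc
}

# Live use would pass "$(VBoxManage showvminfo "$vm" --machinereadable)";
# here the constructed sample is audited instead.
if audit_sharing "$SAMPLE_VMINFO"; then
    echo "OK: clipboard and drag-and-drop are disabled"
else
    echo "Review the VM settings above before using it for sensitive work"
fi
```

For the sample above the script reports that the clipboard is bidirectional and stays silent on drag-and-drop.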

It was disabled once in VirtualBox and then re-enabled.

https://phabricator.whonix.org/T718

Why is it disabled on KVM and already

already: “It’s not”. “It’s still.”

KVM “lags behind”. When T718 Shared Clipboard and Drag n Drop defaults for WS and GW was implemented for VirtualBox, changing KVM was forgotten.

secure on Qubes but

Because Qubes developed a virtualizer graphical user interface from scratch and innovated a secure copy key sequence. Qubes comes with this configuration by default for all VMs. Qubes effectively discourages use of the Qubes host for anything except using VMs. It’s not a setting up to Qubes-Whonix.

https://phabricator.whonix.org/T720

being left less secure on VirtualBox? Do VirtualBox users require less safety? Are they less prone to making mistakes?

It can be referred to the analogy mentioned in my original post.

As an analogy, is it useful to have a super secure window while at the same time it’s infeasible to secure the front door?

And more from my original post.

With Whonix the goal is the right balance.

etc.

VirtualBox has its problems. (Whonix for KVM)

For best security, use Qubes-Whonix:

If there is a way to mitigate that, let’s take it. If not, at least mitigate the threats we can.

Same as above. Already mentioned in original post in this thread.

The operation was a success, but the patient died. This style of development was never applied in the history of Whonix and it won’t be until Whonix or I get obsoleted.

Besides, with speakers I can think of attacks not even requiring an infected device nearby. For example: an adversary has a good reason to believe you use a public wifi at a certain airport, large cafe, library. He gets there, and makes the speakers play a loud alarm sound. Busted. Other attacks - play a sound provoking the user to take some action. For example, mail arriving. I think the possibilities with speaker control are quite a bit larger.

  • Once under observation by whoever, software can do very little.
  • A lot of these apply to the host operating system too.

Not sure I understood what you mean here.

Users of Non-Qubes-Whonix are very likely to use browsers or other VMs on their host operating system. I.e. they are likely to run Firefox, other browsers and other applications outside of the virtualizer.

Better options:

Hardware Threat Minimization - Kicksecure (just now added)

I am not convinced giving the whole world (anyone can join) my email address is much better.

Use a separate e-mail address?

(anyone can join)

This means you’d prefer a user to staff private communications only?

xariv via Whonix Forum:

In this case he already engages with support here. He is a problem solver. Any confusion regarding the clipboard will be easily resolved.

  • From Workstation to Gateway, when changing settings, for example Tor bridges, or maybe adding onion-grater profiles, and it’s tricky to copy the text char by char? This isn’t an out-of-the-box usage but a higher level. If the user gets to do that we can assume he is capable of handling VirtualBox settings as well, or again, capable of engaging with support.

These are assumptions I would have made too during times I was only engaging in online discussions, without having learned about usability research, and without having talked to arbitrary users in real life outside of my social bubble.

Not the case. Being a problem solver isn’t absolute. It’s on a spectrum too. If there are too many obstacles in too short a time, even a lot of problem-solver type persons give up. Even I, when I search for whatever software (source code, applications for myself, applications for Whonix), when I am too much put off by various factors, I won’t even pursue getting in contact.

Done due to many, real, out-of-social-sphere users complaining? Any references?

This claim is quite amazing for me. Based on? All new users need clipboard sharing in gateway? I find it very very hard to justify. What for?

Based on HulaHoop’s reply above, and at another post (he “almost got his fingers burnt too many times”, I am sure I read it quite recently) rather conveniently left as it is, than forgotten. And rightly so!

We can make all kinds of arguments, but let’s not rewrite history.

And how did Qubes’ users learn of this unique and innovative feature? Did they flood the mailing list with angry questions or just abandon Qubes because of this usability hurdle?

As we all know, hardware restrictions apply.

This was an example I thought of in 2 seconds; you can be sure that determined and well funded adversaries will come up with more.

I am sure this is not new to anyone here: a core advantage of Whonix’s architecture is the harder job required from malware to escape from the VM through hypervisor to host.

Of course, but as long as it’s regularly monitored by me it’s still an additional attack vector and potential deanonymization threat vs not using any. Today those forums allow registration with an email address and never checking it again, removing this attack vector. That’s actually a positive.

No, because I don’t think that’s realistic, and I see a value in a community of users.

I am regularly using at least 3 other forums that don’t require javascript or low TBB security levels and users are very happy with more basic features because they value their security and anonymity.

Reading here can be done without JS. I think you should consider why users post here. It’s normally because they have an issue. This isn’t a place to pass the time (and some of the issues they have are “why is JS required here”).

I guess I will get the same reply of “you are an advanced user and try to restrict others’ usability”. So how about a poll?

Do you prefer:

  1. More basic features, with higher security (no javascript required, highest Tor security level possible),
  2. Advanced features, with the risk of fingerprinting and susceptibility to JS and other low-security browser related attacks.

At the time the ticket T718 Shared Clipboard and Drag n Drop defaults for WS and GW ended with

  • Let’s defer enabling/disabling clipboard sharing by default in Whonix KVM to @HulaHoop.

Please create a ticket.

But a ticket was never created by JasonJAyalaP. So a mess up by JasonJAyalaP and a mess up by me for not re-opening the ticket. Since there wasn’t a ticket, HulaHoop couldn’t write “no, I decided not to do this”. Hence, Whonix KVM was “forgotten” also since this wasn’t discussed for a long time after implementing the VirtualBox side (T718). This is major because this would have been the first time Whonix VirtualBox / Whonix KVM disagreed with any default settings / packages. Disagreement would be something like “keepassxc gets installed in Whonix VirtualBox but HulaHoop decided to not want that in Whonix KVM, therefore configured Whonix KVM builds to skip that package”.

Qubes sets different expectations since the whole host operating system gets replaced. A web search for Qubes copy paste comes up with an answer that is both secure and usable. Whonix VirtualBox with clipboard disabled by default would result in a web search with the answer “it’s not secure to use this but we don’t have a better answer so just enable it anyhow”.

If we can afford to drop usability, why can’t we support saying “If you can’t afford the hardware, you have nothing worth protecting anyhow”? That’s the problem with elitism. Once established, where does it stop? Following your suggestion (wasting effort on X, let’s say VirtualBox, prevents security feature Y) would lead to the deprecation of VirtualBox. The Qubes people can say “but it works on my hardware”, so why couldn’t I say “it works on my hardware too”? How’s VirtualBox support justified then?

That somewhat bites your argument “if the adversary already knows something about you”.

The result of the poll gets influenced by the wording of it. That wording would only be understood by technical users and the result is kinda clear it’s like do you prefer 1. good or 2. bad.


Long and irrelevant explanation. Just last week HulaHoop wrote here he prefers not to do it, in reply to one of your posts. If you really insist I can find the quote.

Searches for “how to enable clipboard in Virtualbox” bring very useful answers. But I am sure it’s always possible to find a scenario in which users will fail, and abandon Whonix as a result of clipboard setting.

We don’t drop usability, we ship a secure feature that can be revised in a few clicks. Poor comparison. Please let me know where I click to turn my hardware into Qubes compatible.

You know what? Maybe it’s not justified then. If you do choose to ship a VirtualBox version though, ship a secure product and not a more vulnerable one.

No, it doesn’t at all. I described a case where an adversary knows your approximate location, this does not imply control over the host, or otherwise any discussion of Whonix in this context is irrelevant.

May I remind people here adversaries do not only operate within the bits and bytes realm.

You could have suggested a more fair wording.

You are wasting your time @xariv . There are underlying issues here:

  • Whonix developers do not use VirtualBox with their own sensitive material. They use KVM or Qubes. They use VirtualBox for development, when they have to. As selfless as they can be, and I do trust they are, feeling the risk and considering the risk for others isn’t the same thing.

  • Whonix developers will probably not suffer dire consequences (in case of being compromised) in relation to what many or at least some of their users will experience. With every honest effort done (again, I do not doubt anyone), they do not really feel the personal fear that is underlying to some posts here. One could argue if that’s good or bad. People under threat would probably be too busy in protecting their own a-- and won’t have time to engage in such long term projects. So I’d say that’s a necessary evil.


Indeed not worthwhile to get to the bottom of this because even if consensus on forgotten vs non-forgotten was found, very little would be gained, but a lot of time lost for the discussion.

Unfortunately, I’ve spent too much time on this subject already. It’s clear that discussions on project-philosophy are unsolvable. Positions were made abundantly clear, I think.

By comparison, generally the architects of complex structures like buildings or hardware (and a myriad of other professions) do not explain any technical details or project philosophy in detail for free to the general public.

Therefore, I am closing this forum thread for two weeks for cool down. If someone still can remember it by then and wishes to add to it, feel free to.

Contributors and developers are welcome to e-mail me about this should they think this project-philosophy is too far off.


This topic was automatically opened after 13 days.

I’m with @xariv for sure, mixing security + insecurity = insecurity.

Making Whonix shiny and sacrificing security means there is no reason to use Whonix anymore, because it fails its own purpose.


This!
But I guess the “project-philosophy” is set in stone so there is no reason to argue with Patrick.
Whonix seems to go the way Tor is going, so be it. Usability over security. The average user (who won’t use it) over those who need it.

Time to go
Bye bye


Thanks for all those participating in this topic. The Whonix team has outlined its position on the matter and we believe further discussion is not fruitful. Thread closed.