usability, popularity vs security, Freedom Software purism

Continuing the discussion from disable speaker by default or optional for better security?:

It is a question about the right balance between two strategies.

The most security focused approach is:

  • A) “Whonix” hardened Gentoo based - don’t care about any laymen who will fail at usability. A way to run a “project” would be “only use this for myself and don’t bother telling anyone”. Perhaps have a blog post that very few read, let alone apply, about how to set that up somewhere, but then that’s about it.

The most reward focused approach is:

  • B) Perhaps some proprietary Windows only tool or perhaps even non-security related software or service.

With Whonix the goal is the right balance.

  • Protecting some/as many real-world situations as possible.
  • Sizable user base. Having two users only isn’t rewarding. Popularity requires usability. Project growth. Impact.
  • Popularity leading to review, contributions.
  • Don’t let the perfect be the enemy of the good.
  • Don’t try to make everyone happy.
  • Realism, non-fatalism, reasonability, feasibility, sustainable development.

If one follows mostly strategy A) then the outcome of that is “only” a guide such as this. I could have used that for myself and then called it a day. Yet, a project, Whonix, emerged from that. Without the popularity based approach, people would have never learned about Whonix. People wouldn’t have contributed research, documentation, review and source code. The Whonix project certainly contributed inspiration to create an improved version of approach A).

As an analogy, is it useful to have a super secure window while at the same time it’s infeasible to secure the front door? Some argue to do everything to super secure the window even if securing the front door isn’t feasible in the foreseeable future. Any security related project naturally attracts people who will argue in favor of security maximalism. Yet, in many cases such as Whonix, these security maximalists wouldn’t have benefited from the research and documentation that was created only as a result of non-security-maximalist projects which directed focus to the subject.

In the case of Whonix, the window could be “compromised VMs communicate through audio output with nearby compromised devices” and the front door could be Tor or Debian (which isn’t the most security focussed operating system, applying as many compilation hardening flags, kernel hardening, and whatnot by default as possible). There are a lot of shortcomings in anonymity/security/privacy which are documented throughout the wiki.

To avoid security-maximalist yet sustainability-reducing changes, sometimes usability is given priority over security maximalism and Freedom Software purism (related, forum discussion).

Security maximalism isn’t my thing. Applying it consistently might lead to fatalism, dropping all but Qubes-Whonix or even A).

I would hope that those who prefer approach A), those who prefer security / Freedom Software purism, and security maximalists can still benefit from the Whonix project (documentation, research, source code, discussion) and encourage them to software fork Whonix. Existence of different views on project-philosophy is to be expected. Wikipedia writes:

Almost six hundred Linux distributions exist, with close to five hundred out of those in active development.

The great thing about Freedom Software is that it encourages cooperation.

3 Likes

I really share most of your views. It needs to be noted though that I have the impression there can also be exaggerated worries about what deters users and what not.

When a secure but less usable feature can be made less secure and more usable with a single mouse click at any point, by the user’s choice, I think it is safe enough to assume this is very unlikely to be a factor to reduce the user base. A few more support tickets? Perhaps. A reasonable price to pay in my opinion.

Let’s remember: 99.9%+ of lay users will never even try Whonix because even with all the concessions we can possibly make, it will still and always be way more complicated than a mainstream platform such as Windows / Mac or even say Ubuntu.

Those who do already made the choice of making a bit more effort for the significant benefits that can’t be found in many other places. They are already used to the lesser usability in Tor Browser. Further, they must limit themselves in many other ways to enjoy the advantages of Tor / Whonix.

All with balance of course. And good judgement. No extremes. I for one don’t think we must use free-only sources if there are no security issues involved. I do think we should ship as many safe defaults as possible, as long as adjusting them to be more usable is easy enough. The recent instructions for Bisq are an example of something that can really decrease the user base if using it is important for those users. They involve tricky changes both in WS and GW. Any mistake there can be painful. This is what I’d call hard and unreasonable to expect most people to follow. Even I prefer to take the risk of running Tor over Tor for a limited amount of time and on a separate WS, and not get into those modifications. I can think of other examples. Clicking on the speaker icon to enable it is really not one of them.

For me, it’s not a very big deal - I will apply the stricter settings anyway (no audio, highest Tor security level etc), I’d just think it’s nice to have them as default. Whonix users are really smart enough to go the extra mile and we should not fear.

1 Like

I don’t know if people here follow the news.

Authorities recently took down several more onion sites.

Unlike in other cases, there isn’t an explanation (real or fabricated) about how it was done. Where did those people mess up. What was wrong with their OPSEC.

I guess we will know more in the future.

In this time the choice of security projects should be clear.

More security. More anonymity. Fewer users? So be it.
If you mind losing some users who can’t make a minimal effort, don’t. They will screw themselves anyway.
If you mind too many support tickets, then ignore or delete them.
More security. And if necessary, fewer users.

2 Likes

News source?

Fewer users = less interest from potential contributors = less code feature advancement = less security indirectly

Fewer users = fewer donations = less viability in supporting the infrastructure and coding time of the lead dev = dead project

2 Likes

Following that approach, a lot of things would have to be ceased since these cost time which could otherwise be used to work on security:

  • shut down the forums
  • don’t be reachable by e-mail either
  • no more downloadable builds (creating these and testing takes a ton of time) (you can create your own - more secure)
  • no more Whonix repository - follow code changes and apply changes yourself
  • no build documentation - source code is self explanatory - otherwise you should review it
  • react to nothing except promising (GitHub) pull requests

Any comparable project that is handled like that coming to mind? (Doesn’t need to be security related necessarily.)

I wouldn’t even entirely dismiss this approach. Sometimes the absence or deprecation of a project or component (such as downloadable builds or forums) leads to someone stepping up filling the void.

2 Likes

Nonsense.
If Whonix will not protect its core users (those with more security and more anonymity in mind), that’s when you will have no interest, no donations, no support etc.
If Whonix tries to be all pretty and shiny instead of more secure it may, temporarily, attract more users who cannot be protected anyway but will sacrifice its mission.

2 Likes

The all or nothing approach? It’s too simplistic for you @Patrick.

Define who are the users of Whonix.
“Everyone” is not the answer!
Try to cater for everyone and you will lose your user base.
Define what is reasonable to expect from users that have high security / anonymity needs and motivation to solve them. And what is not.
From that, everything else will follow.

Forums or some kind of support are essential to a project like Whonix. Users finding and reporting bugs help development as well. If forums are a huge burden and it’s easier to do that with mailing lists, so be it. I don’t think it’s the case, at least 2 users here who aren’t developers regularly maintain the forums. You are already rejecting some support tickets by giving a link, “unsupported” / “free support principle” etc. Great. You have the system in place. You just do a bit more of that if necessary.

Any person in an important position needs to be able to prioritize, either delegate or completely screen out low importance emails. I am sure you possess those abilities.

Perhaps! you’ll be the judge of that Patrick! If the time can be used in a better way, and your core users can handle it, then yes!

That sounds exaggerated. If you believe core users can handle it, then yes! I doubt it though.

Same reply

React to nothing which isn’t very constructive to Whonix core users, namely people who have high security / anonymity needs, and are willing to make an effort to realize those needs. Why? Those users need you. And those users will stay with you. This includes doing some learning, within reason. If you demand all users to be Linux sysadmins or expert coders this will probably not work.

No, because you have responded in the all or nothing, black and white approach. Reality is endless shades of gray.

Whonix today is actually ahead of things. Not behind. That is good. Very good. But it can create some greed (non financial). Be attractive to more. Careful not to lose your focus.

Lack of resources regarding wiki / forum, and you’re building a Linux primer guide?? That can be found in a 100 places on the web? Where can Whonix support be found? Sounds like you have excessive resources. Not lack of. Or seriously confused priorities.

Lack of resources, and you’re reviving the Windows installer? For the least security-centered users? Talk about securing a “window” while the door is not secure, in the Debian context? In the Windows context, it’s securing a part of the building while there is a whole wall missing! Sounds like you have excessive resources. Not lack of.

Lack of resources, and you’re discussing GUI goodies, themes, icons? Sounds like you have excessive resources. Not lack of.

Give me a break. It’s not about resources, it’s about priorities. I am worried Whonix looks for fame and public recognition from the masses or otherwise seeks to be popular while sacrificing core benefits.

At the very least you need to define your targets in a better way. You are a gifted developer I am sure. I think you can improve on project leadership though. Things here seem random sometimes. This is project-philosophy? Where’s the vision? At the very least have a list of priorities. Have a clear idea of what you expect from users. Whonix is great. But it needs to have a clearer direction and focus.

1 Like

I’m sure Patrick has heard of that as it’s three Germans involved.

Not that we should support those kinds of activities. It just sheds light on adversary capabilities. Which can never be 100% known. Snowden’s material is obsolete. Researchers know what they know.

Can you use specific examples here of shortcomings we have?

I think the Tor Project approach of doing whatever security enhancements are needed behind the scenes that don’t interfere with usability, while leaving options that can impact usability like NoScript enabled by default is the right way. Advanced users can always toggle NoScript to disable JS everywhere because they know better, while those who don’t can churn along and use the Browser anyway giving a large set of anonymity to everyone else though they are inadequate users.

OK.

First I want to say that I think Whonix, at this point of time, is at a very good place. Whonix 15 is mostly ready ahead of time. Hardened Debian project is underway. That’s great.

But, it faces the risk of having its current resources drained by wrong focus, that was not properly thought out, and that will be unsustainable for a small project. Moreover, choices made due to this focus, may compromise security / anonymity levels.

Specifically, the apparent desire to attract more lay users.
Yes, Whonix wants to protect as many people as possible, that’s commendable.
But do the people here really understand, what it means to cater for a much larger circle, of those significantly less technically skilled than the current average Whonix user?

Do you think Windows users that cannot even figure out how to handle VirtualBox VMs (if they did, no need for an installer) will accept your “Unsupported” or “Free Support Principle” pages?

Do you seek to attract them, then explain to them that you are a small project that can’t really provide the support, or that they should not expect the same user experience they are used to get with other OSs?

How does this wish to expand user base go together with the dislike of “many support tickets”, or with the thoughts of Patrick from last year to tone down Whonix into a research project?

Do you want those users or not? Decide.

Do you think users who use the Windows installer won’t need to, at some point, change VM settings in VirtualBox, for example to increase memory? They will, and this attempt to dumb things down to a single exe will work (if it does at all) for a very limited amount of time. Then you will again get the support tickets you dislike so much. I say this installer is not doing any good at all. If one wants to use Whonix one must have basic capabilities to handle the virtualizer. There’s no way around it.

If you shift the focus to more lay users you should provide the level of support adequate to those lay users. Or waste many people’s time.

Whonix will have many more trivial support tickets, about Tor, about linux, about VirtualBox, about anything, doesn’t matter how many more pages or guides you add to the wiki.

But why should I care at all?

If the Whonix project insists on exhausting itself, misguidedly in my view, why should I speak up?
Because I think this will inevitably lead to relaxing standards and hurting the whole user base. And that is already the case to some extent.
When you try to minimize support tickets by providing more usability at the expense of security, that increases the risks to everyone.

Advanced users making adjustments by themselves? sure, it’s possible. But those adjustments aren’t done once. Main benefit to a VM is that you use it for what you need. This hardening will need to be manually done again and again and again. Forget once, continue to use Whonix as you’re used to, you may be vulnerable. Essentially you ship a less secure product that needs to continuously be hardened.

And we cannot ignore the reality here in which developers are not isolated from trivial support and forum activity. I don’t see how more lay users focus will not hurt the chances to further increase Whonix security even on the issues unrelated to usability.

Examples: kernel hardening, blacklisting / whitelisting applications firewall on the gateway, restrict workstation from finding information about host, providing forum that does not require JS, and more. There is no shortage to improvements to be made.

What about shipping a hardened version? No resources. But they exist for a Windows installer or for fancy icon support?

Regarding the comparison to the Tor Project approach:
The two projects are different in the level of security they aim to provide or what they ask users to do.
Tor Project is OK with the client seeing the full onion circuit. Whonix isn’t.
Tor Project is OK allowing insecure features of the Tor Control Protocol to other programs. Whonix isn’t.
Tor Project doesn’t try to convert users from Windows to Linux. Whonix apparently does (one of the main reasons why Windows is supported at all. Because they “may become” Linux users).
Consequently, stricter settings should exist in Whonix. People don’t come to Whonix to get the same standards!

I find it very strange that a Whonix user will go all the way to use a virtualizer and VMs and then leave the door wide open to JS fingerprinting and exploits by any site whatsoever.
It makes no sense at all.
The common answer here to this issue is “we don’t want more support tickets”.
Well. I WANT to see this kind of support tickets. And the answer to this kind of ticket will be: “It makes things more secure. Don’t like it? Here’s how you easily turn it off”. That’s a GOOD answer.
In fact I have seen many support tickets asking why the settings are not stricter, or generally posts concerned about JS being required. Then the answer is, “Yes it’s more secure to not use JS (and documented widely in the wiki), but we don’t want confused users posting support tickets asking about it”. That is a BAD answer. Do NOT do the opposite of what you recommend.

Even if your dislike of support tickets is somehow a good reason, shipping Whonix with less secure defaults by itself generates those dreaded tickets anyway.

To summarize:

  • More focus on lay users requires a much higher level of support that Whonix can’t provide.
  • It may lead to resources being drained in an impossible task, instead of further development and increasing levels of security and anonymity.
  • It will and already does lead to lower security standards being shipped.

Very interesting discussion.

Thanks @xariv for all the good points you make.

But in my opinion you are overdramatizing things. While it’s surely very important to have a clear focus on what to work on given the scarce skilled developer resources at disposal, I fail to see where the Whonix project is currently at risk of shipping a “lower security standard” as you said. Could you provide some concrete examples of current lowered security standards?

I don’t see how Whonix as it is designed (and has been designed since the beginning as I understand it) would not address the needs of the “layman”, and how that would be a security problem. It is my understanding that on the contrary it can provide a solution for both non-technical and advanced computer users.

The way Whonix works is that it provides a fail-proof system out-of-the-box, that prevents the host’s IP from being leaked to a potential attacker. If the user wants, he can dig deeper and try to run SSH/VPN tunnels, change any settings, install additional software, etc., at his own risk.

The Workstation, shipped with a user-friendly GUI (even more so since XFCE), allows users of any skill level to easily interact with it and address their particular needs, be it super complicated advanced settings, or just browsing Wikipedia anonymously…

Whonix has always been beginner-friendly. The only skill that you need is installing VirtualBox and importing the .ova files. And there you go, IP leak prevention out-of-the-box.

Then we try to convey the idea to the users that the journey is merely beginning, and we encourage them to read up on anonymity and computer security, which we cover extensively on our Wiki, one of the most advanced resources on the matter that exists, although it probably needs some refreshing.

But to my knowledge, there is nothing in Whonix that should prevent beginners from using it out-of-the-box.

Take my case for example: I am not a computer specialist, have been using Whonix for more or less three years now, and I had no previous experience with Linux and/or virtualization. Setting up and using it wasn’t complicated at all. The difficult part began when I tried to understand the inner workings, and documented myself on Tor and anonymity. But my initial ignorance didn’t prevent me from using Whonix. And I know personally people who use it without any knowledge of Linux systems or anonymity.

On the topic of focusing development efforts, from where I see it we are doing fine: Whonix has been ported to Buster before it has even been officially released.

2 Likes

Hope you don’t mind me saying, but most of your reply reads like marketing PR or an intro to Whonix written for someone who has never seen it. Let’s stay on point.

Jail time is serious enough I think. Some Whonix users are probably security enthusiasts but others need this kind of solution to survive or keep their freedom. So I don’t think I overdramatize anything. Read closely, adversaries will use tiny leaks of information, utilize any mistakes and put everything together over weeks or months. It doesn’t take much.

This is really not a joke for many users.

Of course. Some have been mentioned here by @micky and others appear in other threads throughout the wiki. Many were already discussed by developers with decisions made to keep the current state as it is. A partial list:

  • Tor Browser within Whonix includes the lowest safety level possible by default.
  • The default clipboard sharing in Whonix VMs is the worst safety-wise (bi-directional sharing).
  • The speakers in Whonix VMs are enabled by default, allowing malware to leak information to external infected devices.
  • There is no mechanism in Whonix to whitelist applications (exists in Qubes). Suggestions to implement this as well as other mitigations of malware were rejected due to lack of resources.
  • Whonix forums, essentially the only realistic option to get support, require JavaScript and in some cases lower security settings in Tor Browser.

Cool. In this case why do we need to spend maintainers’ resources on writing a Linux primer? Why do we need to spend developers’ resources on working on a Windows installer? Have you seen the following recent activity? So many suggestions get the reply “no resources”.

A complex topic with no doubt in Whonix. A very easy topic elsewhere:

  1. Install Tor browser.
  2. Sign up for VPN.
  3. Install VPN app on host.

Bang! You got the VPN before Tor setting. All done with clicks! No editing of configuration files! No creating users or changing permissions! Not breaking stream isolation (coz they never had it).

This setting is actually a requirement for many Tor users (whether it’s good for them or not it’s another question) - I can promise you the vast majority of them can do the above as I described and will not get into doing the setting in Whonix. Yes we can improve education (wiki) but we should admit that Whonix isn’t for everybody.

Great! So let’s ditch the plans to work on the Windows installer / Linux guide etc. and get back to the real tasks!

That’s exactly what I wrote in my first paragraph.

No, just some enthusiastic writing from an enthusiastic user :slight_smile: But you are right, let’s stay on point.

Agreed. But then if we are talking about potential jail time, then additional measures are to be taken, such as encrypted USB disks, using bridges to connect to Tor, maybe connecting to public Wifi spots (although might not be a good idea in certain circumstances).

What I mean is that if it really is a question of life or death you surely need to be very up-to-date with OPSEC and anonymity topics, merely installing Whonix on Windows and expecting it to cover all your needs out of the box is unrealistic.

Thanks for the concrete examples.

  • Tor Browser: good point, maybe open a new topic (don’t know if it has been already discussed recently or not)?

  • The default clipboard sharing in Whonix VMs is the worst safety-wise (bi-directional sharing) → can be disabled very easily. In KVM, disabled by default.

  • The speakers in Whonix VMs are enabled by default, allowing malware to leak information to external infected devices → it’s being currently discussed, so nothing definitive here as I understand:

Valid points. If you have the skills and time, I am sure your contribution to the first point would be very valuable. As for the forums, I am afraid there is nothing we can do as long as we use Discourse.

A majority of people will go for the easy path. That’s understandable and their own choice. This could also be achievable within Whonix, but it requires some commitment. But it is possible, and documented. So I think we agree it’s the user choice eventually. And yes, Whonix is probably not for everybody or lazy users, but there is nothing that inherently prevents it from being used by anybody.

Regarding resources allocation, I think it really depends on who does what. If @Patrick or other core (and skilled) developers would devote half their time to documenting file permissions in Linux, then yeah that would be pretty bad I guess :slight_smile: But if that would be me, or another regular user, that wouldn’t be a waste of resources, don’t you agree?

My bad, must have missed this!

usability, popularity vs security, Freedom Software purism is a decision on a spectrum. I don’t see much point to debate project-philosophy.

It doesn’t come as a surprise that some existing and/or advanced users capable of adjusting to these usability issues will argue for their benefit.

The law of triviality / bikeshed applies. More weight will be given to contributors and developers.

What mechanism are you referring to?

Frequently Asked Questions - Whonix FAQ

Indeed.

A list is good to have. It allows to:

  • a) contribute source code that implements (a) build parameter(s) applying these settings by default
  • b) justify a software fork of Whonix

No excuse for sub-par settings in Whonix.

Appears in wiki with reasons why not to do it.

We are discussing defaults. Also I mentioned the point of repeatedly hardening non secure settings. Please read more carefully.

I share your hopes. My replies here were after reading this thread.

Let’s keep the discussion realistic and less theoretic.

I would agree. I did however mention above the point of developers not being insulated from ongoing support and forums. Maybe good if Patrick would do it. Fact is, he doesn’t.

Also discussed here at length

Similar points in

Usability issues are one point. Admittedly less serious than the second point, namely less focus on advanced security (unrelated to usability).

Certainly reasonable. I voice my opinion here. I believe the points I mentioned will improve the conditions of virtually all current Whonix users.

If we’re discussing theoretical, significantly less capable joiners, perhaps less so.

In this case I will add more items when I notice them. Sure, if they can be added as build parameters that will be a big step forward.

I don’t see a fork of a project of this complexity as something that’s going to happen anytime soon.

Not all feature requests are created equal. Pure logic such as:

  • X takes development effort
  • development effort spent on X was a waste because that would have given us Y already

is invalid. It ignores the human question. It ignores the available skillset of developers. As you may have noticed, I never created original quality GUI applications but I’ve been capable of modifying them. Some things are easy for me (such as this time the port from stretch to buster) since I am trained in that (lintian warnings, packaging of simple things: scripts, non-compiled code) but to deduce from that that I could have equally easily come up with a firewall GUI utility - no.

Quote from FAQ:

By comparison, generally the architects of complex structures like buildings or hardware (and a myriad of other professions) do not explain any technical details for free to the general public.

Volunteer contributions to Whonix ™ are most welcome. All proposed patches are carefully reviewed and merged if appropriate. Volunteers with the requisite coding ability should refer to the current backlog of open Whonix ™ issues and consult with developers before undertaking any significant body of work.

Often, proposed improvements or fixes to the Whonix ™ platform are awaiting implementation due to differing developer priorities, limited human resources and/or the inordinate amount of time required to develop a particular feature or solution. In a minority of cases, the Whonix ™ team is unsure how to resolve a bug or implement a specific change / feature.

It is generally unhelpful to debate the priorities laid out in the future Whonix ™ roadmap, as this diverts energy from core development. Some major suggestions might become available in the long-term or might never eventuate, such as the availability of a Live Whonix ™ CD/DVD.

This is essentially also a debate on priorities which is mostly pointless to discuss due to skill limitations and limitations of users to imagine the difficulty of implementing things where pure logic doesn’t apply without technical background knowledge.

Firewall | Qubes OS is not a whitelisting mechanism. It’s a firewall GUI utility and there are quite some issues with it:
Issues · QubesOS/qubes-issues · GitHub

whonix-firewall doesn’t prevent you from doing port filtering. You can modify the iptables firewall rules as per usual Linux command line tools or by editing the firewall script.

Very useful, because…

Either that, and/or coming to mind just now, alternatively Whonix Control Panel (on the host could give an easy choice for most if not all items on the list except forums vs javascript).

If the world depends on me, there’s something wrong with the world, not me.

1 Like

I did give the Qubes firewall as an example but I never intended to ask the Whonix equivalent to include any GUI.

A dedicated text file, with rules in a clear syntax will do great, and be more manageable / safer for users to mess with (lower impact of mistakes) than editing iptables or firewall scripts. I’m thinking something that only allows users to add more limitations, never to remove or revise the core Whonix rules.

So we essentially “just” need a script that reads such a file, validates syntax (outputs errors accordingly, or just rejects the file), and writes the additional restrictions to iptables.

Similarly, I will be very happy with a simple configuration file.
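The restrictions file described in the post above, sketched here as an added example (not code from Whonix or from anyone in this thread). The file format, the chain names `USER_RESTRICT_IN`/`USER_RESTRICT_OUT` and the sample rules are all constructed for this illustration; the script only validates the file and returns the iptables commands it would append, it executes nothing.

```python
"""Validate a user 'restrictions only' firewall file and emit iptables commands.

The format is hypothetical (constructed for this example): one rule per line,
'#' comments, and the only verb accepted is 'deny'. Because there is no 'allow',
'flush' or similar, a user can tighten the firewall but never loosen the core
rules, which live in other chains that this script never touches.
"""
import ipaddress
import re

# Hypothetical chain names; the script only ever appends (-A) to these.
CHAINS = {"in": "USER_RESTRICT_IN", "out": "USER_RESTRICT_OUT"}
PROTOS = ("tcp", "udp")
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # single port or lo:hi range

# Constructed sample file: no outgoing SMTP, no LAN range, no high-port UDP in.
SAMPLE_RULES = """\
# tighten the workstation beyond the shipped defaults
deny out tcp 25
deny out host 192.168.0.0/16
deny in udp 1024:65535
"""


class RuleError(ValueError):
    """Carries the offending line number; any error rejects the whole file."""


def _check_port(spec, lineno):
    m = PORT_RE.match(spec)
    if not m:
        raise RuleError(f"line {lineno}: bad port spec {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    if not 1 <= lo <= hi <= 65535:
        raise RuleError(f"line {lineno}: port out of range in {spec!r}")
    return spec


def parse_rule(line, lineno):
    """Turn one 'deny <in|out> <tcp|udp|host> <port|addr>' line into a command."""
    tokens = line.split()
    if len(tokens) != 4 or tokens[0] != "deny":
        # 'allow', 'flush' or any other verb is refused outright: the file can
        # only ever add restrictions on top of the core rules.
        raise RuleError(f"line {lineno}: only 'deny <in|out> <tcp|udp|host> <port|addr>' is accepted")
    _, direction, kind, target = tokens
    if direction not in CHAINS:
        raise RuleError(f"line {lineno}: direction must be 'in' or 'out', got {direction!r}")
    if kind in PROTOS:
        match = f"-p {kind} --dport {_check_port(target, lineno)}"
    elif kind == "host":
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            raise RuleError(f"line {lineno}: bad address {target!r}") from None
        # outgoing rules match the destination, incoming rules the source
        flag = "-d" if direction == "out" else "-s"
        match = f"{flag} {net.with_prefixlen}"
    else:
        raise RuleError(f"line {lineno}: unknown match kind {kind!r}")
    return f"iptables -A {CHAINS[direction]} {match} -j REJECT"


def compile_rules(text):
    """Validate every line first; if anything is wrong nothing is emitted."""
    commands = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        commands.append(parse_rule(line, lineno))
    return commands


if __name__ == "__main__":
    for cmd in compile_rules(SAMPLE_RULES):
        print(cmd)
```

Because validation finishes before any command is produced, a typo on line 3 means nothing at all is applied, which is the "or just rejects the file" behaviour the post asks for.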

Another one: