[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Whonix and Tails Discussion


#10

A lot of thought has already gone into this topic. You’re just scratching the surface of virtualization with Whonix. Please spend some time with Qubes.

https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html
https://blog.invisiblethings.org/2011/09/28/playing-with-qubes-networking-for-fun.html


#11

I like Tails. I think it’s great software, and a great introduction to Tor/OPSEC for the masses. It’s free software, debian-based, well supported and has a lot of ready-to-use utilities. It’s much better than your typical Windows 10 or macOS user running Tor Browser.

But let’s be real: by design, Whonix is much more secure. Any “simple” root exploit in Tails will immediately expose your real public IP address. Something as basic as this for instance (once the attacker has root rights):

service ferm stop && iptables -F && echo nameserver $(traceroute 8.8.8.8 | awk '{print $2}' | head -3 | tail -1) > /etc/resolv.conf && curl ipinfo.io

Whereas in Whonix, there is no way such a thing could happen. An infected Workstation could never reveal its true IP address, at least there are no known exploits to achieve that.

Regarding persistence/amnesia, it is trivial to erase the VM and clone or reimport a new VM for each new session, it is just a matter of a few minutes. It’s not a big deal. Moreover, you can keep an always up-to-date pair of Whonix VM and just clone them for each new session. With Tails, you are stuck with the version you have until a new release.

As for the sensitive files stored in the Workstation, nothing stops you from keeping them in another offline VM (be it in Qubes or with VirtualBox/KVM), even in an encrypted container, and copy-paste the important stuff when you need it (such as passwords, logins). Same thing with PGP: if you fear for the integrity of your private keys, run the encryption/decryption stuff in an offline VM. Don’t do it on your connected Workstation. Likewise, BTC transactions can be signed offline and broadcast on the Workstation with the public keys. I think it is good practice to never store sensitive files in a connected device/VM, even if it is (pseudo)anonymous.

I don’t see how it could be otherwise?

In my opinion, the biggest threat to Whonix users is the integrity of the host system. If it is compromised/spied on/keylogged, then it is basically game over. But if your host is a dedicated Linux OS (let’s say debian) on an encrypted USB key with the minimal number of software possible, never do anything else than using the virtualization software, etc., I would say it’s pretty safe.


#12

you’re welcome. :slight_smile: not too much thought. the issue is really just the resources of your machine. here’s a pontential set up.

  • gateway - immutable drive.
    ** workstation or other - network access disabled - guest to host clipboard enabled. (use for password storage in keepassx or other).
    ** workstation - browser - immutable drive. (use as generic disposable browser)
    ** workstation - browser - immutable drive - host to guest clipboard enabled. (use as browser where you need to paste passwords for login sessions)
    ** workstation - email - immutable drive - host to guest clipboard enabled - create private gpg keys before snapshot - create additional “passthrough” virtual drive as storage for public keys you receive. (use as email client where you need to paste passwords. downloaded public keys will persist. can also set to save emails if desired.)
    ** workstation - irc - immutable drive - host to guest clipboard enabled - if using ssl certs, create before snapshot. (use as irc client where you need to paste passwords for login sessions)
    ** workstation - instant messenger - immutable drive - host to guest clipboard enabled - create otr fingerprints before snapshot. (use as chat client where you need to paste passwords for login sessions)

just one example. when you get to this level of isolation, qubes is better than virtualbox. but, a somewhat similar method to virtualization with disposible vms can be done with virtualbox. however, the above example would be more for fun than practical. if you can visualize how to work that, you’re better off using qubes if your hardware is supported by it.


#13

Everybody keep focusing on the Workstation and brushing aside potential Gateway vulnerabilities. Why??

When I search for Debian vulnerabilities in cvedetails.com, there is a very long list there (probably patched by now but if they occurred in the past, there’s no reason to believe others won’t be discovered in the future). For example, vulnerability in curl (included in Whonix-Gateway).

That’s just debian. How many people pentest the specific settings of Whonix-Gateway or the packages added by Whonix developers? I think not many, a vulnerability there can persist for a long time before it is discovered.

Of course, Tails would be subject to the same issues. But I would be more careful before stating “in Whonix no such thing could happen”.

When you compare Tails with Whonix vulnerabilites, you can’t compare it just with the Workstation. You have to compare Tail’s vulnerabilities with those of everything that is a must used in Whonix: Workstation + Gateway + Hypervisor.


#14

because majority of exploits likely deal with a host exploitation, which will be game over. if such exploit happens in your workstation, likely won’t happen in your gateway. and as far as drive by exploits are concerned, this is yet another reason to take advantage of immutable drives if you use virtualbox. not foolproof. but fairly solid.


#15

I can agree with that. It’s more secure, but there’s a big difference between “less likely” and “could never happen”. And this does not require any exotic attacks on firmware or anything like that. One major fault in any of the Whonix-Gateway packages and user is done for.

Now we also have VirtualBox. As stated by Whonix documentation, Oracle have a bad history in revealing security issues, plus it isn’t open-source. Tails is all open source if I am not mistaken. Another point to Tails.


#16

Then use Qubes OS, which you should do when you fear these kind of attacks anyway…


#17

Why don’t you tell us how you might conduct a targeted attack on the Gateway? Network interface? Tor daemon? iptables? And what would be your solution? If you were an attacker would you rather spend time and money trying to find a remotely-exploitable bug in a network driver or phish for an idiot user to click on clickbait? And if you did happen to find a bug in a driver or libc or whatever - and this is a huge point - how would you know which Gateway to target? Why not target the user of interest directly in the Workstation without having to crack Tor first?

Sure, it’s possible to be a random victim of a non-targeted mass attack… but then so is everyone else - Tails, Subgraph, data centers, corporations, etc.

And how many of those are remotely exploitable and/or privilege escalation bugs? The malware ecosystem is very large. No usable exploits get left on the shelf.

An audit can be immensely useful. But what specifically would you like pentested? Whonix is a bunch of settings and scripts, that you can see and understand for yourself on Github. There are no binaries that need to be fuzzed. You can manually put Whonix together yourself and watch each piece go in. Start with a small Debian, add Tor, add the Whonix glue. Most hypothesized potential Whonix vulnerabilities are brought up by users who don’t really understand what Whonix is. (btw, the same could be said of Tails. but Tails also puts a lot more eggs in its only basket.)

Partially correct. Yes, the Gateway + the Workstation should be included in the Whonix attack surface. But what do you gain in your analysis by including the Gateway, since all of those components (again, minus some scripts) are also included in Tails? The Whonix Gateway, and by extension, the Tor daemon, strictly has less attack avenues when used with Whonix than when used with Tails. I don’t think Tails would argue with that. This comes at the expense of usability. Then there is an entirely orthogonal discussion of amnesia and forensics, in which Tails is superior (even when using various Whonix hypervisor non-persistence features).

It is incorrect to include the hypervisor as a vulnerability when comparing to Tails. The hypervisor adds a layer of defense, not increased attack surface in that comparison because the guest VM needs to be compromised first in order to attack the hypervisor. Like I said above, with Tails, you only have one OS that needs to be compromised for full access.


#18

I already gave examples. Nothing new really. Stack or Buffer overflows. String functions vulnerabilities. Small unnoticed bugs in protocols or applications that run them.Things that get exploited every day. Every kind of system is a target.

You surely don’t think it ends with idiots downloading malware? yes, there are plenty of them, but those aren’t the valuable targets. If I’m an attacker, I’d very much want to find a bug in a system that’s probably popular with onion sites operators, or other high quality systems. Sure! such a vulnerability is worth a thousand idiots.

A huge point for you and for me, no doubt, but I hope you do realize many people do that successfully every day? and I don’t mean script kiddies…

If a bug in the system is available then all of them. Yes, today bots do the job. You still think about a 15 years old hacker in the basement or part timers? think expert hacking groups, well funded and determined.

Right, and the attacker should assume there’s an idiot at the other side, and satisfy himself with that. Exploits are written to make sure all the vulnerable systems are exploited regardless of idiots or not running them.

That’s correct, I didn’t say others aren’t vulnerable. My point is how to make the Gateway even more secure. For example, I saw in the docs there was an initiative to use Gentoo Hardened but I didn’t see anything recent.

I do sincerely hope you are aware that open source software isn’t immune to mistakes and vulnerabilities just because everything is there to be seen. I don’t imply that there are secret backdoors if that what you mean. Of course every input should be fuzzed in any way possible. Do you expect me instruct the professionals how to do their job? yes, also Tails is and should be subject to audits despite being open source, one of those audits appear on their site.

What are you talking about? Tails doesn’t use the Whonix Gateway. If there is a vulnerability specifically there, it is unique to Whonix. The components are not identical to those used in Tails. Some are obviously, others aren’t. I don’t talk generalities but specifics.

Wrong wrong wrong. As admitted above, if the hypervisor itself is compromised, everything is compromised. The guest doesn’t need to be compromised first. You still limit your thinking to some user clicking on a clickbait. The hypervisor can be infected, for example, by an attack on the download page (how many users verify VirtualBox properly?). Or it can affect any connection Virtualbox by itself maintains, even when there’s no traffic at the guests (for example, VirtualBox initiates its own connection to check for new versions right?). Or it can be attacked by anything that runs on the host. Ah yes, I didn’t include that, but Tails has no host. And if users run VirtualBox, probably many of them run Windows. Can windows affect Tails…? no, Tails has no other “host”. So, to be more precise, when we compare attack surface, it is Tails on one side, and:

  • Whonix workstation (and everything the user installed on it, he is encouraged to do so!)
  • Whonix gateway
  • The hypervisor
  • The host

on the other.
Failure of (1) will not reveal the IP, MAC, correct, but it will reveal many other sensitive info.
Failure of (2-4) may reveal it all.

QED. Cheers.


#19

Ok, go ahead… Maybe we should start by patching those…

I don’t… that’s where it begins. Attackers have costs just like defenders.

Could’ve fooled me. Do a search for “major cyber intrusions”. See how many occurred because of user error and how many were due to master hacker exploiting a low-level library on their way to compromising a hypervisor. Yes, we don’t always hear about nation-state ops like Stuxnet - but we do hear about more and more of them - and it would be a safe guess to say that nation-states would rather use low-hanging fruit if they can.

You missed the point. Finding a vulnerability isn’t it. Rather, the second part of the sentence…

That would be ideal. Then it’d be so much easier to detect. Expert hacking groups don’t hack everyone to get to a target. (again, stuxnet). Surveillance is a different animal.

Whonix isn’t just open-source. It’s small and readable.

I don’t but that doesn’t seem to be stopping you. :wink:

Well, if you want to go down the rabbit hole that there is nothing that can be trusted - like my polonium-laced pencil - then congratulations, I have no rebuttal. We usually have to make some assumptions - like not being compromised already. There is no system that can survive that so I’m not sure that helps or hurts your point of view.


#20

Gentoo wouldn’t help you there either and it would be more helpful if you would point us to Vulnerabilities that do exist at this very moment and not just talk about how things get exploited without any example.
Also you could port everything whonix related to Gentoo and finish that work if you think that this would make the GW more secure.

Seems very broad and unspecific to me …

Thats why you download it of a official Repo and not from the Website, if you talk about a Windows OS then you got a lot more problems to worry about.


#21

:slight_smile:
Of course many things can be vulnerable, and if one system eliminates the need in some components, and the second doesn’t, then… see if you can figure it out by yourself… still no? when a comparison is made, the lack of potential vulnerabilities in those components (due to lack of those component altogether) is very relevant to the comparison.
But of course, you can just choose to make comparisons that assume Tails is also vulnerable to hypervisor or host issues. One of its advantages is that it’s a standalone, but that’s too complicated to take into consideration I guess.

I would assume people who care about their security would be very interested to find faults so those could be solved and improved, rather than to do everything to assure themselves everything is fine. The latter is a recipe for disaster.


#22

We are talking about security risks in different systems. I don’t see anyone pointing out a vulnerability that can be exploited today in Tails. If anyone could name those, then Whonix or Tails would be broken today, not just in risk of becoming broken.
That’s why audits are necessary, to find everything’s possible before a malicious attacker does. Without such, the whole system is based on a lot of hope.


#23

you simply aren’t going to find an unexploitable operating system or vm set up. the software can be hardened to a degree. if exploitation is of greater concern, you need to take physical mitigation steps as well. For a basic paranoid set up:

  1. cash bought laptop that never connects from home. always one way isolated from home computers.
  2. cash bought disposible wifi nic that never connects from home. ideally aircrack-ng compatible with long range capabilities.
  3. access network in distance of a metropolitan area with 1,000,000+ residents. ideally accessing public free wifi that is used by many. ideally in high location where line of sight works for both signal and view of potential incoming physical attackers.
  4. be constantly mobile and erratic. randomize your movements.

software alone is not enough if you truly have a reason to be concerned about exploits. you need to take physical measures to ensure that such exploits still can’t identify you. this is a problem that whonix, qubes, tails, etc. cannot solve, and thus relatively pointless in regards to discussions of software hardening. ideally, you should be able to leave your machine at the scene and not have it tie back to you if the situation calls for it. no operating system alone can achieve that for you.


#24

That’s clear, however the comparison between the software is also interesting by itself. One has to choose something. People reading this thread may think I am all for Tails and against Whonix. Not at all, I didn’t make up my mind yet which is more suitable for me. I am however against exaggerated or non-relevant claims made by some.

Most attacks are on the browser? yes, if looking at the overall population. But if you use Tor Broswer, with the highest security level set, no Javascript, no plugins, no flash, no extensions, and exercising great care when downloading everything whatsoever, then in my opinion you have minimized the browser originated risks to a large extent and you can move to look at other risks.


#25

well, you brought up the whonix gateway getting slipped a problematic package. the same applies to tails or anything else. if it is a matter of life or death, or incarceration, if your identity is exposed, no software alone will be enough. and if you are relying on just the software in such a situation, the lessons are already there. whonix and tails provide a very good means of privacy and anonymity for many. but if you are in a situation where you can’t afford any risk, no software alone will work for you. and this will never change.


#26

I think a directional antenna is important. But it makes it very obvious to any casual visitor I have something going on. On the surface at least, things should look standard. A technician can comment to his friends etc. How to achieve that?

I also thought of utilizing a satellite dish for really long range wifi (I saw some instructions online). Again it may look very strange when the dish isn’t pointed at the sky…


#27

regardless, issues that are beyond software. and all doable.


#28

#29

[Closing my ill-conceived thread as overly broad. We want to keep topics narrowly focused and productive going forward. Feel free to create new threads to discuss specific issues. If you have an assertion to make, provide proper sources, tests, evidence.]