Whonix Datasecurity (Running Image)

Hello,

This question is related to my other question: Whonix Datasecurity (Image).

Nearly the same situation: I am out of the house and an attacker gets local access to my PC.
But this time my Whonix system is already booted and running on the PC (for example to download something).
Before I leave the house, I lock the Gateway and the Workstation with: sudo vlock -ans

Is there any way for the local attacker to steal my data inside the Whonix?
If yes, please explain to me the workaround, how this is possible, because I do not see any way.

[quote]Is there any way for the local attacker to steal my data inside the Whonix?[/quote]
Yes. Too many. Physical access by a skilled adversary - while the machine is running - even when running full disk encryption - is always fatal. For example, but not limited to, the Cold Boot Attack. Also other attacks exploiting interfaces (USB etc.).
[quote]If yes, please explain to me the workaround, how this is possible, because I do not see any way.[/quote]
The good news is, it's not Whonix specific. Any operating system, any computer has this problem. Which means, this is a general security question which has been discussed loads of times on the internet. You'll find a ton of advice there. Some people put their computer into a lock. Others remove power as soon as there is an unauthorized opening of the door (presupposes full disk encryption). And more.

[quote]The good news is, it’s not Whonix specific. Any operating system, any computer has this problem. Which means, this is a general security question which has been discussed loads of times on the internet. You’ll find a ton of advice there. Some people put their computer into a lock. Others remove power as soon as there is an unauthorized opening of the door (presupposes full disk encryption). And more.[/quote]

That's the point I think about, and I am shocked about this.
Because there is only security with encryption, but to run a system it is always necessary to decrypt the data.
But a shut-down system is useless, and also it is not always possible to have full hardware control, for example a company PC at work, or a server that is located in a datacenter.

So let us talk about a scenario where I store my Whonix on a server in a datacenter (for example running a HS).
Is there no way to secure my Whonix against the access of the datacenter admins?
And how easy is it to have a look at the HS data running inside the Whonix?

Physical security is a prerequisite for Whonix. I am afraid this is not my area of expertise.

[quote]And how easy is it to have a look at the HS data running inside the Whonix?[/quote]
Without any precautions, it's trivial.
[quote]Is there no way to secure my Whonix against the access of the datacenter admins?[/quote]
It also depends on how much access you get in the data center. For example, when you are allowed to install locks and cameras you can get better security.

This should be rephrased as, “how to run any server in a data center without trusting the data center”? Then you can speak to a much broader audience.

What you’d need to research is RAM encryption. Looks like PrivateCore is cooking up something interesting to answer this. By no means I am qualified to determine if it’s useful or snake oil. I asked a security researcher about it, though.

https://groups.google.com/forum/#!searchin/qubes-devel/"prevent$20unauthorized$20physical$20access$20to$20data$20in$20use"/qubes-devel/-5HxNDeVNdM/fVlxernQPX8J

[quote]It also depends on how much access you get in the data center. For example, when you are allowed to install locks and cameras you can get better security.

This should be rephrased as, “how to run any server in a data center without trusting the data center”? Then you can speak to a much broader audience.

What you’d need to research is RAM encryption. Looks like PrivateCore is cooking up something interesting to answer this. By no means I am qualified to determine if it’s useful or snake oil. I asked a security researcher about it, though.

https://groups.google.com/forum/#!searchin/qubes-devel/"prevent$20unauthorized$20physical$20access$20to$20data$20in$20use"/qubes-devel/-5HxNDeVNdM/fVlxernQPX8J[/quote]

I had a look at the PrivateCore project and it looks very good.

The future is cloud/server based computing.
Tor is a great project and Whonix is “The next big thing”, but both are built to be managed at home.

What about a server based Whonix with a secret and/or closed forum, only for a handful of people?
What about a server based Whonix with high risk documents and files on it, to store and up/download?
What about a server based Whonix, for use from all my devices (PC, laptop, tablet, smartphone)?
What about a server based Whonix…

There are so many needs for such systems, but all benefits of Tor and Whonix will be destroyed if a datacenter admin can read and/or copy these files in 5 minutes.

I am not a dreamer, so I don't think it will be possible to harden the server against the access of a Three Letter Agency. If any government agency gets a server in its hands, they will be able to read this information.

But I think about the curiosity of a datacenter (for example, the curiosity can start because of the Tor traffic)!
I stand by the point that if they don't like the activity of a customer, they have to terminate the contract and the server.
But they should not be able to read all information on this server, if the customer doesn't want this!

I will now read about the PrivateCore project.
Do you think they can accomplish this task?

[quote]The future is cloud/server based computing.[/quote]
I hope not. At least not until we figure out how to make them untrusted, dumb boxes relaying data.
[quote]What about a server based Whonix with a secret and/or closed forum, only for a handful of people? What about a server based Whonix with high risk documents and files on it, to store and up/download? What about a server based Whonix, for use from all my devices (PC, laptop, tablet, smartphone)? What about a server based Whonix…

There are so many needs for such systems, but all benefits of Tor and Whonix will be destroyed if a datacenter admin can read and/or copy these files in 5 minutes.[/quote]

Good questions. No good answers.

[quote]I am not a dreamer, so I don't think it will be possible to harden the server against the access of a Three Letter Agency. If any government agency gets a server in its hands, they will be able to read this information.[/quote]
It may be possible in theory, but we don't have enough people who care about and work on this.
[quote]I will now read about the PrivateCore project. Do you think they can accomplish this task?[/quote]
It's not a Free Software, Free Hardware project? Well, that decreases my hope. They sure can't solve it alone. They rely on TPM and CPU, both pieces of hardware which are to my knowledge black boxes that could include a hardware backdoor by default. Probably they're still doing something useful: they research how to do it under the assumption that TPM/CPU can be trusted. Perhaps some day they can change their implementation once Free Software CPUs are available. Same with Whonix. We need to make a pretty bold assumption, that hardware can be trusted. Very bold indeed, if you followed the stories around NSA and Snowden. Still, we're working towards the goal of trustworthy computing. Once we get trustworthy hardware (at least a very few people are working on it, I heard), we can re-use all code and everything we learned until then. Not doing what one can do (developing Tor, Free Software distributions etc.) in the meantime seems a bad option.

[quote]I hope not. At least not until we figure out how to make them untrusted, dumb boxes relaying data.[/quote]

Me too!
But have a look at Apple devices, e-book readers and smartphones (the trend goes to closed devices without control).
Have a look at the progress of the new Xbox, Steam or browser games.
Also Microsoft is thinking about making Windows 10 a cloud-based OS.

I am afraid of all these things, but 99.99% of the mainstream users don't give a sh… about privacy and security.
The main request is usability and simplicity, that's it.

[quote]I am not a dreamer, so I don't think it will be possible to harden the server against the access of a Three Letter Agency. If any government agency gets a server in its hands, they will be able to read this information.[/quote]
[quote]It may be possible in theory, but we don't have enough people who care about and work on this.[/quote]

Agree, it is like David vs. Goliath but without a happy end, and this situation will not change!

[quote]I will now read about the PrivateCore project. Do you think they can accomplish this task?[/quote]

[quote]
It’s not a Free Software, Free Hardware project? Well, that decreases my hope. They sure can’t solve it alone. They rely on TPM and CPU, both pieces of hardware which are to my knowledge black boxes that could include a hardware backdoor by default. Probably they’re still doing something useful: they research how to do it under the assumption that TPM/CPU can be trusted. Perhaps some day they can change their implementation once Free Software CPUs are available. Same with Whonix. We need to make a pretty bold assumption, that hardware can be trusted. Very bold indeed, if you followed the stories around NSA and Snowden. Still, we’re working towards the goal of trustworthy computing. Once we get trustworthy hardware (at least a very few people are working on it, I heard), we can re-use all code and everything we learned until then. Not doing what one can do (developing Tor, Free Software distributions etc.) in the meantime seems a bad option.
[/quote]

It is software based, so no hardware needed.

You are right that a CPU has to be trustworthy hardware.
But do you think Intel will risk its company by building a backdoor into it?
Any government on this planet uses CPUs, and the CPU production is in China, India and other countries.
So to hide this backdoor from the whole world would be nearly impossible for the US government.
And last but not least, if there were a backdoor in it, the USA would use it for the “highest level top secret spy” and not for citizens who try to protect their privacy.

Yes, it is a paid service, starting with about 500 USD/month, so it is designed for big companies.
But there is an Ubuntu trial for max. 5 servers and I do not see any time limit. So if I understand it right, maybe it is free for small “private” users with only 1-5 servers.

Look at this, sounds good:
PrivateCore Demonstrates Industry’s First PRISM-Proof Tor Server in Public Cloud

Also they have a great team:
"PrivateCore management has solid security DNA. Oded Horovitz spent 5 years at VMware, where he developed vShield and VMSafe security products. His co-founder Dr. Stephen Weis has a Ph.D. in cryptography from MIT and designed Google’s two-step verification system. Right now they are the extent of the company, with former VMware principal engineer Dr. Carl Waldspurger on as an advisor."

[quote]But do you think Intel will risk its company by building a backdoor into it?[/quote]
Do you think RSA would risk weakening their encryption products?

They did:
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

I expect Intel to honor national security letters (NSL).

[quote]So to hide this backdoor from the whole world would be nearly impossible for the US government.[/quote]
There are very few people who really understand sophisticated CPU design. I've read that even their own engineers who have the blueprints don't understand it all. Are there really so many people out there qualified to find such backdoors and really looking? Please don't just assume it. That can go terribly wrong.
[quote]And last but not least, if there were a backdoor in it, the USA would use it for the "highest level top secret spy" and not for citizens who try to protect their privacy.[/quote]
Not long ago, people thought the NSA respects the US constitution. Won't spy on US citizens. Those who said otherwise were labeled as conspiracy theorists. From what we learned thanks to Snowden, it's easy to extrapolate what they're up to. Also they did worse things in the open, such as war crimes. They're neither bound by ethics nor intelligence (which is in my opinion related to ethics).

Currently I would translate their attitude as “fuck you! we wiretap all of you! what you gonna do about it? attack us? ridiculous!”.

When some day we would find out that all major CPU’s are backdoored by default, their attitude could be “fuck you! yes, we backdoor all CPUs. what you gonna do about it? develop your own one? ha! you’re only 30 years of research behind us. ridiculous!”

I am afraid to say, I wouldn’t be surprised and find it quite possible.

[quote]Yes, it is a paid service, starting with about 500 USD/month, so it is designed for big companies.[/quote]
Companies are not to be trusted. Read how the NSA forced Google, Facebook etc. to grant them direct server access?

The question is, is PrivateCore privacy by policy (“we know our sources, we promise we didn’t add a backdoor”) or privacy by design “(even if we got a NSL, we could not comply for technical reasons)”?

[quote]Also they have a great team: "PrivateCore management has solid security DNA. Oded Horovitz spent 5 years at VMware, where he developed vShield and VMSafe security products. His co-founder Dr. Stephen Weis has a Ph.D. in cryptography from MIT and designed Google’s two-step verification system. Right now they are the extent of the company, with former VMware principal engineer Dr. Carl Waldspurger on as an advisor."[/quote]
Sure. Sounds great. No offense against them. I don't know them. But I don't give a lot of consideration to such things. A great CV doesn't say anything about their current motives. I am sure there are country leaders, Ph.D. anything, who started wars and managed to kill thousands of people. I'd be more convinced if they provided deterministic/verifiable builds, and if they could for technical reasons not betray others.

I agree with you in all points, but we have to decide between “100% safety” and “I do my best, safety”.

100% safety works like that:

Can I 100% trust Intel? No
Can I 100% trust security firms like PrivateCore? No
Can I 100% trust encryption algorithms? No
Can I 100% trust the Tor Project? No
Can I 100% trust Whonix? No
Can I 100% trust Adrelanos? No

So take your PC, laptop, tablet and your phone, open your BBQ grill, make a big fire and burn all these things to hell.

Is the door of your house unbreakable? Is the door of your car unbreakable?
I think not, so do you always leave it open, because it is useless to close it?
No, you close your door, because you take the best protection that you have, and maybe you buy an alarm for your car and maybe you buy a garage for your car; all this makes it a bit better, but far away from perfect protection.

I think we should take the best that we have and try to make it a bit better (and discuss the how-to).
This is a big problem in forums like this: a lot of people answer all questions with things like “Brute force can break this” or “That's useless against cold boot attacks” or “The NSA is able to locate you anyway” or “A Trojan/keylogger can steal your password”.

So paranoid people talk about paranoid scenarios. But this is not the real world, not everybody is Osama Bin Laden.
The fact that they can do something does not mean that they will do it (time and money are the keywords here).

Did you ever think about a VM inside a VM?
I tried this, but only very briefly, because at that time VM in VM didn't work well (not sure what the current situation is).

But if this works now (or in the future) it could be possible to make a very secure, fully encrypted host VM.
This special host could run the Whonix Gateway and Whonix Workstation inside.
(I think the PrivateCore software is based on nearly the same idea.)

This setup could be used/copied/transported on USB sticks, servers and unencrypted computers of friends, work or family and in any other unsafe scenarios. Is it possible and useful, in your eyes, to create something like this?

I get your point. But I’ve given up hope on non-Free products.

[quote]Did you ever think about a VM inside a VM?[/quote]
Yes.
[quote]But if this works now (or in the future) it could be possible to make a very secure, fully encrypted host VM.[/quote]
A VM above other VMs still isn't as good as a host. If the host was compromised, still all VMs would be compromised.
[quote]Is it possible and useful, in your eyes, to create something like this?[/quote]
I don't know if it's possible. Could be useful.

[quote]A VM above other VMs still isn’t as good as a host. If the host was compromised, still all VMs would be compromised.[/quote]

I know that a fully encrypted host PC, in a special locker, with a power-off on opening, is better.

But what if I would like to use my Whonix at a friend's on his PC?
If I would like to use my Whonix at work?
Or if I need a Whonix on a server?

This VM in a VM would be no perfect protection, but could improve it.
The question is how big the benefit is and whether it is worth the work to build this.

[quote]But what if I would like to use my Whonix at a friend's on his PC? If I would like to use my Whonix at work?[/quote]
I do not have an answer to your question on running Whonix (perfectly safe) in a datacenter. I even doubt there is a solution after all - adrelanos mentioned a lot already in that regard.

As of your desire to use it at work/at a friend’s pc, i.e. a portable Whonix if you will:

  • Install Debian on USB with full-disk encryption, except /boot + Grub
  • put /boot and Grub on some second unencrypted USB
  • then just install Virtualbox and import the DL VMs (Gateway + Workstation)

This setup should be pretty safe (at least as safe as it gets with current technology) as long as you store the two USB sticks away from each other and do not leave the running Whonix unattended.

Also Whonix Forum may be interesting for you if using such a setup. Basically it’s a kill-switch for the full-disk encryption.
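As an added example (not code from this thread or from the Whonix project), here is one way to build the kill-switch idea above on top of the portable full-disk-encrypted USB setup, combined with the earlier "remove power as soon as something happens" advice: when a designated USB token is unplugged, udev runs the script, which wipes the LUKS keys from kernel memory with `cryptsetup luksSuspend` and then powers the machine off through SysRq. The token serial, the script path, the udev rule and the assumption that `/` sits directly on a LUKS mapping (no LVM in between) are all mine, not the thread's.

```shell
#!/bin/sh
# Added example, not from this thread or the Whonix project: a "kill switch"
# for the portable full-disk-encrypted USB setup. udev runs this script when a
# designated USB token is unplugged; the script wipes the LUKS keys from kernel
# memory (cryptsetup luksSuspend) and then cuts power via SysRq, leaving a local
# attacker with no plaintext mounts and no key left in RAM for a cold-boot grab.
#
# Assumptions (site-specific placeholders): the token's serial is
# TOKEN_SERIAL_PLACEHOLDER, the script lives in /usr/local/sbin/fde-panic.sh,
# "/" is mounted directly from the LUKS mapping (no LVM in between), and
# kernel.sysrq permits the poweroff key (e.g. kernel.sysrq=1).
#
# Install as root:
#   cat > /etc/udev/rules.d/99-fde-panic.rules <<'EOF'
#   ACTION=="remove", SUBSYSTEM=="block", ENV{ID_SERIAL_SHORT}=="TOKEN_SERIAL_PLACEHOLDER", RUN+="/usr/local/sbin/fde-panic.sh panic"
#   EOF
#   udevadm control --reload

# Print the names of all dm-crypt mappings, given `dmsetup table --target crypt`
# output on stdin (one line per mapping: "<name>: <start> <len> crypt <args>...").
# Reading stdin instead of calling dmsetup keeps this function testable offline.
crypt_mappings() {
    while IFS= read -r line; do
        case "$line" in
            *': '*' crypt '*) printf '%s\n' "${line%%:*}" ;;
        esac
    done
}

# Reorder mapping names (stdin) so that the one backing "/" ($1) comes last:
# once the root mapping is suspended nothing on the root filesystem can be read
# any more, so every other container must already be suspended by then.
order_root_last() {
    root="$1"; seen=0
    while IFS= read -r name; do
        if [ "$name" = "$root" ]; then seen=1; else printf '%s\n' "$name"; fi
    done
    if [ "$seen" -eq 1 ]; then printf '%s\n' "$root"; fi
}

# The emergency action. Everything it touches after the last luksSuspend must
# already be in RAM: the shell builtins used below are, and the two binaries are
# read once up front so their pages stay in the page cache.
fde_panic() {
    cat "$(command -v cryptsetup)" "$(command -v dmsetup)" > /dev/null
    sync                                   # dirty pages are lost at power-off anyway
    root_map=$(findmnt -n -o SOURCE / | sed 's#^/dev/mapper/##')
    for name in $(dmsetup table --target crypt | crypt_mappings | order_root_last "$root_map"); do
        cryptsetup luksSuspend "$name"     # blocks I/O and wipes the key from kernel memory
    done
    echo o > /proc/sysrq-trigger           # immediate power-off, no clean shutdown
}

# Only act when invoked by the udev rule above with the "panic" argument, so
# sourcing or dry-running the file does nothing.
if [ "${1:-}" = "panic" ]; then
    fde_panic
fi
```

The script must be readable before the first suspend (it is, since udev reads it from the still-open root), and a clean shutdown is deliberately skipped because it would need the disk that was just made unreadable.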

You shouldn’t use her operating system. Not because of distrust, but because having a malware free operating system is a science and an art. If you trust the hardware, bring a USB bootable disk and boot that. I would advise against using remote desktop (ssh), since malware on her computer could still monitor everything you do.

Best is, same as above. I would advise against installing Whonix on your employer's operating system without permission, but that is up to you. Whonix can be useful for businesses as well. See: Who uses Tor?

Well, my answer is still the same. I don’t have great answers to this. Any online shop may ask “how can I protect my customer database from data center admins?” After all, stealing the whole customer database has value. A competitor could try to poach the shop owners customers. Without the shop owner even noticing what happened. Looks like IT industry doesn’t have great answers for that.

[quote=“adrelanos, post:13, topic:65”][quote author=donothackme link=topic=46.msg465#msg465 date=1392596870]
But what if I would like to use my Whonix at a friend's on his PC?
[/quote]
You shouldn’t use her operating system. Not because of distrust, but because having a malware free operating system is a science and an art. If you trust the hardware, bring a USB bootable disk and boot that. I would advise against using remote desktop (ssh), since malware on her computer could still monitor everything you do.[/quote]

Thanks to Adrelanos and Cerberus, this workaround is easy and solves the problem.

[quote=“adrelanos, post:13, topic:65”][quote author=donothackme link=topic=46.msg465#msg465 date=1392596870]
If I would like to use my Whonix at work?
[/quote]
Best is, same as above. I would advise against installing Whonix on your employer's operating system without permission, but that is up to you. Whonix can be useful for businesses as well. See: Who uses Tor?[/quote]

Thanks to Adrelanos and Cerberus, this workaround is easy and solves the problem.

[quote=“adrelanos, post:13, topic:65”][quote author=donothackme link=topic=46.msg465#msg465 date=1392596870]
Or if I need a whonix on a server?
[/quote]
Well, my answer is still the same. I don’t have great answers to this. Any online shop may ask “how can I protect my customer database from data center admins?” After all, stealing the whole customer database has value. A competitor could try to poach the shop owners customers. Without the shop owner even noticing what happened. Looks like IT industry doesn’t have great answers for that.[/quote]

So for sure a fully encrypted dedicated root server is needed, for minimal security.
But also this will not bring the owner of the server into a well protected situation.
I think this is totally crazy: a server can hold thousands of customers' addresses, phone numbers, e-mails, credit cards, bank accounts, and all this together with passwords. Also a free-speech forum post can bring you, in some countries, to jail if it comes to a deanonymization of your person.

And there is no fuc… security and privacy for all this critical data in a well-paid datacenter?
Is there anybody out there in the IT industry who wonders about 70 million stolen PlayStation records?
Or about 16 million stolen e-mail/password records?
If I read all these things, I think the door is wide open for any kind of hacking and industrial espionage.

Also another question: will the traffic of a Tor/Whonix connection alert an ISP or a datacenter?
(I know that if an ISP or a datacenter observes the traffic, then they can see that it is Tor traffic.)
But is there a kind of automatic “alarm” in ISPs/datacenters that marks (blacklists) you as an “abnormal” customer if you start to use a Tor connection from your account?

[quote=“donothackme, post:14, topic:65”]And there is no fuc… security and privacy for all this critical data in a well-paid datacenter?
Is there anybody out there in the IT industry who wonders about 70 million stolen PlayStation records?
Or about 16 million stolen e-mail/password records?
If I read all these things, I think the door is wide open for any kind of hacking and industrial espionage.[/quote]
The door is wide open here. I doubt though that it’s the datacenters that are most vulnerable here. Actually it’s the consumers that are using proprietary software (think Windows) + the consumers that carelessly share whatever information on FB and other services (think spear phishing) and click on whatever attachment reaches their inboxes (think malware).

[quote]Also another question: will the traffic of a Tor/Whonix connection alert an ISP or a datacenter? (I know that if an ISP or a datacenter observes the traffic, then they can see that it is Tor traffic.) But is there a kind of automatic "alarm" in ISPs/datacenters that marks (blacklists) you as an "abnormal" customer if you start to use a Tor connection from your account?[/quote]
I guess this very much depends on the datacenter. There are Tor-friendly hosts out there (see Tor wiki: friendly ISP) and quite the opposite. An automatic "alarm" isn't too much of voodoo-thinking here actually. If the datacenter wants, it certainly can flag you - automatically - as a "troublemaker".