Whonix experimental for how long

No, “digging” is not required in properly structured guides.

I just went through the Proxy after Tor page. I looked at it in the past, it seemed too complicated. Now I was determined so I tried again. It took me about 2 hours, all I wanted was to find out “how to use a proxy after tor, for the specific case of tor browser”. And you know what? Now that I understand, if I need to explain it to someone, verbally or in writing, it would not take me 2 hours. It would take me exactly 2 minutes.
This page contains all possible methods for every tool whatsoever, and it contains methods that are “untested, please report!” or “unfortunately don’t work” (followed by a detailed account of the steps for the method that doesn’t work!). It contains references to disputes and fights between developers of proxychains, it mixes technical steps with doubts about motivation to use tools, I couldn’t have written a more cluttered page if I tried.

Whonix works. It can be improved but it is good. Reading the docs is like looking for a needle in a haystack. Not complicated:

  • A user isn’t a search engine that can index all the info by DFS or BFS tree scan. Too much info can be as damaging as too little info.
  • A user isn’t a compiler either that requires block inside a block inside a block inside a block.
  • Start by concentrating on the most common issue, and on the simplest solution! 80% or more of the readers need just that!
  • If there are methods that are untested or are not working at all, don’t put them in the middle of the document! If you must include them at all, do that at the very bottom or better as a link at the bottom! Don’t put “TODO” notes in the middle of a guide that everybody reads! Isn’t there meta-info for a page or a better place?
  • Understand to clearly separate stuff an average user can do and material for advanced or even “testers only” info.

I can go on and on. It is frustrating.

The more you save the further away you get from security. This should be clear to all users. If you have a reference to a case of malware that was found in a Tails USB device in a hidden folder that will be an interesting read.

I don’t see how FDE solves any of that. The data is there and in many cases the attacker can either get to it independently or through you. When you have logs, browsing records and traces every application leaves, (in the case of Whonix) versus saving only the data you absolutely have to (in the case of Tails), there is a big difference.

I wouldn’t be so sure. It’s not only what you store, it’s everything you type, put into the clipboard, view, everyone you communicate with (some of those people will not maintain any OPSEC at all…) and so on. Unless you keep a completely fictitious identity inside each and every action this tracking can deanonymize you.
Of course, a malware in Tails will quickly get your IP. It may make more sense to use a remote connection with Tails.

Shared clipboard settings allow that.
Points I didn’t mention before:

  • Attack surface. Tails users are discouraged from adding more applications, Tails project makes a lot of effort to include enough tools, good tools, for most users. Whonix, which does not have an amnesic issue, contains fewer tools, but encourages users to install others. This potentially can create a much larger attack surface in Whonix-Workstation.
  • Whonix-Gateway is minimal, but we have here 2 different systems that can be compromised, plus the host, plus the hypervisor. Is this a smaller or larger attack surface?

This, when I first found Whonix I was digging the docs for a very long time and was learning a massive amount about privacy, security and anonymity. It is one of the few places where this much information about these topics is collected and I learned a lot while reading.
There are a lot of sites that try to limit the info they expose to the users, which isn’t helpful if you want to learn as much as possible about these subjects. So I disagree heavily with Pano, what you deem as useless might be helpful to a lot of people who try to understand all this.

Then describe it in 2 min and put it on the Wiki, why don’t you just add your “2min” explanation ?

Why are you so sure about that? Where is the other part of the 80% complaining ?

It’s really frustrating to read your posts, you complain about stuff you could easily fix for yourself and keep ignoring the fact that Whonix needs more of everything.

I don’t want to comment on the rest, someone with more patience can do that.

My 2 satoshis…

2 Likes

Wow this thread has exploded. It’s nice to see lots of enthusiasm, but there’s a lot of discussion here that wasn’t at all the point of this thread. When organizational stuff comes up everyone starts counting the problems they see and the mood can quickly start to look bad, but that is actually a fake mood. I for one think Whonix is a great success! The community is wonderful and the mood here feels great! There is no place I know of, where important privacy questions are listened to and addressed like here. To gain knowledge you need to make a personal effort and study, there is no other way. People who don’t understand this always have a disproportionately loud voice. Sometimes the forum answers may seem incomplete, but that is almost always a false impression. Some reasons for this:

  • the information is readily available if you just search
  • the sources provided contain the answers or are the proper starting point for further research
  • the question is hard and no one knows the answer
  • the problem has no perfect solution or not a better one than provided
  • the people who would need to most, don’t find explanations such as this one
  • the guide How To Ask Questions The Smart Way is not familiar

The regular answer-givers may sometimes feel that they are asked to write the too obvious, but that is just part and parcel of such a project. Especially if you work on it for years, users will come and go and questions will be repeated. This is a sign of good health, the project seems vibrant and active to me. I think questions and suggestions may often come out harsh when they weren’t really meant so at all. Contributors are probably prone to such an impression, the postings above speak for this.

Whonix has the best documentation on privacy and anonymity, it’s like a treasure. There is so much to learn here and any privacy curious user would agree. I disagree strongly with some postings above, the documentation shouldn’t only be a set of instructions to follow. In places it is outdated or incomplete, but this is not a big problem. It is mostly very good and provides a uniquely rich resource on the topic of privacy. A big shout-out to everyone who put it together! :heart_eyes:

Whonix is the most universally useful from the trio of Qubes, Tails, Whonix. Tails is something you can use on occasion, but as the number of public computers continues to fall due to ever expanding wireless networks, its significance will diminish. Already now the use case for Tails is very limited and it will continue to shrink. I think Tails users are few and far between and the website reflects this. There’s virtually no documentation and the information provided is very scarce. The support is poor and insufficient because it allows for no discussion at all. You get a very brief email from someone lacking much time and so also interest in your question. Whonix is better than Tails in every aspect and hugely superior in terms of support. There is no comparison here.
Switching to Qubes is such a big step that it is only suitable for professionals or very enthusiastic users. But these users are very capable and interested so it may seem like their community is strong. Whonix is what “beginners” i.e. less knowledgeable or committed users will use. It’s like an entry point to security and privacy focused operating systems. That is why an impression may arise that more support is asked for. Let’s not forget Whonix plays a very important role in Qubes itself, there is no tool to match.

Back to the topic of discussion

I’m not sure how best to convey that the project is mature and recommended for use but at the same time could greatly benefit from more help. Probably any project designation would be inadequate to do this. What prompted me to start the thread were some of the goals listed here which just don’t make any sense to me. Make users more clever? Make weak password stronger? Really? Just how do you propose to do that? Don’t let perfect be the enemy of good. Like I said at the start - Whonix can’t solve all computer security problems, no one system can.

I don’t feel experienced or knowledgeable enough about Whonix to say what the best designation would be at this time. But I feel that some of the goals are just dreams we all have about computer technology but that no one on planet earth has found a solution for yet. Whonix must aim to be a fully torified operating system which does not allow anything running inside it to leak the real IP address. If that goal has been reached say so very clearly! Then say what the project’s real shortcomings are. A proper security audit or something else, you’d know better than me. Giving it the experimental label makes it look like it’s under heavy development and very unreliable. Saying not to rely on it for (strong) anonymity is surprising, is this also the case for Tor in general according to your criteria? Whonix is actually the best tool out there for using Tor, from what I gather this is also your view. If using Whonix is more safe than just using Tor Browser this must be obviously declared. There is no virtue or benefit in false modesty. No one is better off for it.

I just think more accurately conveying the state of usability and reliability of Whonix would be good at some point. There shouldn’t be a rush, but it’s definitely worth thinking about. Look at all that I wrote, but even I’m not sure how much I can rely on Whonix, given all the warnings. You really need to look long and hard before you can know and I’m not there yet. You may feel such cautiousness is exactly right and exactly how you want users to think. But this will keep Whonix always on the fringe, when it could improve the security and privacy of so many new users. Some of them won’t be careful enough to stay anonymous no matter what tool they use. Let’s not forget the target audience of Whonix is not huge to begin with. How many computer users run hypervisors, let alone for security? More users would make the project stronger, new contributors would appear. Let Whonix grow!

4 Likes

@pano

I can understand your frustration and would agree that the wiki is a little confusing at times. The wiki could use some readability edits here and there. But frankly that is not a priority nor should it be. As you have heard the project is low on resources and that dictates what gets done and when. Now, it’s not that we don’t want to improve the readability of the docs. It’s just that there are much higher priority edits. What’s important to me is users have the information they need to stay safe. If they have a question or can’t find something they can find help on the forum.

As you keep on mentioning all the warnings, clutter, low resources etc. I’ll address that.

  • Warnings on every page: they serve a very important purpose. Many of those are there to keep users from making mistakes. Many of which would have serious consequences so the warnings have to stay. If you can find a way to organize those a little better that would be great. But they need to be blatantly obvious to readers.
  • TODOs - not going to waste mine or anyone else’s time with this.
  • Wiki pages too long for people with time restraints: Whonix/anonymity is not easy. There is lots of technical information. Shortening the pages will not help anyone understand any better. It takes time, there is no way around that. It will get easier once you’re more familiar with the wiki.
  • Wiki pages too cluttered - the pages are broken up into sections so I’m not sure what you mean. If I want to find out about bridges. I go to the bridges page and all the information is there. As it should.
  • Outdated information (yes there is). Solution: Whonix community gets off their butts and starts making contributions.
  • Not enough resources to [… ] - if the community would like better Whonix docs, features etc start contributing! If you have a good idea what’s stopping you? If it’s more experienced community member(s) telling it will not work, there is a reason. You don’t think we have thought of this stuff before? The current wiki contribs don’t have the time, period. We have a long list of edits that take priority. Would you like the old outdated info to be updated? Or would you rather have the wiki look pretty?

If you would like to help out that would be awesome! If you see a mistake in the wiki just hit the edit button. For larger wiki contribs I would suggest copying the chapter to a text editor and make the edit there. If you try directly editing the wiki you may lose your session data. Then you’ll have to start over and let me say I’m speaking from experience. For the most part the important thing is content. Once you complete that, torjunkie and I can help you with what to do next.

1 Like

That’s exactly the reason I gave the example of Tails documentation. 3-4 paragraph pages that give an answer to a specific problem are perfect. See what they do!
You can just claim everything is perfect or you can learn from projects that are, well, more successful and have more following, and, yes the quality of how you communicate stuff matters big time in that.

Whonix/anonymity is not easy. There is lots of technical information. Shortening the pages will not help anyone understand any better. It takes time, there is no way around that.

This is where you get it wrong. Things aren’t easy meaning the guide should strive to be as crystal clear as possible. Many pages in the wiki take a tricky subject and then make it even more complex than it should be. I suggest you read again the page (warning: it will take time) I refer to and see for yourself.

Wiki pages too cluttered - the pages are broken up into sections so I’m not sure what you mean. If I want to find out about bridges. I go to the bridges page and all the information is there. As it should.

No, it is overwhelming to get a huge page, with sections inside sections, blocks inside blocks inside blocks, that contains many things that are irrelevant to any specific user (apart from being outdated sometimes or “unfortunately not working”), when you have a question about something very specific. Specifically if you want to understand Proxies after Tor in the case of Tor Browser, you have to collect info from many different areas of the page I mentioned, and skip many others in the way. Meaning, practically you have to go through everything to make sure you didn’t miss an important detail. And, average user will not even understand half of it.

You forget who reads it. If you wish to write specs for engineers only, then perhaps you’re right. If you truly want to be accessible to people of different backgrounds, you need to make things friendly. I don’t know which planet you came from, Mr. Spock. Nobody here has any experience working with people? Easy solution, just dump everything in whatever format, when someone criticizes, imply they’re lazy or stupid or what not.

If you would like to help out that would be awesome! If you see a mistake in the wiki just hit the edit button.

I can write specific, well understood pages for common problems. But if you just stick them as sections in a 6,000 words page that will not be helpful to anyone.
Why do you think places like StackOverflow are so popular and so useful? How many votes do you think an answer there, that just sends a link to a 6,000 words page of any programming language’s docs, will get?
Think “one problem one page”. Of course this does not apply to all issues in the world, but to common problems. And only such that can be clearly defined and isolated to a specific issue.
Example: “How can I use Proxies after Tor with Tor Browser?”. In this page we DO NOT write about every other possible application under the sun, we don’t explain what is wrt, we don’t detail every approach that “doesn’t currently work”, and we don’t discuss the relationship between proxychain developers.
Simple question → simple answer. And yes, there will still be place for proper warnings, as well as a link for more detailed documentation.
Interesting?

fish, sorry for taking your thread off-topic.

I generally agree with everything you say here, Whonix should be promoted based on its actual benefits, rather than try to further undermine itself using titles such as “experimental” or “research project”.

Now this is interesting. Was Whonix ever subject to an external security audit that was published?

Simple solution:

Qubes-like “Quick Guide” sections at the top of each relevant entry.

e.g. Create a sys-net DispVM in Qubes:

[dom0]: qvm-create -P <pool_name> --template service-dvm --class DispVM --label red disp-sys-net
[dom0]: qvm-prefs service-dvm virt_mode hvm
[dom0]: qvm-prefs disp-sys-net provides_network true
[dom0]: qvm-prefs disp-sys-net netvm ""
[dom0]: qvm-pci
[dom0]: qvm-pci attach --persistent disp-sys-net :
[dom0]: qvm-prefs disp-sys-net autostart true
[dom0]: qubes-prefs clockvm disp-sys-net

etc.

(No descriptions at all, just a label e.g. “sys-net DispVM Creation”, and commands. Advanced users and those in a hurry can just get it done.)

If someone was ambitious, simply do this for the most relevant sections of the main wiki e.g. security-related, updating etc. Create a new wiki page - “Whonix Pocket Reference” or “Whonix Cheatsheet”. Categorize the entries as relevant.

Then, put the maintainer tab up there with your name on it. Update it as things change, are deprecated, are updated/upgraded etc. Win a gold star from the Whonix team and end the forum debates on this easily solvable problem.

I estimate you could do most of the important wiki pages on the main ToC in one day’s work, maybe two.

There’s enough verbiage in this thread, that 5-10 pages could have been completed in the wiki with the same word count applied to this topic alone.

Lots of ideas and people come through the forums, but maybe 1/200 people actually contribute by hitting the edit button or submitting Whonix code.

3 Likes

The easy solution would be for community members to actually contribute to the project and not just complain in the forum. You have all these ideas (a lot of them good) but you keep on making excuses as to why you won’t contribute.

Are you going to actually help out? Or do like most critics and just stir the pot a little and leave?

Here is what it comes down to. Put up or shut up!

2 Likes

As already said by others: If you don’t like a specific wiki page, feel free to change it.

Where do you get the number from? Proxy before or after Tor is certainly not one of the common issues. Where do I get this from? My gut feeling. So I could be wrong. If it would be relevant for 80% of the common users there would probably be more complaints and the respective wiki page would look more polished.
It is one of the inherent issues of such a project, that you don’t really know what the average user does or needs. Therefore you have to use common sense™, gut feeling … .

True.

Would be pointless. As soon as you use your usb device you increased your attack surface by introducing an additional point of persistence. Why did you do that? For convenience. It is always the same tradeoff. Use your favorite search engine with something like: usb malware hidden partition (or any kind of other USB exploit). Sure it would be not the average ransomware but more likely a targeted attack. Though there is always some kind of trickle down effect where the average bad guy starts to use such tools and not just the nation state attacker.
Tails was on the list of Zerodium so there is certainly a demand for such a thing. Whonix is not there yet, but if it gets used more and more it probably will.

There is certainly a higher risk the more data you have. But how did the forensics guy get to your location? Why and how did he send you some malware in the first place? If they exploited you once they likely can do it again since they expect you to hang around at certain places/websites. With Tails they will get your IP faster, connecting to a remote wifi will maybe slow them down but as @entr0py said in another thread: when they know your rough location or wifi you connect to then correlating your traffic + on/offline times etc starts.
If TheMan knocks on your door then because they already have something. The more FDE is used the more will forensics people work on getting you while the PC is running. If they get the PC with Tails or Whonix while it is running you probably lost.

True. So maybe it would be a wise decision to do that because:

If someone at the other end f***s up neither Tails nor Whonix can help you.

Take a look at today’s Tails website :wink: Guess what they did. Increasing the attack surface?

It does, see my last post.

This is the good old attack surface vs virtualization discussion which has been going for years. My gut feeling (again) tells me the virtualization side sort of won. At least a certain project which initially was a proponent of “muh attack surface” started to introduce a hypervisor not too long ago. Hiding your hardware serials is going to be hard without virtualization. I really miss some kind of PC or SBC which shares exactly the same components and serial numbers :frowning:
If we say attack surface is only about lines of code then you are certainly right. You can come up with a gateway of maybe a few megabytes in size and also a workstation with just the browser for something like 300-400 mb (or maybe lower depending on the OS). Still way below what Tails has. You can also just use curl or wget for “surfing” and decrease your attack surface even more. However, now you maybe stick out of the crowd. Anonymity is hard. In the broader sense attack surface or let’s say vulnerable people is also about certain tradeoffs like convenience. It is harder to debug such systems, make changes, maintenance over time … . Normal users are used to some kind of windows like gui … You can create a 99.9% secure™ system for 1% of the people or a 90% secure system for 90% of the people.

Thanks torjunkie, looks good, whining and ranting is great but contributing can be fun too I guess.

2 Likes

Of course it isn’t. The argument I am making is how a specific issue should be documented: in the scope of “Using a Proxy after Tor” page, the vast majority of users will be interested in doing that for the Tor Browser, and not for other applications (for example wget or curl or anything else).

If the page started with a clearly separate section just about that (in reality the case of Tor Browser is discussed in at least 3 different separate parts throughout the page), or better if there was a separate page just for “how to use proxy after Tor Browser”, it would solve the issue for 80% of users. And would be much shorter and simpler without sacrificing warnings or any important detail.
Why 80%? Yes, also a gut feeling. But I think you will agree with me that the Tor Browser is, by far, the most used application in Whonix?

The discussion about Whonix vs. Tails can go on forever. Since you see I spend time with Whonix you can understand that I don’t think it’s inferior. I do think the point of “workstation does not see the IP” is emphasized too much. When you have many people relying on Whonix, and naturally those people have reasons to use this non-trivial setup, Whonix-Gateway becomes a very valuable target to exploit. But again this is off-topic.

@pano It’s not that we don’t understand or even disagree with what you’re proposing. Please take 2 mins and glance at this thread from two years ago. splitting Whonix documentation into a short and long edition for better usability - #10 by entr0py. I even proposed an outline to streamline the docs. It never got done. Why? Because I didn’t do it. You know the saying… ideas are like assholes… I thought I had a good idea but why would I expect anyone else to do it? Every single person here is part-time, volunteer, and busy with a million things. If you have spare time to implement your ideas, we’ll welcome you!

This thread has grown to 3 topics:

  1. Whonix development status label
  2. Documentation
  3. Whonix vs Tails

I think it’s time to give @fish back his thread.

The Whonix vs Tails discussion is a good one to have. If I could, I would split this thread into multiple topics but it looks like individual posts are moving back and forth between topics. Here’s a new thread if you want to continue the discussion. Whonix and Tails Discussion. Feel free to copy/paste from this thread. Hint: Many wiki pages are born from just these types of discussions.

2 Likes

One can’t make everyone happy.

VPN / proxy / tunnel documentation is a complex beast indeed.

However, note on
Tor Browser Essentials we mention:

It is possible to combine Tor with tunnels like VPNs, proxies and SSH.
The traffic can be sent through both Tor and the second tunnel, in
either order. However, this is an advanced topic and appropriate only
for special cases. Adding a second connection does not automatically
improve security, but it will add significant complexity. The potential
positive or negative effects on anonymity are being controversially
debated. ( TorPlusVPN · Wiki · Legacy / Trac · GitLab )

The Whonix project remains technologically neutral in the anonymity
discussion. The improper combination of Tor and another service may
actually degrade a user’s security and anonymity. These configurations
are difficult to set up and should only be attempted by advanced users.
For the vast majority of Whonix users, using Tor in isolation without a
VPN or proxy is the correct choice.

It’s always been a minority of a minority using this. An even smaller
minority using it for the right reasons or having a good reason for
using it. Let alone before all of it was documented, using it in sane
ways, that is using a fail closed mechanism if their use case demands one.

We recently noticed that most users may need only censorship
circumvention by remote servers which is way easier reached and now
documented here:
Tor Browser Essentials

Please don’t use the VPN / proxy / tunnels documentation as a prime
example to discuss how Whonix documentation should be structured.

@torjunkie:
Qubes-like “Quick Guide” sections at the top of each relevant entry.

I like that.

What about this style?

Advanced users and those in a hurry can just get it done.)

I think perhaps better these should target beginner type users?

If someone was ambitious, simply do this for the most relevant
sections of the main wiki e.g. security-related, updating etc. Create a
new wiki page - “Whonix Pocket Reference” or “Whonix Cheatsheet”.
Categorize the entries as relevant.

What about this style?

Since I am a too technical person, I will most likely tend to the
community judgment on which style is easiest for beginners (on separate
page; or easy section on top of a page; or alternative suggested solution).

Then describe it in 2 min and put it on the Wiki, why don’t you just add your “2min” explanation ?

That would be cool.

Then we’ll have 20% frustrated users. Not sure that would be more or
less than now and probably no way to know.

Was Whonix ever subject to an external security audit that was published?

No, related:

fish:

Saying not to rely on it for strong anonymity is surprising, is this
also the case for Tor in general according to your criteria?
Yes.

See:
https://forums.whonix.org/t/whonix-experimental-for-how-long

3 Likes

From that link:

This security bug was used to craft an exploit which was able to break the Subgraph OS security model.[7] Since Subgraph does not contain Nautilus in an Oz sandbox, [8] once the malicious script was executed, it would have enabled access to much of the user’s data; PGP keys, SSH keys, stored email, documents, password databases, MAC addresses and nearby Wi-Fi access points.

This sensitive information could be used by attackers to deanonymize the user. Whonix defeats this attack and others like it. Since Whonix-Workstation is isolated from the host and Whonix-Gateway, even if a malicious .desktop script is executed, no information can be gathered about the external IP address, hardware serials or sensitive user data.

External IP address or serials, MAC addresses, Wifi data - that’s understood. But I don’t see anything in Whonix-Workstation stopping this script from sending the other data stored locally, such as the PGP keys, SSH keys, stored email, documents, password databases etc.

Whonix does not filter the content of outgoing traffic. Please edit the page.

Very interesting read! It’s nice to see such activity on the forum! I encourage everyone with improvement suggestions to actually contribute, for example on the Wiki…

Done!

https://whonix.org/w/index.php?title=Security_in_Real_World&oldid=33705&diff=cur

//cc @torjunkie

2 Likes

@0brand! You stole pano’s first edit! :slight_smile:

2 Likes

Oops! Should I revert the edit? :stuck_out_tongue_winking_eye:

Just made another edit to that chapter. (I’m my own worst critic.) I think it just needed to be clarified a little. The phrase “sensitive data” or “sensitive info” can mean something different to each person.

I made sure readers understood the sensitive data that was referred to was external to Whonix-Workstation. Also added some info into footnote.

Let me know what you think