Whonix on macOS

For Whonix on macOS:

(Edit by Patrick. Original post unmodified below.)

---

Hi guys,
I read up on which operating system to use to run whonix. In the wiki it doesn’t recommend to use Windows as it is likely to be infected already with some sort of malware which cannot be removed.

I am currently running whonix on mac osx. Knowing that it is much less likely affected by malware, is it preferable over windows?
I know ideally a linux based OS should be used, but because I use MacOsx for my other work I wanted to use whonix in virtualbox for my surfing, emailing and other sensitive areas. I’m hesitant to change completely over to Linux based OS just yet.

What are your thoughts on this?
thanks

You have to keep in mind that Mac OS X is, just as Windows actually is, a proprietary operating system. So, basically, unlike with a Linux Host, you’re not really in the driver seat here. Windows also doesn’t come with malware out of the box (while this depends on the respective definition of malware), but you may classify some default system behaviour as spyware, i.e. “phone home” features and as a result … information available (out of your control) to a watching adversary. Mac OS X most likely isn’t much better here.

Other than that, it’s in general advisible to use a dedicated host operating system (and even better dedicated hardware) for Whonix, if you depend on strong anonymity.

That said, what about using a dual-boot Mac OS X/Debian setup if you depend on Mac OS X for your other work? That would at least be one step ahead.

PS: What I’m trying to say, is, that a Windows computer attached to your real identity is basically “burned” as soon as you connect it to the internet for the very first time as you have to assume that Microsoft has access to your identity information + unique hardware serials of that particular PC. And as Microsoft as a company is known to “share” this information, you cannot use that particular PC anymore without a certain risk involved. I would think that Apple isn’t much better here. That is to say, you certainly can use both Mac OS X and/or the Mac hardware that’s attached to your identity for Whonix. At the end of the day, you have to decide about your level of paranoia. I’m just trying to raise your awareness.

Thanks so much for your advice Cerberus, that is really helpful.

I do agree with all you say and have made the decision to sell my mac, buy a hardware and run Mint on it with whonix via virtualbox.
For my work, I still need Windows though so I will make it a dual boot on that computer, making sure that I will not use any sensitive information on the windows platform.

Would that do it in your opinion?

Would that do it in your opinion?

It actually is pretty hard to give some good advice here without knowing what requirements you have in terms of both privacy and anonymity (privacy and anonymity are not even close the same thing but actually very much different).

If you depend on strong anonymity, I would recommend you buying dedicated hardware for Whonix. Buy it in cash. Install a minimal Debian host operating system + Virtualbox and load Whonix. Consider utilizing a Physical Isolation setup, i.e. Whonix Gateway physically isolated from the Debian host you’re using for Whonix Workstation. I wouldn’t even use my regular internet connection for using Whonix/Tor. That said, adrelanos provides a whole lot of useful information on the wiki. Try to absorb as much as possible to get an understanding of actual surveillance and the technology + counter-technology involved. So far for the most paranoid setup I could currently think of.

Other than technological counter-measures, you very much need to think about your individual behaviour to stay anonymous. Think about Ross Ulbricht, Jeremy Hammond, etc. Read about their actual mistakes. It is my very strong personal opinion, that individual (careful) behaviour is even more important than technological countermeasures if you want to stay anonymous. I mean, Tor can hide your IP but it cannot avoid the actual mistakes you might do to reveal your location, identity, etc. by just doing the wrong things, using the wrong services, tell people and/or corporations tiny bits of information (at a time) that lead to a bigger picture.

To sum up, staying anonymous is really hard. Almost impossible considering the sophisticated opportunities available to a watching adversary. It is my opinion that, as an individual, you can think twice about everything you do and learn something, a lot actually, along the way.

Some thoughts about privacy … If you happen to be concerned about your privacy but not so much about your utmost anonymity, you can achieve a lot even without using Whonix/Tor. Whom do I provide my personal data and/or information? What services do I use and why? Are there alternatives? > There are.

Some inspiration (just by telling you this, you could assume that I’m using Android + Firefox, btw):

• Facebook?
• Google? > e.g. riseup.net, autistici.org, privatdemail.net. Use PGP
• Are you wiretapped? You are! We all are. What can I do about it? > e.g. Redphone
• Do I encrypt my text communication? > e.g. Pidgin-OTR, Textsecure
• What services do I use to chit chat? > There are other Jabber services than GTalk.
• How do I approach to search the Web? > I recommend Startpage.
• Do I have a mobile phone in my pocket? Is this phone registered to cell towers? To GPS? Does it scan surrounding Wifi access points? Does Google know my phone number? You get the idea.
• Also important: Are my peers educated about these matters? Do they help me strengthen my (and their) privacy? I.e. are they also using Redphone, Textsecure, PGP. This isn’t a one-man show. May I educate them about to improve the overall situation?
• Do I care about SSL connections to services I log into? > HTTPS Everywhere
• Do I execute every tiny bit of Javascript? > NoScript

OMG, the list is long and I missed a lot. You would ultimately fail if you’d try to list everything to think about. While, I have to say, adrelanos is on a pretty good journey with the Whonix wiki. LOL.

At the end of the day, you need to know what you’re trying to achieve. Selling your Mac might be a decision. You could also leave it as is and use it like before asking for opinions here (so far you anyways just heard my rather paranoid estimation). Nothing wrong with that. One thing I would advice you is using a very minimal Debian host for serving Whonix if you anyways plan to dual-boot. The less bloated the host OS is, the less attack surface it provides. I’m not sure what “spyware” Linux Mint includes, if any. The advantage is … you can find out by investigating the running services + most important its sources. That’s impossible with a Windows or Mac OS X operating system.

I hope my loud thinking helps you a bit. I’m pretty sure adrelanos has a lot to add to my write-up so far. Feel free to ask specific questions and/or provide some insights into your personal privacy/anonymity requirements. Easier to answer that way.

Thank you so much for the extensive reply Cerberus.
I really appreciate you taking the time to do so.

I do agree with the points you make, that anonymity or privacy is being compromised much more likely through careless actions or inconsistencies in ones behavior.

- Do I have a mobile phone in my pocket? Is this phone registered to cell towers? To GPS? Does it scan surrounding Wifi access points? Does Google know my phone number? You get the idea.

I was wondering what you can do about this particular point you are making?

My situation is simple. I have nothing to hide but I’m a private person. So I’m not as much concerned about anonymity (i.e. my life is not at risk etc) but more about privacy. I want to make sure that I only share what I want without fearing that certain organizations can just break my privacy without consent.
So I don’t want to be completely paranoid about it all but certainly make it as hard as possible for any hacker or agency to access my stuff. Removing proprietary software to close backdoors and so on.
Also I want to be safe of malware while surfing the net and doing my banking and emailing (which is why I was thinking Tor via whonix rather than just tor.

Any additional advice is greatly appreciated.

Thank you so much for the extensive reply Cerberus. I really appreciate you taking the time to do so.

You're most welcome. In my opinion, time invested into this very subject, is well worth the extra effort.

[quote]- Do I have a mobile phone in my pocket? Is this phone registered to cell towers? To GPS? Does it scan surrounding Wifi access points? Does Google know my phone number? You get the idea.[/quote]I was wondering what you can do about this particular point you are making?

Good question! Other than removing the battery from your mobile phone or trashing it altogether, there isn't too much you can do about it - at least not to my knowledge. By design of the network, your ISP needs to know where you are at any particular time in order to deliver calls/messages to you. As a side-effect, you - pretty accurately - can be located by triangulation. The fact that ISPs happily share that information by request (or even by default(?)) isn't too much of a secret. Google abused its street view cars to (illegally) do comprehensive wardriving, i.e. to map the location of the world's Wifi APs. This certainly also helps to pinpoint your location at any given time. Malicious gossip has it that it was the actual reason to undertake the street view mission after all. Asked about the fact afterwards, Google stated that it's been done by some engineer's individual responsibility. I realize that ;)

Thinking about this further, while you cannot do something about Google and/or your ISP knowing your location (and sharing this information), you can do something about happily (by your own decision) telling them what you’re interested in (Google Search) at any particular location and time and with whom you’re communicating (Hangouts/Gmail) as well as sharing the contents of said communication. Nobody forces you to use their or other surveillance-funded corporation’s services.

Reading your requirements, I have the following recommendations for you:

• Use as much Open Source Software as possible, both the OS=Linux and applications. If you urgently need some proprietary Windows software use Virtualbox or Wine for that or even better - try substituting. There is lots of good Open Source Software out there. You mentioned backdoors … Even if you personally may not be capable of investigating source code for backdoors, there are people out there looking at Open Source code and backdoors are likely to be found quickly.

• Another argument for Linux (regarding your desire to be protected from Blackhat hackers), is, that most distributions ship with a package manager and as a result almost all your software (if you do use the package repositories) is kept up-to-date, including all libraries etc. That is to say, Linux certainly suffers from vulnerabilities but they are closed much sooner on your system than compared to the challenge of trying to keep a Mac or Windows system up-to-date.

• I would recommend you a Debian-based OS=Debian, Ubuntu, Linux Mint (which is Ubuntu-based). Ubuntu recently introduced some “spyware” to its OS, i.e. you send your Dash searches to Canonical and they share it with advertisers. This can easily be disabled though. I recommend Ubuntu due to its community and availability of software. Meaning that, if some software is available for Linux, chances are it’s packaged for Ubuntu (and thus for Linux Mint). As of the Malware topic … running Linux, you’re (at least more) “out of the way” of Blackhat hackers, so to speak. It’s not economical to write/maintain malware for Linux. Don’t get a false sense of security though. Malware is most effectively distributed through social engineering and the best OS on the planet can’t avoid you being trapped by a social engineering attack (phishing, whatever). There are some pretty clever Blackhats out there. I won’t discuss that here as it’s rather off-topic.

• Try to move away from surveillance-funded services. There is no “free” service out there. Either you pay money or you pay by whatever “information” … in most cases at least. Inform yourself about the providers you’re using. Read their privacy policies.

• Use encryption whenever possible. Assumed you have an Android phone, use Redphone, Textsecure and Chatsecure or Xabber. Replace Hangouts, GMail, your SMS app. Educate people you communicate with to do the same. Google recently made Hangouts incompatible with other Jabber services (think vendor-lockin). If 80 people use it already they get the last 3 resisting to switch over. I say, let’s try to switch all 83 away from Google for doing that. We had it all already with Microsoft Windows. The EFF has an interesting read about it at Google Abandons Open Standards for Instant Messaging | Electronic Frontier Foundation - I know it’s a mess trying to tell people to switch communication services as Google (or Hotmail, Yahoo, Facebook, you name it) is “so convenient” but I fear that’s the only viable alternative to surveillance. Use PGP for email encryption. It has a learning curve and certainly your peers need to play ball for it to be useful for you (and them).

• Your searching habits (I mentioned it already): Give https://startpage.com/ a try. They present you Google search result without Google knowing its you. Google, in result, isn’t able to keep a record on your searches, the results you click on, the location you do it, etc.

• As of Tor, I do not think that this (leave alone Whonix) is your most critical problem here. You don’t need to stay anonymous, you want to have better privacy and that’s done by a step-by-step and - at the end of the journey - radical change in individual thinking and behaviour - at least in my personal opinion. I would even recommend you against using Tor by default and here is the reason: Banking over Tor? Your bank may freeze your account sooner or later. Same for PayPal (which one shouldn’t use anyway). Even accessing your webmail may not be that easy. Google lets you access und use Gmail over Tor if you have an “established” account but you - almost certainly - get flagged. You have to take into account that a row of services may flag you for using Tor with whatever consequences. Not immediately and not necessarily … I’m just saying. If you want to read the federalist papers at some point in time without your ISP knowing, you can still use Tor Browser for that particular task.

• Browser plugins (use Firefox): I recommend a minimum of NoScript (also protects you from XSS vulnerabilities), Adblock, HTTPS Everywhere. Enable “Do-not-track” feature. E-Mail: Get an account with a privacy-respecting provider, use Thunderbird and Enigmail-Addon(PGP). With an email-account often comes a Jabber-account. Use Pidgin with OTR for encryption here. Or Adium on Mac.

To sum up: The question isn’t how to completely avoid surveillance. You cannot. You can make it harder though. You can actively decide not to share everything with the wrong corporations. Disclaimer: All that said, this certainly just is my very personal POV and while I appreciate if you (or anyone else) act upon it, you (and everyone) need to take action (or not) and decide for themselves. Some people may think about it as conspiracy theory … Fine by me.

Happy to continue the discussion if you want to.

Thanks again for the extensive reply Cerberus.

All the points you are making make perfect sense and I have implemented them all gradually in the past (with changing OS being the latest one).

A couple of more points sprang to my mind regarding what you said about Tor.
If it makes no sense to use it for banking and similarly sensitive tasks, what does it make sense to use it for then (and for that matter whonix too)?

Is it most useful for people needing to protect their anonymity (hackers, political dissidents, …) and not so much for people who just want to increase their safety while browsing?
If this is the case then a well configured Firefox (no-scripts) would be enough I assume?!
(On a side note it makes you more unique and therefore more finger-printable…)

I guess using a good VPN with a well well configured Firefox would probably be the best solution to increase one’s privacy, would that be a fair statement?
Especially finding a good VPN can take (and took me) a lot of time but was fund to do.

I know VPN’s are not the be all and end all but I certainly feel safer using one.
Any thoughts on the above?
Thanks again a thousand times.

You can use Tor for banking, ebay, facebook etc. You won’t be anonymous. You have location privacy. And must be prepared to get your account unlocked when they ban login. Up to you if that’s worth it.

Tor is useful for normal people as well. VPN/Firefox add-ons alone won’t prevent creation of big files on them. For example Google logs everything you ever searched for ever. Other websites record every click you do. Tor/Tor Browser make such collections much less valuable.

See also:

I guess using a good VPN with a well well configured Firefox would probably be the best solution to increase one's privacy, would that be a fair statement?

No chance against browser fingerprinting without jointing the anonymity set of Tor Browser.

I know VPN's are not the be all and end all but I certainly feel safer using one.

It doesn't archive anything other than good feeling.

hi Adrelanos,
so browser fingerprinting is reduce the most by using Tor? I do realize that the more FF plugins I use, the more fingerprintable does my browser get.
This does not happen with Tor?

Also regarding what you say about VPN, why do think it does not provide anything other than a good feeling?
I use it mainly for torrenting safely and otherwise increase my privacy some more (sometimes using Tor on top of it). I assume you don’t think it’s safe because the VPN provider knows what you’re doing?

This does not happen with Tor?

It does not happen if you leave Tor Browser as is, because then you're in the Tor Browser anonymity set.

Also regarding what you say about VPN, why do think it does not provide anything other than a good feeling?

Because almost no one is using VPN's with Tor Browser (or other privacy preserving browsers, because there aren't any) and because due to cookies, flash cookies and lots of other tracking techniques (see evercookie, browser fingerprinting) all activity can be linked to the same pseudonym anyway. Once logged in into any service knowing your name (google/facebook/whatever), what also almost everyone is doing, it's not even pseudonymous anymore.

See also:

Because almost no one is using VPN’s with Tor Browser (or other privacy preserving browsers, because there aren’t any) and because due to cookies, flash cookies and lots of other tracking techniques (see evercookie, browser fingerprinting) all activity can be linked to the same pseudonym anyway. Once logged in into any service knowing your name (google/facebook/whatever), what also almost everyone is doing, it’s not even pseudonymous anymore.

See also:

[/quote]

I meant by using whonix that way:

I thought this would add an additional layer of safety?

I am not taking position on that. There are good arguments for and against that motion. I am collection arguments for both sides. Most of the TorPlusVPN · Wiki · Legacy / Trac · GitLab page has been written by me. This is my standpoint. That page is pretty complete over time. There were no additional arguments ever brought up that could be added to that page.