Testers Wanted!

Download the Testers-Only version of Whonix for VirtualBox:

Alternatively, in-place release upgrade is possible upgrade using Whonix testers repository.

This release would not have been possible without the numerous supporters of Whonix!

Please Donate!

Please Contribute!

Notable Changes

• Whonix VirtualBox:
  • improve VirtualBox screen resolution situation
    • functional VirtualBox VM Window → View → Virtual Screen 1 → resize to resolution
    • functional VirtualBox VM Window → View → Adjust Window Size
    • workaround improve VirtualBox screen resolution situation still required
    • add xserver-xorg-video-vmware to kicksecure-desktop-environment-essential-gui because it is required by VirtualBox Graphics Controller VMSVGA for auto resize and resize through VirtualBox settings menu
    • again set VirtualBox Graphics Controller to VMSVGA (equivalent to “VirtualBox → click a VM → Settings → Display → Graphics Controller → VMSVGA → OK”)
      • Quote Chapter 3. Configuring Virtual Machines

      • “VMSVGA: Use this graphics controller to emulate a VMware SVGA graphics device.”

      • “This is the default graphics controller for Linux guests.”

      • Has better desktop resolution in CLI (virtual terminal) mode.
      • This was previously disabled: Black screen on 15.0.0.6.6 and 15.0.0.7.1
    • increase Whonix VirtualBox Whonix-Gateway video ram to 128 MB since previously assigning only 16 MB RAM can be a source of resize issues
  • Research notes on how to write good VirtualBox bug reports that actually have a chance of getting fixed.
  • Wrote VirtualBox developer documentation on VirtualBox Licensing Issues, unavailable in Debian main and Debian backports, missing features, VirtualBox security and arguments for keeping VirtualBox Support.
  • Updated VirtualBox and VirtualBox guest addition to 6.1.4.
• Tor related:
  • fix parsing torrc.d twice bug
  • Fix bug in Whonix 15.0.0.8.9 where anon-connection-wizard added %include /etc/torrc.d/95_whonix.conf to /etc/tor/torrc configuration file even though Whonix was already ported to %include /etc/torrc.d/.
  • anon-verify
    • report Extraneous Tor Configuration Files (files that do not end with file extension .conf)
    • ignore file names starting with dot (.) (Quote Tor manual: ‘Files starting with a dot are ignored.’)
    • ignore subfolders when using %include /path/to/folder (Quote Tor manual: ‘Files on subfolders are ignored.’)
    • fix, check all files in torrc.d folders for issues
• work towards Whonix Host operating system
• upgrade LKRG to latest upstream version (not yet installed by default)
• install gvfs by default
  • fix access LUKS encrypted USB drive with Thunar
  • add gvfs to kicksecure-desktop-applications-xfce
  • ⚓ T965 install gvfs by default / fix access LUKS encrypted USB drive with Thunar
  • cannot access encrypted USB drive with Thunar in Whonix 15 - #10 by helper
  • Whonix-Host Operating System (OS) ISO - #109 by onion_knight
  • Whonix Xfce Development - #99 by Patrick
  • use sudoedit in Whonix documentation and Whonix software - #22 by Patrick_mobile
• add x11-xserver-utils to kicksecure-desktop-environment-essential-gui
  • to fix XFCE logout button
  • Whonix-Host Operating System (OS) ISO - #109 by onion_knight
• disable vm.unprivileged_userfaultfd=0 for now because broken
  • Kernel Hardening - security-misc - #406 by Patrick
  • reverts “Restrict the userfaultfd() syscall to root as it can make heap sprays easier.”
    • Linux Kernel universal heap spray - Vitaly Nikolenko
• pkexec wrapper: fix gdebi / synaptic but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d exceptions. (cannot use pkexec - #53 by AnonymousUser)
• SecBrowser / i2pbrowser: no longer use firejail by default even if installed since currently not maintained by anyone in Whonix / Kicksecure.
• fix i2pbrowser local browser homepage
• rename package non-qubes-vm-audio to non-qubes-audio

Full difference of all changes

https://github.com/Whonix/Whonix/compare/15.0.0.8.9-developers-only...15.0.0.9.4-developers-only

About Whonix

Whonix is being used by Edward Snowden, journalists such as Micah Lee, used by the Freedom of the Press Foundation and Qubes OS. It has a 8 years history of keeping its users safe from real world attacks. [1]

The split architecture of Whonix relies on leveraging virtualization technology as a sandbox for vulnerable user applications on endpoints. This is a widely known weakness exploited by entities that want to circumvent cryptography and system integrity. Our Linux distribution come with a wide selection of data protection tools and hardened applications for document/image publishing and communications. We are the first to deploy tirdad, which addresses the long known problem of CPU activity affecting TCP traffic properties in visible ways on the network and vanguards, an enhancement for Tor produced by the developers of Tor, which protects against guard discovery and related traffic analysis attacks. Live Mode was recently added. We deliver the first ever solutions for user behavior masking privacy protections such as Kloak. Kloak prevents websites from recognizing who the typist is by altering keystroke timing signatures that are unique to everyone.

In the future we plan to deploy a hardened Linux kernel with the minimal amount of modules needed to get the job done, an apparmor profile for the whole system, as well as LKRG, the Linux Kernel Runtime Guard.

[1]

• https://twitter.com/Snowden/status/1165607338973130752 [archive]
• https://twitter.com/snowden/status/781495273726025728 [archive]
• https://twitter.com/Snowden/status/1175435436501667840 [archive]
• Micah Lee, Journalist and Security Engineer at The Intercept and Advocate for Freedom of the Press, Developer of OnionShare and Tor Browser Launcher. [archive]
• SecureDrop Journalist Workstation environment for submission handling is based on Qubes-Whonix [archive]
• History
• Whonix - Wikipedia [archive]
• https://www.qubes-os.org [archive]
• Whonix Protection against Real World Attacks