Whonix

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Whonix
Whonix Logo
Whonix-Workstation-XFCE 16 01 2021 11 00 00.png
DeveloperWhonix Developers
OS familyLinux (Unix-like)
Working stateActive
Source modelOpen source
Initial release29 February 2012; 10 years ago (2012-02-29)
Latest release16[1] / September 10, 2021; 14 months ago (2021-09-10)
Repositoryhttps://gitlab.com/whonix
Marketing targetPersonal Computing, Servers (onion service hosting)
Platformsx86, arm64 (RPi 3)
Kernel typeMonolithic (Linux)
LicenseMainly the GNU GPL v3 and various other free software licenses
Official website

Whonix (/hnɪks/, HOO-niks)[2] is a Kicksecure–based security hardened Linux distribution.[3][4] Its main goals are to provide strong privacy and anonymity on the Internet.[5] The operating system consists of two virtual machines, a "Workstation" and a Tor "Gateway", running Debian GNU/Linux. All communications are forced through the Tor network.[6][7][8]

Both Whonix and Kicksecure have documentation which spans from basic operating system maintenance to more advanced topics.[9][10]

History[edit]

The first iteration, TorBOX (February-July 2012)[edit]

The initial concept was announced by Schleizer under the pseudonym Proper, and later changed to Adrelanos in 2012 before revealing his identity in 2014.[11][12] His idea was to leverage a virtual machine acting as a transparent proxy to route all Internet traffic through the Tor network. This would have allowed to mask one's IP address, prevent DNS leaks and avoid having to configure proxy settings for individual applications (or ones who do not support them).[13]

TorBOX was at its beginning only a guide released on the Tor Project website which also provided some shell scripts.[14] Other contributors provided more information as TorBOX became more popular.[13][15]

As the project's complexity grew, leak tests became increasingly necessary. Some contributors developed utilities to automatize many steps and improve user-friendliness. Nonetheless, maintaining the build instructions for TorBOX while simultaneously updating the shell scripts became too much of a burden for the developers, who decided to drop the manual creation instructions, migrating them and focusing exclusively on the shell scripts.[16]

Even then, complexity was still growing due to additional features or changes in line with security research. In March 25, 2012 with the release of TorBOX's 0.1.3,[17] the programmers agreed to completely automatize the build process and improving codability with a change in the developing process, brought by a new website with better capabilities than the old project's wiki.[16]

The TorBOX/aos wiki listed seven released versions.[18] With the advent of the third release, proper released his GPG public-key containing his contact information,[19]

The sixth version saw the first rename of the developer proper to adrelanos.[20] However, the former username was maintained on the Tor Website until the seventh and final version.[21]

Development of TorBOX continued until version 0.2.1, release July 16, 2012. The project was renamed the following day.[22]

Rename into aos (July-September 2012)[edit]

Andrew Lewman (then Tor Project Executive Director[23][24]) privately advised adrelanos to rename the project, stating that even if TorBOX mentioned on its website about being unaffiliated with the Tor Project, it was still being mistaken by some people. Adrelanos renamed the project aos, acronym of "anonymous operating system".[25]

No new releases were made under the name aos.

Final rename and continued development as Whonix (September 2012-present)[edit]

The choice of the name aos was quickly regretted and described as "sub-optimal" by adrelanos. He noted that search engines didn't return relevant results due to the name being shared with many other acronyms. A secondary reason was the project's name being non-capitalized, which would have made it incompatible with the grammatical convention of capitalizing a word at the beginning of a sentence.[26]

Adrelanos posted a request for suggestions on the tor-talk mailing list. His original idea was a name which would have made the purpose of the anonymous operating system clear and at the same time avoiding confusion or trademark issues.[27] Nick Mathewson, Tor Project's co-founder debated the idea of having a self-explanatory name, stating that Tor was "doing okay" even without having a particularly descriptive name.[28]

While many suggestions were sent, adrelanos concluded the post announcing the new name, Whonix, and publishing a signed message with his final decision on the project's website.[29][30] He reasoned that the name was unused and would have provided more results in search engines. Whonix is a compound of two words: who ("what person/s") and nix (a German word that means "nothing").[25]

Whonix 0.3.0, never released, was based on Ubuntu.[31] While Ubuntu was praised from a technical perspective, potential trademark issues would have complicated the distribution along the potential revocation of the license from Canonical. Complying with the terms requested by a rebranding[32] would have required work which was beyond the capability of the Whonix developers.[33] Moreover, the release of Ubuntu 12.10 was heavily criticized for the closer integration with the Amazon ecosystem and other privacy issues.[34][35][36][37]

The Whonix project recognized the privacy issues which would have caused a problem with the use of Ubuntu, and recommended against using it even on the host machine.[38]

The first release under the new name of Whonix happened with version 0.4.4, the first one since TorBOX 0.2.1.[39] It was rebased on Debian which is described by the project as being "a good compromise of security and usability".[40]

The second release, Whonix 0.4.5 was the first to be announced by adrelanos on the tor-talk mailing list.[41]

In a blog post published on January 18, 2014 on the Whonix wiki, adrelanos decided to give up his pseudonymity and using for the first time his real name, Patrick Schleizer.

Schleizer, a German citizen[42] stated the burden of maintaining his operational security. Also, he mentioned that both the USA and Germany are not persecuting their citizens for criticizing the government, concluding with a remark on the importance of speaking out in public and taking action.[43]

Porting to Qubes OS[edit]

In August 2014 a user called WhonixQubes announced on the qubes-users mailing list the first successful integration of Qubes OS version R2-rc2 and Whonix 8.2. Joanna Rutkowska, founder of Qubes OS, publicly stated her praise about the efforts.[44]

In June 2015, Rutkowska announced the reception of funding from the Open Technology Fund to further sponsor the porting work of Whonix to Qubes OS. The proposal to OTF was made initially in September 2014, after Rutkowska was approached by Michael Carbone, an employee of Access Now[45] and member of the Qubes OS team[46] who helped with the process.[47]

At the same time, Patrick Schleizer wrote about wanting to personally focus on the development of Qubes-Whonix.[48]

With the release of Qubes OS R3.0 in October 2015,[49] Whonix templates officially became available.[50]

Variants[edit]

Standalone[edit]

The standard version of Whonix can be used on many different platforms as host-machines, such as Windows, macOS, GNU/Linux and Qubes OS. It is downloadable in formats compatible with the most common hypervisors like VirtualBox, QEMU, KVM and Xen.[51] Whonix is reported to have experimental compatibility with VMware and Hyper-V, though not officially supported.[52][53]

The VirtualBox packages for both the Workstation and Gateway are distributed with the xfce desktop environment or in a headless "CLI" version.[54] They can be seamlessly combined.[55]

Qubes OS[edit]

Whonix can be configured directly from the Qubes OS' installation menu since version R3.0.[50] Since at least Qubes OS R4.0 it can also be installed at a later time using the management software Salt from dom0.[56]

Design[edit]

An "advanced" configuration uses two physically separate computers, with the Gateway running on the hardware of one of the computers, and the Workstation running in a VM hosted on the second. This protects against attacks on hypervisors at the cost of flexibility. Supported physical hardware platforms include the Raspberry Pi 3[57] and unofficial community efforts on the PowerPC workstation hardware, Talos, from Raptor Computing.[58]

On first startup, each VM runs a check to ensure that the software is up to date. On every boot, the date and time are set using the sdwdate secure time daemon that works over Tor's TCP protocol.[59]

The Gateway VM is responsible for running Tor, and has two virtual network interfaces. One of these is connected to the outside Internet via NAT on the VM host, and is used to communicate with Tor relays. The other is connected to a virtual LAN that runs entirely inside the host.

The Workstation VM runs user applications. It is connected only to the internal virtual LAN, and can directly communicate only with the Gateway, which forces all traffic coming from the Workstation to pass through the Tor network. The Workstation VM can "see" only IP addresses on the Internal LAN, which are the same in every Whonix installation.

User applications therefore have no knowledge of the user's "real" IP address, nor do they have access to any information about the physical hardware. In order to obtain such information, an application would have to find a way to "break out" of the VM, or to subvert the Gateway (perhaps through a bug in Tor or the Gateway's Linux kernel).

The Web browser pre-installed in the Workstation VM is the modified version of Mozilla Firefox provided by the Tor Project as part of its Tor Browser package. This browser has been changed to reduce the amount of system-specific information leaked to Web servers.

Since version 15 Whonix supports an optional "amnesiac" live-mode, much like the similar security-focused operating system Tails.[60] This combines the best of both worlds by allowing Tor's entry guard system to choose long-lived entry points for the Tor network on the Gateway, reducing the adversaries' ability to trap users by running malicious relays, while rolling back to a trusted state. Some precautions on the host may be needed to avoid data being written to the disk accidentally. Grub-live, an additional separate project,[61] aims to allow bare-metal Debian hosts to boot into a live session, avoiding forensic remnants on disc.

For the best defense against malicious guards, it is recommended to boot up the gateway from a pristine state and have a unique guard paired to each user activity. Users would take a snapshot to be able to switch to, and use that guard consistently.[62] This setup guarantees that most activities of the user remain protected from malicious entry guards while not increasing the risk of running into one as a completely amnesiac system would.

Scope[edit]

Anonymity is a complex problem with many issues beyond IP address masking that are necessary to protect user privacy. Whonix focuses on these areas to provide a comprehensive solution. Some features:

  • Kloak - A keystroke anonymization tool that randomizes the timing between key presses. Keystroke biometric algorithms have advanced to the point where it is viable to fingerprint users based on soft biometric traits with extremely high accuracy. This is a privacy risk because masking spatial information—such as the IP address via Tor—is insufficient to anonymize users.
  • Tirdad - A Linux kernel module for overwriting TCP ISNs. TCP Initial Sequence Numbers use fine-grained kernel timer data, leaking correlatable patterns of CPU activity in non-anonymous system traffic. They may otherwise act as a side-channel for long running crypto operations.[63]
  • Disabled TCP Timestamps - TCP timestamps leak system clock info down to the millisecond which aids network adversaries in tracking systems behind NAT.[64]
  • sdwdate - A secure time daemon alternative to NTP that uses trustworthy sources and benefits from Tor's end-to-end encryption. NTP suffers from being easy to manipulate and surveil. RCE flaws were also discovered in NTP clients.[65]
  • MAT 2 - Software and filesystems add a lot of extraneous information about who, what, how, when and where documents and media files were created. MAT 2 strips out this information to make file sharing safer without divulging identifying information about the source.
  • LKRG - Linux Kernel Runtime Guard (LKRG) is a Linux security module that thwarts classes of kernel exploitation techniques. Hardening the guest OS makes it more difficult for adversaries to break out of the hypervisor and deanonymize the user.

Documentation[edit]

The Whonix wiki includes a collection of operational security guides for tips on preserving anonymity while online. Additionally, a number of original content guides on which security tools to use, and how to use such tools, have been added over time. This includes how to access the I2P[66] and Freenet[67] networks over Tor.

See also[edit]

References[edit]

  1. ^ "Whonix 16 has been Released! (Debian 11 bullseye based) - for VirtualBox - Major Release".
  2. ^ "History". Whonix. 2022-02-22. Retrieved 2022-03-19.
  3. ^ "DistroWatch.com: Put the fun back into computing. Use Linux, BSD". distrowatch.com.
  4. ^ "Kicksecure ™: A Security-hardened, Non-anonymous Linux Distribution". Whonix. 2020-10-17. Retrieved 2020-12-11.
  5. ^ "Frequently Asked Questions - Whonix ™ FAQ". Whonix. 2022-01-26. Retrieved 2022-03-19.
  6. ^ "Devs cook up 'leakproof' all-Tor untrackable platform". The Register. 13 Nov 2012. Retrieved 10 July 2014.
  7. ^ Greenburg, Andy (17 June 2014). "How to Anonymize Everything You Do Online". Wired. Retrieved 10 July 2014.
  8. ^ "Whonix adds a layer of anonymity to your business tasks". TechRepublic. 4 January 2013. Retrieved 10 July 2014.
  9. ^ "Whonix ™ Documentation". Whonix. 2022-03-15. Retrieved 2022-03-19.
  10. ^ "Kicksecure ™ Documentation". Kicksecure. 2022-02-21. Retrieved 2022-03-19.
  11. ^ Internet Archive | "Proper - Adrelanos PGP Identity transition
  12. ^ Internet Archive | Richard Schleizer PGP Identity Transition
  13. ^ a b "History". Whonix. 2022-02-22. Retrieved 2022-03-20.{{cite web}}: CS1 maint: url-status (link)
  14. ^ "doc/TorBOX – Tor Bug Tracker & Wiki". 2014-03-10. Archived from the original on 10 March 2014. Retrieved 2022-03-20.
  15. ^ "doc/TorBOX (history) – Tor Bug Tracker & Wiki". 2013-06-28. Archived from the original on 28 June 2013. Retrieved 2022-03-20.
  16. ^ a b "History". Whonix. 2022-02-22. Retrieved 2022-03-22.{{cite web}}: CS1 maint: url-status (link)
  17. ^ "Dev/Old Changelog". Whonix. 2022-03-08. Retrieved 2022-03-22.{{cite web}}: CS1 maint: url-status (link)
  18. ^ "doc/proper (history) – Tor Bug Tracker & Wiki". 2020-06-17. Archived from the original on 17 June 2020. Retrieved 2022-03-21.
  19. ^ "doc/proper – Tor Bug Tracker & Wiki". 2014-03-16. Archived from the original on 16 March 2014. Retrieved 2022-03-21.
  20. ^ "doc/proper – Tor Bug Tracker & Wiki". 2014-03-16. Archived from the original on 16 March 2014. Retrieved 2022-03-21.
  21. ^ "doc/proper – Tor Bug Tracker & Wiki". 2014-03-16. Archived from the original on 16 March 2014. Retrieved 2022-03-22.
  22. ^ "Old Project Versions and News". Whonix. 2021-12-02. Retrieved 2022-03-22.
  23. ^ "Andrew Lewman | Personal Democracy Forum". personaldemocracy.com. Retrieved 2022-03-22.
  24. ^ Campbell, Thomas (2014-08-29). "The sunnier side of Tor: Andrew Lewman, the Tor Project & the mother of all makeovers". Retrieved 2022-03-22.
  25. ^ a b "History". Whonix. 2022-02-22. Retrieved 2022-03-22.
  26. ^ "History". Whonix. 2022-02-22. Retrieved 2022-03-22.{{cite web}}: CS1 maint: url-status (link)
  27. ^ "[tor-talk] please suggest a new project name for Anonymous Operating System". tor-talk.torproject.narkive.com. Retrieved 2022-03-22.
  28. ^ "[tor-talk] please suggest a new project name for Anonymous Operating System". tor-talk.torproject.narkive.com. Retrieved 2022-03-22.
  29. ^ "[tor-talk] please suggest a new project name for Anonymous Operating System". tor-talk.torproject.narkive.com. Retrieved 2022-03-22.{{cite web}}: CS1 maint: url-status (link)
  30. ^ "TorBOX · Wiki · Legacy / Trac · GitLab". 2021-11-01. Archived from the original on 1 November 2021. Retrieved 2022-03-22.
  31. ^ "Old Project Versions and News". Whonix. 2021-12-02. Retrieved 2022-03-22.{{cite web}}: CS1 maint: url-status (link)
  32. ^ "Intellectual property rights policy | Terms and policies". Ubuntu. Retrieved 2022-03-22.
  33. ^ "Dev/Operating System". Whonix. 2022-02-03. Retrieved 2022-03-22.
  34. ^ Lee, Micah (2012-10-29). "Privacy in Ubuntu 12.10: Amazon Ads and Data Leaks". Electronic Frontier Foundation. Retrieved 2022-03-22.
  35. ^ Leach, Anna. "Fans revolt over Amazon 'adware' in Ubuntu desktop search results". www.theregister.com. Retrieved 2022-03-22.
  36. ^ "Now in Ubuntu Linux 12.10: Amazon search results". PCWorld. Retrieved 2022-03-22.
  37. ^ "Ubuntu 12.10 (Quantal Quetzal) review". ZDNet. Retrieved 2022-03-22.
  38. ^ "Dev/Operating System". Whonix. 2022-02-03. Retrieved 2022-03-22.{{cite web}}: CS1 maint: url-status (link)
  39. ^ "Old Project Versions and News". Whonix. 2021-12-02. Retrieved 2022-03-22.
  40. ^ "Dev/Operating System". Whonix. 2022-02-03. Retrieved 2022-03-22.{{cite web}}: CS1 maint: url-status (link)
  41. ^ adrelanos (2012-10-09). "[tor-talk] Whonix ALPHA 0.4.5 - Anonymous Operating System released". Retrieved 2022-03-22.
  42. ^ "adrelanos (Patrick Schleizer) | Keybase". keybase.io. Retrieved 2022-03-21.
  43. ^ "giving up pseudonymity after collecting experiences with pseudonymous project development - Whonix". 2014-04-03. Archived from the original on 3 April 2014. Retrieved 2022-03-21.
  44. ^ "New Announcement: Qubes + Whonix is now available!". groups.google.com. Retrieved 2022-03-23.
  45. ^ "Michael Carbone". Access Now. Retrieved 2022-03-23.
  46. ^ "Team". Qubes OS. Retrieved 2022-03-23.{{cite web}}: CS1 maint: url-status (link)
  47. ^ "Qubes OS Project gets OTF funding to integrate Whonix, improve usability | The Invisible Things". blog.invisiblethings.org. Retrieved 2022-03-23.{{cite web}}: CS1 maint: url-status (link)
  48. ^ "Whonix Host Operating System, Announcing OTF Sponsorship". 2015-09-29. Archived from the original on 2015-09-29. Retrieved 2022-03-23.
  49. ^ "Qubes R3.0 release schedule". Qubes OS. Retrieved 2022-03-23.
  50. ^ a b "Qubes R3.0 release notes". Qubes OS. Retrieved 2022-03-23.{{cite web}}: CS1 maint: url-status (link)
  51. ^ "FREE Whonix ™ Download". Whonix. 2022-03-18. Retrieved 2022-03-23.
  52. ^ "VMware". Whonix. 2022-01-13. Retrieved 2022-03-23.{{cite web}}: CS1 maint: url-status (link)
  53. ^ "How to get Whonix running on Hyper-V - Support - Whonix Forum". forums.whonix.org. Retrieved 2022-03-23.
  54. ^ "Whonix ™ for Windows, macOS, Linux inside VirtualBox". Whonix. 2021-12-02. Retrieved 2022-03-23.
  55. ^ "Can I combine Whonix-Gateway CLI with Whonix-Workstation XFCE? Yes! - News - Whonix Forum". forums.whonix.org. Retrieved 2022-03-23.
  56. ^ "How-to: Install the Stable Version of Qubes-Whonix ™ 16". Whonix. 2022-02-16. Retrieved 2022-03-23.{{cite web}}: CS1 maint: url-status (link)
  57. ^ "Build Documentation: Physical Isolation". 2 December 2021.
  58. ^ https://wiki.raptorcs.com/wiki/Whonix>
  59. ^ "sdwdate: Secure Distributed Web Date". Whonix. 2020-09-14. Retrieved 2020-12-11.
  60. ^ "VM Live Mode: Stop Persistent Malware". Whonix. 2020-09-28. Retrieved 2020-12-11.
  61. ^ "grub-live: Boot existing Host Operating System or VM into Live Mode". Whonix. 2020-11-24. Retrieved 2020-12-11.
  62. ^ "Tor Entry Guards". Whonix. 2020-08-13. Retrieved 2020-12-11.
  63. ^ "Add research idea for Linux TCP Initial Sequence Numbers may aid correlation (#16659) · Issues · Legacy / Trac". GitLab. Retrieved 2020-12-11.
  64. ^ "[Tails-dev] Risks of enabled/disabled TCP timestamps?". 2017-02-01. Archived from the original on 2017-02-01. Retrieved 2020-12-11.
  65. ^ "Don't update NTP – stop using it - Hanno's blog". blog.hboeck.de. Retrieved 2020-12-11.
  66. ^ "Invisible Internet Project (I2P)". Whonix. 2020-11-26. Retrieved 2020-12-11.
  67. ^ "Freenet". Whonix. 2020-08-08. Retrieved 2020-12-11.

External links[edit]