Whonix – A desktop operating system designed for advanced security and privacy (whonix.org)
226 points by koolba on Feb 3, 2017 | 55 comments

As someone unfamiliar with Whonix, I wanted to understand the project in a little more detail than what's on the front page.

This link was really helpful and thorough:


I also recently found ParrotSec OS; I was using it as my main OS for about a month or two. I mostly used it because it is a Debian fork and it featured the latest of any programming language I wanted, which is great for me. I stopped using it because it felt cluttered for me to have so many different pentesting type of tools. It had built-in support for connecting you to Tor and forcing all connections to go through Tor out of the box. A lot of things I don't need but others might find interesting. I may return to it now that they're building a flavor for developers. It comes with a few text editors out of the box including Atom. I wish Whonix would compare ParrotSec too. :)


Link to ParrotSec OS website. https://www.parrotsec.org/

Used parrotOS 2 years ago. I think it was newish then. Liked it a lot. Was fairly polished then. What do you use it for and what features do you like most?

I really just used it for programming. I loved having the latest of any programming language compiler / interpreter when I used it. Something I don't see in Ubuntu / Debian flavors I try. I'm using ElementaryOS atm because I like how minimal it is, I bring in what I need after installation. They have a "Studio" flavor that I wanted to try, but the Network manager seemed to be broken from install, I remember installing KDE from the ParrotOS base I installed initially and had the same problem, the networking wireless icon is completely missing. If they fix that on their "Studio" release I may start using it again. I enjoyed it overall. My only other issue was that I didn't need the "tools" ParrotSec came with. I would definitely recommend ParrotSec OS overall.

Can't you update to the newest version of some compiler? This is something I hear for the first time...

Linux Distros are always behind, and in the case of Ubuntu / Debian Python is locked into whatever they release because the OS actually relies on whatever version of Python they released the OS with, if you upgrade to latest and greatest on Debian Wheezy e.g. you might find your OS has bugs that Ubuntu 16.04 doesn't see (both use similar packages).

Really? I use the latest and nightly gcc toolchain in Ubuntu without issue. For Python, if what you're saying is true, could you not use conda or Docker?

I guess it's mostly for interpreted languages. Try installing (not that I use it) Eclipse the Java IDE as another example, it's usually dated enough. This is probably why people use bleeding edge distributions. I guess in the case of compilers it's not as bad, though you can't usually get the latest and greatest Go compiler either, you have to grab the .deb off the website or use other tools. At least Rust just hands you rustup so I don't need to worry about this in the case of Rust, but with other languages like Python it's a concern of mine.

You can with Guix (pkg mgr or GuixSD distro) or NixOS.

Thanks for the comparison link. Do you think it would be useful to have a comparison with Subgraph OS as well?

If you like this, be sure to check out Qubes OS[1], which uses Whonix as a VM to route all traffic over Tor.

[1]: http://www.qubes-os.org/

Qubes does not use Whonix for anything. Whonix can use Qubes, though.

Qubes and Whonix are fundamentally different. They attempt to solve two different issues.

Whonix solves privacy via obfuscation, Qubes solves security through virtualization / compartmentalization and specifically does not believe in security by obfuscation. You do not have to choose between the two if you run Whonix inside of Qubes, but I have a feeling most users who think they want privacy really want security, and it would be a hassle to constantly use Whonix.

I highly recommend Qubes, if you aren't already using it. It isn't for the faint of heart, however, and there is a long list of bugs to squash and features to add. Things are coming along nicely though, and this year they plan to test-drive corporate support for Qubes OS as a business platform, which if successful should give them quite a bit of capital for expansion and auditing of essential code.

> Qubes does not use Whonix for anything. Whonix can use Qubes, though.

Qubes comes with Whonix gateway and workstation templates preloaded. How is that not "using Whonix"?

Important distinction in terminology. Qubes _runs_ Whonix, Whonix can _use_ Qubes as a host. And the Whonix workstation is an optional addition that a lot of users find no need for. It does not come preloaded, you must enable it during installation. But Qubes does not use Whonix any more than Windows uses Firefox when you run the firefox process.

In software, when you say something "uses" something, you are implying it uses it as a backend or API. But Qubes does not communicate with nor expose any information to Whonix, and especially does not utilize it for any sort of functionality.

Sounds like a distinction without a significant difference. "To improve your privacy and anonymity on the internet, you can install the Whonix Template on your Qubes machine." https://www.qubes-os.org/doc/whonix/ To me that makes it sound like the qubes-os people use Whonix to improve privacy.

Why do you think an operator of a computer is called a user?

I use Qubes and do not use Whonix, and most users don't either. Qubes is security-focused, offering increased privacy in the process, but Whonix is for the privacy-focused and has separate use-cases. I'm not a journalist in some 3rd world dictatorship so using Whonix would just degrade my user experience.

But that's the thing. As users, we can use a piece of software, but our operating system is not using anything. And it is erroneous and misguiding to say that Qubes OS "uses" Whonix, because again, that implies special meaning, such as using it as a backend for main internet access. This isn't some trivial distinction. It is a very basic, important distinction when you are talking about software.

You may not personally launch Xfce Terminal either but it doesn't mean Qubes doesn't use it as a terminal emulator. Qubes uses Whonix for anonymous VMs. It's bizarre that you're so set on making this distinction that not even the creators attempt to make.

Oh? Can you provide context where they say that Qubes uses Whonix? Under their doc file for Whonix they just mention that, if you want to use Tor, Qubes can make use of Whonix as a ProxyVM. That is the correct usage of the term "use". But not only is that not the same thing as using Whonix for a general backend for operation, many users forgo installing Whonix altogether.

This whole thing devolved from me just trying to make a distinction for other HN users so that they wouldn't get the wrong idea and not try out Qubes because they might think the systems are coupled and are worried of, say, being hacked by the FBI and put on more lists for using Tor.

> Which uses Whonix as a VM [...]

Sorry to nitpick, but I believe you meant to say something along the lines of "Whonix runs on top of Qubes as a VM (virtual machine), just like any other typical OS does in Qubes."[1]

[1] https://www.whonix.org/wiki/Qubes

Also, you don't have to route traffic over tor in Qubes.

Not only are you not required to route traffic over Tor, but you can create arbitrary tree network topologies for all VMs.

For example, see the screenshot on https://github.com/kbrn/qubes-app-print-vm-status. VMs can access the 'net through "sys-firewall" (i.e. in the clear); or through "[redacted]-vpn", which has firewall rules enforced by "sys-firewall" that reject any traffic not to the designated VPN endpoint; or through "sys-whonix", which obviously routes all traffic over Tor.

Another great feature afforded by combining Qubes and Whonix is that it's trivial to use Whonix as a disposable VM, so you can really be sure one browser instance (say, for porn) can never affect another browser instance (say, for Facebook, or for leaking the next tranche of NSA docs).

Let's say I'm living in, say, Russia and I use this distro. Let's say I want to say some nasty things about Putin. Let's say they are so nasty, that Putin may want to kill me as a result. If I use this OS, is it possible to post the content in a way people can find it and not be identified? If so, what other steps would I have to take to do?

Is this a crazy question?

Are there trusted resources that spell out how to do it?

Would you trust the answers with your life?

The Grugq has some awesome write ups on OpSec. He is the authoritative source on it. Google around for his tumblr, medium posts, and grugq's github [1].

[1]: http://grugq.github.io/blog/archives/

The thing is: people in power may not know what you did, but they can know that you're using Tor, which is enough to give you a lot of trouble.

No, I wouldn't trust just 1 solution and 1 hidden / obfuscated route.


How does this compare to an existing secure Linux distro with Tor support like Tails (https://tails.boum.org/)?

Whonix theoretically provides better protection against de-anonymization via through-the-browser attacks, because it runs the Tor router in a separate virtual machine from user applications like the browser. So if the browser is compromised, it can't "phone home" to the attacker over the regular internet: all the attacker's traffic is obliged to go over Tor, unless he/she can break out of the VM.

Such an attack was used by the FBI to de-anonymize users of Freedom Hosting, a few years back. https://en.wikipedia.org/wiki/Operation_Torpedo

What's the difference between "Live USB" and "USB Bootable"?

"live" usually means it runs entirely in memory.

I.e. without persistence

They're both Debian-based desktops, so pretty similar from a user perspective.

The biggest difference is that Tails is designed to be entirely amnesiac, and leave no forensic trace. Whonix is a persistent system.

Whonix can be configured to be not persistent, and Tails can be configured to be persistent. Out of the box configuration is the biggest difference. However, Whonix is set up to be run as a set of virtual machines. One of the reasons I like Whonix better is that this dual virtual machine setup means that, should you get kicked off of Tor in the virtual machine that acts as a gateway, the other virtual machine does not have any fallback connection, effectively preventing accidental access of the internet while unprotected.

The added risk to Whonix is that if your host system is sufficiently compromised, there's no real guarantee of anonymity. A lot of people end up running Tails in a VM, though, and someone has to be pretty serious about wanting to see what you're doing for that to be a real issue.

> Tails is designed to be entirely amnesiac, and leave no forensic trace

Does Tails drop privileges to the extent that root can't mount the hard drive and modify it?

It can mount HD, but the read/write privileges are the same as any other OS I imagine. I've copied files from my HD to Tails, but I've yet to try dropping files into the shared folder on my HD.

It's just another Linux distro, not a new operating system.

While you're correct that this is a Linux distro, it should be pointed out that nowhere does it state that this is a "new operating system."

The article title is "Whonix - a desktop operating system...". That seems to indicate a new operating system, not a paint job.

I agree it should probably say "Whonix - A Linux Distro for..." Minor detail, though.

For others reading, a new OS for anonymity would be something like removing identifiers from and integrating Tor with seL4 (or Fiasco.OC), Genode, EROS, ExpressOS, or Redox. Key components of these don't make up a whole OS but could be with specific tech and a UI.

No, in this context it is distinguishing itself from browsers and live OSes.

How does Whonix provide privacy? From the details I see that it is providing anonymity through TOR, but I don't see any mention of encryption.

It uses two VMs, the gateway VM and the workstation VM.

The workstation VM is the Linux box with the GUI and connects to the gateway VM.

So you do all your work and browsing in a guest machine where everything is routed through TOR.

Regarding encryption, that's a loaded statement. Read up on what specifically you want and see if it has it.

The VMs are just another measure added for anonymity not privacy. Specifically with regards to security we take anonymity to mean generally speaking protecting who we are and privacy to mean protecting what we are doing.

As an example; when I log in to my bank account this should be using a secure connection, but if I'm doing this from an internet cafe connecting to an untrusted wifi network I could be at risk that someone is ARP spoofing + SSL stripping. To not put myself at risk I would use a VPN with end to end encryption. This is privacy; I want to protect my banking data, but it does not provide anonymity; I do not care that anyone knows I'm checking my bank account so long as they can't steal my login/password.

Here are KVM images for libVirt (e.g. with the GUI virt-manager):


One of the most thoroughly documented projects that I've come across.


Would it be possible/make sense to use Docker for this?

Using something like Whalebrew? https://github.com/bfirsh/whalebrew

No, Docker is not built for security. I do use Docker sometimes to isolate processes, but not for serious security.

If properly configured, why not? What would stand in the way of implementing a secure containerized version of the workstation+gateway type setup?

Theoretically, nothing. In practice, the isolation it relies on is somewhat weak. And in general, it is new and exciting and changing frequently, which means security bugs. Also, most people seem to rather suck at configuring it, as far as I've seen. (That's not per se a problem with Docker, but it is frequently a problem with Docker as-deployed.) And then there are potential kernel bugs.

When talking about "trusting X", one always has to answer the question "trust X to do what, exactly, under what circumstances?" I don't yet trust Docker to be secure enough for production, internet-exposed business use. I know other people disagree; YMMV.

You could break out of the isolation by using kernel vulnerabilities, e.g., in syscalls.

Do you mean to implement this with Docker or just to use Docker with this OS?

nth'ing the other warnings about this approach, but thanks for mentioning whalebrew. Looks very interesting.

They should probably offer ISOs too so one can more easily try it using kvm or vmware instead of virtualbox.

They have KVM images as well, and KVM was the suggested model on Linux last time I looked.

Operating System is a heavy word to throw around for something that's just a Debian derivative.

Opened hoping for something microkernel-based... bummer.
