By Jake Edge
October 17, 2012
Creating a distribution for anonymity on the internet has its challenges.
But it's important, especially for those living under repressive
regimes. Getting the details right is clearly an overriding concern, which
is why distributions of this kind tend to turn to Tor to provide that anonymity. But,
Tor alone does not necessarily insulate users from disclosing personally
identifiable information.
We looked at The Amnesic Incognito Live
System (Tails)—a Tor-based live
distribution—back in April 2011. But, regular applications or
malware on a Tails system can
potentially leak some information (e.g. IP
address) that might be used to make a link between the user and their
internet activity. The new Whonix
distribution, which released
an alpha version on October 9, uses virtualization to isolate the Tor
gateway from the rest of the system, in part to eliminate those kinds of
leaks.
Whonix is based on Debian and VirtualBox. It creates two separate virtual
machines (VMs), one that runs all of the applications, and another that acts as a
Tor gateway. All of the network traffic from the application VM (which is
called the Whonix-Workstation) is routed through the Whonix-Gateway VM.
That means the only network access available to applications is anonymized
by Tor.
That setup has a number of benefits. For one, malware running on the
Whonix-Workstation has no visibility into the actual configuration of the
underlying system, so things like IP address, MAC address, hardware
serial numbers, and the like, are all hidden. In addition, Whonix can be
used in a physically isolated way, where the Workstation and Gateway run on
two separate machines. It isn't only Linux that can be protected with
Whonix, either, as Windows or other operating systems can be installed as
the Whonix-Workstation.
The iptables rules on the workstation redirect all traffic to the gateway
and disallow any local network connections. In addition, the firewall
on the gateway fails "closed", disallowing any connections if Tor
fails. Whonix also configures the system and various applications to
reduce or eliminate information leaks. That includes using UTC for the
time zone, having the same desktop resolution, color depth, and installed
fonts on all installations, and setting the same virtual MAC address on all
workstations. The user on Whonix is "user" and applications like GPG are
configured to not leak operating system version information.
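The two firewall properties described above (a workstation that may only talk to the gateway, and a gateway that fails "closed" when Tor is gone) are the kind of thing worth checking mechanically after building such a system. The script below is an added example written for this article, not code from the Whonix project: it parses `iptables-save` output and reports rules that violate either property. The gateway address, the numeric uid of the Tor daemon, and the rule dumps are constructed placeholders, not Whonix's actual ruleset.

```python
"""Audit an iptables-save dump for the firewall properties the article describes:
a Whonix-Workstation whose filter only lets packets reach the gateway (no local
network access), and a Whonix-Gateway that fails closed (DROP policies, and only
the Tor process may send outbound).  Added example, not Whonix's own ruleset;
the gateway address, the tor uid and the sample dumps are constructed."""

GATEWAY_IP = "192.0.2.10"   # placeholder: internal address of the gateway VM
TOR_OWNER = "104"           # placeholder numeric uid of the tor daemon
                            # (iptables-save prints --uid-owner numerically)


def parse_iptables_save(dump):
    """Parse iptables-save text into {table: {"policies": {chain: policy}, "rules": [...]}}."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":"):               # chain policy, e.g. :OUTPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A"):              # a rule appended to a chain
            tables[current]["rules"].append(line)
    return tables


def _opt(toks, flag):
    """Value following a single iptables option flag, or None if absent."""
    for i, t in enumerate(toks[:-1]):
        if t == flag:
            return toks[i + 1]
    return None


def _output_accepts(tables):
    """Tokenised filter/OUTPUT rules whose target is ACCEPT."""
    for rule in tables.get("filter", {}).get("rules", []):
        toks = rule.split()
        if toks[:2] == ["-A", "OUTPUT"] and toks[-2:] == ["-j", "ACCEPT"]:
            yield toks


def audit(dump, role):
    """Return a list of findings; an empty list means the dump has the expected shape.
    role is "workstation" or "gateway"."""
    tables = parse_iptables_save(dump)
    findings = []
    policies = tables.get("filter", {}).get("policies", {})
    # Fail-closed: every filter chain must default to DROP, so that if tor dies
    # (or a rule is missing) nothing leaves unanonymized.
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"filter {chain} policy is {policies.get(chain)!r}, not DROP")
    for toks in _output_accepts(tables):
        if _opt(toks, "-o") == "lo":
            continue                             # loopback traffic is not a leak
        if role == "workstation":
            # Only the gateway may be reached; any other destination (LAN included) is a leak.
            dst = _opt(toks, "-d")
            if dst is None or dst.split("/")[0] != GATEWAY_IP:
                findings.append("workstation OUTPUT accepts non-gateway traffic: " + " ".join(toks))
        elif role == "gateway":
            # Only packets owned by the tor process may leave the gateway.
            if _opt(toks, "--uid-owner") != TOR_OWNER:
                findings.append("gateway OUTPUT accepts traffic not owned by tor: " + " ".join(toks))
    return findings


# Constructed samples in iptables-save format (not real Whonix rules).
WORKSTATION_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -j ACCEPT
COMMIT
"""

# The same workstation with a rule allowing the LAN: the local-network access the article says is disallowed.
LEAKY_WORKSTATION_DUMP = WORKSTATION_DUMP.replace(
    "-A OUTPUT -d 192.0.2.10/32 -j ACCEPT",
    "-A OUTPUT -d 192.0.2.10/32 -j ACCEPT\n-A OUTPUT -d 192.168.1.0/24 -j ACCEPT")

GATEWAY_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 104 -j ACCEPT
COMMIT
"""

# A gateway whose OUTPUT policy is ACCEPT would let traffic out if tor stopped: it fails open.
OPEN_GATEWAY_DUMP = GATEWAY_DUMP.replace(":OUTPUT DROP [0:0]", ":OUTPUT ACCEPT [0:0]")

if __name__ == "__main__":
    for name, dump, role in [("workstation", WORKSTATION_DUMP, "workstation"),
                             ("leaky workstation", LEAKY_WORKSTATION_DUMP, "workstation"),
                             ("gateway", GATEWAY_DUMP, "gateway"),
                             ("open gateway", OPEN_GATEWAY_DUMP, "gateway")]:
        print(name, audit(dump, role) or "ok")
```

On a real system the dump would come from `iptables-save` run on each VM; the checker deliberately treats anything it does not recognise (a rule without `-d`, a non-loopback ACCEPT without an owner match) as a finding, so that an unexpected rule is reported rather than silently passed.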
As envisioned, Whonix is a framework that is "agnostic about
everything",
including using alternatives for the anonymized network (e.g. JonDo,
freenet), virtualization
mechanism (e.g. KVM, Xen, VMWare), and host and guest
operating systems (e.g. Windows, *BSD). Any of those pieces can be swapped
out "with some
development effort", but the developers are concentrating on the
Debian/VirtualBox/Tor combination, at least currently.
Isolating applications in a single VM does not protect against all
anonymity-piercing attacks. Malware can (and does) send the contents of
files to remote hosts, which can, obviously, provide personally
identifiable information. The Whonix documentation suggests
using multiple workstation VMs, one for each type of activity. That idea is, in some ways, similar
to the concept behind Qubes, another
virtualization-based security-oriented operating system.
The security of Whonix is obviously dependent on its constituent parts,
including the Linux kernel, VirtualBox, and Tor itself, but it also depends
on how the system has been put together. It is perhaps not
a surprise that the developer behind Whonix is pseudonymous,
"adrelanos", but he or she seems keenly aware that vetting of Whonix is
required before users can potentially put their lives at risk by using it. The
release announcement says: "I hope skilled people look into the
concept and
implementation and fail to find anonymity related bugs." As with
most (all?) projects, Whonix is also looking for more developers to work on it.
The project does come with an extensive Security
document that covers the technology behind Whonix, its advantages and
disadvantages, threat model, best practices, and so on. It also has an
in-depth comparison of
Whonix with
Tails and the Tor Browser
Bundle, which is a browser configured to use Tor and to avoid leaking
identifiable information. Whonix is an ambitious project that overlaps with
Tails to some extent (though there is an extensive
justification for having separate projects), but the projects do
collaborate, which bodes well for both.
Brief items
When, as in the case of node.js, upstream is antisocial and has an
overinflated sense of self-importance, it's perfectly appropriate for Debian
to work contrary to their design. Our job is not to make upstreams happy,
it's to make our *users* happy; and while being good Free Software citizens
means we try to respect the wishes of upstreams as well, there are
exceptions.
--
Steve Langasek
I use RMS as a guide in the same way that a boat captain would use a
lighthouse. It's good to know where it is, but you generally don't want
to find yourself in the same spot.
--
Tollef Fog Heen (Thanks to Chris Cunningham)
For F19 I plan to submit a feature asking for not installing syslog by
default anymore. I wonder how far I'll get with this before this is
shut down by the conservatives... ;-)
--
Lennart Poettering
Note: I don't want to smash down the discussion with a lame "show me the
code" argument. But I do want to avoid the impression that "we're unable
to decide" when in fact, in this case, we are and we did. But that's,
unfortunately, not enough to make appear out of thin air the code
implementing the decision.
--
Stefano Zacchiroli
The NetBSD Project has announced NetBSD 6.0. "Changes from the
previous release include scalability improvements on multi-core
systems, many new and updated device drivers, Xen and MIPS port
improvements, and brand new features such as a new packet filter."
OpenELEC is an embedded Linux distribution that aims to allow people to
use their Home Theatre PC in the same manner as any other device attached
to your TV. "OpenELEC 2.0 is the first stable Distribution ever, that includes direct XVBA (X-Video Bitstream Acceleration) support for XBMC. The advantages introduced by this implementation are enormous. It is now possible on AMD Systems with integrated UVD (Unified Video Decoder) to playback every H.264 and VC-1 encoded content directly. This reduces CPU usage drastically."
Distribution News
openSUSE
openSUSE 11.4 will no longer be maintained after November 5, 2012.
"However, the community Evergreen team plans to provide ongoing
maintenance for openSUSE 11.4. More details on this will be published when
they are known."
Newsletters and articles of interest
The H reports on Fedora's plan to retire the smolt hardware census on November 7.
"A page on the Fedora wiki dealing with the program's retirement lists several reasons for the decision. It seems that the information collected from the program was not as useful as the developers had hoped. Since the data resulted from an opt-in process, it was always skewed and could not be used to generalise about the distribution's install base. Added to this was the fact that the software had not been maintained for a while and does not work on RHEL 6. It is clear, from the wiki, that the Fedora development team have decided to change their approach to collecting data about their install base."
The H reports that the foundation governing Mandriva's community distribution will be
called OpenMandriva. The name of the distribution will be chosen by the
community once the OpenMandriva foundation has been set up and formally
takes over from Mandriva SA.
TaskuMuro has a lengthy history of Maemo and MeeGo, translated from the Finnish version at Muropaketti. It looks at the various devices Nokia created, starting with the N770 in 2005 and continuing through the concept devices that were under development up until Nokia pulled the plug on MeeGo. "The Harmattan UI was originally based on the Activity Theory principle, a frame of reference for studying human behavior and development processes. The goal is to understand society, personality and, most importantly, how these two are connected. The theory was originally developed by the Russian psychologist Vygotsky.
[...]
The aim was to utilize information on how people combine tasks and communicate with each other, and thus support these ways of working instead of forcing people to adopt technology-based working models. The system would adapt to the way the user interacts with it, to ensure reciprocated interaction."
(Thanks to Jussi Saarinen.)
Page editor: Rebecca Sobol