Date: Tue, 14 Apr 2015 21:41:30 +0000
From: WhonixQubes <whonixqubes@riseup.net>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] [tor-dev] Porting Tor Browser to the BSDs

On 2015-04-14 1:05 pm, Apple Apple wrote:
> I'm not too familiar with Whonix. May I ask what it does exactly to protect
> the system from a malicious actor with root level access to the "gateway"
> machine?


Dave's response addresses this. The point is not to absolutely isolate 
the Whonix-Gateway where the Tor process is. Although the 
Whonix-Gateway does force its own connections through Tor, it is not 
secure against root-privileged malware.

Rather, the point is for your user machine (Whonix-Workstation) to be 
securely isolated from reaching the clearnet, getting your real IP or 
MAC address, etc.

You don't want the Tor process to be in the same security domain as the 
user applications, since something malicious or misbehaving can simply 
bypass it in one shot. Tails puts them both in the same general security 
domain, so Tor protection can be bypassed and then it is game over.


> Additionally is there any analysis or guidance on the safe hardware and
> software configuration of virtual machines from the Whonix project?
> 
> As you may be aware, virtual machines are not a security product in and of
> themselves and they are certainly not magic.


The reality of this is somewhat different with Qubes.

This is why I launched the Qubes + Whonix project last year.

The security strength of Qubes VM isolation goes meaningfully beyond 
typical VMs.

More info:  https://www.whonix.org/wiki/Qubes



> Do you suppose that it may be the case that malicious software has a harder
> time gaining root privileges on Tails than breaking out of a badly
> configured virtual machine?


I believe it is probably generally harder to break out of a virtual 
machine than root a Linux distro, like Tails, because hypervisors have a 
more limited attack surface compared to a full monolithic OS.

If you use Qubes, then it is infinitely harder to root the host system.


> Do not forget that hypervisor software has bugs too and generally has
> unrestricted access to the host machine.


Right. But hypervisors are more minimal than a full bloated monolithic 
Linux OS with hundreds of millions of lines of code, so naturally less 
general attack surface exists to exploit.

For a usable system, Qubes currently goes the furthest with secure host 
isolation.

I'm also working to push even further towards building even stronger 
security + anonymity systems in the future.


> May I also ask if Whonix addresses the other key feature of Tails which is
> ensuring that there will be no forensic evidence left behind after usage?


Not at this time.

However, with disk encryption, deleting VMs after usage, and overwriting 
disk space, this same anti-forensics effect can be accomplished with 
Whonix.


WhonixQubes

