Schneier on Security

dutch ditch digger • November 15, 2012 5:10 AM

Devs cook up ‘leakproof’ all-Tor untrackable platform Whonix? You’ll never find out, The Man

By John Leyden | 11.13.2012

http://www.theregister.co.uk/2012/11/13/whonix/

http://sourceforge.net/p/whonix/wiki/Home

“Developers are brewing an anonymous general purpose computing platform, dubbed Whonix.

Whonix is designed to ensure that applications (such as Flash and Java etc) can only connect through Tor. The design goal, at least, is that direct connections (leaks) ought to be impossible. “This is the only way we know of that can reliably protect your anonymity from client application vulnerabilities and IP/DNS and protocol leaks,” the developers explain.

The main goal is to prevent the determination of users’ IP address and location. Not even malware that has buried deep into machines can access IP address information. In this way, Whonix aims to be safer than Tor anonymity software alone.

Whonix can be used in conjunction with VPN technology – routing networks through isolated remote computer networks – for even greater security.

The technology is better described as design approach or platform than as an operating system. In one example, the implementation of anonymity is provided around Tor on two virtual machines using VirtualBox and Debian GNU/Linux. Whonix can be installed on every computer capable of running Virtual Box (virtualisation software), so it supports Windows, OS X, Linux, BSD and Solaris. Running the technology on physically separate machines (a Whonix gateway and a Whonix workstation) would also work, and might provide greater security, say the devs.

The technology is currently only at an Alpha stage of early development, making it suitable for use only for the computing equivalent of test pilots.

In a post to a full disclosure mailing list last week, the main developer behind the project explains its goal and requests help from other members of the development community.

More details on the emerging computing platform can be found in a development Wiki here. The developers are pretty open about the tradeoff in using their technology (more complex set-up, potentially slower) as well as the anonymity advantages of their approach.

Paul Ducklin, head of technology in Asia Pacific for Sophos, said the approach followed by Whonix is different from the Live CDs associated with more traditional anonymity systems. This brings advantages as well as some drawbacks.

“Whonix is different from most existing ‘all-in-one anonymity’ systems inasmuch as the lead developer decided not to stick to the idea of a Live CD but to go with a set of virtual machines that don’t need to fit on a CD or to boot from one,” Ducklin explained.

“This allows much greater functionality and easier security updating.”

The main disadvantage is that Whonix is more complex than comparable systems.

“The safety and security of your Whonix environment is dependent on the safety and security of your host OS, of the virtualisation software and of its configuration,” Ducklin told El Reg. “The anonymity system then becomes, at worst, no more secure than the host itself. So you just took one problem (guest anonymity) and made it two problems (guest anonymity and host security).

“Whonix’s size also makes its internal surface area larger than is strictly necessary. That in turn brings its own risks.”

Ducklin added that there are many “tricks and traps of anonymity online”, many covered by the Whonix developer. He added that users would be well advised to review these before placing their faith in Whonix (or any other approach) to shield their identity online.”

http://seclists.org/fulldisclosure/2012/Nov/2

http://sourceforge.net/p/whonix/wiki/Security