Whonix » Important
https://www.whonix.org/blog
Privacy and Anonymity OS
Mon, 16 Mar 2015 22:47:20 +0000

[Solved] – Unmaintained Notice! – Whonix inside KVM – Looking for contributor!
https://www.whonix.org/blog/unmaintained-notice-whonix-inside-kvm-looking-for-contributor
Fri, 27 Feb 2015 20:52:04 +0000

Update: KVM maintainer HulaHoop is back.

Since the previous Whonix-in-KVM maintainer, HulaHoop, was last active on January 04, 2015, it’s safe to assume this person got lost. No idea why HulaHoop went inactive. There was no notice of departure, argument or anything of the sort. I would like to thank HulaHoop for their work on support for running Whonix inside KVM. As of Whonix 9, the status was “testers-only” and would likely have changed to “stable” in Whonix 10. So most integration work is already done. A new contributor would be welcome to take over from there.

What does this mean for you as a user? No one from the Whonix team will keep KVM in mind. Any security issues that come up with KVM with respect to Whonix would go unnoticed. Questions in the Whonix KVM subforum will likely not be answered by anyone from the Whonix team. You are encouraged to move on to platforms that are still supported. The KVM wiki page has been updated to reflect this information.

Unfortunately, due to the work generated by blessing a platform as supported, the current Whonix team cannot take over HulaHoop’s task. A dedicated maintainer is required for that platform. This is partly because KVM is too support intensive: there are too many KVM installation issues from various distribution package sources; KVM gives unhelpful, cryptic error messages if the XML files use a feature that is not available on the platform; and one ought to look over KVM changelogs and think through if/how those affect Whonix.

The post [Solved] – Unmaintained Notice! – Whonix inside KVM – Looking for contributor! appeared first on Whonix.

Bug: Tor Browser Alpha rather than Tor Browser Stable being installed by Tor Browser Updater (AnonDist)
https://www.whonix.org/blog/bug-tor-browser-alpha-rather-than-tor-browser-stable-being-installed-by-tor-browser-updater-anondist
Thu, 05 Feb 2015 11:55:10 +0000

The version file format was changed, and there is no stable version format.

If you want to use the stable version of Tor Browser, you have to use these instructions in the meantime:
https://www.whonix.org/wiki/Manually_Updating_Tor_Browser

Forum Discussion:
https://www.whonix.org/forum/index.php?topic=939

Whonix Issue Tracker:
https://phabricator.whonix.org/T130

The post Bug: Tor Browser Alpha rather than Tor Browser Stable being installed by Tor Browser Updater (AnonDist) appeared first on Whonix.

Abstain from using Stream Isolation SocksPort 9152
https://www.whonix.org/blog/abstain-from-using-stream-isolation-socksport-9152
Mon, 26 Jan 2015 20:33:41 +0000

Easy / TLDR:
Using stream isolation (https://www.whonix.org/wiki/Stream_Isolation) with custom ports? With port 9152?
Don’t do this anymore in Whonix 10 and above! Use any higher port numbers as per stream isolation documentation!

Long:

Reasons:
Tor Messenger will use that port in future. (https://phabricator.whonix.org/T107)
Enabling IsolateDestAddr and IsolateDestPort for it (https://trac.torproject.org/projects/tor/ticket/14382) might be recommended.

 

The post Abstain from using Stream Isolation SocksPort 9152 appeared first on Whonix.

Whonix Signing Key Expired (KEYEXPIRED Error)
https://www.whonix.org/blog/whonix-signing-key-expired-keyexpired-error
Sun, 18 Jan 2015 02:20:49 +0000

Issue and fix documented in the wiki:
https://www.whonix.org/wiki/Download#KEYEXPIRED_Error

Forum support thread:
https://www.whonix.org/forum/index.php/topic,892

The post Whonix Signing Key Expired (KEYEXPIRED Error) appeared first on Whonix.

Tor Browser’s Internal Updater – Security Warning
https://www.whonix.org/blog/tor-browsers-internal-updater-security-warning
Sun, 07 Dec 2014 23:07:55 +0000

Until further notice, it is recommended not to use Tor Browser’s Internal Updater for security reasons.

More information, including how to update securely, is documented in the wiki; see:
https://www.whonix.org/wiki/Tor_Browser#Updating

User support discussion:
https://www.whonix.org/forum/index.php/topic,810

Forum development discussion:
https://www.whonix.org/forum/index.php/topic,807

Update:
The Tor Project has fixed this in TBB version 4.5a3. (As per blog post.)

The post Tor Browser’s Internal Updater – Security Warning appeared first on Whonix.

Whonix 9.4 Maintenance Release
https://www.whonix.org/blog/whonix-9-4-maintenance-release
Mon, 17 Nov 2014 14:52:26 +0000

Download:
http://mirror.whonix.de/9.4/

Upgrading:
Existing users can upgrade the usual way using apt-get, see also: https://www.whonix.org/wiki/Security_Guide#Updates

Changelog between 9.3 and 9.4:
– tb-updater: fixed remote download location to cope with The Tor Project’s changes – https://github.com/Whonix/Whonix/issues/366
– build script: updated frozen repository
– build script: use specific codename (wheezy) rather than generic code name (stable) as per “build script broken because of using grml-debootstrap with --release stable” – https://github.com/Whonix/Whonix/issues/368

The post Whonix 9.4 Maintenance Release appeared first on Whonix.

hidden service for whonix.org taken offline
https://www.whonix.org/blog/hidden-service-for-whonix-org-taken-offline
Sun, 09 Nov 2014 23:31:54 +0000

Fortasse (whonix.org webmaster) and I agreed to take down the hidden service for whonix.org http://xxxxxxxxxxh5kyrx.onion.

(If you’re wondering why we provided a hidden service but didn’t use it for location privacy, see:
https://www.whonix.org/wiki/Forcing_.onion_on_Whonix.org)

The reason for this unfortunate change is that the Tor service on whonix.org took an immense amount of CPU time. So much that the whole of whonix.org was no longer accessible without a server reboot.

The bug we’re affected by has probably already been reported:
https://trac.torproject.org/projects/tor/ticket/8864

Unfortunately, it is unlikely that this bug will be fixed anytime soon:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031531.html

See also:
https://blog.torproject.org/blog/hidden-services-need-some-love

The post hidden service for whonix.org taken offline appeared first on Whonix.

Whonix 9.3 Maintenance Release
https://www.whonix.org/blog/whonix-9-3-maintenance-release
Sat, 18 Oct 2014 13:30:35 +0000

Download:
https://www.whonix.org/wiki/Download

Upgrading:
Existing users can upgrade the usual way using apt-get, see also: https://www.whonix.org/wiki/Security_Guide#Updates

Changelog between 9 and 9.3:
– anon-gw-anonymizer-config: Fixed startup of Tor, which failed due to an AppArmor conflict as per bug reports in the forums https://www.whonix.org/forum/index.php/topic,559.0.html. Needed to comment out “/usr/bin/obfsproxy rix,” in file “/etc/apparmor.d/local/system_tor.anondist” because The Tor Project added “/usr/bin/obfsproxy PUx,” to file “/etc/apparmor.d/abstractions/tor”. Therefore users of obfsproxy will now end up running obfsproxy unconfined, because we would now require a standalone obfsproxy AppArmor profile. Note that this is not a Whonix-specific issue. Even if you were using plain Debian, no one redistributes an obfsproxy AppArmor profile at the time of writing.
– updated frozen sources (contains apt-get and bash security fixes)
– updated frozen sources (contains bash shellshock #2 fixes)
– anon-ws-disable-stacked-tor: Tor Browser 4.x compatibility fix
– tb-starter: Tor Browser 4.x compatibility fix

Update:
Removed “testers-wanted” from title. Blessed stable.

The post Whonix 9.3 Maintenance Release appeared first on Whonix.

Bug: Tor no longer starts after upgrade / no Tor pid error – Workaround
https://www.whonix.org/blog/bug-tor-no-longer-starts-after-upgrade-no-tor-pid-error-workaround
Wed, 24 Sep 2014 19:39:14 +0000

If you are affected by this bug, please see the following link for a workaround:
https://www.whonix.org/wiki/Download#Connection_Issues_-_Tor_stops_working_after_an_Upgrade_and_needs_a_Workaround

Use this forum thread to discuss it if you have any questions:
https://www.whonix.org/forum/index.php/topic,559.0.html

There will also soon be a maintenance release fixing this issue. In the meantime, use the workaround mentioned above.

The post Bug: Tor no longer starts after upgrade / no Tor pid error – Workaround appeared first on Whonix.

Whonix Anonymous Operating System Version 9 Released!
https://www.whonix.org/blog/whonix-anonymous-operating-system-version-9-released
Fri, 19 Sep 2014 20:06:12 +0000

Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.

Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.

Download Whonix for VirtualBox

https://www.whonix.org/wiki/Download

Download Whonix for KVM / QEMU / Qubes

This is only useful if you have a tester’s mindset!

Instructions for KVM:
https://www.whonix.org/wiki/KVM

Instructions for QEMU:
https://www.whonix.org/wiki/QEMU

Instructions for Qubes:
https://www.whonix.org/wiki/Qubes

Call for Help

– If you know shell scripting (/bin/bash) and Linux system administration, please join us! There are plenty of ways to make Whonix safer.
– We are also looking for download mirrors.
– For https://www.whonix.org we need some help with CSS, HTML, MediaWiki, WordPress and web design.
– Contribute: https://www.whonix.org/wiki/Contribute
– Donate: https://www.whonix.org/wiki/Donate

If you want to upgrade an existing Whonix version using Whonix’s APT repository
Upgrading Whonix 8 to Whonix 9
– You cannot upgrade using apt-get dist-upgrade or you will break the packaging system!
– You can upgrade using these instructions: https://www.whonix.org/wiki/Upgrading_Whonix_8_to_Whonix_9

If you want to upgrade an existing Whonix version from source code

See https://www.whonix.org/wiki/Dev/BuildDocumentation.

If you want to build images from source code

See https://www.whonix.org/wiki/Dev/BuildDocumentation.

Physical Isolation users

See https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation.

Changelog between Whonix 8 and Whonix 9

– Modding and extending Whonix, such as installing a different desktop environment, is now much simpler because Whonix has been split into smaller packages (https://github.com/Whonix/Whonix/issues/40). Understanding Whonix internals has therefore also become simpler.
– added testers-only libvirt (kvm, qemu) support
– providing xz archives with sparse .qcow2 images
– added experimental Qubes support
– A new feature for VPN lovers has been added. VPNs can now also be easily installed on Whonix-Gateway. Previously, many VPN users who wanted to route Tor through a VPN (user -> VPN -> Tor) preferred to install VPNs on the host and had little other choice. Some did so in conjunction with VPN-Firewall, to avoid connecting without the VPN if the VPN (software) breaks down. Physical isolation users could not easily use a VPN on Whonix-Gateway and naturally had no host. VPN-Firewall features have been added to Whonix-Gateway’s firewall in. network-manager-kde and OpenVPN are now installed by default to aid users who want to hide Tor and Whonix from their ISP.
– Lots of AppArmor profiles are now installed from Whonix’s APT Repository, thanks to troubadoour for creating them!
– fixed Tor restart bug when updated by apt-get
– updated Debian packages including Heartbleed OpenSSL bug fix
– VirtualBox version: no longer recommending to use VirtualBox’s snapshot feature in VirtualBox’s VM import text due to data loss bug in VirtualBox
– Breaking change: Changed Whonix-Gateway internal IP address to 10.152.152.10 and netmask to 255.255.192.0 to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.
– Breaking change: Changed Whonix-Workstation internal IP address to 10.152.152.11, netmask to 255.255.192.0 and gateway to 10.152.152.10 to avoid conflicts, such as with real networks when using physical isolation and to aid KVM users.
– use logrotate for bootclockrandomization, sdwdate, control-port-filter, timesanitycheck
– fixed timezone question during upgrade for Whonix build version 9 and above
– encrypt swapfile on boot with random password, create swap file on boot using init script instead of postinst script (package: swap-file-creator)
– Whonix-Gateway firewall: reject invalid outgoing packets
– added spice-vdagent to anon-shared-packages-recommended for better kvm support
– ram adjusted desktop starter (package: rads): fixed lightdm (/usr/sbin/…) auto detection
– Physical Isolation: automated ‘Install Basic Packages’ ('sudo apt-get install $(grep -vE "^\s*#" grml_packages | tr "\n" " ")') build step
– Changed keyserver (suggested by tempest @ https://www.whonix.org/forum/index.php/topic,140.0.html) from hkp://2eghzlv2wwcq7u7y.onion to hkp://qdigse2yzvuglcix.onion as used by torbirdy and https://raw.github.com/ioerror/torbirdy/master/gpg.conf.
– Whonix-Gateway: Re-enabled AppArmor for System Tor. Removed workaround for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732578 (USE_AA_EXEC="no") by removing Whonix’s displaced (config-package-dev) /etc/default/tor since that bug has been fixed upstream.
– bootclockrandomization: randomizing milliseconds (anonymous, unlink from the host)
– Whonix-Workstation: added password manager fpm2 as per https://www.whonix.org/forum/index.php/topic,187.15.html
– removed --onion feature from update-torbrowser and its man page because torproject took its .onion domain permanently offline (https://trac.torproject.org/projects/tor/ticket/11567); thanks to z (https://www.whonix.org/forum/index.php?action=profile;u=94) for the report (https://www.whonix.org/forum/index.php/topic,277.msg1827.html#msg1827)
– help_check_tor_bootstrap.py:
  – suggestions by Damian Johnson from https://lists.torproject.org/pipermail/tor-dev/2014-May/006799.html and https://lists.torproject.org/pipermail/tor-dev/2014-May/006804.html
  – troubadour advised on implementation https://www.whonix.org/forum/index.php/topic,278.0
  – controller.authenticate("password") isn’t required, controller.authenticate() works
  – more robust method to parse Tor bootstrap percent
– removed obsolete whonix_gateway/usr/bin/armwrapper (user “user” is now member of group “debian-tor”, so no longer required to start arm as user “debian-tor”)
– removed backgroundd, was replaced by gateway first run notice https://www.whonix.org/forum/index.php?topic=207
– added machine readable copyright files
– better output, better formatting, clickable links, thanks to https://github.com/troubadoour for working on msgcollector
– kde-kgpg-tweaks: added gnupg-agent to dependencies because we’re using it in the config and because otherwise kgpg would complain about using use-agent while having no agent installed
– Refined whonixlock.png. Thanks to nanohard (https://www.whonix.org/forum/index.php?action=profile;u=248) for the edit!
– added apt-transport-https to anon-shared-packages-dependencies
– added openvpn to anon-shared-packages-recommended
– added network-manager-kde to anon-shared-desktop-kde
– changed displace extension from .apparmor to .anondist, thanks to http://mailman.mit.edu/pipermail/config-package-dev/2014-May/000018.html
– control-port-filter: Added “lie feature”, i.e. when getting asked “GETINFO net/listeners/socks” answer '250-net/listeners/socks="127.0.0.1:9150"'; configurable by CONTROL_PORT_FILTER_LIMIT_GETINFO_NET_LISTENERS_SOCKS variable. Enabled by default.
– control-port-filter: Limit maximum accepted command string length to 128 (configurable) as done by Tails (https://mailman.boum.org/pipermail/tails-dev/2014-February/005041.html). Thanks to HulaHoop (https://www.whonix.org/forum/index.php?action=profile;u=87) for suggesting this (https://www.whonix.org/forum/index.php/topic,342.0.html).
– control-port-filter: added GETINFO status/circuit-established to whitelist
– control-port-filter: replaced netcat-traditional dependency with netcat-openbsd as per https://www.whonix.org/forum/index.php/topic,444.0.html
– sdwdate: implemented options --no-move-forward and --no-move-backwards (disabled by default)
– sdwdate: implemented option to update hardware clock --systohc (disabled by default)
– sdwdate: no more clock jumps. Gradually adjust clock as NTP does. Sclockadj has been written by Jason Ayala (Jason@JasonAyala.com) (@JasonJAyalaP) – https://github.com/Whonix/Whonix/issues/169
  – Sclockadj helps sdwdate gradually adjust the clock instead of producing clock jumps, which can confuse Tor, i2p, servers, logs and more.
  – It can add/subtract any amount of nanoseconds.
  – It supports waiting an interval of min/max nanoseconds between iterations, which will be randomized if min/max differs.
  – It supports slewing the time for min/max nanoseconds, which will be randomized if min/max differs.
  – It supports waiting before its first iteration.
  – It can run either verbose or quiet.
  – It supports either really changing the time or running in debug mode.
– sdwdate: use median instead of average as suggested in https://www.whonix.org/forum/index.php/topic,267.0.html
– whonixcheck: don’t check just if Tor is fully bootstrapped, also check if Tor was actually able to create a circuit.
– whonixcheck: increased Tor socks port reachability test timeout from 5 to 10 as per https://www.whonix.org/forum/index.php/topic,129.0.html
– whonixcheck: fixed apt-get --simulate parsing code, whonixcheck can now also report how many packages could be upgraded when using non-English languages
– whonixcheck: There is no general “Whonix Debian Version” anymore, because Whonix has been split into multiple packages that now all have their own version number. What whonixcheck can figure out is if the whonixcheck version is up to date and if there is a Whonix news file for that whonixcheck version. There is currently no notification for packages by the Whonix team in whonixcheck for packages other than whonixcheck for users who do not use Whonix’s APT repository.
– whonixcheck: check_virtualizer, no longer warn if Qubes (https://www.whonix.org/wiki/Qubes) is detected; improved output, improved html tags
– anon-shared-build-apt-sources-tpo: updated The Tor Project’s apt signing key as per https://trac.torproject.org/projects/tor/ticket/12994#comment:9
– whonixcheck: refactoring, use /usr/lib/msgcollector/striphtml rather than sed in usr/lib/whonixcheck/check_tor_socks_or_trans_port
– added VPN_FIREWALL feature to Whonix-Gateway’s firewall https://www.whonix.org/blog/testers-wanted-vpn-firewall https://www.whonix.org/wiki/Next#Tunnel_Tor_through_VPN
– Whonix-Firewall: make variables overwritable by the /etc/whonix_firewall.d config folder
– Whonix-Firewall: renamed variable NON_TOR_WHONIXG to NON_TOR_GATEWAY
– added empty Whonix-Custom-Workstation
– Added extra log file /var/run/tor/log that won’t survive reboot. (Existing log file /var/log/tor/log that survives reboot will continue to exist.) And added necessary AppArmor rules. Thanks to @troubadoour who figured out the AppArmor rules (https://www.whonix.org/forum/index.php/topic,372.0/topicseen.html). This is useful, so whonixcheck can in future grep the log for clock specific warnings (https://github.com/Whonix/Whonix/issues/244).
– sdwdate: log time/date before and after running sclockadj
– swap-file-creator: timeout when reading from /dev/random
– when whonixsetup is automatically started, support automatically maximizing window in other terminals than konsole
– disable TCP-Timestamps (implemented #247)
– New alternative option name --install-to-root. This is an alternative to --bare-metal, since some users liked to use “--bare-metal in a VM”, which sounds like an oxymoron. Now we can talk about “using --install-to-root in a VM”.
– Drop all incoming ICMP traffic by default. All incoming connections are dropped by default anyway, but should a user allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should still be dropped to filter for example ICMP time stamp requests.
– Removed geoclue-ubuntu-geoip and geoclue from anon-banned-packages because those are not evil by definition, those are only providing an API. Not allowing them to be installed would not allow users installing gnome-desktop-environment.
– vbox-disable-timesync: added compatibility with Debian jessie
– whonix-gw-firewall: Added 10.0.2.2/24 to NON_TOR_GATEWAY and LOCAL_NET to prevent spamming syslog with: host dhclient: DHCPREQUEST on eth0 to 10.0.2.2 port 67 | host dhclient: send_packet: Operation not permitted
– rads: made compatible with systemd / debian testing by adding tty1 autologin drop-in config
– tb-updater: update tbb version url as per https://trac.torproject.org/projects/tor/ticket/8940#comment:21
– tb-updater: compatibility with new recommended tbb versions format as per https://trac.torproject.org/projects/tor/ticket/8940#comment:28
– tb-updater: Whonix’s Tor Browser updater: download from torproject’s clearnet domain instead of torproject’s onion domain by default, because the onion domain is too slow/can’t handle the load. Downloading from the onion domain is possible using --onion.
– tb-updater: break when endless data attack is detected (max file size 100 MB for torbrowser, 1 MB for other files)
– anon-ws-disable-stacked-tor: Set environment variable "export TOR_SKIP_CONTROLPORTTEST=1" to skip TorButton control port verification as per https://trac.torproject.org/projects/tor/ticket/13079. Will take effect as soon as The Tor Project merges the TOR_SKIP_CONTROLPORTTEST patch.
– sdwdate: curl, use --head rather than --include as per https://github.com/Whonix/Whonix/issues/315
– sdwdate: Breaking change: pool variable names were renamed. SDWDATE_POOL_PAL, SDWDATE_POOL_NEUTRAL, are now called SDWDATE_POOL_ONE, SDWDATE_POOL_TWO, SDWDATE_POOL_THREE. If you were using custom pools, you should update your config according to the new variable names. As per https://github.com/Whonix/Whonix/issues/310.
– sdwdate: no longer using pal/neutral/foe pool design. Using three pools instead, that only contain servers of the type “pal”. As per https://github.com/Whonix/Whonix/issues/310. Thanks to https://github.com/HulaHoopWhonix for suggesting it.
– uwt: all temporary files are now in /tmp/uwt
– anon-base-files /usr/lib/pre.bsh: all temporary files are now in /tmp/prepost
– whonixcheck / sdwdate / timesync / tb-updater / whonix-repository / control-port-filter: fix, clean up temporary files/directory
– whonixcheck / timesync / update-torbrowser: correct exit codes on signal sigterm and sigint
– whonixcheck / timesync: output
– whonix-gw-kde-desktop-conf: no longer use custom wallpaper (mountain mist) for Whonix-Gateway. Only use wallpapers from Debian repository for security reasons. (https://github.com/Whonix/Whonix/issues/318) Will now default to KDE’s default wallpaper. (Thanks to https://github.com/HulaHoopWhonix for suggesting it)
– build script: Added deletion of /boot/grub/device.map for VM builds during build process to prevent hard drive serial of build machine leaking into image. System also boots without /boot/grub/device.map. https://github.com/Whonix/Whonix/issues/249
– build script: verifiable builds: now using fixed disk identifiers to make verification easier
– build script: updated frozen repository
– build script: improved error handling, when error is detected, wait until builder presses enter before cleanup and exit to make it simpler to read error messages when building in cli
– build script: whonix_build now acts differently for --clean option depending on --virtualbox, --qcow2 and --bare-metal
– build script: removed Whonix’s grml-debootstrap fork, because Whonix’s patches were merged upstream
– build script: Renamed “img” to “raw”, because “img” was a poor name for raw images.
– build script: made variables overrideable by build config
– build script: set DEBUILD_LINTIAN_OPTS to "--info --display-info --show-overrides --fail-on-warnings", to show more verbose lintian output and to break the build should lintian find an error such as a syntax error in a bash script
– build script: Workaround for a bug in kpartx, which fails to delete the loop device when using very long file names as per https://www.redhat.com/archives/dm-devel/2014-July/msg00053.html
– build script: implemented --testing-frozen-sources, installs from Debian testing frozen (snapshot.debian.org) sources. This is useful for compatibility test of Whonix’s Debian packages with Debian testing. There is no official support for Debian testing.
– build script: Use SAS rather than SATA as virtual hard disk controller for VirtualBox hdds to work around a VirtualBox upstream bug that causes filesystem corruption on high disk I/O (https://www.virtualbox.org/ticket/10031). Thanks to @Neurodrive for the bug report (https://github.com/Whonix/Whonix/issues/274).
– whonix-repository tool, anon-shared-build-apt-sources-tpo, anon-apt-sources-list: use wheezy rather than stable as per https://www.whonix.org/forum/index.php/topic,445.msg3640.html
– build script: makefile: added new feature “make deb-chl-bumpup” – Bump upstream version number in debian/changelog.
– build script: added support for --vram, --vmram, --vmsize switches
– build script: added --file-system (var: whonix_build_file_system)
– build script: added --hostname (var: whonix_build_hostname)
– build script: added --os-password (var: whonix_build_os_password)
– build script: added --debopt (var: whonix_build_debopt)

The post Whonix Anonymous Operating System Version 9 Released! appeared first on Whonix.
