Qubes-Whonix DisposableVM documentation created

Before we had just a stub. Now Qubes-Whonix DisposableVMs are fully documented thanks to contributions by the community. (wiki history)

What are DisposableVMs?

Under the Qubes TemplateVM model, any changes made to a TemplateBasedVM’s root filesystem are lost upon reboot. This is advantageous for several reasons: it allows centralized (and therefore faster) updates for (most) applications inside the root filesystem, and it saves time and disk space.

However, certain directories are designed to persist between reboots in order to store files and settings. These directories are stored in /rw/ and include /home/user as well as additional directories defined by “bind directory” settings.
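The persistence rule described above can be checked from inside a VM by looking at which device backs a path. The following is an added example, not part of the original post or of Qubes itself; the mount table is a constructed sample, and the device names and the bind directory /var/lib/example are assumptions for illustration.

```python
import os

# Constructed sample of /proc/self/mountinfo from a TemplateBasedVM.
# Assumptions: private volume /dev/xvdb mounted at /rw; /home and one
# hypothetical bind directory (/var/lib/example) are bind mounts from it.
SAMPLE_MOUNTINFO = """\
20 0 253:0 / / rw,relatime - ext4 /dev/mapper/dmroot rw
25 20 202:16 / /rw rw,relatime - ext4 /dev/xvdb rw
26 20 202:16 /home /home rw,relatime - ext4 /dev/xvdb rw
27 20 202:16 /bind-dirs/var/lib/example /var/lib/example rw,relatime - ext4 /dev/xvdb rw
28 20 0:20 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""


def parse_mountinfo(text):
    """Return [(mount_point, 'major:minor')] in file order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "-" not in fields:
            continue  # blank or malformed line
        # Field 3 is the device number, field 5 the mount point;
        # the kernel escapes spaces in paths as \040.
        mounts.append((fields[4].replace("\\040", " "), fields[2]))
    return mounts


def covering_mount(path, mounts):
    """Longest mount point that is a path-component prefix of `path`."""
    path = os.path.normpath(path)  # lexical only, symlinks are not resolved
    best = None
    for mount_point, dev in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, dev)  # later mounts shadow earlier ones
    return best


def is_persistent(path, mounts, private_mount="/rw"):
    """True if `path` is backed by the same device as the private volume."""
    private_dev = dict(mounts).get(private_mount)
    hit = covering_mount(path, mounts)
    return private_dev is not None and hit is not None and hit[1] == private_dev


if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    for p in ("/home/user/.profile", "/etc/hosts", "/var/lib/example/state",
              "/tmp/scratch", "/homework"):
        print(p, "persistent" if is_persistent(p, mounts) else "lost on reboot")
```

To run it against a live VM, pass the contents of /proc/self/mountinfo to `parse_mountinfo` instead of the sample.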

To ensure that all changes to the filesystem are discarded after a session, Qubes offers DisposableVMs. When a DisposableVM is shut down, the VM is removed from Qubes and all related VM images are deleted from the host filesystem.

What is a Whonix-Workstation DisposableVM?

As the name suggests, this is a Qubes DisposableVM template based on the Whonix-Workstation. This allows Qubes-Whonix users to create throw-away instances of their Whonix-Workstation.

Why Should I Consider Using a Whonix-Workstation DisposableVM?

Whonix-Workstation DisposableVMs:

  • Are quickly generated;
  • Are disposed of (deleted) when the user has finished browsing and other activities in a single session; and
  • Will not remember any of the user’s activities across DisposableVM sessions, unless customized.

The major benefit of this approach is that the Whonix-Workstation DisposableVM can be created in order to host a single application – usually the Tor Browser – mitigating the risk that a compromise of the browser will affect any of your other VMs.

Critically, a Tor Browser exploit will not affect (poison) later instances of the Tor Browser running in a subsequent DisposableVM session, because the DisposableVM is always started in its original state.

Can I Customize Whonix-Workstation DisposableVMs?

Yes. For advanced users, the instructions include steps to create a customized savefile that will remember specific changes, such as personalized Tor Browser settings. Due to concerns over possible fingerprinting issues, users should carefully read the wiki warnings before proceeding on this course of action.

Can I Easily Add DisposableVM Entries to the Qubes Menu?

Not yet for Qubes R3.2 XFCE 4, but you can edit existing DispVM start menu entries and desktop shortcuts can be created.

What Else Should I Know?

Due to a few usability issues affecting anonymity, do not use Whonix-Workstation DisposableVMs until:

  • You understand Whonix-WS DisposableVMs are NOT yet amnesic; and
  • Have carefully read and understood the available Qubes-Whonix DisposableVM documentation.

Alternatively, you may wish to wait for Qubes 4.0 before you start using Qubes DisposableVMs, due to significant enhancements planned for the later release.

This blog post was written by torjunkie.

don’t apt-get dist-upgrade for now – wait for workaround – CVE-2016-1252

Update, see:

* https://www.whonix.org/wiki/CVE-2016-1252
* https://forums.whonix.org/t/how-to-upgrade-debian-whonix-etc-without-being-compromised-by-cve-2016-1252

Short: Don’t ‘apt-get dist-upgrade’ for now, until a workaround has been published.

We are currently discussing this Debian apt-get security issue.

This blog post will later be updated. Another security advisory blog post will be published later.

Testers Wanted! Tor – Stable Upgrades

Tor was updated to in Whonix stable-proposed-updates as well as in testers repository.

Instructions for changing Whonix repository:

Then just do an update:

accessibility tools could be automatically removed / you probably should remove them

If you do not use any accessibility tools (gnome-orca, espeakup, console-braille, florence, dasher, kdeaccessibility, kvkbd, kmousetool, kmag, kmouth, jovie, xbrlapi, festival, qt-at-sp), you will not miss anything. (You would probably know if you are using them.)

Soon, there will be a Whonix stable upgrade. The package whonix-gateway-shared-packages-shared-meta will no longer depend on anon-shared-kde-accessibility. This means, when you run `sudo apt-get purge kdeaccessibility && sudo apt-get autoremove` after the upgrade, these accessibility packages will be automatically removed.

Non-Qubes-Whonix only: brltty should be removed, since it currently is causing a performance issue.

Otherwise, if you just want to remove brltty, use `sudo apt-get purge brltty`. If you want to keep almost all of them, or all except those you manually uninstalled, you can use `sudo aptitude keep-all`.

If you want these installed, you are still very much free to have them installed. Just install them the usual way.

This is because those have some issues.

Can these packages also be uninstalled before the Whonix stable upgrade? – Due to technical limitations, this is not that easy. However, it is documented here:

Non-Qubes-Whonix only: If you just want to stop the brltty syslog spam, you could use the following workaround to reliably stop it.

sudo systemctl stop brltty
sudo systemctl mask brltty

riseup.net likely compromised

riseup.net, a popular service provider among privacy and activist circles, tweeted an obscure reference about birds, which likely refers to their warrant canary, which hasn’t been renewed since August.

I have looked through their whole twitter media history and they never posted pictures of birds with quotes difficult to interpret.

What is a canary? Quote:

A mechanism to test for unsafe conditions, originating from the use of canaries in coal mines to detect poisonous gases or cave-ins. If the canary died, it was time to get out of the mine. More recently, the term has been used by some online service providers to refer to an affirmative statement, updated regularly, that the provider has not been subjected to certain legal processes. If the statement is not updated in a timely fashion, users may infer that the canary statement may no longer be true.

This was followed by a confusing update which could be read as reassurance. It could also be interpreted as a sign of being threatened with incarceration and being forced to keep the site up, and as a reminder to archive stuff immediately because of an impending shutdown.

Compare this with past similar concerns, where riseup staff were prompt and direct about renewing their canary. No clear response was given, so it’s logical to conclude that the servers may not be under their control any longer.

Why does it matter?

While the threats of using conventional email providers are well understood and apply regardless of who operates the service, taking over a server gives surveillance the power to actively compromise users’ machines en masse or to target select individuals.

For alternatives, see our wiki page about e-mail.

Tor / whonixcheck Stable Upgrades – Testers Wanted!

Tor was updated to and whonixcheck was updated to 3:4.6.4-1 in Whonix stable-proposed-updates as well as in testers repository.

Instructions for changing Whonix repository:

Then just do an update:

inchain – insurance from BTC / ETH losses

This is a sponsored blog post.


Inchain is a decentralized insurance platform. It is based on Ethereum smart contracts.

Digital cash (crypto currencies) such as Bitcoin, Ethereum and Monero comes with many advantages over the fiat money system. Banks cannot arbitrarily inflate the supply, transactions are harder to censor, transaction costs are very low and international transactions are very fast. However, there are some disadvantages, chiefly security. Once money is lost due to a hacked exchange, there is no bank to bail one out. One popular way to obtain digital cash is through exchanges.

Mt. Gox was an exchange. People could trade fiat currency for Bitcoin there. Mt. Gox is also probably the most famous example of a failed exchange. It got hacked. Thousands of coins were stolen. The customers of Mt. Gox still have not got their money back. Lots of other exchanges were hacked as well.

So until now the best advice is to not park too much money on exchanges: not more than one can afford to lose. This makes the whole process of acquiring digital currencies tiresome. This is where inchain comes in.

The idea behind inchain is,

Wouldn’t it be a great idea to insure my balance on exchanges for a premium?

Customers of inchain will be able to purchase a premium to insure their balance on supported exchanges. Should an exchange be compromised and the users of that exchange lose money, then inchain will compensate the customers who bought their insurance.

The following mechanisms maintain the financial stability of the platform:

•  Inchain transfers risks to investors by issuing insurance-linked bonds. Investors take on the underlying risks and receive coupons as rewards.

•  The insurance funds are managed by token holders, who choose investment strategies through voting. Investment returns are spent on bond coupons and then dividends are paid to token holders.

The inchain team is currently running an initial coin offering (ICO). By participating one becomes a shareholder of the platform that has voting rights and is eligible for dividends.

For more information, see:

Tor Onion Services as Anti-DDoS Protection

The more widely known feature of Onion Services besides anonymity is the free and trustworthy end-to-end encryption they provide which is impossible to have under the Certificate Authority racket.

Another interesting property is that they can serve as a drop-in Global Server Load Balancing and Layer 3 DDoS-resistance solution. In short, a free and libre CDN alternative to tyrants like Cloudflare. It can protect your site without compromising on principles like complete and unhindered access for your users and readers.

This was recently brought up by network scaling engineer Alec Muffett, who contributed much code to make it possible to run heavy traffic Onion Sites.

Advanced Deanonymization Attacks

The following are a number of advanced deanonymization attacks. These do not just apply to Whonix, but to any anonymity system. Some are also general security issues.

Rather than exploiting bugs in the hypervisor to break out, some of these attacks rely on the design of the underlying hardware to bypass privilege separation boundaries and extract (or leak) sensitive information to the network. No need for alarm, there are many qualifications to this and details in the listed tickets on proposed countermeasures. We are interested in cooperation to better assess the performance impact of the planned fixes.

  • Keystroke Deanonymization: T542
  • Advanced Attacks Meta ticket: T540
    • CPU-induced latency Covert Channel: T530
    • Cross-VM cache attacks countermeasures: T539
    • DRAMA: Exploiting DRAM Addressing for Cross-CPU Attacks: T541
    • TCP ISNs and Temperature induced clock skews: T543


Qubes-Whonix TemplateVMs – Testers Wanted!

Qubes-Whonix only!

Ideally for this testers wanted task, start fresh. Rename or delete both Whonix VMs sys-whonix and anon-whonix, reinstall whonix-gw and whonix-ws Qubes-Whonix templates. See the following instructions. Note: use qubes-dom0-unstable rather than qubes-templates-community then recreate Whonix VMs.


(The following command deviates from the above instructions so you install the testers rather than stable Whonix templates.)

sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable qubes-template-whonix-gw qubes-template-whonix-ws

After template re-installation, to re-create Whonix VMs you can use the following command in Qubes dom0 using salt (not yet mentioned in Qubes documentation).

sudo qubesctl state.highstate

(Or you can also upgrade from Whonix jessie-proposed-updates and testers repository. Dedicated blog post and more information on this upgrade: