[Whonix-devel] [qubes-users] Valid Concerns Regarding Integrity of Whonix Project
patrick-mailinglists at whonix.org
Fri Feb 15 09:19:00 CET 2019
* I was advised in private e-mail by @mig5 about this new law before
it took effect, and @mig5 offered to step aside because of
it. It was my decision not to change anything. Below I will explain
* I might have reacted in a better way by proactively discussing this
subject in public, but that is really hard without nonproductive
discussions and without badmouthing @mig5 in unintended ways.
* @mig5 doesn't moderate Whonix's forums. That thread wasn't deleted
* I've not researched that Australian law, and I'd like to avoid it. If
I had to bet, I guess their interpretation is reasonable. For the
practical purposes explained below, it wouldn't matter.
* From a security enthusiast perspective it's a reasonable question.
No one or only a few have the complete picture.
* The issue with one asking this question is the hidden presuppositions
* The presupposition is that the server location is somehow secure.
** That's not true.
** Assume a regular commercial server host.
** I don't know any people working there.
** I couldn't even find the place without navigation software.
** Just because it's from the Whonix project doesn't mean server
security is magically a lot better than the server security of, let's say,
Facebook. (And these are even known to have a front- and backdoor.)
* Regarding the server, it's easy to demand better security. Easy to
demand that I pay for it rather than using a sponsored server, or to
demand other security enhancements. I'd be happy to do all of this,
but then please also provide reliable funding for it.
* We have a wiki page dedicated to explaining all the attack vectors that
are related to the risks introduced since we are forced to trust
* Whonix, same as Qubes, operates already on the assumption that the
infrastructure is compromised.
** The wiki page has a chapter "Should I Trust This Website?". The
short answer is "no".
** Similarly the Qubes project has a chapter "What does it mean to
'distrust the infrastructure'?"
** If a server administrator (such as mig5) were compelled to replace
a Whonix download, the OpenPGP verification of the file (iso, ova or
libvirt image) would fail (when using the project OpenPGP signing key
for OpenPGP signature verification).
** If a server administrator were compelled to also replace the OpenPGP
signature of that file, all the usual rules would apply: users should
verify the validity of the OpenPGP key by looking for it published in
different places, etc. This is the same advice the Qubes project
provides for its ISOs.
** The Whonix server doesn't host the source code. A server
administrator cannot "insert code" into the Whonix project.
** GitHub is an organization with many Australian engineers. The same
threat applies there - perhaps even more so, in that Australian
engineers could be coerced into modifying git repository data directly
- not just of Whonix, but Qubes too - and be unable to even tell their
** In such a situation, the threat of coercion or interference is
indeed real. The protection against that seems to be all the usual
things: cryptography, 'many eyes', etc.
** The same argument could be made against developers, server
administrators or similar from the USA and perhaps other countries as well?
** The UK has the Investigatory Powers Act; similar?
** The Tor Project might have Australian developers and/or server
administrators, too? The point is that if you go down that road, there
really is no end. Whonix is not special in this regard.
* As bad as that new law might be, I don't see that anything relevant
** Whatever circumstances do apply to @mig5 now, might have applied to
@mig5 before that new law as well.
** Even without that law directly applying to me, and while I've never
been in any territory of the USA, and while their laws may formally
not apply worldwide, USA laws are enforced worldwide. And as a
non-USA citizen even outside of the USA, legal defense is even more
difficult than for a USA citizen inside the USA.
* What I witnessed over time is that many users assume that security
focused projects are already very mature in all aspects and nothing
much needs to be done. This assumption is wrong.
** We don't have reproducible / deterministic builds; we don't have
automatic verification of deterministic builds; our repositories
aren't using multisig.
** We could use more code reviewers, auditors, unit tests, automated
tests, and whatnot.
** We don't have a volunteer server admin.
** Port the Whonix package build process to the Qubes package build process.
** See also our FAQ entry "Is the Linux User Experience Comparable to
Commercial Operating Systems?"
** I'd like to tackle all of these issues.
* I am not really eager to build Whonix packages, Non-Qubes-Whonix
downloads, maintain whonix.org server, hold Whonix signing keys.
** Fun: development, source code, testing, design, answering good
** Not so much fun but necessary: legal, funding, server, releases,
uploads, signing keys, announcements
Meaning: Please contribute - then everything can be improved.
I'd be happy to hand over upload rights / package builds / server
administration to a more qualified organization that is strong in
legal defense, computer security and reliable funding. But at the
moment, I don't see anything like that emerging.
Some US laws apparently apply worldwide.
* Kim Dotcom, a German/Finnish dual national, permanent resident of and
physically present in New Zealand at the time of the copyright
infringement alleged by the USA, had his assets seized, worldwide bank accounts
frozen, was arrested and may be extradited to the USA; ongoing legal proceedings.
* US sanctions laws apparently apply worldwide, including to non-US
citizens outside of US territory. A Chinese citizen was arrested during a
flight layover in Canada by Canadian authorities to be extradited to
* Ulrich Wippermann, German citizen, apparently resident in Germany at
the time, employed by a company, did not break any German laws.
Nevertheless, he got put on a US restricted persons blacklist, in resul
* lost his job in a leading position,
* could not find a new job in a leading position because employers
* got his bank accounts and credit cards terminated,
* got denied an Apple phone from its mobile carrier,
* got denied shipping services.
* Comment: Given the publicly available information, he had a higher
income than most people. Yet he unfortunately either did not attempt,
or failed, to defend himself using the legal system against harassment
inside Germany. Rather, he unfortunately either did not attempt, or
failed, or didn't have any option, to use the legal system to force
his removal from the blacklist. This is not a criticism of his person.
This is a criticism of the unfairness of the legal system. If he can't
defend himself using the legal system, what are the chances that
people with less income can?
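The two download scenarios in the message (the server replaces the image, or replaces both the image and its signature) come down to what a verifier does with gpg's result. The following is an added example, not Whonix or Qubes project code: it turns the machine-readable output of `gpg --status-fd 1 --verify image.iso.asc image.iso` into an accept/reject decision by pinning the project key's fingerprint, and it also goes beyond the text by rejecting expired or revoked signing keys. The fingerprints and status lines are constructed placeholders, not the real project key or real gpg output.

```python
# Added example, not Whonix project code: decide whether a downloaded image
# may be trusted from gpg's status output (stdout of
#   gpg --status-fd 1 --verify image.iso.asc image.iso).
# Fingerprints below are constructed placeholders, not the project key.

# Project key fingerprint(s), collected out of band from several independent
# places and compared by hand before pinning (placeholder value).
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

def verdict(status_lines, pinned=PINNED_FINGERPRINTS):
    """Return (accepted, reason) for a list of '[GNUPG:] ...' status lines."""
    seen_fprs = []
    for line in status_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "BADSIG":  # file no longer matches the signature
            return False, "BADSIG: file modified or signature swapped"
        if tag == "NO_PUBKEY":  # signed by a key we never imported
            return False, "NO_PUBKEY %s: unknown signer" % fields[2]
        if tag in ("EXPKEYSIG", "REVKEYSIG"):
            return False, "%s: signing key expired or revoked" % tag
        if tag == "VALIDSIG":
            # fields[2]: signing (sub)key fingerprint; fields[11], when
            # present: primary key fingerprint.
            seen_fprs.append(fields[2].upper())
            if len(fields) >= 12:
                seen_fprs.append(fields[11].upper())
    if not seen_fprs:
        return False, "no VALIDSIG: nothing was verified"
    if any(f in pinned for f in seen_fprs):
        return True, "VALIDSIG from pinned project key"
    # GOODSIG/VALIDSIG only say the signature is mathematically valid; an
    # attacker's own key over a tampered image also reaches this point.
    return False, "VALIDSIG from unpinned key %s" % seen_fprs[0]

# Constructed sample status lines for the cases discussed in the mail.
GOOD = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLES = {
    "intact": ["[GNUPG:] GOODSIG %s Example Project <release@example.invalid>" % GOOD[-16:],
               "[GNUPG:] VALIDSIG %s 2019-02-15 1550222340 0 4 0 1 10 01 %s" % (GOOD, GOOD)],
    "file_replaced": ["[GNUPG:] BADSIG %s Example Project <release@example.invalid>" % GOOD[-16:]],
    "signature_replaced": ["[GNUPG:] GOODSIG %s Someone Else <other@example.invalid>" % OTHER[-16:],
                           "[GNUPG:] VALIDSIG %s 2019-02-15 1550222340 0 4 0 1 10 01 %s" % (OTHER, OTHER)],
}
```

A GOODSIG line alone is not a reason to trust the image; only a VALIDSIG whose fingerprint matches the pinned one is, which is exactly the "verify the key in different places" step the message refers to.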