[Whonix-devel] [qubes-users] Valid Concerns Regarding Integrity of Whonix Project

Patrick Schleizer patrick-mailinglists at whonix.org
Tue Feb 19 20:56:00 CET 2019

qubes-fan at tutanota.com:
> Feb 16, 2019, 4:08 AM by xaver at protonmail.com:
>> Sent with ProtonMail Secure Email.
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Friday, February 15, 2019 10:58 PM, <> qubes-fan at tutanota.com <mailto:qubes-fan at tutanota.com>> > wrote:
>>> Dear Patrick,
>>> I appreciate your answer and understand your point of view. On the other side, the issue raised by the law in Australia (and GCHQ asked for that too, like the request of ghost user in all the "encrypted" conversations) is an important security concern and should be taken into consideration in the thread/trust model not only with Whonix, but with all the HW, SW, infrastructure and personnel. As of today, it is not.
>> While this threat is certainly a concern it is nothing new. Although new in Australia, many other countries have had similar laws and/or don't have any laws that would prevent the govts from forcing a person to do pretty much what ever they want. With ever evolving threats it would be near impossible to keep up. Once a mitigation is found for one, two more emerge. How do you combat adversaries that have near unlimited resources? Trust model/concerns have been considered in > https://www.whonix.org/wiki/Trust <https://www.whonix.org/wiki/Trust>> . (Has anyone bothered to read it?)
> I am not talking about magical 100% protection or 10$-wrench-decryption. I believe this attack is different by its implications and consequences. Sure many govs using different methods today, many of which are but un-lawfull. Doing this can ruin any case be it getting to the court. By having these laws in place, like the ones in Australia, this attack yesterday unlawful, is lawful today. This has high consequences. To ruin any project today it is enough that they come and ask you for your keys, or ask to plant a backdoor. If not, you go to jail. Project is over, perfectly fit with law. Yesterday it wasn't possible so simply, they had to be on border with or cross the law, considering morality of the dev constant.

It's trying to establish security by policy. What is that policy? If you
want to do something, you need to be serious about it. Of course such a
policy shouldn't have logical contradictions.

- Everyone residing in countries with laws that can force someone to add
backdoors must be ostracized.
- Obey the white listed destination country list. It is forbidden to
travel to countries with laws that can force someone to add a backdoor.
- Everyone who got caught traveling to such a country must be ostracized.
- Anonymous development is banned in our project.
- Everyone must regularly post proof of physical location.

If you'll see such a concept/policy in theory or even in effect in
practice somewhere, let me know. Will be interesting.

The problem is, that there's not even need for obvious backdoor code
that describes how a third party can break it using authentication.

Every remote code execution vulnerability can also be used as backdoor.
If you look at the Obfuscated C Code Contest, how subtle innocent
looking mistakes can make the difference between secure code and a backdoor.

Therefore, ban all developers from countries with laws that can force
someone to add backdoors from all projects such as Linux, Firefox, etc.?

Let's assume the "countries with laws that can force someone to add a
backdoor" issue is solved for a moment: Please also, give me the
ultimate guide to establish who's trustworthy and who isn't. The
ultimate guide to human relationships. How to vet someone's
trustworthiness. In a clear, comprehensible, replicable, objective way.

I heard that secret services and scientology are pretty good at choosing
their members with the goals of avoiding infiltration, leaks, dissent
and backdoors? Do you suggest Libre Software organizations should be
structured the same way? I guess if one wanted to be serious about
security by policy, they would have to?

>>> Existing thread models are currently not considering this form of attack. Same way as the existing thread models, including those of Qubes, TAILS, Whonix and others, are not covering the thread of being forced on the border to GB or US to hand over all the keys to all your digital devices under the thread of imprisonment. There is no Hidden OS functionality mentioned, and no known development in this area, even the thread exists and ppl are already successfully exploited by these attacks.
>> If anyone can come up with a mitigation to an adversary putting a gun to a developers head and asking nicely for their private key - id like to hear it. How exactly does someone overcome an impossible situation? How do you you cover a - do as is say or die- threat model? Holy shit! It was here all along! > https://www.whonix.org/wiki/Trust#Free_Software_and_Public_Scrutiny <https://www.whonix.org/wiki/Trust#Free_Software_and_Public_Scrutiny>
> As an example, if developer is anonymous, one can point gun at his own head only. This should be part of the thread model, mitigations and contingency plans. You are again trying to find 100% solution for everything, and if not available, you call it impossible situation. It is possible situation and must be analyzed separately from other threads with different characteristics.

So should pseudonymous developers be more trusted than those who's
country location is known?

Pseudonymity comes with its own set of issues.

Who trusts pseudonymous developers? How you'd even know in which country
they reside?

Never meet anyone in real life whatsoever to discuss the project.

Typing would be the only form of communication.

As a developer it's required to express oneself frequently and in large
volumes in text as well as in code. This makes one vulnerable to
stylometry. Meaning, no non-pseudonmous publications (something to make
a living) on the side to avoid being linked to the pseudonymous project.

Inability to host one's own website since. Super hard anonymously.
Customers who are anonymous are widely unwanted in most places. Payments
with anonymous currencies little supported. There's laws there such as
imprint obligation and GDPR publication of name and Address of the
controller which one would have to break to stay pseudonymous.

Also inability to receive donations (mostly just crypto currencies) or
breaking the tax code. Or receive crypto currency donations, do the
proper accounting but hope it won't break anonymity when doing so?

You'll never know if "they" already know who you are. So if you get
politely ask to cease all development or if you simply disappear, no one
will even know what is going on. Totally outside of public eye.


If that is the standard by which Linux, Firefox, etc. should be
developed, good luck.

> But the sec projects like Qubes, TAILS and similar, don't have it in their description. They are supposed to be resistant to the threads, mentioned in their thread model.

When did anyone's threat model include that? Citation?

> To use torture, murder or any other violent or unlawful measures, (to get the same effect as following Ausie law today), needs completely different attacker's determination, very different and rare, highly specialized resources to do that job, and there is much lower probability for this measure to be executed in real life. How many sec devs were tortured and killed this year, because they denied to hand over their keys?
> To execute the attack today with law in hand is incomparably simpler, with the same or even higher effect. It needs incomparably much less determination from the attacker, largely available, non-specialized resources can be used to do the job, and so the probability to execute the attack is much higher too. 

What countries remain nowadays which are strongly determined to the rule
of law, checks and balances, cracking down on corruption and unlawful

We're running out of countries.

I doubt that violence is required. You're asking developers to stand
against an virtually, for all practical purposes, all powerful entity.
Many developers are just people who like to build and share things.
You're expecting them at the same time to be solid as rock against all
non-violent psychological attacks. I bet this is totally unrealistic.

What would most developers do if they get invited and friendly asked "we
don't like what you're doing, can you stop please?" by the government?
"Btw we've better paid job for you." "No need to into any possibilities
what might happen if you refuse."

They have a variety of non-physically violent buttons they can press
that will make someone's life hell.

If it failed to resist the government by preventing such a law being
passed, why assume fewer people are capable to resist the government in
application of even non-violent unlawful practices?

Wouldn't be surprising at all if similar laws will be passed in other
countries as well. Things will probably get worse before they get
better, if ever.


More information about the Whonix-devel mailing list