Actions

Host Operating System Selection


Windows Hosts[edit]

Windows as Malware[edit]

The Free Software Foundation is scathing in its analysis of Windows, due to the threats posed to user freedoms, privacy and security. Regardless of the version being used, the FSF classifies Windows as "malware", that is, software that is designed to function in ways that mistreat or harm the user. [1] [2]

Windows Backdoors and User Freedoms[edit]

Windows Insecurity[edit]

The suppostion that proprietary software is free of grave bugs is demonstrably false. In fact, the popularity of Windows platforms on desktops actually increases the risk, as attackers target the near monocultural operating system environment with regularity, for example:

Windows Sabotage[edit]

These are Microsoft technical actions that harm users of specific hardware or software:

Windows Interference[edit]

Microsoft often releases proprietary programs or updates that destabilize or reduce the utility of the user's system:

Windows Surveillance[edit]

Other Windows Abuses[edit]

Windows Analysis[edit]

Forfeited Privacy Rights[edit]

By now the reader should be convinced that just by using any version of Windows, the right to privacy is completely forfeited. Windows is incompatible with the intent of Whonix and the anonymous Tor Browser, since running a compromised Windows host shatters the trusted computing base which is part of any threat model. Privacy is inconceivable if any information the user types or downloads is provided to third parties, or programs which are bundled as part of the OS regularly "phone home" by default.

Inescapable Telemetry[edit]

The fact that there is no way to completely remove or disable telemetry requires further consideration. For instance, non-enterprise editions do not allow a user to completely opt-out of the surveillance "features" of Windows 10. Even if some settings are tweaked to limit this behavior, it is impossible to trust those changes will be respected. Even the Enterprise edition was discovered to completely ignore user privacy settings and anything that disables contact with Microsoft servers.[3]

Any corporation which forces code changes on a user's machine, despite Windows updates being turned off many times before, is undeserving of trust. [4] [5] [6] [7] [8] Windows 10 updates have been discovered to frequently reset or ignore telemetry privacy settings.[9] Microsoft backported this behavior to Windows 7 and 8 for those that held back, so odds are Windows users are already running it.

Windows Insecurity[edit]

Ignoring for a moment its own built-in malware, Windows is a pile of legacy code full of security holes that is easily compromised. Microsoft's willingness to consult with adversaries and provide zero days before public fixes are announced logically places Windows users at greater risk, especially since adversaries buy security exploits from software companies to gain unauthorized access into computer systems. [10] Even the Microsoft company president has harshly criticized adversaries for stockpiling vulnerabilities that when leaked, led to the recent ransomware crisis world-wide.

Microsoft updates also use weak cryptographic verification methods such as MD5 and SHA-1. In 2009, the CMU Software Engineering Institute stated that MD5 "should be considered cryptographically broken and unsuitable for further use". [11] In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature. [12]

Windows is not a security-focused operating system. Due to Microsoft's restrictive, proprietary licensing policy for Windows, there are no legal software projects that are providing a security-enhanced Windows fork. On the other hand, in the Linux community there are multiple Libre Software Linux variants that are strongly focused on security, like Qubes OS.

Windows Software Sources[edit]

Before Windows 8, there was no central software repository comparable to Linux where users could download software safely. This means a large segment of users remain at risk, since many (if not most) Windows users are still running Windows 7. [13]

On the Windows platform, a common way to install additional software is to search the Internet and install the relevant program. This is risky, since many websites bundle software downloads with adware, or worse malware. Even if the user always downloads software from reputable sources, they commonly act in very insecure ways. For example, if someone downloads Mozilla Firefox from a reputable website like chip.de, [14] then the download would take place over an insecure, plain http connection. [15] In that case, it is trivial for ISP level adversaries, Wi-Fi providers and others to mount man-in-the-middle attacks and to inject malware into the download. But even if https is used for downloads, this would only provide a very basic form of authentication.

To keep a system secure and free of malware it is strongly recommended to always verify software signatures. However, this is very difficult, if not impossible for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) that are normally provided by software engineers in the GNU/Linux world. For this reason it is safe to assume that virtually nobody using a Windows platform is regularly benefiting from the strong authentication that is provided by software signature verification.

In contrast, most Linux distributions provide software repositories. For example, Debian and distributions based on Debian are using apt-get. This provides strong authentication because apt-get verifies all software downloads against the Debian repository signing key. Further, this is an automatic, default process which does not require any user action. Apt-get also shows a warning should the user attempt to install unsigned software. Even when software is unavailable in the distribution's software repository, in most cases OpenPGP / gpg signatures are available. In the Linux world, it is practically possible to always verify software signatures.

Libre Software Superiority[edit]

Based on the preceding section and analysis, users are strongly recommended to learn more about GNU/Linux and install a suitable distribution to safeguard their rights to security and privacy. Otherwise, significant effort is required to play "whack-a-mole" with Windows malware, which routinely subjects users to surveillance, limits choice, purposefully undermines security, and harasses via advertisements, forced updates, remote removal of applications without consent, and so on.

Open Source software like Qubes, Linux and Whonix is more secure than closed source software. The public scrutiny of security by design has proven to be superior to security through obscurity. This aligns the software development process with Kerckhoffs' principle - the basis of modern cipher-systems design. This principle asserts that systems must be secure, even if the adversary knows everything about how they work. Generally speaking, Libre Software projects are much more open and respectful of the privacy rights of users. Libre Software projects also encourage security bug reports, open discussion, public fixes and review.

macOS Hosts[edit]

In a similar vein to Windows platforms, there are also many problems with Apple operating systems including: [16]

  • Intentional backdoors allowing remote root privileges, wipes and deletion of applications.
  • Censorship of allowable programs like games, and media, political, bitcoin and health-focused applications.
  • An insecure design allowing execution of malicious code by applications and the extraction of a user's messaging history.
  • Forced system upgrades without user consent.
  • Imposing arbitrary limits on the use of software.
  • Bricking devices if fixed by an "unauthorized" repair shop.
  • Scanning user system files.
  • Failing to fix system security bugs and preventing users from taking manual steps to do so.
  • Bricking devices that had been unlocked without permission.
  • Deleting files from user devices that had been downloaded from sources competing with Apple companies.
  • Using biometric markers like fingerprints to allow devices to be used.
  • Sending lots of personal user information to Apple servers. For example, automatically uploading photos and videos used by certain applications, and sending unsaved documents and program files to Apple servers without permission.
  • Sending user search terms and location information to Apple.
  • Imposing digital restrictions mechanisms.
  • Preventing users from installing older versions of operating systems.
  • Designing user interfaces to make specific options hard to find and enable/disable.

See this write-up by the FSF for further detailed information. [17]

Recommendation[edit]

Based on the preceding sections and analysis, users are strongly recommended to learn more about GNU/Linux and install a suitable distribution to safeguard their rights to security and privacy. Otherwise, significant effort is required to play "whack-a-mole" with Windows and malware, which routinely subjects users to surveillance, limits choice, purposefully undermines security, and harasses via advertisements, forced updates, remote removal of applications without consent, and so on.

Open Source software like Qubes, Linux and Whonix is more secure than closed source software. The public scrutiny of security by design has proven to be superior to security through obscurity. This aligns the software development process with Kerckhoffs' principle - the basis of modern cipher-systems design. This principle asserts that systems must be secure, even if the adversary knows everything about how they work. Generally speaking, Libre Software projects are much more open and respectful of the privacy rights of users. Libre Software projects also encourage security bug reports, open discussion, public fixes and review.

GNU/Linux Hosts[edit]

A Free Software OS that respects user freedom is the only practical choice when it comes to privacy and security. It also comes with many advanced anti-exploit mechanisms built-in.

Use GNU/Linux on the host and only use in-repository software that is automatically gpg-signed and installed from the distributor's repositories by the package manager. This is far safer than downloading programs from the Internet like Windows users are required to do.

Recommended GNU/Linux Distribution[edit]


Interested readers can find a complete list of reasons to use Debian here. For instructions on downloading, verification and installation see Debian Tips.

Formerly, virtually any GNU/Linux distribution could be recommended in order to protect user privacy, however Ubuntu's history of data-mining makes it an unsuitable choice. [18] Ubuntu's February 2016 Privacy Policy allowed search terms entered into the dash to be sent to Ubuntu and selected third parties to "complement" search results, along with the IP address. This text has now been removed in the latest iteration of the document.

For other reasons not to use Ubuntu or Ubuntu-derived distributions, expand this section.

Ubuntu's paltry contributions to the upstream Libre projects they heavily rely on is a policy decision and not a coincidence. As stated by Canonical founder Mark Shuttleworth: "It is absolutely true we have no interest in the core fundamentals of the Linux kernel, none whatsoever." [19]

Canonical only bothers to majorly contribute in any way when forking significant projects; for example, Wayland into Mir, GNOME into Unity [20], and .deb packages incompatible with Debian because of zstd compression. [21] This appears to be a consistent attempt to fragment the software stack to lock in users and put pressure on competing distributions and vendors. [22] [23]

The Ubuntu Contributor License Agreement gives them complete power over patents that cover contributed code. Essentially they are granted the right to re-license this code under any license of their choice, including a proprietary one.

Ubuntu also has a history of treating staff in a hostile fashion. For example, the Kubuntu spin project lead was unilaterally removed without warning and contrary to wishes of his team members. [24] Canonical also pilfered donation funds originally meant for desktop spin projects (Kubuntu, Lubuntu and others). In Kubuntu's case, after funding was abruptly dropped, Blue Systems had to step in to save the popular project. [25] [26]

Canonical has also been applying an absurd intellectual property (IP) policy over packages in its repositories for years. This resulted in claims that Canonical owns the copyright over any binaries compiled by their servers. After the FSF stepped in and arranged a resolution over a period of two years, the policy was amended to state that Canonical’s IP policy cannot override packages with GPL licenses. However, this now means that any package with a permissive license is now copyrighted by Canonical. [27] [28]

Unfortunately, downstream forks based on Ubuntu cannot be relied upon either. For example, the popular Linux Mint distribution was threatened with being cut off from access to Ubuntu infrastructure unless they caved in to Canonical's binary licensing terms. [29] Since then, Linux Mint has developed a version based on Debian instead. Canonical's vague trademark and IP policy has become toxic for downstream distributions. Many have made the smart choice to re-base on Debian instead of Ubuntu over the years including Kali, Whonix [30] and others. [31]

A final major concern is Canonical's friendly relationship with Microsoft. This should make all GNU/Linux users uncomfortable, given Microsoft's strategy of "Embrace, Extend, Extinguish" with respect to Free Software. [32]

There are of course other options. See "Why don't you use <your favorite most secure operating system> for Whonix?" for analysis of alternatives.

References[edit]

  1. https://www.gnu.org/proprietary/malware-microsoft.en.html
  2. https://www.fsf.org/windows
  3. https://web.archive.org/web/20170609221304/https://forums.whonix.org/uploads/default/original/2X/0/004857ec71ff2e4b23c88bf596b6142373fe2879.jpg
  4. https://web.archive.org/web/20071011010707/http://informationweek.com/news/showArticle.jhtml?articleID=201806263
  5. https://archive.fo/LffTy
  6. http://arstechnica.com/information-technology/2015/07/windows-10-updates-to-be-automatic-and-mandatory-for-home-users/
  7. http://voices.washingtonpost.com/securityfix/2007/09/microsofts_stealth_update_come.html
  8. http://www.zdnet.com/blog/hardware/confirmation-of-stealth-windows-update/779
  9. https://community.spiceworks.com/topic/1535835-win-10-update-resets-privacy-again
  10. This is especially true for users of Tor, who are regularly targeted in this fashion.
  11. https://en.wikipedia.org/wiki/MD5#cite_note-11
  12. http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
  13. www.webcitation.org/6mgUAxhv9
  14. http://www.chip.de/downloads/Firefox-64-Bit_85086969.html http://www.webcitation.org/6mgUDIObc
  15. At the time of writing, chip.de still did not enforce https for its entire website.
  16. https://www.gnu.org/proprietary/malware-apple.en.html
  17. https://fix-macosx.com/
  18. https://fixubuntu.com/
  19. http://www.theinquirer.net/inquirer/news/2168086/canonical-linux-kernel
  20. https://ask.fedoraproject.org/en/question/25127/how-to-build-unity-in-fedora/
  21. https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Zstd-Deb-Packages
  22. http://mjg59.dreamwidth.org/25376.html
  23. http://www.linux-magazine.com/Online/Blogs/Off-the-Beat-Bruce-Byfield-s-Blog/Mir-vs.-Wayland-show-why-upstream-projects-matter
  24. https://kver.wordpress.com/2015/05/27/making-sense-of-the-kubuntucanonical-leadership-spat/
  25. http://www.pcworld.com/article/2998647/operating-systems/kubuntus-founder-resigns-accuses-canonical-of-defrauding-donors-and-violating-copyright.html
  26. https://lists.ubuntu.com/archives/kubuntu-devel/2012-February/005782.html
  27. https://www.fsf.org/news/canonical-updated-licensing-terms
  28. http://mjg59.dreamwidth.org/37113.html
  29. https://forums.linuxmint.com/viewtopic.php?t=152450
  30. Dev/Operating_System#Switch_from_Ubuntu_to_Debian
  31. https://mjg59.dreamwidth.org/45939.html
  32. http://www.zdnet.com/article/microsoft-and-canonical-partner-to-bring-ubuntu-to-windows-10/

License[edit]

Whonix Host Operating System Selection wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Host Operating System Selection wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.


Random News:

We are looking for help in managing our social media accounts. Are you interested?


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)