Computer Security Mental Model

From Whonix


Mental Model Overview

For computer security, it is crucial to have a rough mental model of how the computer works that approximates how it really functions on a technical level.

A lot of program code from various sources runs on the computer: some from necessarily trusted [1] vendors, other code from less trusted or untrusted sources. This is required to provide useful functionality for general computing. [2]

  1. When a computer that was fully powered off (no battery and no power cord connected) is powered on, the first thing that happens is hardware initialization, which is invisible to the user.
  2. The first thing the user can see during the boot process is the BIOS. Being able to visually recognize the BIOS is an essential skill.
  3. The next thing the user can see is the bootloader, for example GRUB on Linux.
  4. Skipping intermediary steps [3], the next thing most users will usually see is the operating system's desktop environment.
  5. The hardware and BIOS are ultimately trusted. [1]
  6. The operating system is highly trusted. [1] [4]
  7. Less trusted are applications such as web browsers, for example Firefox, Chrome or Tor Browser.
  8. Least trusted is content shown by applications, such as a website in a web browser.

Therefore, it is important to know which program code (application or program) usually [5] has permission to draw windows in which place.

The following image is legitimate.

Figure: VirtualBox virtual machine showing Whonix ™ Xfce with Tor Browser showing the DuckDuckGo website


The following image is an example of a scam. It shows the Windows operating system running the Internet Explorer application, which is displaying the website.

Figure: scam popup [6]


With the proper mental model the scam is easily detected. That is because it is just a website inside the browser window. In most cases

It is important to mentally box the different parts.

  • operating system: Windows
  • application: Internet Explorer
  • website: (scam)

The image must not be viewed as a unified whole. Just because something is written there does not mean it is the truth. It is just text shown on a website. The source of the message is the website. The browser is just the messenger. The operating system and the computer display are the final destination of the message. The message is not generated by a virus scanner.

When a website shows a message such as "Warning, your computer is infected with a virus.", it is most likely a lie. The computer might be infected for unrelated reasons (previous malware infection), but the website will be unaware of it. The website's only permission is to show text, images or audio in the web browser. A website cannot detect viruses. [7] Web browsers are web browsers, not virus scanners. A web browser is neither designed nor supposed to scan for viruses. If that were the case, it would be well documented.

On the contrary, scam websites resorting to such tactics usually do not possess the skill to exploit vulnerabilities in web browsers or operating systems. If an attacker had such skills, they could just compromise the victim's computer. In that case, the attacker would not need to instruct the user to compromise oneself. If the user remains skeptical about such messages, researches and possibly takes independent advice before proceeding, the user will most likely stay safe from such attacks. Many security compromises happen only because users follow instructions given by attackers.

While users must trust their operating system, and less so their applications, they must be absolutely skeptical about everything any website is saying.

Users who do not understand this concept remain highly vulnerable to all sorts of scams.

When seeing any information, text, audio or image shown by the computer, the user should ask oneself the following questions:

  • Which program code is likely generating this message?
  • Which program code is likely drawing this (part of this) window?
  • Does this application have access to this information?
  • How does this application have access to this information? [8]

This model is useful not only to avoid scams but also to diagnose and fix issues.

Learning about the concepts documented on the related wiki pages Social Engineering and (Spear) Phishing, Cryptocurrency Hardware Wallet: Threat Model and login spoofing might also deepen understanding of this topic.

The following image is legitimate. It is a screenshot of the ClamTK Virus Scanner.

Figure: ClamTK Virus Scanner [9]


These are real windows. The window decoration (minimize to tray, maximize, close buttons) as well as the window itself are drawn by the operating system. The application, ClamTK, is responsible for the window title and the content of the window.


Some URLs in Firefox, Chrome and Tor Browser are special such as about:config or about:preferences. Content of these is not generated by websites but by the browser itself.

Very hard to notice Phishing Scam - Firefox / Tor Browser URL not showing real Domain Name - Homograph attack (Punycode)
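The question "which program code is generating this content?" can be answered in part from the address alone. The following is an added example, not code from the Whonix page or project: the function name `attributeContent`, its return shape and the sample addresses are assumptions made for illustration. It separates browser-generated about: pages from website content and exposes the ASCII (Punycode) form of a host name, which is how look-alike characters become visible.

```javascript
// Added example (not Whonix code). Function name and return shape are
// hypothetical; all sample addresses at the bottom are constructed.

// about: pages that are NOT browser UI: an empty document or iframe content.
const ABOUT_NOT_BROWSER_UI = new Set(["blank", "srcdoc"]);

function attributeContent(address) {
  let url;
  try {
    url = new URL(address);
  } catch (err) {
    return { source: "invalid", host: null, idnLabels: [] };
  }

  if (url.protocol === "about:") {
    // For about: URLs the page name is the path, e.g. "config".
    const page = url.pathname.toLowerCase();
    return {
      source: ABOUT_NOT_BROWSER_UI.has(page) ? "other" : "browser",
      host: null,
      idnLabels: [],
    };
  }

  if (url.protocol === "http:" || url.protocol === "https:") {
    // The URL parser converts Unicode host names to their ASCII (Punycode)
    // form, so look-alike characters show up as labels starting with "xn--".
    const idnLabels = url.hostname
      .split(".")
      .filter((label) => label.startsWith("xn--"));
    return { source: "website", host: url.hostname, idnLabels };
  }

  // Any other scheme (file:, data:, ...) is neither browser UI nor a website.
  return { source: "other", host: url.hostname || null, idnLabels: [] };
}

// Constructed samples: the third host contains a Cyrillic "а" (U+0430).
const samples = [
  "about:config",
  "https://duckduckgo.com/",
  "https://ex\u0430mple.com/login",
  "about:blank",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(attributeContent(s)));
}
```

A non-empty `idnLabels` list does not prove a scam, since legitimate internationalized domains exist; it only means the displayed name should be compared against the ASCII form before trusting it.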

Advanced Topics

When rebooting, it is in theory not guaranteed that one will see the real BIOS. It is possible that the user is only presented with a fake reboot, i.e. the real operating system keeps running normally but shows a graphical simulation of a full reboot sequence. There is no confirmation that this technique has ever been deployed in practice.

See Also


  1. Trusted because one has to. Not trusted because one wants to trust.
  2. In comparison to, for example, a classic washing machine (without internet or sophisticated remote controls), where only trusted program code by the washing machine vendor is used to draw information on the display.
  3. On Linux, such as kernel initialization, initramfs or dracut, systemd, single user mode.
  4. Unless there is hardware, firmware or BIOS level malware, it is always possible to replace a compromised operating system with a clean operating system.
  5. Aside from compromise by malware.
  6. [archive]
  7. Ignoring deprecated dangerous technologies such as Internet Explorer with ActiveX.
  8. For example, nowadays browsers can ask for permission to use the microphone, or IP addresses can be used to determine the location of a user.
