Computer Security Education
- 1 Introduction
- 2 General
- 3 Safer Upgrades
- 4 Tor Browser
- 5 Host Security
- 5.1 Malware
- 5.2 Firmware Trojans
- 5.3 Avoid Out-of-band Management Features
- 5.4 Using a dedicated host operating system
- 5.5 Using Whonix on External Media
- 5.6 Using your own host
- 5.7 Using a dedicated host computer
- 5.8 Firmware Updates
- 5.9 Using Libre Software Hardware
- 5.10 Host Operating System
- 5.11 LAN/Router Security
- 5.12 Host Firewall
- 5.13 Disable TCP Timestamps
- 5.14 Disable ICMP Timestamps
- 5.15 Microphone
- 5.16 Webcam
- 5.17 Wireless Input Devices
- 5.18 Backups
- 6 Whonix information
- 6.1 MAC Address
- 6.1.1 Introduction
- 6.1.2 Using your home connection
- 6.1.3 Using a public computer (e.g. in a library, Internet-cafe)
- 6.1.4 Using a personal computer (e.g. a laptop, wherever it happens) in a public network
- 6.1.5 Random MAC address
- 6.1.6 Auto-connect issue
- 6.1.7 Changing MAC address
- 6.1.8 Sources
- 6.1 MAC Address
- 7 Known bugs
- 8 Most Security
- 9 What's next?
- 10 References
- 11 License
|Make sure you have already read the Warning page.|
Whonix, with its default settings, may provide better protection than Tor alone. Higher levels of security can be achieved depending on how much you are willing to invest in Whonix configuration, as well as your security practices and procedures. See Documentation.
If you already have Whonix installed, before performing an upgrade to your current Whonix setup, you are advised to shutdown any running Whonix instance currently attached to the internal virtual network named 'Whonix'. This is required to prevent cross contamination of the new machines you are importing, in the event that a powerful adversary has taken control over the ones currently in use.
Note: This is not required if you intend to create a new virtual network for the machines you are importing.
It is recommended that you always have the latest release of Tor Browser installed on your host.
The Tor Browser is great for testing, whether you live in a censored area or not and if Tor is blocked by your ISP or not. If you need (private) or (obfuscated) bridges for the Tor Browser, you will also need them for Whonix. (See Bridges.)
If the Tor Browser fails to work on your system, Whonix will similarly fail to work. If the Tor Browser unexpectedly stops running in Whonix, you can still use the Tor Browser independently to visit the Whonix Homepage.
The Importance of a Malware Free System
The integrity of the host is a critical part of the system's Trusted Computing Base. If the host system is compromised by malware, so is every Whonix virtual machine, Tor process and communication thought to be anonymous. Malware has malicious intent and can potentially: 
- View and take snapshots of the desktop.
- Peruse files and folders.
- Gain access to protected data when decrypted.
- Exfiltrate, corrupt or destroy data (particularly financial and personal information).
- Damage operating system functionality.
- Encrypt the contents of a drive(s) and demand payment for decryption (ransomware).
- Display unwanted advertising.
- Install unwanted software.
- Install persistent rootkits or backdoors.
- Track browsing and other behaviour.
- Remotely turn on webcams and microphones.
- Create "zombie" computers which form part of a botnet for spam email, DDOS attacks or the hosting of illicit / illegal material.
- Record everything a user types, sends and receives.
The Utility of Antivirus Tools
Antivirus products and personal firewalls are not drop in solutions for a secure host. Malware can often stay undetected and evade scans, while application level personal firewalls are often circumvented.  Polymorphic code and rootkits essentially render antivirus products helpless.  
Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can serve as a pathway to exploiting a system's kernel, since they almost always run with administration level privileges.  Antivirus software also harms privacy by sending system files back to the company servers for analysis. The software also actively conducts man-in-the-middle attacks on secure SSL connections, enabling very sensitive information to be viewed. 
Preventing Malware Infections
The optimal scenario is to avoid infection by malware in the first place. Once malicious code has accessed a system, it is next to impossible to contain. Sensible steps include: hardening the operating system, carefully vetting programs and files that are retrieved from the internet, and using hypervisors (virtualizers) to isolate software that processes untrusted data.
Detecting Malware Infections
Detecting off-the-shelf (standardized) malware is a very hard problem and conceptually a lost cause. If uncustomized malware is widespread enough, then it has a chance of being detected by a technician. Tailored malware might also get detected by a technician, but the likelihood is low unless they are lucky or gifted.
Non-technical users don't have many good options. They can either:
- Spend a few years to rapidly increase their knowledge base of operating systems, network protocols, package analysis, programming, disassembly etc., and then try their luck.
- Pay exorbitant sums to a technician to try and find system malware, even though there is no certainty of success.  
- Or seek the voluntary assistance of a technician to find malware, if they are both a high value target and have a reasonable rationale for why they are likely compromised. 
Once infected with very sophisticated malware that modifies low-level firmware, it is extremely difficult to detect in almost all cases. Note this should not be confused with hardware/circuit trojans, which are malicious modifications made to machine components during the manufacturing process (though even those are not immune to detection). 
Can a virtualizer such as Qubes, VirtualBox, KVM etc. prevent hardware compromise?
Running everything inside VMs is a very reasonable approach. However, it only raises the bar and makes it more difficult / expensive to compromise the whole system. It is not a perfect solution.
No distribution of Linux (or Xen, or...) like Debian, Qubes, BSD or other variants can solve the issue of not needing to dispose of potentially infected hardware. Hardware-specific issues can really only be fixed at the hardware level. At best, software interventions can only provide workarounds.
The problem is no hardware exists that consists of entirely Libre firmware. It is very difficult to: analyze the firmware of hardware, wipe potentially compromised versions, or overwrite firmware with a most-likely-clean version. If the firmware being used was Libre Software, it would make verification easier but wouldn't stop infection. Disassembling hardware components (BIOS, disk controllers, CPU, Intel AMT etc.) and flashing them with clean versions offline is so difficult, that it is just cheaper and more convenient to buy new hardware.
Bundling undesirable anti-features like DRM in closed firmware is further evidence that Libre firmware is needed, in addition to Libre hardware designs.
Avoid Out-of-band Management Features
A commonly decried feature is Intel ME and Intel AMT. The first is a firmware running on a dedicated micro-controller in all machines while the latter is the remote access feature introduced in their vPro platform. An analogous feature to ME is provided in other manufacturer's products (AMD PSP based in turn on ARM TrustZone). When you buy new hardware, don't buy Intel hardware that has AMT. AMD chipsets do not contain anything like AMT. Note, however, that there are other comparable problems (from a freedom perspective) in hardware from both Intel and AMD.
In recent developments the ME can be disabled and mostly erased without impacting the system on both Libre and closed BIOS firmwares using a simple python script. Most recent CPU generations are covered.
The situation of the Intel ME firmware is comparable to that of any other proprietary firmware blob running on your system or all its peripherals. Almost every component of a modern computer is made of firmware running on auxiliary processors of varying architectures that have privileged access on a machine. Firmware binaries and their inner-workings can still be picked apart and examined for malware by reverse engineering. Inserting an intentional malicious backdoor in every product would be dumb because it is undeniable and very likely someone will discover it eventually, destroying a business' reputation and revenue. The Intelligence Community favors targeted attacks (product interdiction) to avoid detection for as long as possible. Also 0days: a way into all systems out there without having any a priori traces on a system that can be discovered until they are used (typically selectively to extend their shelf-life) and more commonly 0-days: serious bugs that most users don't bother to patch.
The problem arises when exposing blobs which contain bugs to the network which leads to remote exploitation - however any common criminal will have access, far from the NOBUS access sought by Intelligence Agencies. According to the most prominent Intel ME researcher and reverser, only the corporate/AMT firmwares include the networking stack. There were some mobile variants which had access to the wireless 3G chip (for Anti-Theft) but this functionality has been dropped. As mentioned already, the simple solution is to avoid computers with that feature entirely.
In principle there is no problem with the concept of out-of-band management and it has a place in the datacenter, as long as the owner of the machine can patch security vulnerabilities on demand and controls the remote access to it - only possible with Libre software . Out-of-band management has been around since 1998, dubbed the Intelligent Platform Management Interface (IPMI) framework which consists of a proprietary firmware running on the Baseboard management controller (BMC) a dedicated micro-controller in enterprise NICs to allow complete remote control over a machine despite its power state. There is no secret about what it does either because it does what it says on the tin. Running a network-facing, bug-ridden proprietary OS and giving it privileged access over a machine has proven a horrible idea. Facebook has put out OpenBMC, an interesting looking implementation that, in theory, may be placed on BMCs. Problematically most vendors (HP, Dell, IBM, etc.) won't let you install firmware that is not signed by them... so you're out of luck. Plus, the low-level drivers and so on. However there has not been any publicly available hardware that will run it.
Other features to watch out for and disable are the commonly deployed PXE boot and Wake-on-Lan (WoL). PXE is implemented either as a Network Interface Card (NIC) BIOS extension or today in modern devices as UEFI code and can be easily disabled from there. WoL hardware functionality is typically blocked by default on most systems and needs to be enabled in using the system BIOS/UEFI.  Though rare nowadays, avoid machines with an anti-theft feature which is really a BIOS rootkit that phones home.
Using a dedicated host operating system
It is recommended that you use a dedicated host operating system just for hosting Whonix Virtual Machines. Should your every day operating system already be compromised, Whonix could not provide any additional protection. It is best to have one dedicated host operating system which is used to only host Whonix.
Using Whonix on External Media
Unfortunately, Whonix does not provide a user friendly USB creator (help welcome!). However, you can install the host operating system(s) required for Whonix on (encrypted) a dedicated external disk(s) such as USB, FireWire, eSATA, etc for futher security. This will reduce the risk of other operating system(s) infecting Whonix's host operating system. You can remove and hide the Whonix disk(s) while they are not in use.
There are a number of guides online explaining how to install Linux on USB. Whonix differs only in that you must install a supported virtualizer and Whonix.
Using your own host
It is recommended that you only use Whonix on computers you own with no shared access. While other users may be trusted, they might not be equally knowledgeable in computer security. Only one mistake is required for your system to be compromised.
Needless to say, hosting Whonix in the cloud, on a foreign server you do not physically control, on a VPS etc is not recommended. Information on these systems is readily accessible to their owners/regulators.
Using a dedicated host computer
For the ultimate host security option you should use a dedicated computer just for hosting Whonix. Ideally one, that you never used for anything else before.
This chapter contains general security advice and is unspecific to Whonix.
Due to the hardware and host operating system specificity and difficulty of this topic, it is outside the scope of Whonix documentation. The links provided may not be the most relevant and you may have to research this topic further on your own.
Updating firmware may or may not improve security. On one hand you may fix vulnerabilities. On the other hand, an update may introduce a new backdoor. If you know of examples of one of these situations, feel free to edit this chapter. As an end user, you unfortunately have to blindly trust the hardware producer anyway, so it might be better to get the non-Free updates.
(See also the thread on the debian-security mailing list How secure is an installation with no non-free packages?)
Using Libre Software Hardware
This chapter contains general security advice and is unspecific to Whonix.
Open-source hardware is not affected by the non-Free firmware updates issue described above. Such hardware might be more trustworthy. (The Lemote Yeeloong Notebook maybe?)
TODO: research and expand
Host Operating System
GNU/Linux is the only serious option for having a private host operating system. You can stop reading this windows chapter here or go on reading to find out why.
If you want to just use your system without harassment (advertisements, forced updates, remotely removing applications without your consent) and surveillance then it is worth investing comparably less effort in learning Linux instead of playing whack-a-mole with malware on your system by people who wrote it.
By using any version of Windows, you completely forfeit your privacy by using this OS. An anonymous browser or OS is of little help when the host is compromised and sends info about what you type or download to a third party. The trustworthiness of the host is a crucial part of any threat model. Windows is also bundled with a large number of programs that 'phone home' by default.
Additional privacy risks have been introduced with Windows 8. One example is the smartscreen filter, which reports to Microsoft what software you are running on your computer.  This feature includes a kill switch that can allow Microsoft (or any one with an exploit for this mechanism) to delete programs on your machine without your consent. 
Windows 10 takes surveillance of users to a whole new level. It runs a telemetry spyware program out-of-the-box that snoops on the users' files, what programs you are running and for how long, text input including your unique typing pattern, voice input, location info, contacts, calendar records and web browsing history, as well as automatically connecting the machines to open hotspots and showing targeted ads. There is no way to remove telemetry. Know that with non-enterprise editions you have no way to completely opt-out of the surveillance "features" of Windows 10. Even if you can tweak some settings you cannot trust that they will be respected because they forced code on user's machines despite turning off windows updates many times before  
Microsoft has been aggressively and deceptively forcing Windows 10 on users to get people to run the spyware. They backported it to Windows 7 and 8 for those that held back so odds are you are already running it. Even if you "disable" windows update on windows 7 and 8 Microsoft is still able to modify the system. For more details about Windows malicious behavior check the factual write-up.
Ignoring for a second its own built-in malware, Windows is a pile of legacy code full of security holes that is easily compromised. Before patching Windows, Microsoft is known to consult with intelligence agencies and provide information on security holes before they inform the public and fixes are produced. Since the NSA also buys security exploits from software companies  and uses them to gain unauthorized access into computer systems,  it is reasonable to assume that the NSA also uses information supplied by Microsoft and that Windows users are at a higher risk.
Microsoft updates use weak cryptographic verification such as MD5 and SHA-1. The CMU Software Engineering Institute said about MD5 in 2009, it "should be considered cryptographically broken and unsuitable for further use".  In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature. 
Open Source software like Linux is more secure than closed source software. The public scrutiny of security by design has proven to be superior to security through obscurity. This aligns the software development process with Kerckhoffs' principle - the basis of modern cipher-systems design. This principle asserts that systems must be secure, even if the adversary knows everything about how they work. Generally speaking, Libre Software projects are much more open and respectful of the privacy rights of users. Libre Software projects also encourage security bug reports, open discussion, public fixes and review.
Before Windows 8, there was no central software repository comparable to for example Debian apt-get where users can download software. Most Windows users are still using Windows 7  and have their reasons for refusing to upgrade to higher Windows versions.
A common way on the Windows platform to install additional software is to search the internet for it and to install it. It is not simple to never end up on a website that bundles software downloads with adware or worse malware. Even if someone always downloads software from reputable websites, users very commonly act in very insecure ways. For example if someone downloads Mozilla Firefox from a reputable website chip.de  then the download would happen over an insecure plain http connection. (At time of writing, chip.de still did not enforce https for its whole website.) In that case it is trivial for internet service provider (ISP) level adversaries, WiFi providers etc. to mount man-in-the-middle attacks and to inject malware into the download. But even if https is used for downloads, it would only provide a very basic form of authentication.
To keep a system secure and free of malware it is strongly advised to always verify software signatures. This however is very difficult if not impossible for Windows users. Most of the time in the Windows world, no software signature files (OpenPGP / gpg signatures) are provided by the producers of the software. Therefore it is probably safe to conclude that almost nobody on the Windows platform is always verifying software signatures for strong authentication.
In contrast in the Linux world, for most Linux distributions, software repositories are provided. For example Debian and Debian based distributions are using apt-get which provides strong authentication because it verifies all software downloads against Debian's repository signing key. That process is default, automatic and does not require any user action. On the contrary, apt-get shows warning should the user attempt to install unsigned software. For software that is not available in the distribution's software repository, most times OpenPGP / gpg signatures are available. In the Linux world it is much more practically doable to always verify software signatures.
Windows is not a security-focused operating system. Due to Microsoft's proprietary restrictive Windows licensing policy, there are no legal software projects that are providing a security-focused remix of Windows. On the other hand, in the Linux world there are Libre Software security-focused remixes of Linux such as Qubes OS.
Mac OS-X Hosts
There are many problems with Apple's OSes including surveillance, censorship of what programs you can run and DRM crippleware to limit what you can do with your devices. See this write-up by the FSF for more information.
A Free Software OS that respects user freedom, is the only realistic choice when it comes to privacy and security.
Use GNU/Linux on the host and only use in-repository software that is automatically gpg signed and installed from the distributor's repositories by the package manager. This is much safer than downloading stuff from the web like you have to do as a Windows user.
Which GNU/Linux Distribution do you recommend?
It used to be that any GNU/Linux distribution was a safe bet with privacy however Ubuntu's data-mining functionality makes it an unsuitable choice.
For other reasons not to use Ubuntu or Ubuntu-derived distros expand this section.
Ubuntu's paltry contributions to the upstream libre projects they rely on so much is a policy not a coincidence with "It is absolutely true we have no interest in the core fundamentals of the Linux kernel, none whatsoever." - Mark Shuttleworth (Canonical founder).
The only time they bother contributing in any major way is when forking major projects (Wayland into Mir and GNOME into Unity - both which cannot be built without major effort on any other distro but their's) in attempt to fragment the open source software stack to lock in users and put pressure on competing distros and vendors.
Their Contributor License Agreement gives them complete power over patents that cover contributed code and grants them the right to re-license this code under any license of their choice including a proprietary one.
Hostile treatment of Kubuntu spin project lead and unilaterally removing him without warning and contrary to wishes of his team members. Canonical also pilfered donation funds originally meant for desktop spin projects (Kubuntu, Lubuntu...) despite abruptly dropping funding in Kubuntu's case and Blue Systems stepped in to save the popular project. For years Canonical has been applying an absurd intellectual property policy over packages in its repositories - claiming it owns the copyright over any binaries compiled by their servers. After the FSF stepped in and arranged a resolution over 2 years, the amended policy now states that Canonical’s IP policy can’t override packages with GPL licenses, but that now means that any package with a permissive license is now copyrighted by them.
You cannot rely on downstream forks based on Ubuntu either - The popular Linux Mint distro was threatened to be cut off from accessing Ubuntu infrastructure unless they caved in to Canonical's binary licensing terms. Since then they put out a version based on Debian instead. Their vague trademark and IP policy has become radioactive for downstream distros and many have made the smart choice to re-base on Debian instead of Ubuntu over the years including Kali, Whonix and others.
Canonical is getting snugly with Microsoft which should make you uncomfortable given the latter's strategy of Embrace, Extend, Extinguish of Free Software.
There are of course other options. See "Why don't you use <your favorite most secure operating system> for Whonix?" for analysis of alternatives.
If your Whonix-Gateway is ever compromised, it can theoretically access any computer in your local network. Therefore, if you are the administrator of your home network, it is recommended that you lock down the web interface of your home router, i.e. installing the latest firmware with latest security patches and using a secure password.
Having a simple host firewall (gufw - Uncomplicated Firewall on Debian), denying all incoming ports, is recommended as well.
On the host, on Debian.
1. Install gufw.
sudo apt-get update && sudo apt-get install gufw
2. Start gufw
3. Press unlock. Enter password.
4. Press enable.
5. Settings: Incoming: Deny Outgoing: Allow
Disable TCP Timestamps
Adversaries can remotely access the current uptime of your machine and the host's clock-down to millisecond precision. To avoid this information being passed, it is recommended that you disable TCP timestamps on your systems. The less information attackers can get, the higher the security.
This is the default in Qubes R3.1 and above. 
Open a terminal (Konsole).
You need to add the following line to /etc/sysctl.d/tcp_timestamps.conf:
net.ipv4.tcp_timestamps = 0
To do that, you could use the following command.
echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf
To apply the sysctl settings without reboot, run the following command.
Check if it is really set.
If it worked correctly, the system should respond the following: net.ipv4.tcp_timestamps = 0
To disable TCP timestamping on Windows, run the following root command:
netsh int tcp set global timestamps=disabled
Note: You must have administrator privileges.
Other Operating Systems
Disable ICMP Timestamps
This is the default in Qubes R3.1 and above. 
ICMP Timestamps need to be blocked using your firewall. This is distro dependent and varies widely as does having a firewall enabled on your specific OS - some distros don't turn it on. There are many differing ways to accomplish this via command-line, its recommended to consult your distro's documentation.
Instead for a more straightforward way, you are advised to download a GUI front-end to configure your firewall and have it set to silently drop all incoming connections by default, allowing only outgoing traffic from your machine.
Other Operating Systems
Does your computer or notebook have a microphone? You could have a built-in one, but never noticed it. In most cases it is recommended to disable your microphone for security reasons. If your Whonix-Workstation ever gets compromised by malware, an adversary could eavesdrop through your microphone. It is safe to assume that everyone has had an unencrypted phone call during their life time and that one of them has been recorded.
Voice and writing is very personal, unique so your non-anonymous and "anonymous" voice can be easily linked. This is called voice recognition and documented on the VoIP wiki page in the introduction chapter. (For writing this technique is called stylometry and documented on the Surfing Posting Blogging wiki page.)
External microphones should be unplugged for ultimate security. If your microphone is built-in and you decide to disable your microphone, you can check the BIOS to find out if the microphone can be disabled. Removing built-in microphones may be a bit more difficult, but if you have the skills to remove it, go for it.
By default, unfortunately microphones connected to your host are available to virtual machines such as the Whonix-Workstation.
If you want to make internet calls, Voice over IP (VoIP) or use the microphone for other reasons inside Whonix-Workstation, use Multiple Whonix-Workstations and use the microphone only in selected, not all Whonix-Workstations. Unplug your microphone after use.
Expand for more information:
KVM by default emulates a line-in/line-out in the virtual sound device, meaning microphone passthrough to guests is enabled if it is turned on for the host.
As per the usual Qubes feature.
Qubes VM Manger -> Right click on VM -> Attach/deattach audio input device to the VM
Does your computer or notebook have a webcam? You could have a built-in one, but just never noticed - check your computer's datasheet and operating system hardware manager.
Unless you plan to use a webcam inside Whonix-Workstation, it is recommended to disable or possibly remove your webcam. If you do plan to use a webcam you should disable and possibly unplug your webcam after use.
External webcams should be unplugged for optimal security. If your webcam is built-in and you decide to disable it, you can check the BIOS to find out if the webcam can be disabled. Removing built-in webcams may be a bit more difficult, but if you have the skills to remove it, go for it. Alternatively, cover the webcam externally.
Wireless Input Devices
Avoid using wireless keyboards and mice because most send data unencrypted. Even if this wasn't the case, there is no way to verify the robustness of the crypto involved in proprietary products. A local adversary (up to 100 meters away) can sniff keystrokes and inject their own, allowing them to take over the machine.
Backups of sensitive data is important. Data where you do not possess at least two copies of the original should be considered lost. This is because one data medium might become inaccessible beyond repair any minute. So your computer would not even detect the risk anymore, so data recovery tools would not be of help either. (In such cases you might be lucky with professional data recovery companies, but they usually charge thousands of dollars.)
So this is what is recommended:
- original file on medium such as your internal hard drive.
- backup one. Example: on an external hard drive from manufacturer A.
- backup two. Example: on an external hard drive from manufacturer B.
For better security for other events such as fire or physical access such as robbery, backups in separate physical locations are recommended. Additionally backups at remote servers are also an option, but then you really must make sure to get the encryption right.
All network cards, both wired and wireless, have a unique identifier stored within them called their MAC address. This is used to assign an address to your computer on the local network. This address is not traceable (as in it is not passively sent to computers beyond your local router).
However, other computers on the local network could log it, which then would provide proof that your computer has been connected to that network. If you are using an untrusted, public network you should consider spoofing it.
IMPORTANT NOTE: According to recent research, MAC address spoofing is not effective against advanced tracking techniques that can still enumerate it by looking at physical characteristics of the Wi-Fi card. Manufacturers need to modify their hardware's drivers or firmware to add privacy preserving mitigations.
A workaround is to buy new "burner" WiFi USB sticks of different brands. Take care to disable your machine's native WiFi functionality in the BIOS because odds are its characteristics are already logged if you used it from any untrusted hotspot. Enable connectivity with these burner devices only from the intended public destination. At no point should you use them to connect from a network tied to you or a place you regularly visit. Use a different stick for every new location to avoid location profiling/tracking.
Dealing with MAC Addresses is one piece of the puzzle of the location tracking problem. Attention must be given to changing the usual entry guards you connect to - for every Tor instance on your machine host (apt-transport-tor) and guest to thwart this type of attack.
An authentication technique (which can also track user devices as a side-effect) can fingerprint devices by observing inter-packet timings on a LAN's wire-segment which are the result of how various components in a machine create packets. Fortunately this cannot be used to identify devices across the internet. This can be defeated by inducing random delays in a machine's packet stream. Since we don't care about impersonating other devices on the LAN, it doesn't matter that such an authentication system would view machines as "unknown".  Note that spectrum analyzers are mentioned as a way to fingerprint the unique EM characteristics of a WiFi card. The disposable USB WiFi workaround would mitigate this. 
Using your home connection
Changing your MAC address is not required. However, when not using a VM your physical MAC address could be revealed in the case of a browser exploit. If you are already under suspicion, this would eventually provide proof of your identity. When the MAC address has been changed, root access is required to discover the real physical address. (Note: This is yet to be tested)
Consider: If your home network uses a cable modem internet connection, the ISP either provides the cable modem device as part of the service or requires pre-registration of the MAC address of your self-provided cable modem in order to setup your service. If you manage to hack/change the MAC address of the modem, your service would immediately cease functioning (because the IP assignment is apportioned for, and bound to, that specific MAC address). As a result, when connecting from behind a cable modem/NAT router, spoofing the MAC address of your PC's ethernet adapter may be pointless. If you are traced, the trackable endpoint will be the MAC address of your cable modem device.
Using a public computer (e.g. in a library, Internet-cafe)
The MAC address should not be changed, as it may bring undesired admin attention to your service and/or simply forbid your access to the Internet.
Using a personal computer (e.g. a laptop, wherever it happens) in a public network
The MAC address should be changed, and /var/lib/tor/state should be removed so that a new set of guards is selected.
It is advisable that the admin not discover the use of Tor on your computer. This depends on your configuration, i.e. perhaps you are using obfsproxy or you tunnel your traffic through SSH/VPN.
Changing the MAC address and being a Tor user, depending on your personal threat model, might be risks for re/visiting that public network.
If you are going to reuse the same public network, you have to decide if you are going to use the very same MAC address (and set of guards) or if you are going to create a new MAC address. If you suspect that the admin has seen you and logged the MAC, it could be unwise to change the MAC address, since this could appear suspicious. If you believe that public network is adequately public and that you have not been observed, you might decide to use a new MAC address (popular vendor ID, random/unique second part) each time you use this network.
For more discussion on this rather difficult topic, see Dev/MAC.
Random MAC address
Using a random MAC address is not recommended. While this might sufficiently confuse some adversaries, it will not defeat skilled adversaries. If you are using a random MAC address, it might happen that the vendor ID of the MAC address is non-existent. Even if it was existent, you might end up with a vendor ID, which has either never been used or not been used in decades. If you are going to spoof your MAC, you have to use a popular vendor ID.
The initial second part of the MAC address may be random/unique.
As yet, we cannot provide detailed instructions on how to create such appropriate MAC addresses. Research is still ongoing.
The reason why MAC changing is not always enabled is that it might cause problems on some networks.
Apart from the difficulty creating an appropriate MAC address, there are also technical hurdles. All the work of creating this MAC will be futile if you boot your computer and it instantly connects to the public network and spills your MAC address. For Virtual Machine users: your host operating system most likely automatically connects (updates, perhaps time sync). For Physical Isolation users: Whonix-Gateway automatically connects to Tor after start.
Also if you use a USB WiFi device, this might also occur.
Changing MAC address
For Qubes Hosts
Qubes users do this in their NetVM. Refer to the Qubes documentation / support. See:
For Linux Hosts
If you are interested in this with Non-Qubes-Whonix, please press on expand on the right.
TODO: test and expand, please help!
Standard-Download-Version (Virtual Machine) users
Edit /etc/network/interfaces on the host.
Physical Isolation users
Edit /etc/network/interfaces on Whonix-Gateway
apt-get update && apt-get install macchanger
If instructions 1+ below don't work, you can use the following to manually change the MAC address for your device (eth0, wlan0, etc.):
ifconfig wlan0 down
macchanger -a wlan0
ifconfig wlan0 up
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE
ifconfig wlan0 up
ip link set down wlan0
ip link set wlan0 address 00:AA:BB:CC:DD:EE
ip link set up wlan0
Below "iface eth0 inet dhcp" Add
hwaddress ether 00:00....
To automatically randomize the MAC address on boot, if desired, add
pre-up macchanger -e eth0
To prevent automatically bringing up new network interfaces, all that is needed is to uncomment.
Then manually bring up with
sudo ifup eth0
See footnote. 
Check Download page for a list of known bugs.
If you want to learn all of the security concerns that Whonix considers you should, before installing Whonix, read all Whonix Documentation pages. Depending on your security needs, you might also like to consult the Design pages.
- A botnet author brags in this thread of writing unbeatable malware and trolling antivirus vendors.
- The salary costs for a security researcher / malware analyst over an extended period rule this out for most individuals.
- Only a select group of people fall into this group, for instance, whistleblowers targeted and infected by tailored viruses. Experts might be located who are willing to conduct analysis pro bono; later publicizing their findings for the public benefit.
- Libre software can contain bugs too but it gives users the freedom to fix it
- To reduce risks of eventual previous hardware compromised.
- https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Desktop_and_laptop_computers www.webcitation.org/6mgUAxhv9
- http://www.chip.de/downloads/Firefox-64-Bit_85086969.html http://www.webcitation.org/6mgUDIObc
You can skip this Temporary chapter and move on to #Permanently if you are looking for a permanent solution.
To dynamically disable TCP timestamping on Linux...
(When using Qubes: in the NetVM.)
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
- Unless your computer is infected with Malware looking for this number.
- Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
- A Passive Technique for Fingerprinting Wireless Devices with Wired-side Observations
- The primary weakness of this technique, as with most works that rely on fine-grained packet timing, is that the timing is lost as a result of buffering in switches and routers. Therefore, this technique is not suited for identification across the Internet. Rather, it is perfectly suitable for the significant challenge of local network access control (and other local network activities, e.g., counterfeit detection).
- Figure 7(a) shows attackers that can vary their packet sizes, change their data rate, tunnel their packets through another protocol. Figure 7(b) presents attackers that can introduce constant/random delays to packet stream and load the CPU with intensive applications to over shadow normal behavior. Figure 7(c) shows an attacker that can modify/change its operating system. GTID detects these attacks and classifies all of these devices that generated attack traffic from previously seen devices as unknown.
- There have also been physical layer approaches to fingerprint wireless devices. Radio frequency (RF) emitter fingerprinting uses the distinct electromagnetic (EM) characteristics that arise from differences in circuit topology and manufacturing tolerances. This approach has a history of use in cellular systems and has more recently been applied to Wi-Fi  and Bluetooth  emitters. The EM properties fingerprint the unique transmitter of a signal and differ from emitter to emitter. This technique requires expensive signal analyzer hardware to be within RF range of the target.
Whonix Computer Security Education wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Computer Security Education wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <email@example.com>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Impressum | Datenschutz | Haftungsausschluss
Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.