Computer Security Education
- 1 Introduction
- 2 General
- 3 Safer Upgrades
- 4 Tor Browser Bundle
- 5 Host Security
- 5.1 Malware
- 5.2 Using a dedicated host operating system
- 5.3 Using Whonix on External Media
- 5.4 Using your own host
- 5.5 Using a dedicated host computer
- 5.6 Firmware Updates
- 5.7 Using Libre Software Hardware
- 5.8 Disable TCP Timestamps
- 5.9 Disable ICMP Timestamps
- 5.10 Host Operating System
- 5.11 LAN/Router Security
- 5.12 Host Firewall
- 5.13 Microphone
- 5.14 Webcam
- 5.15 Wireless Input Devices
- 5.16 Backups
- 6 Whonix information
- 6.1 MAC Address
- 6.1.1 Introduction
- 6.1.2 Using your home connection
- 6.1.3 Using a public computer (e.g. in a library, Internet-cafe)
- 6.1.4 Using a personal computer (e.g. a laptop, wherever it happens) in a public network
- 6.1.5 Random MAC address
- 6.1.6 Auto-connect issue
- 6.1.7 Changing MAC address
- 6.1.8 Sources
- 6.1 MAC Address
- 7 Known bugs
- 8 Most Security
- 9 What's next?
- 10 References
- 11 License
|Make sure you have already read the Warning page.|
Whonix, with its default settings, may provide better protection than Tor alone. Higher levels of security can be achieved depending on how much you are willing to invest in security practices and procedures. See Documentation.
If you already have Whonix installed, before performing an upgrade to your current Whonix setup, you are advised to shutdown any running Whonix instance currently attached to the internal virtual network named 'Whonix'. This is required to prevent cross contamination of the new machines you are importing, in the event that a powerful adversary has taken control over the ones currently in use.
Note: This is not required if you intend to create a new virtual network for the machines you are importing.
Tor Browser Bundle
It is recommended that you always have the latest release of Tor Browser Bundle installed on your host.
The Tor Browser Bundle is great for testing, whether you live in a censored or not and if Tor is blocked by your ISP or not. If you need (private) or (obfuscated) bridges for the Tor Browser Bundle, you will also need them for Whonix. (See Bridges.)
If the Tor Browser Bundle fails to work on your system, Whonix will similarly fail to work. If the Tor Browser unexpectedly stops running in Whonix, you can still use the Tor Browser independently to visit the Whonix Homepage.
The integrity of the host is a critical part of the system's Trusted Computing Base. If the host system is compromised by Malware so is every virtual machine with Whonix, Tor and all anonymous communication. Malware can see your desktop, everything you type, send and receive. Antivirus products and personal firewalls are NOT drop in solutions for a secure host. Malware can often stay undetected and application level personal firewalls are often circumvented . Polymorphic code and Rootkits essentially render Antivirus products helpless.  
The optimal scenario is to not get infected by Malware in the first place. Once malicious code has accessed a system, it is next to impossible to contain. In case of sophisticated and targeted attacks, the Antivirus software is not only completely useless but can serve as a pathway to exploiting a system's kernel (since they almost always run with admin privileges)..
This is not to say that Antivirus scanning and firewalls are totally useless, however, it is difficult to take advantage of antivirus scanning since a secure setup is very impractical, cumbersome. For more information on that, see the following footnote. 
Refer to antivirus not as your first but as your very last line of defence. If you do find malware on your system, this only demonstrates that your precautions didn't work. It is the precautions (hardening, secure host operating system, signed software) that are of most importance not the detection.
Using a dedicated host operating system
It is recommended that you use a dedicated host operating system just for hosting Whonix Virtual Machines. Should your every day operating system already be compromised, Whonix could not provide any additional protection. It's best to have one dedicated host operating system which is used to only host Whonix.
Using Whonix on External Media
Unfortunately, Whonix does not provide a user friendly USB creator (help welcome!). However, you can install the host operating system(s) required for Whonix on (encrypted) a dedicated external disk(s) such as USB, FireWire, eSATA, etc for futher security. This will reduce the risk of other operating system(s) infecting Whonix's host operating system. You can remove and hide the Whonix disk(s) while they are not in use.
There are a number of guides online explaining how to install Linux on USB. Whonix differs only in that you must install a supported virtualizer and Whonix.
Using your own host
It is recommended that you only use Whonix on computers you own with no sharing privileges. While other users may be trusted, they might not be equally knowledgeable in computer security. Only one mistake is required for your system to be compromised.
Needless to say, hosting Whonix on your cloud, on a foreign server you do not physically control, on a VPS etc is not recommended. Information on these systems is readily accessible to their owners/regulators.
Using a dedicated host computer
For the ultimate host security option you should use a dedicated computer just for hosting Whonix. Ideally one, that you never used for anything else before.
This chapter contains general security advice and is unspecific to Whonix.
Due to the hardware and host operating system specificity and difficulty of this topic, it is outside the scope of Whonix documentation. The links provided may not be the most relevant and you may have to research this topic further on your own.
Updating firmware may or may not improve security. On one hand you may fix vulnerabilities. On the other hand, an update may introduce a new backdoor. If you know of examples of one of these situations, feel free to edit this chapter. As an end user, you unfortunately have to blindly trust the hardware producer anyway, so it might be better to get the non-Free updates.
(See also the thread on the debian-security mailing list How secure is an installation with no non-free packages?)
Using Libre Software Hardware
This chapter contains general security advice and is unspecific to Whonix.
Open-source hardware is not affected by the non-Free firmware updates issue described above. Such hardware might be more trustworthy. (The Lemote Yeeloong Notebook maybe?)
TODO: research and expand
Disable TCP Timestamps
Adversaries can remotely access the current uptime of your machine and the host's clock-down to millisecond precision. To avoid this information being passed, it is recommended that you disable TCP timestamps on your systems. The less information attackers can get, the higher the security.
If you are using Qubes R3.1 or above, then there is nothing to do since this is the Qubes R3.1 and above.  Otherwise you should upgrade the latest stable Qubes version.
Open a terminal (Konsole).
You need to add the following line to /etc/sysctl.d/tcp_timestamps.conf:
net.ipv4.tcp_timestamps = 0
To do that, you could use the following command.
echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf
To apply the sysctl settings without reboot, run the following command.
Check if it's really set.
If it worked correctly, the system should respond the following: net.ipv4.tcp_timestamps = 0
To disable TCP timestamping on Windows, run the following root command:
netsh int tcp set global timestamps=disabled
Note: You must have administrator privileges.
Other Operating Systems
Disable ICMP Timestamps
ICMP Timestamps need to be blocked using your firewall. This is distro dependent and varies widely as does having a firewall enabled on your specific OS - some distros don't turn it on. There are many differing ways to accomplish this via command-line, its recommended to consult your distro's documentation.
Instead for a more straightforward way, you advised to download a GUI front-end to configure your firewall and have it set to silently drop all incoming connections by default, allowing only outgoing traffic from your machine.
Other Operating Systems
Host Operating System
GNU/Linux is the only serious option for having a private host operating system. You can stop reading this windows chapter here or go on reading to find out why.
By using any version of Windows, you completely forfeit your privacy by using this OS. An anonymous browser or OS is of little help when the host is compromised and sends info about what you type or download to a third party. The trustworthiness of the host is a crucial part of any threat model.
Microsoft 'silently' updates users' machines even if they have Windows Update disabled.   As well as this, Windows is bundled with a large number of programs that 'phone home' by default. Accordingly, Windows as a host system is not recommended for supporting anonymity.  Additional privacy risks have been introduced with Windows 8. One example is the smartscreen filter, which reports to Microsoft what software you are running on your computer.  This feature includes a kill switch that can allow Microsoft (or any one with an exploit for this mechanism) to delete programs on your machine without your consent. 
Windows 10 takes surveillance of users to a whole new level. It snoops on the users' files, text input, voice input, location info, contacts, calendar records and web browsing history, as well as automatically connecting the machines to open hotspots and showing targeted ads. Microsoft has engaged in deceptive practices to aggressively push Windows 10 on unwitting users. For details and more check the factual write-up about Windows malicious behavior for a better understanding. Know that with non-enterprise editions you have no way to completely opt-out of the surveillance "features" of Windows 10.
Microsoft has silently backported the spyware telemetry process to older versions of Windows that had Automatic Updates enabled. Now users have to choose between running unpatched, insecure machines or being surveilled.
Before patching Windows, Microsoft is known to consult with intelligence agencies and provide information on security holes before they inform the public and fixes are produced. Since the NSA also buys security holes from software companies  and uses them to gain unauthorized access into computer systems,  it is reasonable to assume that the NSA also uses information supplied by Microsoft and that Windows users are at a higher risk.
Microsoft updates use weak cryptographic verification such as MD5 and SHA-1. The CMU Software Engineering Institute said about MD5 in 2009, it "should be considered cryptographically broken and unsuitable for further use".  In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature. 
Mac OS-X Hosts
There are many problems with Apple's OSes including surveillance, censorship of what programs you can run and DRM crippleware to limit what you can do with your devices. See this write-up by the FSF for more information.
A Free Software OS that respects user freedom, is the only realistic choice when it comes to privacy and security.
Use GNU/Linux on the host and only using in-repository software is automatically gpg signed and installed from the distributor's repositories by the package manager. This is much safer than downloading stuff from the web like you have to do as a Windows user.
Which GNU/Linux Distribution do you recommend?
It used to be that any GNU/Linux distribution is a safe bet with privacy however Ubuntu's data-mining functionality makes it an unsuitable choice.
For other reasons not to use Ubuntu or Ubuntu-derived distros expand this section.
Ubuntu's paltry contributions to the upstream libre projects they rely on so much is a policy not a coincidence with "It's absolutely true we have no interest in the core fundamentals of the Linux kernel, none whatsoever." - Mark Shuttleworth (Canonical founder).
The only time they bother contributing in any major way is when forking major projects (Wayland into Mir and GNOME into Unity - both which cannot be built without major effort on any other distro but their's) in attempt to fragment the open source software stack to lock in users and put pressure on competing distros and vendors.
Their Contributor License Agreement gives them complete power over patents that cover contributed code and grants them the right to re-license this code under any license of their choice including a proprietary one.
Hostile treatment of Kubuntu spin project lead and unilaterally removing him without warning and contrary to wishes of his team members. Canonical also pilfered donation funds originally meant for desktop spin projects (Kubuntu, Lubuntu...) despite abruptly dropping funding in Kubuntu's case and Blue Systems stepped in to save the popular project. For years Canonical has been applying an absurd intellectual property policy over packages in its repositories - claiming it owns the copyright over any binaries compiled by their servers. After the FSF stepped in and arranged a resolution over 2 years, the amended policy now states that Canonical’s IP policy can’t override packages with GPL licenses, but that now means that any package with a permissive license is now copyrighted by them.
You cannot rely on downstream forks based on Ubuntu either - The popular Linux Mint distro was threatened to be cut off from accessing Ubuntu infrastructure unless they caved in to Canonical's binary licensing terms. Since then they put out a version based on Debian instead. Their vague trademark and IP policy has become radioactive for downstream distros and many have made the smart choice to re-base on Debian instead of Ubuntu over the years including Kali, Whonix and others.
Canonical is getting snugly with Microsoft which should make you uncomfortable given the latter's strategy of Embrace, Extend, Extinguish of Free Software.
There are of course other options. See "Why don't you use <your favorite most secure operating system> for Whonix?" for analysis of alternatives.
If your Whonix-Gateway is ever compromised, it can theoretically access any computer in your local network. Therefore, if you are the administrator of your home network, it's recommended that you lock down the web interface of your home router, i.e. installing the latest firmware with latest security patches and using a secure password.
Having a simple host firewall (gufw - Uncomplicated Firewall on Debian), denying all incoming ports, is recommended as well.
On the host, on Debian.
1. Install gufw.
sudo apt-get update && sudo apt-get install gufw
2. Start gufw
3. Press unlock. Enter password.
4. Press enable.
5. Settings: Incoming: Deny Outgoing: Allow
Does your computer or notebook have a microphone? You could have a built-in one, but never noticed it. In most cases it is recommended to disable your microphone for security reasons. If your Whonix-Workstation ever gets compromised by malware, an adversary could eavesdrop through your microphone. It is save to assume, that everyone has have a unencrypted phone call during ones life time and that one of them has been recorded.
Voice and writing is very personal, unique so your non-anonymous and "anonymous" voice can be easily linked. This is called voice recognition and documented on the VoIP wiki page in the introduction chapter. (For writing this technique is called stylometry and documented on the Surfing Posting Blogging wiki page.)
External microphones should be unplugged for ultimate security. If your microphone is built-in and you decide to disable your microphone, you can check the BIOS see find out if the microphone can be disabled. Removing built-in microphones may be a bit more difficult, but if you have the skills to remove it, go for it.
By default, unfortunately microphones connected to your host are available to virtual machines such as the Whonix-Workstation.
If you want to make internet calls, Voice over IP (VoIP) or use the microphone for other reasons inside Whonix-Workstation, use Multiple Whonix-Workstations and use the microphone only in selected, not all Whonix-Workstations. Unplug your microphone after use.
Expand for more information:
KVM by default emulates a line-in/line-out in the virtual sound device, meaning microphone passthrough to guests is enabled if its turned on for the host.
As per the usual Qubes feature.
Qubes VM Manger -> Right click on VM -> Attach/deattach audio input device to the VM
Does your computer or notebook have a webcam? You could have a built-in one, but just never noticed - check your computer's datasheet and operating system hardware manager.
Unless you plan to use a webcam inside Whonix-Workstation, it's recommended to disable or possibly remove your webcam. If you do plan to use a webcam you should disable and possibly unplug your webcam after use.
External webcams should be unplugged for optimal security. If your webcam is built-in and you decide to disable it, you can check the BIOS to find out if the webcam can be disabled. Removing built-in webcams may be a bit more difficult, but if you have the skills to remove it, go for it. Alternatively, cover the webcam externally.
Wireless Input Devices
Avoid using wireless keyboards and mice because most send data unencrypted. Even if this wasn't the case, there is no way to verify the robustness of the crypto involved in proprietary products. A local adversary (up to 100 meters away) can sniff keystrokes and inject their own, allowing them to take over the machine.
Backups of sensitive data is important. Data where you do not posses at least two copies of the original should be considered lost. This is because one data medium might become inaccessible beyond repair any minute. So your computer would not even detect the risk anymore, so data recovery tools would not be of help either. (In such cases you might be lucky with professional data recovery companies, but they usually charge thousands or dollars.)
So this is what is recommended:
- original file on medium such as your internal harddrive.
- backup one. Example: on an external hardrive my manufactor A.
- backup two. Example: on an external harddrive by manufactor B.
For better security for other events such as fire or physical access such as robbery, backups in separate physical locations are recommended. Additionally backups at remote servers are also an option, but then you really must make sure to get the encryption right.
All network cards, both wired and wireless, have a unique identifier stored within them called their MAC address. This is used to assign an address to your computer on the local network. This address is not traceable (as in it isn't passively sent to computers beyond your local router).
However, other computers on the local network could log it, which then would provide proof that your computer has been connected to that network. If you are using an untrusted, public network you should consider spoofing it.
IMPORTANT NOTE: According to recent research , MAC address spoofing is not effective against advanced tracking techniques that can still enumerate it by looking at physical characteristics of the Wi-Fi card. Manufacturers need to modify their hardware's drivers or firmware to add privacy preserving mitigations.
A workaround is to buy new "burner" WiFi USB sticks of different brands. Take care to disable your machine's native WiFi functionality in the BIOS because odds are its characteristics are already logged if you used it from any untrusted hotspot. Enable connectivity with these burner devices only from the intended public destination. At no point should you use them to connect from a network tied to you or a place you regularly visit. Use a different stick for every new location to avoid location profiling/tracking.
Dealing with MAC Addresses is one piece of the puzzle of the location tracking problem. Attention must be given to changing the usual entry guards you connect to - for every Tor instance on your machine host (apt-transport-tor) and guest to thwart this type of attack.
Using your home connection
Changing your MAC address is not required. However, when not using a VM your physical MAC address could be revealed in the case of a browser exploit. If you are already under suspicion, this would eventually provide proof of your identity. When the MAC address has been changed, root access is required to discover the real physical address. (Note: This is yet to be tested)
Consider: If your home network uses a cable modem internet connection, the ISP either provides the cable modem device as part of the service or requires pre-registration of the MAC address of your self-provided cable modem in order to setup your service. If you manage to hack/change the MAC address of the modem, your service would immediately cease functioning (because the IP assignment is apportioned for, and bound to, that specific MAC address). As a result, when connecting from behind a cable modem/NAT router, spoofing the MAC address of your PC's ethernet adapter may be pointless. If you are traced, the trackable endpoint will be the MAC address of your cable modem device.
Using a public computer (e.g. in a library, Internet-cafe)
The MAC address should not be changed, as it may bring undesired admin attention to your service and/or simply forbid your access to the Internet.
Using a personal computer (e.g. a laptop, wherever it happens) in a public network
The MAC address should be changed, and /var/lib/tor/state should be removed so that a new set of guards is selected.
It is advisable that the admin not discover the use of Tor on your computer. This depends on your configuration, i.e. perhaps you are using obfsproxy or you tunnel your traffic through SSH/VPN.
Changing the MAC address and being a Tor user, depending on your personal threat model, might be risks for re/visiting that public network.
If you are going to reuse the same public network, you have to decide, if you are going to use the very same MAC address (and set of guards) or if you are going to create a new MAC address. If you suspect that the admin has seen you and logged the MAC, it could be unwise to change the MAC address, since this could be appear suspect. If you believe that public network is adequately public and that you have not bee observed, you might decide to use a new MAC address (popular vendor ID, random/unique second part) each time you use this network.
For more discussion on this rather difficult topic, see Dev/MAC.
Random MAC address
Using a random MAC address is not recommended. While this might sufficiently confuse some adversaries, it will not defeat skilled adversaries. If you are using a random MAC address, it might happen that the vendor ID of the MAC address is non-existent. Even if it was existent, you might end up with a vendor ID, which has either never been used or not been used in decades. If you are going to spoof your MAC, you have to use a popular vendor ID.
The initial second part of the MAC address may be random/unique.
As yet, we cannot provide detailed instructions on how to create such appropriate MAC addresses. Research is still ongoing.
The reason why MAC changing is not always enabled is that it might cause problems on some networks.
Apart from the difficulty creating an appropriate MAC address, there are also technical hurdles. All the work of creating this MAC will be futile if you boot your computer and it instantly connects to the public network and spills your MAC address. For Virtual Machine users: your host operating system most likely automatically connects (updates, perhaps time sync). For Physical Isolation users: Whonix-Gateway automatically connects to Tor after start.
Also if you use a USB WiFi device, this might also occur.
Changing MAC address
For Qubes Hosts
Qubes users do this in their NetVM. Refer to the Qubes documentation / support. See:
For Linux Hosts
If you are interested in this with Non-Qubes-Whonix, please press on expand on the right.
TODO: test and expand, please help!
Standard-Download-Version (Virtual Machine) users
Edit /etc/network/interfaces on the host.
Physical Isolation users
Edit /etc/network/interfaces on Whonix-Gateway
apt-get update && apt-get install macchanger
If instructions 1+ below don't work, you can use the following to manually change the MAC address for your device (eth0, wlan0, etc.):
ifconfig wlan0 down
macchanger -a wlan0
ifconfig wlan0 up
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE
ifconfig wlan0 up
ip link set down wlan0
ip link set wlan0 address 00:AA:BB:CC:DD:EE
ip link set up wlan0
Below "iface eth0 inet dhcp" Add
hwaddress ether 00:00....
To automatically randomize the MAC address on boot, if desired, add
pre-up macchanger -e eth0
To prevent automatically bringing up new network interfaces, all that is needed is to uncomment.
Then manually bring up with
sudo ifup eth0
See footnote. 
Check Download page for a list of known bugs.
If you want to learn all of the security concerns that Whonix considers you should, before installing Whonix, read all Whonix Documentation pages. Depending on your security needs, you might also like to consult the Design pages.
- A botnet authors was even writing undefeatable malware and trolling antivirus vendors.
You would have the antivirus software being installed a separate system where you have the assumption, that it is less likely of being already compromised.
- To a degree external HDDs (such as USB or eSATA) may be useful. Sophisticated malware may compromise the for example the physical USB stack, so when booting from USB, the malware would again disable the detection by the antivirus. Also see the following blog post, USB Security Challenges. This is why Qubes OS encourages users to move the USB controller into a separate VM so the USB controller is not exposed to the host so a compromised USB controller does not compromise the whole system.
- The most precautions way to scan a disk is to physically remove it from the computer where it was being used. Then put it into an external disk enclosure. Put the disk controller into a separate VM. Practically for now, probably only using Qubes with a USBVM. Then connect the disk to that (USB) disk controller. Hope that by reading that disk not another hypothetical exploit will compromise your scanning system. That way you could scan a disk with relative security that the not-yet-compromised scanning computer does not get compromised.
- To reduce risks of eventual previous hardware compromised.
You can skip this Temporary chapter and move on to #Permanently if you are looking for a permanent solution.
To dynamically disable TCP timestamping on Linux...
(When using Qubes: in the NetVM.)
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
- Unless your computer is infected with Malware looking for this number.
- Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
Whonix Computer Security Education wiki page Copyright (C) Amnesia <amnesia at boum dot org> Whonix Computer Security Education wiki page Copyright (C) 2012 -2014 Patrick Schleizer <firstname.lastname@example.org> This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code. This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Impressum | Datenschutz | Haftungsausschluss
Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.