Pre Install Advice[edit]

General[edit]

Whonix with its default settings may provide better protection than Tor alone. You can make it even more secure. It depends on how much you are willing to read, think about and practice with the procedures. See Documentation.

Safer Upgrades[edit]

If you already have Whonix installed, before performing an upgrade to your current Whonix setup, you are advised to shutdown any running Whonix instance currently attached to the internal virtual network named 'Whonix'. This is required to prevent cross contamination of the new machines you are importing, in the event that a powerful adversary has taken control over the ones currently in use.

Note: This is not required if you intend to create a new virtual network for the machines you are importing.

Warnings[edit]

Make sure you have already read the Warning page.

On your host operating system[edit]

Tor Browser Bundle[edit]

It is recommended to always have the latest release of Tor Browser Bundle installed on your host. A great way to learn the basics about Tor.

The Tor Browser Bundle is great for testing if you live in either a censored area or not, if Tor is either blocked by your ISP or not. When you need (private) (obfuscated) bridges for the Tor Browser Bundle, you will need them for Whonix as well. (See Bridges#private and obfuscated bridges.)

If you can not get the Tor Browser Bundle to work, you will most certainly not get Whonix to work either. And if some day Tor Browser in Whonix shouldn't work anymore or updating is broken, you can still use the Tor Browser Bundle to visit the Whonix Homepage.

Host Security[edit]

Introduction[edit]

If the host is compromised by Malware^[1] so is every virtual machine with Whonix, Tor and all anonymous communication. In essence, Malware can see your desktop, everything you do, type, send, receive, etc.

Malware[edit]

Antivirus products and personal firewalls^[2] are not drop in solutions for a secure host. Malware often stays undetected. Polymorphic code^[3] and Rootkits^[4] pretty much render Antivirus products helpless. Quote: "Antivirus pioneer Symantec declares AV “dead” and “doomed to failure”" (source). A botnet authors was even writing undefeatable malware and trolling antivirus vendors.^[5]

Application level personal firewalls often get circumvented.^[6]

The only promising approach is not to get infected by Malware in the first place. Once malicious code is on a system, it's next to impossible to contain. Not saying Antivirus scanning and firewalls are totally useless. They are not. Refer to them as your very last line of defense. If you ever find malware on your system, which is not a false positive, it only demonstrates, that your precautions didn't work. It is the precautions that matter (hardening, secure host operating system, using signed software, etc.), not the detection.

Recommendation to use a dedicated host operating system[edit]

You are advised to use a dedicated host operating system just for hosting the Whonix Virtual Machines. Should your regular every day operating system be already compromised, then Whonix could not provide any additional protections. It's best to have one dedicated host operating system, which is only used to host Whonix.

Recommendation to use Whonix on External Media[edit]

Unfortunately, Whonix does not provide a user friendly USB creator (help welcome!). However, no one stops you from installing the host operating system(s) required for Whonix on (encrypted) external disks such as USB, FireWire, eSATA, etc. You can improve security by installing Whonix's host operating system(s) on a dedicated disk(s). That reduces the risk that any other operating system(s) of yours infecting Whonix's host operating system. You can remove and hide the Whonix disk(s) while you're not using them.

You can use any guide on the web explaining how to install Linux on USB. There are no Whonix specific differences other than, after you finished that, you install a supported virtualizer and Whonix.

Recommendation to use your own host[edit]

It is recommended to only use Whonix on computers you own. Which are not shared with others. Other users even if you trust them may not be equally educated about computer security. They just need to make one mistake. Once your computer is compromised, Whonix can't provide any protection anymore.

Needless to say, hosting Whonix in the cloud, on a foreign server you do not physically control, on a VPS etc. is recommended against, because the owner of that machine can see everything you do.

Recommendation to use a dedicated host[edit]

If you want to go even one step further on the security ladder, you are advised to use a dedicated computer just for hosting Whonix. A machine which you only use for using Whonix. Dedicated within the meaning of using a second/extra host operating system(s), which you never use(d) for anything else.

Disable TCP Timestamps[edit]

Linux[edit]

The adversary can estimate the current uptime of a Linux machine remotely and also the host's clock down to milisecond precision. It's preferable to disable TCP timestamps on your systems. The less information attackers can get, the better of you are.

To dynamically disable TCP timestamping,run the following as root command:

sudo su

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

To make that change permanent though, you need to add the following line to /etc/sysctl.conf or /etc/sysctl.d/tcp_timestamps.conf:

net.ipv4.tcp_timestamps = 0

Other Operating Systems[edit]

TODO: document.

Disable ICMP Timestamps[edit]

Linux[edit]

ICMP Timestamps need to be blocked using your firewall. This is distro dependent and varies widely as does having a firewall enabled on your specific OS - some distros don't turn it on. There are many differing ways to accomplish this via command-line, its recommended to consult your distro's documentation.

Instead for a more straightforward way, you advised to download a GUI front-end to configure your firewall and have it set to silently drop all incoming connections by default, allowing only outgoing traffic from your machine.

Other Operating Systems[edit]

TODO: document.

Firmware Updates[edit]

This chapter is general security advice and unspecific to Whonix.

These are just a pointers, because due the hardware and host operating system specificness and the difficulty of the topic, this is outside the scope of Whonix documentation. These may not be the most suitable links and you may have to research the topic on your own.

This includes BIOS updates, non-free drivers or firmware and processor microcode updates (on Debian systems, depending on your processor, either the intel-microcode or the amd-microcode package).

It may or may not improve security to get the latest updates. One one hand, you may fix vulnerabilities. On the other hand, an update may introduce a new backdoor. It is not really clear. If you know examples for one or the other, please edit this chapter. See also the thread on the debian-security mailing list How secure is an installation with no non-free packages? As an end user, using common non-Free (as in Freedom, not price) hardware, not using Free hardware (Lemote Yeeloong Notebook maybe?), you unfortunately have to blindly trust the hardware producer anyway, so it might be better to get the non-Free updates.

Windows Hosts[edit]

Short:
You are much better off using alternative host operating systems, such as GNU/Linux. If you are using Windows...

Long:
Microsoft silently updates users' machines even if that runs counter to their wishes and they have Windows Update disabled. ^{[7] [8]}

Windows as a host system is unsuitable for anonymity due to the large number of software that phones home that comes included in a default install and the leaks that result from this. ^[9] Additional privacy risks not covered in the article have been introduced as part of the Windows 8. They include the smartscreen filter which reports to Microsoft what software you are running on your computer. ^[10] It includes a kill switch that can allow Microsoft (or any one with an exploit for this mechanism) delete programs on your machine without your consent. ^[11]

Before patching Windows, Microsoft is known to consult with intelligence agencies about which security holes before they tell the public about them or fix them. ^[12] Since the NSA also buys security holes from other companies ^[13] and uses them to gain unauthorized access in computer systems ^[14], it is reasonable to assume, that the NSA also uses information supplied by Microsoft and that therefore Windows users are at higher risk.

Microsoft update used weak cryptographic verification. The CMU Software Engineering Institute said about MD5 in 2009 about MD5 it "should be considered cryptographically broken and unsuitable for further use" ^[15] In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature. ^[16]

If you insist on using a Windows host... Was Windows installed from legitimate media? Not some pirated iso found on the net that could include malware. You shouldn't have any pirated software, this usually involves running unverified, possibly malicious binary cracks or key generators.

Stick to renowned Open Source software, such as Firefox, Gimp, 7-zip, Libre Office, etc., which is more unlikely to contain malicious code. You should only download over https (SSL) and even better check the gpg signatures.

GNU/Linux Hosts[edit]

Using GNU/Linux on the host and only using in-repository software is automatically gpg signed and installed from the distributor's repositories by the package manager. This is much safer than downloading stuff from the web like you have to do as a Windows user.

Which host operating system do you recommend?[edit]

Briefly: Debian GNU/Linux is a reasonable compromise of security and usability (popularity, documentation). For extra security tips for download, verification and installation see Debian Tips.

Longer: There are of course other options. See "Why don't you use <your favorite most secure operating system> for Whonix?".

LAN/Router Security[edit]

In case Whonix-Gateway would be ever compromised, you should know that it can theoretically access any computer in your local network. Therefore, if you're the admin of your home network, it's recommended to lock down the web interface of your home router, i.e. installing the latest firmware with latest security patches and using a secure password.

Host Firewall[edit]

Having a simple host firewall (gufw - Uncomplicated Firewall^[17] on Debian), denying all incoming ports, is recommended as well.

On the host, on Debian.

1. Install gufw.

sudo apt-get update && sudo apt-get install gufw

2. Start gufw

gufw

3. Press unlock. Enter password.

4. Press enable.

5. Settings: Incoming: Deny Outgoing: Allow

Microphone[edit]

Does your computer or notebook have microphone? You could have a built-in one, but just never noticed - mute it, just in case. This chapters only applies to non-USB microphones, not to USB microphones.

Microphones connected to your host get available to VirtualBox virtual machines such as Whonix-Workstation. VirtualBox does not yet have a feature to disable microphones inside virtual machines.^[18] If your Whonix-Workstation ever gets compromised by malware, an adversary could eavesdrop. Unless you plan to use Voip inside Whonix-Workstation, it's recommended to mute your microphone in your host operating system's audio settings. And even if you plan to use Voip sometimes, you should mute and possibly unplug your microphone after use.

External microphones should be unplugged, that's even safer. If it's a built-in microphone and in case you decided to disable your microphone, you can also check in BIOS if the microphone can be disabled. Removing built-in microphones may be a bit more difficult, but if you have the skills to remove it, go for it. Obviously, a host without any microphones, can not eavesdrop even in case the host is compromised.

Webcam[edit]

Does your computer or notebook have webcam? You could have a built-in one, but just never noticed - check your computer's datasheet and operating system's hardware manager.

Unless you plan to use a webcam inside Whonix-Workstation, it's recommended to disable or possibly remove your webcam. And even if you plan to use a webcam sometimes, you should disable and possibly unplug your webcam after use.

External webcams should be unplugged, that's even safer. If it's a built-in webcam and in case you decided to disable your microphone, you can also check in BIOS if the webcam can be disabled. Removing built-in webcams may be a bit more difficult, but if you have the skills to remove it, go for it. Alternatively, cover it up. Obviously, a host without any webcams, can not record even in case the host is compromised.

Whonix information[edit]

MAC Address[edit]

Status of MAC Address chapter[edit]

No one has a good answer for this problem yet - not Whonix, Tails, Liberte Linux or the Tor Browser Bundle. It's still an open research problem. This chapter will give you all existing information.

Introduction[edit]

First of all, you should know that all network cards, both wired and wireless, have a unique identifier stored in them called their MAC address^[19]. This address is actually used to address your computer on the local network, but it will never get out on the Internet so people can not use it to trace you. ^[20]

However, other computers on the network could log it, which then would provide proof that your computer have been connected to that network. But if you are using an untrusted, public network, you should consider spoofing^[21] it.

Using your home connection[edit]

Changing your MAC address is not required. However, when not using a VM, your physical MAC address could be revealed in case of a browser exploit. If you are already under suspicion, this would eventually provide proof of your identity.

Changing the MAC address at least requires root access to find out the real physical address. (Note: This has to be tested)

Consider: If your home network uses a cable modem internet connection, the ISP either provides the cable modem device as part of the service or requires pre-registration the MAC address of your self-provided cable modem in order to setup/apportion your service. If you manage to hack/change the MAC address of the cmodem, your service would immediately cease functioning (because the IP assignment is apportioned for, and bound to, that specific MAC address). As a result, when connecting from behind a cable modem / NAT router, spoofing the MAC address of your PC's ethernet adapter may be pointless -- if you are "traced", the trackable endpoint will be the MAC address of the cable modem device.

Using a public computer (e.g. in a library, Internet-cafe)[edit]

The MAC address should not be changed, as it may bring undesired admin attention and/or simply forbid access to the Internet.

Using a personal computer (e.g. a laptop, wherever it happens) in a public network[edit]

The MAC address should be changed, and /var/lib/tor/state should be removed so that a new set of guards is selected.

Rather the admin may or may not find out, that you are using Tor. That depends on your configuration, i.e. perhaps you are using obfsproxy or you tunnel your traffic SSH/VPN, and on the adversary's skills.

The MAC address and being a Tor user, depending on your personal threat model, might be a risk visiting that public network (again).

If you are going to use the same public network again, you have to decide, depending on your threat model, if you are going to use the very same MAC address (and set of guards) or if you are going to create a new MAC address. In case you suspect that the admin has seen you and logged the MAC, perhaps you shouldn't change the MAC, since this could be appear suspect. If you believe that public network is so public, that no one has seen you, you might decide to use a new MAC address (popular vendor ID, random/unique second part) each time you stop by.

For more discussion on that rather difficult topic, see Dev/MAC.

Random MAC address[edit]

Using a random MAC address is not recommended. While this might sufficiently confuse some adversaries, it won't defeat skilled adversaries. If you are using a random MAC address, it might happen that the vendor id part of the MAC address is non-existent. Even if it was existent, you might end up with a vendor id, which has either never been used or never been used in decades. If you are going to spoof your MAC, you have to use a popular vendor id.

The initial second part of the MAC address may be random/unique.

Unfortunately, we can't yet provide detailed instructions on how to create such appropriate MAC addresses. Research is still ongoing.

The reason why MAC changing is not always enabled is that it might cause problems on some networks.

Auto-connect issue[edit]

Apart from the difficulty creating such an appropriate MAC address, there are also technical hurdles. All the care creating the MAC does not help, if you boot your computer and it instantly connects to the public network and spills your MAC address. For Virtual Machine users: your host operating system most likely automatically connects (updates, perhaps time sync). For Physical Isolation users: Whonix-Gateway automatically connects to Tor after start.

Also if you plug in a wifi stick, it might happen, they automatically try to connect and spill your MAC.

Changing MAC address[edit]

TODO: test and expand, please help!

(0)

Get Macchanger

su
apt-get update && apt-get install macchanger

(0.1)

Changing MAC

if instructions 1+ below don't work, you can use the following to manually change MAC for your device (eth0, wlan0, etc.):

su
ifconfig wlan0 down
macchanger -a wlan0
ifconfig wlan0 up

It might also work without macchanger:

su
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE
ifconfig wlan0 up

Or, using iproute2 commands:

ip link set down wlan0
ip link set wlan0 address 00:AA:BB:CC:DD:EE
ip link set up wlan0

(1)

Standard-Download-Version users

Edit /etc/network/interfaces on the host.

Physical Isolation users

Edit /etc/network/interfaces on Whonix-Gateway

(2)

Below "iface eth0 inet dhcp" Add

hwaddress ether 00:00....

(3)

To automatically randomize the MAC address on boot (if you want this?) add

pre-up macchanger -e eth0

instead.

(4)

To prevent automatically bringing up new network interfaces this is probably all that's needed is to uncomment.

auto eth0

Then manually bring up with

sudo ifup eth0

Sources[edit]

Source of information: ^[22]; ^[23]. Both worth reading! Thanks to Tails!

Known bugs[edit]

Check Download page for a list of known bugs.

Most Security[edit]

If you want to learn everything Whonix considers, you should, before installing Whonix, read all Whonix Documentation pages, and depending on security needs, also the Design.

What's next?[edit]

After reading and applying Pre Install Advice, download, verify and install Whonix. Then read and apply Post Install Advice.

References[edit]

1. ↑ https://en.wikipedia.org/wiki/Malware
2. ↑ https://en.wikipedia.org/wiki/Personal_firewall
3. ↑ https://en.wikipedia.org/wiki/Polymorphic_code
4. ↑ https://en.wikipedia.org/wiki/Rootkit
5. ↑ https://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/?limit=500000
6. ↑ https://www.grc.com/lt/leaktest.htm
7. ↑ http://voices.washingtonpost.com/securityfix/2007/09/microsofts_stealth_update_come.html
8. ↑ http://www.zdnet.com/blog/hardware/confirmation-of-stealth-windows-update/779
9. ↑ https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks#Windows
10. ↑ http://log.nadim.cc/?p=78
11. ↑ http://www.pcmag.com/article2/0,2817,2400985,00.asp
12. ↑ https://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml
13. ↑ https://threatpost.com/nsa-bought-exploit-service-from-vupen-contract-shows/102314
14. ↑ http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity
15. ↑ https://en.wikipedia.org/wiki/MD5#cite_note-11
16. ↑ http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
17. ↑ https://en.wikipedia.org/wiki/Uncomplicated_Firewall
18. ↑ https://www.virtualbox.org/ticket/12026
19. ↑ https://en.wikipedia.org/wiki/MAC_address
20. ↑ Unless your computer is infected with Malware looking for this number.
21. ↑ https://en.wikipedia.org/wiki/MAC_spoofing
22. ↑ https://tails.boum.org/contribute/design/MAC_address/
23. ↑ https://tails.boum.org/todo/macchanger/

License[edit]

Whonix Pre Install Advice wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Pre Install Advice wiki page Copyright (C) 2012 -2014 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.