Devs cook up 'leakproof' all-Tor untrackable platform
Whonix? You'll never find out, The Man
Developers are brewing an anonymous general purpose computing platform, dubbed Whonix.
Whonix is designed to ensure that applications (such as Flash and Java etc) can only connect through Tor. The design goal, at least, is that direct connections (leaks) ought to be impossible. "This is the only way we know of that can reliably protect your anonymity from client application vulnerabilities and IP/DNS and protocol leaks," the developers explain.
The main goal is to prevent the determination of users' IP address and location. Not even malware that has buried deep into machines can access IP address information. In this way, Whonix aims to be safer than Tor anonymity software alone.
Whonix can be used in conjunction with VPN technology - routing networks through isolated remote computer networks - for even greater security.
The technology is better described as design approach or platform than as an operating system. In one example, the implementation of anonymity is provided around Tor on two virtual machines using VirtualBox and Debian GNU/Linux. Whonix can be installed on every computer capable of running Virtual Box (virtualisation software), so it supports Windows, OS X, Linux, BSD and Solaris. Running the technology on physically separate machines (a Whonix gateway and a Whonix workstation) would also work, and might provide greater security, say the devs.
The technology is currently only at an Alpha stage of early development, making it suitable for use only for the computing equivalent of test pilots.
In a post to a full disclosure mailing list last week, the main developer behind the project explains its goal and requests help from other members of the development community.
More details on the emerging computing platform can be found in a development Wiki here. The developers are pretty open about the tradeoff in using their technology (more complex set-up, potentially slower) as well as the anonymity advantages of their approach.
Paul Ducklin, head of technology in Asia Pacific for Sophos, said the approach followed by Whonix is different from the Live CDs associated with more traditional anonymity systems. This brings advantages as well as some drawbacks.
"Whonix is different from most existing 'all-in-one anonymity' systems inasmuch as the lead developer decided not to stick to the idea of a Live CD but to go with a set of virtual machines that don't need to fit on a CD or to boot from one," Ducklin explained.
"This allows much greater functionality and easier security updating."
The main disadvantage is that Whonix is more complex than comparable systems.
"The safety and security of your Whonix environment is dependent on the safety and security of your host OS, of the virtualisation software and of its configuration," Ducklin told El Reg. "The anonymity system then becomes, at worst, no more secure than the host itself. So you just took one problem (guest anonymity) and made it two problems (guest anonymity and host security).
"Whonix's size also makes its internal surface area larger than is strictly necessary. That in turn brings its own risks."
Ducklin added that there are many "tricks and traps of anonymity online", many covered by the Whonix developer. He added that users would be well advised to review these before placing their faith in Whonix (or any other approach) to shield their identity online. ®
@koolholio: Re: Looking forward to see-ing this
As to reverse engineering, I supect you're not looking at the risk the developers are trying to defend against. The issue of anonymity isn't only to do with what plod breaking down your door and taking away your equipment can find. It's also to do with whether plod can identify the right door to break down, and my reading of this article suggests the latter risk is being defended by this development, and not the former. No doubt work could be done to combine techniques to defend against both risks, e.g. using encrypted hard disk partitions etc.
Designing an OS/Platform from the ground up is the best way to achieve this. Tor Tails is still based on other systems, so has all the inherent weaknesses. Just dont' install browser plugins/addons/java and open up more holes.
Sad times when everyone is fed up of every part of their lives being snooped on and catalogued.
I think the idea is that using a VM provides a stronger layer of defense between an attacker (e.g. a malicious website) and the part of the system that forces connections to go through Tor.
I'm not as familiar with Liberte Linux, but Tails runs Tor and other applications run on the same OS, albeit as different users. It's probably no coincidence that the browser is still relatively locked down, e.g. no Flash or Java. A worst case scenario malware attack could potentially gain access to the settings that force traffic through Tor. This would provably require some kind of privilege escalation exploit, but these things happen.
If I understand right, the idea here is that no matter what happens, the virtual machine can't access a direct connection. So malware would have the additional daunting challenge of breaking out of the VM before it could reveal your identity. Still not impossible, but it's another layer of security.