{{Header}} {{Title|title= {{project_name_long}} and Tor Limitations }} {{#seo: |description=Things you should know about {{project_name_short}} and Anonymity in General to stay safe. |image=Mitm.png }} [[File:Mitm.png|thumb]] {{intro| Things you should know about {{project_name_short}} and Anonymity in General to stay safe. }} = Introduction = {{security_intro}} {{project_name_short}} developers have done their utmost to provide solid tools which protect online privacy, but no perfect solution exists to the complex anonymity problem. Before deciding whether {{project_name_short}} is the right platform to use, it is crucial that each individual understands the limitations of the tools offered and how to make best use of them. This wiki page focuses on anonymity and security threats that {{project_name_short}} either cannot, or does not, mitigate at present. These issues are for the most part [[unspecific|unspecific to {{project_name_short}}]]. No other anonymity tool has a solution to all of these issues. = Essential Security Knowledge = You cannot be anonymous without being secure. Whonix is based on Kicksecure. While Whonix aims to anonymize users and Kicksecure works to improve the security, it is likely that other less secure or outright insecure devices around you could compromise your anonymity. These devices could range from mobile phones and tablets to Smart TVs and smart home gadgets. These devices can spy on you and break your privacy and anonymity. To fully comprehend the scope of potential risks, it is highly recommended to study the documentation provided by {{Kicksecure}}. {{upstream_wiki}} = Anonymous Identities = == Separation of Different Contextual Identities == It is usually inadvisable to use the same {{project_name_workstation_long}} to perform more than one task, or when using two (or more) contextual identities that must be kept separate from each other. For example, it is poor operational security to use the same {{project_name_workstation_long}} to check email via Tor, while simultaneously publishing an anonymous document. The first reason is that Tor tends to reuse the same circuits during the same browsing session. The Tor exit relay of a circuit knows both the destination server (and possibly the content of the communication if not encrypted) and the address of the previous relay it received the communication from. This makes it easier to infer that several browsing requests which took place on the same circuit are possibly correlated and originate from the same person. Global adversaries described later are in the perfect position to undertake this form of correlation analysis. Secondly, if {{project_name_short}} or one of its applications has a security hole or is misused, then information might leak from the {{project_name_workstation_short}}. That could reveal that the same person was behind the various activities conducted inside the {{project_name_workstation_short}}. To address both threats, better isolation of new identities is required on every occasion they are used. It is recommended to conduct one activity at a time, and implement one or more of the following solutions: Depending on personal circumstances and the {{project_name_short}} platform in use. * [[{{project_name_workstation_short}}_Security#VM_Snapshots | Multiple VM Snapshots]]. * [[Multiple Whonix-Workstation|Multiple {{project_name_workstation_short}}]]. * [[Qubes/Disposables | Disposables in {{q_project_name_long}}]]. {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = [[TorController | Nyx's]] "New Identity" button sends the protocol command "signal newnym" to Tor's ControlPort. A new Tor exit relay and a new IP address is likely, but this is not guaranteed. }} Using this feature, Tor may only have replaced the middle relay while using the same Tor exit relay. Additionally, "signal newnym" will not interfere with long-lived connections like an IRC connection. Apart from the Tor circuits, other types of information can reveal past activities, for example the cookies stored by the browser. Therefore, this arm feature is not a solution for properly separating contextual identities. == Protection Against Social Engineering == {{project_name_short}} does not protect against [https://en.wikipedia.org/wiki/Social_engineering_%28security%29 social engineering] attacks. These attacks rely on human cognitive biases and trick people into revealing passwords or other sensitive information that allows the compromise of a target system's security. https://www.sans.org/white-papers/529/ Other examples of social engineering include convincing someone to send a copy of logs or other information from the {{project_name_gateway_long}} or host operating system machine. In all cases, after trust has been established between the attacker and the victim, and sufficient information has been gathered, an exploit will be executed to perform harmful actions such as stealing personal or financial information, sabotaging the target's system, deanonymizing the individual and so on. The best tools in maintaining anonymity are the knowledge that comes from research and experience, and healthy skepticism towards scenarios that pose potential security threats. Dedicated wiki page: [[Social Engineering]]. == Protection Against External Threats or User Mistakes == Obviously, {{project_name_short}} cannot protect against external threats like people looking over the user's shoulder or gaining physical access to the machine in order to subvert the anonymity features of Tor and {{project_name_short}}. Neither can {{project_name_short}} prevent people from shooting themselves in the foot, leading to inadvertent deanonymization. It is strongly encouraged to read the [[Tips_on_Remaining_Anonymous|Tips on Remaining Anonymous]] page to learn about non-technical steps to stay anonymous when using Tor, Tor Browser and {{project_name_short}}. This list considers:
The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see both flows, some simple statistics let you decide whether they match up.=== Traffic Analysis === Adversaries conducting traffic analysis are able to discover a varying amount of user information, depending on the position(s) they are occupying in the network. The following observations reveal various information, in increasing order: https://blog.torproject.org/tors-open-research-topics-2018-edition * Observing the client-to-guard-node network path. * Controlling the guard relay, as individual circuits can be examined. * Observing the paths to the guard relay and from the Tor exit relay. * Controlling the guard and exit relays (or client guard and onion service guard). * Controlling both ends of the communication, and able to inject and manipulate traffic patterns. Notably, The Tor Project has recently highlighted research that has identified a number of new, low cost, website traffic (fingerprinting) analysis attacks and potential mitigations; see [[Speculative_Tor_Attacks#Website Oracles|Website Oracles]] for further information. === Guard Discovery === Advanced adversaries are capable of identifying the guard node(s) in use by an onion service or Tor client. Many connections are made to the onion service, forcing it to create multiple circuits until one of the adversary's nodes is chosen as the middle relay (next to the guard). A traffic analysis side channel then confirms the relay is next to the onion service, confirming the identity of the service's guard node. The guard node is then compromised, forced or surveilled to discover the actual IP address of the onion service or client. === Tor Defenses === Tor has implemented some defenses against limited adversaries that can gather traffic statistics from Internet routers along the path to the guard node, and is planning defenses against website traffic fingerprinting by guard node adversaries. However, a number of other attacks remain viable at present such as end-to-end correlation attacks, alternate guard node exploits, circuit fingerprinting attacks and so on. = Documents = == Document Encryption == If documents are saved inside {{project_name_short}}, they will not be encrypted by default. This is why it is recommended to apply [[Full_Disk_Encryption#Debian_Hosts | full disk encryption on the host]] to protect sensitive data. Documents created in {{project_name_short}} may also have specific file signatures that reveal use of the platform. This issue is currently being further investigated. == Document Metadata == Numerous file formats store hidden data or metadata inside of the files. For example, text processors or PDF files could store the author's name, the date and time of file creation, and sometimes even parts of the file's editing history. The extent of hidden data depends on the file format and the software that is used. Image file formats like [https://en.wikipedia.org/wiki/TIFF TIFF] and [https://en.wikipedia.org/wiki/JPEG JPEG] are some of the worst offenders. For instance, when these files are created by digital cameras or mobile phones, they contain a metadata format called [https://en.wikipedia.org/wiki/Exif Exif] whose defined tags can include: * Date and time information. * Occasionally GPS coordinates of the picture. * Camera settings: camera model and make (including the serial number), orientation (rotation), aperture, shutter speed, focal length, metering mode and ISO speed information. * A thumbnail for previewing the picture in file managers, on camera, or in photo editing software. Image processing software tend to keep Exif data intact. * Descriptions. * Copyright information. Notably, the Internet is full of cropped or blurred images where the Exif thumbnail still contains the full original picture. [https://packages.debian.org/mat Specialist software] is often required to remove Exif tags before safely publishing images. For example, the [https://en.wikipedia.org/wiki/XKeyscore XKeyscore] program is actively targeting Exif information for collection. Be aware that {{project_name_short}} does not clear file metadata automatically. However, {{project_name_short}} comes bundled with [[Metadata#MAT2:_Metadata_Anonymisation_Toolkit_v2 | MAT2 -- the Metadata Anonymisation Toolkit v2 --]] as part of the design goal to help protect users. = Fingerprinting = == Stylometry == === Coding Style === [https://www.wired.com/story/machine-learning-identify-anonymous-code/ Recent research] has revealed that coders have a unique fingerprint similar to linguistic expressions. Machine learning techniques are capable of de-anonymizing code samples, using "abstract syntax trees" that analyze the underlying structure. For instance, a 2017 study found that GitHub coders could be identified with [https://arxiv.org/pdf/1701.05681.pdf 99 per cent accuracy] based on small and incomplete source code fragments. To date, attempts to obfuscate coding style have failed. The implication is that "anonymous" developers of open-source projects might be identified by prior non-anonymous code contributions. It is likely that advanced adversaries will use this capability to target and de-anonymize developers of popular anonymity and censorship circumvention tools. === Linguistic Style === {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = '''Tip:''' The warning below equally applies to regular {{project_name_short}} wiki contributors and forum participants. Who should also prefer v3 onion connections to {{project_name_short}} infrastructure whenever possible. }} {{project_name_short}} does not obfuscate an individual's writing style, which is easily fingerprinted based on syntax and other grammatical idiosyncrasies. [[Surfing_Posting_Blogging#Stylometry|Unless precautions are taken]], [https://en.wikipedia.org/wiki/Stylometry stylometric analysis based on linguistic characteristics] is a credible threat. Research suggests only a few thousand words (or less) may be enough to positively identify an author, and there are a host of software tools available to conduct this analysis. == {{project_name_short}} Signature == Developers have designed {{project_name_short}} to be indistinguishable from standard use of the Tor network. However, there may be unknown fingerprinting methods available to ISPs and other network adversaries which identify {{project_name_short}} users. If this is a legitimate concern, then investigate optional configurations which can [[Hide Tor from your Internet Service Provider |hide Tor / {{project_name_short}} use from the ISP]]. = Platform Security = == Password Strength == Tor promotes online anonymity, while {{project_name_short}} automatically forces desktop-wide activities through Tor (along with many extra [[Design|security features]]). However, neither Tor or {{project_name_short}} are one-click solutions for impregnable security or absolute anonymity. If weak passwords (passphrases) are used they can be easily determined by [https://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks], whether or not {{project_name_short}} is installed. In essence, attackers systematically try all passwords until the correct one is found, or attempt to guess the key which is created from the password using a key derivation function (an exhaustive key search). This method is very fast for short and/or non-random passwords. For greater security it is recommended to generate strong and unique [[Passwords#Generating_Unbreakable_Passwords|Diceware passwords]] and follow [[Passwords#Principles_for_Stronger_Passwords|other recommendations]] concerning safe habits, password generation and storage. == Compromised Hardware or Advanced Malware == Virtualizers like Qubes, VirtualBox and KVM cannot absolutely prevent the compromise of hardware, nor detect advanced malware. Running all activities inside VMs is a very reasonable approach. However, this only raises the bar and makes it more difficult and/or expensive to compromise the whole system. It is by no means a perfect solution. As one Google Project Zero researcher noted recently when demonstrating a VM escape in KVM: https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html
That could also be the case if your ISP (or your local network administrator) and the ISP of the destination server (or the destination server itself) cooperate to attack you.
Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.
The bug and its exploit still serve as a demonstration that highly exploitable security vulnerabilities can still exist in the very core of a virtualization engine, which is almost certainly a small and well audited codebase. While the attack surface of a hypervisor such as KVM is relatively small from a pure LoC perspective, its low level nature, close interaction with hardware and pure complexity makes it very hard to avoid security-critical bugs. While we have not seen any in-the-wild exploits targeting hypervisors outside of competitions like Pwn2Own, these capabilities are clearly achievable for a well-financed adversary. I’ve spent around two months on this research, working as an individual with only remote access to an AMD system. Looking at the potential ROI on an exploit like this, it seems safe to assume that more people are working on similar issues right now and that vulnerabilities in KVM, Hyper-V, Xen or VMware will be exploited in-the-wild sooner or later.{{project_name_short}} cannot provide protection if the system's [https://en.wikipedia.org/wiki/Trusted_computing_base trusted computing base] has been compromised by: * Physical access and the installation of untrusted pieces of hardware (like a keylogger); * [[Malware_and_Firmware_Trojans#Firmware_Trojans|Firmware Trojans]] (including BIOS/UEFI attacks); or * [[Malware_and_Firmware_Trojans#Malware|Malware]]. If the host system is affected by malware, firmware trojans or malicious hardware components, then every {{project_name_short}} virtual machine, Tor process and communication thought to be anonymous is similarly compromised. In the event a system compromise is strongly suspected or confirmed, the ultimate goal is to re-establish a trusted, private environment for future activities -- see [[Disaster_Recovery|Compromise Recovery]] for techniques to recover from host and/or {{project_name_short}} VM infections. == Host Security == The security of the {{project_name_short}} platform is itself reliant upon the security of the host. Naturally, a majority are likely to run {{project_name_short}} on top of the every day operating system without making any additional changes. However, safety is materially improved by using a [[System_Configuration_and_Access#Use_a_Dedicated_Host_Operating_System_and_Computer | dedicated host operating system]] solely for {{project_name_short}} VMs. For better security, this system should be configured on a computer bought solely for {{project_name_short}} activities, and which has never been used before. There are a number of recommendations relevant to host OS security in the following [[Documentation]] sections: * Basic Security Guide. * Advanced Security Guide. * Computer Security Education. The [[System_Hardening_Checklist|System Hardening Checklist]] also provides a quick and handy reference guide for specific areas of interest. = Tor = == Exit Relays can Eavesdrop on Communications == {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = The Tor network hides an individual's location, but it does not automatically encrypt communications. }} Instead of taking a direct route from source to destination, communications using the Tor network take a random pathway through several Tor relays to help cover the user's tracks. This means observers at any single point cannot tell both where the data came from and where it is going. '''Figure:''' How Tor Works Source: [https://2019.www.torproject.org/about/overview.html.en#overview Tor: Overview] License: [https://creativecommons.org/licenses/by/3.0/us/ Creative Commons Attribution 3.0 United States License] [[File:Htw2.png|frame|none|alt=| A Tor connection usually goes through 3 relays with the last one establishing the actual connection to the destination server]] The last relay on the three-hop circuit is called the Tor exit relay. It is the critical relay that establishes the actual connection to the destination server. By design, Tor does not encrypt the traffic between a Tor exit relay and the final destination. This means any exit relay is in a position to capture any traffic passing through it. To protect against snooping by the Tor exit relay, end-to-end encryption should always be used. For example, a HTTPS or onion service (.onion) connection. Malicious exit nodes have previously been used to spy on sensitive communications. For example, in 2007, a security researcher monitored the connections coming out of an exit relay under their control and [https://www.wired.com/2007/09/rogue-nodes-turn-tor-anonymizer-into-eavesdroppers-paradise/ intercepted thousands of private e-mail messages] sent by foreign embassies and human rights groups around the world.. While browsing, sending email or chatting online, it is recommended to utilize the necessary tools bundled with {{project_name_short}} to enforce strong encryption. Refer to the [[Documentation]] for necessary steps to remain safe. Source: [https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#CanexitnodeseavesdroponcommunicationsIsntthatbad Tor FAQ: Can exit relays eavesdrop on communications?] == Use of Tor is Obvious == Tor tries to prevent attackers from learning what destination websites are being connected to. Both the ISP and a local network administrator can easily check if connections are made to a Tor relay and not a normal web server. To learn more about whether it is possible to hide Tor network activity, see: [[Hide_Tor_from_your_Internet_Service_Provider|Hide Tor use from the Internet Service Provider]]. The destination server contacted through Tor can learn whether the communication originates from a Tor exit relay by consulting the publicly available list of known exit relays. For example, The Tor Project [https://check.torproject.org/cgi-bin/TorBulkExitList.py Tor Bulk Exit List tool] could be used for this purpose. Based on this information, {{project_name_short}} users will not appear to be a random Internet user is used to prevent the telltale signs of Tor use. The strong anonymity provided by Tor and {{project_name_short}} is based on trying to make everyone look exactly the same, so it is not possible to identify a specific individual in the larger user pool. Ultimately, stronger protection requires a social approach; the larger the pool of Tor users (in close proximity) and the more [https://www.torproject.org/about/torusers.html.en diverse] their interests, the less likely it will be that a specific individual can be identified. Convincing others to use Tor will help the larger anonymity-minded community. Attribution: Two sentences in this chapter have been forked from the [https://www.torproject.org/download/ Tor] website, which was licensed under a [https://creativecommons.org/licenses/by/3.0/us/ Creative Commons Attribution 3.0 United States License] at the time of writing. == Persistent Guard Relays can Enable Physical Location Tracking == {{Persistent Tor Entry Guards Introduction}} For more information, see the advanced topic [[Tor_Entry_Guards#Configure_Non-Persistent_Entry_Guards|Configure Non-Persistent Entry Guards]]. == Tor cannot Protect Against a Global Adversary == A global, passive adversary is defined as a person or entity who is able to monitor the traffic between all the computers in a network at the same time. By studying the timing and volume patterns of the different communications across the network, it is statistically feasible to identify Tor circuits and thus match Tor clients with destination servers. In order to create a low-latency communication service which is usable for web browsing, Internet chat or SSH connections, The Tor Project has made a security trade-off and has not attempted to address this threat. For more expert information on this topic, see [https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf Tor Project: The Second-Generation Onion Router], part 3. Design goals and assumptions. {{Anchor|{{project_name_short}} is not Amnesic}} {{Anchor|live}} = {{project_name_short}} Persistence vs Live vs Amnesic = Traces of software installations, files or other user activities depend on whether or not the user is using a live operating system or [[Live Mode]]. {{live}} == A Live Operating System or [[Live Mode]] is not Configured == * '''A)''' persistent mode: If any software is downloaded or used on a computer, local traces of the download, installation and use will be left on the device's mass storage device (hard drive, HDD, SSD). This normal mode of operation is referred to as "persistent mode" since any files downloaded, documents created and so on will persist after reboot. Any created files still exist after the computer is powered-off or rebooted, unless steps are taken to securely wipe the files or otherwise remove all signs of their existence. Unless [[Live Mode]] is used, there are no preventative measures to limit what is written to disk. This can lead to evidence of activity in created files, backup files, temporary files, swap, chat history, browser history and so on. It is likely most {{project_name_short}} users are utilizing persistent mode. For this reason it is recommended to [[{{project_name_workstation_short}}_Security#VM_Snapshots|use multiple VM Snapshots]] and to [[Full_Disk_Encryption|apply Full Disk Encryption on the host]]. A higher level of security is afforded by encrypting everything, including data, system and swap partitions. * '''B)''' Live Mode inside a VM: This is useful to stop persistent [[malware]] as well as for testing. Be aware that although [[Live Mode]] inside [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] virtual machines (VMs) make writes go to RAM instead of the HDD/SSD, traces of activity may be left in swap files, core dumps or via other configurations on the host {{os}}. If this is a risk in your circumstances, refer to [[Anti-Forensics Precautions]] or preferably utilize [[Live Mode]] on the host OS. Unix-like operating systems also [https://en.wikipedia.org/wiki/Swap_partition#Unix_and_Unix-like_systems swap (move) memory pages between host RAM and the host disk], and this behavior cannot be prevented in {{project_name_short}} VMs. The danger is data leakage might occur and an unencrypted swap partition could reveal interesting data to an attacker or be used to store unencrypted copies of files in /tmp for later retrieval. https://www.linuxtopia.org/online_books/linux_administrators_security_guide/06_Linux_File_System_and_File_Security.html * '''C)''' Live Mode inside on the host OS: Without the disadvantages mentioned above. See [[Live Mode]]. == A Live Operating System or [[Live Mode]] is Configured == Refer to the [[Live Mode]] chapter for further details. == Live DVD / USB == To install {{project_name_short}} on a USB, see: [[USB Installation|{{project_name_short}} on USB]]. At the time of writing {{project_name_short}} does not offer a Live DVD / USB. This situation may change in the future, see: [[Whonix-Host]]. = {{project_name_short}} Development = == Missing {{project_name_short}} Features == {{project_name_short}} is currently alpha quality software and missing some features, including those relating to security. While many issues listed below are planned for future implementation, a number will probably never get "fixed" because they are impossible to address in a software-only project. '''Table:''' ''Missing {{project_name_short}} Features'' {| class="wikitable" |- ! scope="col"| '''Category''' ! scope="col"| '''Missing Feature or Capability''' |- ! scope="row"| Adversaries | Protect against global network adversaries. |- ! scope="row"| AppArmor | Apply AppArmor profiles for every process or application. Although a full system MAC policy is currently in development, see [https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339 here] for further details. |- ! scope="row"| Backdoors | Protect against hardware or software backdoors. |- ! scope="row"| Encryption | Encrypt a user's data, documents, files and so on. |- ! scope="row"| Hardening | Use all the possible hardening options like full PIE and grsecurity. |- ! scope="row"| Local Adversaries | Protect against local adversaries who could mount cold boot and evil maid attacks, or otherwise compromise a user's physical machine. |- ! scope="row"| MAC Address | Automatically protect against MAC address fingerprinting on public networks. |- ! scope="row"| Passwords | Make weak passwords stronger. |- ! scope="row"| RAM | * Wipe RAM on shut down. ** (When using {{Kicksecure_wiki |wikipage=Main_Page |text={{Kicksecure}} }} as a host operating system, consider {{kicksecure_wiki |wikipage=Cold_Boot_Attack_Defense |text=Cold Boot Attack Defense / Wipe RAM }}.) * Wipe video RAM on shut down. [https://gitlab.tails.boum.org/tails/tails/-/issues/5356 Tails feature request - erase video memory on shutdown] |- ! scope="row"| Security Updates | Automatically apply security updates. This was a conscious developer decision because automated updates also come with their own set of security problems. However, [[{{project_name_short}}check|whonixcheck]] provides notifications about updates on {{project_name_workstation_short}}. |- ! scope="row"| Software Attacks | Protect against highly skilled software attacks, unless [[Dev/Build_Documentation/Physical_Isolation|physical isolation]] or [[Qubes|{{q_project_name_short}}]] is utilized. |- ! scope="row"| Stylometry | Obfuscate an individual's linguistic style to defeat stylometric analysis. |- ! scope="row"| Tor | * Provide protection by default if Tor is somehow broken. This situation is partially mitigated (with caveats) by chaining Tor with SSH, proxies or VPNs.
Developer: Donations to {{project_name_short}} are possible via Bitcoin.
{{project_name_short}} user: Since you are knowledgeable about Bitcoin, can you also accept Monero donations?In this case the hypothetical developer did not state "I am knowledgeable about Bitcoin", but rather concisely stated "Donations to {{project_name_short}} are possible via Bitcoin." The conclusion drawn by the user "Since you are knowledgeable about Bitcoin" might be totally unsubstantiated. In a similar fashion, just because {{project_name_short}} does something -- like providing a [https://forums.whonix.org/t/whonix-telegram-chat-channel/8346 telegram channel] -- it does not follow that {{project_name_short}} endorses it; see also [[Terms_of_Service#Non-Endorsement|Terms of Service: Non-endorsement]]. A list of further examples is outlined below. '''Table:''' ''Facts vs. False Conclusions'' {| class="wikitable" ! '''Fact''' Things that were really stated. ! '''False Conclusion''' Things which were not said or implied. ! '''More Information''' |- | {{project_name_short}} provides a [[Donate|Bitcoin (BTC) donation address]]. | Bitcoin is anonymous. | [[Money|Anonymous Money]] |- | {{project_name_short}} provides a [[Donate|Monero (XMR) donation address]]. | Monero is perfect. | [[Money|Anonymous Money]] |- | The {{project_name_short}} website is using popular web applications (web apps) like [https://www.mediawiki.org/wiki/MediaWiki MediaWiki], [https://phabricator.wikimedia.org/ Phabricator] and [https://www.discourse.org/ Discourse] (forum software). | These are perfectly "secure" (for whatever purpose, threat model) web apps. | In an ideal world, better web apps would be used but this is not possible due to finite {{project_name_short}} resources. To learn more, see: [[Privacy_Policy_Technical_Details#website|Privacy on the {{project_name_short}} Website]]. |- | {{project_name_short}} provides downloadable [[VirtualBox]] builds. | VirtualBox is secure. | [[Dev/Virtualization_Platform#VirtualBox|VirtualBox isn't an ideal choice]]. |- | {{project_name_short}} is available for Windows hosts. | Windows is a suitable host. | [[Windows Hosts]] pose numerous security and privacy threats. |- | {{project_name_short}} is installable on macOS hosts. | macOS is a suitable host. | [[Host_Operating_System_Selection#macOS_Hosts|macOS Hosts]] pose numerous security and privacy threats. |- | {{project_name_short}} is [[Reasons for Freedom Software|Freedom Software]]. | {{project_name_short}} is a Freedom Software 'maximalist' project. | See also: * [[Policy On Nonfreedom Software]]; * [[Dev/nonfree]]; * Forum discussion: [https://forums.whonix.org/t/whonix-host-nonfree-blobs-firmware-linux-nonfree/7251 Whonix host - nonfree blobs - firmware-linux-nonfree]; and * [https://forums.whonix.org/t/whonix-and-free-system-distribution-guidelines-gnu-fsdg/5877 {{project_name_short}} and Free System Distribution Guidelines (GNU FSDG)]. |- | {{project_name_short}} provides a [https://forums.whonix.org/t/whonix-telegram-chat-channel/8346 telegram channel] [[support]] channel. | Telegram is a perfect, privacy-respecting, secure messenger. | See footnote. Some criticisms of Telegram. * New releases are squished into a single commit, see: [https://github.com/DrKLO/Telegram/commit/28eb8dfd0ef959fd5ad7d5d22f1d32879707c0a0 one commit]. * It is impossible to sign up without a phone number. * There are other concerns, but they are irrelevant for illustrating the point being made here. |- | There is an {{Twitter_link|Whonix|twitter profile}}. | Twitter is a safe platform to utilize. | [[Official Online Profiles|Official {{project_name_short}} Online Profiles]] |- | whonix.org has a public [https://forums.{{project_clearnet}} forum]. | The whonix.org forum and associated comments are intended to promote free speech. | Unfortunately, running a free speech platform is a full-time job and would constitute a separate project in itself. This is simply not possible as a side project. For further details, see: [[Limitations on Free Speech on Whonix Website and Whonix Chat]]. |- | {{project_name_short}} is Open Source. | {{project_name_short}} must/should implement all ideas from the community. | See: [[Reporting_Bugs#Community_Feedback|Community Feedback]] / [[Reporting_Bugs#Patches_are_Welcome|Patches are Welcome]] |} It is also recommended to consult the following resources: * [https://forums.whonix.org/tag/project-philosophy list of forum posts regarding the {{project_name_short}} project philosophy]; * {{kicksecure_wiki |wikipage=Linux User Experience versus Commercial Operating Systems |text=Linux User Experience versus Commercial Operating Systems }}; and * the underpinning [[Tips_on_Remaining_Anonymous#Rationale|Rationale]] for this chapter. On top of unsubstantiated conclusions it also happens that adherence to "perfectly moral" behavior or an approved ™ set of political/ideological beliefs is expected from the {{project_name_short}} project. However, what counts as "perfectly moral" and the path of attaining therein will always be subjective and disputed among proponents. Such demands include "don't allow running {{project_name_short}} on Windows hosts", "don't have a twitter project account", "don't accept Bitcoin donation", "don't use centralized services such as telegram", "don't document X, because of Y". Those disagreeing with our methods and philosophy are welcome to exercise their right to [https://en.wikipedia.org/wiki/Fork_(software_development) software fork] the project under the respective licenses. = Footnotes = {{reflist|close=1}} = License = {{License_Amnesia|{{FULLPAGENAME}}}} {{Footer}} [[Category:Documentation]]