Thoughts on security of Kicksecure (debian based linux distribution)??

PrivateLoop

"But GrapheneOS does way better for other threat models Whonix does not care about or prioritize."

Given you've said that virtualization is more secure than GrapheneOS's exploit protections, and that "Whonix was designed for, eg remote attacker trying to deanonymize you", wouldn't that make Whonix almost always a better choice?

I can see GOS as a good choice for physical attack threats, though I think it's more to do with GOS' ties to the Pixel hardware?

I am not sure if this is enough for a threat model:

I am not concerned much about physical attacks, and I won't need to be storing any sensitive data (honestly would love to just use Tails because of its fire-and-forget amnesic nature but security/anonymization is far more important)
I am (unfortunately) forced to use mainstream apps for communication, which I know harvest data and device identifiers. I can use their web app equivalent (I am not sure what would be more secure/anonymous here, browser web apps or Android apps? I've heard Tor Browser/Firefox engines are terrible for security, and provide no sandboxing, BUT does provide you better anonymity?)
Not much concerned about compartmentalization... I'll essentially be willing to maintain a pseudo anonymous persona, even in between apps

So I have pretty much two choices:

web app equivalents of the Android apps, with Whonix on QubesOS plus Whonix gateway? What browser should I use here? I found a post about this here https://forums.whonix.org/t/benefits-to-browser-only-use-of-whonix-workstation/18173 but no answers :/
Use GOS and the Android apps, with a Tor router for isolation?

Sorry for asking a lot of questions; I've seen you before in this forum and I can tell you know your stuff so!

Thanks

GrapheneOS

PrivateLoop

Given you've said that virtualization is more secure than GrapheneOS's exploit protections, and that "Whonix was designed for, eg remote attacker trying to deanonymize you", wouldn't that make Whonix almost always a better choice?

No, this is thoroughly untrue. It's absolutely not a replacement for memory safe languages, advanced exploit protections, sandboxing within the OS, verified boot, etc. They achieve one thing which is forcing traffic through Tor, but their implementation is poor and comes at the cost of very poor overall security.

I can see GOS as a good choice for physical attack threats, though I think it's more to do with GOS' ties to the Pixel hardware?

GrapheneOS provides far better protection from remote attacks along with local code including websites and apps. You're wrong about what it provides and are wrong about why it provides much better security. The hardware providing what we need doesn't mean the hardware is doing most of the work at all. Pixels provide the currently unique combination of the features we need with proper support for using another OS, but that doesn't mean they're far ahead of other phones on security features which is not the case. They're the most secure Android hardware, but Snapdragon provides most of the same security features other than hardware memory tagging and general purpose virtualization support with a largely comparable quality of implementation. Snapdragon does have virtualization support but currently only has it set up for protected VMs, not regular unprotected VMs for running apps, etc.

I've heard Tor Browser/Firefox engines are terrible for security, and provide no sandboxing, BUT does provide you better anonymity?)

Tor Browser has poor security combined with it being an extremely high priority target for commercial exploit development.

ryrona

PrivateLoop Given you've said that virtualization is more secure than GrapheneOS's exploit protections, and that "Whonix was designed for, eg remote attacker trying to deanonymize you", wouldn't that make Whonix almost always a better choice?

No. Whonix is a very special purpose operating system, so for many use-cases Whonix would not be suitable. For example, Whonix does not provide any meaningful isolation between apps inside the workstation, only between the workstation and gateway. So you cannot use Whonix as a regular operating system and hope you get any real security, you specifically need to use it for domain isolation / compartmentalization, or it won't really give you much.

PrivateLoop I am not sure if this is enough for a threat model:

In a threat model you want to define who your attacker is, and what you worry they might do. Who do you want to stop from doing what?

For example, you might want to visit and post on a certain website anonymously, but the things you post is a severe inconvenience for your government or some criminal gang or some other group that could do you serious harm. You worry they will attempt to hack you when you login on your account using Tor Browser, in order to deanonymize you by disabling or bypassing Tor, and expose your real IP address or geographical location. So you use Whonix, and only have things related to your anonymous activity on that website inside your Whonix workstation. If the Tor Browser gets hacked, they can only access files within the workstation, which is only things that already are or is going to be published on that anonymous account. There won't be any identifying information about who you are, no hardware identifiers, and even if they have fully compromised the workstation, they cannot bypass Tor or even find out which Tor guards you are connected to. They would need a virtual machine escape vulnerability, which is very hard to find and use, and extremely costly. Here the strong isolation between the workstation and gateway is super important, but the fact there aren't much protections within the workstation matters less.

Or you might be an activist working with a stigmatized and marginalized minority in society. If members of that minority becomes known, they will be harassed and possibly even assaulted by other citizens while the police looks with a blind eye, letting it happen. You as the activist have contact details to many members of this minority and know who they are, so you can help them. You also have end-to-end encrypted chats on various messaging apps with them, with chat history. You need to be able to communicate with them while on the go, so your device needs to be running most of the time. You worry that someone will realize you work with this minority, which is likely since you are rather high profile, and that they will attempt to get physical access to your device, or hack your messaging apps, in order to expose the members of this minority. Here Whonix would be a very poor choice, as Whonix does not do anything to harden messaging apps from being hacked, does not do anything to prevent information from other messaging apps running on the same machine from being obtained by a hacked messaging app, and does not provide that much physical security at all. GrapheneOS on the other hand would be a perfect fit. GrapheneOS hardens the messaging apps you run in various ways, including MTE, which means vulnerabilities that might exist in the messaging apps may not actually be exploitable at all on GrapheneOS even if it is on other operating systems. This protects your other chats in that same messaging app from leaking. GrapheneOS also isolate apps from each other using app sandboxing, so if one messaging app gets compromised either way, the contacts and chat history in the other messaging apps won't leak, nor will sensitive real life contact information you have stored in regular files. If you phone gets taken, there is also two-factor unlock, auto reboot and duress passphrase and other functionalities that help making sure they cannot get in.

Who is your attacker and what do you worry they would do? What consequences would that have to you? When you know that, it is possible to start choosing an operating system, apps and a way to use it all that is the most secure for your use-case.

GrapheneOS

@PrivateLoop

Whonix doesn't provide a good implementation of enforcing Tor usage with virtualization. It's a non-hardened OS with very weak security. The concept it implements is good, not how it implements it and the technical details of it. It be very straightforward for people to make a far better implementation for QubesOS and other operating systems.

It's very misleading to compare it to GrapheneOS to that concept. GrapheneOS is a hardened mobile OS on hardware platforms which only recently began supporting hardware virtualization. Until recently, it did not provide a mature implementation of it yet. Snapdragon still doesn't have support for running the kinds of virtual machines used by the Terminal VM management app in the first place which is currently exclusive to Tensor Pixels. GrapheneOS will make much more use of hardware-based virtualization, similar to QubesOS, but mobile hardware wasn't ready for it until recently and it still needs to mature more for high performance GUI usage. Pixel 10 is the first Pixel with native GPU virtualization support. The approach in QubesOS of using software rendering is very slow and provides poor usability, but the alternative of proxying GPU commands when proper hardware support isn't available has very high attack surface due to how GPU drivers are currently implemented.

Virtualization is not magical and does not provide an impenetrable security barrier. x86_64 is a complete mess and there are a lot of issues at a hardware/firmware level which are largely unfixable by an OS. The rarity of research into it and publications about it doesn't mean it's not a real issue. Virtualization also still has attack surface at a software level which QubesOS tries to minimize. You don't get nearly the same thing by simply using QEMU + KVM.

Whonix is not a hardened OS but rather quite the opposite and is dramatically worse at providing overall user privacy and security. The one thing it provides in a strong way is forcing traffic through Tor. That does not mean you cannot be deanonymized. Tor provides questionable anonymity/privacy as a service and Whonix has far weaker protection against exploitation used to take control over it and obtain all user data than even macOS.

That's not to mention the highly untrustworthy behavior of the Whonix team. Anyone using it is at risk of the actions taken by the developer. They removed hardened_malloc and began a misinformation campaign against it as a nearly immediate reaction to us bringing up their ties to fascists when they were attacking us. They're also now participating doxxing, stalking and harassment material as a further reaction to this. Do you trust an OS which heavily sacrificed security for their users and tries to harm open source security beyond their own project because their attacks on us resulted in criticism in response to them?

Whonix is not a good option and is not a safe choice. Strongly recommend not being misled by the endless misinformation they publish on their site. It's absolutely filled with false information and outright lies from the developer of it.

PrivateLoop

ryrona Whonix does not provide any meaningful isolation between apps inside the workstation

I don't need this much under my threat model; it's OK and quite obvious I am the same person across apps if they get leaked/read, and I'm fine with that.

ryrona So you cannot use Whonix as a regular operating system and hope you get any real security, you specifically need to use it for domain isolation / compartmentalization

I will only use the device for this one use case, and nothing else. The device will also have no ties to the real life me, no sensitive data, nothing, just the apps for communication.

ryrona In a threat model you want to define who your attacker is, and what you worry they might do.

Government, exploits for deanonymization

ryrona For example, you might want to visit and post on a certain website anonymously, but the things you post is a severe inconvenience for your government or some criminal gang or some other group that could do you serious harm.

This is spot on for me.

Unfortunately, I cannot use anonymity-oriented apps for communication (e.g. Signal, SimpleX or whatever is recommended these days), only mainstream apps which I know harvest data.

The content within these apps would clearly give away that I am the same person across the apps, therefore I am not worried much about fingerprinting / isolation between them.

Hence why I came to this thread: given that security is my #1 concern, I don't know whether or not I should just use GOS + PWAs (instead of apps) + physical isolation with a Tor router ( @GrapheneOS has mentioned many times that Orbot is a buggy mess, and TorVPN is alpha software, so I don't even have much choice here anyway?), or go with virtualization: Whonix + its gateway and also web applications.

But given @GrapheneOS's comments, I'm leaning towards the former. Also, any preferences towards PWAs or native apps? I think the only comment I've seen is https://x.com/GrapheneOS/status/1741184728265273554, which tracks as Vanadium is quite well sandboxed and secure.

ryrona This protects your other chats in that same messaging app from leaking.

Also not worried about this too. Essentially, the only exploit I'm worried about is one that'd deanonymize my network/geolocation thus myself: I don't really care if a exploit has access to the files within the device, or the conversations, to be honest.

PrivateLoop

or Qubes+Whonix

ryrona

PrivateLoop Hence why I came to this thread: given that security is my #1 concern, I don't know whether or not I should just use GOS + PWAs (instead of apps) + physical isolation with a Tor router ( @GrapheneOS has mentioned many times that Orbot is a buggy mess, and TorVPN is alpha software, so I don't even have much choice here anyway?), or go with virtualization: Whonix + its gateway and also web applications.

Whonix + web apps would be way most secure in your case, if that is possible. It is not clear to me what apps you would need to use, or if they would allow anonymous access, or would require you to ID yourself in some way, eg by associating a phone number with them. But if they work without phone number or with anonymous phone number from throwaway service, Whonix + web app should be way most secure.

I can see a million things going wrong with your Tor router idea, including as I mentioned weaker sandboxing and breaking out of it making it trivial for the attacker to bypass the Tor router by changing Wifi and cellular settings, even if you somehow manage to configure the Tor router setup in a leak proof way.

I strongly recommend you to go with Whonix in your threat model. Specifically Qubes+Whonix, yes.

Nobody

I am super excited to see where Graphene goes once virtualization matures on mobile. It will exceed QubesOS which I have been using for a very long time and helped informally in a minor way with the project assisting building the Arch templates for the Qubes 3 .x series and writing a number of the wiki docs. It will exceed if for no other reason than it's not X86 and it's architecture which as was mentioned is unfixable because of the direction it went. Hopefully proper choices will be made on the mobile front going forward. Once Graphene has a dedicated device and virtualization matures we will have a hell of a device and secure system. I know I have read this was the direct of Graphene for a very long time. It's great to see graphene is knocking at the door. If a tablet ever comes out the Graphene project that could take a good chunk of laptop productivity. A large monitor and keyboard with mouse functionality goes a long way and can be had without the cellular modem. Nice to see the future slowly unfolding. Exciting times.

GrapheneOS

Initial Snapdragon devices with GrapheneOS will have less virtualization capabilities than Pixels, but they'll likely add all of it too.

ryrona

GrapheneOS Initial Snapdragon devices with GrapheneOS will have less virtualization capabilities than Pixels, but they'll likely add all of it too.

Generally speaking, what hardware and upstream software support is missing in Pixels and Snapdragon respectively in order to start strengthening the security of GrapheneOS using virtualization?

I am thinking, what is missing to move all radio related drivers and the whole Wifi/BT/Cellular software stack from the main OS into its own virtual machine, to protect against remote exploits in potentially poorly written and hugely complex device specific C/C++ drivers and software stacks? Such vulnerabilities have been exploited in the wild after all, since they often give kernel-level or root-level privileges, and doesn't require more than being within radio distance from the victim, or knowing the victims unique IP address or phone number. But if they get kernel-level or root-level privileges inside a virtual machine that only sees TLS-encrypted traffic flowing through it, and have no access to any data, and is fully reset at each boot, the consequences of such exploits and the attractiveness in doing them are effectively neutered, unless they also can attack the way smaller and more well-audited and hopefully memory-safe network interface between virtual machines, which is much less likely to succeed.

I am also thinking, what is missing to separate user profiles into separate virtual machines, to protect from a sandbox escape compromise in one user profile from being able to access any data at all in other user profiles? I mean, only a single user profile is ever shown on the screen at the same time, so there is not even a need to mix graphics or audio or anything like that, just safely reset and hand-over the device in some way, and make storage be a thinly provisioned volume instead of a separate key-space in a shared user file system. This way one can also make truly offline user profiles, that virtually has no network connectivity at all, or user profiles those all connectivity is forced through Tor without any hardware identifiers or other localizable identifiers available within the virtual machine nor through the virtual network interface. We know it is much harder for an attacker to break out of the confinements of a virtual machine than the confinements of an app sandbox, so this will harden typical use-cases of security domain isolation / compartmentalization quite effectively, ideally even removing Linux as an exploit vector.

I am just curious how far away we are from seeing something like this.

de0u

ryrona I am thinking, what is missing to move all radio related drivers and the whole Wifi/BT/Cellular software stack from the main OS into its own virtual machine, to protect against remote exploits in potentially poorly written and hugely complex device specific C/C++ drivers and software stacks?

One giant missing thing is all of the glue code / API shims for those isolated drivers to send and receive data and configuration/status information with the primary OS.

Bismark

systemd? lol
I have devuan running on all my machines and in data centers (colocation). Is it hardened, - I have no idea, not even sure what that exactly means, but if they don't want bloated stuff like systemd, and is somewhat main stream (Debian) than I stick with that. That is exactly what I want. I mean its Linux, you can easily see what connections are established, wireguard is baked into the kernel, you can use Luks for full disk encryption.
KISS = Keep it simple stupid.

« Previous Page