From 17d6868f58e7d93eee33dc27aa0ad8539edd0a58 Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 4 Apr 2025 23:24:37 -0600 Subject: feed'n'stuff --- feed.xml | 771 ++++++++++++++++++++++++++++++++++++++------------------------- 1 file changed, 462 insertions(+), 309 deletions(-) (limited to 'feed.xml') diff --git a/feed.xml b/feed.xml index 8b48e2b..6fc8354 100644 --- a/feed.xml +++ b/feed.xml @@ -14,8 +14,8 @@ en - Thu, 03 Apr 2025 20:01:20 -0600 - Thu, 03 Apr 2025 20:01:20 -0600 + Fri, 04 Apr 2025 23:24:18 -0600 + Fri, 04 Apr 2025 23:24:18 -0600 Emacs 29.4 Org-mode 9.7.22 user@emacs-org (nil) @@ -28,13 +28,15 @@

Table of Contents

@@ -60,153 +62,303 @@ - 3 Browser extensions I almost always install - ./feed.html#org3add3f3 + Spinning, combing, waiting, waiting - draft + ./feed.html#org1194922 user@emacs-org (nil) - ./feed.html#org3add3f3 - Thu, 03 Apr 2025 05:40:00 -0600 + ./feed.html#org1194922 + Fri, 04 Apr 2025 23:24:00 -0600 + + + Spinning, combing, waiting, waiting - draft +

+ ]]> + + + The Tor Browser + ./feed.html#org3c7e42b + user@emacs-org (nil) + ./feed.html#org3c7e42b + Fri, 04 Apr 2025 22:59:00 -0600 - -

Vimium C

-
+ + +

Intro

+

- This lets do basic navigation in your browser with vim-like keybindings. You can click links, scroll, go back and forth between tabs and through your history, select/copy/search text and more with your keyboard. + The immediate threat of government retaliation for speech hasn’t been clearer in decades as it is now in the U.S. under the Trump administration. Journalists, law firms, and polling orgs are being targeted in viewpoint-based lawsuits. Legal permanent residents and writers are being held hostage or sent to El Salvidor-ian labor prisons without charges or due process explicitly for their speech. In the cases of targeted individuals, much of the ’evidence’ found by the executive–and often the speech retaliated against–happened online. +

+ +

+ When the internet and online social spaces are rife with surveillance, and our activity is so often tied to our personal identifiers (IP address, name, phone #, email, address, etc.), the job of a malicious government is easy. Every time you fedpost about Trump on Instagram, express support for groups the US is opposed to, or write a controversial article with your name at the top of it, you leave a trail of breadcrumbs–no, a trail of loafs–that tons of organizations and governments can use to learn your political persuasions, and potentially persecute you for them. +

+ +

+ When you can’t trust your network, your ISP, the sites you’re visiting, or your government with your internet activity, the value of anonymity becomes clear. The Tor Browser is a web browser that mitigates many of these threats by making your browsing anonymous. Using it, you can create and maintain accounts on various websites, participate in conversation, publish your writing, and get access to information without being surveilled.

-
-

Dark Reader

-
+
+

Hiding your web traffic with the Tor Network

+
+

+ The first job of the Tor Browser to hide your traffic from your network, your ISP, and to keep your IP address hidden from the websites you visit, and it solves this problem in a very cool way. When you visit a website through the Tor Browser, your traffic is sent through the Tor Network, which is a network of thousands of servers run by volunteers. Your traffic is encrypted three-fold and sent through a randomly-picked three servers in the network, in such a way where no single node can see both your IP address the IP address you’re visiting. +

+

- Makes all websites default to a mode, and provides an easy toggle. + This means that your ISP can’t know what website you’re visiting; it’ll just be a bunch of encrypted traffic into the Tor Network. The website you’re visiting also won’t know where your connection came from, just the IP address of the exit node. And even the nodes your traffic was routed through can’t simultaneously know your IP address and the address of the website you were visiting. Your three-node “circuit” will automatically rotate periodically as well. Basically it’s a proxy/VPN on steroids. +

+ +

+ Now, as mentioned above, it’s important to stress that though your traffic is truly hidden, by default your network will know that you’re using Tor for something. Using Tor is not illegal anywhere in the US (as far as I know?), but it may be suspicious to your network administrator or possibly blocked on your network. If you’re worried about your network knowing you’re using Tor, you can use “bridges”, which are a fourth optional random proxy your traffic will go through before entering the Tor Network to further obscure the nature of your connection. You can easily enable this in your “connection settings”, which will be available right after starting the browser. +

+ +

+ Also, because your traffic is being passed through so many servers on the way to its destination, keep in mind that browsing will be significantly slower than you’re probably used to. It’s comfortable enough on a fast home connection, but trying to use Tor over a mobile connection or with slower home internet can get painful.

-
-

uBlock Origin

-
+
+

Anti-fingerprinting

+

- The most ubiquitous content/ad blocker, reliable as ever. + Aside from the network, online surveillance is often done through “fingerprinting”, where a website can see/query your browser for all sorts of information to build a profile on your connection. The fonts installed on your computer, browser cookies, browser extensions, your screen size and many more variables can be used to build a unique fingerprint and expose yourself to tracking. +

+ +

+ To stop these kinds of attacks, the Tor Browser has many anti-fingerprinting protections build-in, that attempt to make your connection look like every other Tor users, so no-one seems unique.

-
- ]]> - - - Prepping for v2 of my salt repo - ./feed.html#orgb2609a4 - user@emacs-org (nil) - ./feed.html#orgb2609a4 - Wed, 02 Apr 2025 22:34:00 -0600 - - - - I've massively restructured my salt repo and added enough features that I'm going to make a new repository and release it again in full, as a 2.0 version. This should be done within the next week or two. +
+

Letterboxing

+
+

+ The Browser uses letterboxing, which is a curious little feature that disguises your screen size by having a certain number of pre-chosen website sizes that the window will snap to. This is hard to describe in words but you’ll notice it quickly when you use the Browser. You can resize the window as granularly as you wish, but the website will only grow and shrink in certain particular sizes.

- ]]> - - - Methods of installing software in QubesOS with Saltstack - ./feed.html#org26fdb4f - user@emacs-org (nil) - ./feed.html#org26fdb4f - Wed, 02 Apr 2025 22:34:00 -0600 - - - - Here are some various methods of installing software that I've used in my personal salt configuration +
+
+
+

No history

+
+

+ Every time you close the Tor Browser, all cookies and history is removed, so you’ll get a clean start every launch.

-
-

pkg.installed

-
+
+
+
+

Hide everything!

+

- Here’s /srv/user_salt/pkgs/accounting.sls as an example. It uses the simplest way of installing programs, which is just listing them under pkg.installed which pulls them from your distros main repositories. This is the most preferable way to install software if it’s available. + When information about your browser and operating system are typically sent to website, the Tor Browser will lie and claim every user is using the same devices. It will hide your time zone, your installed fonts, and refuse to use many risky APIs that can be privacy-intrusive.

- -
- 
# Install accounting tools
-    accounting--install-apps:
-    pkg.installed:
-    - pkgs:
-    - hledger # Command-line plain text accounting
-    - gnucash # Graphical GNU accounting suite
-
-
-

Install from third-party repo with a script

-
+
+

Don’t make yourself unique

+

- Here’s /srv/user_salt/pkgs/signal.sls as an example. It places an installation script, /srv/user_salt/pkgs/install-scripts/signal-repo.sh into a qube and executes it to install the Signal messenger. + By default, the Tor Browser will use these network and anti-fingerprinting features to make your browser and your connection look as similar as possible to every Tor user, so everyone’s traffic is all mingled and indecipherable and difficult to track, but you can definitely break your anonymity by making mistakes when using it. Here are some things to avoid:

- -
- 
...
-
-    signal--repo-script:
-    file.managed:
-    - name: /usr/bin/install-repo # this is where the installation script is placed
-    - source: salt://pkgs/install-scripts/signal-repo.sh # This is where the installation script was sourced
-    - user: root # sets the owner of the file, you can usually default to root
-    - group: root # sets the group of the file, you can usually default to root
-    - mode: 777 # sets the permissions of the file, you can usually default to 777 (any user on the qube has permissions)
-
-    # This simply executes the install-repo script in a qube
-    'install-repo':
-    cmd.run
-
+
+

Don’t mix Tor and non-Tor traffic/accounts/identities !!!

+
+
    +
  • If you create an anonymous online account using Tor, and then access that account on another device without using Tor, you’ve deanonymized yourself.
    • +
  • If you use Tor to commit a crime, and in another tab you access a personal social media service using the same Tor connection, you’ve deanonymized yourself.
    • +
  • If you start a blog using Tor, and publish a post with your name, you’ve deanonymized yourself.
    • +
  • If you’re talking to someone on Tor, and you give them your personal email to talk further, you’ve deanonymized yourself.
    • +

- Here’s the installation script that’s ran: + This is the most common class of mistake Tor users make that leads to arrests. Always understand what information you may be accidentally linking together that could connect your anonymous activities to your personal identity.

-
-

/srv/user_salt/pkgs/install-scripts/signal-repo.sh

-
-
- 
# Retrieves Signal's key for verifying the package
-    # The request is proxied through 127.0.0.1:8082 to allow the template qube to access the internet
-    sudo curl --proxy 127.0.0.1:8082 -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
-
-    # Defines Signal's repo in /etc/apt/sources.list.d/
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | tee /etc/apt/sources.list.d/signal-xenial.list
-
-    # Updates packages and installs signal-desktop through the newly configured repository
-    sudo apt update
-    sudo apt install signal-desktop -y
-
+
+

Don’t configure the browser

+
+

+ Because the Tor Browser is designed to make everyone’s connection look similar, if you start changing settings or installing extensions, your browser will become more unique and trackable. Just use Tor as it is default. +

+
    +
  • Exceptions
    +
    +

    + Now that we know the rule of thumb (don’t touch things!), there are a couple things we can safely configure. +

    +
      +
    • Security settings
      +
      +

      + In the browser settings, there are three “security levels” you can choose from. Choosing the “safer” options will restrict websites from more potentially-risky activity, at the cost of many more websites not being able to function. I’d recommend defaulting to the most secure option and lowering it if a particular site demands it. +

      -
      -

      Move a binary file into /usr/bin

      -
      +
      • +
    • Connection settings
      +

      - Here’s /srv/user_salt/pkgs/st.sls as an example. It takes a binary file that’s part of this salt repository, and moves it into the ~/usr/bin/ directory in a qube. + As mentioned earlier, you can optionally use a bridge to hide the fact that you’re using Tor from your network and ISP.

      - -
      - 
      # Installs my build of st terminal
-    /usr/bin/st:
-    file.managed:
-    - source: salt://pkgs/bin/st.bin
-    - user: root
-    - group: root
-    - mode: 777
-
      +
      • +
    +
    • +
]]> + + 3 Browser extensions I almost always install + ./feed.html#orgebaa3d1 + user@emacs-org (nil) + ./feed.html#orgebaa3d1 + Thu, 03 Apr 2025 05:40:00 -0600 + + +

Vimium C

+
+

+ This lets do basic navigation in your browser with vim-like keybindings. You can click links, scroll, go back and forth between tabs and through your history, select/copy/search text and more with your keyboard. +

+
+
+
+

Dark Reader

+
+

+ Makes all websites default to a mode, and provides an easy toggle. +

+
+
+
+

uBlock Origin

+
+

+ The most ubiquitous content/ad blocker, reliable as ever. +

+
+
+ ]]> + + + Prepping for v2 of my salt repo + ./feed.html#orgf508654 + user@emacs-org (nil) + ./feed.html#orgf508654 + Wed, 02 Apr 2025 22:34:00 -0600 + + + + I've massively restructured my salt repo and added enough features that I'm going to make a new repository and release it again in full, as a 2.0 version. This should be done within the next week or two. +

+ ]]> + + + Methods of installing software in QubesOS with Saltstack + ./feed.html#orgc9afcc6 + user@emacs-org (nil) + ./feed.html#orgc9afcc6 + Wed, 02 Apr 2025 22:34:00 -0600 + + + + Here are some various methods of installing software that I've used in my personal salt configuration +

+
+

pkg.installed

+
+

+ Here’s /srv/user_salt/pkgs/accounting.sls as an example. It uses the simplest way of installing programs, which is just listing them under pkg.installed which pulls them from your distros main repositories. This is the most preferable way to install software if it’s available. +

+ +
+ 
# Install accounting tools
+  accounting--install-apps:
+  pkg.installed:
+  - pkgs:
+  - hledger # Command-line plain text accounting
+  - gnucash # Graphical GNU accounting suite
+
+
+
+
+
+

Install from third-party repo with a script

+
+

+ Here’s /srv/user_salt/pkgs/signal.sls as an example. It places an installation script, /srv/user_salt/pkgs/install-scripts/signal-repo.sh into a qube and executes it to install the Signal messenger. +

+ +
+ 
...
+
+  signal--repo-script:
+  file.managed:
+  - name: /usr/bin/install-repo # this is where the installation script is placed
+  - source: salt://pkgs/install-scripts/signal-repo.sh # This is where the installation script was sourced
+  - user: root # sets the owner of the file, you can usually default to root
+  - group: root # sets the group of the file, you can usually default to root
+  - mode: 777 # sets the permissions of the file, you can usually default to 777 (any user on the qube has permissions)
+
+  # This simply executes the install-repo script in a qube
+  'install-repo':
+  cmd.run
+
+
+ +

+ Here’s the installation script that’s ran: +

+
+
+

/srv/user_salt/pkgs/install-scripts/signal-repo.sh

+
+
+ 
# Retrieves Signal's key for verifying the package
+  # The request is proxied through 127.0.0.1:8082 to allow the template qube to access the internet
+  sudo curl --proxy 127.0.0.1:8082 -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
+
+  # Defines Signal's repo in /etc/apt/sources.list.d/
+  echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | tee /etc/apt/sources.list.d/signal-xenial.list
+
+  # Updates packages and installs signal-desktop through the newly configured repository
+  sudo apt update
+  sudo apt install signal-desktop -y
+
+
+
+
+
+
+

Move a binary file into /usr/bin

+
+

+ Here’s /srv/user_salt/pkgs/st.sls as an example. It takes a binary file that’s part of this salt repository, and moves it into the ~/usr/bin/ directory in a qube. +

+ +
+ 
# Installs my build of st terminal
+  /usr/bin/st:
+  file.managed:
+  - source: salt://pkgs/bin/st.bin
+  - user: root
+  - group: root
+  - mode: 777
+
+
+
+
+ ]]> + Website update - ./feed.html#org4b6cbd3 + ./feed.html#org1952bc2 user@emacs-org (nil) - ./feed.html#org4b6cbd3 + ./feed.html#org1952bc2 Sat, 01 Mar 2025 10:14:00 -0700 @@ -229,22 +381,22 @@ Convenient torrenting with qBittorrent - ./feed.html#org31bbfc2 + ./feed.html#orgd384a95 user@emacs-org (nil) - ./feed.html#org31bbfc2 + ./feed.html#orgd384a95 Fri, 28 Feb 2025 14:30:00 -0700 - -

Introduction

-
+ +

Introduction

+

Your access to media should not be limited by money, nor should it be limited by technical ability. I want to demonstrate with this quick guide that torrenting is as accessible and easy as it’s ever been, using Free and open-source software.

-
-

Install qBittorrent

-
+
+

Install qBittorrent

+

qBittorrent is a Free and open-source BitTorrent client that supports tons of features, but you need to know much at all to get started. To install it, go to their downloads page website at https://www.qbittorrent.org/download and select the right option for your computer. It supports Windows, MacOS, and can be installed through most common package managers on Linux.

@@ -254,9 +406,9 @@

-
-

Enable the search engine

-
+
+

Enable the search engine

+

To let us search for media, we need to turn on qBittorrent’s search engine.

@@ -271,9 +423,9 @@
-
-

Search for and download some media

-
+
+

Search for and download some media

+
  • In the “Search” tab, click on the search bar, enter the name of some movie, and press Return. Very quickly, you should see many results, with slightly different titles, sizes, and numbers of “Seeders”, among other things.
@@ -286,9 +438,9 @@
-
-

Now just wait

-
+
+

Now just wait

+

You can track the progress of torrents being downloaded in the “Transfers” tab. When it’s 100% complete, you can right-click the file, and click “Preview file” to have it play in your default media player.

@@ -298,21 +450,21 @@

-
-

Extra tips

-
+
+

Extra tips

+
-
-

Consider using a VPN

-
+
+

Consider using a VPN

+

Some copyright holders use bots to detects users downloading their media. If you’re not using a VPN, these companies can see your IP and potentially send complaints to your ISP. If you download many things and want to keep your ISP happy, using a VPN will ensure your torrenting can’t be traced to your IP address. I personally use and recommend Mullvad ($5/month for 5 devices), but there are other reputable ones like Proton and IVPN.

-
-

Stream Media

-
+
+

Stream Media

+

When you go to download a torrent and the download prompt pops up, you can optionally select “Download first and last pieces first” and “Download in sequential order”.

@@ -322,9 +474,9 @@

-
-

Hosting a media server with Jellyfin

-
+
+

Hosting a media server with Jellyfin

+

Jellyfin is a Free and open-source media-hosting server you can run on your computer. It’ll let you sign in to your library on a smart TV, other devices on your local network, or in a browser.

@@ -343,23 +495,23 @@ QubesOS Saltstack configuration v1 - ./feed.html#org6ddd067 + ./feed.html#orgf24c24f user@emacs-org (nil) - ./feed.html#org6ddd067 + ./feed.html#orgf24c24f Fri, 28 Feb 2025 14:30:00 -0700 - -

Notice:

-
+ +

Notice:

+

The repository is now hosted on this site at https://git.skylarcloud.xyz, not Github! For up-to-date instructions, refer to the new README.org in the new repo, there have been lots of changes since the publishing of this post.

-
-

Intro

-
+
+

Intro

+

I’m publishing the janky V1 of my QubesOS configuration written with Saltstack. It’ll help set up a window manager, a couple of handy qubes, Doom Emacs, and the 3isec repo to jump-start your QubesOS experience.

@@ -372,42 +524,42 @@ You can use my configuration almost as-is (just change the username references!) and it does work, but it’s not very feature-filled or optimized, and it’s probable that the next versions will conflict with it.

-
-

Link to repo on Github

-
+
+

Link to repo on Github

+

https://github.com/bumbleoats/My-QubesOS-Configuration <- See the notice at the top of this post

-
-

Installation

-
+
+

Installation

+

Make sure state.user-dirs is active, then just move the repo to /srv/user_salt/ in dom0, and apply with sudo qubesctl --all state.apply

    -
  • Resources for installation
    -
    +
  • Resources for installation
    +
      -
    • Community user guide for user-salt
      -
      +
    • Community user guide for user-salt
      +
      • -
    • Issue I sometimes run into from a fresh QubesOS install
      -
      +
    • Issue I sometimes run into from a fresh QubesOS install
      +
      - 
      ln -s /srv/salt/qubes/user-dirs.top /srv/salt/_tops/base/user-dirs.top
+  
      ln -s /srv/salt/qubes/user-dirs.top /srv/salt/_tops/base/user-dirs.top
      @@ -417,9 +569,9 @@
-
-

Programs in dom0

-
+
+

Programs in dom0

+

My configuration will install a few programs in dom0. It’s important that I put this at the top because generally, you want to limit the number of packages in dom0. Every new package is more attack surface on your most critical qube. I trust the programs I’ve chosen to add, and by using my configuration, you’re implicitly trusting them too.

@@ -429,20 +581,20 @@

-
-

Window Management

-
+
+

Window Management

+
-
-

i3

-
+
+

i3

+

i3 is a tiling window manager. It’s used primarily through the keyboard, so muscle memory can operate everything very quickly once you get used to it. When a window is opened, it will be ’tiled’, maximizing screen space. To open windows, rofi is used to search for applications and qubes.

    -
  • Keybindings
    -
    +
  • Keybindings
    +

    You can navigate i3 with ’vim-like’ keybindings, inspired by the vi text editor. Some basic keybindings are shown below, and you can see many more by reading i3’s config file at /srv/user_salt/dots/i3

    @@ -497,9 +649,9 @@
-
-

Misc

-
+
+

Misc

+

wm.sls will do a few other smaller things:

@@ -514,13 +666,13 @@
-
-

My qubes

-
+
+

My qubes

+
-
-

Emacs

-
+
+

Emacs

+

If you’re a Doom Emacs user (there are dozens of us!) this will hopefully make your life slightly easier.

@@ -534,9 +686,9 @@

-
-

Torrenting

-
+
+

Torrenting

+

A template and app qube for qBittorrent will be created. The gruxbox theme that I use will be moved from dom0 to the app qube so it’s easy to apply.

@@ -555,8 +707,8 @@
    -
  • VPN use
    -
    +
  • VPN use
    +

    If you’re downloading copyrighted content in an area where it’s illegal, I would strongly urge you consider using a VPN to hide your IP address. LE is unlikely to bust down your door for watching Spongebob, but copyright holders can and will send letters to your ISP, which can eventually get your internet service shut off if you continue. Tor can be used, but it’s extremely slow, and hogs a lot of bandwidth on the network.

    @@ -568,18 +720,18 @@
-
-

Personal/work email

-
+
+

Personal/work email

+

A template for email will be created, and two app qubes, “email-personal” and “email-work”. These just have the Thunderbird email client installed so you can sign into your accounts.

-
-

3isec

-
+
+

3isec

+

The 3isec repo is a handy repository of salt files with some miscellaneous utilities. The repository will be added to dom0, their gpg key will be added from this salt repository, and their graphical interface for it will be installed in dom0. You can start it with ’qubes-task-gui’ in dom0.

@@ -589,9 +741,9 @@

-
-

Post install

-
+
+

Post install

+

Almost everything will be done out of the box, but here are some recommended finishing touches:

@@ -603,9 +755,9 @@
-
-

What’s next?

-
+
+

What’s next?

+

This project will develop over time as I learn more about Saltstack and continue to work on my personal configuration. I have lots of plans:

@@ -625,14 +777,15 @@ Create an anonymous Whonix environment with KVM + NixOS - ./feed.html#org273106a + ./feed.html#org284aaa0 user@emacs-org (nil) - ./feed.html#org273106a + ./feed.html#org284aaa0 Fri, 28 Feb 2025 14:30:00 -0700 - -

The why

-
+ + +

The why

+

I’ve spent significant time using QubesOS on various computers, and I’ve been thoroughly spoiled by the VM magic Zen and the Qubes team have enabled. For a few reasons though, I’ve recently switched my main laptop from running QubesOS to NixOS. NixOS is great: it’s declaratively managed, fast, stable, has tons of fresh packages, but I can’t help but feel like my trust in the system has decreased a little bit due to the lack of isolation via virtualization that QubesOS provides.

@@ -650,9 +803,9 @@

-
-

What’s Whonix?

-
+
+

What’s Whonix?

+

Whonix is a 2-VM setup for compartmentalizing your computing, and uses the Tor Network to keep your activity anonymous. It runs on KickSecure (hardened Debian).

@@ -666,53 +819,53 @@

-
-

KVM vs VirtualBox

-
+
+

KVM vs VirtualBox

+

Whonix supports 2 type-2 hypervisors: KVM and VirtualBox. KVM is build into the Linux kernel, and is thus fully Free Software. VirtualBox is developed and maintained by Oracle, and is not Free software. I’ll be using KVM for these examples, but there’s a convenient guide for VirtualBox.

-
-

KVM vs QubesOS Zen

-
+
+

KVM vs QubesOS Zen

+
-
-

Hypervisor simplicity

-
+
+

Hypervisor simplicity

+

KVM is part of the Linux kernel, meaning that the virtualization is being done by a larger, monolithic program than a type-1 hypervisor like Zen, with a larger attack surface.

-
-

Type-1 vs type-2 hypervisor

-
+
+

Type-1 vs type-2 hypervisor

+

KVM runs on a host Linux system, and therefor the contents of the VM are only as secure as the host system. This is perhaps the biggest downside to running this KVM setup over Qubes in terms of security. I’d recommend delegating any risky activity to VMs like Whonix to try to mitigate the risk of malware running on your host system.

-
-

No sys-net/firewall/usb/audio/etc.

-
+
+

No sys-net/firewall/usb/audio/etc.

+

QubesOS uses VMs to compartmentalize the hardware, and running Whonix on a Linux host keeps those in the domain of the large Linux kernel.

-
-

Performance

-
+
+

Performance

+

Whonix on KVM performs about as well as on QubesOS (varying based on how much virtual CPU/memory you allocate of course), but a big benefit of having a Linux host is that the applications ran in it won’t be slowed down by virtualization. Risky activities can be compartmentalized while keeping the main system fast and convenient to use.

-
-

Relevant Whonix security documentation

-
+
+

Relevant Whonix security documentation

+

The advantages QubesOS has over KVM listed above are just a few basic examples. QubesOS has a much more robust security model in many ways, and if your security is essential, you should understand the downsides:

@@ -722,9 +875,9 @@
-
-

Installing Whonix on KVM

-
+
+

Installing Whonix on KVM

+

Make sure to check the relevant NixOS and Whonix documentation to ensure these examples are up-to-date. Always be weary of executing commands from a random blog on the internet, and go to the source whenever possible.

@@ -738,9 +891,9 @@ Some of this setup (packages, user groups, dconf settings, the actual virtualization setup) is declaratively configured, but many of the commands to set up Whonix are not. On a fresh NixOS system build with your configuration.nix, you’ll still need to download the Whonix images and set them up with the commands outlined below. It’s possible more (or even all?) of this could be done declaratively with more NixOS knowledge.

-
-

Installing KVM + Virt-manager

-
+
+

Installing KVM + Virt-manager

+

Enable libvirtd and virt-manager

@@ -790,16 +943,16 @@

- 
# Start qemu networking
-  sudo virsh -c qemu:///system net-autostart default
-  sudo virsh -c qemu:///system net-start default
+  
# Start qemu networking
+  sudo virsh -c qemu:///system net-autostart default
+  sudo virsh -c qemu:///system net-start default
-
-

Download the Whonix XFCE .qcow archive

-
+
+

Download the Whonix XFCE .qcow archive

+
  • You can the most up-to-date versions directly from their website:
      @@ -809,30 +962,30 @@
-
-

Extract the archive

-
+
+

Extract the archive

+

- Make sure your working directory and archive are both in your home directory. (You may need to mv ~/Downloads/Whonix* ~/) + Make sure your working directory and archive are both in your home directory. (You may need to mv ~/Downloads/Whonix* ~/)

- 
# Unpacking archive with gnu tar
-  [~/]$ tar -xvf Whonix*.libvirt.xz
+  
# Unpacking archive with gnu tar
+  [~/]$ tar -xvf Whonix*.libvirt.xz
-
-

Agree to the Whonix Binary License Agreement

-
+
+

Agree to the Whonix Binary License Agreement

+

To read the agreement, use:

- 
# Prints the license agreement
-  [~/]$ more WHONIX_BINARY_LICENSE_AGREEMENT
+  
# Prints the license agreement
+  [~/]$ more WHONIX_BINARY_LICENSE_AGREEMENT
@@ -841,73 +994,73 @@

- 
# Creates an empty file "..._accepted" that tells Whonix you agree
-  [~/]$ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+  
# Creates an empty file "..._accepted" that tells Whonix you agree
+  [~/]$ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
-
-

Setup Whonix virtual networks

-
+
+

Setup Whonix virtual networks

+
- 
# Add virtual networks
-  sudo virsh -c qemu:///system net-define Whonix_external*.xml
-  sudo virsh -c qemu:///system net-define Whonix_internal*.xml
-
-  # Activate the networks
-  sudo virsh -c qemu:///system net-autostart Whonix-External
-  sudo virsh -c qemu:///system net-start Whonix-External
-  sudo virsh -c qemu:///system net-autostart Whonix-Internal
-  sudo virsh -c qemu:///system net-start Whonix-Internal
+  
# Add virtual networks
+  sudo virsh -c qemu:///system net-define Whonix_external*.xml
+  sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+
+  # Activate the networks
+  sudo virsh -c qemu:///system net-autostart Whonix-External
+  sudo virsh -c qemu:///system net-start Whonix-External
+  sudo virsh -c qemu:///system net-autostart Whonix-Internal
+  sudo virsh -c qemu:///system net-start Whonix-Internal
-
-

Import Whonix Gateway and Workstation images

-
+
+

Import Whonix Gateway and Workstation images

+
- 
# Creates two qemu profiles for the Whonix VMs
-  sudo virsh -c qemu:///system define Whonix-Gateway*.xml
-  sudo virsh -c qemu:///system define Whonix-Workstation*.xml
+  
# Creates two qemu profiles for the Whonix VMs
+  sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+  sudo virsh -c qemu:///system define Whonix-Workstation*.xml
-
-

Image File Installation

-
+
+

Image File Installation

+
- 
# Assigns those qemu VMs to the Whonix .qcow2 images
-  [~/]$ sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
-  [~/]$ sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
+  
# Assigns those qemu VMs to the Whonix .qcow2 images
+  [~/]$ sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
+  [~/]$ sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
-
-

Remove Whonix home clutter

-
+
+

Remove Whonix home clutter

+
- 
# WARNING: running this command will delete every file that starts with "Whonix" or "WHONIX" in your working directory.
-  [~/]$ rm Whonix*
-  [~/]$ rm -r WHONIX*
+  
# WARNING: running this command will delete every file that starts with "Whonix" or "WHONIX" in your working directory.
+  [~/]$ rm Whonix*
+  [~/]$ rm -r WHONIX*
-
-

Post-installation

-
+
+

Post-installation

+

Use the virt-manager application to start Whonix-Gateway, and open its terminal. We’ll use setup-dist to create your Tor connection and otherwise prepare Whonix for use.

- 
# Whonix Gateway VM
-  [gateway user ~]% sudo setup-dist
+  
# Whonix Gateway VM
+  [gateway user ~]% sudo setup-dist
@@ -916,8 +1069,8 @@

- 
# Whonix Gateway VM
-  [gateway user ~]% sudo apt-get dist-upgrade
+  
# Whonix Gateway VM
+  [gateway user ~]% sudo apt-get dist-upgrade
@@ -926,26 +1079,26 @@

- 
# Whonix Workstation VM
-  [workstation user ~]% sudo apt-get dist-upgrade
+  
# Whonix Workstation VM
+  [workstation user ~]% sudo apt-get dist-upgrade
-
-

Using Whonix

-
+
+

Using Whonix

+

Assuming the VMs are booting properly and can receive updates, you should be good to go! You now have a compartmentalized environment where your traffic will be anonymized, and any malware should generally be contained to the VM (sophisticated enough malware could theoretically jump the KVM hypervisor, but if that’s part of your threat model you probably shouldn’t be getting security advice from this blog :P)

-
-

Some tips

-
+
+

Some tips

+
    -
  • Basic applications
    -
    +
  • Basic applications
    +
    • Tor Browser: Fingerprinting-resistant browser made for anonymous internet use
    • VLC: Video player capable of playing almost media file you throw at it
      • @@ -957,8 +1110,8 @@
    • -
  • Staying secure and anonymous
    -
    +
  • Staying secure and anonymous
    +

    Think before you act! Whonix gives you a good platform for staying anonymous, but you can absolutely de-anonymize yourself if you’re not careful.

    @@ -976,8 +1129,8 @@

      -
    • Use a live system when possible
      -
      +
    • Use a live system when possible
      +

      When you’re booting the Workstation VM, you can select the option to run it ’live’. This means that when you shutdown the VM, everything you did during the session is erased.

      @@ -991,8 +1144,8 @@

      • -
    • Optionally disable Javascript in Tor Browser
      -
      +
    • Optionally disable Javascript in Tor Browser
      +

      Javascript adds a massive attack surface to your browser, and disabling it can remove entire categories of browser-based malware. But, many many sites rely on Javascript for basic functionality.

      -- cgit v1.2.3