From 276c89e6dc47201c9569967973b5a8cfab5f2532 Mon Sep 17 00:00:00 2001 From: Your Name Date: Sat, 5 Apr 2025 00:55:04 -0600 Subject: feed --- feed.xml | 661 +++++++++++++++++++++++++++++++++------------------------------ 1 file changed, 349 insertions(+), 312 deletions(-) (limited to 'feed.xml') diff --git a/feed.xml b/feed.xml index 10757c9..97c9797 100644 --- a/feed.xml +++ b/feed.xml @@ -14,8 +14,8 @@ en - Sat, 05 Apr 2025 00:06:50 -0600 - Sat, 05 Apr 2025 00:06:50 -0600 + Sat, 05 Apr 2025 00:54:49 -0600 + Sat, 05 Apr 2025 00:54:49 -0600 Emacs 29.4 Org-mode 9.7.22 user@emacs-org (nil) @@ -24,22 +24,6 @@ -
-

Table of Contents

-
- -
-
@@ -61,11 +45,64 @@
+ +
+

Table of Contents

+
+ +
+
+ + Siddhartha by Hermann Hesse + ./feed.html#org9d9141f + user@emacs-org (nil) + ./feed.html#org9d9141f + Sat, 05 Apr 2025 00:54:00 -0600 + + + + (This post contains spoilers) +

+ +

+ This book has been rattling in my brain since I read it a couple month ago. I wanted to share two of my favorite passages, where Siddhartha is at his wits end, and within a few pages his suffering is reframed as the best possible news: a new start. Full forgiveness of yourself. +

+ +
+

+ +

+ +

+ "A hang bent over the bank of the river, a coconut-tree; Siddhartha leaned against its trunk with his shoulder, embraced the trunk with one arm, and looked down into the green water, which ran and ran under him, looked down and found himself to be entirely filled with the wish to let go and to drown in these waters. A frightening emptiness was reflected back at him by the water, answering to the terrible emptiness in his soul. Yes, he had reached the end. There was nothing left for him, except to annihilate himself, except to smash the failure into which he had shaped his life, to throw it away, before the feet of mockingly laughing gods. This was the great vomiting he had longed for: death, the smashing to bits of the form he hated! Let him be food for fishes, this dog Siddhartha, this lunatic, this depraved and rotten body, this weakened and abused soul! Let him be food for fishes and crocodiles, let him be chopped to bits by the daemons!" +

+ +

+ (a few pages later...) +

+ +

+ "Wondrous indeed was my life, so he thought, wondrous detours it has taken. As a boy, I had only to do with gods and offerings. As a youth, I had only to do with asceticism, with thinking and meditation, was searching for Brahman, worshipped the eternal in the Atman. But as a young man, I followed the penitents, lived in the forest, suffered of heat and frost, learned to hunger, taught my body to become dead. Wonderfully, soon afterwards, insight came towards me in the form of the great Buddha’s teachings, I felt the knowledge of the oneness of the world circling in me like my own blood. But I also had to leave Buddha and the great knowledge. I went and learned the art of love with Kamala, learned trading with Kamaswami, piled up money, wasted money, learned to love my stomach, learned to please my senses. I had to spend many years losing my spirit, to unlearn thinking again, to forget the oneness. Isn’t it just as if I had turned slowly and on a long detour from a man into a child, from a thinker into a childlike person? And yet, this path has been very good; and yet, the bird in my chest has not died. But what a path has this been! I had to pass through so much stupidity, through so much vice, through so many errors, through so much disgust and disappointments and woe, just to become a child again and to be able to start over. But it was right so, my heart says “Yes” to it, my eyes smile to it. I’ve had to experience despair, I’ve had to sink down to the most foolish one of all thoughts, to the thought of suicide, in order to be able to experience divine grace, to hear Om again, to be able to sleep properly and awake properly again. I had to become a fool, to find Atman in me again. I had to sin, to be able to live again. Where else might my path lead me to? It is foolish, this path, it moves in loops, perhaps it is going around in a circle. Let it go as it likes, I want to take it." +

+
+ ]]> + Spinning, combing, waiting, waiting - draft - ./feed.html#org8e9017d + ./feed.html#orge86dd49 user@emacs-org (nil) - ./feed.html#org8e9017d + ./feed.html#orge86dd49 Fri, 04 Apr 2025 23:24:00 -0600 @@ -75,15 +112,15 @@ The Tor Browser - ./feed.html#org8697dcf + ./feed.html#orgf5d9cdc user@emacs-org (nil) - ./feed.html#org8697dcf + ./feed.html#orgf5d9cdc Fri, 04 Apr 2025 22:59:00 -0600 - -

Intro

-
+ +

Intro

+

The immediate threat of government retaliation for speech hasn’t been clearer in decades as it is now in the U.S. under the Trump administration. Journalists, law firms, and polling orgs are being targeted in viewpoint-based lawsuits. Legal permanent residents and writers are being held hostage or sent to El Salvidor-ian labor prisons without charges or due process explicitly for their speech. In the cases of targeted individuals, much of the ’evidence’ found by the executive–and often the speech retaliated against–happened online.

@@ -97,9 +134,9 @@

-
-

Hiding your web traffic with the Tor Network

-
+
+

Hiding your web traffic with the Tor Network

+

The first job of the Tor Browser to hide your traffic from your network, your ISP, and to keep your IP address hidden from the websites you visit, and it solves this problem in a very cool way. When you visit a website through the Tor Browser, your traffic is sent through the Tor Network, which is a network of thousands of servers run by volunteers. Your traffic is encrypted three-fold and sent through a randomly-picked three servers in the network, in such a way where no single node can see both your IP address the IP address you’re visiting.

@@ -117,9 +154,9 @@

-
-

Anti-fingerprinting

-
+
+

Anti-fingerprinting

+

Aside from the network, online surveillance is often done through “fingerprinting”, where a website can see/query your browser for all sorts of information to build a profile on your connection. The fonts installed on your computer, browser cookies, browser extensions, your screen size and many more variables can be used to build a unique fingerprint and expose you to tracking.

@@ -128,41 +165,41 @@ To stop these kinds of attacks, the Tor Browser has many anti-fingerprinting protections build-in, that attempt to make your connection look like every other Tor users, so no-one seems unique.

-
-

Letterboxing

-
+
+

Letterboxing

+

The Browser uses letterboxing, which is a curious little feature that disguises your screen size by having a certain number of pre-chosen website sizes that the window will snap to. This is hard to describe in words but you’ll notice it quickly when you use the Browser. You can resize the window as granularly as you wish, but the website will only grow and shrink in certain particular sizes.

-
-

No history

-
+
+

No history

+

Every time you close the Tor Browser, all cookies and history is removed, so you’ll get a clean start every launch.

-
-

Hide everything!

-
+
+

Hide everything!

+

When information about your browser and operating system are typically sent to website, the Tor Browser will lie and claim every user is using the same devices. It will hide your time zone, your installed fonts, and refuse to use many risky APIs that can be privacy-intrusive.

-
-

Don’t make yourself unique

-
+
+

Don’t make yourself unique

+

By default, the Tor Browser will use these network and anti-fingerprinting features to make your browser and your connection look as similar as possible to every Tor user, so everyone’s traffic is all mingled and indecipherable and difficult to track, but you can definitely break your anonymity by making mistakes when using it. Here are some things to avoid:

-
-

Don’t mix Tor and non-Tor traffic/accounts/identities !!!

-
+
+

Don’t mix Tor and non-Tor traffic/accounts/identities !!!

+
  • If you create an anonymous online account using Tor, and then access that account on another device without using Tor, you’ve deanonymized yourself.
  • If you use Tor to commit a crime, and in another tab you access a personal social media service using the same Tor connection, you’ve deanonymized yourself.
    • @@ -175,30 +212,30 @@

-
-

Don’t configure the browser

-
+
+

Don’t configure the browser

+

Because the Tor Browser is designed to make everyone’s connection look similar, if you start changing settings or installing extensions, your browser will become more unique and trackable. Just use Tor as it is default.

    -
  • Exceptions
    -
    +
  • Exceptions
    +

    Now that we know the rule of thumb (don’t touch things!), there are a couple things we can safely configure.

      -
    • Security settings
      -
      +
    • Security settings
      +

      In the browser settings, there are three “security levels” you can choose from. Choosing the “safer” options will restrict websites from more potentially-risky activity, at the cost of many more websites not being able to function. I’d recommend defaulting to the most secure option and lowering it if a particular site demands it.

      • -
    • Connection settings
      -
      +
    • Connection settings
      +

      As mentioned earlier, you can optionally use a bridge to hide the fact that you’re using Tor from your network and ISP.

      @@ -213,30 +250,30 @@ 3 Browser extensions I almost always install - ./feed.html#org1bdbda0 + ./feed.html#org2c01251 user@emacs-org (nil) - ./feed.html#org1bdbda0 + ./feed.html#org2c01251 Thu, 03 Apr 2025 05:40:00 -0600 - -

      Vimium C

      -
      + +

      Vimium C

      +

      This lets do basic navigation in your browser with vim-like keybindings. You can click links, scroll, go back and forth between tabs and through your history, select/copy/search text and more with your keyboard.

      -
      -

      Dark Reader

      -
      +
      +

      Dark Reader

      +

      Makes all websites default to a mode, and provides an easy toggle.

      -
      -

      uBlock Origin

      -
      +
      +

      uBlock Origin

      +

      The most ubiquitous content/ad blocker, reliable as ever.

      @@ -246,9 +283,9 @@ Prepping for v2 of my salt repo - ./feed.html#org3ddcee5 + ./feed.html#orge83a25f user@emacs-org (nil) - ./feed.html#org3ddcee5 + ./feed.html#orge83a25f Wed, 02 Apr 2025 22:34:00 -0600 @@ -259,54 +296,54 @@ Methods of installing software in QubesOS with Saltstack - ./feed.html#org66153f1 + ./feed.html#orgd884c6d user@emacs-org (nil) - ./feed.html#org66153f1 + ./feed.html#orgd884c6d Wed, 02 Apr 2025 22:34:00 -0600 Here are some various methods of installing software that I've used in my personal salt configuration

      -
      -

      pkg.installed

      -
      +
      +

      pkg.installed

      +

      Here’s /srv/user_salt/pkgs/accounting.sls as an example. It uses the simplest way of installing programs, which is just listing them under pkg.installed which pulls them from your distros main repositories. This is the most preferable way to install software if it’s available.

      - 
      # Install accounting tools
-  accounting--install-apps:
-  pkg.installed:
-  - pkgs:
-  - hledger # Command-line plain text accounting
-  - gnucash # Graphical GNU accounting suite
+  
      # Install accounting tools
+  accounting--install-apps:
+  pkg.installed:
+  - pkgs:
+  - hledger # Command-line plain text accounting
+  - gnucash # Graphical GNU accounting suite
      -
      -

      Install from third-party repo with a script

      -
      +
      +

      Install from third-party repo with a script

      +

      Here’s /srv/user_salt/pkgs/signal.sls as an example. It places an installation script, /srv/user_salt/pkgs/install-scripts/signal-repo.sh into a qube and executes it to install the Signal messenger.

      - 
      ...
-
-  signal--repo-script:
-  file.managed:
-  - name: /usr/bin/install-repo # this is where the installation script is placed
-  - source: salt://pkgs/install-scripts/signal-repo.sh # This is where the installation script was sourced
-  - user: root # sets the owner of the file, you can usually default to root
-  - group: root # sets the group of the file, you can usually default to root
-  - mode: 777 # sets the permissions of the file, you can usually default to 777 (any user on the qube has permissions)
-
-  # This simply executes the install-repo script in a qube
-  'install-repo':
-  cmd.run
+  
      ...
+
+  signal--repo-script:
+  file.managed:
+  - name: /usr/bin/install-repo # this is where the installation script is placed
+  - source: salt://pkgs/install-scripts/signal-repo.sh # This is where the installation script was sourced
+  - user: root # sets the owner of the file, you can usually default to root
+  - group: root # sets the group of the file, you can usually default to root
+  - mode: 777 # sets the permissions of the file, you can usually default to 777 (any user on the qube has permissions)
+
+  # This simply executes the install-repo script in a qube
+  'install-repo':
+  cmd.run
      @@ -314,40 +351,40 @@ Here’s the installation script that’s ran:

      -
      -

      /srv/user_salt/pkgs/install-scripts/signal-repo.sh

      -
      +
      +

      /srv/user_salt/pkgs/install-scripts/signal-repo.sh

      +
      - 
      # Retrieves Signal's key for verifying the package
-  # The request is proxied through 127.0.0.1:8082 to allow the template qube to access the internet
-  sudo curl --proxy 127.0.0.1:8082 -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
+  
      # Retrieves Signal's key for verifying the package
+  # The request is proxied through 127.0.0.1:8082 to allow the template qube to access the internet
+  sudo curl --proxy 127.0.0.1:8082 -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
 
-  # Defines Signal's repo in /etc/apt/sources.list.d/
-  echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | tee /etc/apt/sources.list.d/signal-xenial.list
+  # Defines Signal's repo in /etc/apt/sources.list.d/
+  echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | tee /etc/apt/sources.list.d/signal-xenial.list
 
-  # Updates packages and installs signal-desktop through the newly configured repository
-  sudo apt update
-  sudo apt install signal-desktop -y
+  # Updates packages and installs signal-desktop through the newly configured repository
+  sudo apt update
+  sudo apt install signal-desktop -y
      -
      -

      Move a binary file into /usr/bin

      -
      +
      +

      Move a binary file into /usr/bin

      +

      Here’s /srv/user_salt/pkgs/st.sls as an example. It takes a binary file that’s part of this salt repository, and moves it into the ~/usr/bin/ directory in a qube.

      - 
      # Installs my build of st terminal
-  /usr/bin/st:
-  file.managed:
-  - source: salt://pkgs/bin/st.bin
-  - user: root
-  - group: root
-  - mode: 777
+  
      # Installs my build of st terminal
+  /usr/bin/st:
+  file.managed:
+  - source: salt://pkgs/bin/st.bin
+  - user: root
+  - group: root
+  - mode: 777
      @@ -356,9 +393,9 @@ Website update - ./feed.html#org3888bd2 + ./feed.html#orgb5420e0 user@emacs-org (nil) - ./feed.html#org3888bd2 + ./feed.html#orgb5420e0 Sat, 01 Mar 2025 10:14:00 -0700 @@ -381,22 +418,22 @@ Convenient torrenting with qBittorrent - ./feed.html#org26983f0 + ./feed.html#org8e66573 user@emacs-org (nil) - ./feed.html#org26983f0 + ./feed.html#org8e66573 Fri, 28 Feb 2025 14:30:00 -0700 - -

      Introduction

      -
      + +

      Introduction

      +

      Your access to media should not be limited by money, nor should it be limited by technical ability. I want to demonstrate with this quick guide that torrenting is as accessible and easy as it’s ever been, using Free and open-source software.

      -
      -

      Install qBittorrent

      -
      +
      +

      Install qBittorrent

      +

      qBittorrent is a Free and open-source BitTorrent client that supports tons of features, but you need to know much at all to get started. To install it, go to their downloads page website at https://www.qbittorrent.org/download and select the right option for your computer. It supports Windows, MacOS, and can be installed through most common package managers on Linux.

      @@ -406,9 +443,9 @@

      -
      -

      Enable the search engine

      -
      +
      +

      Enable the search engine

      +

      To let us search for media, we need to turn on qBittorrent’s search engine.

      @@ -423,9 +460,9 @@
-
-

Search for and download some media

-
+
+

Search for and download some media

+
  • In the “Search” tab, click on the search bar, enter the name of some movie, and press Return. Very quickly, you should see many results, with slightly different titles, sizes, and numbers of “Seeders”, among other things.
@@ -438,9 +475,9 @@
-
-

Now just wait

-
+
+

Now just wait

+

You can track the progress of torrents being downloaded in the “Transfers” tab. When it’s 100% complete, you can right-click the file, and click “Preview file” to have it play in your default media player.

@@ -450,21 +487,21 @@

-
-

Extra tips

-
+
+

Extra tips

+
-
-

Consider using a VPN

-
+
+

Consider using a VPN

+

Some copyright holders use bots to detects users downloading their media. If you’re not using a VPN, these companies can see your IP and potentially send complaints to your ISP. If you download many things and want to keep your ISP happy, using a VPN will ensure your torrenting can’t be traced to your IP address. I personally use and recommend Mullvad ($5/month for 5 devices), but there are other reputable ones like Proton and IVPN.

-
-

Stream Media

-
+
+

Stream Media

+

When you go to download a torrent and the download prompt pops up, you can optionally select “Download first and last pieces first” and “Download in sequential order”.

@@ -474,9 +511,9 @@

-
-

Hosting a media server with Jellyfin

-
+
+

Hosting a media server with Jellyfin

+

Jellyfin is a Free and open-source media-hosting server you can run on your computer. It’ll let you sign in to your library on a smart TV, other devices on your local network, or in a browser.

@@ -495,23 +532,23 @@ QubesOS Saltstack configuration v1 - ./feed.html#org973deab + ./feed.html#org61983e5 user@emacs-org (nil) - ./feed.html#org973deab + ./feed.html#org61983e5 Fri, 28 Feb 2025 14:30:00 -0700 - -

Notice:

-
+ +

Notice:

+

The repository is now hosted on this site at https://git.skylarcloud.xyz, not Github! For up-to-date instructions, refer to the new README.org in the new repo, there have been lots of changes since the publishing of this post.

-
-

Intro

-
+
+

Intro

+

I’m publishing the janky V1 of my QubesOS configuration written with Saltstack. It’ll help set up a window manager, a couple of handy qubes, Doom Emacs, and the 3isec repo to jump-start your QubesOS experience.

@@ -524,42 +561,42 @@ You can use my configuration almost as-is (just change the username references!) and it does work, but it’s not very feature-filled or optimized, and it’s probable that the next versions will conflict with it.

-
-

Link to repo on Github

-
+
+

Link to repo on Github

+

https://github.com/bumbleoats/My-QubesOS-Configuration <- See the notice at the top of this post

-
-

Installation

-
+
+

Installation

+

Make sure state.user-dirs is active, then just move the repo to /srv/user_salt/ in dom0, and apply with sudo qubesctl --all state.apply

    -
  • Resources for installation
    -
    +
  • Resources for installation
    +
      -
    • Community user guide for user-salt
      -
      +
    • Community user guide for user-salt
      +
      • -
    • Issue I sometimes run into from a fresh QubesOS install
      -
      +
    • Issue I sometimes run into from a fresh QubesOS install
      +
      - 
      ln -s /srv/salt/qubes/user-dirs.top /srv/salt/_tops/base/user-dirs.top
+  
      ln -s /srv/salt/qubes/user-dirs.top /srv/salt/_tops/base/user-dirs.top
      @@ -569,9 +606,9 @@
-
-

Programs in dom0

-
+
+

Programs in dom0

+

My configuration will install a few programs in dom0. It’s important that I put this at the top because generally, you want to limit the number of packages in dom0. Every new package is more attack surface on your most critical qube. I trust the programs I’ve chosen to add, and by using my configuration, you’re implicitly trusting them too.

@@ -581,20 +618,20 @@

-
-

Window Management

-
+
+

Window Management

+
-
-

i3

-
+
+

i3

+

i3 is a tiling window manager. It’s used primarily through the keyboard, so muscle memory can operate everything very quickly once you get used to it. When a window is opened, it will be ’tiled’, maximizing screen space. To open windows, rofi is used to search for applications and qubes.

    -
  • Keybindings
    -
    +
  • Keybindings
    +

    You can navigate i3 with ’vim-like’ keybindings, inspired by the vi text editor. Some basic keybindings are shown below, and you can see many more by reading i3’s config file at /srv/user_salt/dots/i3

    @@ -649,9 +686,9 @@
-
-

Misc

-
+
+

Misc

+

wm.sls will do a few other smaller things:

@@ -666,13 +703,13 @@
-
-

My qubes

-
+
+

My qubes

+
-
-

Emacs

-
+
+

Emacs

+

If you’re a Doom Emacs user (there are dozens of us!) this will hopefully make your life slightly easier.

@@ -686,9 +723,9 @@

-
-

Torrenting

-
+
+

Torrenting

+

A template and app qube for qBittorrent will be created. The gruxbox theme that I use will be moved from dom0 to the app qube so it’s easy to apply.

@@ -707,8 +744,8 @@
    -
  • VPN use
    -
    +
  • VPN use
    +

    If you’re downloading copyrighted content in an area where it’s illegal, I would strongly urge you consider using a VPN to hide your IP address. LE is unlikely to bust down your door for watching Spongebob, but copyright holders can and will send letters to your ISP, which can eventually get your internet service shut off if you continue. Tor can be used, but it’s extremely slow, and hogs a lot of bandwidth on the network.

    @@ -720,18 +757,18 @@
-
-

Personal/work email

-
+
+

Personal/work email

+

A template for email will be created, and two app qubes, “email-personal” and “email-work”. These just have the Thunderbird email client installed so you can sign into your accounts.

-
-

3isec

-
+
+

3isec

+

The 3isec repo is a handy repository of salt files with some miscellaneous utilities. The repository will be added to dom0, their gpg key will be added from this salt repository, and their graphical interface for it will be installed in dom0. You can start it with ’qubes-task-gui’ in dom0.

@@ -741,9 +778,9 @@

-
-

Post install

-
+
+

Post install

+

Almost everything will be done out of the box, but here are some recommended finishing touches:

@@ -755,9 +792,9 @@
-
-

What’s next?

-
+
+

What’s next?

+

This project will develop over time as I learn more about Saltstack and continue to work on my personal configuration. I have lots of plans:

@@ -777,15 +814,15 @@ Create an anonymous Whonix environment with KVM + NixOS - ./feed.html#orgb214ac6 + ./feed.html#org7de6ff8 user@emacs-org (nil) - ./feed.html#orgb214ac6 + ./feed.html#org7de6ff8 Fri, 28 Feb 2025 14:30:00 -0700 - -

The why

-
+ +

The why

+

I’ve spent significant time using QubesOS on various computers, and I’ve been thoroughly spoiled by the VM magic Zen and the Qubes team have enabled. For a few reasons though, I’ve recently switched my main laptop from running QubesOS to NixOS. NixOS is great: it’s declaratively managed, fast, stable, has tons of fresh packages, but I can’t help but feel like my trust in the system has decreased a little bit due to the lack of isolation via virtualization that QubesOS provides.

@@ -803,9 +840,9 @@

-
-

What’s Whonix?

-
+
+

What’s Whonix?

+

Whonix is a 2-VM setup for compartmentalizing your computing, and uses the Tor Network to keep your activity anonymous. It runs on KickSecure (hardened Debian).

@@ -819,53 +856,53 @@

-
-

KVM vs VirtualBox

-
+
+

KVM vs VirtualBox

+

Whonix supports 2 type-2 hypervisors: KVM and VirtualBox. KVM is build into the Linux kernel, and is thus fully Free Software. VirtualBox is developed and maintained by Oracle, and is not Free software. I’ll be using KVM for these examples, but there’s a convenient guide for VirtualBox.

-
-

KVM vs QubesOS Zen

-
+
+

KVM vs QubesOS Zen

+
-
-

Hypervisor simplicity

-
+
+

Hypervisor simplicity

+

KVM is part of the Linux kernel, meaning that the virtualization is being done by a larger, monolithic program than a type-1 hypervisor like Zen, with a larger attack surface.

-
-

Type-1 vs type-2 hypervisor

-
+
+

Type-1 vs type-2 hypervisor

+

KVM runs on a host Linux system, and therefor the contents of the VM are only as secure as the host system. This is perhaps the biggest downside to running this KVM setup over Qubes in terms of security. I’d recommend delegating any risky activity to VMs like Whonix to try to mitigate the risk of malware running on your host system.

-
-

No sys-net/firewall/usb/audio/etc.

-
+
+

No sys-net/firewall/usb/audio/etc.

+

QubesOS uses VMs to compartmentalize the hardware, and running Whonix on a Linux host keeps those in the domain of the large Linux kernel.

-
-

Performance

-
+
+

Performance

+

Whonix on KVM performs about as well as on QubesOS (varying based on how much virtual CPU/memory you allocate of course), but a big benefit of having a Linux host is that the applications ran in it won’t be slowed down by virtualization. Risky activities can be compartmentalized while keeping the main system fast and convenient to use.

-
-

Relevant Whonix security documentation

-
+
+

Relevant Whonix security documentation

+

The advantages QubesOS has over KVM listed above are just a few basic examples. QubesOS has a much more robust security model in many ways, and if your security is essential, you should understand the downsides:

@@ -875,9 +912,9 @@
-
-

Installing Whonix on KVM

-
+
+

Installing Whonix on KVM

+

Make sure to check the relevant NixOS and Whonix documentation to ensure these examples are up-to-date. Always be weary of executing commands from a random blog on the internet, and go to the source whenever possible.

@@ -891,9 +928,9 @@ Some of this setup (packages, user groups, dconf settings, the actual virtualization setup) is declaratively configured, but many of the commands to set up Whonix are not. On a fresh NixOS system build with your configuration.nix, you’ll still need to download the Whonix images and set them up with the commands outlined below. It’s possible more (or even all?) of this could be done declaratively with more NixOS knowledge.

-
-

Installing KVM + Virt-manager

-
+
+

Installing KVM + Virt-manager

+

Enable libvirtd and virt-manager

@@ -943,16 +980,16 @@

- 
# Start qemu networking
-  sudo virsh -c qemu:///system net-autostart default
-  sudo virsh -c qemu:///system net-start default
+  
# Start qemu networking
+  sudo virsh -c qemu:///system net-autostart default
+  sudo virsh -c qemu:///system net-start default
-
-

Download the Whonix XFCE .qcow archive

-
+
+

Download the Whonix XFCE .qcow archive

+
  • You can the most up-to-date versions directly from their website:
      @@ -962,30 +999,30 @@
-
-

Extract the archive

-
+
+

Extract the archive

+

- Make sure your working directory and archive are both in your home directory. (You may need to mv ~/Downloads/Whonix* ~/) + Make sure your working directory and archive are both in your home directory. (You may need to mv ~/Downloads/Whonix* ~/)

- 
# Unpacking archive with gnu tar
-  [~/]$ tar -xvf Whonix*.libvirt.xz
+  
# Unpacking archive with gnu tar
+  [~/]$ tar -xvf Whonix*.libvirt.xz
-
-

Agree to the Whonix Binary License Agreement

-
+
+

Agree to the Whonix Binary License Agreement

+

To read the agreement, use:

- 
# Prints the license agreement
-  [~/]$ more WHONIX_BINARY_LICENSE_AGREEMENT
+  
# Prints the license agreement
+  [~/]$ more WHONIX_BINARY_LICENSE_AGREEMENT
@@ -994,73 +1031,73 @@

- 
# Creates an empty file "..._accepted" that tells Whonix you agree
-  [~/]$ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+  
# Creates an empty file "..._accepted" that tells Whonix you agree
+  [~/]$ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
-
-

Setup Whonix virtual networks

-
+
+

Setup Whonix virtual networks

+
- 
# Add virtual networks
-  sudo virsh -c qemu:///system net-define Whonix_external*.xml
-  sudo virsh -c qemu:///system net-define Whonix_internal*.xml
-
-  # Activate the networks
-  sudo virsh -c qemu:///system net-autostart Whonix-External
-  sudo virsh -c qemu:///system net-start Whonix-External
-  sudo virsh -c qemu:///system net-autostart Whonix-Internal
-  sudo virsh -c qemu:///system net-start Whonix-Internal
+  
# Add virtual networks
+  sudo virsh -c qemu:///system net-define Whonix_external*.xml
+  sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+
+  # Activate the networks
+  sudo virsh -c qemu:///system net-autostart Whonix-External
+  sudo virsh -c qemu:///system net-start Whonix-External
+  sudo virsh -c qemu:///system net-autostart Whonix-Internal
+  sudo virsh -c qemu:///system net-start Whonix-Internal
-
-

Import Whonix Gateway and Workstation images

-
+
+

Import Whonix Gateway and Workstation images

+
- 
# Creates two qemu profiles for the Whonix VMs
-  sudo virsh -c qemu:///system define Whonix-Gateway*.xml
-  sudo virsh -c qemu:///system define Whonix-Workstation*.xml
+  
# Creates two qemu profiles for the Whonix VMs
+  sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+  sudo virsh -c qemu:///system define Whonix-Workstation*.xml
-
-

Image File Installation

-
+
+

Image File Installation

+
- 
# Assigns those qemu VMs to the Whonix .qcow2 images
-  [~/]$ sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
-  [~/]$ sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
+  
# Assigns those qemu VMs to the Whonix .qcow2 images
+  [~/]$ sudo mv Whonix-Gateway*.qcow2 /var/lib/libvirt/images/Whonix-Gateway.qcow2
+  [~/]$ sudo mv Whonix-Workstation*.qcow2 /var/lib/libvirt/images/Whonix-Workstation.qcow2
-
-

Remove Whonix home clutter

-
+
+

Remove Whonix home clutter

+
- 
# WARNING: running this command will delete every file that starts with "Whonix" or "WHONIX" in your working directory.
-  [~/]$ rm Whonix*
-  [~/]$ rm -r WHONIX*
+  
# WARNING: running this command will delete every file that starts with "Whonix" or "WHONIX" in your working directory.
+  [~/]$ rm Whonix*
+  [~/]$ rm -r WHONIX*
-
-

Post-installation

-
+
+

Post-installation

+

Use the virt-manager application to start Whonix-Gateway, and open its terminal. We’ll use setup-dist to create your Tor connection and otherwise prepare Whonix for use.

- 
# Whonix Gateway VM
-  [gateway user ~]% sudo setup-dist
+  
# Whonix Gateway VM
+  [gateway user ~]% sudo setup-dist
@@ -1069,8 +1106,8 @@

- 
# Whonix Gateway VM
-  [gateway user ~]% sudo apt-get dist-upgrade
+  
# Whonix Gateway VM
+  [gateway user ~]% sudo apt-get dist-upgrade
@@ -1079,26 +1116,26 @@

- 
# Whonix Workstation VM
-  [workstation user ~]% sudo apt-get dist-upgrade
+  
# Whonix Workstation VM
+  [workstation user ~]% sudo apt-get dist-upgrade
-
-

Using Whonix

-
+
+

Using Whonix

+

Assuming the VMs are booting properly and can receive updates, you should be good to go! You now have a compartmentalized environment where your traffic will be anonymized, and any malware should generally be contained to the VM (sophisticated enough malware could theoretically jump the KVM hypervisor, but if that’s part of your threat model you probably shouldn’t be getting security advice from this blog :P)

-
-

Some tips

-
+
+

Some tips

+
    -
  • Basic applications
    -
    +
  • Basic applications
    +
    • Tor Browser: Fingerprinting-resistant browser made for anonymous internet use
    • VLC: Video player capable of playing almost media file you throw at it
      • @@ -1110,8 +1147,8 @@
    • -
  • Staying secure and anonymous
    -
    +
  • Staying secure and anonymous
    +

    Think before you act! Whonix gives you a good platform for staying anonymous, but you can absolutely de-anonymize yourself if you’re not careful.

    @@ -1129,8 +1166,8 @@

      -
    • Use a live system when possible
      -
      +
    • Use a live system when possible
      +

      When you’re booting the Workstation VM, you can select the option to run it ’live’. This means that when you shutdown the VM, everything you did during the session is erased.

      @@ -1144,8 +1181,8 @@

      • -
    • Optionally disable Javascript in Tor Browser
      -
      +
    • Optionally disable Javascript in Tor Browser
      +

      Javascript adds a massive attack surface to your browser, and disabling it can remove entire categories of browser-based malware. But, many many sites rely on Javascript for basic functionality.

      -- cgit v1.2.3