Selecting An Adversary Resistant Computing Solution

Looking for a bit more than customer support, and want to learn more about what cryptostorm is , what we've been announcing lately, and how the cryptostorm network makes the magic? This is a great place to start, so make yourself at home!
Posts: 8
Joined: Mon Jan 21, 2013 2:11 pm

Selecting An Adversary Resistant Computing Solution

Post by killswitch » Fri Jul 24, 2015 1:57 pm

The Cryptostorm desktop OS demographic in some ways mirrors the real world's Windows/Mac/Linux division, but Mac/Linux are more prevalent, at least among those who visit the #cryptostorm IRC channel. A portion of these subscribers reveal, after some discussion, that they truly need an adversary resistant solution above and beyond hardening their normal desktop OS.

There are three adversary resistant systems available today, TAILS, Whonix, and Qubes. Each has its strengths and weaknesses, but it might be better if we used to phrase 'requisite skills' rather than weakness.

TAILS, The Amnesiac Incognito Live System, is the Linux distribution Edward Snowden recommended to his press contacts. The backronym TAILS is very descriptive of what the system does – you're incognito when using it and it doesn't provide any place for a nosy website to drop cookies or other identifying information.

TAILS routes all its traffic to the Tor anonymizing network. There are provisions to use an OpenVPN provider like Cryptostorm, but the developers are very particular about what is included and why. There is no easy path to turning up Cryptostorm, or any other VPN for that matter. Once Cryptostorm is workable it's likely going to be in an usual role, providing TCP based VPN services after transiting the Tor network. This is needed because some sites block all Tor exit nodes, but they'll accept a VPN exit.

Hardware wise TAILS is the least demanding of the three – it'll work on whatever retired laptop you have sitting around in a closet. You don't need to know anything about Linux to use TAILS.

Whonix is a gateway/workstation solution that will run under a type two hypervisor such as VirtualBox. The gateway has access to the internet, it connects to Tor entry nodes, and it provides SOCKS5 proxy service for the workstation. This configuration is sturdier than TAILS – if an attacker does come up with a way to crack the workstation, they can do many things, but finding your public IP is not one of them.

Whonix, like TAILS, has some very specific ideas about where VPNs should go and their thinking is somewhat similar to the TAILS developers. It is possible to install a recent OpenVPN package on the gateway and use Cryptostorm, but this requires a multistep recipe that involves turning the iptables firewall off for some stages.

Hardware requirements are a processor that supports VirtualBox and each VM wants about a gig of memory, so a four gig system is a bare minimum, and you'll be much happier if the disk is SSD rather than a spindle. You can start using Whonix right away without any Linux knowledge, but it takes quite a bit of command line and network skills in order to get OpenVPN running.

Qubes is a type one hypervisor based on Xen virtualization and the Fedora Linux distro. This system has its graphical system management stuff in a VM that is quite secure against network attacks, as it has no network access. A NetVM handles networking hardware, a ProxyVM provides services and enforces policies, while one or more AppVMs access the internet using the ProxyVM.

Qubes does not include OpenVPN support in the NetVM or the ProxyVM, but the system is open and flexible enough that you can add this service where it makes sense. We want to get to the point where Qubes either includes a ProxyVM set up to run Cryptofree, or we want to offer instructions here so that a new Qubes user can do this for themselves.

Hardware wise the Qubes minimums are the same as for Whonix, four gig of ram and a processor that supports virtualization. If you want to get into this system, upgrading an older laptop by adding an SSD will provide a workable platform without a big price tag.


Two of these systems enforce the use of Tor and none of them are plug and play with Cryptostorm, nor any other VPN provider. Qubes will probably be the first to handle OpenVPN smoothly and the reason is they are focused on securing the system itself rather than any networking concerns.

You can use Cryptostorm on your host OS when running Whonix, but unless you are comfortable manually hardening your workstation, your setup will fail open, leaving Whonix grasping for new Tor entry nodes. You can also run TAILS in a VM to take advantage of the additional protection afforded by a VPN connection, but the same fail open caveat applies here, too. Maybe that's a problem, maybe not, it all depends on who your likely adversaries are.

The world is at a turning point brought on by the militarization of cyberspace. People who never worried if their machine was safe or if they were under surveillance are waking up in a house on fire. Minimalist, easily audited systems that connect using snoop/tamper proof network connections are going to become the new normal for the technically literate, with both Whonix and Qubes carving out niches. TAILS is simple by design and will appeal to a different demographic.

If these things feel a bit raw and 'fiddly' to you, that's because they still are. Look again in a year and there will be more offerings in this area, maybe Subgraph will even offer an ISO worthy of the slick site they've created. All three of the ARC offerings mentioned here are going to develop some means to use OpenVPN services, although it may be done in a curious, limited fashion with TAILS and Whonix.