Archive | Wiki-Updates RSS for this section

giving up pseudonymity after collecting experiences with pseudonymous project development

You may have noticed that I, previously known only known under the pseudonym adrelanos, decided to give up my pseudonymity. It was an interesting experience to pseudonymously maintain a Linux distribution (Whonix). I’ve learned a lot during these ~ 2 years.

I didn’t have too bad luck in the lottery of life and are won a citizenship, which is at low risk compared to less lucky ones. Living in a country, where pseudonymity for this kind of activity isn’t crucial. Fortunately, according to latest press, neither the US nor Germany are killing their own citizen for criticizing “the system”. That is, the mass surveillance police state, the military industrial complex, the system of economy, that needs exponential growth to prevent imploding. And so it doesn’t become even worse, and better for the less lucky ones, it is important to speak out in public and to take action.

Staying pseudonymous for such a long time became more and more a burden. For me, it is not healthy for psychology. When pseudonymously working a a project, you cannot tell anyone about it and they’re wondering with what you never tell much. You need to constantly second guess every tiny action. Concentrate on not messing up. Also you’ll never know if you already messed up and if “they” already know who you are. You only need to mess up once, and you’re always linked to that project. Lucky me, I wasn’t forced to stay pseudonymous for ever.

I am looking forward to continue contributing to the awesome Free (as in freedom) Software community. Being no longer pseudonymous allows me to speak at conferences, to attend key singing parties, to meet up with other developers, to voice chat with other developers, to chat on IRC without fear of leaking too much information, to be less paranoid, sometimes even running searches in clearnet if that is more convenient, and so forth.


Hosting a Whonix Mirror (New Wiki Entry)

We are making some DNS changes, so the site may be a little broken for a few days. The .onion address should continue to work 100%.

Running a mirror for Whonix can be immensely helpful, but takes some knowledge, proper configuration and adequate resources to be truly useful.

Other Desktop Environments (New Wiki Entry)

Downloadable Whonix versions come with KDE installed by default. It is possible to uninstall KDE, although doing so is a bit difficult, especially if you want to uninstall all of it and/or to to use a CLI version and/or to install their own desktop environment such as Gnome, LXDE, etc.

Users who build Whonix from source code using Dev/Build Documentation can use optional Terminal-Only build configuration option. And then decide from there.

Read more:

Air Gapped OpenPGP Key (New Wiki Entry)

It is recommended to first quickly read this article from top to bottom without taking actions. After you roughly understood how it’s supposed to work, re-read this page and do it step-by-step. Exercise this with test keys first. If that works, consider doing this with your primary keys.

Make backups of your existing GnuPG files ($HOME/.gnupg). Keep them safe. If something goes wrong during the following steps, you may need this to return to a known good place.

You should know how to boot other operating systems than your primary every day operating system from Live DVD and/or other external media such as USB.

Read more:

The OpenPGP Web of Trust (Updated Wiki Entry)

If you want to be extra cautious and really authenticate a OpenPGP key in a stronger way than what standard HTTPS offers you, you could use the OpenPGP Web of Trust.

One of the inherent problems of standard HTTPS is that the trust we usually put on a website is defined by certificate authorities: a hierarchical and closed set of companies and governmental institutions approved by web browser vendors. This model of trust has long been criticized and proved several times to be vulnerable to attacks as explained on our warning page.

Read more:

Bootstrapping OpenPGP keys from the web (updated wiki chapter)

What in case you want to totally stay anonymous or have no trust path to a OpenPGP key?

Some people just write an unencrypted mail to the recipient and ask them to send their public key. The recipient will most likely either send its public key or at least its fingerprint.

This works against passive attacks. An observer wouldn’t know what they have been talking about in the following encrypted mails. This totally fails against active attacks. A man-in-the-middle could replace the recipient’s key with its own malicious key. The sender would use the wrong key, the man-in-the-middle would decrypt the message, read it, and re-encrypt it with the legit key and forward it to the recipient. Neither sender nor recipient would ever find out that their messages are being read by an adversary. – This is the whole reason, why the trust model path and key signing is recommended in the first place.

Read more:

instructions for using arbitrary operating systems behind Whonix-Gateway updated

They have been simplified. It is now easier to exactly match the settings of the standard download version.