Parrot Sitting in Whonix Nest?


(TNT BOM BOM) #1

Hi there,

I'm TNT BOM BOM from the Whonix community. We believe Parrot has a great future in protecting user privacy & security. So I was wondering what the Parrot community's perspective is on Whonix, an anonymous OS, as we are pursuing the same vision of user privacy/security/anonymity?
As I see it, it would be a great combination and collaboration, working together while we are walking the same road.

I will be happy to hear any further feedback

Thank You. :relaxed:


(Lorenzo "Palinuro" Faletra) #2

I'm SUPER BOSS from Parrot, and we would love to collaborate with your team.

I promised in a previous topic to help you with the Firejail (user-space sandbox) integration, but I think we can push it to a higher level and create a true collaboration between the projects.


(Nico Paul) #3

The common good is our game so I believe you have the same values and goals as we do. Looking forward to some great conversation!


(TNT BOM BOM) #4

@palinuro @Nico_Paul

Glad to hear that you are enjoying the team-up :smiling_face_with_three_hearts:.

Let me start with simple questions and then let's move forward from there:

Is it an advantage for Parrot OS to torify all connections through Tor?

Is it an advantage for Parrot OS to get per-VM installations, like an .ova for VirtualBox, a template for Qubes, or libvirt for KVM, etc., instead of or alongside the .ISO?

You can ask your questions as you like; we want Parrot to get the best advantages from the Whonix nest while taking a rest in it. :wink:


(Nico Paul) #5

*passes paper of questions to SUPER BOSS* lol
If there are no answers in another day or so, I will attempt to explain how I THINK (not know 100%) at least the Tor connection advantages, but I am only a member of the community here and not an official parrotsec.org developer.


#6

Tor as the default gateway by default is probably the best thing that can happen to Parrot :smiley:
I always use a custom Anonsurf script at startup. The disadvantage of this is that some people live in a country where Tor (and pluggable transports too) is blocked.

So the answer is YES :smiley:

It depends on the people; a lot of users use Parrot because it is very lightweight. So it is an advantage, but it will not be the most popular innovation of Parrot.

So a collaboration between Whonix and Parrot could be amazing, and it could give birth to the most powerful privacy- and anonymity-based pen testing OS.

(the opinion of another user :slight_smile:)


(TNT BOM BOM) #7

No problem, it's free speech regarding the same subject.

For me, I don't mind, but check with the superboss first :wink: lol


(TNT BOM BOM) #8

Great, great! We can overcome this with the Whonix Gateway (abbreviated as GW): either by built-in bridges, by customizing/manually adding bridges, or by obtaining them from the bridges server, which is a newly implemented feature in TBB and which we are going to have in the GW as well. We use the Anonymous Connection Wizard (ACW) to control the Tor connection in the GW.


Lightweight, we all agree on. But the idea of having the builds I mentioned is that they give Parrot OS a default connection to the GW without the need for user interaction/configuration, because these builds are virtualizer-specific, so the settings will be applied by default once the user imports/installs the images.

Yep, it will be something that anonymity/security has never done before. Yoopeee!!!


(Nico Paul) #9

I'm not a huge person on lightweight distros, but that's due to usage and environment; I do like my VMs, so a VM image is always greeted with a smile! I echo g0rbe 100% on the importance of Tor for Parrot. I was deferring until @palinuro responded simply because he can speak more in depth as to the intent/outcomes of crucial elements such as anything to do with anonsurf/firejail etc. (Firejail is something that I believe is really ultra super duper sudo important as well!) What are some of the important aspects of Whonix in your opinion? Some of the collaborations/gains you hope to make with parrotsec? Some improvements you have thought of while exploring 4.2.2 or 4.2.3?


(TNT BOM BOM) #10

If you mean about Whonix, well, hardening things as much as possible. We have hardened KDE, AppArmor profiles, sdwdate time synchronization, etc. Most of that was created from scratch by modifying and customizing a lot of things...

Well, uniting the efforts is a very great thing, and we really miss that in areas specifically seeking security and privacy for their users. Also, we were using AppArmor profiles to harden Whonix until seccomp/Firejail came to light, so maintaining both will be really awesome. And a lot of things like faster builds, more testers, etc., instead of each project doing the same thing separately while we seek the same vision.

Well, I just made a simple scan of the OS, and actually it needs a good amount of improvements. But that can be discussed later, once we settle the agreement on helping each other, to avoid getting away from the topic's subject.

Though you can find that out through reading the Whonix Documentation (or the Onion link).


(Nico Paul) #11

Yes, I meant Whonix. I have been using the iPad for forum responses so that it can be in front of me and not forgotten, and I'm having a bad autocorrect day... Haha, yes, there are bugs abound, but on the bright side a few of the really big problems were fixed with the last rollout! We have plenty to keep us busy though! I think we will both benefit from further developing and hardening the Tor connections, while also fixing what many in some countries are having issues with, being blocked, which it sounds like you have a great solution to! Sorry, I forgot I had to table this post due to my dogs wanting dinner! :grin:


(Nico Paul) #12

So I'm in the process of reading through your docs, but of course I've all but finalized the two VM installs before finishing! I am super curious about the inner workings (firetorbox might be my middle name, because those are three ways to get to my heart quickly!). I'm interested to hear your thoughts on how best work vs. "daily" use is separated with little to no effect on productivity for the end user? I love that idea, and I'm a huge fan of virtualization for that Firejail-type "box", so I'm interested to hear the Whonix perspective on that. Tor is something I think we can all agree is vital, but it also becomes a larger target due to the effects it can have on heavy-handed "organizations" (read: regimes). What are your thoughts on how we can work collectively to either harden it and make it more robust, or make it less of a target, or both?


#13

Please NOOOOOOO. I use a laptop for pentesting, so we must have an ISO and not a VM image... All connections through Tor, please NOOOOOO, or just replace the Home edition with a Privacy edition, but don't touch Parrot OS Security... For professionals that would lead to a disaster, and you will lose the few pro users you have and we'll sadly go back to Kali.


(TNT BOM BOM) #14

:thinking: Not really sure what you mean by that; do you mean it may affect the development? If so, it's very simple to learn how to make X or Y, especially when we are talking about developer level.

Awesome! Awesome! :slight_smile:

Personally I don't care about political influence. Tor has its own methods of circumventing censorship, which we already use, as do AppArmor and Firejail, and we had our own improvements; you can read all of that in the wiki, e.g.: Tor.


(TNT BOM BOM) #15

To be honest with you, I was thinking the same thing regarding the Home edition to a Privacy edition (which is as well a Home edition), but at the same time I can't decide that. It's up to the Parrot leaders.


(Lorenzo "Palinuro" Faletra) #16

We are not an anonymous distro. We are just a general-purpose distro tuned for pentesters, researchers, students and infosec guys in general. But we recognize privacy as a fundamental right and we want to provide privacy-oriented tools on our distro by default.

We are not interested in providing ready-to-use .ova files, as we don't have a post-installation script to allow users to complete the system configuration (we don't have an OEM installer).
The absence of an OEM-oriented installer means users are not able to set up the system (user, password, language, etc.) if the system was already installed by someone else, and the only secure way to let users install Parrot in a VM is to provide them with a generic ISO file and guide them through the standard installation process.

We would love to provide ready-to-use .ova appliances once an OEM installer is developed for the distro, but we don't have the manpower for that at the moment.


(Lorenzo "Palinuro" Faletra) #17

My turn to ask questions :slight_smile:

  1. Whonix container inside Parrot by default
    We are embracing containerization technologies to provide host-agnostic Parrot containers that can provide a full Parrot environment anywhere (even on Parrot itself).
    Can Whonix be transformed into a Docker template and then spawned on a host? It would make it a lot easier to integrate Whonix into anonsurf by just starting a whonix-gateway container (or even many of them) from inside Parrot and then routing the whole system's traffic through Whonix.

  2. A ready-to-use Parrot+Whonix combo for Qubes
    Would it make sense to develop a little Qubes derivative with Parrot+Whonix guests already available?
    Some background:
    while Whonix is focused on providing a guest environment to be run on other hosts, we at Parrot prefer our users to use Parrot on bare metal to have full access to hardware resources.

We also believe that virtualizing the hardware may push the guest system to believe that very sensitive data is hosted in secure parts of the CPU, or that such data is being deleted, while an insecure host is moving such data around on unsafe and readable addresses, or keeping such data available somewhere after its deletion.
To provide a very secure environment, we don't want to provide just a secure guest, but also a secure host, as all the most sensitive operations have to be done on bare metal (imho).

side note:
Parrot is currently a rolling release distro based on Debian testing, but we are planning to offer a secure and stable LTS branch with the next Debian freeze.


#18

Why don't you guys give a choice to the users, so that they can choose whether they want to download it as an ISO or an OVA? That will give users the option to easily install it in a VM or (multi)boot Parrot OS. :slight_smile:


(Patrick Schleizer) #19

No reason it’s an either/or. Can be both.

What's wrong with generic user names like user and letting users change the password and other settings like language later? What settings are important that would be required to be done in a VM first-run wizard?

In theory, I don't see why not. Whonix exists for bare metal (physical isolation), VirtualBox, KVM and Qubes. The Whonix build script supports creation of raw images, vdi, vmdk, qcow2. Other formats would just require a simple build step to make the conversion if needed. So Whonix is very modular and portable. In theory any virtualizer should work.

The question is whether the virtualizer supports internal connections from one VM to another, like from workstation to gateway. That is one of the few demands that Whonix makes of virtualizers.

Routing all host traffic into a VM sounds difficult. I wouldn't know how to do that. It obviously needs an exception: the traffic of the VM itself must not be routed through the VM but to clearnet directly, otherwise there's an endless loop.
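The loop Patrick describes, worked through as an added example that is not part of the thread and not Whonix or Parrot code: a POSIX shell sketch of how a host could send its own traffic to a gateway VM (palinuro's question in #17) while exempting the VM's own clearnet egress. Everything concrete in it is an assumption: that the gateway VM's hypervisor process runs as a dedicated host user `gwvm` and does its own external networking (VirtualBox NAT / QEMU user-mode), so its egress packets are locally generated on the host and would otherwise be caught by the same OUTPUT rules as everything else; that the gateway answers on `10.152.152.10` over a host interface `whonixbr0`; and the fwmark and routing-table numbers. The script only prints the rules unless `APPLY=1`, and refuses to apply a rule set in which the owner exemption does not precede the catch-all mark.

```shell
#!/bin/sh
# Added example, not Whonix or Parrot code. Assumptions (not from the thread):
#   - the gateway VM process runs as host user $GW_USER and does its own
#     external networking, so its egress is locally generated on the host;
#   - the host reaches the gateway at $GW_IP via interface $GW_IF.
GW_USER="${GW_USER:-gwvm}"           # assumed dedicated user running the gateway VM
GW_IP="${GW_IP:-10.152.152.10}"      # assumed gateway address on the host-internal net
GW_NET="${GW_NET:-10.152.152.0/18}"  # assumed host-internal subnet
GW_IF="${GW_IF:-whonixbr0}"          # assumed host interface on that subnet
MARK=0x1
TABLE=100

# Rules in install order. The exemption for the VM owner (RETURN) must come
# before the catch-all MARK; otherwise the VM's clearnet egress is marked,
# policy-routed back into the VM, and loops forever.
host_via_gateway_rules() {
    cat <<EOF
iptables -t mangle -N HOST_VIA_GW
iptables -t mangle -A HOST_VIA_GW -o lo -j RETURN
iptables -t mangle -A HOST_VIA_GW -d $GW_NET -j RETURN
iptables -t mangle -A HOST_VIA_GW -m owner --uid-owner $GW_USER -j RETURN
iptables -t mangle -A HOST_VIA_GW -j MARK --set-mark $MARK
iptables -t mangle -A OUTPUT -j HOST_VIA_GW
ip rule add fwmark $MARK table $TABLE
ip route add default via $GW_IP dev $GW_IF table $TABLE
EOF
}

# Exit 0 only if an owner RETURN exists and precedes the MARK rule.
loop_guard_ok() {
    printf '%s\n' "$1" | awk '
        /--uid-owner/ && /-j RETURN/ { guard = NR }
        /-j MARK --set-mark/         { mark = NR }
        END { exit !(guard && mark && guard < mark) }'
}

apply_rules() {
    rules="$(host_via_gateway_rules)"
    loop_guard_ok "$rules" || { echo "refusing: owner exemption missing or after MARK" >&2; return 1; }
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || return 1
    done
}

# Default is a dry run that prints the rules; APPLY=1 (as root) installs them.
if [ "${APPLY:-0}" = 1 ]; then apply_rules; else host_via_gateway_rules; fi
```

If the gateway VM is instead attached to a tap device on a host bridge, its packets traverse the FORWARD path rather than OUTPUT, so the owner exemption is neither matched nor needed; the loop only arises when a user-space process on the host carries the VM's traffic. Whether the gateway's own firewall accepts the host as if it were a workstation is a separate question this script does not answer.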


(Nico Paul) #20

It's actually a lot lighter than you might think, because a Docker container only contains the bins/libs and the corresponding app and that's it, vs. a guest OS which requires the fundamentals. [image] This is a really great, simple graphic to help you visualize the differences!