Linked by Thom Holwerda on Sat 2nd Feb 2013 01:47 UTC, submitted by rohan_p
OSNews, Generic OSes "Whonix is a project to build an operating system that will offer the maximum privacy and anonymity possible straight out of the box. Its creator, 'Adrelanos', says the aim is to make it as hard as possible for privacy-conscious users to make missteps when it comes to remaining anonymous. 'It also provides loads of documentation and possibilities for interested users to make it even more secure,' he says." We've already covered Whonix before.
Permalink for comment 551276
To read all comments associated with this story, please click here.
RE[2]: Comment by Laurence
by Laurence on Sun 3rd Feb 2013 12:34 UTC in reply to "RE: Comment by Laurence"
Laurence
Member since:
2007-03-26

What makes you say this? Now I don't know the particulars of VBox (I'm a KVM user myself), but in general within a VM the networking is completely sandboxed as well. The virtual network traffic cannot just jump onto the host's network stack unless they're bound somehow.

The issue isn't with the network breaking out, but services. VMs still borrow services from the host environment (see the example posted below). Once you've gained shell access to the host, it doesn't really matter if the network is sandboxed because you're gaining root on the host without having to touch the host's NATing.

You'll have to forgive me if I have my doubts, maybe OpenVZ is more secure, but such claims deserve to be backed by hard evidence.

Cetainly, it was bad of me not to cite any evidence:
https://www.youtube.com/watch?v=hCPFlwSCmvU


What makes you say this? Now I don't know the particulars of VBox (I'm a KVM user myself), but in general within a VM the networking is completely sandboxed as well. The virtual network traffic cannot just jump onto the host's network stack unless they're bound somehow.

Not all hardware supports extensions and paravirtualisation will always perform faster than hardware emulation. Which is where containers come into their own: you're using the host hardware and kernel but everything else is sandboxed.

You can even do snapshots and a number of other VM-centric tools with containers too.

Don't get me wrong, VMs do have their place too - I'm not trying to argue that containers are the holy grail of virtualisation (though technically not virtualisation), but I honestly do think containers are a massively underrated and overlooked tool ;)

Edited 2013-02-03 12:37 UTC

Reply Parent Score: 3