
There's a good reason the PORTAL is a separate hardware device: security [1]. There is also a reason it isn't on Debian -- huge attack surface as there [were?] are no minimal Debian images. If you want something similar, the transparent Tor proxy, then possibly OnionPi [2] is for you.

The setup that you describe is actually implemented in Whonix [3], and personally I don't like it that much. I don't believe that VMs are very secure. I prefer the TAILS [4] system for a hardened Linux as a baseline, but it doesn't even use a VM to segregate the Tor daemon from the main OS. A superior hardened system (from a security POV) is Liberte Linux [5]; however, development is stalled and it is more complex to set up and use than TAILS. (Worth noting that TAILS is sponsored and has development resources; everything else is just a side project for various people.)

If you want to set up a PORTAL that runs in a VM, it is really simple to do. QEMU will run the OpenWRT-based PORTAL image, although someone would have to figure out how to configure the network settings appropriately. You'll probably want to use a VM for the "workstation" environment, as well as a VM for the Tor daemon. This will give you maximum control over the networking (this is what Whonix does).

At any rate, I suspect that JITSI is a better client than pidgin, but it gets no love (and unfortunately, it is Java). pidgin is basically technical debt which can never be repaid. Parsing network protocols in ad hoc parsers written in C is just not rational in this day and age. A client should use a managed language to minimise memory corruption bugs. I don't think using xulrunner is a good idea either, given how terrible Firefox is at security.

Ideally, there would be work put into making Pond [6] a viable instant message application.

I'd also be happy if the OTR spec was updated to bring it in line with the new TextSecure v2 protocol.

[1]: http://grugq.github.io/blog/2013/10/05/thru-a-portal-darkly/

[2]: http://learn.adafruit.com/onion-pi/overview

[3]: https://www.whonix.org/wiki/Main_Page

[4]: https://tails.boum.org/

[5]: http://dee.su/liberte

[6]: https://pond.imperialviolet.org/



I got a few comments since I love your blogs and opinion. I work on Whonix and am excited that you're commenting on it.

A minimum Debian is grml [1], 150-350MB, which Whonix uses as a base.

But by the time we're done adding packages and KDE, it's not minimal anymore. We use a popular GNU/Linux distro (instead of, say, hardened gentoo) because 1) Lots of eyes on a bigger project is more secure than few eyes on a smaller project, and 2) Bad or missing usability/UX hurts security: these systems are used by journalists and dissidents, not the Unix and computer security trained. The trick is making a system that moderately educated users can get work done on, without letting them shoot themselves in the foot.

VMs have their problems, but VirtualBox inside an average Windows install is harder to exploit than an average Windows install alone. Whonix can also run on dedicated hardware or inside a dedicated/minimal/portable host OS. Running inside QubesOS, the Xen-based (everything is isolated) security focused desktop OS, is a mid-term goal.

Additionally, as resources (that is, volunteers) grow, builds of Whonix based on other distros/desktops/hardware will appear. To see you post on our forum [2] or github issues [3], lending your experience with PORTAL, would be a dream! Let's talk stream isolation. Or just voice your concerns and we'll try to defend our choices.

---

Ditto on Pond, which is weird since Appelbaum is behind it, but apparently they don't want to start from scratch (Pond was just a README last time I checked).

I have big hopes for TIMB, BitMessage, and the new (cross-platform) TextSecure. Hopefully RedPhone will receive the same treatment as TextSecure. The lead Whonix developer and I tried to set up a cross-platform secure voice chat over Jitsi... an hour later we gave up.

Icebird + TorBirdy is just barely becoming a reality. A GPG-capable email client that doesn't give away your time zone is big news in this world. Don't get me started on losing all your bookmarks when you update the Tor Browser Bundle! We've got a long way to go.

[1]: https://grml.org/

[2]: https://www.whonix.org/forum/index.php?board=5.0

[3]: https://github.com/Whonix/Whonix/issues


I should have been more clear: I mean a minimal Debian install for the Raspberry Pi. I don't want to create a full debootstrap image and make that available (it comes to almost 512MB after adding all the software, WTF!). I am familiar with grml.

A hardened Gentoo is a more solid platform because of the reliability of grsec + PaX for exploit mitigation. Unfortunately, configuring grsec to work generically for a large number of use cases would be time consuming. I would still like to see it though.

There is an option on how to do it properly, but so far I don't believe that anyone is working on making it available publicly. I know it has been done in private at least twice but neither implementation is likely to become public. I would very much like it to be public. :(

If you are interested, it is a viable business, but I personally don't have the time to put into it.

I really don't like VirtualBox. I think Xen, KVM, VMware are all superior options.

I have never been able to get Qubes to install on any of my computers. It just fails. I guess I have the wrong hardware. I think it is sort of the correct approach, but there is a much better way. Email me if you want to devote some time to "doing it right". Would be in line with Whonix/Qubes, but different. :)


Interesting list, thanks for the info. Someone made a PORTAL on Debian though, that's why I mentioned it. boot2docker is actually a Tiny Core Linux, with a 24 MB base system image.

I gave up on Jitsi fairly quickly (this from a person that actually hacked together a proof-of-concept SkypeKit plugin for pidgin). It's slow, it randomly locks up for no apparent reason, and, well, as you said, it's Java. So I went back to pidgin.

You're absolutely right about pidgin and its technical debt though. The only way it can be repaid is by a complete rewrite. I'm still holding my breath for stable GUI bindings, and a 1.0 Rust release.

What you're saying about VMs and containers and security is true, yes. But it's not about security. It's about leaking information, and comfort. The Tor Browser Bundle is all about comfort, and being "safe enough". If you're rooted, neither the Tor Browser Bundle nor the Tor chat bundle will help you. The reason I brought this up is because I think in theory it should be possible to make a bundle that allows you to run desktop apps inside of that VM/container setup with a fully configured pf tables setup, so that that particular instance's connection will fully go through the parent's Tor node.

Pond looks interesting, but I'm still a little split on whether things that later target end-user desktop applications should ultimately be written in Go.
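The "route everything from the workstation through the parent's Tor node" setup discussed in this thread (the PORTAL / Whonix gateway idea) comes down to a fail-closed firewall ruleset on the gateway. The script below is an added example, not code from the thread, from PORTAL, or from Whonix; the interface name, subnet, Tor user and TransPort/DNSPort numbers are assumptions, and it assumes the gateway's torrc already opens `TransPort` on 9040 and `DNSPort` on 5300 for the workstation side. The point it makes that the comments above do not is the fail-closed part: nothing leaves the gateway unless the tor daemon itself sends it, and non-TCP/DNS traffic from the workstation is dropped rather than leaked.

```shell
#!/bin/sh
# Added example of a fail-closed transparent Tor gateway ruleset (assumptions below;
# not PORTAL's or Whonix's own configuration).
# Assumed torrc on the gateway:
#   TransPort 10.152.152.10:9040
#   DNSPort   10.152.152.10:5300
INT_IF="${INT_IF:-eth1}"                 # assumed: interface facing the workstation VM
TOR_UID="${TOR_UID:-debian-tor}"         # assumed: user the tor daemon runs as
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5300}"
WS_NET="${WS_NET:-10.152.152.0/24}"      # assumed: workstation subnet

# With DRY_RUN=1 the iptables commands are printed instead of executed,
# so the ruleset can be reviewed (and tested) without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

tor_gateway_rules() {
    ipt -t nat -F
    ipt -F
    # 1. Redirect workstation DNS and new TCP connections into tor's DNSPort/TransPort.
    #    Other UDP is never redirected (Tor cannot carry it) and is dropped in step 4.
    ipt -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    ipt -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    # 2. Only the tor user may originate traffic from the gateway; everything else is dropped.
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
    ipt -P OUTPUT DROP
    # 3. No routing around Tor: no masquerading, no forwarding at all.
    ipt -P FORWARD DROP
    # 4. Accept only the redirected ports from the workstation subnet; drop the rest.
    ipt -A INPUT -i "$INT_IF" -s "$WS_NET" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -s "$WS_NET" -p udp --dport "$DNS_PORT" -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -j DROP
}

# Usage: DRY_RUN=1 sh gateway.sh (review) or sudo sh gateway.sh apply (install rules).
if [ "$1" = "apply" ] || [ "${DRY_RUN:-0}" = "1" ]; then
    tor_gateway_rules
fi
```

Check the result from the workstation side too: a UDP probe or a direct connection to a non-Tor address must fail, not fall back to the host's normal route.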


The Debian version might be mine.

https://rednerd.com/2013/12/07/portal-for-debian/

As is mentioned above, I think the way to do this in a VM is to emulate OpenWRT in qemu.


Thanks for letting me know. ;)

There is an issue for the torrc that is open on github, but it hasn't been applied yet. You might want to test it and see if it works for you.

https://github.com/grugq/PORTALofPi/issues/16


Why Pond and not Textsecure? (I know they share some protocol).


They aren't. TextSecure is an updated version of OTR. It provides a means of securing content between two individuals, but it doesn't do anything to protect against traffic analysis or metadata analysis (it can't, really, since the trade-off is security for speed and IM requires speed).

Pond is a sort of email replacement. I prefer it for security reasons. It protects against traffic analysis.


Actually, they do share the same OTR [0], i.e. one can expect the same level of security. The real difference is the transport, as you stated.

[0] https://github.com/agl/pond/commit/338395668fbb8a7819c0fccf5...


I stand corrected. It makes sense since OTR is basically the gold standard of how to encrypt messages between two people.

My main point, really, is that the content is not that relevant most of the time. It is far more interesting to see who is talking to whom, how frequently, and for how long. This sort of data provides rich information on the target network, both the edges and the nodes. This information can be used to analyze the network and to fit people back into the network if their identifying device/ID/etc is changed. You can still match the new activity against the old activity (particularly if the old activity has ceased) and get a match on who the "new" node actually is.

The metadata masking of Pond is what I like. It makes it a much more secure system than an XMPP-based IM network. Even a private XMPP server is not secure against a global passive adversary. And that's basically the important thing for me. TextSecure is fine, but it leaks too much information for me to be completely comfortable using it. Pond addresses those issues (although, unfortunately, it fails on the usability front).

Thanks for the correction.



