Hidden Pitfalls of Security-Focused Operating Systems

In this brief overview, we’ll discuss security-oriented operating systems that you’re likely already familiar with. We won’t dive into detailed reviews, but instead, we’ll take a more critical look at them and highlight some of their hidden pitfalls.

Tails OS

The Amnesic Incognito Live System, usually just called “Tails,” is a Linux distribution focused on privacy and anonymity. It’s a live distribution (it runs from a USB stick and leaves no traces on your PC) and, like many other distributions, is based on the very stable Debian. Most of you are probably already familiar with it.

For those who aren’t: Tails routes all your traffic through the Tor network, providing security for your online activities. It comes with pre-installed software that makes life easier (cryptocurrency wallet, password manager, communication clients, Tor Browser, and much more). I won’t list all the possible advantages of Tails or the other systems here—this has been done countless times. Instead, let’s talk about the pitfalls.

Unfortunately, many people believe Tails is a magic bullet that lets you do shady things without ever getting caught. The case of “Brian Kil” Hernandez shows that things aren’t so simple. This criminal was involved in blackmail and extortion of young women and children, threatening them with rape and terrorism. He conducted his activities on Facebook but also took steps to protect himself, using Tails in live mode from an external drive, leaving no evidence on his PC. (Yes, there is a Facebook mirror on Tor.)

Eventually, Hernandez’s lifestyle attracted the attention of law enforcement. What he didn’t realize was that Facebook’s security team had paid a third-party contractor a hefty sum to develop a zero-day exploit for Tails. This led to his de-anonymization and a life sentence in a U.S. federal prison.

Hernandez became a “victim” of Tails’ imperfections.

So, what’s wrong with Tails?

  1. Undisclosed vulnerabilities: Facebook did not notify Tails about the discovered vulnerability. No one knows how many times this or other exploits have been used or whether they’ve been shared with other agencies. Using Tails or any other Linux distribution is not a cure-all. Linux also has exploits and malware (though far fewer than, say, Windows).
  2. Tor limitations: Tails in its default state isn’t suitable if you need to access resources that only accept “white” (non-Tor) IPs. Many clearnet sites now block Tor, unless they have a Tor mirror. You’ll need to take extra steps (like connecting to a VPN or VPS/RDP), which can be challenging for beginners.
  3. Live system drawbacks: While you can install Tails in VirtualBox or another virtual environment, this defeats the purpose of a live system. Live systems aren’t ideal for comfort or long-term use, even with persistent storage. In my experience and that of many others, Tails isn’t really designed for ongoing, long-term work. Also, your external drive could fail at the worst possible moment. So, always—whether you use Tails or not—make backups to avoid losing important data like a Bitcoin wallet stored only on a USB stick that suddenly fails.
  4. Persistent storage risks: If you create a persistent volume, it’s visible to anyone with access to your USB drive. Accessing persistent storage from other operating systems can also compromise your security.
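
Why the persistent volume is visible, shown as an added example (not code from the article or from the Tails project): it assumes the Persistent Storage is a LUKS-encrypted partition, whose header fields are stored in plaintext at the offsets defined by the LUKS1/LUKS2 on-disk formats. The sample sector, UUID and label are constructed.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of every LUKS1/LUKS2 header


def text_field(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def describe_luks_header(sector: bytes):
    """Return the plaintext metadata of a LUKS header, or None if absent.

    `sector` is the first 512 bytes of a partition. No passphrase is
    involved: these fields are stored unencrypted by design.
    """
    if len(sector) < 208 or sector[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", sector[6:8])
    info = {"version": version, "uuid": text_field(sector[168:208])}
    if version == 1:
        # LUKS1 keeps cipher name and mode as two 32-byte strings
        info["cipher"] = text_field(sector[8:40]) + "-" + text_field(sector[40:72])
    elif version == 2:
        # LUKS2 keeps an optional 48-byte label here instead
        info["label"] = text_field(sector[24:72])
    return info


def constructed_luks2_sector(uuid: str, label: str) -> bytes:
    """Build a minimal LUKS2-shaped sector for the demo (constructed data)."""
    buf = bytearray(512)
    buf[0:6] = LUKS_MAGIC
    buf[6:8] = struct.pack(">H", 2)
    buf[24:24 + len(label)] = label.encode()
    buf[168:168 + len(uuid)] = uuid.encode()
    return bytes(buf)


if __name__ == "__main__":
    sample = constructed_luks2_sector(
        "11111111-2222-3333-4444-555555555555", "constructed-label")
    print(describe_luks_header(sample))      # header fields, no passphrase used
    print(describe_luks_header(bytes(512)))  # None: no LUKS magic present
```

The encryption protects the contents of the volume, not the fact that it exists.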

Conclusion: Tails is a good “emergency” option for secure browsing. If you need a higher level of security, keep in mind that safe browsing is all Tails is suitable for.

Whonix

The next solution is Whonix. It’s a bit less well-known than Tails, but many of you are probably familiar with it. Essentially, it’s two virtual machines: one is a Tor gateway, and the other is your working environment (there are other implementations, like Whonix for Qubes OS or even physical isolation using two separate PCs). The Tor gateway routes all traffic through Tor, and the working environment can only access the internet through the gateway. In addition to traffic anonymization, security is provided by isolation—even if the virtual machine is compromised, the malware stays contained (in theory).
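
A host-side check of that isolation, as an added example (not code from the article or from the Whonix project): it assumes VirtualBox as the hypervisor, the `key="value"` output of `VBoxManage showvminfo <vm> --machinereadable`, and an internal network named `Whonix`. Both sample outputs are constructed.

```python
import re

EXPECTED_INTNET = "Whonix"  # assumption: internal network name of the Whonix VirtualBox images


def audit_workstation_nics(showvminfo: str, expected_intnet: str = EXPECTED_INTNET):
    """Return a finding for every adapter that gives the VM a path around the gateway."""
    settings = dict(re.findall(r'^(\w+)="?([^"\n]*)"?$', showvminfo, re.M))
    findings = []
    for key in sorted(settings):
        match = re.fullmatch(r"nic(\d+)", key)
        mode = settings[key]
        if not match or mode == "none":
            continue  # not an adapter line, or the adapter is disabled
        n = match.group(1)
        net = settings.get(f"intnet{n}")
        if mode != "intnet":
            # nat, bridged, hostonly, ... all reach something other than the gateway
            findings.append(f"nic{n}: attached as '{mode}', traffic can bypass the Tor gateway")
        elif net != expected_intnet:
            findings.append(f"nic{n}: internal network '{net}' is not '{expected_intnet}'")
    return findings


# Constructed samples in the shape printed by
# `VBoxManage showvminfo <vm> --machinereadable`.
GOOD = '''name="Whonix-Workstation"
nic1="intnet"
intnet1="Whonix"
cableconnected1="on"
nic2="none"
'''
LEAKY = '''name="Whonix-Workstation"
nic1="intnet"
intnet1="Whonix"
cableconnected1="on"
nic2="nat"
natnet2="nat"
'''

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("leaky", LEAKY)):
        print(label, audit_workstation_nics(sample) or "only the gateway network is attached")
```

A second adapter added for convenience (file transfer, updates) is the usual way this isolation gets undone, so the check is worth rerunning after any change to the VM settings.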

What are the pitfalls?

  1. Host OS matters: Your level of protection depends directly on your host operating system. Linux, Xen (Qubes), or BSD are the only effective options for hosting Whonix. You’ll learn later why you should avoid proprietary (closed-source) OSes like Windows if security is your goal. If your main OS is Windows, there’s little that can help you. You can’t make a silk purse out of a sow’s ear.
  2. Virtualization platform: Your security also depends on the virtualization platform you use for Whonix. The general rule is to avoid proprietary software. While VirtualBox is more intuitive for beginners, as you gain experience, it’s better to switch to more secure and open options (KVM/Qemu or ideally Qubes).

Conclusion: Whonix by itself is far from perfect. But if you take additional steps and fine-tune it, it can be an effective working solution.

Qubes OS

Like Whonix, Qubes OS provides security through isolation, using the Xen hypervisor. It’s based on Fedora and is relatively easy to install (with some skill) and to use. Its isolation method is based on limiting the interaction between programs and hardware. Essentially, Qubes is a management center for virtual machines. Each process runs in its own virtual machine, making it the best solution available today—especially when combined with Whonix.

But it’s not all smooth sailing:

  1. Hardware requirements: Since Qubes OS is a virtual machine management center, you’ll need a powerful PC. While you can run Qubes OS on less powerful hardware, it’s not recommended. Qubes is also very picky about hardware compatibility, which is its biggest drawback. There’s an official list of supported hardware, and only a limited number of models work well with Qubes OS and support all its features. You can buy hardware that’s fully compatible and comes pre-installed with Qubes OS, such as the Purism line.
  2. Learning curve: Interacting with Qubes OS (like installing applications) is a bit different from other Linux distributions. Since the community isn’t as large as that of, say, Ubuntu or Debian, beginners may face some challenges.

Conclusion: If your PC is fully compatible with Qubes OS, it’s undoubtedly the best option available today—especially when combined with Whonix and after taking additional security measures and customizing the system for your needs.
