Superior Subgraph

In early 2016, David Mirza Ahmad, president of Subgraph, announced their OS as a public alpha. The announcement took place at the Logan CIJ Symposium, which is dedicated to fighting surveillance and censorship, and was greeted warmly by Edward Snowden himself [1].

Ahmad also advised, "The Internet is more hostile than it's ever been. Subgraph is addressing that problem."

Since then, he and the rest of the four-man team in Montreal have been devoting themselves to developing Subgraph. Most recently, their efforts have culminated in Subgraph Alpha r3 with a range of news apps and security features [2] (Figure 1). The project is backed financially by the US government-sponsored Open Technology Fund, which is also behind privacy-oriented distros like Qubes OS and Tails.

Figure 1: Subgraph's overall look and feel is very similar to Debian 9, but there are new apps and hidden features.

The similarity doesn't end there. Subgraph protects users through a hardened kernel, a carefully selected list of apps, and anonymizing network connections.

Starting Subgraph

Subgraph r3 can be downloaded from the project's website [3]. In keeping with the strong emphasis on security, the 1.3GB ISO download is accompanied by a SHA sum and GPG signature, which you can use to check the integrity of the image before copying to DVD or USB.

The team also cautions that this is still alpha software, so it should not be relied upon for any serious project.

That said, it's clear that unlike many privacy-oriented distros, the Subgraph team has emphasized usability as well as privacy. The GUI is the familiar Gnome Desktop Environment running on a modified version of Debian 9 (Stretch). This means that the installer will pose no issues if you've ever installed a Debian-based system. The major difference is that encryption of your drive via Linux Unified Key Setup (LUKS) is mandatory.

Installs require at least 20GB of disk space and a minimum of 2GB of RAM, although 4GB is recommended. If you prefer to run Subgraph in Live mode, at least 4GB of memory is required. Although these requirements are onerous, the minimum amount of RAM required for installation is the same as for Qubes OS and Tails.

Currently only 64-bit machines are supported. On first boot, the OS superficially seems to resemble a stock install of Debian, albeit with a few new preinstalled apps. Under the surface, however, Subgraph has some marked differences.

Torifying Apps

Opening the Gnome Shell Dash reveals the stock Subgraph apps. A good starting point is the system's default Tor Browser, which helps to anonymize your connection while browsing, as well as hugely reduces the chance of browser fingerprinting.

The browser also contains a slider bar, which allows you to change the level of security used at the expense of loading certain types of web pages.

On first run, Subgraph downloads a tarball of the browser and uses signature verification to make sure that the integrity of the file has not been compromised (Figure 2). During testing, the installation failed; however, the developers' GitHub page revealed that they were aware of this and that there's a workaround [4].

Figure 2: Subgraph checks the signature for the download and starts again, if necessary, to make sure the Tor Browser isn't compromised.

Aside from the Tor Browser, the preinstalled app OnionShare can also connect directly to Tor hidden services. It is specifically designed for file sharing. The advantage of using hidden services via a .onion address is that both the sender and receiver are hidden. Because the traffic never leaves the Tor network, there's no way to monitor entry and exit points for vulnerabilities, so obtaining metadata about files you share is virtually impossible. You can share files via OnionShare with ease from within the Nautilus File Manager, simply by right-clicking on them and choosing Share via OnionShare (Figure 3). The OS incorporates IceDove, which is an unbranded version of the Mozilla Thunderbird email client. Incoming and outgoing mail is routed through the Tor network thanks to the pre-installed TorBirdy plugin. IceDove also comes with the Enigmail plugin to allow you to send and receive gpg encrypted emails (Figure 4).

Figure 3: Right-click on any file to share via OnionShare. The app will launch automatically with the link to the file.

Figure 4: Subgraph includes the Icedove email client. The plugins Torbirdy and Enigmail are preinstalled to anonymize your connection and encrypt your emails, respectively.

Subgraph also comes with the "torified" instant messenger Ricochet. This privacy-minded app from the invisible.im team uses Tor hidden services to allow chat users to connect directly to one another, avoiding the risk posed by a faulty or malicious central server.

For security reasons, all of these apps run inside their own sandboxes (more on this later).

Marvelous Metaproxies

As handy as privacy minded apps can be, not all useful Linux applications are specifically designed to be used over Tor. Sufficiently skilled users can sometimes manually configure applications capable of connecting via proxy to use the Tor network, but this can be tricky to set up correctly. Any application leaking data while you're using Tor can potentially be used to trace your location and access your data.

Subgraph OS resolves this issue by routing all outgoing connections that otherwise wouldn't go through Tor via a Subgraph Metaproxy. This ensures all connections are made via the Tor network. However, crucially, programs, such as the Tor Browser Bundle, that already use Tor are ignored by the Metaproxy.

Another extremely well thought-out Subgraph feature is the inclusion of the control port filter ROFLCopTor.

By default, the Tor service is managed by a control protocol, which regulates information about Tor connection, starts hidden services, and changes your configuration. Most programs don't need access to all these settings.

ROFLCopTor acts as a proxy server between Tor control clients the Tor control server port. It has a number of built-in policies in place to filter incoming and outgoing commands on an application-by-application basis to determine which features they can access. This substantially reduces the chance that a compromised program could de-anonymize your connection or otherwise be used to spy on you.

Your privacy is increased even further by Macouflage, which creates random network addresses for all your interfaces, giving you better anonymity even when connecting to the same networks.