Subgraph OS – Adversary-resistant computing platform
Superior Subgraph

Lead Image © Kheng Ho Toh, 123RF.com
Kid-tested and Snowden approved – is Subgraph, the privacy-oriented OS, now ready for humans?
In early 2016, David Mirza Ahmad, president of Subgraph, announced their OS as a public alpha. The announcement took place at the Logan CIJ Symposium, which is dedicated to fighting surveillance and censorship, and was greeted warmly by Edward Snowden himself [1].
Ahmad also advised, "The Internet is more hostile than it's ever been. Subgraph is addressing that problem."
Since then, he and the rest of the four-man team in Montreal have been devoting themselves to developing Subgraph. Most recently, their efforts have culminated in Subgraph Alpha r3 with a range of new apps and security features [2] (Figure 1). The project is backed financially by the US government-sponsored Open Technology Fund, which is also behind privacy-oriented distros like Qubes OS and Tails.

The similarity doesn't end there. Subgraph protects users through a hardened kernel, a carefully selected list of apps, and anonymizing network connections.
Starting Subgraph
Subgraph r3 can be downloaded from the project's website [3]. In keeping with the strong emphasis on security, the 1.3GB ISO download is accompanied by a SHA sum and GPG signature, which you can use to check the integrity of the image before copying to DVD or USB.
The team also cautions that this is still alpha software, so it should not be relied upon for any serious project.
That said, it's clear that unlike many privacy-oriented distros, the Subgraph team has emphasized usability as well as privacy. The GUI is the familiar Gnome Desktop Environment running on a modified version of Debian 9 (Stretch). This means that the installer will pose no issues if you've ever installed a Debian-based system. The major difference is that encryption of your drive via Linux Unified Key Setup (LUKS) is mandatory.
Installs require at least 20GB of disk space and a minimum of 2GB of RAM, although 4GB is recommended. If you prefer to run Subgraph in Live mode, at least 4GB of memory is required. Although these requirements are onerous, the minimum amount of RAM required for installation is the same as for Qubes OS and Tails.
Currently only 64-bit machines are supported. On first boot, the OS superficially seems to resemble a stock install of Debian, albeit with a few new preinstalled apps. Under the surface, however, Subgraph has some marked differences.
Torifying Apps
Opening the Gnome Shell Dash reveals the stock Subgraph apps. A good starting point is the system's default Tor Browser, which helps to anonymize your connection while browsing and greatly reduces the chance of browser fingerprinting.
The browser also contains a slider bar, which allows you to change the level of security used at the expense of loading certain types of web pages.
On first run, Subgraph downloads a tarball of the browser and uses signature verification to make sure that the integrity of the file has not been compromised (Figure 2). During testing, the installation failed; however, the developers' GitHub page revealed that they were aware of this and that there's a workaround [4].

Aside from the Tor Browser, the preinstalled app OnionShare can also connect directly to Tor hidden services. It is specifically designed for file sharing. The advantage of using hidden services via a .onion address is that both the sender and receiver are hidden. Because the traffic never leaves the Tor network, there's no way to monitor entry and exit points for vulnerabilities, so obtaining metadata about files you share is virtually impossible. You can share files via OnionShare with ease from within the Nautilus File Manager, simply by right-clicking on them and choosing Share via OnionShare (Figure 3).
The OS incorporates IceDove, which is an unbranded version of the Mozilla Thunderbird email client. Incoming and outgoing mail is routed through the Tor network thanks to the preinstalled TorBirdy plugin. IceDove also comes with the Enigmail plugin to allow you to send and receive GPG-encrypted emails (Figure 4).


Subgraph also comes with the "torified" instant messenger Ricochet. This privacy-minded app from the invisible.im team uses Tor hidden services to allow chat users to connect directly to one another, avoiding the risk posed by a faulty or malicious central server.
For security reasons, all of these apps run inside their own sandboxes (more on this later).
Marvelous Metaproxies
As handy as privacy-minded apps can be, not all useful Linux applications are specifically designed to be used over Tor. Sufficiently skilled users can sometimes manually configure applications capable of connecting via proxy to use the Tor network, but this can be tricky to set up correctly. Any application leaking data while you're using Tor can potentially be used to trace your location and access your data.
Subgraph OS resolves this issue by routing all outgoing connections that otherwise wouldn't go through Tor via a Subgraph Metaproxy. This ensures all connections are made via the Tor network. However, crucially, programs, such as the Tor Browser Bundle, that already use Tor are ignored by the Metaproxy.
Another extremely well thought-out Subgraph feature is the inclusion of the control port filter ROFLCopTor.
By default, the Tor service is managed by a control protocol, which regulates information about Tor connections, starts hidden services, and changes your configuration. Most programs don't need access to all these settings.
ROFLCopTor acts as a proxy server between Tor control clients and the Tor control server port. It has a number of built-in policies in place to filter incoming and outgoing commands on an application-by-application basis to determine which features they can access. This substantially reduces the chance that a compromised program could de-anonymize your connection or otherwise be used to spy on you.
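The per-application filtering described above can be sketched as a default-deny allowlist over Tor control-port commands. This is an added example, not ROFLCopTor's code or policy format: the policy layout, the application names, and the choice of a 510 reply for refused commands are assumptions made for illustration.

```python
import fnmatch

# Constructed policies (hypothetical layout): keyword -> allowed argument patterns.
POLICIES = {
    "ricochet": {
        "PROTOCOLINFO": ["*"],
        "AUTHENTICATE": ["*"],
        "ADD_ONION": ["NEW:* Port=*"],
        "GETINFO": ["status/circuit-established"],
    },
    "tor-browser": {
        "PROTOCOLINFO": ["*"],
        "AUTHENTICATE": ["*"],
        "SIGNAL": ["NEWNYM"],
        "GETINFO": ["circuit-status", "version"],
    },
}
PER_KEY = {"GETINFO", "GETCONF"}         # commands whose arguments are a list of keys
DENIED = "510 Unrecognized command\r\n"  # sent to the client instead of forwarding


def parse(line):
    """Split one control-port line into (KEYWORD, args); None if malformed."""
    body = line[:-2] if line.endswith("\r\n") else line
    if "\r" in body or "\n" in body or not body.strip():
        return None  # an embedded line break would smuggle a second command
    keyword, _, args = body.strip().partition(" ")
    return keyword.upper(), args.strip()


def filter_command(app, line):
    """Return (forward, reply); forward=True means pass the line on to Tor."""
    parsed = parse(line)
    allowed = POLICIES.get(app, {})      # unknown applications get an empty policy
    if parsed is None or parsed[0] not in allowed:
        return False, DENIED
    keyword, args = parsed
    patterns = allowed[keyword]
    # GETINFO/GETCONF may carry several keys: every key must be allowed.
    items = args.split() if keyword in PER_KEY else [args]
    if not items:
        return False, DENIED
    ok = all(any(fnmatch.fnmatchcase(i, p) for p in patterns) for i in items)
    return (True, None) if ok else (False, DENIED)
```

With these sample policies, a browser asking for a new identity is forwarded, while the same client trying `SETCONF` or slipping `GETINFO address` in beside an allowed key is answered locally and never reaches Tor.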
Your privacy is increased even further by Macouflage, which creates random network addresses for all your interfaces, giving you better anonymity even when connecting to the same networks.