If you’ve ever had to configure an SELinux (Security Enhanced Linux) kernel security module without the guidance of an administrator, you’ll understand why this recent interview with David Mirza Ahmad in Motherboard is interesting. Ahmad is the President of a company named Subgraph, which is developing a security-focused version of Linux named Subgraph OS.
Subgraph Mail integrates OpenPGP to let the user have access to signed encrypted email. An identity verification service is built into the mail client. Plus, there is no need to execute commands in a terminal window or the need to install plug-ins. Web browser support is deliberately left out of the mail client to eliminate Web exploits from within mail.
He states that its purpose is to provide an end point that’s “resistant against remote network exploitation,” that will run on low-powered notebook computers, and can be used (and presumably installed) by people who are not security experts.
Subgraph OS offers more than kernel security. It includes features such as full-disk encryption and what appears to be a technique to sandbox (isolate) exploits. It includes also several applications and components to reduce the user’s attack surface.
Although it’s not obvious from the documentation so far, I presume Subgraph’s Vega vulnerability scanner is a component of the OS as well. Vega is an automated scanner, intercepting proxy, and proxy scanner (and it may be related to the Metaproxy application mentioned earlier). Vega itself is a standalone application written in Java that can run on Linux, Apple OS/X, and Microsoft Windows. Note, however, that on theVega download page, the first thing mentioned is that it is “still early stage software.”
The Motherboard report said Subgraph recently received funding from the Open Technology Fund (OTF) which is part of Radio Free Asia and is funded by the U.S. Congress to “empower world citizenry to support the Internet as a safe and secure platform for free speech.” While this funding is apparently new, Subgraph OS itself has been in development for at least a few years. Wired UK ran an article about its then reportedly imminent release in June 2014, but apparently the current release is still in pre-alpha stage.
Tor is used by exclusively by applications that perform communications. This is done by using Subgraph’s Metaproxy software to intercept outgoing connections and relay them through the correct proxy (SOCKS, HTTP, etc). Tor (The Onion Router) is the volunteer network of servers connected using a series of virtual tunnels instead of direct connections to anonymize information about network connectivity. Subgraph’s Orchid is a Java-based Tor implementation that can be also be used outside of Subgraph OS.
If you would like to learn more about Subgraph OS, check out its GitHub repository, which includes the beginnings of a Subgraph OS Handbook. Although Subgraph OS does not look it like it will be in production form in the near future, it may be worth keeping an eye on this project as it percolates through its development phases.