Canadian Developers Are Making the Next Tails Privacy Software

Montreal developers have created Subgraph OS, yet to be released software ready to rival Tails.

Aug 1 2014, 6:00pm

Whether it's the NSA exploiting weaknesses in encryption software, the holes in Tor making it less anonymous, or the major problems with Tails—vulnerabilities are constantly testing the security and anonymity of computer users.

But little-known Montreal-based developers at Subgraph want to change all that, and have started working on a zero-day-resistant operating system (OS) that protects against infiltration.

Subgraph takes the approach that overall computer security is critical to anonymity, targeting protection against zero-day vulnerabilities: the kind of weakness that is still unknown to the developers while they're writing the software.

The company is billing their new OS as an alternative to Tails, another widely used anonymity platform promising to let users travel "the Internet anonymously."

Since it's unrealistic to aim for a completely zero-day-free OS, Subgraph is designed to quarantine the impact of those vulnerabilities as far as possible by limiting how much access an application has to the computer and its network connection.

In Subgraph OS, every application running on the operating system is isolated in a container to prevent exploits from having a meaningful impact at the OS level. It uses the Grsecurity kernel, a patch applied to the Linux kernel that enhances security by limiting what processes can do.

For example, with most operating systems, receiving an infected PDF that makes use of a zero-day vulnerability means there's malicious code running on your computer before you realize it.

The set of security features implemented in Subgraph OS limits what that code can do: a PDF exploit would only be running inside the PDF viewer's container, unable to grab any more data from the system or access the network.

"If there's an exploit it can't do much," sums up David McKinney, the lead developer at Subgraph. The OS also features a new email client written from scratch.

The email client will also be compatible with PGP, the most popular encryption software used by journalists and privacy enthusiasts alike. That is an important feature, given the widespread use of PGP among the sorts of users who would turn to encryption software and the Subgraph OS.

The new OS is also, obviously, designed for complete anonymity. All the connections in the OS are intercepted by a metaproxy that then routes them through Tor. The metaproxy has some nifty tricks, too: it opens different Tor circuits for different apps, to avoid an attacker correlating traffic to the same origin.

"Instant Messaging chat and browsing coming out of the same exit node is not a situation you necessarily want," says David Mirza Ahmad, a developer on Subgraph, referring to traditional chat platforms.
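Tor itself supports this kind of per-application separation through SOCKS stream isolation: with its default IsolateSOCKSAuth setting, streams that present different SOCKS5 username/password credentials are placed on different circuits. The Python below is an added example, not Subgraph's metaproxy code; it builds the client side of that SOCKS5 exchange (RFC 1929) using the application name as the isolation key, and the app names, host and port are made-up sample values.

```python
# Added example (not Subgraph's metaproxy code): per-application Tor circuit
# isolation via SOCKS5 username/password authentication (RFC 1929).
# Assumption: Tor's default IsolateSOCKSAuth setting, which puts streams that
# present different SOCKS credentials on different circuits.
import struct

SOCKS_VERSION = 0x05
AUTH_USERPASS = 0x02   # method code for username/password auth
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03     # send the hostname and let Tor resolve it (no DNS leak)


def greeting() -> bytes:
    """Client greeting: version 5, one method offered, username/password.
    Tor answers 05 02 if it accepts the method, 05 FF if it does not."""
    return bytes([SOCKS_VERSION, 1, AUTH_USERPASS])


def auth_request(app_name: str, password: str = "isolate") -> bytes:
    """RFC 1929 sub-negotiation. The username carries the application
    identity, so 'chat' and 'browser' never share a circuit. Tor replies
    01 00 on success; any other status closes the connection."""
    user = app_name.encode()
    pw = password.encode()
    return bytes([0x01, len(user)]) + user + bytes([len(pw)]) + pw


def parse_auth_request(data: bytes) -> tuple:
    """Proxy-side view: recover the (username, password) isolation key."""
    if data[0] != 0x01:
        raise ValueError("unexpected auth sub-negotiation version")
    ulen = data[1]
    user = data[2:2 + ulen].decode()
    plen = data[2 + ulen]
    pw = data[3 + ulen:3 + ulen + plen].decode()
    return user, pw


def connect_request(host: str, port: int) -> bytes:
    """CONNECT by domain name: version, command, reserved, address type,
    length-prefixed hostname, big-endian port."""
    h = host.encode()
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)])
    return head + h + struct.pack("!H", port)


def circuit_keys(app_names) -> dict:
    """Map each app to the credential pair Tor will isolate it by."""
    return {a: parse_auth_request(auth_request(a)) for a in app_names}
```

Sending `greeting()`, then `auth_request("chat")`, then `connect_request(...)` over a socket to Tor's SocksPort gives the chat client its own circuit, separate from a browser that authenticates as "browser".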

Mirza Ahmad and Bruce Leidl, another developer at the company, created the popular vulnerability scanner Vega, and have worked in the computer security field for the last ten years.

"I used to run a mailing list called bugtraq," remembers Mirza Ahmad. "Before social media, it was the central place on the Internet to discuss all kinds of vulnerabilities."

Bruce Leidl wrote the obfuscated-openssh tool, used by Tor and mentioned in leaked NSA files. "My github (page) is on the slides," said Leidl.

It's this experience in security and vulnerability research that is the team's strongest asset, says Mirza Ahmad, noting that the privacy community lacks security-versed contributors.

"There are a lot of people who are excited about privacy," said Mirza Ahmad, "and that produces a confused mass of projects that are sincere but maybe not developed by competent or experienced people."

While they are users and fans of Tails, the developers had issues with the "amnesia" design of the software. Tails is not meant for long-term use, as it runs from RAM and wipes out everything when the computer shuts down.

The Subgraph developers believe simply wiping RAM isn't enough to guarantee user security. In their view, even if any malicious code is erased on shutdown, there are other avenues to compromise a computer running Tails, such as modifying the OS itself.

"There were security problems [with Tails] that were not part of the security design," says Mirza Ahmad.

There are, however, limits to what Subgraph OS can protect the average user from. It won't protect you from vulnerabilities such as Heartbleed (since that attack targets the website users visit, not their computer), from physical tampering, or from poor security practices.

Since nothing is 100 percent secure, using a cocktail of Transport Layer Security (TLS), Off The Record (OTR) messaging, and hard disk encryption, in addition to Subgraph, would be your best bet at avoiding the prying eyes of the NSA or attacks from hackers.

TLS, often referred to as SSL, allows communications with a website to be encrypted, protecting against eavesdroppers on the network. OTR is a plugin used in chat applications to encrypt conversations; it uses Perfect Forward Secrecy (PFS), ensuring that even if your long-term key is compromised, previous chats can't be decrypted.

"We are using pragmatic and well understood ideas in our work to make reasonable claims of security and privacy with the limitations well understood," says Mirza Ahmad. "There's no wizardry or outrageous promises, because we don't believe the adversary has wizardry."

One other downside in the Subgraph OS is that it's based on Debian code. And as the Debian developers explain, while the OS offers a number of advantages, there are also disadvantages depending on what your needs are.

For example, if you need to use proprietary software (like the Adobe suite), the OS could inhibit how you interact with different programs, especially if you're less tech-savvy and can't personally re-jig the hardware on your computer.

While the software has yet to be released, or to face the scrutiny of security critics, Robert Masse, Canadian director of cyber security firm Mandiant, says systems like Tails and Subgraph are excellent attempts at maintaining anonymity, though they're not military-grade secure operating systems.

"Subgraph have super competent guys and do a very good job. They've locked it down as much as possible, but nothing is impervious to exploit," he said in an interview with Motherboard.

Since many of these operating systems are stripped-down versions of other operating systems, Masse said things like Tails and Subgraph make it so "the less you're running" on your computer, "the harder it is to exploit."

To Masse, these systems also pose a question of functionality and how much users are willing to sacrifice to maintain their privacy.

"[Users] have to find a balance between security and functionality," said Masse. "You can have an OS that's locked down and difficult to exploit, but you can't run a lot of the things you want to run on it. Or you can have an open system that runs everything. But the more it runs, the more vulnerable it is to exploit. No OS is perfectly secure. Tails and Subgraph take it a great first step." 

Subgraph is made for day-to-day use, resembling a Linux desktop operating system. If you're wondering when you can get your hands on the software, the developers expect a live CD of the OS to be out by the end of the summer.

Ultimately, this software seems best suited for people like journalists who have conversations with dicey sources all the time and don't want government eavesdroppers listening in. To them, you can't put a price on pure anonymity, and any software hiccups can be tolerated with the belief that their sources are being protected.

For that reason, this new Subgraph OS could be another option in the encrypted communication game, which, in the wake of NSA spying revelations, seems to be an increasingly important technology for users everywhere.