Big Brother has arrived in the UK

[Jetsun]

The book 1984 was based in the UK and it looks like it is becoming a reality. The government has used the Trump election as a cover for passing the most intrusive snooping law in history.

 

The following departments will now have access to your full internet history...

 

Metropolitan police force

City of London police force

Police forces maintained under section 2 of the Police Act 1996

Police Service of Scotland

Police Service of Northern Ireland

British Transport Police

Ministry of Defence Police

Royal Navy Police

Royal Military Police

Royal Air Force Police

Security Service

Secret Intelligence Service

GCHQ

Ministry of Defence

Department of Health

Home Office

Ministry of Justice

National Crime Agency

HM Revenue & Customs

Department for Transport

Department for Work and Pensions

NHS trusts and foundation trusts in England that provide ambulance services

Common Services Agency for the Scottish Health Service

Competition and Markets Authority

Criminal Cases Review Commission

Department for Communities in Northern Ireland

Department for the Economy in Northern Ireland

Department of Justice in Northern Ireland

Financial Conduct Authority

Fire and rescue authorities under the Fire and Rescue Services Act 2004

Food Standards Agency

Food Standards Scotland

Gambling Commission

Gangmasters and Labour Abuse Authority

Health and Safety Executive

Independent Police Complaints Commissioner

Information Commissioner

NHS Business Services Authority

Northern Ireland Ambulance Service Health and Social Care Trust

Northern Ireland Fire and Rescue Service Board

Northern Ireland Health and Social Care Regional Business Services Organisation

Office of Communications

Office of the Police Ombudsman for Northern Ireland

Police Investigations and Review Commissioner

Scottish Ambulance Service Board

Scottish Criminal Cases Review Commission

Serious Fraud Office

Welsh Ambulance Services National Health Service Trust

 

Why work, food and health departments need to have full access to my browsing history I don't know.

[Marblehead]

Lots of Big Brothers, don't you think?

 

The government has had way too many babies.

[Aetherous]

https://petition.parliament.uk/petitions/173199

[dust]

Not really sure how this is supposed to work.

 

An ISP will keep a record of connections (ICR) from each account held with it, but in many cases how will these agencies know exactly who visited each site? In a shared/family house with shared internet, or a public Wi-Fi spot, for example, how would they differentiate between users? (surely there will be a single ICR for each single account?)

 

I also don't understand the point of it. If someone's looking up illegal porn or trying to buy guns or chatting with ISIS or anything else the government could be said to have a right to invade privacy to investigate, they're likely not doing it directly through their ISP? (Tor/VPN/etc?) And I would imagine it is those who know how to evade detection that a government should be most concerned with detecting?

[Jetsun]

Not really sure how this is supposed to work.

 

An ISP will keep a record of connections (ICR) from each account held with it, but in many cases how will these agencies know exactly who visited each site? In a shared/family house with shared internet, or a public Wi-Fi spot, for example, how would they differentiate between users? (surely there will be a single ICR for each single account?)

 

I also don't understand the point of it. If someone's looking up illegal porn or trying to buy guns or chatting with ISIS or anything else the government could be said to have a right to invade privacy to investigate, they're likely not doing it directly through their ISP? (Tor/VPN/etc?) And I would imagine it is those who know how to evade detection that a government should be most concerned with detecting?

I expect the next step is to ban VPN's and Tor etc, they can try justify it by saying the other laws are useless unless they are banned.

 

I have heard they are already trying to ban some advanced forms of cryptography as basically it's too good at doing its job ie stopping others from deciphering it

Edited November 25, 2016 by Jetsun

[Jetsun]

Also apparently MP's are not included in this digital surveillance bill, surprise surprise.

[Marblehead]

Also apparently MP's are not included in this digital surveillance bill, surprise surprise.

 

My government does that all the time too.

[thelerner]

My government does that all the time too.

As I understand it, many of the provisions of the 'Patriot' act have expired and weren't renewed (http://www.usatoday.com/story/news/nation/2015/05/31/patriot-act-expires-senate-stalemate/28260905/).  Some still exist.  I don't think they were ever quite as wide spread or draconian as the UK bill. 

 

From what I read there still needs to be a final approval for it (royal??), so there's a chance it might not pass, or that a general shout of no from the public can derail it.   I hope. 

 

 

At the heart of this (hopefully) is stopping terrorists using the social networks to recruit and communicate.  Seems better to smart 'bomb' those targets heavily then record the other 99.999% of all internet traffic. 

[Eques Peregrinus]

I expect the next step is to ban VPN's and Tor etc, they can try justify it by saying the other laws are useless unless they are banned.

 

I have heard they are already trying to ban some advanced forms of cryptography as basically it's too good at doing its job ie stopping others from deciphering it

 

That would be very doubtful, banks and enterprises are already making a large usage of cryptography and VPN, while Tor was developped by the US Navy and deployed (at least in part) by the NSA. The development part indicated on the Tor website, while the deployment part was revealed by Snowden.

 

Hoever, it is indeed true that cryptography today is a real piece of art. Even for a simple TLS connection used to make a search on Google is technically unbreakable, if the certificates can be trusted. If we are speaking of large agencies like the NSA, I would not be surprised if they already have the private keys of a few certification authorities and are able to do a man-in-the-middle for specific targets.

 

 

[Marblehead]

As I understand it, many of the provisions of the 'Patriot' act have expired and weren't renewed

I see you believed them again.  When will you learn?

[dust]

My legalese is not very good. Anyone care to confirm what this says?
 
http://www.publications.parliament.uk/pa/bills/cbill/2015-2016/0143/cbill_2015-20160143_en_2.htm#pt1-pb2-l1g5

 

5 Definition of “lawful authority”

 

(1) For the purposes of this Act, a person has lawful authority to carry out an interception if, and only if—

{a} the interception is carried out in accordance with—

(i) a targeted interception warrant or mutual assistance warrant under Chapter 1 of Part 2, or

(ii) a bulk interception warrant under Chapter 1 of Part 6,

 

{b} the interception is authorised by any of sections 37 to 45, or Investigatory Powers Bill

 

{c} in the case of a communication stored in or by a telecommunication system, the interception—

(i) is carried out in accordance with a targeted equipment interference warrant under Part 5 or a bulk equipment interference warrant under Chapter 3 of Part 6,

(ii) is in the exercise of any statutory power that is exercised for the purpose of obtaining information or taking possession of any document or other property, or

(iii) is carried out in accordance with a court order made for that purpose.

 

...........................

 

 

38 Interception by providers of postal or telecommunications services

 

(1) The interception of a communication is authorised by this section if the interception is carried out—
 

{a} by, or on behalf of, a person who provides a postal service or a telecommunications service, and

 

{b} for any of the purposes in subsection (2).

 
(2) The purposes referred to in subsection (1) are—
 

{a} purposes relating to the provision or operation of the service;

 

{b} purposes relating to the enforcement, in relation to the service, of any enactment relating to—

(i) the use of postal or telecommunications services, or

(ii) the content of communications transmitted by means of such services;

{c} purposes relating to the provision of services or facilities aimed at preventing or restricting the viewing or publication of the content of communications transmitted by means of postal or telecommunications services.

Edited November 27, 2016 by dust

[gatito]

Not really sure how this is supposed to work.

 

An ISP will keep a record of connections (ICR) from each account held with it, but in many cases how will these agencies know exactly who visited each site? In a shared/family house with shared internet, or a public Wi-Fi spot, for example, how would they differentiate between users? (surely there will be a single ICR for each single account?)

 

I also don't understand the point of it. If someone's looking up illegal porn or trying to buy guns or chatting with ISIS or anything else the government could be said to have a right to invade privacy to investigate, they're likely not doing it directly through their ISP? (Tor/VPN/etc?) And I would imagine it is those who know how to evade detection that a government should be most concerned with detecting?

 

I’ve yet to watch the film itself but, having seen the trailer and a couple of interviews with Joseph Gordon-Levitt, I think you’ll find that it (the full film) will give you an understanding about mass surveillance and why it’s an important and highly effective act of civil defiance to use Tails/Tor as much as possible.

 

Links:

tails.boum.org/home/index.en.html

www.torproject.org/

[Marblehead]

Maybe (about tails and tor). But didn't somebody get suspended some time in the past for having multiple IPs or something associated with their account? Or something that was related to anti-tracking  either from (or similar to the ones from) Tails?

 

---that might be something to consider before jumping into it, unless it's no longer an issue.

 

Generally one of the duplicate accounts would simply be deleted.  The person would almost always still be an active member.

 

Someone who has been suspended or banned and has somehow managed to get a different approved account, if found out by a moderator or admin would have that account immediately deleted.

[thelerner]

I see you believed them again.  When will you learn?

What I've learned is, trends swing like a pendulum.  In times of war and paranoia, rights are taken away.  We, society are as much to blame as the government.  In US history, we do have a strong independent streak, against invasion of privacy.  Inevitably we turn back the regulations.

 

In my 50 years I've seen the pendulum swing back and forth 2 or 3 times.  Its probably wrong to be stuck in permanent paranoia mode.  Because you won't protect civil rights when they are threatened because you assume we never had them in the first place. 

[Marblehead]

What I've learned is, trends swing like a pendulum.  In times of war and paranoia, rights are taken away.  We, society are as much to blame as the government.  In US history, we do have a strong independent streak, against invasion of privacy.  Inevitably we turn back the regulations.

 

In my 50 years I've seen the pendulum swing back and forth 2 or 3 times.  Its probably wrong to be stuck in permanent paranoia mode.  Because you won't protect civil rights when they are threatened because you assume we never had them in the first place. 

 

Fair response.  But I must suggest that it are the governments of the West that are creating the paranoia so that they can take away the individual's freedoms and rights to privacy.  We, most of the Western governments created the hatred most of the people of the Middle East have for us.

 

Don't you see where this is going?  It is all well planned and orchestrated.  One world power - the top 1%.  Governments are following orders.

[EmeraldHead]

I expect the next step is to ban VPN's and Tor etc, they can try justify it by saying the other laws are useless unless they are banned.

 

I think Tor is already within their reach as there's lots of rumours about it. Orbit - the android version is for sure. 

[gatito]

There are certainly a lot of ways that a government can circumvent an individuals use of Tails/Tor.

 

Nevertheless, using it takes a stand that's infinitely more effective in negating the effects of the Snoopers' Charter than signing a petition begging for a change in a longstanding, immoral practice.

 

If a proportion of the population used that as well as using OpenPGP encryption of emails it would certainly tie-up a lot of BB's resources.

 

Links:

openpgp.org/about/

 

This may also be of interest:

 

 

Source: https://en.wikipedia.org/wiki/Charter_of_Fundamental_Rights_of_the_European_Union

 

And this:

 

 

As an ordinary citizen with a life, you can’t hide from the security services, any more than you can defend your house against a tank regiment. If they want to hack your devices, they will. If you’re an investigative journalist, human rights campaigner, one of Snowden’s collaborators etc, you need a higher level of security.

 

www.theguardian.com/technology/askjack/2016/nov/24/how-can-i-protect-myself-from-government-snoopers

 

and this:

 

www.theguardian.com/commentisfree/2016/nov/28/technology-our-lives-control-us-internet-giants-data

 

At least, we all have the (informed) option of turning off our wifi and our mobile phones (for now...).

[gatito]

FYI

 

Source: tails.boum.org/doc/about/warning/index.en.html

 

Warning

 

Even though we do our best to offer you good tools to protect your privacy while using a computer, there is no magic or perfect solution to such a complex problem. Understanding well the limits of such tools is a crucial step to, first, decide whether Tails is the right tool for you, and second, make a good use of it.

1. Tails does not protect against compromised hardware
2. Tails can be compromised if installed or plugged in untrusted systems
3. Tails does not protect against BIOS or firmware attacks
4. Tor exit nodes can eavesdrop on communications
5. Tails makes it clear that you are using Tor and probably Tails
6. Man-in-the-middle attacks
7. Confirmation attacks
8. Tails doesn't encrypt your documents by default
9. Tails doesn't clear the metadata of your documents for you and doesn't encrypt the Subject: and other headers of your encrypted email messages
10. Tor doesn't protect you from a global adversary
11. Tails doesn't magically separate your different contextual identities
12. Tails doesn't make your crappy passwords stronger
13. Tails is a work in progress

Tails does not protect against compromised hardware

If the computer has been compromised by someone having physical access to it and who installed untrusted pieces of hardware (like a keylogger), then it might be unsafe to use Tails.

Tails can be compromised if installed or plugged in untrusted systems

When starting your computer on Tails, it cannot be compromised by a virus in your usual operating system, but:

• Tails should be installed from a trusted system. Otherwise it might be corrupted during installation.

• Plugging your Tails device in a compromised operating system might corrupt your Tails installation, and destroy the protection that Tails provides. Only use your Tails device to start Tails.

See the corresponding FAQ.

Tails does not protect against BIOS or firmware attacks

It is also impossible for Tails to protect against attacks made through the BIOS or other firmware embedded in the computer. These are not managed or provided by the operating system directly, and no operating system can protect against such attacks.

See for example, this attack on BIOS by LegbaCore.

Tor exit nodes can eavesdrop on communications

Tor is about hiding your location, not about encrypting your communication.

Instead of taking a direct route from source to destination, communications using the Tor network take a random pathway through several Tor relays that cover your tracks. So no observer at any single point can tell where the data came from or where it's going.

The last relay on this circuit, called the exit node, is the one that establishes the actual connection to the destination server. As Tor does not, and by design cannot, encrypt the traffic between an exit node and the destination server, any exit node is in a position to capture any traffic passing through it. See Tor FAQ: Can exit nodes eavesdrop on communications?.

For example, in 2007, a security researcher intercepted thousands of private email messages sent by foreign embassies and human rights groups around the world by spying on the connections coming out of an exit node he was running. See Wired: Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise.

To protect yourself from such attacks you should use end-to-end encryption.

Tails includes many tools to help you using strong encryption while browsing, sending email or chatting, as presented on our about page.

Tails makes it clear that you are using Tor and probably Tails

Your Internet Service Provider (ISP) or your local network administrator can see that you're connecting to a Tor relay, and not a normal web server for example. Using Tor bridges in certain conditions can help you hide the fact that you are using Tor.

The destination server that you are contacting through Tor can know whether your communication comes from a Tor exit node by consulting the publicly available list of exit nodes that might contact it. For example using the Tor Bulk Exit List tool from the Tor Project.

So using Tails doesn't make you look like any random Internet user. The anonymity provided by Tor and Tails works by trying to make all of their users look the same so it's not possible to identify who is who amongst them.

See also Can I hide the fact that I am using Tails?

Man-in-the-middle attacks

A man-in-the-middle attack (MitM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

While using Tor, man-in-the-middle attacks can still happen between the exit node and the destination server. The exit node itself can also act as a man-in-the-middle. For an example of such an attack see MW-Blog: TOR exit-node doing MITM attacks.

Again, to protect yourself from such attacks you should use end-to-end encryption and while doing so taking extra care at verifying the server authenticity.

Usually, this is automatically done throught SSL certificates checked by your browser against a given set of recognized certificate authorities). If you get a security exception message such as this one you might be the victim of a man-in-the-middle attack and should not bypass the warning unless you have another trusted way of checking the certificate's fingerprint with the people running the service.

But on top of that the certificate authorities model of trust on the Internet is susceptible to various methods of compromise.

For example, on March 15, 2011, Comodo, one of the major SSL certificates authorities, reported that a user account with an affiliate registration authority had been compromised. It was then used to create a new user account that issued nine certificate signing requests for seven domains: mail.google.com, login.live.com, www.google.com, login.yahoo.com (three certificates), login.skype.com, addons.mozilla.org, and global trustee. See Comodo: The Recent RA Compromise.

Later in 2011, DigiNotar, a Dutch SSL certificate company, incorrectly issued certificates to a malicious party or parties. Later on, it came to light that they were apparently compromised months before, perhaps as far back as May of 2009, or even earlier. Rogue certificates were issued for domains such as google.com, mozilla.org, torproject.org, login.yahoo.com and many more. See The Tor Project: The DigiNotar Debacle, and what you should do about it.

This still leaves open the possibility of a man-in-the-middle attack even when your browser is trusting an HTTPS connection.

On one hand, by providing anonymity, Tor makes it more difficult to perform a man-in-the-middle attack targeted at one specific person with the blessing of a rogue SSL certificate. But on the other end, Tor makes it easier for people or organizations running exit nodes to perform large scale MitM attempts, or attacks targeted at a specific server, and especially those among its users who happen to use Tor.

Quoted from Wikipedia: Man-in-the-middle attack, Wikipedia: Comodo Group#Certificate hacking and Tor Project: Detecting Certificate Authority compromises and web browser collusion.

Confirmation attacks

The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see both flows, some simple statistics let you decide whether they match up.

That could also be the case if your ISP (or your local network administrator) and the ISP of the destination server (or the destination server itself) cooperate to attack you.

Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.

Quoted from Tor Project: "One cell is enough to break Tor's anonymity".

Tails doesn't encrypt your documents by default

The documents that you might save on storage devices will not be encrypted by default, except in the encrypted persistent volume. But Tails provides you with tools to encrypt your documents, such as GnuPG, or encrypt your storage devices, such as LUKS.

It is also likely that the files you may create will contain evidence that they were created using Tails.

If you need to access the local hard-disks of the computer you are using, be conscious that you might then leave trace of your activities with Tails on it.

Tails doesn't clear the metadata of your documents for you and doesn't encrypt the Subject: and other headers of your encrypted email messages

Numerous files formats store hidden data or metadata inside of the files. Word processing or PDF files could store the name of the author, the date and time of creation of the file, and sometimes even parts of the editing history of the file, depending on the file format and the software used.

Please note also, that the Subject: as well as the rest of the header lines of your OpenPGP encrypted email messages are not encrypted. This is not a bug of Tails or the OpenPGP protocol; it's due to backwards compatibility with the original SMTP protocol. Unfortunately no RFC standard exists yet for Subject: line encryption.

Image file formats, like TIFF of JPEG, probably take the prize for most hidden data. These files, created by digital cameras or mobile phones, contain a metadata format called EXIF which can include the date, time and sometimes the GPS coordinates when the picture was taken, the brand and serial number of the device which took it, as well as a thumbnail of the original image. Image processing software tends to keep this metadata intact. The internet is full of cropped or blurred images in which the included EXIF thumbnail still shows the original picture.

Tails doesn't clear the metadata of your files for you. Yet. Still it's in Tails' design goal to help you do that. For example, Tails already comes with the Metadata anonymisation toolkit.

Tor doesn't protect you from a global adversary

A global passive adversary would be a person or an entity able to monitor at the same time the traffic between all the computers in a network. By studying, for example, the timing and volume patterns of the different communications across the network, it would be statistically possible to identify Tor circuits and thus match Tor users and destination servers.

It is part of Tor's initial trade-off not to address such a threat in order to create a low-latency communication service usable for web browsing, Internet chat or SSH connections.

For more expert information see the Tor design paper, "Tor Project: The Second-Generation Onion Router", specifically, "Part 3. Design goals and assumptions."

Tails doesn't magically separate your different contextual identities

It is usually not advisable to use the same Tails session to perform two tasks or endorse two contextual identities that you really want to keep separate from one another. For example hiding your location to check your email and anonymously publishing a document.

First, because Tor tends to reuse the same circuits, for example, within the same browsing session. Since the exit node of a circuit knows both the destination server (and possibly the content of the communication if it's not encrypted) and the address of the previous relay it received the communication from, it makes it easier to correlate several browsing requests as part of a same circuit and possibly made by the same user. If you are facing a global adversary as described above, it might then also be in a position to do this correlation.

Second, in case of a security hole or an error in using Tails or one of its applications, information about your session could be leaked. That could reveal that the same person was behind the various actions made during the session.

The solution to both threats is to shutdown and restart Tails every time you're using a new identity, if you really want to isolate them better.

As explained in our documentation about Tor Browser, its New identity feature is not a perfect solution to separate different contextual identities. And, as explained in the FAQ, Tails does not provide a global New Identity feature. Shutdown and restart Tails instead.

Tails doesn't make your crappy passwords stronger

Tor allows you to be anonymous online; Tails allows you to leave no trace on the computer you're using. But again, neither or both are magic spells for computer security.

If you use weak passwords, they can be guessed by brute-force attacks with or without Tails in the same way. To know if your passwords are weak and learn good practices to create better password, you can read Wikipedia: Weak Passwords.

Tails is a work in progress

Tails, as well as all the software it includes, are continuously being developed and may contain programming errors or security holes.

 

[shortstuff]

Note that tails does not protect against compromised hardware.

 

Also note that the NSA compromised all hard disks available to consumers at factory level source, which means unless you run your OS (which is likely to also be compromised) of a USB key (which is likely to also be compromised), Tails cannot protect you.

 

The new law gives more powers than just logging. If you proxy your connection you will stand out and be noticed. The law gives Police the right to hack your computer for a look around.

 

Of course GCHQ have been doing all this for years, they tap the fibre as it comes into the UK.

 

https://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa

https://en.wikipedia.org/wiki/GCHQ_Bude#Cable_interception

 

http://www.stevenheaton.co.uk/SubmarineCableLandingsUK/?p=28

 

In 2014 it was revealed that Skewjack Farm was the location of the Government Communications Headquarters interception point on the Indian telecoms company Reliance Communications international fiber link, copying data to GCHQ Bude as part of GCHQ's Mastering the Internet project.^[3][4]

 

The current idea is to get as many people as possible to run some kind of program that accesses random URLS, including "dodgy" ones, every 1ms, with a bandwidth restriction. Then everyone who participates' logs will be full of sites they don't visit. If everyone did this, you could avoid Big Brother. People are even thinking of injecting something similar into iFrame's on exploitable forums and websites.

Edited December 3, 2016 by shortstuff

[gatito]

<snip>

Tails cannot protect you.

 

<snip>

 

Nonsense!

 

However, as I said:

 

There are certainly a lot of ways that a government can circumvent an individuals use of Tails/Tor.

 

<snip>

 

Just read (and understand) the documentation first.

 

For example: if you're as paranoid as shortstuff is about hardware-compromised HDDs and USB keys (and some of the other issues he raises) then you'd just run Tails from a DVD on a second-hand laptop bought for cash from a random pawnshop.

 

Some of the other issues are a bit more complex (e.g. downloading and verifying the iso).

[Eques Peregrinus]

This thread made me wondering: Have someone here already tried an experimental OS focused on security, like Qubes or Subgraph? Both are based on hardened Linux and isolate processes from each others, the first by virtualisation, and the second by the use of containers.

[shortstuff]

The problem with experimentals is they are even more likely to have 0day's that can be designed for them, and even less likely that these 0days will ever get fixed. It could take a pentest team a week to find a root-giving exploit and it could take the creator a year or ten (see below) to actually discover it exists.

 

Microsoft for example was exploited by stuxnet etc....that was a 10 year old 0day.

 

Now one has to wonder if Microsoft were forced to hide this decade old exploit...were they told by the NSA that "We have discovered X, no one else knows it, you are NOT to patch it unless given permission" or did they just not even know?

This is the same with cryptography, anyone worth their salt (excuse the pun ) knows not to develop and run their own encryption, but to rely on the common ones.

[Eques Peregrinus]

The software components used to build these OS are mature, at least in the case of Qubes, (the container management of Subgraph is newer than Xen, which is used in Qubes).

 

I have tried Qubes once, the concept is interesting. It essentially consists in a Linux kernel on which the Xen hypervisor is running differents virtual machines. The critical components of the OS, like the driver for the network card, are run in VMs and are therefore separated from other components like the mail client or the GPG agent, which are also running in separate VMs. The VMs communicate between themselves using the local network interface of dom0 (dom0 is the name of the physical machine, using Xen terminology) and these communication have to be explicitely allowed by a firewall. Each VM also uses its own encrypted partition using LUKS, therefore is is not possible to read the content of a file contained in a VM from a different VM. There also exists a concept of throwable VM, that is a VM which is launched once, and deleted once the application running inside it is closed. Finally, the graphical applications in the VMs communicate with the X server running in dom0 using the X protocol.

 

Now about the user experience, it is definitively in experimental stage: common manipulations requires launching a VM, which takes a long time, Xen does not work well with the EFI, and we are constantly annoyed because a file we want to open with an application is not in the VM running the said application. The file needs therefore to be transferred, which can be done, but is still a hassle. It is nevertheless an interesting experiment, if we are interested in security.

 

I have never tested Subgraph, but this project looks similar in its design, except that it uses containers. The kernel is therefore shared between the different software components. Therefore it should be less secure than Qubes, which do a complete virtualization, but it should be much smoother.