Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS
New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.
Re:Curious (Score:4, Interesting)
What could allow remote code execution in Tails but not affect Firefox or any of the other software us non-terrorists use. A bug in tor itself?
Given that they likely had to add a few custom bits to insure anonymity, and likely modified or ripped out a few other bits, odds are good that the customizations are where the issue lies.
(...then again, perhaps the bug(s) can be found in the std. packages, but the researchers wanted to scare a smaller organization into becoming a customer first?)
Re: (Score:2)
Replying to pedantic ACs is a waste of time, I know, but I see this mistake made often enough. "Insure" and "ensure" are largely interchangeable: http://dictionary.reference.com/browse/insure [reference.com].
Re: (Score:2)
What is certainly there are at least several JavaScript zero-days. JavaScript is complex to implement and easy to get wrong. As this is a commercial effort (as can be seen by its immorality and focus on profit), they will go after low-hanging fruit. The JavaScript engine is the most promising one.
And who said it would not affect other users too?
Wait, wait... (Score:5, Insightful)
The company plans to tell the Tails team about the issues "in due time"
I'm 100% certain "in due time" would come a lot sooner if the Tails OS maintainers coughed up the right fee, which means that this is most definitely NOT responsible disclosure.
I get that security researchers have to eat too, but damn - this sort of reeks of extortion. Maybe I'm wrong, but I know if I had a code project and some company said they knew I had holes but refused to tell me upon asking, extortion would be the first effing thought that would come to mind.
Re:Wait, wait... (Score:4, Insightful)
No, not extortion against Tails - extortion of money from the NSA or whoever else their ''clients'' are.
I am sure a lot of TLAs right now are salivating -- unless they have discovered these vulnerabilities before Exodus. In which case, silence can be golden, indeed.
Re: (Score:1)
If you don't think these fees are fair, you can pay someone else to audit your code.
Re:Wait, wait... (Score:5, Insightful)
So what you're saying is that what Exodus is doing is unethical, but criminals would do the same thing anyway, so we might as well ignore Exodus' unethical behavior because they're on "our side?"
Fuck that, and fuck you!
Re: (Score:2)
Commercial enterprises (such as Exodus) will do anything and everything that is or should be criminal, provided they can get away with it. Do not even look for minimal ethics there, it is a complete waste of time.
Re: (Score:2)
Hacking with responsible disclosure is ethical. The fact that it may not be possible to do so profitably is irrelevant.
Hacking without responsible disclosure is always unethical, and what others choose to do is irrelevant. The fact that somebody else is acting unethically is not an excuse for you to act unethically too!
No. We're exactly
Re: (Score:2)
I think this is more akin to "an eye for an eye makes the whole world blind". But obviously, just because something is a catchy statement, that doesn't mean it's good advice.
If other people are attacking you, should you lay down all your weapons and hope they do the same? Maybe, but it's not a cut and dry
Re: (Score:2)
Are people attacking Exodus via TOR? If not, then what ethical justification does it have for involving itself as the NSA's mercenary?
I'm all for self-defense; it's aiding aggression that I find unethical.
Re: (Score:2)
Are people attacking Exodus via TOR? If not, then what ethical justification does it have for involving itself as the NSA's mercenary?
I'm all for self-defense; it's aiding aggression that I find unethical.
I don't think it matters whether we take Exodus or the US Government. I'm not really sure why being a mercenary is so bad? What is the difference if the US Government pays Exodus or hires the people working for Exodus to write exploits directly?
And yes, people are using Tor to fight against the US; certainly hackers and terrorists use Tor. (I don't believe more than a small fraction of Tor users are malicious, but malicious users undoubtedly exist.)
If you have responsibly disclosed every exploit you know
Re: (Score:2)
The difference is motivation. If you're partisan -- if you're motivated because you think the cause is just -- then maybe it's ethical to fight. If you're motivated by money and otherwise don't care, it's clearly unethical.
(I say "maybe" because it's not ethical to f
Re: (Score:3)
http://www.wired.com/2014/04/o... [wired.com]
We can still break into the systems we "need" to break into, without keeping a full hand of all possible vulnerabilities. To reduce our overall exposure to risk, it makes sense to disclose most of these to vendors for patching, maybe some with a delay. Our government can buy up vulnerabilities from Exodus, then release them -- Exodus gets paid, we get somewhat better security all around, and the NSA gets a few last holes to work with.
Re: (Score:2)
Our government can buy up vulnerabilities from Exodus, then release them
Or just buy up Exodus, period, continue operating it as a GOC, and release vulnerabilities as they're discovered.
Re: (Score:2)
but if I did it and sold it on the market on the country that I am in or their neighbouring countries then I would be unethical/criminal?
wtf? there's no "due time".
they could be just bullshitting too and just waiting for fixes to come in and then say "yeah those were the vulns".
furthermore, they would be vulnerabilities in the firefox code or the tor code which would count as news on their own. or perhaps they're just buggy drivers for wifi or ethernet. we don't know and now they're just doing two things,
Re: (Score:2)
Libertarianism run amok. Apparently the need to stay in business trumps any moral concerns.
Re: (Score:2)
Business is neither moral nor immoral but AMORAL. People are either moral or immoral; they are not amoral. Everyone is a hypocrite and at some point will violate their own moral code. This is called situational ethics, and is popular in politics.
If your personal code of ethics prevents you from doing business with people who are hypocritical (evil, bad, immoral etc.), then you'll be doing business with nobody. The best you can do is do business with people who support your ideals more often than the other guys
Re: (Score:2)
Response to parent post, you brain-dead moron.
Re:Wait, wait... (Score:5, Insightful)
Doesn't that put them dangerously close to criminal like the guys that sell zero days to the Russian mob?
I'm thinking yes but it will be ignored because their customers include bad guys within the U.S. government.
OT: signature (Score:2)
Im stealing your signature...
They have no accountability (Score:5, Insightful)
Re: (Score:2)
Agreed - and in this case "Hackers" == "Nation States"
Re: (Score:2)
They're either selling or sold the vulnerability to government agencies or just FUD against Tails.
Re: (Score:2)
No, this is business.
Why would you want to use morality in business ?
Re: (Score:2)
It is the most unethical thing they can do. On the plus-side, this may help Tails (and Tor) to get ahead of the game again, as this draws a lot of attention to the problem.
Scaremongering? (Score:1)
Every OS has 0-day issues - no such thing as an OS without them. However, dare I say that there is a little scaremongering on here in relation to Tails? If you can't stop them, throw some mud or sow the seeds of doubt?
Re: (Score:2)
Every OS has 0-day issues - no such thing as an OS without them.
Except for Oberon... (And other similar designs in the spirit of "obviously no deficiencies")
Re: (Score:2)
How does that work? If there is an easy way to guarantee no deficiencies, why isn't it used always?
Re: (Score:2)
How does it assure no deficiencies? And why don't other projects use that methodology?
Re: (Score:2)
How does it assure no deficiencies?
I spelled out the "obviously no deficiencies" part, haven't I? How up to date are you with your Hoare lectures?
And why don't other projects use that methodology?
Because they'd have to change their whole direction? As I said, compact things fell out of fashion in the SW arena.
FUD? (Score:5, Insightful)
This sounds like FUD against Tails. A security research firm finds some undisclosed zero-days in Tails, but doesn't describe what they could do - arbitrary code execution? De-anonymization? They then go on to say that they haven't told the Tails maintainers what the vulnerabilities are, but will "in due time", implying they're going to sell them off to the government first. Exodus Intelligence also does a lot of business with the US government, possibly including the NSA.
To me, this sounds like they probably found some minor zero-days and are trying to spread FUD (likely spurred on by their clients in the government) to get people to stop using Tails. After all, we know that the NSA is trying to put people who attempt to download Tails on a watchlist for further scrutiny.
Re:FUD? (Score:4, Insightful)
If any government gets to know that you have an exploit for a very secure system they are targeting, you will surely be contacted and will earn a lot of money. Disclosing the vulnerability to the maintainers will destroy a great part of the value.
I would say it's FUD if the vulns were advertised by some competing Linux distro.
It's FUD? (Score:2)
Disclosing the existence of a vulnerability destroys a lot of its value, too. People who can stop using Tails until the issue is sorted out will do so, shutting off whatever intelligence could be gathered from them. If these guys had a real-world exploitable vulnerability and a willingness to sell it to the NSA, they would have sold it and said nothing.
Re:FUD? (Score:5, Insightful)
Carnegie Mellon is suppressing de-anonymising TOR discussion at Black Hat.
Talk on cracking Internet anonymity service Tor withdrawn from conference
By Joseph Menn
SAN FRANCISCO, July 21 Mon Jul 21, 2014 1:05pm EDT
Technology
(Reuters) - A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.
A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment. (Reporting by Joseph Menn; Editing by Chris Reese)
------
My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion that TOR is somehow ineffective alive. Let your mind run wild with speculation.
--
BMO
http://www.reuters.com/article... [reuters.com]
Re: (Score:3, Informative)
> My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion
> that TOR is somehow ineffective alive. Let your mind run wild with speculation.
Or...
The lawyers are worried that the testing violated wiretap laws and are trying to reduce CMU's legal liability. [techdirt.com]
Re: (Score:2)
Well, I am not sure about "minor". But a prime source of zero-days should be the JavaScript engine. Turn it off or use NoScript, and you may still be secure.
Re: (Score:2)
And that is a different story discussed in a different place. This discussion here is about zero-days in Tails, not about TOR vulnerabilities.
what environments allow USB boot? (Score:2)
What kind of real environment allows boot from a USB drive?
Re: (Score:3)
Anything that has a USB port, really.
Essentially, anything that is run by NGOs or individuals.
Sure, in a corporate or governmental/military environment, USB ports are usually a big ''no no'' but some of us like them USB gadgets.
(Yes, before anyone asks, there has been infiltration through contaminated USB drives and keys ''abandoned'' in strategic locations...)
Re:what environments allow USB boot? (Score:5, Insightful)
The kind of environment where the attacker is a sysadmin with access to the box and the ability to do whatever they feel like with BIOS, including enabling USB boot.
The default security posture of most organizations these days is to assume that a trusted insider will exploit the system at some point. Therefore everyone is implementing damage mitigation techniques so that they can respond quickly and understand the scope of the inevitable breach when it does occur.
Everyone is watching everyone else. The security guys get access to the firewalls and the IDS, but cannot touch the servers. The server guys cannot touch the backups. The backup team cannot initiate a restore without two levels of change control approval. It is a serious PITA for everyone involved and a gross inefficiency.
The first time an auditor told me that they cannot trust me, my knee jerk reaction was to tell them to go fuck themselves. Eventually I realized that I am in a very risky position with access to a lot of sensitive information. The key is not that they do not trust me, it is that they CANNOT trust me. While I may be trustworthy, who is to say that someone else in my same position, with my same level of access, is also trustworthy? Just like I have to assume that any executable downloaded from the internet is potentially full of malicious code, the risk management folks have to assume that every sysadmin in the organization is potentially full of malicious intent.
Re: (Score:3)
Trust but verify.
Re: (Score:3)
Well, the BIOS could be password protected, the case alarmed if opened. In either case you could work around those, but if I put that box in a busy hallway, that's not going to happen. Combine that with no optical media or USB ports, and I think that's a pretty safe box.
Now, you could mess with the hardware, via a hardware key logger, but that could be mitigated by soldering the wires directly as opposed to allowing a PS/2 port. And the keyboard could pr
Re: (Score:2)
Well, you could use PS/2, or serial, or even say "fuck it, no mouse for you. Here's a command line and a tab key."
Re: (Score:2)
I've used TAILS to do banking when I'm traveling and only have access to dodgy WiFi or hotel computers. I've found that it will boot and run on most any computer... sometimes you need to call up the boot menu and select the USB drive, other times "it just works".
It boots and runs from the USB stick and doesn't use the computer's mass storage at all. It performs a wipe of the RAM on exit. It encrypts everything, uses HTTPS and TOR; has a minimal secure browser and a more full featured insecure browser. OpenPG
Re: (Score:2)
Using Tor (Tails) _and_ doing financial transactions with it! You are sure to be on the short list for a drone-strike...
Classic Spook Stuff... (Score:1)
These people "Exodus Intelligence", who are they, where do they come from, what is their agenda, and how much are the Five-Eyes paying to discredit Tails?
Obligatory NSA food: Kalashnikov, Handbook of Urban Guerilla, bomb factory, Edward Snowden was right, GCHQ is staffed by lackeys and lickspittles.
Re: (Score:2)
I think you forgot "FCUK NSA" somewhere in that NSA food... Or is it "FSCK GCHQ''?
Re: (Score:2)
I am now Officially In a Bad Mood, at which point I am quite likely to send a sizable donation to the people who make Tails, and I encourage y'all to do the same.
Re: (Score:2)
Amen, brother.
(And don't forget the French!)
Re: (Score:3)
You do realize that you forgot to fnord that and they can totally see what you wrote, right?
Re: (Score:2)
Have no fear. /. is collection friendly, with the data being sent in plaintext. They have all of our posts, and sort them for content and categorize them by context.
Re: (Score:2)
Conspiracy theory (Score:4, Interesting)
Sounds fishy to me...
Perhaps the NSA (or another agency) has another Snowden on their hands and paid Exodus for this "release" to scare the leaker into not sending their data out...
Re:Conspiracy theory (Score:5, Funny)
Now THIS is the level of paranoia that I like to see.
Re: (Score:2)
Now THIS is the level of paranoia that I like to see.
It's funny what you'll believe when you can't believe anything anymore.
Re: (Score:2)
That's a depressingly accurate statement.
Curiosity (Score:1)
They have nothing! (Score:1)
Re: (Score:2)
There are some things you can do even when second-rate, just by throwing resources at the problem. They may also have _bought_ these exploits from people that are not second-rate.
Zero Days? Updates? (Score:2)
Not a troll, but how do you get updates on a LiveCD? a good safe distro would not only update bad code easily, but also prevent whatever malware gets in from writing to local disc. What to do?
Re: (Score:2)
We're talking about a USB stick.
I just updated my TAILS USB... password, trusted repository, good to go.
If you want, you can use a Live CD but then you can't have any encrypted local storage.
Re: (Score:2)
My point is - part of the security of a LiveCD is the fact it's a Read Only medium. Malware can't write to it.. But it also means you can't update buggy code. What if my LiveCD has Heartbleed?
The AC who commented "burn a new one" doesn't know how most distros do things, which is not to create a new CD image every time a package changes. The CD image is current on Day 1, and deviates from the true distro starting possibly on Day 2. Unless you only use the CD Image on release days, you'll always be slightly b
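One way to measure how far a read-only live image has drifted from the repository it was built from, as an added example that is not code from the thread, from Tails or from Debian: parse the package list baked into the image and the repository's current index, and compare versions with the dpkg ordering (epoch, then upstream, then revision; `~` sorts before everything, letters before other non-digits, digit runs numerically). The two index texts below are constructed for illustration, and the package names and version strings in them are hypothetical, not the contents of any real Tails release.

```python
"""Compare the package versions baked into a live image against a current
Debian-style Packages index and list what has gone stale.

Added example, not part of the Slashdot thread or of Tails itself.  The
sample index text below is constructed; the version comparison follows
the dpkg algorithm.
"""


def _order(ch: str) -> int:
    """Sort weight of one character in a non-digit run, as in dpkg."""
    if ch == "~":
        return -1          # '~' sorts before everything, even end-of-string
    if ch.isdigit():
        return 0           # only reached when the other side is a non-digit
    if ch.isalpha():
        return ord(ch)     # letters sort before punctuation
    return ord(ch) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg-style comparison of one fragment (upstream or revision).

    Alternates between non-digit runs (compared with _order, end-of-string
    weighing 0) and digit runs (compared numerically, leading zeros dropped).
    Returns <0, 0 or >0.
    """
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more digits, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' (revision = after the last '-')."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, rev = v.rpartition("-")
    if not sep:
        upstream, rev = v, ""
    return epoch, upstream, rev


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with dpkg semantics for version strings a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def parse_packages(index_text: str) -> dict:
    """Parse a Packages-style index (blank-line separated stanzas) into {name: version}."""
    versions = {}
    for stanza in index_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace() and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            versions[fields["Package"]] = fields["Version"]
    return versions


def stale_packages(image_index: str, repo_index: str) -> list:
    """Return (name, on_image, in_repo) for every package the repo has updated since the image was built."""
    on_image = parse_packages(image_index)
    in_repo = parse_packages(repo_index)
    stale = []
    for name, installed in sorted(on_image.items()):
        available = in_repo.get(name)
        if available is not None and compare_versions(installed, available) < 0:
            stale.append((name, installed, available))
    return stale


# Constructed sample data (hypothetical versions, not a real Tails image).
IMAGE_INDEX = """\
Package: openssl
Version: 1.0.1e-2+deb7u7
Architecture: amd64

Package: tor
Version: 0.2.4.22-1~d70.wheezy+1

Package: iceweasel
Version: 24.7.0esr-1~deb7u1
"""

REPO_INDEX = """\
Package: openssl
Version: 1.0.1e-2+deb7u12

Package: tor
Version: 0.2.4.23-1~d70.wheezy+1

Package: iceweasel
Version: 24.7.0esr-1~deb7u1

Package: linux-image-amd64
Version: 3.2+46
"""

if __name__ == "__main__":
    for name, old, new in stale_packages(IMAGE_INDEX, REPO_INDEX):
        print(f"{name}: image has {old}, repository has {new}")
```

Run against a real image you would feed it the `/var/lib/dpkg/status`-derived list from the image and the `Packages` file of the matching repository; the comparison also handles the cases the naive string compare gets wrong (`1.0~rc1` before `1.0`, `deb7u12` after `deb7u7`, an epoch outranking everything after it).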
Re: (Score:2)
They just send data to some server they own in clear and they know your last public IP. For spywork, that is enough. If laws are draconian enough, they are also sure to find _something_ when they kick down your door. Also, when you are not on US ground (warning: current state, this may change), they may also just drone-murder you and bypass any legality whatsoever.
They're everywhere! (Score:2)
It's an NSA backdoor!
As Easy to See Through as Glass (Score:2)
Hmmmm.... Let's see... Snowden embarrasses NSA using Tails; suddenly Tails has scary "vulnerabilities"; a new company / entity on the scene says it will make everything nice.
What's the likely truth here? Snowden embarrassed NSA using Tails; NSA plants a disinformation campaign to the extent of "vulnerabilities"; the new company / entity is an NSA puppet that will give you a new Tails every bit as reliable as the new TrueCrypt.
First grade simple so it's not suspected until..... (complete the sentence).
W
Re: (Score:2)
Nope, we don't use unmaintained, unaudited, open sores garbage.
So I guess that means you use unauditable, backdoored, closed source garbage then, huh?
Well. (Score:2)