
Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

Posted by timothy
from the compared-to-what? dept.
New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.
  • Wait, wait... (Score:5, Insightful)

    by Penguinisto (415985) on Tuesday July 22, 2014 @12:15PM (#47508417) Journal

    The company plans to tell the Tails team about the issues "in due time"

    I'm 100% certain "in due time" would come a lot sooner if the Tails OS maintainers coughed up the right fee, which means that this is most definitely NOT responsible disclosure.

    I get that security researchers have to eat too, but damn - this sort of reeks of extortion. Maybe I'm wrong, but I know if I had a code project and some company said they knew I had holes but refused to tell me upon asking, extortion would be the first effing thought that would come to mind.

    • Re:Wait, wait... (Score:4, Insightful)

      by Noryungi (70322) on Tuesday July 22, 2014 @12:33PM (#47508593) Homepage Journal

      No, not extortion against Tails - extortion of money from the NSA or whoever else their "clients" are.

      I am sure a lot of TLAs right now are salivating -- unless they have discovered these vulnerabilities before Exodus. In which case, silence can be golden, indeed.

      • by MacDork (560499)
        Or it's bullshit to scare people away from tails. Have they demonstrated the exploit?
    • by Anonymous Coward

      If you don't think these fees are fair, you can pay someone else to audit your code.

    • Re:Wait, wait... (Score:5, Insightful)

      by sjames (1099) on Tuesday July 22, 2014 @01:09PM (#47508893) Homepage

      Doesn't that put them dangerously close to criminal like the guys that sell zero days to the Russian mob?

      I'm thinking yes but it will be ignored because their customers include bad guys within the U.S. government.

    • Im stealing your signature...

    • Nothing personal, but vaporous unconfirmable zero day reports like this strike me as more of a "My uncle works at Nintendo, and he got a copy of the secret developer nude Mario Brothers cart. No, it's at his house...In Hawaii. No, he won't mail it to me to show you."
  • by stewsters (1406737) on Tuesday July 22, 2014 @12:20PM (#47508457)
    So they are selling vulnerabilities to hackers rather than telling the source maintainers? That's irresponsible at best.
    • by Minupla (62455)

      Agreed - and in this case "Hackers" == "Nation States"

    • by klui (457783)

      They're either selling or sold the vulnerability to government agencies or just FUD against Tails.

    • by eulernet (1132389)

      No, this is business.
      Why would you want to use morality in business ?

    • by gweihir (88907)

      It is the most unethical thing they can do. On the plus-side, this may help Tails (and Tor) to get ahead of the game again, as this draws a lot of attention to the problem.

  • by Anonymous Coward

    Every OS has 0-day issues - no such thing as an OS without them. However, dare I say that there is a little scaremongering on here in relation to Tails? If you can't stop them, throw some mud or sow the seeds of doubt?

    • Every OS has 0-day issues - no such thing an OS without them.

      Except for Oberon... (And other similar designs in the spirit of "obviously no deficiencies")

      • How does that work? If there is an easy way to guarantee no deficiencies, why isn't it used always?

        • Because small software fell out of favor some time ago. And it doesn't do HTML5 yet. :-) (It may not be actually easy, but compared to the man-years needed to create the 100MLOC behemoths of today, it doesn't seem such a far-fetched prospect to me! Especially if we're talking about specialized secure computing systems, where one might be expected to be willing to do a few sacrifices...)
          • How does it assure no deficiencies? And why don't other projects use that methodology?

            • How does it assure no deficiencies?

              I spelled out the "obviously no deficiencies" part, didn't I? How up to date are you with your Hoare lectures?

              And why don't other projects use that methodology?

              Because they'd have to change their whole direction? As I said, compact things fell out of fashion in the SW arena.

  • FUD? (Score:5, Insightful)

    by Joe Gillian (3683399) on Tuesday July 22, 2014 @12:22PM (#47508475)

    This sounds like FUD against Tails. A security research firm finds some undisclosed zero-days in Tails, but doesn't describe what they could do - arbitrary code execution? De-anonymization? They then go on to say that they haven't told the Tails maintainers what the vulnerabilities are, but will "in due time", implying they're going to sell them off to the government first. Exodus Intelligence also does a lot of business with the US government, possibly including the NSA.

    To me, this sounds like they probably found some minor zero-days and are trying to spread FUD (likely spurred on by their clients in the government) to get people to stop using Tails. After all, we know that the NSA is trying to put people who attempt to download Tails on a watchlist for further scrutiny.

    • Re:FUD? (Score:4, Insightful)

      by thoriumbr (1152281) on Tuesday July 22, 2014 @12:44PM (#47508697) Homepage
      I don't think this is FUD.

      If any government gets to know that you have an exploit for a very secure system they are targeting, you will surely be contacted and will earn a lot of money. Disclosing the vulnerability to the maintainers will destroy a great part of the value.

      I would say it's FUD if the vulns were advertised by some competing Linux distro.
      • Disclosing the existence of a vulnerability destroys a lot of its value, too. People who can stop using Tails until the issue is sorted out will do so, shutting off whatever intelligence could be gathered from them. If these guys had a real-world exploitable vulnerability and a willingness to sell it to the NSA, they would have sold it and said nothing.

    • Re:FUD? (Score:5, Insightful)

      by bmo (77928) on Tuesday July 22, 2014 @01:09PM (#47508889)

      Carnegie Mellon is suppressing de-anonymising TOR discussion at Black Hat.

      Talk on cracking Internet anonymity service Tor withdrawn from conference

      By Joseph Menn

      SAN FRANCISCO, Mon Jul 21, 2014 1:05pm EDT

      (Reuters) - A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.

      A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment. (Reporting by Joseph Menn; Editing by Chris Reese)

      ------

      My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion that TOR is somehow ineffective alive. Let your mind run wild with speculation.

      --
      BMO

      http://www.reuters.com/article... [reuters.com]

    • by gweihir (88907)

      Well, I am not sure about "minor". But a prime source of zero-days should be the JavaScript engine. Turn it off or use NoScript, and you may still be secure.

  • What kind of real environment allows boot from a USB drive?

    • by Noryungi (70322)

      Anything that has a USB port, really.

      Essentially, anything that is run by NGOs or individuals.

      Sure, in a corporate or governmental/military environment, USB ports are usually a big "no-no", but some of us like them USB gadgets.

      (Yes, before anyone asks, there has been infiltration through contaminated USB drives and keys "abandoned" in strategic locations...)

    • by dave562 (969951) on Tuesday July 22, 2014 @12:56PM (#47508785) Journal

      The kind of environment where the attacker is a sysadmin with access to the box and the ability to do whatever they feel like with BIOS, including enabling USB boot.

      The default security posture of most organizations these days is to assume that a trusted insider will exploit the system at some point. Therefore everyone is implementing damage mitigation techniques so that they can respond quickly and understand the scope of the inevitable breach when it does occur.

      Everyone is watching everyone else. The security guys get access to the firewalls and the IDS, but cannot touch the servers. The server guys cannot touch the backups. The backup team cannot initiate a restore without two levels of change control approval. It is a serious PITA for everyone involved and a gross inefficiency.

      The first time an auditor told me that they cannot trust me, my knee jerk reaction was to tell them to go fuck themselves. Eventually I realized that I am in a very risky position with access to a lot of sensitive information. The key is not that they do not trust me, it is that they CANNOT trust me. While I may be trustworthy, who is to say that someone else in my same position, with my same level of access, is also trustworthy? Just like I have to assume that any executable downloaded from the internet is potentially full of malicious code, the risk management folks have to assume that every sysadmin in the organization is potentially full of malicious intent.

    • by mspohr (589790)

      I've used TAILS to do banking when I'm traveling and only have access to dodgy WiFi or hotel computers. I've found that it will boot and run on most any computer... sometimes you need to call up the boot menu and select the USB drive, other times "it just works".
      It boots and runs from the USB stick and doesn't use the computer's mass storage at all. It performs a wipe of the RAM on exit. It encrypts everything, uses HTTPS and TOR; has a minimal secure browser and a more full featured insecure browser. OpenPG

      • by gweihir (88907)

        Using Tor (Tails) _and_ doing financial transactions with it! You are sure to be on the short list for a drone-strike...

  • Tails is clearly a big problem for the NSA. They can't crack it, so they spread disinformation and FUD instead, to put people off using it.

    These people "Exodus Intelligence", who are they, where do they come from, what is their agenda, and how much are the Five-Eyes paying to discredit Tails?

    Obligatory NSA food: Kalashnikov, Handbook of Urban Guerrilla, bomb factory, Edward Snowden was right, GCHQ is staffed by lackeys and lickspittles.
    • by Noryungi (70322)

      I think you forgot "FCUK NSA" somewhere in that NSA food... Or is it "FSCK GCHQ''?

      • F**k 'em both, and the equivalents in Canada, Oz, and NZ, and the lazy, corrupt and incompetent oversight committees. Oh and by the way, did you notice the Germans have been at it too, though not on the same scale.

        I am now Officially In a Bad Mood, at which point I am quite likely to send a sizable donation to the people who make Tails, and I encourage y'all to do the same.
    • by dave562 (969951)

      You do realize that you forgot to fnord that and they can totally see what you wrote, right?

      • Oh sorry, should I be encrypting my NSA Food, to make sure they read it?
        • by dave562 (969951)

          Have no fear. /. is collection friendly, with the data being sent in plaintext. They have all of our posts, and sort them for content and categorize them by context.

  • Conspiracy theory (Score:4, Interesting)

    by Charliemopps (1157495) on Tuesday July 22, 2014 @12:37PM (#47508629)

    Sounds fishy to me...
    Perhaps the NSA (or another agency) has another Snowden on their hands and paid Exodus for this "release" to scare the leaker into not sending their data out...

  • All this gave me the will to take a look at Tails.
  • Exodus Intelligence - a euphemism for cock-sucking maggots. It's just FUD. Their techs are second rate hacks who couldn't make it in the ether and decided to get day jobs and pay taxes instead.
    • by gweihir (88907)

      There are some things you can do even when second-rate, just by throwing resources at the problem. They may also have _bought_ these exploits from people that are not second-rate.

  • Not a troll, but how do you get updates on a LiveCD? A good, safe distro would not only update bad code easily, but also prevent whatever malware gets in from writing to local disc. What to do?

    • by mspohr (589790)

      We're talking about a USB stick.
      I just updated my TAILS USB... password, trusted repository, good to go.
      If you want, you can use a Live CD but then you can't have any encrypted local storage.

      • My point is - part of the security of a LiveCD is the fact it's a Read Only medium. Malware can't write to it.. But it also means you can't update buggy code. What if my LiveCD has Heartbleed?

        The AC who commented "burn a new one" doesn't know how most distros do things, which is not to create a new CD image every time a package changes. The CD image is current on Day 1, and deviates from the true distro starting possibly on Day 2. Unless you only use the CD Image on release days, you'll always be slightly b

  • It's an NSA backdoor!

  • Hmmmm.... Let's see... Snowden embarrasses NSA using Tails; suddenly Tails has scary "vulnerabilities"; a new company / entity on the scene says it will make everything nice.

    What's the likely truth here? Snowden embarrassed NSA using Tails; NSA plants disinformation campaign to the extent of "vulnerabilities"; the new company / entity is an NSA puppet that will give you a new Tails every bit as reliable as the new TrueCrypt.

    First grade simple so it's not suspected until..... (complete the sentence).

    W
