
Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

Posted by timothy
from the compared-to-what? dept.
New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.

  • Re:Curious (Score:4, Interesting)

    by Penguinisto (415985) on Tuesday July 22, 2014 @12:18PM (#47508443) Journal

    What could allow remote code execution in Tails but not affect Firefox or any of the other software us non-terrorists use? A bug in Tor itself?

    Given that they likely had to add a few custom bits to ensure anonymity, and likely modified or ripped out a few other bits, odds are good that the customizations are where the issue lies.

    (...then again, perhaps the bug(s) can be found in the std. packages, but the researchers wanted to scare a smaller organization into becoming a customer first?)

  • Conspiracy theory (Score:4, Interesting)

    by Charliemopps (1157495) on Tuesday July 22, 2014 @12:37PM (#47508629)

    Sounds fishy to me...
    Perhaps the NSA (or another agency) has another Snowden on their hands and paid Exodus for this "release" to scare the leaker into not sending their data out...

  • Wait, wait... (Score:0, Interesting)

    by Anonymous Coward on Tuesday July 22, 2014 @12:58PM (#47508801)

    <rant>
    I don't think people understand what vulnerability sellers really do. They invest thousands of man and computer hours into finding bugs which people are willing to pay lots of money for. As a business, they want to keep their customer base happy, which means allowing their customers (yes, presumably the NSA/FBI/etc.) to use their exploits rather than selling them to Tails OS maintainers. Yes, it's probably the case that these exploits don't just go to nabbing child pornographers or drug traffickers, they also probably try to catch the next Snowden, which not everyone agrees is The Right Thing To Do. But for what it's worth, I'd still trust the US government (even with all its faults) far more than the Russians or Chinese.

    But let's be honest here, Tails OS maintainers probably couldn't afford the same price that Exodus's customers will happily pay. Even if Exodus were happy to sell it to the Tails folks, that is certainly going to be a loss of money.

    The arguments I'm used to hearing go something like "but it's obviously unethical, they should just responsibly report and disclose vulnerabilities they find". But this is a total crap argument. The options Exodus has aren't "sell to governments" or "responsibly disclose for little to no fee". The options are "sell to governments" or "go out of business". So maybe someone will say "fine, they should go out of business, then we will all obviously be safer!".

    But, well, it's not really clear that's the case. If Exodus (or Vupen, or whomever) quit, it's not like suddenly the government would stop looking for exploits. And if the US government did, it's not like China or Russia would. And if they did, it's not like criminal organizations would stop. You aren't going to stop vulnerabilities from happening or being sold. Game theoretically, it seems like the right choice is to keep the US government snatching up what vulnerabilities it can to keep in its back pocket for espionage. Not doing so would be a huge blow to US intelligence agencies, when every other major government out there is working on the same capabilities.

    At this point some folks might say: but doesn't that mean we'd all just be safer if the government just released all the vulnerabilities they knew about to vendors to have them patched? Then the Chinese/Russians/criminals wouldn't be able to break in! Sadly, that's not how security works. You can patch 100 vulnerabilities, but if you miss one, you'll still lose. Staying open about every vulnerability would almost certainly hurt foreign intelligence, true, but if the US government is sharing every vulnerability they know about, and $ENEMY isn't, then US intelligence is going to be at a disadvantage, hands down.

    So, when Exodus wants to invest time and money in finding exploits in your favorite application and turning a profit to help their government against Chinese/Russian/criminal agencies, that doesn't bother me.
    </rant>
