Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS
New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.
What could allow remote code execution in Tails but not affect Firefox or any of the other software us non-terrorists use? A bug in Tor itself?
The company plans to tell the Tails team about the issues "in due time"
I'm 100% certain "in due time" would come a lot sooner if the Tails OS maintainers coughed up the right fee, which means that this is most definitely NOT responsible disclosure.
I get that security researchers have to eat too, but damn - this sort of reeks of extortion. Maybe I'm wrong, but I know if I had a code project and some company said they knew I had holes but refused to tell me upon asking, extortion would be the first effing thought that would come to mind.
Quo usque tandem abutere, Nimbus, patientia nostra?
So they are selling vulnerabilities to hackers rather than telling the source maintainers? That's irresponsible at best.
Every OS has 0-day issues - no such thing as an OS without them. However, dare I say that there is a little scaremongering on here in relation to Tails? If you can't stop them throw some mud or sow the seeds of doubt?
This sounds like FUD against Tails. A security research firm finds some undisclosed zero-days in Tails, but doesn't describe what they could do - arbitrary code execution? De-anonymization? They then go on to say that they haven't told the Tails maintainers what the vulnerabilities are, but will "in due time", implying they're going to sell them off to the government first. Exodus Intelligence also does a lot of business with the US government, possibly including the NSA.
To me, this sounds like they probably found some minor zero-days and are trying to spread FUD (likely spurred on by their clients in the government) to get people to stop using Tails. After all, we know that the NSA is trying to put people who attempt to download Tails on a watchlist for further scrutiny.
Consider the details:
- "We have a vulnerability and we're not telling you what it is!"
- The vulnerability only worst is the newest upcoming Tails release! If you want to be secure, run old unpatched OSes.
If this doesn't sound like the NSA selling Dual_EC_DRBG or one of their other super secure extra-short key length ECC solutions, I don't know what does.
What kind of real environment allows boot from a USB drive?
I want to delete my account but Slashdot doesn't allow it.
Tails is clearly a big problem for the NSA. They can't crack it, so they spread disinformation and FUD instead, to put people off using it.
These people "Exodus Intelligence", who are they, where do they come from, what is their agenda, and how much are the Five-Eyes paying to discredit Tails?
Obligatory NSA food: Kalashnikov, Handbook of Urban Guerilla, bomb factory, Edward Snowden was right, GCHQ is staffed by lackeys and lickspittles.
"Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
My theory is that Steve Ballmer is bored in his retirement and feels the need to troll open source sites.
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
Sounds fishy to me...
Perhaps the NSA (or another agency) has another Snowden on their hands and paid Exodus for this "release" to scare the leaker into not sending their data out...
Way to not address my points. Defend and deflect at all costs!!
Tor's "security" is a total joke. The FBI and NSA can easily deanonymise people or simply use their own nodes to inject malware into people's computers to pwn you that way.
They are doing it wrong. Notify then publicize.
<rant>
I don't think people understand what vulnerability sellers really do. They invest thousands of man and computer hours into finding bugs which people are willing to pay lots of money for. As a business, they want to keep their customer base happy, which means allowing their customers (yes, presumably the NSA/FBI/etc.) to use their exploits rather than selling them to Tails OS maintainers. Yes, it's probably the case that these exploits don't just go to nabbing child pornographers or drug traffickers, they also probably try to catch the next Snowden, which not everyone agrees is The Right Thing To Do. But for what it's worth, I'd still trust the US government (even with all its faults) far more than the Russians or Chinese.
But let's be honest here, Tails OS maintainers probably couldn't afford the same price that Exodus's customers will happily pay. Even if Exodus were happy to sell it to the Tails folks, that is certainly going to be a loss of money.
The arguments I'm used to hearing go something like "but it's obviously unethical, they should just responsibly report and disclose vulnerabilities they find". But this is a total crap argument. The options Exodus has aren't "sell to governments" or "responsibly disclose for little to no fee". The options are "sell to governments" or "go out of business". So maybe someone will say "fine, they should go out of business, then we will all obviously be safer!".
But, well, it's not really clear that's the case. If Exodus (or Vupen, or whomever) quit, it's not like suddenly the government would stop looking for exploits. And if the US government did, it's not like China or Russia would. And if they did, it's not like criminal organizations would stop. You aren't going to stop vulnerabilities from happening or being sold. Game theoretically, it seems like the right choice is to keep the US government snatching up what vulnerabilities it can to keep in its back pocket for espionage. Not doing so would be a huge blow to US intelligence agencies, when every other major government out there is working on the same capabilities.
At this point some folks might say: but doesn't that mean we'd all just be safer if the government just released all the vulnerabilities they knew about to vendors to have them patched? Then the Chinese/Russians/criminals wouldn't be able to break in! Sadly, that's not how security works. You can patch 100 vulnerabilities, but if you miss one, you'll still lose. Staying open about every vulnerability would almost certainly hurt foreign intelligence, true, but if the US government is sharing every vulnerability they know about, and $ENEMY isn't, then US intelligence is going to be at a disadvantage, hands down.
So, when Exodus wants to invest time and money in finding exploits in your favorite application and turning a profit to help their government against Chinese/Russian/criminal agencies, that doesn't bother me.
</rant>
All this gave me the will to take a look at Tails.
Sure, cold fjord. Not even trying to hide your shilling anymore?
Dr. Evil strikes again.
Wow... you shills comment on literally every post don't you? How much money do you guys make? Is this a legitimate work-at-home with full government benefits or do you worry sometimes that they won't cut you a check? I've had bad luck with these kinds of things. Let a brotha know!
I think you know it already, as you happen to have an established shilling career for The Linux Foundation.
Disclosing the existence of a vulnerability destroys a lot of its value, too. People who can stop using Tails until the issue is sorted out will do so, shutting off whatever intelligence could be gathered from them. If these guys had a real-world exploitable vulnerability and a willingness to sell it to the NSA, they would have sold it and said nothing.
0 1 - just my two bits
Exodus Intelligence - a euphemism for cock-sucking maggots. It's just FUD. Their techs are second rate hacks who couldn't make it in the ether and decided to get day jobs and pay taxes instead.
Hope is the currency of fools
Wonder if Exodus' directors have considered what the civil or criminal liabilities could be for knowingly withholding information that could have prevented deaths, torture, catastrophic damages, data loss or theft, etc., just for a few bucks. Wonder also if their customers couldn't be liable or complicit as well. Would RICO apply here, I wonder? Patriot Act? Could not advertising such knowledge be considered a form of terrorism? Reverse blackmail?
If not, then why is there such a double standard vis-a-vis "white hats" and cops who constantly have to shit on hackers in order to shine their Eagle Scout good-guy badges, when anyone with any knowledge knows they're as dirty as anyone else. If not more so.
Whatever. Anyway, I hear some room's been freed up at Gitmo...
Not a troll, but how do you get updates on a LiveCD? A good safe distro would not only update bad code easily, but also prevent whatever malware gets in from writing to local disc. What to do?
I'm stealing your signature...
Yes, but open source (volunteer) shilling doesn't pay so good.
I suppose if they can execute remote code, they can find the BIOS, MB, and hardware Mac address, but if you never use your hardware Mac address and never not use Tor, then it's not correlatable. They can ping a server that will give away your ip, but what if your router is routing through Tor and your computer does not have access to it? I figured it was hackable, although I thought it was likely a browser issue because, being in a life-long weird ass CIA experiment, everything I use gets hacked into, like a sort of game, and it's usually noticeable, although they may make it noticeable on purpose, but I'm wondering if there are precautions that can be taken, like the aforementioned set the router to route through tor so no IP can be deduced and don't give your computer access to the router and the one that does have access should be kept offline, plus the router should not allow configuration access from the computer being used, in addition, I think the entry point to Tor should be a trusted entry point, as if you're connected to one of their relays or a hacked relay, then they can correlate data patterns with your IP. The problem is largely a long-held IP system.
"We're happy to see that TAILS 1.1 is being released tomorrow. Our multiple RCE/de-anonymization zero-days are still effective."
via @ExodusIntel: https://twitter.com/ExodusInte...
#$%#
"Exploit Dealer: Snowden's Favourite OS TAILS Has Zero-Day Vulnerabilities Lurking Inside"
Thomas Brewster | Security | 7/21/2014 @ 2:14PM
http://www.forbes.com/sites/th...
#$%#
"The flaws work on the latest version of TAILS and allow for the ability to exploit a targeted user, both for de-anonymisation and remote code execution," said Loc Nguyen a researcher at Exodus. Remote code execution means a hacker can do almost anything they want to the victim's system, such as installing malware or siphoning off files.
"Considering that the purpose of TAILS is to provide a secure non-attributable platform for communications, users are verifiably at-risk due to these flaws. For the TAILS platform, privacy is contingent on maintaining anonymity and ensuring their actions and communications are not attributable. Thus, any violation of those foundational pillars should be considering highly critical," added Nguyen. This affects every user of TAILS, who should all "diversify security platforms so as not to put all your eggs in one basket", he added.
All users, including Snowden, should be wary of using TAILS with a false sense of security, though it's still more likely to protect anonymity than Windows. Exodus sells to private and public businesses hoping to use the findings for either offensive or defensive means. Those unconcerned about governments targeting their systems might not be concerned about the TAILS zero-days. Others will likely be anxious one of their trusted tools to avoid government hackers contains vulnerabilities that could be exploited to spy on any user of the OS."
#$%#
Don't look, Snowden: Security biz chases TAILS with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
By Iain Thomson | 21 Jul 2014
http://www.theregister.co.uk/2...
#$%#
RE: TAILS: https://tails.boum.org/
What, your co-conspirators at your favorite slaveware peddling company didn't use openssl? If companies donated just 10% of what they shell out for slaveware the open source projects they use would be way better than anything else available (even though lots already are, despite the selfish users). These dumb bastards think they are comparing two "products" so it's ok to criticize. One is a deceptive product aimed at stealing your kids' future and one is a contribution to humanity. You don't get to criticize b/c you're part of the problem. I think deep down you already know this is true, but you're too much of a liar to admit it.
That word must have undergone some rapid semantic shift. They're spreading unspecific rumours to discredit Tails.
It's an NSA backdoor!
^-- downvote this misinformation.
man, the website of exodus unintelligence gives a blow by blow timeline some retarded jocks aaron and paul and zef? telling of all their awesome geeky fudge packing. Is this really an intelligence business? fuckin' facebook fartburgers, give me a break. More importantly hand over the details of the exploit and stop being bitches.
Nope, we don't use unmaintained, unaudited, open sores garbage.
Hmmmm.... Let's see... Snowden embarrasses NSA using Tails; suddenly tails has scary "vulnerabilities"; a new company / entity on the scene says it will make everything nice.
What's the likely truth here? Snowden embarrassed NSA using Tails; NSA plants disinformation campaign to the extent of "vulnerabilities"; the new company / entity is an NSA puppet that will give you a new Tails every bit as reliable as the new TrueCrypt.
First grade simple so it's not suspected until..... (complete the sentence).
What do YOU think?
Those are my principles, and if you don't like them... well, I have others.
Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS.
No it fucking doesn't, Timothy, you illiterate moron. Detail them is exactly what Exodus have not done. They have done nothing except assert their existence, sans proof or evidence.
Snowden gave nothing to Russia or China. Even the head of the NSA has stated that. He gave nothing to any national party. It makes me wonder what you are. But I doubt you will ever be a little star.
If you don't want open sores, don't bang AC's mom without a raincoat.
Nope, we don't use unmaintained, unaudited, open sores garbage.
So I guess that means you use unauditable, backdoored, closed source garbage then, huh?
"City hall" in German is "Rathaus" Kinda explains a few things......