Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

Posted by timothy on from the compared-to-what? dept.

New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.

9 of 132 comments (clear)

  1. Wait, wait... by Penguinisto · · Score: 5, Insightful

    The company plans to tell the Tails team about the issues "in due time"

    I'm 100% certain "in due time" would come a lot sooner if the Tails OS maintainers coughed up the right fee, which means that this is most definitely NOT responsible disclosure.

    I get that security researchers have to eat too, but damn - this sort of reeks of extortion. Maybe I'm wrong, but I know if I had a code project and some company said they knew I had holes but refused to tell me upon asking, extortion would be the first effing thought that would come to mind.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Wait, wait... by Noryungi · · Score: 3, Insightful

      No, not extortion against Tails - extortion of money from the NSA or whoever else their ''clients'' are.

      I am sure a lot of TLAs right now are salivating -- unless they have discovered these vulnerabilities before Exodus. In which case, silence can be golden, indeed.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    2. Re:Wait, wait... by sjames · · Score: 4, Insightful

      Doesn't that put them dangerously close to criminal like the guys that sell zero days to the Russian mob?

      I'm thinking yes but it will be ignored because their customers include bad guys within the U.S. government.

    3. Re:Wait, wait... by mrchaotica · · Score: 4, Insightful

      The arguments I'm used to hearing go something like "but it's obviously unethical, they should just responsibly report and disclose vulnerabilities they find". But this is a total crap argument. The options Exodus has aren't "sell to governments" or "responsibly disclose for little to no fee". The options are "sell to governments" or "go out of business". So maybe someone will say "fine, they should go out of business, then we will all obviously be safer!".

      But, well, it's not really clear that's the case. If Exodus (or Vupen, or whomever) quit, it's not like suddenly the government would stop looking for exploits. And if the US government did, it's not like China or Russia would. And if they did, it's not like criminal organizations would stop. You aren't going to stop vulnerabilities from happening or being sold. Game theoretically, it seems like the right choice is to keep the US government snatching up what vulnerabilities it can to keep in its back pocket for espionage. Not doing so would be a huge blow to US intelligence agencies, when every other major government out there is working on the same capabilities.

      So what you're saying is that what Exodus is doing is unethical, but criminals would do the same thing anyway, so we might as well ignore Exodus' unethical behavior because they're on "our side?"

      Fuck that, and fuck you!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  2. They have no accountability by stewsters · · Score: 4, Insightful

    So they are selling vulnerabilities to hackers rather than telling the source maintainers? That's irresponsible at best.

  3. FUD? by timrod · · Score: 5, Insightful

    This sounds like FUD against Tails. A security research firm finds some undisclosed zero-days in Tails, but doesn't describe what they could do - arbitrary code execution? De-anonymization? They then go on to say that they haven't told the Tails maintainers what the vulnerabilities are, but will "in due time", implying they're going to sell them off to the government first. Exodus Intelligence also does a lot of business with the US government, possibly including the NSA.

    To me, this sounds like they probably found some minor zero-days and are trying to spread FUD (likely spurred on by their clients in the government) to get people to stop using Tails. After all, we know that the NSA is trying to put people who attempt to download Tails on a watchlist for further scrutiny.

    1. Re:FUD? by thoriumbr · · Score: 3, Insightful

      I don't think this is FUD.

      If any government gets to know that you have an exploit for a very secure system they are targeting, you will surely be contacted and will earn a lot of money. Disclosing the vulnerability to the mantainers will destroy a great part of the value.

      I would tell it's FUD if the vulns were advertised by some competing Linux distro.

    2. Re:FUD? by bmo · · Score: 4, Insightful

      Carnegie Mellon is suppressing de-anonymising TOR discussion at Black Hat.

      Talk on cracking Internet anonymity service Tor withdrawn from conference

      By Joseph Menn

      SAN FRANCISCO, July 21 Mon Jul 21, 2014 1:05pm EDT

              Technology

      (Reuters) - A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.

      A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment. (Reporting by Joseph Menn; Editing by Chris Reese)

      ------

      My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion that TOR is somehow ineffective alive. Let your mind run wild with speculation.

      --
      BMO

      http://www.reuters.com/article...

  4. Re:what environments allow USB boot? by dave562 · · Score: 5, Insightful

    The kind of environment where the attacker is a sysadmin with access to the box and the ability to do whatever they feel like with BIOS, including enabling USB boot.

    The default security posture of most organizations these days is to assume that a trusted insider will exploit the system at some point. Therefore everyone is implementing damage mitigation techniques so that they can respond quickly and understand the scope of the inevitable breach when it does occur.

    Everyone is watching everyone else. The security guys get access to the firewalls and the IDS, but cannot touch the servers. The server guys cannot touch the backups. The backup team cannot initiate a restore without two levels of change control approval. It is a serious PITA for everyone involved and a gross inefficiency.

    The first time an auditor told me that they cannot trust me, my knee jerk reaction was to tell them to go fuck themselves. Eventually I realized that I am in a very risky position with access to a lot of sensitive information. The key is not that they do not trust me, it is that they CANNOT trust me. While I may be trustworthy, who is to say that someone else in my same position, with my same level of access, is also trustworthy? Just like I have to assume that any executable downloaded from the internet is potentially full of malicious code, the risk management folks have to assume that every sysadmin in the organization is potentially full of malicious intent.