Slashdot Mirror


Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.


  1. Wait, wait... by Penguinisto · · Score: 5, Insightful

    The company plans to tell the Tails team about the issues "in due time"

    I'm 100% certain "in due time" would come a lot sooner if the Tails OS maintainers coughed up the right fee, which means that this is most definitely NOT responsible disclosure.

    I get that security researchers have to eat too, but damn - this sort of reeks of extortion. Maybe I'm wrong, but I know if I had a code project and some company said they knew I had holes but refused to tell me upon asking, extortion would be the first effing thought that would come to mind.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Wait, wait... by Noryungi · · Score: 3, Insightful

      No, not extortion against Tails - extortion of money from the NSA or whoever else their ''clients'' are.

      I am sure a lot of TLAs right now are salivating -- unless they have discovered these vulnerabilities before Exodus. In which case, silence can be golden, indeed.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    2. Re:Wait, wait... by Anonymous Coward · · Score: 1

      If you don't think these fees are fair, you can pay someone else to audit your code.

    3. Re:Wait, wait... by sjames · · Score: 4, Insightful

      Doesn't that put them dangerously close to criminal like the guys that sell zero days to the Russian mob?

      I'm thinking yes but it will be ignored because their customers include bad guys within the U.S. government.

    4. Re:Wait, wait... by mrchaotica · · Score: 4, Insightful

      The arguments I'm used to hearing go something like "but it's obviously unethical, they should just responsibly report and disclose vulnerabilities they find". But this is a total crap argument. The options Exodus has aren't "sell to governments" or "responsibly disclose for little to no fee". The options are "sell to governments" or "go out of business". So maybe someone will say "fine, they should go out of business, then we will all obviously be safer!".

      But, well, it's not really clear that's the case. If Exodus (or Vupen, or whomever) quit, it's not like suddenly the government would stop looking for exploits. And if the US government did, it's not like China or Russia would. And if they did, it's not like criminal organizations would stop. You aren't going to stop vulnerabilities from happening or being sold. Game theoretically, it seems like the right choice is to keep the US government snatching up what vulnerabilities it can to keep in its back pocket for espionage. Not doing so would be a huge blow to US intelligence agencies, when every other major government out there is working on the same capabilities.

      So what you're saying is that what Exodus is doing is unethical, but criminals would do the same thing anyway, so we might as well ignore Exodus' unethical behavior because they're on "our side?"

      Fuck that, and fuck you!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    5. Re:Wait, wait... by Unordained · · Score: 2

      http://www.wired.com/2014/04/o...

      We can still break into the systems we "need" to break into, without keeping a full hand of all possible vulnerabilities. To reduce our overall exposure to risk, it makes sense to disclose most of these to vendors for patching, maybe some with a delay. Our government can buy up vulnerabilities from Exodus, then release them -- Exodus gets paid, we get somewhat better security all around, and the NSA gets a few last holes to work with.

    6. Re:Wait, wait... by gl4ss · · Score: 1

      but if I did it and sold it on the market on the country that I am in or their neighbouring countries then I would be unethical/criminal?

      wtf? there's no "due time".

      they could be just bullshitting too and just waiting for fixes to come in and then say "yeah those were the vulns".

      furthermore, they would be vulnerabilities in the firefox code or the tor code which would count as news on their own. or perhaps they're just buggy drivers for wifi or ethernet. we don't know and now they're just doing two things, scaremongering and fishing for money from companies. they're using this as advertisement. "pay us or we'll sell exploits to your sw and not tell you" which is pretty much exactly what "black hat" exploit sellers are doing so does their work bother you? if not, ok.

      --
      world was created 5 seconds before this post as it is.
    7. Re:Wait, wait... by Boronx · · Score: 1

      Libertarianism run amok. Apparently the need to stay in business trumps any moral concerns.

    8. Re:Wait, wait... by compro01 · · Score: 1

      Our government can buy up vulnerabilities from Exodus, then release them

      Or just buy up Exodus, period, continue operating it as a GOC, and release vulnerabilities as they're discovered.

      --
      upon the advice of my lawyer, i have no sig at this time
    9. Re:Wait, wait... by mrchaotica · · Score: 1

      So you seem to be saying hacking is never ethical.

      Hacking with responsible disclosure is ethical. The fact that it may not be possible to do so profitably is irrelevant.

      Hacking without responsible disclosure is always unethical, and what others choose to do is irrelevant. The fact that somebody else is acting unethically is not an excuse for you to act unethically too!

      So no, I guess what I'm saying is that if Exodus weren't selling bugs to the government, we would be worse off, not better.

      No. We're exactly equally bad off in either case. An attacker is an attacker. I have no confidence whatsoever that giving the NSA the exploits helps the American public, but even if I did the act of doing so would still be unethical!

      Didn't your parents ever ask you rhetorical questions like "if your friends all jumped off a bridge, does that mean you should do it too?" or tell you "the ends do not justify the means" when you were a kid?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:Wait, wait... by Boronx · · Score: 1

      Response to parent post, you brain-dead moron.

    11. Re:Wait, wait... by tylerni7 · · Score: 1
      Ugh, maybe on this computer my replies will show up with my user account (I don't mind a bit of bad karma every now and then, and I think it is hard to have an actual discussion with an AC post). Anyway..

      Didn't your parents ever ask you rhetorical questions like "if your friends all jumped off a bridge, does that mean you should do it too?" or tell you "the ends do not justify the means" when you were a kid?

      I think this is more akin to "an eye for an eye makes the whole world blind". But obviously, just because something is a catchy statement, that doesn't mean it's good advice.
      If other people are attacking you, should you lay down all your weapons and hope they do the same? Maybe, but it's not a cut and dry situation like you make it out to be. I agree that in an ideal world, no one would exploit anyone, and all of our software would be bug free. But it seems naive to base our actions off of that world view when it is not the case. Is fighting and war bad? Yes. But I don't think a Gandhi approach will work in all situations, and sometimes fighting back is necessary. (That doesn't mean all cases, of course.)

      Hacking without responsible disclosure is always unethical, and what others choose to do is irrelevant.

      I think this is an incredibly bold statement. I think it's a bit hard to judge the ethics of exploiting a computer "in a vacuum", the context certainly matters. Let's take a hypothetical situation: if a computer was used as the trigger for a bomb which was going to go off and kill 100 people, would it not be ethical to hack in to the computer and disable it? [we can assume it also has all the fancy triggering mechanisms in place.. capacitive sensing in case someone gets too close, tilt/shock sensors in case something tries to move it, etc]
      I find that belief absurd. And while I'm sure that wasn't the situation you envisioned when you made that claim, I think it's important to note there are certainly extreme cases where hacking into a computer is clearly ethical.
      If we're able to agree that sometimes computer hacking is ethical, then it just becomes a question of where the line is drawn. How much personal information needs to be on the computer about to detonate a bomb before you decide it isn't The Right Thing To Do to hack in? I am sure there are cases where the government is happy to hack into something that I think is ethically dubious, but again, I think it is absurd to say it is never ethical.

      The other thing is you have to consider that "cyber weapons" mean governments can gain intelligence or affect systems without hurting people. Stuxnet is an interesting example. How many lives would have been lost if instead someone bombed the Iranian nuclear facility, or killed off Iranian scientists (yes, I know this still happens anyway, sadly)? Stuxnet was a virus that infected the public's computers as well.
      Based on our discussion so far I would expect you to say something like "well sure, maybe it's better than bombing, but having neither would be even better". That's a totally understandable stance, but again, that isn't the world we live in. I think it's a step in the right direction to at least try to minimize deaths.


      Anyway, it doesn't sound like we're going to come to an agreement on anything, and that's fine. I definitely understand how hacking can be a moral grey area, and not everyone has to agree. However, I just hope people will accept that it is at least a moral grey area, rather than a moral black area.

    12. Re:Wait, wait... by Archangel+Michael · · Score: 1

      Business is neither moral, nor immoral but AMORAL. People are either moral, or immoral, they are not amoral. Everyone is a hypocrite, at some point will violate their own moral code. This is called situational ethics, and is popular in politics.

      If your personal code of ethics prevents you from doing business with people who are hypocritical (evil, bad, immoral, etc.), then you'll be doing business with nobody. The best you can do is do business with people who support your ideals more often than the other guys.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    13. Re:Wait, wait... by mrchaotica · · Score: 1

      If other people are attacking you, should you lay down all your weapons and hope they do the same?

      Are people attacking Exodus via TOR? If not, then what ethical justification does it have for involving itself as the NSA's mercenary?

      I'm all for self-defense; it's aiding aggression that I find unethical.

      Hacking without responsible disclosure is always unethical, and what others choose to do is irrelevant.

      I think this is an incredibly bold statement. I think it's a bit hard to judge the ethics of exploiting a computer "in a vacuum", the context certainly matters. Let's take a hypothetical situation: if a computer was used as the trigger for a bomb which was going to go off and kill 100 people, would it not be ethical to hack in to the computer and disable it? [we can assume it also has all the fancy triggering mechanisms in place.. capacitive sensing in case someone gets too close, tilt/shock sensors in case something tries to move it, etc]

      Clearly, I'm failing to understand -- what is there about your hypothetical situation that precludes responsible disclosure?

      Also, responsible disclosure is sort of tautologically ethical because it does consider context (that's what the "responsible" part means). If you're not sure what kind of disclosure is responsible, then the only ethical option would be to forgo the hacking.

      The other thing is you have to consider that "cyber weapons" mean governments can gain intelligence or affect systems without hurting people. Stuxnet is an interesting example. How many lives would have been lost if instead someone bombed the Iranian nuclear facility, or killed off Iranian scientists (yes, I know this still happens anyway, sadly)? Stuxnet was a virus that infected the public's computers as well. Based on our discussion so far I would expect you to say something like "well sure, maybe it's better than bombing, but having neither would be even better". That's a totally understandable stance, but again, that isn't the world we live in. I think it's a step in the right direction to at least try to minimize deaths.

      Being forced to choose the lesser of two evils doesn't mean you should become the active accomplice of that evil.

      Besides, on a more practical note, you're also failing to consider the rest of the collateral damage. By supporting Exodus's position, you're saying that hypothetically saving the lives of the Iranian scientists is worth hypothetically risking the lives of TOR users worldwide.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    14. Re:Wait, wait... by tylerni7 · · Score: 1

      If other people are attacking you, should you lay down all your weapons and hope they do the same?

      Are people attacking Exodus via TOR? If not, then what ethical justification does it have for involving itself as the NSA's mercenary?

      I'm all for self-defense; it's aiding aggression that I find unethical.

      I don't think it matters whether we take Exodus or the US Government. I'm not really sure why being a mercenary is so bad? What is the difference if the US Government pays Exodus or hires the people working for Exodus to write exploits directly?
      And yes, people are using Tor to fight against the US; certainly hackers and terrorists use Tor. (I don't believe more than a small fraction of Tor users are malicious, but malicious users undoubtedly exist.)

      Clearly, I'm failing to understand -- what is there about your hypothetical situation that precludes responsible disclosure?

      Also, responsible disclosure is sort of tautologically ethical because it does consider context (that's what the "responsible" part means). If you're not sure what kind of disclosure is responsible, then the only ethical option would be to forgo the hacking.

      If you have responsibly disclosed every exploit you know about, you are not going to be able to hack into the computer which triggers the bomb. I'm not sure why this isn't obvious. Unless somehow your "responsible disclosure" allows for holding on to exploits until you need them for dire situations, you have no way to stop such a computerized device.

      Let's be more concrete here: someone has hooked up a Raspberry Pi to detonate a bomb, which is triggered, say, over Tor. Whoever made this wasn't stupid: it has a heartbeat which will detonate the bomb if it fails, so you can't just jam it or cut off internet access. It has normal motion sensors, etc. You have 1 hour to disable it.
      I propose that given the possibility of such a scenario (or scenarios like this; obviously this is an extreme and contrived example to try to prove a point), it is ethical to withhold disclosure of vulnerabilities. In your proposed scenario, the government has "emptied its cyber arsenal". It has nothing it can do to prevent such an attack. I believe it is superior to have the capability to prevent such an attack.

      Being forced to choose the lesser of two evils doesn't mean you should become the active accomplice of that evil.

      Besides, on a more practical note, you're also failing to consider the rest of the collateral damage. By supporting Exodus's position, you're saying that hypothetically saving the lives of the Iranian scientists is worth hypothetically risking the lives of TOR users worldwide.

      Except it isn't that simple.. one side has to win. If the US Government doesn't have people writing exploits, they are losing tools that help them to fight $ENEMY.

      It's like saying we shouldn't have fought in World War II against Hitler, because war is bad. The Allied forces were the "lesser of two evils"--evil, of course, because war is unethical just like hacking is. Why choose to actively help the lesser of two evils? We should have remained neutral.
      We can ignore any historical facts for the sake of hypothetical arguments and say Hitler would have succeeded with 100% certainty without US support. In this sort of scenario are you trying to say that the ethical thing to do is nothing? It really sounds like we have some huge differences of opinion in all of this, so this probably isn't going anywhere.

    15. Re:Wait, wait... by MacDork · · Score: 1

      Or it's bullshit to scare people away from tails. Have they demonstrated the exploit?

    16. Re:Wait, wait... by gweihir · · Score: 1

      Commercial enterprises (such as Exodus) will do anything and everything that is or should be criminal, provided they can get away with it. Do not even look for minimal ethics there, it is a complete waste of time.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re:Wait, wait... by mrchaotica · · Score: 1

      I don't think it matters whether we take Exodus or the US Government. I'm not really sure why being a mercenary is so bad? What is the difference if the US Government pays Exodus or hires the people working for Exodus to write exploits directly?

      The difference is motivation. If you're partisan -- if you're motivated because you think the cause is just -- then maybe it's ethical to fight. If you're motivated by money and otherwise don't care, it's clearly unethical.

      (I say "maybe" because it's not ethical to fight if you're mistaken in your belief that the cause is just -- it has to genuinely be so. But if you don't care, fighting is unethical even before considering the justness of the cause because it's not your fight.)

      And yes, people are using Tor to fight against the US; certainly hackers and terrorists use Tor. (I don't believe more than a small fraction of Tor users are malicious, but malicious users undoubtedly exist.)

      If the American Revolution were happening today, the Founding Fathers would be labeled "hackers and terrorists" from the perspective of the British Crown. In other words, unless you're purposefully targeting innocents, those sorts of labels are a matter of perspective. I'm not at all convinced that using TOR to fight against the US government is actually a bad thing.

      If you have responsibly disclosed every exploit you know about, you are not going to be able to hack into the computer which triggers the bomb. I'm not sure why this isn't obvious. Unless somehow your "responsible disclosure" allows for holding on to exploits until you need them for dire situations, you have no way to stop such a computerized device.

      Let's be more concrete here: someone has hooked up a Raspberry Pi to detonate a bomb, which is triggered, say, over Tor. Whoever made this wasn't stupid: it has a heartbeat which will detonate the bomb if it fails, so you can't just jam it or cut off internet access. It has normal motion sensors, etc. You have 1 hour to disable it. I propose that given the possibility of such a scenario (or scenarios like this; obviously this is an extreme and contrived example to try to prove a point), it is ethical to withhold disclosure of vulnerabilities. In your proposed scenario, the government has "emptied its cyber arsenal". It has nothing it can do to prevent such an attack. I believe it is superior to have the capability to prevent such an attack.

      First of all, I understood your previous scenario to be that you're discovering a new exploit in the process of defusing the bomb, and deciding whether to responsibly disclose it afterwards or to keep it in your pocket for later use. That's different from what you wrote this time, which is that you're using a previously-discovered but undisclosed exploit to defuse a bomb at the present time.

      The problem with your scenario is that you're presupposing it "will" happen, and judging your actions after the fact. That's not a valid mode of reasoning, since there's no way to know that the scenario will actually occur (or even that it's more than infinitesimally likely to occur) at the time you're making the decision to disclose or not.

      In other words, you're saying that it's perfectly ethical to do actual harm now because you guess that it might lessen the possibility of doing potential harm later. If you don't understand the problem with this, there's nothing more I can do to explain it to you more clearly.

      It's like saying we shouldn't have fought in World War II against Hitler, because war is bad. The Allied forces were the "lesser of two evils"--evil, of course, because war is unethical just like hacking is. Why choose to actively help the lesser of two evils? We should have remained neutral.

      That's exactly what we did do until the Japanese attacked us directly at Pearl Harbor. I think we acted pretty appropriately in that case!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    18. Re:Wait, wait... by Samizdata · · Score: 1

      Nothing personal, but vaporous unconfirmable zero day reports like this strike me as more of a "My uncle works at Nintendo, and he got a copy of the secret developer nude Mario Brothers cart. No, it's at his house...In Hawaii. No, he won't mail it to me to show you."

      --
      It's not the years, honey, it's the mileage. - Colonel Henry Walton Jones, Jr., Ph.D.
  2. Re:Curious by Penguinisto · · Score: 3, Interesting

    What could allow remote code execution in Tails but not affect Firefox or any of the other software us non-terrorists use. A bug in tor itself?

    Given that they likely had to add a few custom bits to ensure anonymity, and likely modified or ripped out a few other bits, odds are good that the customizations are where the issue lies.

    (...then again, perhaps the bug(s) can be found in the std. packages, but the researchers wanted to scare a smaller organization into becoming a customer first?)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  3. They have no accountability by stewsters · · Score: 4, Insightful

    So they are selling vulnerabilities to hackers rather than telling the source maintainers? That's irresponsible at best.

    1. Re:They have no accountability by Minupla · · Score: 1

      Agreed - and in this case "Hackers" == "Nation States"

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    2. Re:They have no accountability by klui · · Score: 1

      They're either selling or sold the vulnerability to government agencies or just FUD against Tails.

    3. Re:They have no accountability by eulernet · · Score: 1

      No, this is business.
      Why would you want to use morality in business ?

    4. Re:They have no accountability by gweihir · · Score: 1

      It is the most unethical thing they can do. On the plus-side, this may help Tails (and Tor) to get ahead of the game again, as this draws a lot of attention to the problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Scaremongering? by Anonymous Coward · · Score: 1

    Every OS has 0-day issues - no such thing an OS without them. However, dare I say that there is a little scaremongering on here in relation to Tails? If you can't stop them throw some mud or sow the seeds of doubt?

    1. Re:Scaremongering? by K.+S.+Kyosuke · · Score: 1

      Every OS has 0-day issues - no such thing an OS without them.

      Except for Oberon... (And other similar designs in the spirit of "obviously no deficiencies")

      --
      Ezekiel 23:20
    2. Re:Scaremongering? by Actually,+I+do+RTFA · · Score: 1

      How does that work? If there is an easy way to guarantee no deficiencies, why isn't it used always?

      --
      Your ad here. Ask me how!
    3. Re:Scaremongering? by K.+S.+Kyosuke · · Score: 1

      Because small software fell out of favor some time ago. And it doesn't do HTML5 yet. :-) (It may not be actually easy, but compared to the man-years needed to create the 100MLOC behemoths of today, it doesn't seem such a far-fetched prospect to me! Especially if we're talking about specialized secure computing systems, where one might be expected to be willing to do a few sacrifices...)

      --
      Ezekiel 23:20
    4. Re:Scaremongering? by Actually,+I+do+RTFA · · Score: 1

      How does it assure no deficiencies? And why don't other projects use that methodology?

      --
      Your ad here. Ask me how!
    5. Re:Scaremongering? by K.+S.+Kyosuke · · Score: 1

      How does it assure no deficiencies?

      I spelled out the "obviously no efficiencies" part, didn't I? How much up to date are you with your Hoare lectures?

      And why don't other projects use that methodology?

      Because they'd have to change their whole direction? As I said, compact things fell out of fashion in the SW arena.

      --
      Ezekiel 23:20
    6. Re:Scaremongering? by K.+S.+Kyosuke · · Score: 1

      That should have read "obviously no deficiencies", of course!

      --
      Ezekiel 23:20
  5. FUD? by timrod · · Score: 5, Insightful

    This sounds like FUD against Tails. A security research firm finds some undisclosed zero-days in Tails, but doesn't describe what they could do - arbitrary code execution? De-anonymization? They then go on to say that they haven't told the Tails maintainers what the vulnerabilities are, but will "in due time", implying they're going to sell them off to the government first. Exodus Intelligence also does a lot of business with the US government, possibly including the NSA.

    To me, this sounds like they probably found some minor zero-days and are trying to spread FUD (likely spurred on by their clients in the government) to get people to stop using Tails. After all, we know that the NSA is trying to put people who attempt to download Tails on a watchlist for further scrutiny.

    1. Re:FUD? by thoriumbr · · Score: 3, Insightful

      I don't think this is FUD.

      If any government gets to know that you have an exploit for a very secure system they are targeting, you will surely be contacted and will earn a lot of money. Disclosing the vulnerability to the maintainers will destroy a great part of the value.

      I would say it's FUD if the vulns were advertised by some competing Linux distro.

    2. Re:FUD? by bmo · · Score: 4, Insightful

      Carnegie Mellon is suppressing de-anonymising TOR discussion at Black Hat.

      Talk on cracking Internet anonymity service Tor withdrawn from conference

      By Joseph Menn

      SAN FRANCISCO, Mon Jul 21, 2014 1:05pm EDT

      (Reuters) - A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.

      A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment. (Reporting by Joseph Menn; Editing by Chris Reese)

      ------

      My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion that TOR is somehow ineffective alive. Let your mind run wild with speculation.

      --
      BMO

      http://www.reuters.com/article...

    3. Re:FUD? by Anonymous Coward · · Score: 3, Informative

      > My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion
      > that TOR is somehow ineffective alive. Let your mind run wild with speculation.

      Or...

      The lawyers are worried that the testing violated wiretap laws and are trying to reduce CMU's legal liability.

    4. Re:FUD? by gweihir · · Score: 1

      Well, I am not sure about "minor". But a prime source of zero-days should be the JavaScript engine. Turn it off or use NoScript, and you may still be secure.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
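The comment above recommends turning JavaScript off. A practitioner would want to verify that the browser profile actually has it off rather than trust that a setting was applied. The following is an added example, not code from the thread or from the Tails or Tor Browser projects: it parses the `user_pref("name", value);` lines that Firefox-based browsers (Tor Browser included) keep in a profile's prefs.js and user.js, applies the normal precedence (user.js on top of prefs.js, last assignment in a file wins), and reports the effective `javascript.enabled` value. The sample pref files are constructed for the example. It checks only the global pref; NoScript's own per-site whitelist lives elsewhere and is not covered, and the profile location on a Tails system is assumed to be found by the caller.

```python
"""Audit a Firefox/Tor Browser profile for the effective javascript.enabled setting.

Firefox stores preferences as lines of the form
    user_pref("name", value);
in prefs.js (written by the browser) and user.js (hand edits, applied on top).
Within one file the last assignment wins; user.js overrides prefs.js.
Limitation: this reads only the global pref, not NoScript's per-site whitelist.
"""
import re

# One pref per line: user_pref("<name>", <value>);  Comments and blanks are skipped.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample files for the example (not taken from any real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.enabled", true);
"""

SAMPLE_USER_JS = """\
// hand-written hardening, applied on top of prefs.js
user_pref("javascript.enabled", false);
"""


def _coerce(raw):
    """Turn the textual pref value into a Python bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as its raw text


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        prefs[m.group(1)] = _coerce(m.group(2).strip())
    return prefs


def effective_prefs(prefs_js, user_js=""):
    """Merge prefs.js and user.js with user.js taking precedence."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def javascript_enabled(prefs_js, user_js=""):
    """Firefox's built-in default is true, so an absent pref means JavaScript is ON."""
    return bool(effective_prefs(prefs_js, user_js).get("javascript.enabled", True))


if __name__ == "__main__":
    # Reading real files would be: open(profile + "/prefs.js").read() etc.
    state = "ENABLED" if javascript_enabled(SAMPLE_PREFS_JS, SAMPLE_USER_JS) else "disabled"
    print("effective javascript.enabled: " + state)
```

The important edge case is the absent pref: a profile that never set `javascript.enabled` at all is running with JavaScript on, which is why the check defaults to `True` rather than treating "not found" as safe.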
    5. Re:FUD? by gweihir · · Score: 1

      And that is a different story discussed in a different place. This discussion here is about zero-days in Tails, not about TOR vulnerabilities.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. what environments allow USB boot? by Gothmolly · · Score: 1

    What kind of real environment allows boot from a USB drive?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:what environments allow USB boot? by Noryungi · · Score: 2

      Anything that has a USB port, really.

      Essentially, anything that is run by NGOs or individuals.

      Sure, in a corporate or governmental/military environment, USB ports are usually a big ''no no'' but some of us like them USB gadgets.

      (Yes, before anyone asks, there has been infiltration through contaminated USB drives and keys ''abandoned'' in strategic locations...)

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    2. Re:what environments allow USB boot? by dave562 · · Score: 5, Insightful

      The kind of environment where the attacker is a sysadmin with access to the box and the ability to do whatever they feel like with BIOS, including enabling USB boot.

      The default security posture of most organizations these days is to assume that a trusted insider will exploit the system at some point. Therefore everyone is implementing damage mitigation techniques so that they can respond quickly and understand the scope of the inevitable breach when it does occur.

      Everyone is watching everyone else. The security guys get access to the firewalls and the IDS, but cannot touch the servers. The server guys cannot touch the backups. The backup team cannot initiate a restore without two levels of change control approval. It is a serious PITA for everyone involved and a gross inefficiency.

      The first time an auditor told me that they cannot trust me, my knee jerk reaction was to tell them to go fuck themselves. Eventually I realized that I am in a very risky position with access to a lot of sensitive information. The key is not that they do not trust me, it is that they CANNOT trust me. While I may be trustworthy, who is to say that someone else in my same position, with my same level of access, is also trustworthy? Just like I have to assume that any executable downloaded from the internet is potentially full of malicious code, the risk management folks have to assume that every sysadmin in the organization is potentially full of malicious intent.

    3. Re:what environments allow USB boot? by watcher-rv4 · · Score: 1

      Stuxnet on that Iran's nuclear plant?

    4. Re:what environments allow USB boot? by mspohr · · Score: 1

      I've used TAILS to do banking when I'm traveling and only have access to dodgy WiFi or hotel computers. I've found that it will boot and run on most any computer... sometimes you need to call up the boot menu and select the USB drive, other times "it just works".
      It boots and runs from the USB stick and doesn't use the computer's mass storage at all. It performs a wipe of the RAM on exit. It encrypts everything, uses HTTPS and TOR; has a minimal secure browser and a more full featured insecure browser. OpenPGP for email and documents.
      However, it probably has some vulnerabilities. For instance, a hardware keylogger on the machine... however, they have a randomized on-screen keyboard to use to get around this.
      That said, this "security" company which sent out this press release seems like your typical collection of greedy entitled bastards who aim to benefit financially from their FUD.

      --
      I don't read your sig. Why are you reading mine?
    5. Re:what environments allow USB boot? by dave562 · · Score: 2

      Trust but verify.

    6. Re:what environments allow USB boot? by Actually,+I+do+RTFA · · Score: 2

      you give me physical access to a box, it's my box.

      Well, the BIOS could be password protected, the case alarmed if opened. In either case you could work around those, but if I put that box in a busy hallway, that's not going to happen. Combine that with no optical media or USB ports, and I think that's a pretty safe box.

      Now, you could mess with the hardware, via a hardware key logger, but that could be mitigated by soldering the wires directly as opposed to allowing a PS/2 port. And the keyboard could probably be physically hardened to the point that you cannot easily open it.

      Bottom line, physical access is one thing. But tamper-evident measures combined with regular but not continuous observations should enable me to trust that if you do gain access, I will know about it while you are present. Possibly even before you are able to finish gaining access.

      --
      Your ad here. Ask me how!
    7. Re:what environments allow USB boot? by Actually,+I+do+RTFA · · Score: 1

      Well, you could use PS/2, or serial, or even say "fuck it, no mouse for you. Here's a command line and a tab key."

      --
      Your ad here. Ask me how!
    8. Re:what environments allow USB boot? by gweihir · · Score: 1

      Using Tor (Tails) _and_ doing financial transactions with it! You are sure to be on the short list for a drone-strike...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Re:Open sores software? No thanks! by Mordok-DestroyerOfWo · · Score: 1

    My theory is that Steve Balmer is bored in his retirement and feels the need to troll open source sites.

    --
    "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
  8. Conspiracy theory by Charliemopps · · Score: 3, Interesting

    Sounds fishy to me...
    Perhaps the NSA (or another agency) has another Snowden on their hands and paid Exodus for this "release" to scare the leaker into not sending their data out...

    1. Re:Conspiracy theory by dave562 · · Score: 4, Funny

      Now THIS is the level of paranoia that I like to see.

    2. Re:Conspiracy theory by Charliemopps · · Score: 1

      Now THIS is the level of paranoia that I like to see.

      It's funny what you'll believe when you can't believe anything anymore.

    3. Re:Conspiracy theory by meta-monkey · · Score: 1

      That's a depressingly accurate statement.

      --
      We don't have a state-run media we have a media-run state.
  9. Re:Classic Spook Stuff... by Noryungi · · Score: 1

    I think you forgot "FCUK NSA" somewhere in that NSA food... Or is it "FSCK GCHQ"?

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  10. Re:Classic Spook Stuff... by CaptainOfSpray · · Score: 1

    F**k 'em both, and the equivalents in Canada, Oz, and NZ, and the lazy, corrupt and incompetent oversight committees. Oh and by the way, did you notice the Germans have been at it too, though not on the same scale.

    I am now Officially In a Bad Mood, at which point I am quite likely to send a sizable donation to the people who make Tails, and I encourage y'all to do the same.

    --
    "Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
  11. Re:Classic Spook Stuff... by Noryungi · · Score: 1

    Amen, brother.

    (And don't forget the French!)

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  12. Re:Classic Spook Stuff... by dave562 · · Score: 2

    You do realize that you forgot to fnord that and they can totally see what you wrote, right?

  13. Curiosity by watcher-rv4 · · Score: 1

    All this gave me the will to take a look at Tails.

  14. It's FUD? by Cid+Highwind · · Score: 1

    Disclosing the existence of a vulnerability destroys a lot of its value, too. People who can stop using Tails until the issue is sorted out will do so, shutting off whatever intelligence could be gathered from them. If these guys had a real-world exploitable vulnerability and a willingness to sell it to the NSA, they would have sold it and said nothing.

    --
    0 1 - just my two bits
  15. Re:Classic Spook Stuff... by CaptainOfSpray · · Score: 1

    Oh sorry, should I be encrypting my NSA Food, to make sure they read it?

    --
    "Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
  16. Re:Classic Spook Stuff... by dave562 · · Score: 1

    Have no fear. /. is collection friendly, with the data being sent in plaintext. They have all of our posts, and sort them for content and categorize them by context.

  17. Zero Days? Updates? by cant_get_a_good_nick · · Score: 1

    Not a troll, but how do you get updates on a LiveCD? A good safe distro would not only update bad code easily, but also prevent whatever malware gets in from writing to local disc. What to do?

    1. Re:Zero Days? Updates? by mspohr · · Score: 1

      We're talking about a USB stick.
      I just updated my TAILS USB... password, trusted repository, good to go.
      If you want, you can use a Live CD but then you can't have any encrypted local storage.

      --
      I don't read your sig. Why are you reading mine?
    2. Re:Zero Days? Updates? by cant_get_a_good_nick · · Score: 1

      My point is - part of the security of a LiveCD is the fact it's a Read Only medium. Malware can't write to it. But it also means you can't update buggy code. What if my LiveCD has Heartbleed?

      The AC who commented "burn a new one" doesn't know how most distros do things, which is not to create a new CD image every time a package changes. The CD image is current on Day 1, and deviates from the true distro starting possibly on Day 2. Unless you only use the CD Image on release days, you'll always be slightly behind on (at least some) packages.

      Yes yes, I know part of the point of a USB stick is a controlled Distro where you know the current state of all things on it. But, it still has issues with Zero Days. Let's say there's a Zero day, and I write to your USB stick. Now you're compromised, with a false sense of security. Do people drop to "single user with networking" on their USB sticks, do updates, then run in multi-user with parts of the file system read-only?

  18. OT: signature by cant_get_a_good_nick · · Score: 1

    I'm stealing your signature...

  19. They're everywhere! by viperidaenz · · Score: 1

    It's an NSA backdoor!

  20. Re:Curious by almitydave · · Score: 1

    Replying to pedantic ACs is a waste of time, I know, but I see this mistake made often enough. "Insure" and "ensure" are largely interchangeable: http://dictionary.reference.com/browse/insure.

    --
    my, your, his/her/its, our, your, their
    I'm, you're, he's/she's/it's, we're, you're, they're
  21. As Easy to See Through as Glass by TechForensics · · Score: 1

    Hmmmm.... Let's see... Snowden embarrasses NSA using Tails; suddenly Tails has scary "vulnerabilities"; a new company / entity on the scene says it will make everything nice.

    What's the likely truth here? Snowden embarrassed NSA using Tails; NSA plants disinformation campaign to the extent of "vulnerabilities"; the new company / entity is an NSA puppet that will give you a new Tails every bit as reliable as the new TrueCrypt.

    First grade simple so it's not suspected until..... (complete the sentence).

    What do YOU think?

    --
    Those are my principles, and if you don't like them... well, I have others.
  22. Well. by Demena · · Score: 1

    Snowden gave nothing to Russia or China. Even the head of the NSA has stated that. He gave nothing to any national party. It makes me wonder what you are. But I doubt you will ever be a little star.

  23. Re: Curious by Demena · · Score: 1

    Why did you call him a piece of firewood or baked potato?

  24. Re:Classic Spook Stuff... by Demena · · Score: 1

    Snowden is not an agent. Even NSA says that.

  25. Re:Curious by gweihir · · Score: 1

    What is certainly there is at least several JavaScript zero-days. JavaScript is complex to implement and easy to get wrong. As this is a commercial effort (as can be seen by its immorality and focus on profit), they will go after low-hanging fruit. The JavaScript engine is the most promising one.

    And who said it would not affect other users too?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  26. Re:They have nothing! by gweihir · · Score: 1

    There are some things you can do even when second-rate, just by throwing resources at the problem. They may also have _bought_ these exploits from people that are not second-rate.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  27. Re:How do you think they get your IP? by gweihir · · Score: 1

    They just send data to some server they own in clear and they know your last public IP. For spywork, that is enough. If laws are draconian enough, they are also sure to find _something_ when they kick down your door. Also, when you are not on US ground (warning: current state, this may change), they may also just drone-murder you and bypass any legality whatsoever.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  28. Re:Open sores software? No thanks! by cbiltcliffe · · Score: 1

    Nope, we don't use unmaintained, unaudited, open sores garbage.

    So I guess that means you use unauditable, backdoored, closed source garbage then, huh?

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......