Slashdot Mirror


Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.

18 of 132 comments

  1. Wait, wait... by Penguinisto · · Score: 5, Insightful

    The company plans to tell the Tails team about the issues "in due time"

    I'm 100% certain "in due time" would come a lot sooner if the Tails OS maintainers coughed up the right fee, which means that this is most definitely NOT responsible disclosure.

    I get that security researchers have to eat too, but damn - this sort of reeks of extortion. Maybe I'm wrong, but I know if I had a code project and some company said they knew I had holes but refused to tell me upon asking, extortion would be the first effing thought that would come to mind.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Wait, wait... by Noryungi · · Score: 3, Insightful

      No, not extortion against Tails - extortion of money from the NSA or whoever else their "clients" are.

      I am sure a lot of TLAs right now are salivating -- unless they have discovered these vulnerabilities before Exodus. In which case, silence can be golden, indeed.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    2. Re:Wait, wait... by sjames · · Score: 4, Insightful

      Doesn't that put them dangerously close to criminal like the guys that sell zero days to the Russian mob?

      I'm thinking yes but it will be ignored because their customers include bad guys within the U.S. government.

    3. Re:Wait, wait... by mrchaotica · · Score: 4, Insightful

      The arguments I'm used to hearing go something like "but it's obviously unethical, they should just responsibly report and disclose vulnerabilities they find". But this is a total crap argument. The options Exodus has aren't "sell to governments" or "responsibly disclose for little to no fee". The options are "sell to governments" or "go out of business". So maybe someone will say "fine, they should go out of business, then we will all obviously be safer!".

      But, well, it's not really clear that's the case. If Exodus (or Vupen, or whomever) quit, it's not like suddenly the government would stop looking for exploits. And if the US government did, it's not like China or Russia would. And if they did, it's not like criminal organizations would stop. You aren't going to stop vulnerabilities from happening or being sold. Game theoretically, it seems like the right choice is to keep the US government snatching up what vulnerabilities it can to keep in its back pocket for espionage. Not doing so would be a huge blow to US intelligence agencies, when every other major government out there is working on the same capabilities.

      So what you're saying is that what Exodus is doing is unethical, but criminals would do the same thing anyway, so we might as well ignore Exodus' unethical behavior because they're on "our side?"

      Fuck that, and fuck you!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re:Wait, wait... by Unordained · · Score: 2

      http://www.wired.com/2014/04/o...

      We can still break into the systems we "need" to break into, without keeping a full hand of all possible vulnerabilities. To reduce our overall exposure to risk, it makes sense to disclose most of these to vendors for patching, maybe some with a delay. Our government can buy up vulnerabilities from Exodus, then release them -- Exodus gets paid, we get somewhat better security all around, and the NSA gets a few last holes to work with.

  2. Re:Curious by Penguinisto · · Score: 3, Interesting

    What could allow remote code execution in Tails but not affect Firefox or any of the other software us non-terrorists use? A bug in tor itself?

    Given that they likely had to add a few custom bits to ensure anonymity, and likely modified or ripped out a few other bits, odds are good that the customizations are where the issue lies.

    (...then again, perhaps the bug(s) can be found in the std. packages, but the researchers wanted to scare a smaller organization into becoming a customer first?)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  3. They have no accountability by stewsters · · Score: 4, Insightful

    So they are selling vulnerabilities to hackers rather than telling the source maintainers? That's irresponsible at best.

  4. FUD? by timrod · · Score: 5, Insightful

    This sounds like FUD against Tails. A security research firm finds some undisclosed zero-days in Tails, but doesn't describe what they could do - arbitrary code execution? De-anonymization? They then go on to say that they haven't told the Tails maintainers what the vulnerabilities are, but will "in due time", implying they're going to sell them off to the government first. Exodus Intelligence also does a lot of business with the US government, possibly including the NSA.

    To me, this sounds like they probably found some minor zero-days and are trying to spread FUD (likely spurred on by their clients in the government) to get people to stop using Tails. After all, we know that the NSA is trying to put people who attempt to download Tails on a watchlist for further scrutiny.

    1. Re:FUD? by thoriumbr · · Score: 3, Insightful

      I don't think this is FUD.

      If any government gets to know that you have an exploit for a very secure system they are targeting, you will surely be contacted and will earn a lot of money. Disclosing the vulnerability to the maintainers will destroy a great part of the value.

      I would say it's FUD if the vulns were advertised by some competing Linux distro.

    2. Re:FUD? by bmo · · Score: 4, Insightful

      Carnegie Mellon is suppressing de-anonymising TOR discussion at Black Hat.

      Talk on cracking Internet anonymity service Tor withdrawn from conference

      By Joseph Menn

      SAN FRANCISCO, Mon Jul 21, 2014 1:05pm EDT

      (Reuters) - A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.

      A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment. (Reporting by Joseph Menn; Editing by Chris Reese)

      ------

      My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion that TOR is somehow ineffective alive. Let your mind run wild with speculation.

      --
      BMO

      http://www.reuters.com/article...

    3. Re:FUD? by Anonymous Coward · · Score: 3, Informative

      > My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion
      > that TOR is somehow ineffective alive. Let your mind run wild with speculation.

      Or...

      The lawyers are worried that the testing violated wiretap laws and are trying to reduce CMU's legal liability.

  5. Re:what environments allow USB boot? by Noryungi · · Score: 2

    Anything that has a USB port, really.

    Essentially, anything that is run by NGOs or individuals.

    Sure, in a corporate or governmental/military environment, USB ports are usually a big "no no" but some of us like them USB gadgets.

    (Yes, before anyone asks, there has been infiltration through contaminated USB drives and keys "abandoned" in strategic locations...)

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  6. Conspiracy theory by Charliemopps · · Score: 3, Interesting

    Sounds fishy to me...
    Perhaps the NSA (or another agency) has another Snowden on their hands and paid Exodus for this "release" to scare the leaker into not sending their data out...

    1. Re:Conspiracy theory by dave562 · · Score: 4, Funny

      Now THIS is the level of paranoia that I like to see.

  7. Re:what environments allow USB boot? by dave562 · · Score: 5, Insightful

    The kind of environment where the attacker is a sysadmin with access to the box and the ability to do whatever they feel like with BIOS, including enabling USB boot.

    The default security posture of most organizations these days is to assume that a trusted insider will exploit the system at some point. Therefore everyone is implementing damage mitigation techniques so that they can respond quickly and understand the scope of the inevitable breach when it does occur.

    Everyone is watching everyone else. The security guys get access to the firewalls and the IDS, but cannot touch the servers. The server guys cannot touch the backups. The backup team cannot initiate a restore without two levels of change control approval. It is a serious PITA for everyone involved and a gross inefficiency.

    The first time an auditor told me that they cannot trust me, my knee jerk reaction was to tell them to go fuck themselves. Eventually I realized that I am in a very risky position with access to a lot of sensitive information. The key is not that they do not trust me, it is that they CANNOT trust me. While I may be trustworthy, who is to say that someone else in my same position, with my same level of access, is also trustworthy? Just like I have to assume that any executable downloaded from the internet is potentially full of malicious code, the risk management folks have to assume that every sysadmin in the organization is potentially full of malicious intent.

  8. Re:Classic Spook Stuff... by dave562 · · Score: 2

    You do realize that you forgot to fnord that and they can totally see what you wrote, right?

  9. Re:what environments allow USB boot? by dave562 · · Score: 2

    Trust but verify.

  10. Re:what environments allow USB boot? by Actually,+I+do+RTFA · · Score: 2

    > you give me physical access to a box, it's my box.

    Well, the BIOS could be password protected, the case alarmed if opened. In either case you could work around those, but if I put that box in a busy hallway, that's not going to happen. Combine that with no optical media or USB ports, and I think that's a pretty safe box.

    Now, you could mess with the hardware, via a hardware key logger, but that could be mitigated by soldering the wires directly as opposed to allowing a PS/2 port. And the keyboard could probably be physically hardened to the point that you cannot easily open it.

    Bottom line, physical access is one thing. But tamper-evident measures combined with regular but not continuous observations should enable me to trust that if you do gain access, I will know about it while you are present. Possibly even before you are able to finish gaining access.

    --
    Your ad here. Ask me how!