Tails Distro update fails to address serious zero-day vulnerabilities
The Tails Linux distro gained a lot of publicity when Edward Snowden noted it as his operating system of choice. But while TAILS goes to great pains to ensure maximum anonymity when using online services, it is not impenetrable. In fact, the software's design is seriously flawed, says Loc Nguyen, a researcher at Exodus.
More on the vulnerabilities at the Register and Forbes.
Tails is comprised of numerous components working in interchange," he said. ... however because there are numerous inter-locking mechanisms in play on the system, it's difficult to readily pinpoint a particular weak area."Nguyen and team had identified a number of zero-day vulnerabilities in the distro that have gone unaddressed and remain open even as TAILS releases an update to the software. Exodus said it would release details about the zero-days in a series of blog posts next week. For the Tails platform, privacy is contingent on maintaining anonymity and ensuring their actions and communications are not attributable. Thus, any violation of those foundational pillars should be considering highly critical," added Nguyen. This affects every user of Tails, who should all "diversify security platforms so as not to put all your eggs in one basket", he added. Exodus sells to private and public businesses hoping to use the findings for either offensive or defensive means. Those unconcerned about governments targeting their systems might not be concerned about the Tails zero-days. Others will likely be anxious one of their trusted tools to avoid government hackers contains vulnerabilities that could be exploited to spy on any user of the OS."
More on the vulnerabilities at the Register and Forbes.
By Joseph Menn | SAN FRANCISCO, July 21
"A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.
A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment."
http://www.reuters.com/article/2014/07/21/cybercrime-conference-talk-idUSL2N0PW14320140721
http://www.pcworld.com/article/2456700/black-hat-presentation-on-tor-suddenly-cancelled.html
http://www.theguardian.com/technology/2014/jul/22/is-tor-truly-anonymising-conference-cancelled