Tails Distro update fails to address serious zero-day vulnerabilities

by
Anonymous Coward
in security on (#3RJ)
story imageThe Tails Linux distro gained a lot of publicity when Edward Snowden noted it as his operating system of choice. But while TAILS goes to great pains to ensure maximum anonymity when using online services, it is not impenetrable. In fact, the software's design is seriously flawed, says Loc Nguyen, a researcher at Exodus.
Tails is comprised of numerous components working in interchange," he said. ... however because there are numerous inter-locking mechanisms in play on the system, it's difficult to readily pinpoint a particular weak area."
Nguyen and team had identified a number of zero-day vulnerabilities in the distro that have gone unaddressed and remain open even as TAILS releases an update to the software. Exodus said it would release details about the zero-days in a series of blog posts next week. For the Tails platform, privacy is contingent on maintaining anonymity and ensuring their actions and communications are not attributable. Thus, any violation of those foundational pillars should be considering highly critical," added Nguyen. This affects every user of Tails, who should all "diversify security platforms so as not to put all your eggs in one basket", he added. Exodus sells to private and public businesses hoping to use the findings for either offensive or defensive means. Those unconcerned about governments targeting their systems might not be concerned about the Tails zero-days. Others will likely be anxious one of their trusted tools to avoid government hackers contains vulnerabilities that could be exploited to spy on any user of the OS."

More on the vulnerabilities at the Register and Forbes.

Good points (Score: 2, Insightful)

by nightsky30@pipedot.org on 2014-07-23 12:53 (#2MP)

I agree it's not good to put all of your eggs in one basket. Look at the huge target society has developed that is Windows. No matter who the hackers may be, if we focus on using one single OS or software bundle, we are making their lives easier, and the target larger. There needs to be competing or at least different, friendly, options in OS and software. For a distribution that touts security and anonymity, they really dropped the ball. Zero-days are no joke. Diversity here will help by offering other, possibly more secure alternatives.

This also reminds me of a change they made in Android not too long ago where they randomized the place in memory where running applications were stored. Prior to that I think it was some standard location that allowed for easier exploitation.
Post Comment
Subject
Comment
Captcha
In the number 9296628, what is the 4th digit?