Tails Distro update fails to address serious zero-day vulnerabilities

Anonymous Coward

in security on 2014-07-22 21:09 (#3RJ)

The Tails Linux distro gained a lot of publicity when Edward Snowden noted it as his operating system of choice. But while TAILS goes to great pains to ensure maximum anonymity when using online services, it is not impenetrable. In fact, the software's design is seriously flawed, says Loc Nguyen, a researcher at Exodus.

Tails is comprised of numerous components working in interchange," he said. ... however because there are numerous inter-locking mechanisms in play on the system, it's difficult to readily pinpoint a particular weak area."

Nguyen and team had identified a number of zero-day vulnerabilities in the distro that have gone unaddressed and remain open even as TAILS releases an update to the software. Exodus said it would release details about the zero-days in a series of blog posts next week. For the Tails platform, privacy is contingent on maintaining anonymity and ensuring their actions and communications are not attributable. Thus, any violation of those foundational pillars should be considering highly critical," added Nguyen. This affects every user of Tails, who should all "diversify security platforms so as not to put all your eggs in one basket", he added. Exodus sells to private and public businesses hoping to use the findings for either offensive or defensive means. Those unconcerned about governments targeting their systems might not be concerned about the Tails zero-days. Others will likely be anxious one of their trusted tools to avoid government hackers contains vulnerabilities that could be exploited to spy on any user of the OS."

More on the vulnerabilities at the Register and Forbes.

5 comments

Meanwhile... (Score: 1, Interesting)

by Anonymous Coward on 2014-07-22 21:14 (#2MB)

Talk on cracking Internet anonymity service Tor withdrawn from conference

By Joseph Menn | SAN FRANCISCO, July 21

"A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.

A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment."

http://www.reuters.com/article/2014/07/21/cybercrime-conference-talk-idUSL2N0PW14320140721
http://www.pcworld.com/article/2456700/black-hat-presentation-on-tor-suddenly-cancelled.html
http://www.theguardian.com/technology/2014/jul/22/is-tor-truly-anonymising-conference-cancelled

Re: Meanwhile... (Score: 1, Interesting)

by Anonymous Coward on 2014-07-22 21:18 (#2MD)

That's spooky and weird. Having something like Tor benefits everyone, even the military. Wonder if it was CMU's - I mean CMU's lawyers' - own choice, or what? Were they asked to keep it down while someone knuckles down and deals with the zero days vulns?

Re: Meanwhile... (Score: 1, Interesting)

by Anonymous Coward on 2014-07-22 21:43 (#2ME)

I feel there's a war on Tor/TAILS.

When it ends and Tor is thrown to the wind, they will continue their attacks against any sort of privacy service which doesn't pay nice with TPTB.

Mega-Dupe (Score: 1)

by zafiro17@pipedot.org on 2014-07-22 22:34 (#2MJ)

Cripes, just saw this was posted at at least two other sites. It's a big story with important consequences - get the word out!

Good points (Score: 2, Insightful)

by nightsky30@pipedot.org on 2014-07-23 12:53 (#2MP)

I agree it's not good to put all of your eggs in one basket. Look at the huge target society has developed that is Windows. No matter who the hackers may be, if we focus on using one single OS or software bundle, we are making their lives easier, and the target larger. There needs to be competing or at least different, friendly, options in OS and software. For a distribution that touts security and anonymity, they really dropped the ball. Zero-days are no joke. Diversity here will help by offering other, possibly more secure alternatives.

This also reminds me of a change they made in Android not too long ago where they randomized the place in memory where running applications were stored. Prior to that I think it was some standard location that allowed for easier exploitation.