
Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

timothy posted about 3 months ago | from the compared-to-what? dept.

Operating Systems 132

New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.


132 comments


Somehow (-1)

Anonymous Coward | about 3 months ago | (#47508401)

Snowden is involved.

He may be a plant by the NSA to lull those into buying his malarky, and the NSA still has you by the 'nadz!

Re:Somehow (-1, Troll)

Anonymous Coward | about 3 months ago | (#47508615)

Snowden is a relatively junior sysadmin. He didn't have any idea what all he gave to Russia and China and how valuable it is to them. And he really doesn't know much about security or operating systems either.

Re:Somehow (0)

Anonymous Coward | about 3 months ago | (#47508923)

Sure, cold fjord. Not even trying to hide your shilling anymore?

Re:Somehow, downvote (0)

Anonymous Coward | about 3 months ago | (#47510551)

^-- downvote this misinformation.

Curious (0)

Anonymous Coward | about 3 months ago | (#47508413)

What could allow remote code execution in Tails but not affect Firefox or any of the other software us non-terrorists use. A bug in tor itself?

Re:Curious (3, Interesting)

Penguinisto (415985) | about 3 months ago | (#47508443)

What could allow remote code execution in Tails but not affect Firefox or any of the other software us non-terrorists use. A bug in tor itself?

Given that they likely had to add a few custom bits to insure anonymity, and likely modified or ripped out a few other bits, odds are good that the customizations are where the issue lies.

(...then again, perhaps the bug(s) can be found in the std. packages, but the researchers wanted to scare a smaller organization into becoming a customer first?)

Re:Curious (-1)

Anonymous Coward | about 3 months ago | (#47508483)

Given that they likely had to add a few custom bits to insure anonymity

They had to "add bits" to provide insurance for anonymity? The term you were looking for was ensure, you twit.

Re: Curious (-1)

Anonymous Coward | about 3 months ago | (#47508583)

You understood what he meant, so stop being a pedantic faggot.

Re:Curious (0)

Anonymous Coward | about 3 months ago | (#47509867)

What could allow remote code execution in Tails but not affect Firefox or any of the other software us non-terrorists use. A bug in tor itself?

Given that they likely had to add a few custom bits to insure anonymity, and likely modified or ripped out a few other bits, odds are good that the customizations are where the issue lies.

(...then again, perhaps the bug(s) can be found in the std. packages, but the researchers wanted to scare a smaller organization into becoming a customer first?)

ensure.

Re:Curious (-1)

Anonymous Coward | about 3 months ago | (#47508497)

Oh wait, silly me, of course it's an exploit in software we're all using, but we're all supposed to suffer with it to make sure the government can get those dirty terrorpedodruglords. Anyone who objects to hackers running their code on your computer must be a terrorpedodruglord, right?

Wait, wait... (5, Insightful)

Penguinisto (415985) | about 3 months ago | (#47508417)

The company plans to tell the Tails team about the issues "in due time"

I'm 100% certain "in due time" would come a lot sooner if the Tails OS maintainers coughed up the right fee, which means that this is most definitely NOT responsible disclosure.

I get that security researchers have to eat too, but damn - this sort of reeks of extortion. Maybe I'm wrong, but I know if I had a code project and some company said they knew I had holes but refused to tell me upon asking, extortion would be the first effing thought that would come to mind.

Re:Wait, wait... (3, Insightful)

Noryungi (70322) | about 3 months ago | (#47508593)

No, not extortion against Tails - extortion of money from the NSA or whoever else their "clients" are.

I am sure a lot of TLAs right now are salivating -- unless they have discovered these vulnerabilities before Exodus. In which case, silence can be golden, indeed.

Re:Wait, wait... (1)

Anonymous Coward | about 3 months ago | (#47508643)

If you don't think these fees are fair, you can pay someone else to audit your code.

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47509113)

Selling someone's schedule, alarm code and house keys to the highest bidder is not auditing. They're knowingly helping criminals in committing a crime. Of course, the criminal happens to be the government so nothing will come of it.

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47509823)

I don't think the comparison of a private house to a public repository is helpful. If you don't want these guys looking through your code and doing whatever they want with the bugs, then don't publish it.

Wait, wait... (0, Interesting)

Anonymous Coward | about 3 months ago | (#47508801)

<rant>
I don't think people understand what vulnerability sellers really do. They invest thousands of man and computer hours into finding bugs which people are willing to pay lots of money for. As a business, they want to keep their customer base happy, which means allowing their customers (yes, presumably the NSA/FBI/etc.) to use their exploits rather than selling them to Tails OS maintainers. Yes, it's probably the case that these exploits don't just go to nabbing child pornographers or drug traffickers, they also probably try to catch the next Snowden, which not everyone agrees is The Right Thing To Do. But for what it's worth, I'd still trust the US government (even with all its faults) far more than the Russians or Chinese.

But let's be honest here, Tails OS maintainers probably couldn't afford the same price that Exodus's customers will happily pay. Even if Exodus were happy to sell it to the Tails folks, that is certainly going to be a loss of money.

The arguments I'm used to hearing go something like "but it's obviously unethical, they should just responsibly report and disclose vulnerabilities they find". But this is a total crap argument. The options Exodus has aren't "sell to governments" or "responsibly disclose for little to no fee". The options are "sell to governments" or "go out of business". So maybe someone will say "fine, they should go out of business, then we will all obviously be safer!".

But, well, it's not really clear that's the case. If Exodus (or Vupen, or whomever) quit, it's not like suddenly the government would stop looking for exploits. And if the US government did, it's not like China or Russia would. And if they did, it's not like criminal organizations would stop. You aren't going to stop vulnerabilities from happening or being sold. Game theoretically, it seems like the right choice is to keep the US government snatching up what vulnerabilities it can to keep in its back pocket for espionage. Not doing so would be a huge blow to US intelligence agencies, when every other major government out there is working on the same capabilities.

At this point some folks might say: but doesn't that mean we'd all just be safer if the government just released all the vulnerabilities they knew about to vendors to have them patched? Then the Chinese/Russians/criminals wouldn't be able to break in! Sadly, that's not how security works. You can patch 100 vulnerabilities, but if you miss one, you'll still lose. Staying open about every vulnerability would almost certainly hurt foreign intelligence, true, but if the US government is sharing every vulnerability they know about, and $ENEMY isn't, then US intelligence is going to be at a disadvantage, hands down.

So, when Exodus wants to invest time and money in finding exploits in your favorite application and turning a profit to help their government against Chinese/Russian/criminal agencies, that doesn't bother me.
</rant>

Re:Wait, wait... (4, Insightful)

mrchaotica (681592) | about 3 months ago | (#47508913)

The arguments I'm used to hearing go something like "but it's obviously unethical, they should just responsibly report and disclose vulnerabilities they find". But this is a total crap argument. The options Exodus has aren't "sell to governments" or "responsibly disclose for little to no fee". The options are "sell to governments" or "go out of business". So maybe someone will say "fine, they should go out of business, then we will all obviously be safer!".

But, well, it's not really clear that's the case. If Exodus (or Vupen, or whomever) quit, it's not like suddenly the government would stop looking for exploits. And if the US government did, it's not like China or Russia would. And if they did, it's not like criminal organizations would stop. You aren't going to stop vulnerabilities from happening or being sold. Game theoretically, it seems like the right choice is to keep the US government snatching up what vulnerabilities it can to keep in its back pocket for espionage. Not doing so would be a huge blow to US intelligence agencies, when every other major government out there is working on the same capabilities.

So what you're saying is that what Exodus is doing is unethical, but criminals would do the same thing anyway, so we might as well ignore Exodus' unethical behavior because they're on "our side?"

Fuck that, and fuck you!

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47509859)

(I posted the above, but /. is having weird issues with my cookie or something, so it logged me out and posted as AC. Probably beta's fault)


So what you're saying is that what Exodus is doing is unethical, but criminals would do the same thing anyway, so we might as well ignore Exodus' unethical behavior because they're on "our side?"

Fuck that, and fuck you!

So you seem to be saying hacking is never ethical. I'm not really sure that's fair either. Is it ethical for criminals to break into computers to steal money from your bank account? No, I think we can agree on that.

Is it ethical for the CIA to break into computers of terrorists (for the sake of the argument, let's assume they are indeed terrorists)? Let's say they wanted to hack into the computer of Russian separatists to intercept communications to see if they were responsible for the MH 17 incident. Is that ethical? I think it is. Especially when often the alternative to getting necessary intelligence (we don't have to agree all the intelligence the CIA gets is necessary, but surely some of it is) by breaking into computers involves killing people.

So no, I guess what I'm saying is that if Exodus weren't selling bugs to the government, we would be worse off, not better. The world would be a better place if you could prevent 100% of people from having weapons, but that will never happen. Especially if all it takes to make those weapons are people in a room with computers.

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47510099)

Is it ethical for criminals to break into computers to steal money from your bank account? No, I think we can agree on that.

Is it ethical for the CIA to break into computers of terrorists (for the sake of the argument, let's assume they are indeed terrorists)? Let's say they wanted to hack into the computer of Russian separatists to intercept communications to see if they were responsible for the MH 17 incident. Is that ethical? I think it is.

it may be 'ethical' from your point of view
but do they have a warrant?
sure they have reasonable suspicion but does that constitute an invasion of privacy?
should people in the ukraine expect privacy?
should the rest of the world?
should the united states?
if i thought my wife was at your house because i am an over-bearing suspicious asshole and i saw you talking to her yesterday -
does that mean it's ethical for me to peep in your windows
trespass on your property or break into your house?

ethics are funny, and just like the rest of reality they are prone to the many, various viewing angles of our limited perception.

Re:Wait, wait... (1)

mrchaotica (681592) | about 3 months ago | (#47510147)

So you seem to be saying hacking is never ethical.

Hacking with responsible disclosure is ethical. The fact that it may not be possible to do so profitably is irrelevant.

Hacking without responsible disclosure is always unethical, and what others choose to do is irrelevant. The fact that somebody else is acting unethically is not an excuse for you to act unethically too!

So no, I guess what I'm saying is that if Exodus weren't selling bugs to the government, we would be worse off, not better.

No. We're exactly equally bad off in either case. An attacker is an attacker. I have no confidence whatsoever that giving the NSA the exploits helps the American public, but even if I did the act of doing so would still be unethical!

Didn't your parents ever ask you rhetorical questions like "if your friends all jumped off a bridge, does that mean you should do it too?" or tell you "the ends do not justify the means" when you were a kid?

Re:Wait, wait... (1)

tylerni7 (944579) | about 3 months ago | (#47510561)

Ugh, maybe on this computer my replies will show up with my user account (I don't mind a bit of bad karma every now and then, and I think it is hard to have an actual discussion with an AC post). Anyway...

Didn't your parents ever ask you rhetorical questions like "if your friends all jumped off a bridge, does that mean you should do it too?" or tell you "the ends do not justify the means" when you were a kid?

I think this is more akin to "an eye for an eye makes the whole world blind". But obviously, just because something is a catchy statement, that doesn't mean it's good advice.
If other people are attacking you, should you lay down all your weapons and hope they do the same? Maybe, but it's not a cut and dry situation like you make it out to be. I agree that in an ideal world, no one would exploit anyone, and all of our software would be bug free. But it seems naive to base our actions off of that world view when it is not the case. Is fighting and war bad? Yes. But I don't think a Gandhi approach will work in all situations, and sometimes fighting back is necessary. (That doesn't mean all cases, of course.)

Hacking without responsible disclosure is always unethical, and what others choose to do is irrelevant.

I think this is an incredibly bold statement. I think it's a bit hard to judge the ethics of exploiting a computer "in a vacuum", the context certainly matters. Let's take a hypothetical situation: if a computer was used as the trigger for a bomb which was going to go off and kill 100 people, would it not be ethical to hack in to the computer and disable it? [we can assume it also has all the fancy triggering mechanisms in place.. capacitive sensing in case someone gets too close, tilt/shock sensors in case something tries to move it, etc]
I find that belief absurd. And while I'm sure that wasn't the situation you envisioned when you made that claim, I think it's important to note there are certainly extreme cases where hacking into a computer is clearly ethical.
If we're able to agree that sometimes computer hacking is ethical, then it just becomes a question of where the line is drawn. How much personal information needs to be on the computer about to detonate a bomb before you decide it isn't The Right Thing To Do to hack in? I am sure there are cases where the government is happy to hack into something that I think is ethically dubious, but again, I think it is absurd to say it is never ethical.

The other thing is you have to consider that "cyber weapons" mean governments can gain intelligence or affect systems without hurting people. Stuxnet is an interesting example. How many lives would have been lost if instead someone bombed the Iranian nuclear facility, or killed off Iranian scientists (yes, I know this still happens anyway, sadly)? Stuxnet was a virus that infected the public's computers as well.
Based on our discussion so far I would expect you to say something like "well sure, maybe it's better than bombing, but having neither would be even better". That's a totally understandable stance, but again, that isn't the world we live in. I think it's a step in the right direction to at least try to minimize deaths.
Anyway, it doesn't sound like we're going to come to an agreement on anything, and that's fine. I definitely understand how hacking can be a moral grey area, and not everyone has to agree. However, I just hope people will accept that it is at least a moral grey area, rather than a moral black area.

Re:Wait, wait... (2)

Unordained (262962) | about 3 months ago | (#47508933)

http://www.wired.com/2014/04/o... [wired.com]

We can still break into the systems we "need" to break into, without keeping a full hand of all possible vulnerabilities. To reduce our overall exposure to risk, it makes sense to disclose most of these to vendors for patching, maybe some with a delay. Our government can buy up vulnerabilities from Exodus, then release them -- Exodus gets paid, we get somewhat better security all around, and the NSA gets a few last holes to work with.

Re:Wait, wait... (1)

compro01 (777531) | about 3 months ago | (#47509117)

Our government can buy up vulnerabilities from Exodus, then release them

Or just buy up Exodus, period, continue operating it as a GOC, and release vulnerabilities as they're discovered.

Re:Wait, wait... (1)

gl4ss (559668) | about 3 months ago | (#47509053)

but if I did it and sold it on the market on the country that I am in or their neighbouring countries then I would be unethical/criminal?

wtf? there's no "due time".

they could be just bullshitting too and just waiting for fixes to come in and then say "yeah those were the vulns".

furthermore, they would be vulnerabilities on the firefox code or the tor code which would count as news on their own. or perhaps they're just buggy drivers for wifi or ethernet. we don't know and now they're just doing two things, scaremongering and fishing for money from companies. they're using this as advertisement. "pay us or we'll sell exploits to your sw and not tell you" which is pretty much exactly what "black hat" exploit sellers are doing so does their work bother you? if not, ok.

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47509055)

But for what it's worth, I'd still trust the US government (even with all its faults) far more than the Russians or Chinese.

You just as well forget that Exodus is just, if not more, probable to be selling these exploits to the Russians and the Chinese. It is, after all, the case that Tor was created and then supported by the US government precisely for those in oppressive regimes like Russia and China (and ironically can be applied to the US, but that's another story) who otherwise would have their free speech suppressed. So, who would logically be on the short list to buy vulnerabilities? Why, governments that have no compunction about violating the privacy and speech rights of individuals in the name of "national harmony".

So, when Exodus wants to invest time and money in finding exploits in your favorite application and turning a profit to help their government against Chinese/Russian/criminal agencies, that doesn't bother me.

Even presuming they're not selling the exploits to Chinese/Russian/criminal agencies, there's every bit of evidence the NSA has used their own surveillance for corporate espionage against foreign multinational corporations for American corporations. Now, perhaps in your eyes that makes them a "criminal organization". But, if not, then it stands to reason that any corporation doing their own espionage would be fair game to buy these exploits as well.

You see, the whole notion that unethical things can be done ethically by a select few and therefore it's okay is just wrong. The whole Justice system isn't based upon the idea that the executioner is some holy sage engaging in some divine right. It's that if a death penalty or an imprisonment is a necessary evil, yet an evil nonetheless. And at every step along the way, we should be as transparent as possible about what is happening and try to correct when unnecessary evil happens.

Every bit of Exodus making clandestine sales to who knows whom and organizations like the NSA being incredibly opaque only highlights how wrong the system is. Waving a magic level of trust in them is just plain stupidity--except to the extent that the degree of unnecessary evil has, in the past, shown to be less than the Russian or Chinese governments so we can likely presume that the unnecessary evil of today will likely be less as well (although that inherently grants them the ability to be nearly as bad as the Russians and still be okay by you). No matter how you look at it, the argument that we're heading towards an even worse police state so we should side with the lesser of two or three evils is just wrong.

Re:Wait, wait... (1)

Boronx (228853) | about 3 months ago | (#47509087)

Libertarianism run amok. Apparently the need to stay in business trumps any moral concerns.

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47509863)

don't blame this on libertarianism you fucking slav

Re:Wait, wait... (1)

Boronx (228853) | about 3 months ago | (#47510155)

Response to parent post, you brain-dead moron.

Re:Wait, wait... (1)

Archangel Michael (180766) | about 3 months ago | (#47510667)

Business is neither moral, nor immoral but AMORAL. People are either moral, or immoral, they are not amoral. Everyone is a hypocrite, at some point will violate their own moral code. This is called situational ethics, and is popular in politics.

If your personal code of ethics prevents you from doing business with people who are hypocritical (evil, bad, immoral etc), then you'll be doing business with nobody. The best you can do is do business with people who support your ideals more often than the other guys.

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47509845)

if vupen and exodus weren't wormy pieces of #$!% they would responsibly disclose vulns to free software projects for free. If they want to find and sell info on vulns in proprietary code then that's fine. that's part of the deal with the devil that closed source vendors made and they deserve what that produces.

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47509933)

and you know they aren't selling to criminals because....????

Re:Wait, wait... (4, Insightful)

sjames (1099) | about 3 months ago | (#47508893)

Doesn't that put them dangerously close to criminal like the guys that sell zero days to the Russian mob?

I'm thinking yes but it will be ignored because their customers include bad guys within the U.S. government.

OT: signature (1)

cant_get_a_good_nick (172131) | about 3 months ago | (#47509549)

I'm stealing your signature...

Re:Wait, wait... (0)

Anonymous Coward | about 3 months ago | (#47509739)

i don't know if i'd believe this, this company would be under an NDA etc. it's prolly just a scare tactic to move you away from it, along similar lines as tor being used to paint targets.

Open sores software? No thanks! (-1)

Anonymous Coward | about 3 months ago | (#47508425)

If you want security why would you use open sores software? Did these idiots miss the heartbleed fiasco and how Tor's security is swiss cheese to the NSA and FBI?

Re:Open sores software? No thanks! (-1)

Anonymous Coward | about 3 months ago | (#47508517)

Wow... you shills comment on literally every post don't you? How much money do you guys make? Is this a legitimate work-at-home with full government benefits or do you worry sometimes that they won't cut you a check? I've had bad luck with these kinds of things. Let a brotha know!

Re:Open sores software? No thanks! (1)

Mordok-DestroyerOfWo (1000167) | about 3 months ago | (#47508571)

My theory is that Steve Ballmer is bored in his retirement and feels the need to troll open source sites.

Re:Open sores software? No thanks! (0)

Anonymous Coward | about 3 months ago | (#47508641)

Way to not address my points. Defend and deflect at all costs!!

Tor's "security" is a total joke. The FBI and NSA can easily deanonymise people or simply use their own nodes to inject malware into people's computers to pwn you that way.

Re:Open sores software? No thanks! (0)

Anonymous Coward | about 3 months ago | (#47508985)

Wow... you shills comment on literally every post don't you? How much money do you guys make? Is this a legitimate work-at-home with full government benefits or do you worry sometimes that they won't cut you a check? I've had bad luck with these kinds of things. Let a brotha know!

I think you know it already, as you happen to have an established shilling career for The Linux Foundation.

Re: Open sores software? No thanks! (0)

Anonymous Coward | about 3 months ago | (#47509563)

Yes, but open source (volunteer) shilling doesn't pay so good.

Re:Open sores software? No thanks! (0)

Anonymous Coward | about 3 months ago | (#47509941)

what, your co-conspirators at your favorite slaveware peddling company didn't use openssl? If companies donated just 10% of what they shell out for slaveware the open source projects they use would be way better than anything else available (even though lots already are, despite the selfish users). These dumb bastards think they are comparing two "products" so it's ok to criticize. One is a deceptive product aimed at stealing your kids' future and one is a contribution to humanity. You don't get to criticize b/c you're part of the problem. I think deep down you already know this is true, but you're too much of a liar to admit it.

They have no accountability (4, Insightful)

stewsters (1406737) | about 3 months ago | (#47508457)

So they are selling vulnerabilities to hackers rather than telling the source maintainers? That's irresponsible at best.

Re:They have no accountability (1)

Minupla (62455) | about 3 months ago | (#47508533)

Agreed - and in this case "Hackers" == "Nation States"

Re:They have no accountability (1)

klui (457783) | about 3 months ago | (#47508535)

They're either selling or sold the vulnerability to government agencies or just FUD against Tails.

Re:They have no accountability (1)

eulernet (1132389) | about 3 months ago | (#47509295)

No, this is business.
Why would you want to use morality in business?

Scaremongering? (1)

Anonymous Coward | about 3 months ago | (#47508459)

Every OS has 0-day issues - no such thing as an OS without them. However, dare I say that there is a little scaremongering on here in relation to Tails? If you can't stop them throw some mud or sow the seeds of doubt?

Re:Scaremongering? (1)

K. S. Kyosuke (729550) | about 3 months ago | (#47508789)

Every OS has 0-day issues - no such thing as an OS without them.

Except for Oberon... (And other similar designs in the spirit of "obviously no deficiencies")

Re:Scaremongering? (1)

Actually, I do RTFA (1058596) | about 3 months ago | (#47509603)

How does that work? If there is an easy way to guarantee no deficiencies, why isn't it used always?

Re:Scaremongering? (1)

K. S. Kyosuke (729550) | about 3 months ago | (#47509787)

Because small software fell out of favor some time ago. And it doesn't do HTML5 yet. :-) (It may not be actually easy, but compared to the man-years needed to create the 100MLOC behemoths of today, it doesn't seem such a far-fetched prospect to me! Especially if we're talking about specialized secure computing systems, where one might be expected to be willing to do a few sacrifices...)

Re:Scaremongering? (1)

Actually, I do RTFA (1058596) | about 3 months ago | (#47509931)

How does it assure no deficiencies? And why don't other projects use that methodology?

FUD? (5, Insightful)

Joe Gillian (3683399) | about 3 months ago | (#47508475)

This sounds like FUD against Tails. A security research firm finds some undisclosed zero-days in Tails, but doesn't describe what they could do - arbitrary code execution? De-anonymization? They then go on to say that they haven't told the Tails maintainers what the vulnerabilities are, but will "in due time", implying they're going to sell them off to the government first. Exodus Intelligence also does a lot of business with the US government, possibly including the NSA.

To me, this sounds like they probably found some minor zero-days and are trying to spread FUD (likely spurred on by their clients in the government) to get people to stop using Tails. After all, we know that the NSA is trying to put people who attempt to download Tails on a watchlist for further scrutiny.

Re:FUD? (0)

Anonymous Coward | about 3 months ago | (#47508555)

This is indeed, FUD.

Re:FUD? (0)

Anonymous Coward | about 3 months ago | (#47508591)

I came here to post this comment, but in a shorter form:

That's what they would say, wouldn't they.

Re:FUD? (3, Insightful)

thoriumbr (1152281) | about 3 months ago | (#47508697)

I don't think this is FUD.

If any government gets to know that you have an exploit for a very secure system they are targeting, you will surely be contacted and will earn a lot of money. Disclosing the vulnerability to the maintainers will destroy a great part of the value.

I would tell it's FUD if the vulns were advertised by some competing Linux distro.

It's FUD? (1)

Cid Highwind (9258) | about 3 months ago | (#47508999)

Disclosing the existence of a vulnerability destroys a lot of its value, too. People who can stop using Tails until the issue is sorted out will do so, shutting off whatever intelligence could be gathered from them. If these guys had a real-world exploitable vulnerability and a willingness to sell it to the NSA, they would have sold it and said nothing.

Re:It's FUD? (0)

Anonymous Coward | about 3 months ago | (#47509839)

this was exactly my two points

Re:It's FUD? (0)

Anonymous Coward | about 3 months ago | (#47509923)

what if the bug isn't in tails/tor, but i2p ?
misinformation win.

Re:FUD? (4, Insightful)

bmo (77928) | about 3 months ago | (#47508889)

Carnegie Mellon is suppressing de-anonymising TOR discussion at Black Hat.

Talk on cracking Internet anonymity service Tor withdrawn from conference

By Joseph Menn

SAN FRANCISCO, July 21 Mon Jul 21, 2014 1:05pm EDT

(Reuters) - A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.

A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment. (Reporting by Joseph Menn; Editing by Chris Reese)

------

My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion that TOR is somehow ineffective alive. Let your mind run wild with speculation.

--
BMO

http://www.reuters.com/article... [reuters.com]

Re:FUD? (3, Informative)

Anonymous Coward | about 3 months ago | (#47509703)

> My guess is that someone wants the hole (if there is one) kept open a while longer or the suspicion
> that TOR is somehow ineffective alive. Let your mind run wild with speculation.

Or...

The lawyers are worried that the testing violated wiretap laws and are trying to reduce CMU's legal liability. [techdirt.com]

Re:FUD? (0)

Anonymous Coward | about 3 months ago | (#47509783)

OR they're pissed cuz they did find a zero day in tails and got blocked by something else in it lol

Bogus Article (0)

Anonymous Coward | about 3 months ago | (#47508501)

Consider the details:
- "We have a vulnerability and we're not telling you what it is!"
- The vulnerability only works on the newest upcoming Tails release! If you want to be secure, run old unpatched OSes.

If this doesn't sound like the NSA selling Dual_EC_DRBG or one of their other super secure extra-short key length ECC solutions, I don't know what does.

what environments allow USB boot? (1)

Gothmolly (148874) | about 3 months ago | (#47508527)

What kind of real environment allows boot from a USB drive?

Re:what environments allow USB boot? (2)

Noryungi (70322) | about 3 months ago | (#47508613)

Anything that has a USB port, really.

Essentially, anything that is run by NGOs or individuals.

Sure, in a corporate or governmental/military environment, USB ports are usually a big "no no", but some of us like our USB gadgets.

(Yes, before anyone asks, there has been infiltration through contaminated USB drives and keys "abandoned" in strategic locations...)

Re:what environments allow USB boot? (1)

watcher-rv4 (2712547) | about 3 months ago | (#47508825)

Stuxnet on that Iranian nuclear plant?

Re:what environments allow USB boot? (0)

Anonymous Coward | about 3 months ago | (#47508699)

Everything but a Windows RT box.

Re:what environments allow USB boot? (5, Insightful)

dave562 (969951) | about 3 months ago | (#47508785)

The kind of environment where the attacker is a sysadmin with access to the box and the ability to do whatever they feel like with BIOS, including enabling USB boot.

The default security posture of most organizations these days is to assume that a trusted insider will exploit the system at some point. Therefore everyone is implementing damage mitigation techniques so that they can respond quickly and understand the scope of the inevitable breach when it does occur.

Everyone is watching everyone else. The security guys get access to the firewalls and the IDS, but cannot touch the servers. The server guys cannot touch the backups. The backup team cannot initiate a restore without two levels of change control approval. It is a serious PITA for everyone involved and a gross inefficiency.

The first time an auditor told me that they cannot trust me, my knee jerk reaction was to tell them to go fuck themselves. Eventually I realized that I am in a very risky position with access to a lot of sensitive information. The key is not that they do not trust me, it is that they CANNOT trust me. While I may be trustworthy, who is to say that someone else in my same position, with my same level of access, is also trustworthy? Just like I have to assume that any executable downloaded from the internet is potentially full of malicious code, the risk management folks have to assume that every sysadmin in the organization is potentially full of malicious intent.

Re:what environments allow USB boot? (0)

Anonymous Coward | about 3 months ago | (#47509009)

This is it in a nutshell: you give me physical access to a box, it's my box. Either you trust me with that responsibility, or you don't, but don't kid yourself into thinking that I couldn't do whatever I want with it.

So, as you say, you CANNOT trust me. But, you sort of have to. So... now what?

Re:what environments allow USB boot? (2)

dave562 (969951) | about 3 months ago | (#47509337)

Trust but verify.

Re:what environments allow USB boot? (2)

Actually, I do RTFA (1058596) | about 3 months ago | (#47509631)

you give me physical access to a box, it's my box.

Well, the BIOS could be password protected, the case alarmed if opened. In either case you could work around those, but if I put that box in a busy hallway, that's not going to happen. Combine that with no optical media or USB ports, and I think that's a pretty safe box.

Now, you could mess with the hardware, via a hardware key logger, but that could be mitigated by soldering the wires directly as opposed to allowing a PS/2 port. And the keyboard could probably be physically hardened to the point that you cannot easily open it.

Bottom line, physical access is one thing. But tamper-evident measures combined with regular but not continuous observations should enable me to trust that if you do gain access, I will know about it while you are present. Possibly even before you are able to finish gaining access.

Re:what environments allow USB boot? (0)

Anonymous Coward | about 3 months ago | (#47510237)

No USB ports? How will you plug in the mouse?

Re:what environments allow USB boot? (1)

Actually, I do RTFA (1058596) | about 3 months ago | (#47510383)

Well, you could use PS/2, or serial, or even say "fuck it, no mouse for you. Here's a command line and a tab key."

Re:what environments allow USB boot? (1)

mspohr (589790) | about 3 months ago | (#47508897)

I've used TAILS to do banking when I'm traveling and only have access to dodgy WiFi or hotel computers. I've found that it will boot and run on most any computer... sometimes you need to call up the boot menu and select the USB drive, other times "it just works".
It boots and runs from the USB stick and doesn't use the computer's mass storage at all. It performs a wipe of the RAM on exit. It encrypts everything, uses HTTPS and TOR; has a minimal secure browser and a more full-featured insecure browser. OpenPGP for email and documents.
However, it probably has some vulnerabilities. For instance, a hardware keylogger on the machine... however, they have a randomized on-screen keyboard to use to get around this.
That said, this "security" company which sent out this press release seems like your typical collection of greedy entitled bastards who aim to benefit financially from their FUD.

Classic Spook Stuff... (0)

CaptainOfSpray (1229754) | about 3 months ago | (#47508549)

Tails is clearly a big problem for the NSA. They can't crack it, so they spread disinformation and FUD instead, to put people off using it.

These people "Exodus Intelligence", who are they, where do they come from, what is their agenda, and how much are the Five Eyes paying to discredit Tails?

Obligatory NSA food: Kalashnikov, Handbook of Urban Guerilla, bomb factory, Edward Snowden was right, GCHQ is staffed by lackeys and lickspittles.

Re:Classic Spook Stuff... (1)

Noryungi (70322) | about 3 months ago | (#47508633)

I think you forgot "FCUK NSA" somewhere in that NSA food... Or is it "FSCK GCHQ"?

Re:Classic Spook Stuff... (1)

CaptainOfSpray (1229754) | about 3 months ago | (#47508735)

F**k 'em both, and the equivalents in Canada, Oz, and NZ, and the lazy, corrupt and incompetent oversight committees. Oh and by the way, did you notice the Germans have been at it too, though not on the same scale.

I am now Officially In a Bad Mood, at which point I am quite likely to send a sizable donation to the people who make Tails, and I encourage y'all to do the same.

Re:Classic Spook Stuff... (1)

Noryungi (70322) | about 3 months ago | (#47508751)

Amen, brother.

(And don't forget the French!)

Re:Classic Spook Stuff... (2)

dave562 (969951) | about 3 months ago | (#47508793)

You do realize that you forgot to fnord that and they can totally see what you wrote, right?

Re:Classic Spook Stuff... (1)

CaptainOfSpray (1229754) | about 3 months ago | (#47509205)

Oh sorry, should I be encrypting my NSA Food, to make sure they read it?

Re:Classic Spook Stuff... (1)

dave562 (969951) | about 3 months ago | (#47509333)

Have no fear. /. is collection friendly, with the data being sent in plaintext. They have all of our posts, and sort them for content and categorize them by context.

Re:Classic Spook Stuff... (0)

Anonymous Coward | about 3 months ago | (#47509035)

Or how about this: the Tails OS was made by the NSA or Russia. It really depends on whether or not Snowden is a double or triple agent :-p.

Re:Classic Spook Stuff... (0)

Anonymous Coward | about 3 months ago | (#47509237)

They can't crack Tails? Hahahaahaha. Best joke posted all day.

Conspiracy theory (3, Interesting)

Charliemopps (1157495) | about 3 months ago | (#47508629)

Sounds fishy to me...
Perhaps the NSA (or another agency) has another Snowden on their hands and paid Exodus for this "release" to scare the leaker into not sending their data out...

Re:Conspiracy theory (4, Funny)

dave562 (969951) | about 3 months ago | (#47508797)

Now THIS is the level of paranoia that I like to see.

Re:Conspiracy theory (0)

Anonymous Coward | about 3 months ago | (#47508911)

You are not paranoid if they really are out to get you. So I keep my data on paper tape and punch cards. Nobody has equipment to read that anymore...

Re:Conspiracy theory (1)

Charliemopps (1157495) | about 3 months ago | (#47509257)

Now THIS is the level of paranoia that I like to see.

It's funny what you'll believe when you can't believe anything anymore.

Re:Conspiracy theory (1)

meta-monkey (321000) | about 3 months ago | (#47509795)

That's a depressingly accurate statement.

Re:Conspiracy theory (0)

Anonymous Coward | about 3 months ago | (#47509327)

It's an appropriate level of paranoia if you have a serious need for anything like Tails, to begin with. Which is just about everyone, if they think about it.

Seriously looks like disinfo of some sort, tho. Arbitrage, at best. Put up or shut up, Exodus. So far you have shown 0 evidence of 0-day exploits. Just a bare assertion. Much like the entire news media, anymore. Facts? Don't confuse us with facts. We KNOW what happened.

Folks, this is why full disclosure is necessary. Nothing else can be trusted.

Asshats (0)

Anonymous Coward | about 3 months ago | (#47508713)

They are doing it wrong. Notify then publicize.

Curiosity (1)

watcher-rv4 (2712547) | about 3 months ago | (#47508867)

All this gave me the will to take a look at Tails.

One...MIIIILLLLION Dollars! (0)

Anonymous Coward | about 3 months ago | (#47508935)

Dr. Evil strikes again.

They have nothing! (0)

xednieht (1117791) | about 3 months ago | (#47509365)

Exodus Intelligence - a euphemism for cock-sucking maggots. It's just FUD. Their techs are second rate hacks who couldn't make it in the ether and decided to get day jobs and pay taxes instead.

Info arbitrage for fun and profit (0)

Anonymous Coward | about 3 months ago | (#47509453)

Wonder if Exodus' directors have considered what the civil or criminal liabilities could be for knowingly withholding information that could have prevented deaths, torture, catastrophic damages, data loss or theft, etc., just for a few bucks. Wonder also if their customers couldn't be liable or complicit as well. Would RICO apply here, I wonder? Patriot Act? Could not advertising such knowledge be considered a form of terrorism? Reverse blackmail?

If not, then why is there such a double standard vis-a-vis "white hats" and cops who constantly have to shit on hackers in order to shine their Eagle Scout good-guy badges, when anyone with any knowledge knows they're as dirty as anyone else. If not more so.

Whatever. Anyway, I hear some room's been freed up at Gitmo...

Re:Info arbitrage for fun and profit (0)

Anonymous Coward | about 3 months ago | (#47509605)

Not just hackers, either. Simply being an honest, uncompromising reporter or whistleblower will do. 'Course, there are fewer and fewer of them, and most have been harassed and chokepointed into "mere" uncredentialed bloggers of dubious repute.

P.S. for all you honest cops and businessmen out there, didn't mean to tar you with that brush. You know who we're talking about here. If, and I say this advisedly, you don't have your head up your ass, like some misguided, brainwashed, bamboozled Dudley Do-Rights I know.

Zero Days? Updates? (1)

cant_get_a_good_nick (172131) | about 3 months ago | (#47509523)

Not a troll, but how do you get updates on a LiveCD? A good safe distro would not only update bad code easily, but also prevent whatever malware gets in from writing to local disc. What to do?

Re:Zero Days? Updates? (0)

Anonymous Coward | about 3 months ago | (#47509989)

You download the new version and burn it, dude.

Re:Zero Days? Updates? (1)

mspohr (589790) | about 3 months ago | (#47510119)

We're talking about a USB stick.
I just updated my TAILS USB... password, trusted repository, good to go.
If you want, you can use a Live CD but then you can't have any encrypted local storage.

How do you think they get your IP? (0)

Anonymous Coward | about 3 months ago | (#47509811)

I suppose if they can execute remote code, they can find the BIOS, MB, and hardware MAC address, but if you never use your hardware MAC address and never not use Tor, then it's not correlatable. They can ping a server that will give away your IP, but what if your router is routing through Tor and your computer does not have access to it? I figured it was hackable, although I thought it was likely a browser issue because, being in a life-long weird-ass CIA experiment, everything I use gets hacked into, like a sort of game, and it's usually noticeable, although they may make it noticeable on purpose, but I'm wondering if there are precautions that can be taken, like the aforementioned: set the router to route through Tor so no IP can be deduced, and don't give your computer access to the router, and the one that does have access should be kept offline; plus the router should not allow configuration access from the computer being used. In addition, I think the entry point to Tor should be a trusted entry point, as if you're connected to one of their relays or a hacked relay, then they can correlate data patterns with your IP. The problem is largely a long-held IP system.

Earlier Submission (0)

Anonymous Coward | about 3 months ago | (#47509879)

"We're happy to see that TAILS 1.1 is being released tomorrow. Our multiple RCE/de-anonymization zero-days are still effective."

via @ExodusIntel: https://twitter.com/ExodusInte... [twitter.com]

#$%#

"Exploit Dealer: Snowden's Favourite OS TAILS Has Zero-Day Vulnerabilities Lurking Inside"

Thomas Brewster | Security | 7/21/2014 @ 2:14PM

http://www.forbes.com/sites/th... [forbes.com]

#$%#

"The flaws work on the latest version of TAILS and allow for the ability to exploit a targeted user, both for de-anonymisation and remote code execution," said Loc Nguyen, a researcher at Exodus. Remote code execution means a hacker can do almost anything they want to the victim's system, such as installing malware or siphoning off files.

"Considering that the purpose of TAILS is to provide a secure non-attributable platform for communications, users are verifiably at-risk due to these flaws. For the TAILS platform, privacy is contingent on maintaining anonymity and ensuring their actions and communications are not attributable. Thus, any violation of those foundational pillars should be considered highly critical," added Nguyen. This affects every user of TAILS, who should all "diversify security platforms so as not to put all your eggs in one basket", he added.

All users, including Snowden, should be wary of using TAILS with a false sense of security, though it's still more likely to protect anonymity than Windows. Exodus sells to private and public businesses hoping to use the findings for either offensive or defensive means. Those unconcerned about governments targeting their systems might not be concerned about the TAILS zero-days. Others will likely be anxious one of their trusted tools to avoid government hackers contains vulnerabilities that could be exploited to spy on any user of the OS."

#$%#

Don't look, Snowden: Security biz chases TAILS with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS

By Iain Thomson | 21 Jul 2014

http://www.theregister.co.uk/2... [theregister.co.uk]

#$%#

RE: TAILS: https://tails.boum.org/ [boum.org]

"Details"? (0)

Anonymous Coward | about 3 months ago | (#47510067)

That word must have undergone some rapid semantic shift. They're spreading unspecific rumours to discredit Tails.

They're everywhere! (1)

viperidaenz (2515578) | about 3 months ago | (#47510365)

It's an NSA backdoor!
