The Register reports that separate sources - possibly all originating from one source - report that TAILS 1.1, due for release tomorrow, contains zero-day vulnerabilities:
"We're happy to see that TAILS 1.1 is being released tomorrow. Our multiple RCE/de-anonymization zero-days are still effective." -via @ExodusIntel: https://twitter.com/ExodusIntel
"Exploit Dealer: Snowden's Favourite OS Tails Has Zero-Day Vulnerabilities Lurking Inside" - Thomas Brewster | Security | 7/21/2014 @ 2:14PM
"The flaws work on the latest version of Tails and allow for the ability to exploit a targeted user, both for de-anonymisation and remote code execution," said Loc Nguyen a researcher at Exodus. Remote code execution means a hacker can do almost anything they want to the victim's system, such as installing malware or siphoning off files.
"Considering that the purpose of Tails is to provide a secure non-attributable platform for communications, users are verifiably at-risk due to these flaws. For the Tails platform, privacy is contingent on maintaining anonymity and ensuring their actions and communications are not attributable. Thus, any violation of those foundational pillars should be considering highly critical," added Nguyen. This affects every user of Tails, who should all "diversify security platforms so as not to put all your eggs in one basket", he added.
All users, including Snowden, should be wary of using Tails with a false sense of security, though it's still more likely to protect anonymity than Windows. Exodus sells to private and public businesses hoping to use the findings for either offensive or defensive means. Those unconcerned about governments targeting their systems might not be concerned about the Tails zero-days. Others will likely be anxious one of their trusted tools to avoid government hackers contains vulnerabilities that could be exploited to spy on any user of the OS."
Exodus have promised not to sell their findings but say that they will work with the TAILS team - but that is how they make their money so I'm not sure how much faith one should put in that remark. They also claim that they will publish the vulnerabilities in their blog next week.
(Score: 1, Offtopic) by Jeremiah Cornelius on Tuesday July 22 2014, @08:00PM
And I just found it... :-P
Really, this isn't startling that 0-day were found here. I hope the finders have a higher ethical calling than mere national patriotism, political affiliation or mere profit.
On second thought, I guess we're screwed.
You're betting on the pantomime horse...
(Score: 2, Interesting) by Anonymous Coward on Tuesday July 22 2014, @08:14PM
Talk on cracking Internet anonymity service Tor withdrawn from conference
By Joseph Menn | SAN FRANCISCO, July 21
"A heavily anticipated talk on how to identify users of the Tor Internet privacy service has been withdrawn from the upcoming Black Hat security conference.
A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment."
http://www.reuters.com/article/2014/07/21/cybercrime-conference-talk-idUSL2N0PW14320140721 [reuters.com]
http://www.pcworld.com/article/2456700/black-hat-presentation-on-tor-suddenly-cancelled.html [pcworld.com]
http://www.theguardian.com/technology/2014/jul/22/is-tor-truly-anonymising-conference-cancelled [theguardian.com]
(Score: 3, Insightful) by buswolley on Tuesday July 22 2014, @08:27PM
Apparently, this is only for the NSA's ears. :)
subicular junctures
(Score: 3, Interesting) by mrchew1982 on Tuesday July 22 2014, @09:58PM
There is the remote possibility that this and the op's articles are false flag operations by the NSA to try and drive people away from truly secure systems and back into something that they control. Seems a little deep to me but since no one has been forthcoming with details its tenable.
I honestly believe that any end user attempts at anonymity are doomed, no matter how hard we try its just a band aid on top of a festering wound. I have much higher hopes for the ethos that was shared at that hacker convention, let's bake anonymity right into the protocols themselves.
(Score: 1, Insightful) by Anonymous Coward on Tuesday July 22 2014, @08:39PM
Fed ex overnight and be done. Every one thinks it has to be digital but throw them a curve and do it old school. They probably won't look there or if they know your sending it by fed ex they have to actually send someone to go look and ...let's face it....they would rather sit at their offices then walk. Better yet...don't be a moron and they won't care about you cheating on your wife, the beastiality you like, or that you made $4,000 under the table.
(Score: 0) by Anonymous Coward on Wednesday July 23 2014, @07:19AM
It's "bestiality."
Err, or so I'm told.
(Score: 0) by Anonymous Coward on Wednesday July 23 2014, @09:08AM
"Don't be a moron" sounds an awful lot like "nothing to hide". The point of having this kind of dirt on everyone is not to use it against everyone, it's to be able to use it against anyone. Especially anyone that tries to rock the boat politically, like say Martin Luther King Jr [wikipedia.org]. That's why mass surveillance (and indeed almost all surveillance of civilians) is so incredibly wrong - because it normalizes this type of activity.
(Score: 4, Interesting) by metamonkey on Tuesday July 22 2014, @08:45PM
I can believe de-anonymization. I do not believe remote code execution. Against what? There's almost nothing running on Tails. It's not serving anything. There's no surface area for your attack.
Okay 3, 2, 1, let's jam.
(Score: 0) by Anonymous Coward on Tuesday July 22 2014, @09:36PM
The browser perhaps. But that means they still have to get you to visit an exploit site. Or in Tor itself perhaps. That seems unlikely to say the least though unless it's through a library like openssl. They're still using an ancient version, which while not vulnerable to Heartbleed may be vulnerable to other exploits. But one would think that the NSA would have figured that out long ago, before Snowden came out.
(Score: 2) by Jeremiah Cornelius on Wednesday July 23 2014, @12:17AM
Alternate title for this story:
You're betting on the pantomime horse...
(Score: 2, Informative) by Anonymous Coward on Tuesday July 22 2014, @09:19PM
They use an ancient version of openssl:
0.9.8o-4squeeze15
Which has been a plus lately for avoiding a lot of exploits, but a recent openssl exploit targets this version and others. I hope they will upgrade the package but they probably won't.
##
Also, on an unrelated note, their network-manager version is ancient at version 0.8.1-6+squeeze2.