https://tails.net/news/version_6.11/index.en.html
https://gitlab.tails.boum.org/tails/tails/-/blob/master/debian/changelog
The vulnerabilities described below were identified during an external security audit by Radically Open Security and disclosed responsibly to our team. We are not aware of these attacks being used against Tails users until now. [Editor's Comment: I believe they mean 'up to now' or 'so far'.]
These vulnerabilities can only be exploited by a powerful attacker who has already exploited another vulnerability to take control of an application in Tails.
If you want to be extra careful and used Tails a lot since January 9 without upgrading, we recommend that you do a manual upgrade instead of an automatic upgrade.
Prevent an attacker from installing malicious software permanently. (#20701)
In Tails 6.10 or earlier, an attacker who has already taken control of an application in Tails could then exploit a vulnerability in Tails Upgrader to install a malicious upgrade and permanently take control of your Tails.
Doing a manual upgrade would erase such malicious software.
Prevent an attacker from monitoring online activity. (#20709 and #20702)
In Tails 6.10 or earlier, an attacker who has already taken control of an application in Tails could then exploit vulnerabilities in other applications that might lead to deanonymization or the monitoring of browsing activity:
In Onion Circuits, to get information about Tor circuits and close them.
In Unsafe Browser, to connect to the Internet without going through Tor.
In Tor Browser, to monitor your browsing activity.
In Tor Connection, to reconfigure or block your connection to the Tor network.
Prevent an attacker from changing the Persistent Storage settings. (#20710)
Also, Tails still doesn't FULLY randomize the MAC address; so much for anonymity.
(Score: 5, Insightful) by ikanreed on Friday January 31, @02:31PM (6 children)
When an open source package you really like releases, and you want to have a news story about it, you should include at least one sentence about what it is.
As an example:
"Tails is a portable Linux installation"
(Score: 5, Informative) by epitaxial on Friday January 31, @03:05PM (3 children)
The only reason for using Tails is to access the TOR network. Edward Snowden used it.
(Score: 5, Insightful) by Ox0000 on Friday January 31, @05:21PM (1 child)
Not quite... [wikipedia.org]
TAILS stands for "The Amnesic Incognito Live System". It's not just for routing all your traffic through the TOR network (unless you explicitly circumvent that), it's also about leaving no trail behind. There are legitimate cases of wanting to do a thing on a computer that does not leave any traces. When you pull the power, (by default) everything disappears because nothing is persisted (unless you're facing a well-resourced and well-prepared adversary that can successfully pull off a cold boot attack [wikipedia.org] - or you're using TAILS and then signing into a system that knows or can know your real identity but no-one would do that, right?).
Whistleblowers, human rights activists, and those designated enemies of the regime they live under have very legitimate use cases for a system such as TAILS.
(Score: 3, Informative) by epitaxial on Friday January 31, @06:03PM
And a dozen other distros all offer bootable live systems. None of them include TOR by default.
(Score: 3, Informative) by Ox0000 on Friday January 31, @05:43PM
"Edward Snowden used it" is a similar defense as "No-one ever got fired for buying {MSFT|IBM|Oracle}"... (they should have gotten fired, but that's a different discussion)
It's not a fail-safe system and "just using it" does nothing if you don't know what you're doing. You can still screw things up and undo those anonymity protections provided by TAILS at which point you're probably in deep trouble assuming you're using TAILS for a thing that can get you into trouble in your local jurisdiction.
You still have to know how to effectively wield the tool(s) you're using. Just using TAILS without changing the rest of your OpSec does nothing for you. Just using TAILS and thinking you'll be fine is a pipe-dream. Using TOR and still using it to sign into Facebook, Google, or any other account linked to your real world identity (or enabling enough fingerprinting of your activities so that that link can be made despite you not logging in), does nothing. In fact, it only makes things worse when you inevitably do get nabbed... because now you also have a charge of obstruction of justice or whatever...
So saying "Edward Snowden used it" with an implied insinuation of "and it's as simple as just doing that to be 'safe'" is misleading at best...
Signal is an app that I put in that category of deceptive applications: just using Signal does not secure anything. You have to change your modus operandi, change the way you do things. E2EE is meaningless if one of the ends is insecure, your phone is not secure. Those who think that "I'm moving this conversation to Signal" protects anything at all are ill-informed. (And then there's the thing where Signal still requires a hard-link to your actual real-world phone number, which means that everything is tied back to you).
(Score: 5, Informative) by janrinok on Friday January 31, @05:19PM (1 child)
Your comment is noted. Tails is probably as well known as Debian [debian.org] from which it is derived.
It tells you that it is Tails Linux [tails.net]. If you are a Tails user then you will know exactly what it is and, if you are not, I don't think that many will be concerned about a series of security fixes. Google, the Tails [tails.net] website, or Wikipedia [wikipedia.org] will tell you far more than we can ever do.
The submission was received this morning (my local time) and I processed it immediately because of its importance, despite being away from home sorting out a funeral, my brother's medical care, and moving my father-in-law into a care home in a different country. There is only so much I can do.
Some in our community use Tails ("The Amnesic Incognito Live System") as their primary security and anonymity software.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2) by ikanreed on Friday January 31, @08:10PM
Yeah, it's not that it's not news. It's that every open source release you hear about may be someone's first time with that particular item, so context establishes value to ignorant readers. And I'm not really trying to blame you as an editor, but more as a suggestion to our readership when submitting stories.
(Score: 3, Informative) by Freeman on Friday January 31, @02:52PM (1 child)
https://en.wikipedia.org/wiki/Tails_(operating_system) [wikipedia.org]
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Interesting) by Snospar on Friday January 31, @04:02PM
Couldn't this just mean the FBI used Facebook?
I have to assume they used both the zero day in the video player and a honeypot with a "special" video so they could back-trace the route across the TOR network. I can't think of a way of doing this without the compromise at both ends.
Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.