Google Play icon

Zero-day intelligence company issues false alarm regarding Tails GNU/Linux vulnerability

Posted July 24, 2014
Tails GNU/Linux is a known live-bootable operating system that is dedicated to preserving its users' anonymity and privacy. Image credit: Will Will via Flickr (CC BY-ND 2.0 licence)

Tails GNU/Linux is a known live-bootable operating system that is dedicated to preserving its users’ anonymity and privacy. Image credit: Will Will via Flickr (CC BY-ND 2.0 licence)

Recently, an online security company called Exodus Intelligence, specializing in zero-day intelligence, has publicly announced a discovery of a zero-day vulnerability in Tails GNU/Linux live operating system. Tails (The Amnesic Incognito Live System) is a highly regarded system dedicated to fully anonymizing its users’ activities by channeling their traffic via Tor anonymization network, and it can be booted from a portable media device such as a USB stick or DVD.

Besides Tor, Tails ships with many other programs, usually coupled with corresponding encryption tools, such as OTR for instant messaging, GnuPG for e-mail encryption, etc.

Exodus vows to publish a full report in a week. Meanwhile, it has notified Tails developers of the vulnerability beforehand. Given that the operating system has some notable user base, part of which may be particularly privacy sensitive, Exodus has refused to release the details until Tails developers fix the bug and give its users a chance to upgrade to the patched version. “We think that this is the right process to responsibly disclose vulnerabilities, and we’re really looking forward to read this report.”, Tails developers concede.

However, a part of the security research community has been dissatisfied by the way the problem was presented by Exodus. The catch is that the zero-day is not really a bug in Tails. In fact, it is a vulnerability in a piece of software included in the Tails system but which does not even run by default. The software is called I2P and it works as a network layer allowing different software to communicate pseudonymously. Somewhat like Tor, it is a distributed network, allowing users to channel their traffick via multiple layers of encryption. The vulnerability found by Exodus Intelligence allows an attacker to deanonymize I2P users.

Given that Tails is one of the most highly regarded operating systems dedicated to users’ anonymity – its status exacerbated after learning that whistleblower Edward Snowden used it to secure his communications – it is a strong misstatement by Exodus to claim that they have found a bug in Tails GNU/Linux, when in fact it is just a zero-day in one of its shipped programs.

The difference is that the latter type of bugs are being found every day and there is nothing in them that undermines the merits of the system itself. “You did not find a vulnerability in ‘Tails’. You found a vulnerability in I2P. Don’t be idiots”, tweeted Matthew Green, a notable cryptography engineer of John Hopkins University, addressing Exodus misstatement.

Hence, Exodus announcement contributes to a growing pool of sensationalist findings that one or another highly regarded security system is “broken” when most often those are just unavoidable glitches, given that no system can be made 100% unhackable.


Featured news from related categories:

Technology Org App
Google Play icon
87,553 science & technology articles

Most Popular Articles

  1. An 18 carat gold nugget made of plastic (January 13, 2020)
  2. Anti Solar Cells: A Photovoltaic Cell That Works at Night (February 3, 2020)
  3. Toyota Raize is a new cool compact SUV that we will not see in this part of the world (November 24, 2019)
  4. Nuclear waste could be recycled for diamond battery power (January 21, 2020)
  5. Physicist Proposes a Testable Theory Stating that Information has Mass and could Account for Universe s Dark Matter (January 24, 2020)

Follow us

Facebook   Twitter   Pinterest   Tumblr   RSS   Newsletter via Email