Recently, Exodus Intelligence, an online security company specializing in zero-day intelligence, publicly announced the discovery of a zero-day vulnerability in the Tails GNU/Linux live operating system. Tails (The Amnesic Incognito Live System) is a highly regarded system dedicated to fully anonymizing its users’ activities by channeling their traffic through the Tor anonymization network, and it can be booted from a portable media device such as a USB stick or DVD.
Besides Tor, Tails ships with many other programs, usually coupled with corresponding encryption tools, such as OTR for instant messaging, GnuPG for e-mail encryption, etc.
Exodus vows to publish a full report in a week. Meanwhile, it has notified Tails developers of the vulnerability beforehand. Given that the operating system has a notable user base, part of which may be particularly privacy sensitive, Exodus has refused to release the details until Tails developers fix the bug and give users a chance to upgrade to the patched version. “We think that this is the right process to responsibly disclose vulnerabilities, and we’re really looking forward to read this report,” Tails developers concede.
However, part of the security research community has been dissatisfied with the way Exodus presented the problem. The catch is that the zero-day is not really a bug in Tails. In fact, it is a vulnerability in a piece of software that is included in the Tails system but does not even run by default. The software is called I2P, and it works as a network layer that allows different software to communicate pseudonymously. Somewhat like Tor, it is a distributed network that lets users channel their traffic through multiple layers of encryption. The vulnerability found by Exodus Intelligence allows an attacker to deanonymize I2P users.
Given that Tails is one of the most highly regarded operating systems dedicated to users’ anonymity – a reputation that only grew after it emerged that whistleblower Edward Snowden used it to secure his communications – it is a strong misstatement by Exodus to claim that they have found a bug in Tails GNU/Linux, when in fact it is just a zero-day in one of its shipped programs.
The difference is that bugs of the latter type are found every day, and there is nothing in them that undermines the merits of the system itself. “You did not find a vulnerability in ‘Tails’. You found a vulnerability in I2P. Don’t be idiots”, tweeted Matthew Green, a notable cryptography engineer of Johns Hopkins University, addressing Exodus’s misstatement.
Hence, Exodus’s announcement contributes to a growing pool of sensationalist findings that one or another highly regarded security system is “broken” when most often those are just unavoidable glitches, given that no system can be made 100% unhackable.
- Silver Bullets and Fairy Tails, Exodus Intelligence Blog
- On 0days, exploits and disclosure, Tails website
- Matthew Green tweet