The developers of the TAILS operating system are poised to release a new version of the software, which is designed to preserve privacy and anonymity, and it includes several security fixes. However, there are several other security issues that aren’t patched in the new release: vulnerabilities identified by researchers at Exodus Intelligence, who have not disclosed the bugs to the TAILS developers yet.
TAILS is billed as an operating system specifically designed for users who want to browse the Web anonymously and privately. The OS uses the Tor network for anonymous browsing and can be booted from a USB drive, a CD or even a removable memory card. The software’s most-famous user and advocate is Edward Snowden, and others in the privacy community have recommended it as a good option for users worried about online surveillance.
The vulnerabilities that Exodus Intelligence researchers discovered in TAILS can be used for remote code execution and for stripping away the anonymity of a targeted user. Exodus is a research firm that specializes in finding critical security flaws in high-impact software. It sells the vulnerability details to private clients. The company buys vulnerability information from external researchers but also has its own research team that finds vulnerabilities.
Exodus officials said on Monday that the company had identified multiple vulnerabilities in TAILS and that the flaws were still present in the newest version, 1.1.
“We’re happy to see that TAILS 1.1 is being released tomorrow. Our multiple RCE/de-anonymization zero-days are still effective,” Exodus Intelligence said in a tweet posted on Monday.
The tweet caused a stir in the security community, with some wondering why Exodus hadn’t reported the bugs to the TAILS team, especially given the sensitive nature of the software’s use. Aaron Portnoy, co-founder and vice president of Exodus, said that his team plans to disclose the flaws to the TAILS developers soon.
“We will be reporting the flaws to the Tails development team in the very near future. We’re planning to push a blog post about the issues in the next couple of days, including a video of the exploit in action. Our main goal with the tweet was to bring attention to the fact that no software is infallible and those seeking anonymity should not blindly trust a software recommendation (even if it is from Snowden),” Portnoy said via email.
He also said that there are some misconceptions in the security community about the way that the company is handling the situation.
“One claim I’d like to address now is that there seems to be a misunderstanding driven by uninformed individuals that we are somehow extorting the Tails team for cash. Such claims are entirely unfounded; we will be reporting the issue free of charge to the Tails team. Any insinuation that we are asking them to provide remuneration is false,” Portnoy said.
“These unfortunate claims are due to the fact that people like Chris Soghoian enjoy perpetuating the myth that we work against the interests of the community, while completely ignoring the fact that we work very closely with many defensive vendors to reduce the impact of threats we discover.”
Soghoian, a privacy advocate and principal technologist at the ACLU, is a vocal critic of the sale of zero-day vulnerabilities and posted a couple of messages on Twitter Monday critical of Exodus’s business model.
“Looks like Exodus Intel is looking for a piece of the law enforcement Tor/Tails malware-delivery market,” Soghoian said in one message.
In an interview, Soghoian said that he has no problems with Exodus and others conducting research on software such as TAILS, only with the policy of selling the vulnerability details before disclosing them to the developers.
“I haven’t alleged that this is a shakedown of the TAILS project. My criticism is that they haven’t told the TAILS project about this but are actively advertising it to their customers,” he said. “I’m not saying don’t do this research. We all want this software to be more secure, but this business of giving customers a head start is inexcusable. Disclosing the vulnerabilities after the new version comes out is not an accident.
“These guys are morally accountable for what their clients do with this information.”