Tails, the OS of Snowden, has security vulnerability

When you need the level of security from surveillance or other threats that a figure like Edward Snowden does, you can’t trust Microsoft or Apple’s operating systems. Instead, the de facto choice for a secure operating system in recent times has been Tails, also known as The Amnesic Incognito Live System. This GNU/Linux-based operating system, famously used by Edward Snowden to communicate with Glenn Greenwald and other journalists before his famous leaks, has a security vulnerability.

That is according to Exodus Intelligence, a private, for-profit security firm. They announced their discovery in a tweet yesterday and are now working alongside the group behind Tails on a fix.

Usually, Exodus’s business is finding security holes in software and selling their findings to developers. However, they told The Verge that they will be disclosing this finding and working with the developers of Tails for free, due to the fact that Tails is a not-for-profit project (and there is some good free publicity here).

In the open-source community, it’s common practice to point out where security problems lie. The code is out there anyway, and by making problems public you can get everyone working towards a fix. That isn’t how Exodus and its customers tend to work, though, so for now the specifics of the vulnerability will be kept secret until a fix is put in.

At this point, as a matter of fact, the people behind Tails don’t even know what’s wrong. In a blog post, their annoyance from the way Exodus approached the situation was evident:

We were not contacted by Exodus Intel prior to their tweet. In fact, a more irritated version of this text was ready when we finally received an email from them. They informed us that they would provide us with a report within a week. We’re told they won’t disclose these vulnerabilities publicly before we have corrected it, and Tails users have had a chance to upgrade. We think that this is the right process to responsibly disclose vulnerabilities, and we’re really looking forward to read this report.

Clearly, they aren’t too happy with the way Exodus turned this security problem into a publicity opportunity. Nonetheless, it seems that all will end well.

The appeal of Tails has several aspects:

  • As a GNU/Linux project, the code is open for people to examine and the people behind it aren’t out for a profit. This leaves assurances that they have not been coerced to build hidden backdoors for governments or others to spy on its users. Those assurances don’t exist on Windows or Mac.
  • It is a “live” operating system. That means it does not have to be installed on a computer’s hard drive to function. Instead, you install it on a flash drive or disc and run it from those devices. You can take it from computer to computer without leaving a trace or bothering with setup.
  • As the name suggests, it is “amnesic.” That means none of the data created and/or downloaded during one use of the system is stored after shutting down a session. This comes at a cost to convenience, but reduces the risks if the flash drive is stolen.
  • Finally, all of the system’s software is geared towards privacy. You can only surf the web using Tor, for instance. It comes with messaging and email programs that are already equipped to use encryption protocols like PGP and OTR messaging.

The vulnerability, which supposedly could allow a hacker to run scripts on the system, could jeopardize all of those things. Once someone has access to your operating system, there are almost no privacy or security precautions that can protect you.

It isn’t incredibly easy to get that access and probably still requires something like being logged onto the same wi-fi network in the case of this vulnerability, but it surely has privacy advocates everywhere worried.