back to article Tails-hacking Exodus: Here's video proof of our code-injection attack

Exodus Intelligence has revealed what it claims is video evidence of researchers unmasking an anonymous user of the Tails operating system. The security bods claim they can upload malicious code to a system running Tails, execute the payload remotely, and ultimately discover the victim's public IP address. Tails is a fork of …

  1. fearnothing

    "We hope to break the mold of unconditional trust in a platform. Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security,"

    That's absurd. Users don't have time to learn the kind of in-depth computing knowledge required to understand security properly, that's why we have security professionals. If your builder or estate agent put in the time required to learn that degree of detail, you wouldn't have a car or a house.

  2. Johnny Canuck

    Hmm

    TAILS just released an updated version yesterday with the advice "All users must upgrade as soon as possible - this release fixes numerous security issues."

    So maybe not an issue anymore.

  3. Gotno iShit Wantno iShit

    Why?

    I'm struggling to understand Exodus' motivation in this. The flaw they have identified seems like exactly the kind that to them is saleable product. Surely their customers would be foaming at the mouth to get hold of this and would pay handsomely for it? Why render that product valueless?

    Perhaps Exodus already have other better attacks? In that scenario I'm still struggling with why Exodus are highlighting that I2P is vulnerable. Forget any 'good of the community' argument, it doesn't wash given their business model.

    Could it be that Exodus do have a much better attack, one that is so good they are asking a kings ransom for it and their customers won't pay up? An attack so good that the customers see it as too good to be true? Exodus are therefore trying to improve the credibility of their expensive attack by publicly demonstrating their skill in attacking I2P?

    Ah hell, I seem to have drifted into tinfoil hat territory.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Why?

      I'd imagine a Tor/I2P vulnerability is worth a fair amount of cash from governments wanting to trace and spy on users. These companies selling vulns have no morals (they know the vulns are used by govts to identify, spy on and sometimes to kill people), so I'd presume they have more Tor/I2P vulns for sale and are using this for publicity in order to boost their brand/sales.

    3. Matt Bryant Silver badge
      Facepalm

      Re: Gotno Re: Why?

      "I'm struggling to understand Exodus' motivation in this....." Marketing. I suspect the hole was actually not that hard to find or fix, offering limited potential for profit, but the publicity, whilst hard to quantify, is very good for future profitability. They win friends in the tinfoil-attired community by 'protecting' a product their 'heroes' have told them is 'good', and at the same time get inches on technical websites where real businesses (with money to spend on security consultancy) may see it. Had you even heard of Exodus before this article?

    4. Anonymous Coward
      Anonymous Coward

      Re: Why?

      Most likely their customers don't need to buy their latest hack because this one already exists. So they will get this one fixed and then all their customers will need to buy the new undisclosed one to maintain their current capabilities.

  4. Steve Graham

    Exodus: Hey, NSA, we've got a great new Tails vuln to sell!

    NSA: Nah, sorry guys, we've already got it.

    Exodus: Hey, Press, our morally upstanding company is helping users!

    1. h4rm0ny

      followed two months later by:

      Exodus: Hey, NSA. We heard that Tails vuln you were depending got found and fixed. Would you like to buy this other one we have?

  5. Old Handle
    Stop

    So it's a bug in I2P but...

    They claim it works on the on a default install with no configuration changes, but as of the last time I used Tails (admittedly several versions back) it didn't even start I2P automatically. I guess it's strictly true that launching a program is not a "configuration change", but if that's their game, it's more than a little dishonest to call this a vulnerability in Tails.

    It's possible Tails has changed since I used it, or maybe there's some hook left for I2P that makes this attack work even when the main program isn't running, but I doubt it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like