BitingBird • July 23, 2014 12:12 PM

Well, we don't know more for the time being, but we *do* look forward to reading the report :)

z • July 23, 2014 12:43 PM

I really wish the media would stop referring to TAILS as the world's most secure OS. TAILS makes a good effort to be secure, yes, but its focus is anonymity, not security.

Gary B • July 23, 2014 1:41 PM

My first, second and third thoughts when I read that the other day were: B.S., Liars, and The darn media is going to have a field day.

Rufo guerreschi • July 23, 2014 1:53 PM

We will never ever even reduce the zero-day market, but we can surely create much simpler, completely verifiable and extremely verified techs, whereby the likelihood of a zero-day could be so low that we can trust them.

QM • July 23, 2014 2:06 PM

"...booted over 11,000 times in May..."

That's an odd statement. What does that say, good or bad, about the OS? If this is a highly secure and anonymous OS, how would anyone know how many times it's booted? Perhaps "booted" is a tortured phrase. What else does that story torture?

Let me know if any facts self-identify, so I can greet them properly.

Gweihir • July 23, 2014 2:18 PM

Now that Exodus has agreed to supply the vulnerability to the Tails team, I predict it will be something trivial that does not work unless the user does something stupid, like leaving JavaScript enabled.

cryptopal • July 23, 2014 2:25 PM

Currently, the Tor browser bundle is broken, which affects your favorite OS. It isn't specific to the Gnome2 and Linux environment. Currently, they are working on a fix before this vulnerability information is released.

cryptopal • July 23, 2014 2:31 PM

Even Kali Linux was updated yesterday. It is about TOR. It is more about being able to ID you in the network. My suggestion is to turn off JavaScript, if you can, if you are using TOR. Good luck Bruce and keep on championing the security news.

CallMeLateForSupper • July 23, 2014 2:35 PM

"That's an odd statement. What does that say, good or bad, about the OS?"

The statement means exactly what it seems to mean: a significant number of individuals used it during the stated period. Period.

"If this is a highly secure and anonymous OS, how would anyone know how many times it's booted?"

Simple. Among other actions, Tor "calls home" to download the current list of Tor relays (servers).

"Perhaps "booted" is a tortured phrase."


CallMeLateForSupper • July 23, 2014 2:46 PM

This comes at a bad time. Announcement of a new Tails version, 1.1, followed my booting Tails today, and v1.1 contains fixes that everyone should want. I run from DVD, so cannot upgrade; I must d/l the 800-900MB image ... through a 1Mbit pipe. :-(

65535 • July 23, 2014 4:18 PM

“It is about TOR. It is more about able to id you in the network. My suggestion is turn off javascript if you can if you are using TOR.” – cryptopal

That could be the attack vector.

“Simple. Among other actions, Tor "calls home" to download the current list of Tor relays (servers).” – CallMeLateForSupper


“I run from DVD, so cannot upgrade; I must d/l the 800-900MB image” – CallMeLateForSupper

I agree, that could be the method of identifying Tails - unless certain API calls can ID it - or it has a distinctive signature/fingerprint. It's just a bit too big for a CD and uses a fourth of a DVD :(

In any event my XKeyscore just went up. I visited the tails blog only to find the exploit is supposedly still there [it has not been fully disclosed].

dukc • July 23, 2014 4:47 PM

Interesting. It's an i2P vulnerability. The exploit test site, , under certain circumstances returns a different IP when i2p is running, but it's not the right one. Either they're pulling their punches in the demo, or the vulnerability is sensitive to Tails/i2p and not to i2p otherwise configured.

Gerard van Vooren • July 23, 2014 4:59 PM

@ Maxuint16

"It's about TOR"

The biggest problem I have with TOR is that it is a "bundle". It comes with Firefox and some control software.

In the past it turned out that Firefox was outdated with some versions of TOR. So the browser became the attack vector.

And that is my problem. The browser. It contains a zillion libs. (AFAIK FF has approx 130 libs). Of course this can be sandboxed with something like selinux, but still the attack vector is massive.

If the internet wasn't this ridiculously complex it would be a lot simpler. There is just too much.

dukc • July 23, 2014 5:00 PM

Ah. I see. So iff you start Tor in Tails and iff you run i2p through the same browser as https (which tails does, which everybody does now and then, and which was understood to be unwise ever since the early days of FREENET) then maybe the exploit can get you.

Anura • July 23, 2014 5:56 PM

@Gerard van Vooren

While I agree Tails could be trimmed down, there's nothing you can do about the outdated software, other than downloading new software upon boot, which is not only slow but then you have a second problem of the updates being the attack vector (it's not unrealistic to get the OS in a way that is resistant to *targeted* subversion).

So the question is, outdated software or solve the problem of getting updates through a channel resistant to subversion that requires you to update upon boot (meaning that you are still SOL if the update component has a flaw). By limiting the packages to the minimum necessary for browsing, it's conceivable that the boot time wouldn't be too unwieldy, but the problem of getting secure updates in the face of an organization like the NSA is extremely difficult to solve.

youmightbewrong • July 23, 2014 6:17 PM

Tails is a Linux distribution based on Debian. It is built on Debian packages.

dukc • July 23, 2014 6:30 PM

@youmight, Exodus Intel say so. They also said that the recent upgrade did not affect the vulnerability. Gweihir is right, it doesn't seem to work right without JavaScript enabled. It also doesn't work unless you run i2p, and nontechnical users like NGOs or journalists might be less apt to take that extra step. Bet it's specific to Tails' Iceweasel or proxy setup.

dukc • July 23, 2014 7:11 PM

Let's hope they don't throw out the i2p baby with the bathwater because i2p greatly complicates the much-hyped threat of de-anonymization by traffic analysis. It also gives you two of the most user-friendly implementations of end-to-end email encryption.

youmight • July 23, 2014 7:13 PM

Many Tails packages are straight from Debian. I haven't seen anything from Debian that will cause these problems. It has to be Tor related or b.s. to get funding.

Thoth • July 23, 2014 9:35 PM

In regard to possible JavaScript and browser-based vulnerabilities in browsers (Tor bundle or not), the good old days of non-fanciful HTML with as little interactivity as possible (CGI/PHP/server-based scripting), with no JavaScript and no cookies, would be best to reduce the attack surface area. Form processing should have both a secure information processing component and a normal information processing component, decoupled from each other to prevent insecure logic from hijacking secure logic.

More extensive open research and testing of Tor should be implemented. Some kind of special access, in return for an open and honest research license, could be used to prevent people from trying to hide facts that are discovered.

Gweihir • July 23, 2014 11:11 PM


I completely agree. The current mess is solely a result of the work of incompetent engineers that have probably never heard of KISS or never understood it. Ironically, KISS is what created the web in the first place. On a more meta-level, this reaction to throw more code at a problem instead of simplifying things is widespread and a sure sign that people have no clue what they are doing. Fortunately, you can still access most of the web with the JavaScript abomination turned off, and I hope it will stay that way.

If not, Tor probably needs to go the way of some sandboxing, where absolutely everything in the browser, including basic graphics libraries, comes with the bundle and is the same over all instances.

Thoth • July 23, 2014 11:47 PM

Some elements in HTML that should have replaced Javascript:
- Login form element. All elements in the login form would be protected with the highest security level (includes sandboxing) that the browser can afford.
- Calendar picking. Javascript used to generate calendar picking toolkits to prevent remote execution.

Those who are good at security and web design can help to populate these elements that should be used to replace Javascript.

Wael • July 24, 2014 2:25 AM

@ Gweihir, @Thoth

"The current mess is solely a result of the work of incompetent engineers that have probably never heard of KISS or never understood it."

Unfortunately, there is a lot of truth to your statement. It seems "complexity" has its charm for some. The more complex a system is, the "smarter" the designer is perceived. They think KISS (Keep It Simple Silly or Stupid) is for the "silly". KICB is a better approach (Keep It Complex, Brilliant.)

Peter Boughton • July 24, 2014 8:47 AM


Whilst I have encountered a few programmers that deliberately aim for complexity, (for various reasons, not just misguided ego), that is relatively uncommon compared to what seems to far more often be a case of ignorance or incompetence - not comprehending what "simple" actually means.

As Larkin says, a major problem is that KISS is a matter of perspective, so that attempting to follow the principle merely involves moving complexity to other places. Those places may or may not be objectively better places, if such a measurement is even possible.

I was going to explain with an example; if I did so, would this response still be "simple"? ;)

Incredulous • July 24, 2014 9:41 AM


Tor Browser and Tails usually display a Tor confirmation screen that lets you know that you are successfully anonymized. Tails probably counts how many times their screen is accessed for their boot count. It's anonymized and it is nice to receive confirmation that you are proxied. I don't see a problem.

@ Tails and Tor Grousers

Tails/Tor do not claim to be perfect. They prominently display their log of security fixes so one has to be an idiot to assume that the current version is 100% secure. They issue updates continuously.

Tails is a stripped down OS. You shouldn't install any more programs or plugins, or at least be very careful when you do, or you are asking for trouble. It should run from DVD so no persistent threats can be installed. It locks out your local drives unless you take special steps to give yourself more authority on boot.

Tails and Tor do a great job building software. Their sites educate users how to use them for maximum privacy but also warn about their limitations.

It is easy and grossly unfair to call Tor/Tails engineers incompetent. From all indication they are in fact top notch.

Let's see you do better.

Clive Robinson • July 24, 2014 11:12 AM

@ Incredulous,


"Tails and Tor do a great job building software. Their sites educate users how to use them for maximum privacy but also warn about their limitations."

That might be true, but it is still a problem: it's a rare user who reads all the documentation, and rarer still the user who can see the implications beyond the warnings of limitations.

Is this the TAILS developers' fault? Well, yes and no. TAILS is based on a number of components that it feels users want and need; these components are in many cases too complex to be considered even remotely safe from zero-day and other attacks. Arguably they should have used less complex components, however in some cases that would be difficult and in others not what users want.

This is a modern example of the ages old problems of "Security -v- Usability" and the less known "Security -v- Efficiency".

Thus what TAILS should do --albeit totally impracticable-- is to "roll their own" from scratch limited functionality components.

Further they should not use Tor; the warnings about its usage and Internet Choke Points have been known public information for a very long time. Further, Tor's other Traffic Analysis issues should have been well known to the designers since before it was suggested as a project. This is because the armed forces who spawned it have used channel stuffing and full end to end encryption and other Traffic Analysis confounding technology since at least the early 1950's... and might be the reason some have suggested it is "another NSA stitch-up".

However, the excuses for Tor not fixing these issues are aging faster than my beard and I suspect that the Tor developers will fairly soon find that others will take the issue from them in similar ways to that of OpenSSL, and hopefully also clear out much historic cruft.

That said the question needs to be asked "If not TAILS then who/what else?", and this is difficult to answer. Like the old joke of the newlyweds asking an old farmer leaning on a gate for directions, the answer after due consideration is "If I were you I'd not start from here".

I, like one or two others, have my own solutions to the anonymity and privacy issues, but for various reasons they would not be popular. One reason being store and forward with long latency is one feature that makes interactive use infeasible for the majority of TAILS and Tor users.

eep • July 24, 2014 11:15 AM

i2p say, "Reported vuln. is JS+XSS. Noscript or disabling JS should prevent. [it does] Continuing investigation."

Raises the question whether the exploit extracts information from the i2p console.

Wael • July 24, 2014 1:05 PM

@Peter Boughton,

"that is relatively uncommon compared to what seems to far more often be a case of ignorance or incompetence - not comprehending what "simple" actually means."
Perhaps that's a more common occurrence.

"As Larkin says, a major problem is that KISS is a matter of perspective"
Only when the design is not reviewed and vetted in the early stages. Still, all the "reviewers" can be passive, or otherwise impressed by the "complexity"...

"I was going to explain with an example; if I did so, would this response still be "simple"? ;)"
That's a function of how complex your example is, and how efficient it projects your point. I still would like to see one. In the meantime, I'll share an example I witnessed in real life a while back, some 15 years ago. I was reviewing some senior developer's java code (one on one session with him). I came across something like this:

x = y + 4;
x = x - 2;

I told him why aren’t you doing this instead?

x = y + 2;

He said: "You can do that?" I told him why don't we give it a try and see if it works. There is certainly this type of complexity and it's based on "ignorance." or absent-mindedness.

Another time at the same place, with another more competent developer, I saw this C++ code snippet, but I'll share it as pseudo code:

if file is not there {
    create file("test.txt")
}

I told him, you can simply use one API called OpenCreate. It will do the same thing you are trying to accomplish. This sort of complexity side effect is also common.

The complexity we are talking about here is the "layering" of components and tiers. And this is an architectural complexity -- not a "coding" complexity. This is also common for whatever reason...

At any rate, those who violate the KISS principle usually suffer from Averse Systematic Syndrome, and can ____ __ ___

The blanks are filled with:
Said principle, followed by the first (or second, if you so wish) person possessive adjective, followed by this "syndrome" acronym. That's a complex way of saying what I want, but the complexity is needed for "forum Etiquette" :)

AnonymousBloke • July 24, 2014 1:13 PM


I hope you did not get that nick from the Matrix. ;-)

Security bugs happen. If there are no security bugs found, then people should be concerned.

Leon Wolfeson • July 24, 2014 1:18 PM

@Thoth - that just makes it harder to block with e.g. NoScript, as the nasties can now execute in HTML.

QM • July 24, 2014 1:50 PM

@CallMeLateForSupper, @Incredulous, my points were:

(1) "booted" is the wrong term, perhaps "launched". So why would a tech site get that wrong, with an audience of pedantic OCDs?

(2) Why would an anonymising site keep track of OS, and then provide that information to anyone else? Sure, internal stats, looking for problems, I understand. But saying "Hey, 80% of our users are running CheeriOS, so you black hats go figure out how to get to them, and you can make us irrelevant."

(3) Counting sessions initiated per day gives little other than a yardstick for comparison with yesterday and tomorrow. Some sessions will run for hours, days, or weeks; others for a few seconds. Tails and TOR may need to keep on top of this, but it doesn't tell us how many users or endpoints there are. This is a relative metric, and means nothing by itself. So why tell us "11,000 boots per day in May", without any comparison? Because it's a number, masquerading as a fact, and it looks great when there are so few facts in the story.

Incredulous • July 24, 2014 4:40 PM

@Clive, @QM, et al

I really don't understand the animus against Tor/Tails. As far as I know there is no perfect solution available. Why rail against the people that can deliver the best privacy that is easily usable by any reasonably intelligent person?

Tor/Tails is far better than nothing. Encryption is far safer than no encryption. If you can write better software, please do so. But all this Monday morning quarterbacking just discourages programmers from trying to build privacy tools and discourages users from using the best options that are feasible for them.

Although I am not accusing you personally, it sounds like a disinformation operation against what -- from all we can tell -- remains a powerful tool against NSA spying. Tor needs more users to increase anonymity, not fewer. It is much faster than it used to be. It can be used for non-sensitive browsing just to throw more dust in the air.

The tor proxy system can be installed separately from the browser, and separately from Tails, albeit with a good deal more effort and knowledge.

And, as was mentioned, Tails also includes i2p, a powerful alternate anonymizing system with some great services and sites.

Why do we have more people here criticising the efforts of people who are DOING their best with limited resources in favor of pipe-dream alternatives that nobody actually builds?

Figureitout • July 24, 2014 8:35 PM

"It is easy and grossly unfair to call Tor/Tails engineers incompetent. From all indication they are in fact top notch.

Let's see you do better."
--Couldn't agree more. On my own, my solution would be so feature-less most everyone wouldn't even use it, much less know how to. And I'm not even close to touching any internet protocols w/ my attempts at secure devices. I myself wouldn't really like it if I was stuck to just it b/c I like having my one (or two...or three...) "internet_I_give_no_f*cks_about" computers. Everyone needs at least one computer to search what ends up eventually being a google search to get things done so much faster. You literally can't live w/o the internet today, you can't even physically avoid much anymore as IP cameras stream your face for some random creeper to look at. Aside from the target on TAILS now, it's arguably one of the most secure "easiest" way to connect on the internet so long as you isolate its use.

How do you defeat an NSL on your service provider to route all your traffic thru another filter before it touches the real web? The only way is to have like 10 laptops and couch-crashing everywhere...or commit some kind of crime or evil act. I personally like to "have my ducks in a row" and not move everything all the time, it jumbles my mind. So I'm essentially f*cked from the start.

No one's put up a better solution b/c they CAN'T do it as it requires so much planning, money, talent, OPSEC, and vetting that the project turns into a paranoid mess.

Thoth • July 24, 2014 8:46 PM

It is not a Matrix name. :)

@Leon Wolfeson
My original post did mention a segregation of secure and insecure logic execution compartments. Usually a software/hardware/hybrid TPM with careful code design should do the trick, but how careful? Who knows...

The most common activity people do online besides browsing webpages is authentication of credentials, and if you leave it to HTML/JavaScript you have to have the web designer and the browser vendors involved. If you shift it to a secure execution engine sandbox within a browser via native HTML, you have only the browser maker involved. That means browsers need to prevent different execution threads from interrupting or hijacking each other, and have some form of isolation and code security. It is much better if security development is made secure and easy out of the box than to leave web developers without sufficient security knowledge to handle secure logic.

AnonymousBloke • July 24, 2014 11:13 PM

"It is not a Matrix name. :)"

Well -- fuck friend. I am sorry! I have to admit as far as dipshits go in the security industry, I, sir, am the most dipshit-ed-ness of them all!

Probably why I do definitely not trust my self with anything social media wise BUT linkedin!

I was just sitting here talking to one of my buddies there: he was part of some infrastructure company, got APT'd, and BOOM, finds his self working with Mandiant! Well, heck, gee whiz, I have smoked pot with Jamie Butler.


IMNSHO, having worked so deeply with companies like End Games Systems (where maybe I worked for some years or not)... ***any*** company is liable to have some security bugs about it.

Well. I suppose that is all I have to say about things like this, allowing far smarter people than my own self to handle the details.

AnonymousBloke • July 24, 2014 11:14 PM

Holllee shit. Sorry, there meant, @Thoth, or some shit. That Egyptian god dude, anyway. Sorry!


Thoth • July 25, 2014 1:26 AM

Egyptian god dude :).

No worries.

Do not trust social networks - they love to harvest data. Few ever listen until bitten, and by then it's too late... really too late. Social media scrubbing software and tools are a glimmer of fading hope that do not always deliver.

Tails + Social Media = No Tails. Simple.

Herman • July 25, 2014 2:27 AM

BTW, the TOR or Tails systems can be easily used with ANY browser. Just look in the settings of the default browser to find the listening port of the proxy server to configure a different browser.

Gweihir • July 25, 2014 7:21 AM


Just to prevent/clear up a possible misunderstanding: I did not call the Tor/Tails folks incompetent (they decidedly are not), I attributed that fine distinction to the people that "advance" and standardize web technology.

sociallyInept • July 25, 2014 9:11 AM

LinkedIn, like all other "social networks", sells your information and activity to intelligence services and companies, some that contract to intelligence like my own. You'd be amazed at what we collect about people on a regular basis. We know more about most of you than you know about yourselves.

Winter • July 25, 2014 10:14 AM

Tonika has an interesting approach to anonymity in peer-to-peer networks (there is a link to an arxiv writeup).

Here is an interview with the developer Petar Maymounkov on Floss Weekly

AFAIU, he tries to order the p2p network on local trust. Every node only communicates with nodes of "friends" it trusts. Communication is fragmented, packets will follow different routes. Everything is encrypted and each node will route a lot of unconnected traffic (TOR style?).

He believes that such a network is robust as long as honest people outnumber cheaters by some margin. Also, it is difficult for powerful parties to add false nodes because each node will have to get someone to trust them.

mzet • July 25, 2014 10:44 AM


"Simple. Among other actions, Tor "calls home" to download the current list of Tor relays (servers)."

Please be specific, what "calls home" Tor or TailsOS?

If Tor how did they distinguish between Tails users and all other Tor users?

If Tails, isn't it dangerous? Doesn't it help a powerful actor that monitors a large part of the Internet with de-anonymization? Observing that the "calling home" was made from a specific part of the world (let's say City A) and correlating it with the list of people that downloaded TailsOS from that city (we know that the same powerful actor collects such information) gives, I guess, a not very long list of people ...

Penny Pincher • July 25, 2014 9:39 PM

I could never get the checksum of Tails to check out. I'm a n00b so I'm not sure what I was doing wrong. And that was from the Tails official website. Perhaps some of you could download it and checksum it and see what you find.

Incredulous • July 26, 2014 5:31 PM


Tor does not claim to hide its usage. ISPs can tell you are using Tor, as can the NSA or anyone else who can sniff the backbone. Tor does have options to obfuscate usage in unfavorable political climates through unlisted bridges. A VPN could hide your actual location. But hiding usage is not the core aim of Tor.

What Tor does is hide which website you are connecting to, assuming that you are using Tor correctly and your opponent doesn't control a lot of Tor network nodes.

The more people that use Tor the more anonymous it is. That is why it is good for the Tor network to use it even when you are accessing non-sensitive websites. It makes the "haystack" bigger and therefore it is harder to find specific "needles".

I suspect that the Tor Browser/Tails usage counts come from the different verification pages that they display when the Tor router is initialized in each system, not from the relay initialization.

Ingrid Schubert • July 26, 2014 8:55 PM

The potential attack is being mitigated now. i2p is building in the cross-site scripting protection that's available but optional in Tails.

XSSFilter patch from str4d:
XSSFilter and XSSRequestWrapper were from
No provided license, but it is clearly intended for public consumption.
But most of it is boilerplate provided by the Servlet Filter system.
In fact, now that I have stripped out his JS-specific patterns and replaced it with the whitelist,
it is effectively identical to what I would have written from scratch.

- Fix several XSS issues (thx Aaron Portnoy of Exodus Intel)
- Add Content-Security-Policy and X-XSS-Protection headers
- Disable changing news feed URL from UI
- Disable plugin install from UI
- Disable setting unsigned update URL from UI
- Disable /configadvanced
* DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit)
* ExecNamingService: Disable (thx joernchen of Phenoelit)
* Startup: Add susimail.config to migrated files"

As usual, you would have to be more or less unlucky to get snagged by an exploit of this sort. You almost get snagged all the time, but you don't, because you're not quite standard: you patched in grsecurity or you fooled with your permissions or you put in an oddball apparmor profile on a whim. TAO can get you sooner or later but you're never quite worth their time because they're spread too thin, there are always too many enemies to fight, more and more all the time.
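The mitigation described above (replacing JavaScript-specific blacklist patterns with a whitelist of allowed parameter values, plus Content-Security-Policy and X-XSS-Protection headers), as an added Python sketch that is not i2p's Java servlet code; the parameter names, patterns and header values are assumptions chosen for illustration.

```python
import html
import re

# Added example (not i2p project code). Whitelist: each console parameter gets a
# pattern describing every value it may legitimately take. Parameter names and
# patterns are assumed for illustration.
PARAM_WHITELIST = {
    "nonce":  re.compile(r"\A[0-9]{1,20}\Z"),              # numeric form nonce
    "action": re.compile(r"\A[A-Za-z][A-Za-z ]{0,39}\Z"),  # button label
    "nick":   re.compile(r"\A[A-Za-z0-9_.-]{1,32}\Z"),     # short identifier
}

# Headers named in the changelog: CSP forbids inline and remote script, so a
# string that does reach the page cannot execute; X-XSS-Protection asks older
# browsers to block reflected script they detect. Values are assumed.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
}


def filter_params(params):
    """Return (accepted, rejected).

    accepted keeps only values matching their whitelist pattern; rejected
    lists unknown parameter names and values that failed. Unknown names are
    refused outright, which is what makes this a whitelist rather than a
    list of known-bad JavaScript fragments.
    """
    accepted, rejected = {}, []
    for name, value in params.items():
        pattern = PARAM_WHITELIST.get(name)
        if pattern is None or not pattern.match(value):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected


def render_greeting(nick):
    """Output encoding is the second layer: even an accepted value is escaped
    before it is placed into HTML."""
    return "<p>Hello, %s</p>" % html.escape(nick, quote=True)


def handle_request(params):
    """Simulate one console request: filter, then render or refuse.
    Returns (status, headers, body)."""
    accepted, rejected = filter_params(params)
    headers = dict(SECURITY_HEADERS)
    if rejected:
        return 400, headers, "Rejected parameters: " + ", ".join(sorted(rejected))
    return 200, headers, render_greeting(accepted.get("nick", "anonymous"))


if __name__ == "__main__":
    # Constructed sample requests: one clean, one carrying markup in a field
    # that may only contain identifier characters.
    good = {"nonce": "1234567", "action": "Save", "nick": "alice_01"}
    bad = {"nonce": "1234567", "action": "Save", "nick": "<b>alice</b>"}
    for req in (good, bad):
        print(handle_request(req))
```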

Jennifer • July 27, 2014 3:26 PM

Did they upgrade OpenSSL yet?

According to this, there's an exploit[1] against the version included with TAILS 1.0.1. What version does TAILS 1.1 use?

[1] version 0.9.8o-4squeeze15

Scott "SFITCS" Ferguson • July 29, 2014 7:48 AM


"Did they upgrade OpenSSL yet?

According to this, there's an exploit[1] against the version included with TAILS 1.0.1. What version does TAILS 1.1 use?

[1] version 0.9.8o-4squeeze15"

Easily fixed:-
Add the Squeeze Long-term Support repository and update the package to one that has been fixed:-

# echo "deb squeeze-lts main contrib non-free" >> /etc/apt/sources.list

# apt-get update && apt-get upgrade

$ dpkg -l openssl
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
ii openssl 0.9.8o-4squeeze16 Secure Socket Layer (SSL) binary and related cryptograph
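An added check for the verification step above, not from the thread: parse the `dpkg -l` line and compare the installed openssl version with the fixed revision using Debian's version ordering (re-implemented here; assumed to agree with dpkg --compare-versions for strings like these). FIXED_VERSION is the version shown in the dpkg output above.

```python
import re

# Added example. The fixed revision is taken from the dpkg -l line quoted above.
FIXED_VERSION = "0.9.8o-4squeeze16"


def _char_order(c):
    # dpkg ordering for non-digit runs: '~' sorts before even end-of-string
    # (so 1.0~rc1 < 1.0), letters sort before punctuation.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ca = _char_order(a[i]) if i < len(a) else 0   # 0 = end of string
        cb = _char_order(b[i]) if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0


def _cmp_fragment(a, b):
    # Alternate non-digit and digit runs; digit runs compare numerically,
    # which is why "squeeze16" is newer than "squeeze15".
    while a or b:
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(ra, rb)
        if r:
            return r
        a, b = a[len(ra):], b[len(rb):]
        ra, rb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        na, nb = int(ra or "0"), int(rb or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(ra):], b[len(rb):]
    return 0


def _split(version):
    # [epoch:]upstream[-debian_revision]
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def installed_version(dpkg_output, package):
    """Pick the version out of `dpkg -l` output; None unless status is 'ii'."""
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii" and fields[1] == package:
            return fields[2]
    return None


def is_fixed(dpkg_output, package="openssl", fixed=FIXED_VERSION):
    ver = installed_version(dpkg_output, package)
    return ver is not None and compare_versions(ver, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample line in the format of the dpkg -l output above.
    sample = "ii  openssl  0.9.8o-4squeeze15  Secure Socket Layer (SSL) binary\n"
    print("openssl fixed:", is_fixed(sample))
```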

Winter • July 29, 2014 12:12 PM

The developer just gave a lengthy interview on Floss Weekly. See (listen to) the link I posted.

command • July 30, 2014 11:29 PM

What Tails developers need to do is dump Debian and use hardened Gentoo. Here is a thought experiment. Let's create malware that goes around and turns computers into tor exit nodes/relays. That should make it harder for governments to track us, right?
