Re: [Tails-dev] Tails Safety

Delete this message

Reply to this message
Author: David A. Wheeler
Date:  
To: stopcensorship5, The Tails public development discussion list
Subject: Re: [Tails-dev] Tails Safety


> On Aug 29, 2022, at 7:05 AM, stopcensorship5 via Tails-dev <tails-dev@???> wrote:
>
> Hi there
>
> I am writing to find out if tails is a safe platiform to use for political activists or dissidents? I am not an expert on the Tails system itself but I did some research and came accross an article that said Tails was compromised by Facebook by exploiting a vulnerability in the video player in Tails which was used to expose users of the system. Has Tails patched that vulnerability/exploit and is the system safe to use now or can governments use the same or similar exploit to that of Facebook to find out the identity of Tails users?
> Best regards.
>
> Link:
> https://www.vice.com/en/article/dyz3jy/privacy-focused-os-tails-wants-to-know-how-facebook-and-the-fbi-hacked-it


The "best evidence publicly available" says that this vulnerability has been fixed, though it sure would be good to have more info.

Here are some other articles about this:
https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez
https://www.schneier.com/blog/archives/2020/06/facebook_helped.html
https://www.reddit.com/r/tails/comments/nltcik/tailsfacebookvideo_exploit/

According to the Reddit stream, a Tails spokesman (who?) said:
“The only way for Tails to be sure that every single aspect of the zero-day is indeed fixed already is to learn about the full details of the zero-day,” a Tails spokesperson said in an email, arguing that it’s possible that the flaw relied on a chain of other flaws that may still be partially unpatched. “Without these full details, we cannot have a strong guarantee that our current users are 100 percent safe from this zero-day as of today.”

That said, it appears that it's been fixed. According to a Facebook employee in <https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez>:
"One of the former Facebook employees who worked on this project said the plan was to eventually report the zero-day flaw to Tails, but they realized there was no need to because the code was naturally patched out."

Tails developers have been taking steps to harden the software in general. The goal is to turn software vulnerabilities into crashes instead of exploitable events. I would encourage more of that, as that's the better long-term plan. In addition, there are other organizations (esp. OpenSSF) would are working to eliminate whole categories of vulnerabilities in certain cases, e.g., by rewriting some vulnerable code in memory-unsafe languages into memory-safe languages (to eliminate whole categories of vulnerabilities).

--- David A. Wheeler