Software flaw may have exposed whistleblower identities


The anonymity of whistleblowers who disclosed secrets online to news or nonprofit organizations may have been compromised. Forbes reports that Exodus Intelligence claims to have discovered “critical unpatched flaws” in Tails, the computer operating system that is used by news and nonprofit organizations to communicate privately with whistleblowers like Edward Snowden.

“The flaws work on the latest version of Tails and allow for the ability to exploit a targeted user, both for de-anonymisation and remote code execution,” said Loc Nguyen a researcher at Exodus. Remote code execution means a hacker can do almost anything they want to the victim’s system, such as installing malware or siphoning off files. (Forbes)

Forbes tells us that Exodus Intelligence “finds vulnerabilities and lets customers know before informing the wider community.”

That means customers could use the vulnerability however they see fit, possibly for de-anonymising anyone a government considers a target. The company plans to tell the Tails team about the issues “in due time”, said Aaron Portnoy, co-founder and vice president of Exodus, but it isn’t giving any disclosure timeline away. (Forbes)

The government connection

The Register reports that Exodus “makes its coin by identifying zero-day flaws in computer systems and selling the knowledge to its client base,” and those customers include the Defense Department.  According to the Register, the company “would not be selling the Tails information, as yet,” and plans to release details “in a series of blog posts next week.”  The Verge reports that Exodus is working on a patch.

User vulnerability is heightened by the NSA’s practice of targeting users of Tails and saving the full content indefinitely. Is it possible that NSA targeted Tails users because it knew about the vulnerability?

An individual or group with the username “Polity News” claims the US government has been funding Tails.

Polity News is a new Twitter account with no profile, so the credibility of the information is uncertain.  But, the claim is consistent with the government’s history of funding the development of other software, including Tor.

Implications for SecureDrop users

Tails is a key element in SecureDrop, “an open-source whistleblower submission system that media organizations can install to accept documents from anonymous sources.” SecureDrop procedures (available at direct users to have a “secure viewing station” with an “airgapped laptop running the Tails operating system from a USB stick.” The guidance recommends that journalists “always use the Tails operating system on their Journalist Workstation when connecting to the Application Server” or a dedicated computer. ” Also, the procedures say, the journalist “needs to use Tor through the Tails operating system to connect to the Document Interface.”

SecureDrop software is managed by the Freedom of the Press Foundation, which states a security audit last August and “found no critical flaws” in its code. But, a single point of vulnerability anywhere in the communication chain between sender, receiver and publisher, is enough to undermine security and anonymity, and a vulnerability in the operating system is particularly bad.

Whistleblowers who may have responded to Daniel Ellsberg’s plea to disclose national security information must be feeling a bit ill right now. SecureDrop is used by ExposeFacts, the organization behind Ellsberg’s billboards in Washington, D.C.., and by the Project on Government Oversight, currently fighting a subpoena by the Department of Veterans Affairs to obtain information provided to it by VA whistleblowers.

One might wonder why the federal government might bother with a subpoena if the NSA has the means to exploit SecureDrop. But, intelligence agencies don’t always reveal what they know immediately. Sometimes they prefer to give the target time to dig himself into a deeper hole.

What next?

Hearing that a vulnerability has been discovered in Tails, should trigger immediate steps to protect future communications from being compromised. But, it’s not clear what software should replace it. Tails is considered one of the most secure operating systems, and is used by Edward Snowden.

Some organizations using SecureDrop have been slow to inform visitors to their websites of the reported vulnerability in Tails, although the websites include disclaimers warning that the system is not guaranteed to be 100 percent secure. But, is a brief disclaimer enough when one is encouraging people to risk the destruction of their careers and potentially much more? Full consideration of the implications,  of ethical and legal responsibilities, and more should precede any decision to disclose.