Flaw found in I2P anonymity network can reveal users’ identities
“It’s not enough to have faith upon security, rather to have an understanding of it.”
A Texas-based research firm has found a critical flaw in TAILS, an anonymity-focused operating system touted by the likes of Edward Snowden, that puts users in danger of being de-anonymized and revealed to the world.
The vulnerability, found by Exodus Intelligence, rests with I2P, an anonymizing network that has been rising in popularity alongside the Tor Project, a far more prominent tool for using the Internet anonymously.
Although the full technical details have yet to be released to the public—the I2P team has them and is working on a fix—we know that the vulnerability uses remote code execution to de-anonymize TAILS users who are connected to the I2P network.
MT “@ampernand the i2p 0 day requires you to have js enabled for it to work.” Default setting on Tails allows JS. Oops. 😉
— Aaron Portnoy (@aaronportnoy) July 24, 2014
I was expecting something 1337 but was disappointed. the i2p 0 day requires you to have js enabled for it to work.
— Jeff (@ampernand) July 23, 2014
“We publicized the fact that we’ve discovered these issues for a very simple reason,” Exodus wrote in a blog post, “no user should put full trust into any particular security solution.”
“By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible. Even when the issues we’ve found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others.”
I2P, which can be downloaded and used as a standalone program, has been bundled with the TAILS operating system for a little over a year.
Exodus Intelligence, which makes its money by selling critical software vulnerabilities to entities like the United States government, sparked a major debate in the information security community when it announced the existence of flaws in TAILS and then I2P but did not immediately disclose the details to either project’s developers.
Exodus has since brought the teams from TAILS and I2P—both non-profit, volunteer outfits with limited resources and manpower—into the loop.
TAILS and I2P are both open-source projects but, due to their size, cannot often afford full audits from experts.
“We at Exodus are able to do what many software projects cannot,” the company’s blog continued, “perform security code audits and find exploitable vulnerabilities releasing them to the public.”
In response to critics, Exodus’s blog explained that the loud airing of the issue was deliberate. “Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security,” the company wrote. “It’s not enough to have faith upon security, rather to have an understanding of it.”
More detailed information about the vulnerability will be available to the public soon, representatives from both Exodus and I2P have promised.
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.