- Did the Space Force logo rip off Star Trek? Friday 6:24 PM
- Disabled people with service dogs say Uber, Lyft drivers are denying them rides Friday 3:25 PM
- TikTok teen famous for greasy hair ends her 8-year reign Friday 2:48 PM
- Police handcuff brown man at subway station for carrying a toy gun Friday 1:20 PM
- Fake clip of Sanders quoting infamous ‘hot chip’ tweet is duping people online Friday 1:16 PM
- The Mars Volta’s Cedric Bixler-Zavala alleges Scientologists behind dog’s death Friday 12:46 PM
- Eminem responds to critics: ‘This album was not made for the squeamish’ Friday 12:42 PM
- ‘The poet, the poem’ meme takes iconic lines and turns them into art Friday 12:40 PM
- People are making dark memes about the coronavirus Friday 12:27 PM
- Trump camp’s ‘head on a pike’ impeachment threat hit with memes Friday 11:34 AM
- What is the #FreeBritney movement, and why is Cher tweeting about it? Friday 10:52 AM
- This YouTuber claims the Saudi government plotted to kidnap him on U.S. soil Friday 10:30 AM
- Report: Jack Dorsey declined to host a fundraiser for Tulsi Gabbard Friday 10:22 AM
- Bernie Sanders plugs Joe Rogan endorsement—and women are furious Friday 10:04 AM
- Young woman using TikTok to document the end of her life says she’s dying next week Friday 8:43 AM
Flaw found in I2P anonymity network can reveal users’ identities
“It’s not enough to have faith upon security, rather to have an understanding of it.”
A Texas-based research firm has found a critical flaw in TAILS, an anonymity-focused operating system touted by the likes of Edward Snowden, that puts users in danger of being de-anonymized and revealed to the world.
The vulnerability, found by Exodus Intelligence, rests with I2P, an anonymizing network that has been rising in popularity alongside the Tor Project, a far mor prominent tool for using the Internet anonymously.
Although the full technical details have yet to be released to the public—the I2P team has them and is working on a fix—we know that the vulnerability de-anonymizes TAILS users who are connected to the I2P network through remote code execution.
MT “@ampernand the i2p 0 day requires you to have js enabled for it to work.” Default setting on Tails allows JS. Oops. 😉
— Aaron Portnoy (@aaronportnoy) July 24, 2014
I was expecting something 1337 but was disappointed. the i2p 0 day requires you to have js enabled for it to work.
— Jeff (@ampernand) July 23, 2014
“We publicized the fact that we’ve discovered these issues for a very simple reason,” Exodus wrote in a blog post, “no user should put full trust into any particular security solution.”
“By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible. Even when the issues we’ve found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others.”
I2P, which can be downloaded and used as a standalone program, has been bundled with the TAILS operating system for a little over a year.
Exodus Intelligence, which makes its money by selling critical software vulnerabilities to entities like the United States government, sparked a major debate in the information security community when it announced the existence of flaws in TAILS and then I2P but did not immediately disclose the details to either project’s developers.
Exodus has since brought the teams from TAILS and I2p—both non-profit, volunteer outfits with limited resources and manpower—into the loop.
TAILS and I2P are both open-source projects but, due to their size, cannot often afford full audits from experts.
— Jeff (@ampernand) July 23, 2014
“We at Exodus are able to do what many software projects cannot,” the company’s blog continued, “perform security code audits and find exploitable vulnerabilities releasing them to the public.”
In response to critics, Exodus’s blog explained that the loud airing of the issue was deliberate. “Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security,” the company wrote. “It’s not enough to have faith upon security, rather to have an understanding of it.”
More detailed information about the vulnerability will be available to the public soon, representatives from both Exodus and I2P have promised.
Photo via tompagenet/Flickr (CC BY-SA 2.0)
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.