A recent tweet from Exodus Intel (a company based in Austin, Texas) generated quite some noise on the Internet:
"We're happy to see that TAILS 1.1 is being released tomorrow. Our multiple RCE/de-anonymization zero-days are still effective. #tails #tor"
Tails ships a lot of software, from the Linux kernel to a fully functional desktop, including a web browser and a lot of other programs. Tails also adds a bit of custom software on top of this.
Security issues are discovered every month in a few of these programs. Some people report such vulnerabilities, and then they get fixed: this is the power of free and open source software. Others don't disclose them, but run lucrative businesses by weaponizing and selling them instead. This is not new and comes as no surprise.
We were not contacted by Exodus Intel prior to their tweet. In fact, a more irritated version of this text was ready when we finally received an email from them. They informed us that they would provide us with a report within a week. We're told they won't disclose these vulnerabilities publicly before we have corrected them and Tails users have had a chance to upgrade. We think that this is the right process to responsibly disclose vulnerabilities, and we're really looking forward to reading this report.
Being fully aware of this kind of threat, we're continuously working on improving Tails' security in depth. Among other tasks, we're working on a tight integration of AppArmor in Tails, kernel and web browser hardening, as well as sandboxing, just to name a few examples.
We are happy about every contribution that protects our users further from de-anonymization and helps them to protect their private data, investigations, and their lives. If you are a security researcher, please audit Tails, Debian, Tor or any other piece of software we ship. To report or discuss vulnerabilities you discover, please get in touch with us by sending email to email@example.com.
Anybody wanting to contribute to Tails to help defend privacy, please join us!