Re: [Tails-dev] Tails Safety

2022-08-30 Thread David A. Wheeler


> On Aug 29, 2022, at 7:05 AM, stopcensorship5 via Tails-dev wrote:
> 
> Hi there
> 
> I am writing to find out if Tails is a safe platform to use for political 
> activists or dissidents? I am not an expert on the Tails system itself but I 
> did some research and came across an article that said Tails was compromised 
> by Facebook by exploiting a vulnerability in the video player in Tails which 
> was used to expose users of the system. Has Tails patched that 
> vulnerability/exploit and is the system safe to use now or can governments 
> use the same or similar exploit to that of Facebook to find out the identity 
> of Tails users?
> Best regards.
> 
> Link:
> https://www.vice.com/en/article/dyz3jy/privacy-focused-os-tails-wants-to-know-how-facebook-and-the-fbi-hacked-it

The "best evidence publicly available" says that this vulnerability has been 
fixed, though it sure would be good to have more info.

Here are some other articles about this:
https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez
https://www.schneier.com/blog/archives/2020/06/facebook_helped.html
https://www.reddit.com/r/tails/comments/nltcik/tailsfacebookvideo_exploit/

According to the Reddit stream, a Tails spokesman (who?) said:
“The only way for Tails to be sure that every single aspect of the zero-day is 
indeed fixed already is to learn about the full details of the zero-day,” a 
Tails spokesperson said in an email, arguing that it’s possible that the flaw 
relied on a chain of other flaws that may still be partially unpatched. 
“Without these full details, we cannot have a strong guarantee that our current 
users are 100 percent safe from this zero-day as of today.”

That said, it appears that it's been fixed. According to a Facebook employee in 
:
"One of the former Facebook employees who worked on this project said the plan 
was to eventually report the zero-day flaw to Tails, but they realized there 
was no need to because the code was naturally patched out."

Tails developers have been taking steps to harden the software in general. The 
goal is to turn software vulnerabilities into crashes instead of exploitable 
events. I would encourage more of that, as that's the better long-term plan. In 
addition, there are other organizations (esp. OpenSSF) that are working to 
eliminate whole categories of vulnerabilities in certain cases, e.g., by 
rewriting some vulnerable code in memory-unsafe languages into memory-safe 
languages (to eliminate whole categories of vulnerabilities).

--- David A. Wheeler
___
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.


Re: [Tails-dev] Tails Safety

2022-08-30 Thread intrigeri

Hi,

stopcensorship5 via Tails-dev (2022-08-29):
> I am writing to find out if Tails is a safe platform to use for
> political activists or dissidents? I am not an expert on the Tails
> system itself but I did some research and came across an article
> that said Tails was compromised by Facebook by exploiting
> a vulnerability in the video player in Tails which was used to
> expose users of the system. Has Tails patched that
> vulnerability/exploit

Yes.

> and is the system safe to use now or can governments use the same or similar 
> exploit to that of Facebook to find out the identity of Tails users?

See https://tails.boum.org/doc/about/warnings/ :)


[Tails-dev] Tails Safety

2022-08-30 Thread stopcensorship5 via Tails-dev

Hi there

I am writing to find out if Tails is a safe platform to use for political 
activists or dissidents? I am not an expert on the Tails system itself but I 
did some research and came across an article that said Tails was compromised 
by Facebook by exploiting a vulnerability in the video player in Tails which 
was used to expose users of the system. Has Tails patched that 
vulnerability/exploit and is the system safe to use now or can governments use 
the same or similar exploit to that of Facebook to find out the identity of 
Tails users?
Best regards.

Link:
https://www.vice.com/en/article/dyz3jy/privacy-focused-os-tails-wants-to-know-how-facebook-and-the-fbi-hacked-it