> On Aug 29, 2022, at 7:05 AM, stopcensorship5 via Tails-dev <[email protected]> wrote:
>
> Hi there
>
> I am writing to find out if Tails is a safe platform to use for political activists or dissidents? I am not an expert on the Tails system itself but I did some research and came across an article that said Tails was compromised by Facebook by exploiting a vulnerability in the video player in Tails which was used to expose users of the system. Has Tails patched that vulnerability/exploit and is the system safe to use now or can governments use the same or similar exploit to that of Facebook to find out the identity of Tails users?
>
> Best regards.
>
> Link: https://www.vice.com/en/article/dyz3jy/privacy-focused-os-tails-wants-to-know-how-facebook-and-the-fbi-hacked-it

The "best evidence publicly available" says that this vulnerability has been fixed, though it sure would be good to have more info. Here are some other articles about this:

https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez
https://www.schneier.com/blog/archives/2020/06/facebook_helped.html
https://www.reddit.com/r/tails/comments/nltcik/tailsfacebookvideo_exploit/

According to the Reddit stream, a Tails spokesman (who?) said:

“The only way for Tails to be sure that every single aspect of the zero-day is indeed fixed already is to learn about the full details of the zero-day,” a Tails spokesperson said in an email, arguing that it’s possible that the flaw relied on a chain of other flaws that may still be partially unpatched. “Without these full details, we cannot have a strong guarantee that our current users are 100 percent safe from this zero-day as of today.”

That said, it appears that it's been fixed. According to a Facebook employee in <https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez>:

"One of the former Facebook employees who worked on this project said the plan was to eventually report the zero-day flaw to Tails, but they realized there was no need to because the code was naturally patched out."

Tails developers have been taking steps to harden the software in general. The goal is to turn software vulnerabilities into crashes instead of exploitable events. I would encourage more of that, as that's the better long-term plan.

In addition, there are other organizations (esp. OpenSSF) that are working to eliminate whole categories of vulnerabilities in certain cases, e.g., by rewriting some vulnerable code in memory-unsafe languages into memory-safe languages (to eliminate whole categories of vulnerabilities).

--- David A. Wheeler
