Friday, 25 July 2014

Flaws found in privacy-protecting software

San Francisco - Researchers have found a flaw that could expose the identities of people using a privacy-oriented operating system touted by Edward Snowden, just two days after widely used anonymity service Tor acknowledged a similar problem.

The most recent finding concerns a complex, heavily encrypted networking program called the Invisible Internet Project, or I2P. Used to send messages and run websites anonymously, I2P ships along with the specialised operating system "Tails", which former US spy contractor Snowden used to communicate with journalists in secret.

Though a core purpose of I2P is to obscure the Internet Protocol addresses of its roughly 30 000 users, anyone who visits a booby-trapped website could have their true address revealed, making it likely that their name could be exposed as well, according to researchers at Exodus Intelligence.

"People shouldn't trust something wholeheartedly just because Snowden says," said Exodus vice president Aaron Portnoy. "Generally, we assume the things we can find, others can find."

Tails launches from a DVD or USB stick and is designed to maintain privacy even when a computer or network has been hacked.

-VULNERABLE
Much more than I2P, Tails relies on Tor, the better-known anonymity system that it uses for all software connections to the internet.

But leaks in the past year have shown that Tor is also a major target for the US National Security Agency and others, and researchers at Carnegie Mellon University said they could have identified hundreds of thousands of Tor users.

Those researchers planned to detail their technique in August at the security conference Black Hat. After Tor developers complained to Carnegie Mellon, the university told Black Hat to cancel the talk.

Tor programmer Roger Dingledine conceded that the researchers had found a flaw, and he said his team was now working to fix it before any public disclosure exposes dissidents and other types of users on Tor to greater risk of attack.

The I2P flaw will likewise be fixed. A spokesperson for the I2P project said the group of developers was still analysing the Exodus report.

Tails did not respond to an e-mail seeking comment. It was not clear how many Tails users would have been vulnerable without Exodus' co-operation, since the I2P application does not launch automatically when the operating system is opened.

Exodus is one of a dozen or more companies known to sell secret security flaws to intelligence agencies, law enforcement and other customers in a controversial marketplace.

-GOVERNMENT CLIENT
But in this case, Exodus alerted I2P and Tails to the problem and said it would not divulge the details to customers until the problem has been fixed. Portnoy declined to say what the company would do if a government client asked him to find a similar flaw in the future.

The Tails and Tor episodes show that no anonymity system is failsafe, Portnoy said, and those in jeopardy should focus on compartmentalising their efforts so that a single breach would not expose everything about them.

"Tor works for most purposes, but a determined adversary will always find a way," he said.

In one such high-stakes case, the FBI used a flaw in a Firefox web browser that came bundled with Tor to identify a man suspected of hosting child pornography, according to Irish media reports.

Leaked NSA documents show that the NSA logged the IP addresses of many Tor users and may have scanned e-mails for users living outside of the US and its four closest intelligence allies, German media reported.
