Flaws could expose users of privacy-protecting software, researchers say

Published 24/07/2014, 01:43
By Joseph Menn

SAN FRANCISCO (Reuters) - Researchers have found a flaw that could expose the identities of people using a privacy-oriented operating system touted by Edward Snowden, just two days after widely used anonymity service Tor acknowledged a similar problem.

The most recent finding concerns a complex, heavily encrypted networking programme called the Invisible Internet Project, or I2P. Used to send messages and run websites anonymously, I2P ships along with the specialised operating system "Tails," which former U.S. spy contractor Snowden used to communicate with journalists in secret.

Though a core purpose of I2P is to obscure the Internet Protocol addresses of its roughly 30,000 users, anyone who visits a booby-trapped website could have their true address revealed, making it likely that their name could be exposed as well, according to researchers at Exodus Intelligence.

"People shouldn't trust something wholeheartedly just because Snowden says," Exodus Vice President Aaron Portnoy told Reuters. "Generally, we assume the things we can find, others can find."

Tails launches from a DVD or USB stick and is designed to maintain privacy even when a computer or network has been hacked.

Much more than I2P, Tails relies on Tor, the better-known anonymity system that it uses for all software connections to the Internet. But leaks in the past year have shown that Tor is also a major target for the U.S. National Security Agency and others, and researchers at Carnegie Mellon University said they could have identified hundreds of thousands of Tor users.

Those researchers planned to detail their technique next month at the security conference Black Hat. After Tor developers complained to Carnegie Mellon, the university told Black Hat to cancel the talk.

Tor programmer Roger Dingledine conceded that the researchers had found a flaw, and he said his team was now working to fix it before any public disclosure exposes dissidents and other types of users on Tor to greater risk of attack.

The I2P flaw will likewise be fixed. A spokesman for the I2P project said the group of developers was still analysing the Exodus report.

Tails did not respond to an email seeking comment. It was not clear how many Tails users would have been vulnerable without Exodus' cooperation, since the I2P application does not launch automatically when the operating system is opened.

Exodus is one of a dozen or more companies known to sell secret security flaws to intelligence agencies, law enforcement and other customers in a controversial marketplace.

NO SYSTEM IS FAILSAFE

But in this case, Exodus alerted I2P and Tails to the problem and said it would not divulge the details to customers until the problem has been fixed. Portnoy declined to say what the company would do if a government client asked him to find a similar flaw in the future.

The Tails and Tor episodes show that no anonymity system is failsafe, Portnoy said, and those in jeopardy should focus on compartmentalizing their efforts so that a single breach would not expose everything about them.

"Tor works for most purposes, but a determined adversary will always find a way," he said.

In one such high-stakes case, the FBI used a flaw in a Firefox Web browser that came bundled with Tor to identify a man suspected of hosting child pornography, according to Irish media reports.

Leaked NSA documents show that the NSA logged the IP addresses of many Tor users and may have scanned emails for users living outside of the United States and its four closest intelligence allies, German media reported this month.

(Reporting by Joseph Menn; Editing by Mohammad Zargham)
