22 January 2013. Add response from A2.

21 January 2013

Tails Linux version 0.16 - Firewall Disabling Script Waits For Exploitation


A sends:

"If you’re running Tails version 0.15 or 0.16, please locate and delete the following file each session:

/usr/local/sbin/do_not_ever_run_me

The file, if run with correct permissions, will completely disable your firewall! So much for the idea that Tails always routes everything through Tor! Where this news has been posted and comments allowed, mysterious “anonymous” users have expressed their low-brow intelligence leaving comments such as, “Well you need to be root to run it so it doesn’t matter, if you have root you can do anything!”

First of all, a file called “do_not_ever_run_me” shouldn’t be on a Linux system. If it should NEVER BE RUN, and that means by anyone, root or user, local or remote, it SHOULD NOT BE INCLUDED IN THE DISTRIBUTION!

Any current or future exploit which targets this file will “drop the shields” for the Tails user.

Perhaps Tails itself in its next version, 0.17, should be nicknamed, “do_not_ever_run_me”.

Another questionable decision by the Tails developers is to place the following line within the torrc file (located at /etc/tor/torrc):

## We don’t care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
WarnUnsafeSocks 0

Oh, really? We don’t care? Who is we? It’s not me! As the man page for Tor states, this is set to 1 by default, yet Tails sets it to 0! So if something “leaks”, you will never know it? Each session, delete this line or comment it out so the default is 1 like it should be for a Tor session.

What else can we find in this anonymously developed distribution? I’m glad I’m not driving a car with software made by this group of developers."

aka: Tails 0.16 lower shields

src: anonymous

reply: no, throwaway acct


22 January 2013

A2 sends:

As a former Tails developer (https://tails.boum.org) I feel obliged to respond to the allegations on http://cryptome.org/2013/01/tails-exploit.htm.

The file do_not_ever_run_me indeed does nothing that a root user cannot accomplish himself. The Tails operating system disables login as root unless the user explicitly specifies a root password at boot time.

The file exists to allow expert users of Tails to temporarily disable certain firewall rules for testing or other purposes where the user needs the firewall rules disabled.

That said, the file isn't a security risk at all. Just as no one can prevent a Tails/Tor user from disclosing his identity online at will, no one can prevent a user from executing the file or disabling the firewall himself by enabling root access at Tails boot time and issuing the commands to drop the iptables rules himself.

Tails even includes a separate non-safe browser for situations where it is required to browse the web without Tor, e.g. when the user connects to a public Wireless Access Point that reroutes all traffic to a login page, which obviously can't be accessed with Tor as long as the user isn't logged in and the AP prevents users who are not logged in from connecting to the Internet (and the Tor network).

To put it in other words: If a user decides to enable root access in Tails (which is disabled by default), he can do anything he wants anyway. The file does nothing but issue the very same commands to drop the firewall rules that the root user can issue himself manually at any time in the console.

Also, as the file is not linked in the menu or anywhere else where it could be easily accessible, there is no possibility that a user runs it accidentally (which isn't possible anyway, as root access is disabled by default).

Regarding the Tor parameter "WarnUnsafeSocks 0", it appears to me the original poster on your web site has a misconception about how Tor and Tails work.

The Tor manual says:

"When WarnUnsafeSocks is enabled, Tor will warn whenever a request is received that only contains an IP address instead of a hostname. Allowing applications to do DNS resolves themselves is usually a bad idea and can leak your location to attackers. (Default: 1)"

When a user accesses a web service, he usually uses the domain name (e.g. google.com) instead of the IP address. The computer uses DNS to look up the matching IP address for the domain name (very much like a telephone directory). Years ago, many applications that offered SOCKS proxying of their traffic routed all data to the SOCKS proxy, but did DNS lookups themselves without using the proxy. For example, when sending a mail, the mail program would send the mail using the proxy, but look up the IP address of the mail server without using the proxy. Such behaviour would expose the accessed domain names of the user to a wiretapper and the IP address of the user to the DNS server.

Nowadays, while there are still applications that do the DNS lookups directly even when they are configured to use a proxy, most popular programs use the proxy for DNS lookups. That's what the Tor parameter is for. It warns the user whenever an application uses an IP address directly, which usually is the case when the application already resolved the domain name to the matching IP address itself without using the proxy (in this case Tor).

As user applications in Tails *cannot* do DNS requests (or any other requests/traffic) outside Tor, this parameter is not required.

Besides that, the parameter was only recently introduced in Tor (0.2.2.14-alpha).

I hope to have clarified the issue a bit.
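An added example, not part of either post and not Tor or Tails code, of the check behind WarnUnsafeSocks that A2 describes: parse SOCKS5 CONNECT requests (RFC 1928 layout) and flag those carrying a literal IP address rather than a hostname, the signature of an application that resolved DNS itself instead of leaving it to the proxy. The sample requests and the helper names are constructed for this illustration.

```python
import ipaddress
import struct

# SOCKS5 address types (RFC 1928): IPv4, domain name, IPv6
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_connect(req: bytes) -> dict:
    """Parse a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(req) < 4 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]  # length-prefixed hostname, resolved by the proxy
        addr, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError("unknown ATYP")
    if len(rest) != 2:
        raise ValueError("truncated request")
    return {"cmd": req[1], "atyp": atyp, "addr": addr,
            "port": struct.unpack("!H", rest)[0]}


def is_unsafe_socks(req: bytes) -> bool:
    """True when the request names a literal IP instead of a hostname.
    That is what Tor's WarnUnsafeSocks warns about: the client has most
    likely done the DNS lookup itself, possibly outside the proxy."""
    return parse_socks5_connect(req)["atyp"] != ATYP_DOMAIN


def build_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT; hostnames use ATYP 0x03 so the proxy resolves."""
    try:
        ip = ipaddress.ip_address(host)
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        body = bytes([ATYP_DOMAIN, len(host)]) + host.encode("ascii")
    return b"\x05\x01\x00" + body + struct.pack("!H", port)


# Constructed samples: SAFE leaves resolution to the proxy, UNSAFE carries an
# address the client already resolved locally (the case the warning flags).
SAFE = build_connect("example.org", 443)
UNSAFE = build_connect("93.184.216.34", 443)
```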