Tails Developers Puzzled by Facebook and FBI OS Hack
The developers of the anonymous operating system Tails are trying to uncover details about a hack used by Facebook and the FBI to catch a criminal who was stalking women on the social network.
As previously reported by SecurityLab, in 2017, Facebook hired a cybersecurity firm to develop a hacking tool that allowed them to break into the account of Buster Hernandez and gather evidence for his arrest. This tool was later handed over to the FBI.
The tool exploited a so-called zero-day vulnerability in the GNOME Videos player included in Tails OS, which enabled the FBI to discover the real IP address of the criminal.
Although Facebook’s intentions were good, the problem is that neither the company nor the FBI informed the developers of Tails or GNOME Videos about the vulnerability in their products. According to the software developers, they only learned about the issue after the story surfaced in the media, as reported by Motherboard.
“Facebook did not inform Tails about the exploit and decided it was acceptable since the Tails developers had accidentally fixed the vulnerability as part of an unrelated update,” the publication states.
According to Facebook representatives, in mid-June of this year, the company attempted to contact the Tails developers and also received confirmation from the FBI that the hacking tool was used only in the Buster Hernandez case. The FBI declined to comment to Motherboard journalists on whether the exploit was used in other investigations, whether the tool is still in the FBI’s possession, or whether the agency intends to provide information about the vulnerability under the Vulnerabilities Equities Process (VEP).
What is Tails?
Tails (The Amnesic Incognito Live System) is a Debian-based Linux LiveCD distribution designed to ensure privacy and anonymity. In Tails, all outgoing connections are routed through the anonymous Tor network, and all non-anonymous connections are blocked.
About the Vulnerabilities Equities Process (VEP)
The Vulnerabilities Equities Process (VEP) is a set of rules for disclosing vulnerabilities by the U.S. federal government. The document contains a list of criteria used by the government to decide whether to publish information about significant vulnerabilities or keep them secret for use in offensive cyber operations.