Date: Sat Jun  3 21:16:09 2006
From: sargoniv at gmail.com (John Sprocket)
Subject: blocking tor is not the right way forward. It may just be the right way backward.

so you're saying sacrifice the ability for identifying a legit attacker for
the sake of allowing privacy for the masses? okay, sure. i never really
cared about my data in the first place. ;-)

attackers have other ways, most definitely. but why use one of those other
methods (proxying through a botnet) when you have tor already available
to you?

don't get me wrong by the way. i use tor all the time. and i'm a pretty
legit tor user if i say so myself :), but i can understand why someone would
want to block it. i imagine a forensics person looks and sees a tor ip and
thinks "okay. i just deadended. there's nothing i can do because this is
a tor exit node." with a botnet, most bots can be traced back to their
meeting point which is a little bit more useful.

is there an easier way for denying tor? or instead of denying, how about
identifying a user as being tor and then redirecting them to a page that
explains why a tor user isn't allowed to visit a specific website.
if there's a better way to identify a tor user (malicious or not),
perhaps the list will benefit from it and come up with a better solution.

On 6/3/06, Joel Jose <joeljose420@...il.com> wrote:
>
> it's not just fair game. we had discussed it in tor irc chan. ok so you
> just made an apache mod for the black list. tor always did and always does
> allow anyone to block tor users if they please. but the easiness which tor
> gives for the blocking must not be overused to deny tor communications even
> for legitimate purposes (definition vague).
>
> hopefully the blacklists, apache mods.. and other methods of blocking tor
> are not "default" enabled. And hopefully the security cookbooks and other
> HOWTO's don't come with a default recommendation to enable these tor blocking
> modules.
>
> The admin needs to be educated about tor. Ideally he must be able to
> decide for himself the balance between anonymity and performance. He should
> be empowered to take his own decision. An educated and well informed
> decision. Remember "if privacy is outlawed, only outlaws will have
> privacy".. and hackers have better ways to protect their privacy.. but as of
> today.. legitimate users don't have that luxury.. tor is their most practical
> hope.
>
> joel.
>
> --
> As soon as men decide that all means are permitted to fight an
> evil, then their good becomes indistinguishable from the evil
> that they set out to destroy.
>                       - Christopher Dawson, The Judgment of Nations
>
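
The identify-and-redirect idea raised in the message above, as an added example that is not part of the original post or of any Apache module mentioned in the thread: a WSGI middleware that sends clients on a locally maintained exit-address list to an explanation page instead of dropping them. The list format (one address per line), the `/tor-notice` path and all function names are assumptions, and the addresses are constructed documentation-range values.

```python
import ipaddress

# Constructed sample list: documentation-range addresses, not real exit nodes.
SAMPLE_EXIT_LIST = "# constructed sample\n192.0.2.10\n198.51.100.7\n2001:db8::5\n"
NOTICE_PATH = "/tor-notice"  # hypothetical path of the explanation page

def parse_exit_list(text):
    """Parse one address per line; skip blanks, comments and malformed lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            try:
                exits.add(ipaddress.ip_address(line))
            except ValueError:
                pass
    return exits

def is_exit(addr, exits):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable peer address: treat as not listed
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d on dual-stack sockets
        ip = ip.ipv4_mapped
    return ip in exits

def tor_notice(app, exits, notice_path=NOTICE_PATH):
    """WSGI middleware: redirect listed clients to the notice page."""
    def wrapped(environ, start_response):
        # Use the socket peer address only; X-Forwarded-For is client-controlled.
        listed = is_exit(environ.get("REMOTE_ADDR", ""), exits)
        if listed and environ.get("PATH_INFO", "") != notice_path:
            start_response("302 Found", [("Location", notice_path), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return wrapped

def site(environ, start_response):
    """Stand-in application that also serves the notice page itself."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"requests from listed exit addresses are not served here\n"
            if environ.get("PATH_INFO") == NOTICE_PATH else b"hello\n"]

def probe(addr, path="/"):
    """Run one request through the middleware; return (status, Location)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["location"] = status, dict(headers).get("Location")
    tor_notice(site, parse_exit_list(SAMPLE_EXIT_LIST))({"REMOTE_ADDR": addr, "PATH_INFO": path}, start_response)
    return seen["status"], seen["location"]
```

The notice path is exempt from the redirect so a listed client can actually read the explanation, and the list has to be refreshed regularly because exit addresses change.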