Date: Thu Jun  8 15:07:28 2006
From: sargoniv at gmail.com (John Sprocket)
Subject: Re: blocking tor is not the right way forward.
	It may just be the right way backward.

tor is a problem in some cases and a solution in others. a solution
for privacy, no doubt. a problem for someone who doesn't
want their users to have privacy when they're communicating with
equipment that they own/maintain.

i use tor for privacy reasons (since early 2005), and it does it well.
i have no complaints, i like the program. before tor existed i used
to actually pay for an anonymizer service that used proxy chaining as well
(just without the "extras" that tor provides). tor
also saves me money if that's the case.

but like all tools it's a double-edged sword and is easy to abuse.
saying "do not bother. you're fighting against privacy, find a better
way" is not solving the problem but obviously avoiding it in the
first place. again the original problem is of identifying a tor user.
a user choosing to use a known community supported utility
to keep their anonymity (or invalidates their ip). it was stated
that you could lex the cached-directory for a blacklist of ips.

so redirecting them to a page that says "anonymous users
not allowed" or denying a user from running ssh over tor makes
sense to me because it's my equipment after all, and i'd want to know who's
using tor and who isn't.

suggesting that an admin shouldn't bother, hackers will work
around it is retarded. of course they'll work around it, but
essentially you're raising the bar so someone will have to make
more effort. you can't really secure everything against everybody
(and still keep your usability. the teeter-totter of security), but you
can make it enough of a pain in the ass to deter them from messing with it.
essentially you're saying "use something besides tor to
keep your privacy for your abuse/dos." i don't see anything wrong
with that besides the misinterpretation being "i hate privacy. i'm
fighting the war against privacy." which is not the case.

.sargoniv

On 6/8/06, Joel Jose <joeljose420@...il.com> wrote:
>
> yeah,
>
>       it's when people see tor and tor-like projects as a problem rather than
> a solution that they can't focus on the bigger issue. If profiling, and
> other privacy-threatening features are "discouraged".. if the concept
> of using "scarce" resources like ipaddress.. etc for "addressing"
> network users are discouraged.. if people stop feeling scared of
> things.. then tor and other projects will fade away into the internet
> archives...
>
> C'mon people.. tor and all other tor-alikes do "decrease" performance
> drastically.. it's a huge resource eater for the people and community
> who maintain it. if there was no need for tor.. certainly it would
> have gone away sooner than you have finished inserting that module on
> your apache ;)
>
> yeah.. i was being too over-idealistic there.. besides making
> ipaddress irrelevant is what tor does after all (albeit in a more
> sarcastic way).. anyway i seriously hope people will one day in the
> (not-so-near) future have their privacy "valued" even without tor;)
>
> joel.
>
> On 6/7/06, Eliah Kagan <degeneracypressure@...il.com> wrote:
> > On 6/6/06, John Sprocket wrote:
> > > hehe. look at it metaphorically (like guest inside establishment)
> > >
> > > you're head of security at a casino you monitor a specific area full of
> > > people/users.
> > > you have your normal people you can see and possibly identify if you so
> > > care. there's a
> > > group of people that walk in and are wearing clothing that is obviously
> > > meant to obscure their intentions. would you let them stay in your casino,
> > > or would you ask them politely to
> > > take off their masks?
> > >
> > > do you choose to accept fully anonymous people (only being able to identify
> > > them as being anonymous) into your establishment?
> >
> > Suppose your casino has cameras, that show you the faces of these
> > so-called "normal people". You think you can look at their faces and
> > determine where they live and where they got their money? Because
> > *that* would be a proper metaphor to looking at your server logs. The
> > privacy risk to Internet surfers is often *greater* than that to
> > patrons of "physical" establishments.
> >
> > This metaphor appears to be exceedingly contrived, beyond the point of
> > even making sense in the metaphorical world. What clothing are they
> > wearing to anonymize themselves? Are they managing to wear clothing
> > that makes it difficult to distinguish them from others while at the
> > same time not violating social standards of proper dress in a casino,
> > not interfering in any way with the other customers, or causing any
> > other customers to feel uncomfortable? If you can come up with some
> > clothing that fits that description, then I would guess that most
> > casinos would permit them to continue as they were. The locks on the
> > doors to restricted areas in the casino will still restrict their
> > movement and the security cameras will still enable the security staff
> > to know if they are committing a crime in the casino, and to stop them
> > from committing that crime. (In the casino, such a person could still
> > be **apprehended** too, just as easily as anybody else, which is one
> > of the reasons why it puzzles me that you have chosen this metaphor.)
> >
> > Going back to your previous metaphor, I think it is important to
> > recognize that a public website is very unlike a private home, and
> > more like a booth at a fair. Do you want to provide your identity to
> > everyone standing behind booths at fairs, in order for you to merely
> > **walk up** to the booth and take a look?
> >
> > When it comes right down to it, the owner of a private website is
> > perfectly free to choose to try to block tor. That behavior threatens
> > the legitimate interests of legitimate users, but is certainly within
> > the rights of the owner. And tor users are perfectly free to try to
> > get around such attempts. That behavior is commendable, and certainly
> > within the rights of tor users. (And don't go whining about clickwrap
> > agreements for surfing websites--none of those are binding anyway,
> > except in cases of e-commerce, in which the user of the site is
> > actually engaged in a contractual relationship with the owner or
> > owning entity of the site).
> >
> > -Eliah
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
> --
> As soon as men decide that all means are permitted to fight an
> evil, then their good becomes indistinguishable from the evil
> that they set out to destroy.
>                       - Christopher Dawson, The Judgment of Nations
>
>
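The thread's technical point is that an operator can build an IP blocklist from Tor's published directory and then key a redirect or a deny decision on it. The script below is an added example written for this archive page, not code from any poster or from the Tor project. It assumes a simplified descriptor-style document (`router` lines carrying nickname and address, followed by `accept`/`reject` exit-policy lines; the exit test is reduced to "has any accept rule"); the directory text and the access-log lines are constructed samples using documentation address ranges, not real relays or clients.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of Tor router descriptors (simplified):
# a "router" line gives nickname, IP and ports; "accept"/"reject" lines
# give the exit policy. Addresses are documentation ranges, not real relays.
SAMPLE_DIRECTORY = """\
router alpha 192.0.2.10 9001 0 9030
accept *:80
accept *:443
reject *:*
router beta 198.51.100.20 443 0 0
reject *:*
router gamma 203.0.113.30 9001 0 9030
accept *:*
"""


def parse_relays(text):
    """Return {ip: {"nickname": ..., "is_exit": bool}} from descriptor-style text.

    A relay counts as an exit when its policy carries at least one 'accept'
    rule. This is a simplification of real exit-policy matching (assumption
    for this example): a relay with only 'reject *:*' never originates
    client traffic toward your server, so it should not be blocked.
    """
    relays = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "router" and len(parts) >= 3:
            current = parts[2]
            relays[current] = {"nickname": parts[1], "is_exit": False}
        elif parts[0] == "accept" and current is not None:
            relays[current]["is_exit"] = True
    return relays


def tor_exit_ips(text):
    """The set of relay addresses that can actually reach us as a client."""
    return {ip for ip, info in parse_relays(text).items() if info["is_exit"]}


# Constructed access-log lines (common log format prefix).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jun/2006:15:07:28 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [08/Jun/2006:15:07:29 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.20 - - [08/Jun/2006:15:07:30 +0000] "GET /admin HTTP/1.1" 403 0
"""

LOG_IP = re.compile(r"^(\S+) ")


def classify_log(log_text, exit_ips):
    """Tag each log line's client IP as 'tor-exit' or 'other'.

    The same membership test is what a redirect rule ("anonymous users not
    allowed") or a connection deny for ssh would key on.
    """
    out = []
    for line in log_text.splitlines():
        m = LOG_IP.match(line)
        if not m:
            continue
        ip = m.group(1)
        try:
            ip_address(ip)  # skip malformed client fields
        except ValueError:
            continue
        out.append((ip, "tor-exit" if ip in exit_ips else "other"))
    return out


if __name__ == "__main__":
    exits = tor_exit_ips(SAMPLE_DIRECTORY)
    for ip, tag in classify_log(SAMPLE_LOG, exits):
        print(f"{ip:16} {tag}")
```

Two caveats a practitioner would want: the relay set changes continuously, so the directory has to be re-read on a schedule rather than lexed once, and matching on every relay address rather than exits only (relay `beta` above) blocks machines that never send client traffic to you. Note that `198.51.100.20` is in the directory but is classified as `other` for exactly that reason.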
