Date: Fri Jun  9 04:16:36 2006
From: degeneracypressure at gmail.com (Eliah Kagan)
Subject: Re: blocking tor is not the right way forward.
	It may just be the right way backward.

On 6/8/06, John Sprocket wrote:
> but like all tools it's a double-edged sword and is easy to abuse.
> saying "do not bother. you're fighting against privacy, find a better
> way" is not solving the problem but obviously avoiding it in the
> first place. again the original problem is of identifying a tor user.
> a user choosing to use a known community supported utility
> to keep their anonymity (or invalidates their ip). it was stated
> that you could lex the cached-directory for a blacklist of ips.

The problem, in the first place, is that people are hacking the
websites of others. Saying, "let's block tor so that it will be
slightly harder for some hackers to be quite so anonymous while
eroding the privacy of thousands of legitimate users" is called
**avoiding the problem**. When you do that instead of securing your
servers, you're going to get hacked.

> so redirecting them to a page that says "anonymous users
> not allowed" or denying a user from running ssh over tor makes
> sense to me because it's my equipment after all, and i'd want to know who's
> using tor and who isn't.

You could require that I give you my social security number and run a
credit check on me to view your site, too. You could give me a page
saying that I was not allowed to access the site if I didn't agree to
that. But that is very far from saying that it would make sense for
you to do so. It wouldn't. It is legal for you to act destructively to
people at large wishing their privacy to be respected, and to your own
users specifically, but that doesn't mean that it is rational or
morally right for you to do so.

> suggesting that an admin shouldn't bother, hackers will work
> around it is retarded. of course they'll work around it, but
> essentially you're raising the bar so someone will have to make
> more effort. you can't really secure everything against everybody
> (and still keep your usability. the teeter-totter of security), but you
> can make it enough of a pain in the ass to deter them from messing with it.

And that is why only leet hackers are able to download movies and
music on the Internet. Because thousands of technical professionals
have joined forces to raise the bar and ensure that only people who
really know what they're doing can do that, and how could thousands of
technical professionals fail to succeed against millions of noobs?
Riiiight...

If what you are saying were really true, that would only add to my
argument about how you're handicapping legitimate users while doing
nothing against hackers.

> essentially you're saying "use something besides tor to
> keep your privacy for your abuse/dos."

This is an incredibly weak argument. "You can hack me, and you can
still remain anonymous, and you can still remain anonymous in much the
same way, just as long as you vary your method slightly." It's also
not even true. tor itself is likely to adapt to blocking methods. Then
you have to have all the technical expertise necessary to...update to
the next version.

It's funny how you mention using something else besides tor to remain
anonymous while engaging in malicious activity, but don't bother to
mention that blocking tor **blocks tor** and hurts legitimate users
(who are less likely to know what they're doing and consequently will
be hurt more).

> i don't see anything wrong
> with that besides the misinterpretation being "i hate privacy. i'm
> fighting the war against privacy." which is not the case.

Actually, you're right. That is a misinterpretation. I don't think
anybody has said that, but it would be a misinterpretation if somebody
did. Given that you started your email by talking about how you use
tor to maintain your own privacy, and then talked about how it makes
good sense for site admins to block tor, a more accurate
interpretation would be, "I hate the privacy of others. I'm fighting
the war against the privacy of others."

-Eliah
