Date: Fri Jun  9 15:30:37 2006
From: sargoniv at gmail.com (John Sprocket)
Subject: Re: blocking tor is not the right way forward.
	It may just be the right way backward.

responses inline

On 6/8/06, Eliah Kagan <degeneracypressure@...il.com> wrote:
>
> On 6/8/06, John Sprocket wrote:
> > but like all tools it's a double-edged sword and is easy to abuse.
> > saying "do not bother. you're fighting against privacy, find a better
> > way" is not solving the problem but obviously avoiding it in the
> > first place. again the original problem is of identifying a tor user.
> > a user choosing to use a known community supported utility
> > to keep their anonymity (or invalidates their ip). it was stated
> > that you could lex the cached-directory for a blacklist of ips.
>
> The problem, in the first place, is that people are hacking the
> websites of others. Saying, "let's block tor so that it will be
> slightly harder for some hackers to be quite so anonymous while
> eroding the privacy of thousands of legitimate users" is called
> **avoiding the problem**. When you do that instead of securing your
> servers, you're going to get hacked.


you're suggesting there's something wrong with securing your servers,
AND categorizing tor users? would doing both not be considered the same
thing?

if you have no choice but to use closed-source or vuln-ridden software
there is nothing you can do besides not use it. if you have a client that
requires some proprietary software then that satisfies the "no choice".
you can also restrict what a user can do to the machine, but if the
functionality of the application requires certain privileges and an attacker
earns those privileges, then they have the potential to act in the context
of the application.

let's say we're referring to a web application because that's what tor
is commonly associated with. a vuln is discovered where you can insert a
record of your choice; then said attacker has the ability to modify the flow of
the application. remember, you don't control the application, and the
application has a requirement of certain resources. how would you secure it
from being modified by itself? even if it's only just messing with records
that belong to it?
take note that this is without having access to the code itself.
offtopic, but it's a scenario where you can't quite secure the application
from itself.

so what is wrong with directing tor users? i prevent you from using
a tool to keep your privacy when there's no reason you need to be
visiting the host anonymously in the first place?
i'm suggesting that an anonymous user in my scenario would be considered
an illegitimate user. no reason a user should require their privacy to use a
service that i provide.

> > so redirecting them to a page saying that says "anonymous users
> > not allowed" or denying a user from running ssh over tor makes
> > sense to me because it's my equipment after all, and i'd want to know who's
> > using tor and who isn't.
>
> You could require that I give you my social security number and run a
> credit check on me to view your site, too. You could give me a page
> saying that I was not allowed to access the site if I didn't agree to
> that. But that is very far from saying that it would make sense for
> you to do so. It wouldn't. It is legal for you to act destructively to
> people at large wishing their privacy to be respected, and to your own
> users specifically, but that doesn't mean that it is rational or
> morally right for you to do so.


again, redirecting a tor user to a 403 requires you to sit and think up
a workaround. perhaps you aren't able to come up with one or you don't
want to take the time/effort. this means i've effectively deterred you from
using tor to get to the website. now if you care about the website more
than your privacy, you'd not use tor. if you cared about privacy more,
you'd not visit the site. you've been deterred from visiting the site
anonymously, which means it worked. how many people will spend more
time in order to visit the site?

> > suggesting that an admin shouldn't bother, hackers will work
> > around it is retarded. of course they'll work around it, but
> > essentially you're raising the bar so someone will have to make
> > more effort. you can't really secure everything against everybody
> > (and still keep your usability. the teeter-totter of security), but you
> > can make it enough of a pain in the ass to deter them from messing with
> > it.
>
> And that is why only leet hackers are able to download movies and
> music on the Internet. Because thousands of technical professionals
> have joined forces to raise the bar and ensure that only people who
> really know what they're doing can do that, and how could thousands of
> technical professionals fail to succeed against millions of noobs?
> Riiiight...



> If what you are saying were really true, that would only add to my
> argument about how you're handicapping legitimate users while doing
> nothing against hackers.


my statement is to consider a tor user illegitimate. again, no reason
someone should really need to keep their anonymity when visiting a
site that i host. someone with access to a proxy or a botnet of spybots
will then have the ability to visit their website and keep their "privacy".
but most who don't will just use tor.

how many botnet kids know more than just deploying a kit? how many
people who specialize in webappsec know more than tor? how many
people who specialize in vuln-dev know how to administer exchange?
i'm not suggesting they don't exist, i'm just saying they're a lot more
rare.

generally, when people are beginning their research they tend to
stick to their field. this means people who spent their time researching
webvulns on newb sites don't have access to a botnet. people who
specialize in operating system vuln-dev don't know anything about
web application security. people who specialize in botnets don't usually
know anything about vulndev.

do you blacklist open proxies on your mailserver?

> > essentially you're saying "use something besides tor to
> > keep your privacy for your abuse/dos."
>
> This is an incredibly weak argument. "You can hack me, and you can
> still remain anonymous, and you can still remain anonymous in much the
> same way, just as long as your vary your method slightly." It's also
> not even true. tor itself is likely to adapt to blocking methods. Then
> you have to have all the technical expertise necessary to...update to
> the next version.


again, making it require more work on the part of the client to keep
their anonymity on a service that i provide. and if tor adapts to blocking
methods where identifying them becomes impossible, wouldn't that be a good
thing? ;) software becoming better to overcome problems?

> It's funny how you mention using something else besides tor to remain
> anonymous while engaging in malicious activity, but don't bother to
> mention that blocking tor **blocks tor** and hurts legitimate users
> (who are less likely to know what they're doing and consequently will
> be hurt more).


> > i don't see anything wrong
> > with that besides the misinterpretation being "i hate privacy. i'm
> > fighting the war against privacy." which is not the case.
>
> Actually, you're right. That is a misinterpretation. I don't think
> anybody has said that, but it would be a misinterpretation if somebody
> did. Given that you started your email by talking about how you use
> tor to maintain your own privacy, and then talked about how it makes
> good sense for site admins to block tor, a more accurate
> interpretation would be, "I hate the privacy of others. I'm fighting
> the war against the privacy of others."


nobody has said that, but you speak as if that's the case.
i guess you've never heard of being the devil's advocate to
a privacy zealot. :-D

> -Eliah
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


.sargoniv
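The two mechanisms argued over in this thread, "lex the cached-directory for a blacklist of ips" and handing tor users a 403, as an added example that is not part of the original post or of Tor's own code. It assumes a simplified server-descriptor layout (a `router` line carrying the relay address, followed by `accept`/`reject` exit-policy lines evaluated first match wins) and uses constructed sample relays on documentation IP ranges, not real exits. The point a practitioner would want visible: only relays whose exit policy actually permits your site's address and port can be the source of traffic, so blocking every relay address in the directory also blocks middle and guard nodes that never exit anywhere.

```python
import ipaddress

# Constructed sample in the style of Tor server descriptors (simplified, an
# assumption: real descriptors carry many more lines and are signed).
SAMPLE_DESCRIPTORS = """\
router relayA 198.51.100.10 9001 0 9030
reject *:25
accept *:*
router-signature
router middleB 203.0.113.7 443 0 0
reject *:*
router-signature
router exitC 192.0.2.44 9001 0 0
reject 10.0.0.0/8:*
accept *:80
accept *:443
reject *:*
router-signature
"""


def parse_descriptors(text):
    """Return [(relay_ip, [(verb, pattern), ...]), ...] for each router block."""
    relays = []
    ip, policy = None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "router":
            if ip is not None:
                relays.append((ip, policy))
            ip, policy = parts[2], []
        elif parts[0] in ("accept", "reject") and len(parts) == 2:
            policy.append((parts[0], parts[1]))
    if ip is not None:
        relays.append((ip, policy))
    return relays


def _match(pattern, dest_ip, dest_port):
    """Does an exit-policy pattern like '*:*', '*:80', '10.0.0.0/8:*' or
    'a.b.c.d:80-443' cover dest_ip:dest_port?"""
    addr, _, port = pattern.rpartition(":")
    if addr != "*" and ipaddress.ip_address(dest_ip) not in ipaddress.ip_network(addr, strict=False):
        return False
    if port == "*":
        return True
    lo, _, hi = port.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    return lo <= dest_port <= hi


def policy_allows(policy, dest_ip, dest_port):
    """First matching rule wins. The constructed samples all end in a catch-all,
    so the default below (assumed: accept) is never reached here."""
    for verb, pattern in policy:
        if _match(pattern, dest_ip, dest_port):
            return verb == "accept"
    return True


def exit_blocklist(descriptor_text, site_ip, site_port):
    """Addresses of relays that could exit to site_ip:site_port. Relays whose
    policy rejects everything (middle/guard-only) are deliberately left off."""
    return {ip for ip, policy in parse_descriptors(descriptor_text)
            if policy_allows(policy, site_ip, site_port)}


def decide(client_ip, blocklist):
    """The '403 for anonymous users' page from the thread: 403 if the client
    address is a known exit for this service, 200 otherwise."""
    return 403 if client_ip in blocklist else 200


if __name__ == "__main__":
    site = "198.51.100.200"  # constructed address of the protected host
    for port in (80, 22, 25):
        bl = exit_blocklist(SAMPLE_DESCRIPTORS, site, port)
        print(port, sorted(bl))
    web = exit_blocklist(SAMPLE_DESCRIPTORS, site, 80)
    for client in ("192.0.2.44", "203.0.113.7", "198.51.100.99"):
        print(client, decide(client, web))
```

Two caveats the thread only gestures at: the list is only as current as the directory copy it was built from, and the middle relay 203.0.113.7 is correctly left alone even though it appears in the directory, because nothing can exit through it. For ssh the blocklist is different from the one for the web site, since exitC permits only ports 80 and 443.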