Open Source and information security mailing list archives
 
Date: Fri Jun  9 06:23:47 2006
From: joeljose420 at gmail.com (Joel Jose)
Subject: Re: blocking tor is not the right way forward.
	It may just be the right way backward.

bingo,
 right on target.. see, tor is tor not without any reason. it's the reason
that must go first; tor will follow later ;)

joel.


On 6/8/06, Eliah Kagan <degeneracypressure@...il.com> wrote:
>
> On 6/8/06, John Sprocket wrote:
> > but like all tools it's a double-edged sword and is easy to abuse.
> > saying "do not bother. you're fighting against privacy, find a better
> > way" is not solving the problem but obviously avoiding it in the
> > first place. again the original problem is of identifying a tor user.
> > a user choosing to use a known community supported utility
> > to keep their anonymity (or invalidates their ip). it was stated
> > that you could lex the cached-directory for a blacklist of ips.
>
> The problem, in the first place, is that people are hacking the
> websites of others. Saying, "let's block tor so that it will be
> slightly harder for some hackers to be quite so anonymous while
> eroding the privacy of thousands of legitimate users" is called
> **avoiding the problem**. When you do that instead of securing your
> servers, you're going to get hacked.
>
> > so redirecting them to a page that says "anonymous users
> > not allowed" or denying a user from running ssh over tor makes
> > sense to me because it's my equipment after all, and i'd want to know
> > who's using tor and who isn't.
>
> You could require that I give you my social security number and run a
> credit check on me to view your site, too. You could give me a page
> saying that I was not allowed to access the site if I didn't agree to
> that. But that is very far from saying that it would make sense for
> you to do so. It wouldn't. It is legal for you to act destructively to
> people at large wishing their privacy to be respected, and to your own
> users specifically, but that doesn't mean that it is rational or
> morally right for you to do so.
>
> > suggesting that an admin shouldn't bother, hackers will work
> > around it is retarded. of course they'll work around it, but
> > essentially you're raising the bar so someone will have to make
> > more effort. you can't really secure everything against everybody
> > (and still keep your usability. the teeter-totter of security), but you
> > can make it enough of a pain in the ass to deter them from messing with
> > it.
>
> And that is why only leet hackers are able to download movies and
> music on the Internet. Because thousands of technical professionals
> have joined forces to raise the bar and ensure that only people who
> really know what they're doing can do that, and how could thousands of
> technical professionals fail to succeed against millions of noobs?
> Riiiight...
>
> If what you are saying were really true, that would only add to my
> argument about how you're handicapping legitimate users while doing
> nothing against hackers.
>
> > essentially you're saying "use something besides tor to
> > keep your privacy for your abuse/dos."
>
> This is an incredibly weak argument. "You can hack me, and you can
> still remain anonymous, and you can still remain anonymous in much the
> same way, just as long as you vary your method slightly." It's also
> not even true. tor itself is likely to adapt to blocking methods. Then
> you have to have all the technical expertise necessary to...update to
> the next version.
>
> It's funny how you mention using something else besides tor to remain
> anonymous while engaging in malicious activity, but don't bother to
> mention that blocking tor **blocks tor** and hurts legitimate users
> (who are less likely to know what they're doing and consequently will
> be hurt more).
>
> > i don't see anything wrong
> > with that besides the misinterpretation being "i hate privacy. i'm
> > fighting the war against privacy." which is not the case.
>
> Actually, you're right. That is a misinterpretation. I don't think
> anybody has said that, but it would be a misinterpretation if somebody
> did. Given that you started your email by talking about how you use
> tor to maintain your own privacy, and then talked about how it makes
> good sense for site admins to block tor, a more accurate
> interpretation would be, "I hate the privacy of others. I'm fighting
> the war against the privacy of others."
>
> -Eliah
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
As soon as men decide that all means are permitted to fight an
evil, then their good becomes indistinguishable from the evil
that they set out to destroy.
                      - Christopher Dawson, The Judgment of Nations