Open Source and information security mailing list archives
 
Date: Sat Jun 10 21:58:22 2006
From: degeneracypressure at gmail.com (Eliah Kagan)
Subject: Re: blocking tor is not the right way forward.
	It may just be the right way backward.

On 6/9/06, John Sprocket <sargoniv@...il.com> wrote:
> > The problem, in the first place, is that people are hacking the
> > websites of others. Saying, "let's block tor so that it will be
> > slightly harder for some hackers to be quite so anonymous while
> > eroding the privacy of thousands of legitimate users" is called
> > **avoiding the problem**. When you do that instead of securing your
> > servers, you're going to get hacked.
>
> you're suggesting there's something wrong with securing your servers,
> AND categorizing tor users? would doing both not be considered the same
> thing?

Categorizing tor users does not constitute securing your servers. No
matter how insecure they are, blocking tor users does not secure them.
If you have to use software with easily-exploitable, publicly-known
vulnerabilities, blocking tor users does not secure them. If somebody
wants to hack you, and they find out they can't use tor to remain
anonymous, they will find another way of doing it. Sure, it's possible
that not being able to use tor alone to do it will make them think
it's not worth the effort, just like it's possible that not being able
to use tor on your site will make somebody pissed off at you and try
to hack you (and, in the insecure scenario you are describing, almost
certainly succeed). I doubt either is a significant probability. I
could be wrong about that--do you have actual numbers, collected in a
reasonably unbiased study with a statistically significant sampling,
or are you advocating impairing legitimate users on the basis of
unsubstantiated conjecture?

The core of my argument is this: Privacy is valuable--to many
individuals, and to society at large. It is usually within the rights
of a site administrator to block tor (this is not necessarily the case
for public service websites and in other similar situations). But it
is probably wrong to do so, because privacy is valuable. I probably
don't have the *right* to access your site anonymously, in the sense
that it would be morally justified and required to take action against
you to force you to let me. But it is still valuable for people to be
able to do so.

One person's children don't have the *right* to have all the other
children vaccinated against deadly diseases, but when enough of the
other children are not, that child is at risk (in some cases even if
vaccinated, for diseases for which vaccination is imperfect or cannot
be given before a certain age). Likewise, a single network
administrator who decides only to accommodate users who choose not to
exercise their privacy rights doesn't do a great deal of harm to
society at large, but when it becomes common to require disclosure of
personal information to access information and services, it becomes
impossible to live and do business while maintaining one's privacy,
and then privacy rights *are* materially violated. Thus, while it is
within the rights of a network administrator to block tor, and
continues to be within the rights of network administrators to block
tor no matter how many network administrators are blocking tor,
blocking tor still has the effect of degrading privacy rights, and for
that reason is wrong.

> i'm suggesting that an anonymous user in my scenario would be considered
> an illegitimate user. no reason a user should require their privacy to use a
> service that i provide.

A network administrator thinking that the value of privacy doesn't
apply to his/her users doesn't make it so. If you're really talking
about a site where privacy isn't important, such as a site only to be
accessed by a select few people known to the administrator who are
permitted to use it only to complete tasks on behalf of the
administrator or company, then the site shouldn't even be publicly
accessible anyway.

> again, redirecting a tor user to a 403 requires you to sit and think up
> a workaround. perhaps you aren't able to come up with one or you don't
> want to take the time/effort. this means i've effectively deterred you from
> using tor to get to the website. now if you care about the website more
> than your privacy, you'd not use tor. if you cared about privacy more,
> you'd not visit the site. you've been deterred from visiting the site
> anonymously. which means it worked. how many people will spend more
> time in order to visit the site?

Yes, exactly, it works to deter legitimate users and to encourage
people to choose not to exercise their privacy rights.

> my statement is to consider a tor user illegitimate. <snip>

Well, if you're going to start by assuming a stronger version of your
own conclusion, then there's not much I can say to argue against you.

> do you blacklist open proxies on your mailserver?

On some mail servers and not others. If I want to receive mail from
those not known to me, then I don't blacklist them. This is really not
a very good question, though, because blacklisting open proxies on a
mail server is not detrimental to privacy in the same way that
blocking tor is. It is one thing to prevent someone from sending
information to me with total anonymity--blocking that would be a boon
to *my* privacy. It is another thing to provide a public resource and
then degrade the public quality of the resource to pressure users to
operate as I see fit.

I think a better question is, do I blacklist open http proxies on my
web server? And the answer is no, because the whole point of having a
web server that is accessible from anywhere is that it should be
accessible to as many people as possible without forcing people to
alter their configurations or do things in a way they would prefer not
to. And then, in *addition* to that, my respect for personal privacy
comes into the equation and reinforces my decision not to attempt to
block anonymous browsing services and systems.

> again, making it requires more work on the part of the client to work to
> keep their anonymity a service that i provide. and if tor adapts to blocking
> methods where identifying them becomes impossible, wouldn't that be a good
> thing? ;) software becoming better to overcome problems?

No more than it is a good thing for me to set somebody's curtains on
fire to show them that they were dangerously inflammable. It's a good
thing for anonymizing technology to develop, because privacy is
valuable. Hindering privacy is potentially good in that it might help
anonymizing technology develop, but since the whole point of
anonymizing technology is to combat hindrances to privacy, this sounds
like a case of "killing off the village in order to save it."

> > a more accurate
> > interpretation would be, "I hate the privacy of others. I'm fighting
> > the war against the privacy of others."
>
> nobody has said that, but you speak as if that's the case.
> i guess you've never heard of being the devil's advocate to
> a privacy zealot. :-D

While I stand by the argumentative content conveyed there, I do agree
that I hastily and unjustifiably put you in a negative light, for you
didn't say that. For this I apologize, and I appreciate your friendly
and forgiving response.

On 6/9/06, Rodrigo Barbosa wrote:
> But remember your rights stop when the rights of others start. So,
> if a given admin wants people who use Tor to be blocked from his
> particular site, it is his right. I might not agree with it, but
> I'll defend his right to do so. After all, it is his site. If he
> was to do that (and makes a clear statement that he is doing so),
> he will be losing users perhaps, but it is his call.

"Your rights stop when the rights of others start" is an exceedingly
oversimplified and spoon-fed way to understand rights theory, and it's
not even true. (If two people are trapped on an island and there is
only enough food for one, does one of them suddenly cease to have the
right to live, and, consequently, lose all other rights dependent on
continued life? There are **rights conflicts**.) While you're correct
that administrators have the right to try to block tor, doing so will,
if it becomes popular, result in users' privacy rights being violated.
And yes, the ability to live in society without everybody and his
cousin having my personal information *is* a right, and if it is
impossible for me to exercise it, then that right of mine is in a
state of being violated.

On 6/9/06, Rodrigo Barbosa <rodrigob@...kover.org> wrote:
> What rights do you have over other people's networks and sites ?

None--a tor user does not have the *right* to unfettered access to
otherwise blocked sites (though the tor user's right to privacy is
eroded when a large enough number of sites block tor and other
anonymization methods).

> What rights do you have to circumvent the decisions they made ?

Total--a network administrator has no right to make decisions about
how users are to behave. Users are free to behave in any way that is
legal and does not contradict any of his/her contractual obligations.
And circumventing tor blocking is legal. And "terms of use" on sites
are not contracts.

On 6/9/06, Jeffrey F. Bloss <jbloss@...pabay.rr.com> wrote:
> And you're trying to justify unrestricted access to those public places
> based on what amounts to a "discrimination" argument. A fallacious
> premise.
>
> Choosing to be anonymous isn't something you are, it's something you do.
> A conscious choice, not an unavoidable consequence of your state of
> being like race/color or sexual orientation. Consequently, it's a
> quality that has no moral or legal protection.

I agree that blocking tor users should not be illegal on the grounds
that it discriminates unduly (nor on any other grounds). I agree that
it does not constitute the same kind of discrimination as, say, not
allowing transgendered users to use your site. However, I find your
argument bankrupt. Suppose I convert to a religion. Then my being of
that religion is a conscious choice. And yet, discriminating against
me on the basis of my religion is still immoral and illegal, and
rightly so. Whether or not a category has moral or legal protection
does not and should not (respectively) have any bearing on whether or
not that category is protected. Otherwise religion and possibly sexual
orientation would not be protected categories, but (for instance) it
would often be immoral and illegal to discriminate in hiring on the
basis of whether or not someone is an insane, psychotic killer.

One of the reasons why the discrimination argument for my position
doesn't work here is that the category in question is directly
relevant to the matter of accessing the site. There are many other
perfectly legal ways of accessing sites that could legitimately, under
some circumstances, be restricted, like downloading the entire
contents of a large site when that would greatly burden the entity
owning the site due to bandwidth and/or transfer limitations.

No discrimination argument is necessary, though, to substantiate the
claim that blocking tor is antithetical to social justice. The
collective blocking of anonymization techniques, including tor, has
the potential to make it impossible for a person to go about the
business of living one's life while maintaining control over his/her
personal information. Once that condition comes to be, people's civil
rights are being violated. Undue discrimination is not the only
wrongful practice that threatens civil rights.

Furthermore, it is worth noting that while blocking tor doesn't
constitute undue discrimination in and of itself, disempowering users
in general inevitably results in concentrated disempowerment of users
who are already discriminated against. People who are under attack by
others are the ones who effectively need to protect their privacy the
most, and people who are least discriminated against tend to have the
greatest access to resources with which to continue to protect their
privacy in the face of efforts to prevent them from doing so. When you
do something that is fundamentally hurtful to others and damaging to
society--whether or not it is your right to do it--it is no surprise
that you end up hurting those who are already hurting the most.

-Eliah
