Date: Sat Jun 10 21:58:22 2006
From: degeneracypressure at gmail.com (Eliah Kagan)
Subject: Re: blocking tor is not the right way forward. It may just be the right way backward.

On 6/9/06, John Sprocket <sargoniv@...il.com> wrote:
> > The problem, in the first place, is that people are hacking the
> > websites of others. Saying, "let's block tor so that it will be
> > slightly harder for some hackers to be quite so anonymous while
> > eroding the privacy of thousands of legitimate users" is called
> > **avoiding the problem**. When you do that instead of securing your
> > servers, you're going to get hacked.
>
> you're suggesting there's something wrong with securing your servers,
> AND categorizing tor users? would doing both not be considered the same
> thing?

Categorizing tor users does not constitute securing your servers. No matter how insecure they are, blocking tor users does not secure them. If you have to use software with easily-exploitable, publicly-known vulnerabilities, blocking tor users does not secure them. If somebody wants to hack you, and they find out they can't use tor to remain anonymous, they will find another way of doing it. Sure, it's possible that not being able to use tor alone to do it will make them think it's not worth the effort, just like it's possible that not being able to use tor on your site will make somebody pissed off at you and try to hack you (and, in the insecure scenario you are describing, almost certainly succeed). I doubt either is a significant probability. I could be wrong about that--do you have actual numbers, collected in a reasonably unbiased study with a statistically significant sampling, or are you advocating impairing legitimate users on the basis of unsubstantiated conjecture?

The core of my argument is this: Privacy is valuable--to many individuals, and to society at large.
It is usually within the rights of a site administrator to block tor (this is not necessarily the case for public service websites and in other similar situations). But it is probably wrong to do so, because privacy is valuable. I probably don't have the *right* to access your site anonymously, in the sense that it would be morally justified and required to take action against you to force you to let me. But it is still valuable for people to be able to do so.

One person's children don't have the *right* to have all the other children vaccinated against deadly diseases, but when enough of the other children are not, that child is at risk (in some cases even if vaccinated, for diseases for which vaccination is imperfect or cannot be given before a certain age). Likewise, a single network administrator who decides only to accommodate users who choose not to exercise their privacy rights doesn't do a great deal of harm to society at large, but when it becomes common to require disclosure of personal information to access information and services, it becomes impossible to live and do business while maintaining one's privacy, and then privacy rights *are* materially violated. Thus, while it is within the rights of a network administrator to block tor, and continues to be within the rights of network administrators to block tor no matter how many network administrators are blocking tor, blocking tor still has the effect of degrading privacy rights, and for that reason is wrong.

> i'm suggesting that an anonymous user in my scenario would be considered
> an illegitimate user. no reason a user should require their privacy to use a
> service that i provide.

A network administrator thinking that the value of privacy doesn't apply to his/her users doesn't make it so.
If you're really talking about a site where privacy isn't important, such as a site only to be accessed by a select few people known to the administrator who are permitted to use it only to complete tasks on behalf of the administrator or company, then the site shouldn't even be publicly accessible anyway.

> again, redirecting a tor user to a 403 requires you to sit and think up of
> a workaround. perhaps you aren't able to come up with one or you don't
> want to take the time/effort. this means i've effectively deterred you from
> using tor to get to the website. now if you care about the website more
> than your privacy, you'd not use tor. if you cared about privacy more,
> you'd not visit the site. you've been deterred from visiting the site
> anonymously. which means it worked. how many people will spend more
> time in order to visit the site?

Yes, exactly, it works to deter legitimate users and to encourage people to choose not to exercise their privacy rights.

> my statement is to consider a tor user illegitimate. <snip>

Well, if you're going to start by assuming a stronger version of your own conclusion, then there's not much I can say to argue against you.

> do you blacklist open proxies on your mailserver?

On some mail servers and not others. If I want to receive mail from those not known to me, then I don't blacklist them. This is really not a very good question, though, because blacklisting open proxies on a mail server is not detrimental to privacy in the same way that blocking tor is. It is one thing to prevent someone from sending information to me with total anonymity--blocking that would be a boon to *my* privacy. It is another thing to provide a public resource and then degrade the public quality of the resource to pressure users to operate as I see fit. I think a better question is, do I blacklist open http proxies on my web server?
And the answer is no, because the whole point of having a web server that is accessible from anywhere is that it should be accessible to as many people as possible without forcing people to alter their configurations or do things in a way they would prefer not to. And then, in *addition* to that, my respect for personal privacy comes into the equation and reinforces my decision not to attempt to block anonymous browsing services and systems.

> again, making it requires more work on the part of the client to work to keep
> their anonymity a service that i provide. and if tor adapts to blocking methods
> where identifying them becomes impossible, wouldn't that be a good thing? ;)
> software becoming better to overcome problems?

No more than it is a good thing for me to set somebody's curtains on fire to show them that they were dangerously inflammable. It's a good thing for anonymizing technology to develop, because privacy is valuable. Hindering privacy is potentially good in that it might help anonymizing technology develop, but since the whole point of anonymizing technology is to combat hindrances to privacy, this sounds like a case of "killing off the village in order to save it."

> > a more accurate
> > interpretation would be, "I hate the privacy of others. I'm fighting
> > the war against the privacy of others."
>
> nobody has said that, but you speak as if that's the case.
> i guess you've never heard of being the devil's advocate to
> a privacy zealot. :-D

While I stand by the argumentative content conveyed there, I do agree that I hastily and unjustifiably put you in a negative light, for you didn't say that. For this I apologize, and I appreciate your friendly and forgiving response.

On 6/9/06, Rodrigo Barbosa wrote:
> But remember your rights stop when the rights of others start. So,
> if a given admin wants people who use Tor to be blocked from his
> particular site, it is his right. I might not agree with it, but
> I'll defend his right to do so.
> After all, it is his site. If he
> was to do that (and makes a clear statement that he is doing so),
> he will be losing users perhaps, but it is his call.

"Your rights stop when the rights of others start" is an exceedingly oversimplified and spoon-fed way to understand rights theory, and it's not even true. (If two people are trapped on an island and there is only enough food for one, does one of them suddenly cease to have the right to live, and, consequently, lose all other rights dependent on continued life? There are **rights conflicts**.) While you're correct that administrators have the right to try to block tor, doing so will, if it becomes popular, result in users' privacy rights being violated. And yes, the ability to live in society without everybody and his cousin having my personal information *is* a right, and if it is impossible for me to exercise it, then that right of mine is in a state of being violated.

On 6/9/06, Rodrigo Barbosa <rodrigob@...kover.org> wrote:
> What rights do you have over other people's networks and sites ?

None--a tor user does not have the *right* to unfettered access to otherwise blocked sites (though the tor user's right to privacy is eroded when a large enough number of sites block tor and other anonymization methods).

> What rights do you have to circumvent the decisions they made ?

Total--a network administrator has no right to make decisions about how users are to behave. Users are free to behave in any way that is legal and does not contradict any of his/her contractual obligations. And circumventing tor blocking is legal. And "terms of use" on sites are not contracts.

On 6/9/06, Jeffrey F. Bloss <jbloss@...pabay.rr.com> wrote:
> And you're trying to justify unrestricted access to those public places
> based on what amounts to a "discrimination" argument. A fallacious
> premise.
>
> Choosing to be anonymous isn't something you are, it's something you do.
> A conscious choice, not an unavoidable consequence of your state of
> being like race/color or sexual orientation. Consequently, it's a
> quality that has no moral or legal protection.

I agree that blocking tor users should not be illegal on the grounds that it discriminates unduly (nor on any other grounds). I agree that it does not constitute the same kind of discrimination as, say, not allowing transgendered users to use your site. However, I find your argument bankrupt. Suppose I convert to a religion. Then my being of that religion is a conscious choice. And yet, discriminating against me on the basis of my religion is still immoral and illegal, and rightly so. Whether or not a category has moral or legal protection does not and should not (respectively) have any bearing on whether or not that category is protected. Otherwise religion and possibly sexual orientation would not be protected categories, but (for instance) it would often be immoral and illegal to discriminate in hiring on the basis of whether or not someone is an insane, psychotic killer.

One of the reasons why the discrimination argument for my position doesn't work here is that the category in question is directly relevant to the matter of accessing the site. There are many other perfectly legal ways of accessing sites that could legitimately, under some circumstances, be restricted, like downloading the entire contents of a large site when that would greatly burden the entity owning the site due to bandwidth and/or transfer limitations.

No discrimination argument is necessary, though, to substantiate the claim that blocking tor is antithetical to social justice. The collective blocking of anonymization techniques, including tor, has the potential to make it impossible for a person to go about the business of living one's life while maintaining control over his/her personal information. Once that condition comes to be, people's civil rights are being violated.
Undue discrimination is not the only wrongful practice that threatens civil rights.

Furthermore, it is worth noting that while blocking tor doesn't constitute undue discrimination in and of itself, disempowering users in general inevitably results in concentrated disempowerment of users who are already discriminated against. People who are under attack by others are the ones who effectively need to protect their privacy the most, and people who are least discriminated against tend to have the greatest access to resources with which to continue to protect their privacy in the face of efforts to prevent them from doing so. When you do something that is fundamentally hurtful to others and damaging to society--whether or not it is your right to do it--it is no surprise that you end up hurting those who are already hurting the most.

-Eliah