Open Source and information security mailing list archives
Message-ID: <1ca1c1410606051038q46c31455r6401812473c8cb02@mail.gmail.com>
Date: Mon Jun  5 18:38:34 2006
From: synfinatic at gmail.com (Aaron Turner)
Subject: Tool Release - Tor Blocker

Inline...

On 6/2/06, Jason Areff <hailtheczar@...il.com> wrote:
> It has come to our attention that the majority of tor users are not actually
> from china but are rather malicious hackers that (ab)use it to keep their
> anonymity.

Really?  I'm curious where you got those statistics.  Are you saying
that you broke the anonymity of tor and were able to track down users
to their actual location?  Or are you just making assumptions based on
your limited experience and a few unverified emails?

[snip]

> Otherwise this puts the administrator in responsibility for
> any malicious actions caused by said user. Forensics is left with a tor exit
> node.

As others have mentioned, wouldn't it just be a lot easier to secure
your server in the first place rather than worrying about who to
prosecute after the fact?  What are you going to do when you figure
out the guy who hacked your box is a 13 yr old kid in Russia or China?
 In my experience, you're really missing the boat when it comes to
securing your systems.

[snip]

>  To mitigate most tor attackers we've written an apache module designed to
> give tor users a 403 error when visiting a specific website.  We suggest all
> administrators who do not wish a malicious tor user to visit and possibly
> deface their website to enable the usage of this module.

Your module doesn't actually make a determination between "malicious"
and "legitimate" users of tor.  From where I come from, we call this
"throwing the baby out with the bath water".

> This may not get
> all attackers, but hopefully it raises the security bar just a little bit
> more to safeguard ourselves from hackers.

As others have mentioned your code has a variety of flaws.  Assuming
you fix the others, I would also recommend you only list actual Tor
exit nodes rather than all nodes (which include 'middle-man nodes'
which don't allow people to connect to external services).  Middle-man
nodes pose no risk to you or your servers.

>  Jason Areff
>  CISSP, A+, MCSE, Security+
>
>
>  ----------
>  security through obscurity isn't security
>  ----------

Heh.  I find your .sig rather ironic.

-- 
Aaron Turner
http://synfin.net/
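
Added example, not part of the original message or of the module under discussion: one way to apply the exit-node-only recommendation above is to filter the relay list by exit policy for the port your site listens on. It assumes relay data in the r/s/p line layout of a present-day Tor network-status consensus; the sample relays, addresses and function names are constructed for illustration.

```python
# Constructed sample in the r/s/p line layout of a Tor network-status
# consensus (assumed input format; names, keys and addresses are made up).
SAMPLE = """\
r relayA AAAA BBBB 2006-06-05 18:00:00 192.0.2.10 9001 0
s Fast Running Valid
p reject 1-65535
r relayB CCCC DDDD 2006-06-05 18:00:00 198.51.100.7 443 80
s Exit Fast Running Valid
p accept 80,443,6660-6667
r relayC EEEE FFFF 2006-06-05 18:00:00 203.0.113.5 9001 9030
s Exit Running Valid
p reject 25,80,119
r relayD GGGG HHHH 2006-06-05 18:00:00 203.0.113.9 9001 0
s Running Valid
p accept 22,6667
"""


def port_allowed(policy, port):
    """Evaluate a 'p' summary such as 'accept 80,443' or 'reject 1-65535'."""
    action, _, portlist = policy.strip().partition(" ")
    listed = False
    for item in portlist.split(","):
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            listed = True
            break
    return listed if action == "accept" else not listed


def relay_addresses(consensus, port=None):
    """IPs of all relays, or only those that may exit to `port` if given."""
    found, ip = set(), None
    for line in consensus.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "r":
            ip = rest.split()[5]  # nickname id digest date time IP ORPort DirPort
            if port is None:
                found.add(ip)
        elif kind == "p" and port is not None and port_allowed(rest, port):
            found.add(ip)
    return sorted(found)


if __name__ == "__main__":
    print("all relays:   ", relay_addresses(SAMPLE))
    print("exits to :80: ", relay_addresses(SAMPLE, 80))
```

A relay can send exit traffic from an address other than the one on its r line, so treat the filtered list as a lower bound.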
