Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On 6/10/06, Rodrigo Barbosa wrote:
> You are confusing matters. No one is proposing to outlaw Tor. Or even to track users back. If someone wants to force Tor users to identify themselves before using a site, I'll be against it. But anyone is free to stop Tor users from using their networks/servers.

I never said anyone is proposing to outlaw tor, and I do not believe that I am confusing anything. And I never said that anyone is not free to *attempt* to stop tor users from using their networks and servers. But once the action of stopping the users pertains to user behavior rather than site admin behavior, the freedom of choice as to how to act pertains to the users rather than the site admins. It is worth mentioning that I think that attempting to track tor users back should remain (as it is) perfectly legal, although it would likely be morally wrong to do so unless the user who is being tracked back has committed a crime (or agreed to the tracking, for instance as part of a development effort for technologies to track tor users).

> No. You can remain as anonymous as you want. You just can't use those sites.

If I have the right to do something, but if I do it I am unable to survive and participate in society, then that right of mine is not being respected. When efforts to prevent people from enjoying privacy are isolated and uncommon, they are an insidious nuisance and an insult. When they are common and widespread, they result in true violation of people's privacy rights and harm society as a whole.

> Let's consider a completely unrelated and different situation to illustrate it. I too defend the right to buy stuff at a supermarket without providing any means of identification. On the other hand, I don't defend the right to buy absolutely anything (weapons etc) without providing identification.

I understand that you do not wish to post in this thread any longer, but would anybody reading this care to explain how this completely unrelated and different situation (which I agree it is) has anything whatsoever to do with what we are talking about, and how it demonstrates something flawed or missing in my arguments? (By the way, to clarify my position: I don't think that people should necessarily have the right to buy things at a supermarket without providing identification, although if it were common for supermarkets to require ID for all purchases, then the result would be that people's privacy rights would be materially violated. And, like blocking tor, I think that requiring supermarket patrons to show ID constitutes an insidious nuisance. Furthermore, since driver licenses, learner permits, passports, military ID cards, permits-to-carry, police identification, and the like are provided by governments, it *might* be reasonable to legally restrict both governmental and non-governmental use of state and federal ID for the benefit of individual privacy.)

> You are, again, wrong. Unless you start paying to use my site, I have every right to tell you what and how you can access it, as long as my terms are legal. If I say you can only access my web server using Lynx, that is all the right you have.

That is simply false. So long as I am not hacking your site or otherwise violating the law, I may access it in whatever manner I wish. That only *changes* when I am paying you, in which case there is a contractual relationship which may govern how I may use your site beyond the (minimal) restrictions against hacking provided by the law, or under other circumstances in which we have a valid, legally-binding contract. Then, when our contractual relationship ends, I may resume accessing your site in whatever legal manner I wish, unless I signed to terms restricting how I may access it which explicitly survived termination or lapse of the contract.

What you are asserting, by the way, is patently ridiculous. If I go to a website that says, "You are required to eat five pounds of cake and bow down to the Mona Lisa before surfing the public pages on this site," it would be absurd to think that I could actually be prosecuted for eating four pounds of cake and merely nodding my head to the Mona Lisa. In addition to all this, I would like to point out that it borders on the hilarious for site admins to put up "terms of service" to which you effectively must agree before reading them, or at least before going back and reading them again.

> The basic point where your whole argument is flawed is that you consider you have any right to do anything regarding a publicly available resource. Let's consider a software license, like the GPL. It is also not a contract, the same way a "terms of use" on a site isn't. Do you think you have the right to violate the GPL just because it is not a contract you have signed?

First of all, in the laws of all countries that recognize license agreements as legally binding, they are considered contracts. This is clear if you actually read the text of license agreements before agreeing to them.
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On Sat, Jun 10, 2006 at 12:58:13PM -0800, Eliah Kagan wrote:
> On 6/9/06, Rodrigo Barbosa wrote:
> While you're correct that administrators have the right to try to block tor, doing so will, if it becomes popular, result in users' privacy rights being violated. And yes, the ability to live in society without everybody and his cousin having my personal information *is* a right, and if it is impossible for me to exercise it, then that right of mine is in a state of being violated.

You are confusing matters. No one is proposing to outlaw Tor. Or even to track users back. If someone wants to force Tor users to identify themselves before using a site, I'll be against it. But anyone is free to stop Tor users from using their networks/servers. Those are two (three?) totally different issues.

> On 6/9/06, Rodrigo Barbosa <[EMAIL PROTECTED]> wrote:
> > What rights do you have over other people's networks and sites ?
> None--a tor user does not have the *right* to unfettered access to otherwise blocked sites (though the tor user's right to privacy is eroded when a large enough number of sites block tor and other anonymization methods).

No. You can remain as anonymous as you want. You just can't use those sites.

Let's consider a completely unrelated and different situation to illustrate it. I too defend the right to buy stuff at a supermarket without providing any means of identification. On the other hand, I don't defend the right to buy absolutely anything (weapons etc) without providing identification.

> > What rights do you have to circumvent the decisions they made ?
> Total--a network administrator has no right to make decisions about how users are to behave. Users are free to behave in any way that is legal and does not contradict any of his/her contractual obligations. And circumventing tor blocking is legal. And "terms of use" on sites are not contracts.

You are, again, wrong.

Unless you start paying to use my site, I have every right to tell you what and how you can access it, as long as my terms are legal. If I say you can only access my web server using Lynx, that is all the right you have.

The basic point where your whole argument is flawed is that you consider you have any right to do anything regarding a publicly available resource. Let's consider a software license, like the GPL. It is also not a contract, the same way a "terms of use" on a site isn't. Do you think you have the right to violate the GPL just because it is not a contract you have signed?

If you want others to respect your right to anonymity, then you better start respecting the right of others to run their sites (and not YOUR site) as they see fit.

This is, by the way, my last post on this subject. I'm really sick of this. If there is one thing I hate, it is fanatics.

--
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
I wrote:
> Whether or not a category has moral or legal protection does not and should not (respectively) have any bearing on whether or not that category is protected.

This is an obvious error; what I meant to say was, "Whether or not a category refers to an intrinsic quality does not and should not (respectively) have any bearing on whether or not that category is protected."

-Eliah
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On 6/9/06, John Sprocket <[EMAIL PROTECTED]> wrote:
> > The problem, in the first place, is that people are hacking the websites of others. Saying, "let's block tor so that it will be slightly harder for some hackers to be quite so anonymous while eroding the privacy of thousands of legitimate users" is called **avoiding the problem**. When you do that instead of securing your servers, you're going to get hacked.
>
> you're suggesting there's something wrong with securing your servers, AND categorizing tor users? would doing both not be considered the same thing?

Categorizing tor users does not constitute securing your servers. No matter how insecure they are, blocking tor users does not secure them. If you have to use software with easily-exploitable, publicly-known vulnerabilities, blocking tor users does not secure them. If somebody wants to hack you, and they find out they can't use tor to remain anonymous, they will find another way of doing it. Sure, it's possible that not being able to use tor alone to do it will make them think it's not worth the effort, just like it's possible that not being able to use tor on your site will make somebody pissed off at you and try to hack you (and, in the insecure scenario you are describing, almost certainly succeed). I doubt either is a significant probability. I could be wrong about that--do you have actual numbers, collected in a reasonably unbiased study with a statistically significant sampling, or are you advocating impairing legitimate users on the basis of unsubstantiated conjecture?

The core of my argument is this: Privacy is valuable--to many individuals, and to society at large. It is usually within the rights of a site administrator to block tor (this is not necessarily the case for public service websites and in other similar situations). But it is probably wrong to do so, because privacy is valuable.

I probably don't have the *right* to access your site anonymously, in the sense that it would be morally justified and required to take action against you to force you to let me. But it is still valuable for people to be able to do so. One person's children don't have the *right* to have all the other children vaccinated against deadly diseases, but when enough of the other children are not, that child is at risk (in some cases even if vaccinated, for diseases for which vaccination is imperfect or cannot be given before a certain age). Likewise, a single network administrator who decides only to accommodate users who choose not to exercise their privacy rights doesn't do a great deal of harm to society at large, but when it becomes common to require disclosure of personal information to access information and services, it becomes impossible to live and do business while maintaining one's privacy, and then privacy rights *are* materially violated. Thus, while it is within the rights of a network administrator to block tor, and continues to be within the rights of network administrators to block tor no matter how many network administrators are blocking tor, blocking tor still has the effect of degrading privacy rights, and for that reason is wrong.

> i'm suggesting that an anonymous user in my scenario would be considered an illegitimate user. no reason a user should require their privacy to use a service that i provide.

A network administrator thinking that the value of privacy doesn't apply to his/her users doesn't make it so. If you're really talking about a site where privacy isn't important, such as a site only to be accessed by a select few people known to the administrator who are permitted to use it only to complete tasks on behalf of the administrator or company, then the site shouldn't even be publicly accessible anyway.

> again, redirecting a tor user to a 403 requires you to sit and think up a workaround. perhaps you aren't able to come up with one or you don't want to take the time/effort. this means i've effectively deterred you from using tor to get to the website. now if you care about the website more than your privacy, you'd not use tor. if you cared about privacy more, you'd not visit the site. you've been deterred from visiting the site anonymously. which means it worked. how many people will spend more time in order to visit the site?

Yes, exactly, it works to deter legitimate users and to encourage people to choose not to exercise their privacy rights.

> my statement is to consider a tor user illegitimate.

Well, if you're going to start by assuming a stronger version of your own conclusion, then there's not much I can say to argue against you.

> do you blacklist open proxies on your mailserver?

On some mail servers and not others. If I want to receive mail from those not known to me, then I don't blacklist them. This is really not a very good question, though, because blacklisting open proxies on a mail server is not detrimental to privacy in the same way that blocking tor is. It is one thing to prevent someo
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On 6/9/06, Rodrigo Barbosa <[EMAIL PROTECTED]> wrote:
> Just because a park is a public place doesn't give me the right to, let's say, drive a car over the grass. Even in public places there are rules that should be followed.

Yea, but if you steal a car or take off your license plate and drive over the grass, no matter how many witnesses saw you do it, you're probably going to get away with it.

But on the matter of TOR. If people want to block it just for protection against anonymous attacks, well then that's a waste of time.

Duck
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
Michael Holstein <[EMAIL PROTECTED]> wrote:

First, I'm a long time supporter of Tor and a staunch advocate of anonymity and privacy. I also believe your interpretation of the Internet is a bit... distorted. :)

> We're not talking about authenticated websites here (perhaps I should have made that more clear), nor are we talking about using TOR, etc. for malicious purposes.
>
> For the purpose of this (largely theoretical) argument, I meant "publicly accessible, non-authenticated websites".

And you're trying to justify unrestricted access to those public places based on what amounts to a "discrimination" argument. A fallacious premise. Choosing to be anonymous isn't something you are, it's something you do. A conscious choice, not an unavoidable consequence of your state of being like race/color or sexual orientation. Consequently, it's a quality that has no moral or legal protection.

Operators of public places certainly *do* have the right to regulate access based on the conscious choices of their prospective patrons. A restaurant, for example, can restrict access with an arbitrary dress code along the lines of "suit and tie". They can even enforce that policy according to time of day if they wish. Operating a "public access" entity doesn't mean you abdicate all your rights to limit access, it only means you're obligated to not limit access based on certain criteria. You still have every right to set non-discriminatory standards, and enforce them as you see fit as long as the practice doesn't breach the rights of your patrons.

Now what, beside a clothing choice, is Tor? :)

--
Hand Crafted on Fri. Jun 09, 2006 at 13:27
Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read. -- Groucho Marx
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On 6/9/06, Cardoso <[EMAIL PROTECTED]> wrote:
> Most websites rely on cookies, sessions and javascript. If a user can't live with that, I'm very sorry but there's nothing I can do.

Actually, no, most websites don't. I use a deny by default cookie policy, and NoScript, and nearly every single website I visit works. I need to enable session cookies when I'm buying something online, but it is rare that I ever need to enable JavaScript for a site.

> Same about corporate networks where people way high on the food chain demand full access, no firewall control or even transparent filtering.

If you have that kind of problem where you work, you need to work on more education and security awareness. Where I am, we force all outbound traffic through a proxy, and everyone including the oh so precious C level goes through it.

Mike
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
Most websites rely on cookies, sessions and javascript. If a user can't live with that, I'm very sorry but there's nothing I can do.

Same about corporate networks where people way high on the food chain demand full access, no firewall control or even transparent filtering.

On Fri, 9 Jun 2006 13:56:32 -0300 Rodrigo Barbosa <[EMAIL PROTECTED]> wrote:
RB> On Fri, Jun 09, 2006 at 12:33:39PM -0400, Michael Holstein wrote:
RB> > >Your interpretation of the Internet is a bit distorted.
RB> >
RB> > We're not talking about authenticated websites here (perhaps I should have made that more clear), nor are we talking about using TOR, etc. for malicious purposes.
RB> >
RB> > For the purpose of this (largely theoretical) argument, I meant "publicly accessible, non-authenticated websites".
RB>
RB> Just because a park is a public place doesn't give me the right to, let's say, drive a car over the grass.
RB>
RB> Even in public places there are rules that should be followed.

Allgemeinen Anschulterlaubnis
Cardoso <[EMAIL PROTECTED]> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com
personal site and blog: http://www.carloscardoso.com
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On Fri, Jun 09, 2006 at 12:33:39PM -0400, Michael Holstein wrote:
> >Your interpretation of the Internet is a bit distorted.
>
> We're not talking about authenticated websites here (perhaps I should have made that more clear), nor are we talking about using TOR, etc. for malicious purposes.
>
> For the purpose of this (largely theoretical) argument, I meant "publicly accessible, non-authenticated websites".

Just because a park is a public place doesn't give me the right to, let's say, drive a car over the grass.

Even in public places there are rules that should be followed.

--
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
Understood. :-)

On 6/9/06, Michael Holstein <[EMAIL PROTECTED]> wrote:
> > Your interpretation of the Internet is a bit distorted.
>
> We're not talking about authenticated websites here (perhaps I should have made that more clear), nor are we talking about using TOR, etc. for malicious purposes.
>
> For the purpose of this (largely theoretical) argument, I meant "publicly accessible, non-authenticated websites".

-- ME2
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
> Your interpretation of the Internet is a bit distorted.

We're not talking about authenticated websites here (perhaps I should have made that more clear), nor are we talking about using TOR, etc. for malicious purposes.

For the purpose of this (largely theoretical) argument, I meant "publicly accessible, non-authenticated websites".
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
Your interpretation of the Internet is a bit distorted.

On 6/9/06, Michael Holstein <[EMAIL PROTECTED]> wrote:
> If you want to make your website private, don't put it on the Internet.

-- ME2
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
> But remember your rights stop when the rights of others start. So, if a given admin wants people who use Tor to be blocked from his particular site, it is his right. I might not agree with it, but I'll defend his right to do so. After all, it is his site. If he was to do that (and makes a clear statement that he is doing so), he will be losing users perhaps, but it is his call.

As long as I'm not breaking into anything, there's nothing wrong/illegal with using anonymity tools to access a public website. If you put something on the public internet for all to see, you can't complain about people trying to avoid your attempts to surveil them.

> What rights do you have over other people's networks and sites ? What rights do you have to circumvent the decisions they made ? If you don't like the way they are doing things, go somewhere else. No one is forcing you to stop using Tor or being anonymous.

Public Internet is just that .. Public. If I can't access said site with method #1, I can use method #2. If site says "you're using TOR, go away", I can use $random_proxy in $random_country and accomplish the same thing.

If you want to make your website private, don't put it on the Internet.

/mike.
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On Fri, Jun 09, 2006 at 11:47:59AM -0400, Michael Holstein wrote:
> > again, redirecting a tor user to a 403 requires you to sit and think up a workaround. perhaps you aren't able to come up with one or you don't want to take the time/effort. this means i've effectively deterred you from using tor to get to the website. now if you care about the website more than your privacy, you'd not use tor. if you cared about privacy more, you'd not visit the site. you've been deterred from visiting the site anonymously. which means it worked. how many people will spend more time in order to visit the site?
>
> As an avid supporter of TOR (and previous operator of a multi-megabit exit node), I do this all the time.
>
> I'm going to be anonymous dammit, and I don't care what the other side thinks. The harder you try to keep us out, the harder we work to get around it. This is a technical battle you'll never win, because there are more idealists that believe in privacy than there are un-clued admins (and LEO) that think otherwise.

I'm sorry Michael, but you are a fanatic, in the worst possible meaning of the word.

I too am a defender of privacy. I use lots of privacy plugins on my browser, encrypt e-mails with GPG, and sometimes even use Tor when going to some sites from companies with questionable reputation. I too would fight like mad if the government (any) decided to ban Tor or any other privacy tool. There is nothing wrong with that.

But remember your rights stop when the rights of others start. So, if a given admin wants people who use Tor to be blocked from his particular site, it is his right. I might not agree with it, but I'll defend his right to do so. After all, it is his site. If he was to do that (and makes a clear statement that he is doing so), he will be losing users perhaps, but it is his call.

What rights do you have over other people's networks and sites ?
What rights do you have to circumvent the decisions they made ?

If you don't like the way they are doing things, go somewhere else. No one is forcing you to stop using Tor or being anonymous.

--
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
> again, redirecting a tor user to a 403 requires you to sit and think up a workaround. perhaps you aren't able to come up with one or you don't want to take the time/effort. this means i've effectively deterred you from using tor to get to the website. now if you care about the website more than your privacy, you'd not use tor. if you cared about privacy more, you'd not visit the site. you've been deterred from visiting the site anonymously. which means it worked. how many people will spend more time in order to visit the site?

As an avid supporter of TOR (and previous operator of a multi-megabit exit node), I do this all the time.

I'm going to be anonymous dammit, and I don't care what the other side thinks. The harder you try to keep us out, the harder we work to get around it. This is a technical battle you'll never win, because there are more idealists that believe in privacy than there are un-clued admins (and LEO) that think otherwise.

/mike.
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
responses inline

On 6/8/06, Eliah Kagan <[EMAIL PROTECTED]> wrote:
> On 6/8/06, John Sprocket wrote:
> > but like all tools it's a double-edged sword and is easy to abuse. saying "do not bother. you're fighting against privacy, find a better way" is not solving the problem but obviously avoiding it in the first place. again the original problem is of identifying a tor user. a user choosing to use a known community supported utility to keep their anonymity (or invalidates their ip). it was stated that you could lex the cached-directory for a blacklist of ips.
>
> The problem, in the first place, is that people are hacking the websites of others. Saying, "let's block tor so that it will be slightly harder for some hackers to be quite so anonymous while eroding the privacy of thousands of legitimate users" is called **avoiding the problem**. When you do that instead of securing your servers, you're going to get hacked.

you're suggesting there's something wrong with securing your servers, AND categorizing tor users? would doing both not be considered the same thing?

if you have no choice but to use closed-source or vuln-ridden software there is nothing you can do besides not use it. if you have a client that requires some proprietary software then that satisfies the "no choice". you can also restrict what a user can do to the machine, but if the functionality of the application requires certain privileges and an attacker earns those privileges, then they have the potential to act in the context of the application.

let's say we're referring to a web application because that's what tor is commonly associated with. a vuln is discovered where you can insert a record of your choice, then said attacker has the ability to modify flow of the application. remember, you don't control the application, and the application has a requirement of certain resources. how would you secure it from being modified by itself? even if it's only just messing with records that belong to it? take note that this is without having access to the code itself. offtopic, but it's a scenario where you can't quite secure the application from itself.

so what is wrong with directing tor users? i prevent you from using a tool to keep your privacy when there's no reason you need to be visiting the host anonymously in the first place? i'm suggesting that an anonymous user in my scenario would be considered an illegitimate user. no reason a user should require their privacy to use a service that i provide.

> > so redirecting them to a page that says "anonymous users not allowed" or denying a user from running ssh over tor makes sense to me because it's my equipment after all, and i'd want to know who's using tor and who isn't.
>
> You could require that I give you my social security number and run a credit check on me to view your site, too. You could give me a page saying that I was not allowed to access the site if I didn't agree to that. But that is very far from saying that it would make sense for you to do so. It wouldn't. It is legal for you to act destructively to people at large wishing their privacy to be respected, and to your own users specifically, but that doesn't mean that it is rational or morally right for you to do so.

again, redirecting a tor user to a 403 requires you to sit and think up a workaround. perhaps you aren't able to come up with one or you don't want to take the time/effort. this means i've effectively deterred you from using tor to get to the website. now if you care about the website more than your privacy, you'd not use tor. if you cared about privacy more, you'd not visit the site. you've been deterred from visiting the site anonymously. which means it worked. how many people will spend more time in order to visit the site?

> > suggesting that an admin shouldn't bother, hackers will work around it is retarded. of course they'll work around it, but essentially you're raising the bar so someone will have to make more effort. you can't really secure everything against everybody (and still keep your usability. the teeter-totter of security), but you can make it enough of a pain in the ass to deter them from messing with it.
>
> And that is why only leet hackers are able to download movies and music on the Internet. Because thousands of technical professionals have joined forces to raise the bar and ensure that only people who really know what they're doing can do that, and how could thousands of technical professionals fail to succeed against millions of noobs? Right... If what you are saying were really true, that would only add to my argument about how you're handicapping legitimate users while doing nothing against hackers.

my statement is to consider a tor user illegitimate. again, no reason someone should really need to keep their anonymity when visiting a site that i host. someone with access to a proxy or a botnet of spybots will then have the ability to visit their website and keep their "privacy". but most who don't will just use tor.

how man
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
bingo, right on target.. see, tor is tor, not without any reason. it's the reason that must go first; tor will follow later ;)

joel.

On 6/8/06, Eliah Kagan <[EMAIL PROTECTED]> wrote:

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On 6/8/06, John Sprocket wrote:
> but like all tools it's a double-edged sword and is easy to abuse.
> saying "do not bother. you're fighting against privacy, find a better
> way" is not solving the problem but obviously avoiding it in the
> first place. again the original problem is of identifying a tor user.
> a user choosing to use a known community supported utility
> to keep their anonymity (or invalidates their ip). it was stated
> that you could lex the cached-directory for a blacklist of ips.

The problem, in the first place, is that people are hacking the websites of others. Saying, "let's block tor so that it will be slightly harder for some hackers to be quite so anonymous while eroding the privacy of thousands of legitimate users" is called **avoiding the problem**. When you do that instead of securing your servers, you're going to get hacked.

> so redirecting them to a page saying that says "anonymous users
> not allowed" or denying a user from running ssh over tor makes
> sense to me because it's my equipment after all, and i'd want to know who's
> using tor and who isn't.

You could require that I give you my social security number and run a credit check on me to view your site, too. You could give me a page saying that I was not allowed to access the site if I didn't agree to that. But that is very far from saying that it would make sense for you to do so. It wouldn't. It is legal for you to act destructively to people at large wishing their privacy to be respected, and to your own users specifically, but that doesn't mean that it is rational or morally right for you to do so.

> suggesting that an admin shouldn't bother, hackers will work
> around it is retarded. of course they'll work around it, but
> essentially you're raising the bar so someone will have to make
> more effort. you can't really secure everything against everybody
> (and still keep your usability. the teeter-totter of security), but you
> can make it enough of a pain in the ass to deter them from messing with it.

And that is why only leet hackers are able to download movies and music on the Internet. Because thousands of technical professionals have joined forces to raise the bar and ensure that only people who really know what they're doing can do that, and how could thousands of technical professionals fail to succeed against millions of noobs? Right... If what you are saying were really true, that would only add to my argument about how you're handicapping legitimate users while doing nothing against hackers.

> essentially you're saying "use something besides tor to
> keep your privacy for your abuse/dos."

This is an incredibly weak argument. "You can hack me, and you can still remain anonymous, and you can still remain anonymous in much the same way, just as long as you vary your method slightly." It's also not even true. tor itself is likely to adapt to blocking methods. Then you have to have all the technical expertise necessary to...update to the next version.

It's funny how you mention using something else besides tor to remain anonymous while engaging in malicious activity, but don't bother to mention that blocking tor **blocks tor** and hurts legitimate users (who are less likely to know what they're doing and consequently will be hurt more).

> i don't see anything wrong with that besides the misinterpretation being
> "i hate privacy. i'm fighting the war against privacy." which is not the case.

Actually, you're right. That is a misinterpretation. I don't think anybody has said that, but it would be a misinterpretation if somebody did. Given that you started your email by talking about how you use tor to maintain your own privacy, and then talked about how it makes good sense for site admins to block tor, a more accurate interpretation would be, "I hate the privacy of others. I'm fighting the war against the privacy of others."

-Eliah
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
tor is a problem in some cases and a solution in others. a solution for privacy, no doubt. a problem for someone who doesn't want their users to have privacy when they're communicating with equipment that they own/maintain.

i use tor for privacy reasons (since early 2005), and it does it well. i have no complaints, i like the program. before tor existed i used to actually pay for an anonymizer service that used proxy chaining as well (just without the "extras" that tor provides). tor also saves me money if that's the case.

but like all tools it's a double-edged sword and is easy to abuse. saying "do not bother. you're fighting against privacy, find a better way" is not solving the problem but obviously avoiding it in the first place. again the original problem is of identifying a tor user. a user choosing to use a known community supported utility to keep their anonymity (or invalidates their ip). it was stated that you could lex the cached-directory for a blacklist of ips.

so redirecting them to a page that says "anonymous users not allowed" or denying a user from running ssh over tor makes sense to me because it's my equipment after all, and i'd want to know who's using tor and who isn't.

suggesting that an admin shouldn't bother, hackers will work around it is retarded. of course they'll work around it, but essentially you're raising the bar so someone will have to make more effort. you can't really secure everything against everybody (and still keep your usability. the teeter-totter of security), but you can make it enough of a pain in the ass to deter them from messing with it.

essentially you're saying "use something besides tor to keep your privacy for your abuse/dos." i don't see anything wrong with that besides the misinterpretation being "i hate privacy. i'm fighting the war against privacy." which is not the case.

.sargoniv

On 6/8/06, Joel Jose <[EMAIL PROTECTED]> wrote:
[Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
yeah, it's when people see tor and tor-like projects as a problem rather than a solution that they can't focus on the bigger issue. If profiling and other privacy-threatening features are "discouraged".. if the concept of using "scarce" resources like ip addresses etc. for "addressing" network users is discouraged.. if people stop feeling scared of things.. then tor and other projects will fade away into the internet archives...

Cmon people.. tor and all other tor-alikes do "decrease" performance drastically.. it's a huge resource eater for the people and community who maintain it. if there was no need for tor.. certainly it would have gone away sooner than you have finished inserting that module on your apache ;)

yeah.. i was being too over-idealistic there.. besides, making ip addresses irrelevant is what tor does after all (albeit in a more sarcastic way).. anyway i seriously hope people will one day in the (not-so-near) future have their privacy "valued" even without tor ;)

joel.

On 6/7/06, Eliah Kagan <[EMAIL PROTECTED]> wrote:
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On 6/6/06, John Sprocket wrote:
> hehe. look at it metaphorically (like guest inside establishment)
>
> you're head of security at a casino you monitor a specific area full of
> people/users. you have your normal people you can see and possibly identify
> if you so care. there's a group of people that walk in and are wearing
> clothing that is obviously meant to obscure their intentions. would you let
> them stay in your casino, or would you ask them politely to take off their
> masks?
>
> do you choose to accept fully anonymous people (only being able to identify
> them as being anonymous) into your establishment?

Suppose your casino has cameras, that show you the faces of these so-called "normal people". You think you can look at their faces and determine where they live and where they got their money? Because *that* would be a proper metaphor to looking at your server logs. The privacy risk to Internet surfers is often *greater* than that to patrons of "physical" establishments.

This metaphor appears to be exceedingly contrived, beyond the point of even making sense in the metaphorical world. What clothing are they wearing to anonymize themselves? Are they managing to wear clothing that makes it difficult to distinguish them from others while at the same time not violating social standards of proper dress in a casino, not interfering in any way with the other customers, or causing any other customers to feel uncomfortable? If you can come up with some clothing that fits that description, then I would guess that most casinos would permit them to continue as they were. The locks on the doors to restricted areas in the casino will still restrict their movement and the security cameras will still enable the security staff to know if they are committing a crime in the casino, and to stop them from committing that crime. (In the casino, such a person could still be **apprehended** too, just as easily as anybody else, which is one of the reasons why it puzzles me that you have chosen this metaphor.)

Going back to your previous metaphor, I think it is important to recognize that a public website is very unlike a private home, and more like a booth at a fair. Do you want to provide your identity to everyone standing behind booths at fairs, in order for you to merely **walk up** to the booth and take a look?

When it comes right down to it, the owner of a private website is perfectly free to choose to try to block tor. That behavior threatens the legitimate interests of legitimate users, but is certainly within the rights of the owner. And tor users are perfectly free to try to get around such attempts. That behavior is commendable, and certainly within the rights of tor users. (And don't go whining about clickwrap agreements for surfing websites--none of those are binding anyway, except in cases of e-commerce, in which the user of the site is actually engaged in a contractual relationship with the owner or owning entity of the site).

-Eliah
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
John Sprocket wrote:
> hehe. look at it metaphorically (like guest inside establishment)
>
> you're head of security at a casino you monitor a specific area full of
> people/users. you have your normal people you can see and possibly identify
> if you so care. there's a group of people that walk in and are wearing
> clothing that is obviously meant to obscure their intentions. would you let
> them stay in your casino, or would you ask them politely to take off their
> masks?

Bad analogy. A better one is: Do you ask all people for some form of identification before they can enter your establishment?

In effect, the act of visiting a Web site discloses information about the visitor. Even if the person blocks cookies, Javascript, Java, Flash, and all the rest, there is still the IP address. If the IP address is fixed, it is possible to build a profile on that user, or small group of users. Perhaps the person isn't interested in being "profiled." Do you (it's a generic "you") value profiling over having visitors to your site?

One also needs to keep in mind that it's not just the visited Web site collecting information. There are certain governments collecting information that is, as Valdis put it, "none of [their] damned business" to collect. The visitor may be using TOR to inhibit such data collection.

Wired has a good essay by Bruce Schneier called "The Eternal Value of Privacy." I commend it to all:
http://www.wired.com/news/columns/0,70886-0.html

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
hehe. look at it metaphorically (like guest inside establishment)

you're head of security at a casino. you monitor a specific area full of people/users. you have your normal people you can see and possibly identify if you so care. there's a group of people that walk in and are wearing clothing that is obviously meant to obscure their intentions. would you let them stay in your casino, or would you ask them politely to take off their masks?

do you choose to accept fully anonymous people (only being able to identify them as being anonymous) into your establishment?

.sargoniv

On 6/6/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
On Tue, 06 Jun 2006 10:34:18 EDT, John Sprocket said:
> being ./hacked-with-latest-php-bug. in my opinion, i feel it's this user is
> visiting a host
> anonymously. meaning he's got something to hide.

Or maybe he just thinks that it's none of your damned business who he is, and is taking a stand on principle.

You ever been asked for your address, zip code, or phone number by a cashier, *even when you're paying cash*? It's the same basic problem - unless you're very vigilant, info about you leaks out all the time.

And some people object to that, and try to fight it when they can. The "something they have to hide" is just their privacy and right to decide who knows what about them...
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
well, let's look at it like this. in my opinion it seems more so not being in fear of bugs and being ./hacked-with-latest-php-bug. in my opinion, i feel it's this user is visiting a host anonymously. meaning he's got something to hide. if someone is a guest inside my establishment and they have something to hide, it makes one wonder, doesn't it? would it be wrong for me to categorize a tor user and, say for example, ask them why they choose to be anonymous on a specific webpage? it's my home, is it not?

i think a problem of jason areff's module is he was thinking narrow-mindedly. what would be nicer and less obnoxious is categorizing or labeling a tor user as being anonymous. of course, it's common sense that an attacker will work around this. but tor is a community supported utility, it's known to provide anonymity. people know about it, people incapable of coming up with a workaround to avoid being identified as tor use it for anonymity (being malicious or not). it "can" be identified according to the wiki. why not categorize or label them as being tor? it is my home after all. i'd like to know if someone insists on being anonymous while inside my house. it's categorizing someone using a known and community supported tool.

and sure, he sucks at code. but it's a start for him to get an idea he had into motion. hell, this could probably be one of his first programs. ;) if he knew how to code, he'd write a lexer for the cached-directory like it's stated in the docs.

jason,
you should probably follow this code, and make it so it caches it in an indexed table perhaps. make it update at some interval of course.
http://tor.eff.org/cvs/tor/contrib/exitlist

.sargoniv

On 6/6/06, Sol Invictus <[EMAIL PROTECTED]> wrote:
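The exit-list idea John describes above (lex the cached-directory, keep the result in a table, refresh it on an interval, then decide per client address), worked through as an added example in Python. This is not code from the thread, from Tor's contrib/exitlist, or from the module John is talking about. The descriptor text and the access-log lines are constructed for the example, and the relay nicknames, the relay addresses and the site address 198.51.100.80 are assumptions. It goes one step beyond the message by evaluating each relay's exit policy against the site's own address and port, rather than collecting every "router" address.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the "router" + exit-policy server-descriptor format
# that a 2006-era Tor cached-directory carried. Nicknames and addresses are
# made up for the example; signature blocks are left out.
SAMPLE_DESCRIPTORS = """\
router alphaexit 192.0.2.10 9001 0 9030
platform Tor 0.1.1.20 on Linux
accept *:80
accept *:443
reject *:*
router-signature
router middleonly 198.51.100.20 9001 0 0
reject *:*
router-signature
router picky 203.0.113.30 443 0 0
reject 203.0.113.0/24:*
accept *:22
accept *:80
reject *:*
router-signature
"""

ROUTER_RE = re.compile(r"^router\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)")


@dataclass
class Relay:
    nickname: str
    address: str
    or_port: int
    # exit policy as (accept?, destination network or None for "*", low port, high port)
    policy: list = field(default_factory=list)


def parse_policy_line(line):
    """Turn 'accept *:80' or 'reject 203.0.113.0/24:*' into a policy tuple."""
    keyword, _, pattern = line.partition(" ")
    addr, _, ports = pattern.rpartition(":")
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return (keyword == "accept", network, lo, hi)


def parse_descriptors(text):
    """Lex the descriptor dump: a 'router' line opens a relay, policy lines attach to it."""
    relays = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTER_RE.match(line)
        if m:
            current = Relay(m.group(1), m.group(2), int(m.group(3)))
            relays.append(current)
        elif current is not None and line.startswith(("accept ", "reject ")):
            current.policy.append(parse_policy_line(line))
    return relays


def can_exit_to(relay, dest_ip, dest_port):
    """First matching policy line wins; Tor appends an implicit 'reject *:*'."""
    dest = ipaddress.ip_address(dest_ip)
    for accept, network, lo, hi in relay.policy:
        if (network is None or dest in network) and lo <= dest_port <= hi:
            return accept
    return False


def exit_addresses_for(relays, dest_ip, dest_port):
    """Relay addresses that can reach *this* destination; a 'reject *:*'
    relay is a middle node and never lands in the set."""
    return {r.address for r in relays if can_exit_to(r, dest_ip, dest_port)}


# Constructed Apache combined-log lines: two exits, the middle relay's own
# address, and an unrelated client.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [08/Jun/2006:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.30 - - [08/Jun/2006:14:02:40 +0000] "GET /admin.php?id=1' HTTP/1.1" 500 231
198.51.100.20 - - [08/Jun/2006:14:03:05 +0000] "GET /about.html HTTP/1.1" 200 1044
203.0.113.99 - - [08/Jun/2006:14:03:30 +0000] "GET /index.php HTTP/1.1" 200 5123
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def tag_log(log_text, exit_addresses):
    """Label each request with whether its client address is a current exit."""
    tagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, request, status = m.groups()
            tagged.append((client, client in exit_addresses, request, int(status)))
    return tagged


if __name__ == "__main__":
    relays = parse_descriptors(SAMPLE_DESCRIPTORS)
    # Assumed: this web server lives at 198.51.100.80 and serves port 80.
    exits = exit_addresses_for(relays, "198.51.100.80", 80)
    for client, is_exit, request, status in tag_log(SAMPLE_ACCESS_LOG, exits):
        print(f"{'TOR-EXIT' if is_exit else 'direct  '} {client:<14} {status} {request}")
```

The exit set is computed for one destination, so a web site on port 80 gets a different list than an ssh host on port 22, and a relay whose policy is `reject *:*` (a middle node, or an operator browsing from the relay's own box) is never tagged; a raw list of every "router" address would tag it. The dump is a snapshot, so the tagging is only as current as the last refresh of the cached-directory, which is the periodic update John asks for. It identifies the exit node, not the person behind it, and a 403 issued on that basis is exactly the deterrent the rest of the thread argues over.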
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
There is one simple (from management's point of view) way to solve this issue.

DEFAULT DENY and monitor everything else.

That way whenever someone uses a legitimate path for something not legit, it will be caught. Why do you think they posted guards at the gates of old castles? Create the chokepoint and search everyone.

Sol.

Joel Jose wrote:
[Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
See, it's a pity how we don't understand that we are trying to defend using the wrong principles. Just like the other poster pointed out: protect your data == plug holes + preserve + restore data != go for a witch hunt.

Moreover, when "blocking" Tor and denying access we are assuming 3 things:

1) Tor cannot be recreated (don't bet on that; imagine a tor-2 network which corrects (takes different policy measures) the blacklisting facility. If we hold the rope so tight as to choke, the privacy people and the community will come up with a better and more effective tool.)

2) Scarce resources is the way forward. C'mon, public open proxies, Tor-like public projects etc. are not a "scarce" resource for the attacker, but they are a scarce resource for the users. Don't get fooled; of course all it takes for a determined (and well funded) attacker is to "shift" his cables to get onto a different network to attack you ;)

3) Tor is not the problem; it's a solution for privacy. It would be much better if you try to find time to code for better webserver protections against a DoS, or even write a patch for that new full-disclosure vulnerability. Did I say proof-of-concept? Yikes ;)

PS: Of course right now discussions are on how to "label" / "mark" Tor users so that the CIA triad is maintained for resources accessed by Tor users having different access privileges. Pseudonyms are a serious model that's being considered and researched...

joel.

On 6/4/06, Tonnerre Lombard <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Sat, 2006-06-03 at 16:15 -0400, John Sprocket wrote:
> > I imagine a forensics person looks and sees a Tor IP and thinks "okay, I just dead-ended; there's nothing I can do because this is a Tor exit node." With a botnet, most bots can be traced back to their meeting point, which is a little bit more useful.
>
> The question is also whether one should actually waste one's time trying to figure out who actually conducted the intrusion.
>
> When one of our systems gets broken into, I spend my time figuring out what happened, which data got corrupted, and then I fix the hole the intruder used and rebuild the system. There isn't much use in trying to find someone to punish for the fact that one was running insecure software. The only legitimate thing to do in this situation is to fix the hole and to carry on working. If it was so easy to sue away all intruders, why would anyone ever hire a pentester?
>
> Anyway, I'm not sure whether this non-technical implication of a specific technical product should really be discussed here. It's not exactly a vulnerability after all, while of course the vulnerability the attacker used to bite Jason surely was one.
>
> Wrong end, people...
>
> Tonnerre
>
> --
> SyGroup GmbH
> Tonnerre Lombard
> Loesungen mit System
> Tel: +41 61 333 80 33
> Fax: +41 61 383 14 67
> Roeschenzerstrasse 9
> 4153 Reinach
> Web: www.sygroup.ch
> [EMAIL PROTECTED]
>
> --
> As soon as men decide that all means are permitted to fight an evil, then their good becomes indistinguishable from the evil that they set out to destroy. - Christopher Dawson, The Judgment of Nations
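Two defensive ideas run through the posts above: Sol's "DEFAULT DENY and monitor everything else" chokepoint, and Joel's PS about labelling Tor users so they can be given a different privilege tier instead of being blocked outright. The following is an added example written for this page, not code from any of the posters or from the Tor project; it models a request-policy chokepoint where nothing passes without an explicit allow rule, every decision (allowed or denied) is written to an audit record, and traffic from a constructed sample exit-node set is labelled and capped at the anonymous tier rather than refused. The addresses, paths, rule table and exit-node set are all constructed sample data, and the `Request`/`Decision` types and `evaluate` function are this example's own names.

```python
"""Default-deny request policy with full audit logging and a 'tor-exit' label.

Added example, not code from the Full-Disclosure thread. It models two of the
defensive ideas argued above: a DEFAULT DENY chokepoint that records every
decision, and labelling Tor traffic so it lands in a reduced privilege tier
instead of being blocked. All addresses, paths and the exit-node set below are
constructed sample data.
"""
from dataclasses import dataclass, field
import ipaddress
import logging
import posixpath

log = logging.getLogger("chokepoint")

# Constructed sample of exit-node addresses (not a real Tor exit list; a
# deployment would refresh this from the published list on a schedule).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.45"}

# Explicit allow-list: (method, path prefix, minimum privilege tier).
# Anything that matches no rule is denied; that is the default.
ALLOW_RULES = [
    ("GET", "/public", "anon"),
    ("GET", "/docs", "anon"),
    ("POST", "/comments", "verified"),
    ("POST", "/admin", "staff"),
]
TIER_RANK = {"anon": 0, "verified": 1, "staff": 2}

# Every decision, allowed or denied, is recorded here as well as logged, so
# the chokepoint can be reviewed after the fact ("monitor everything else").
AUDIT: list = []


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    tier: str = "anon"  # tier of the authenticated principal, if any


@dataclass
class Decision:
    allowed: bool
    reason: str
    labels: set = field(default_factory=set)


def label_request(req: Request) -> set:
    """Attach labels used by the policy; raises ValueError on a bad address."""
    labels = set()
    ip = ipaddress.ip_address(req.src_ip)  # rejects malformed input early
    if str(ip) in TOR_EXIT_NODES:
        labels.add("tor-exit")
    return labels


def effective_tier(req: Request, labels: set) -> str:
    """Pseudonymous (Tor) traffic is capped at 'anon' whatever it logged in as."""
    return "anon" if "tor-exit" in labels else req.tier


def path_matches(path: str, prefix: str) -> bool:
    # Normalise first so "/public/../admin/x" is judged as "/admin/x".
    norm = posixpath.normpath(path)
    return norm == prefix or norm.startswith(prefix + "/")


def evaluate(req: Request) -> Decision:
    """Default deny: only an explicit allow rule at sufficient tier passes."""
    try:
        labels = label_request(req)
    except ValueError:
        decision = Decision(False, "invalid source address")
    else:
        tier = effective_tier(req, labels)
        decision = Decision(False, "default deny", labels)
        for method, prefix, required in ALLOW_RULES:
            if req.method == method and path_matches(req.path, prefix):
                if TIER_RANK[tier] >= TIER_RANK[required]:
                    decision = Decision(True, f"allow {method} {prefix}", labels)
                else:
                    decision = Decision(False, f"tier {tier} < {required}", labels)
                break  # first matching rule decides
    verdict = "ALLOW" if decision.allowed else "DENY"
    entry = (f"{req.src_ip} {req.method} {req.path} "
             f"labels={sorted(decision.labels)} -> {verdict} ({decision.reason})")
    AUDIT.append(entry)
    log.info(entry)
    return decision


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for r in [
        Request("192.0.2.10", "GET", "/public/index.html"),
        Request("192.0.2.10", "GET", "/secret"),
        Request("203.0.113.45", "GET", "/docs/intro"),
        Request("203.0.113.45", "POST", "/comments", tier="verified"),
        Request("192.0.2.10", "GET", "/public/../admin/x"),
        Request("not-an-ip", "GET", "/public/x"),
    ]:
        evaluate(r)
```

The design point is that the Tor label changes the privilege tier, not the verdict: a labelled request to a public path is still allowed (and recorded as Tor-sourced), while a labelled request that relies on a login is refused because pseudonymous traffic cannot be trusted beyond the anonymous tier. Paths are normalised before matching so a traversal prefix cannot borrow an allow rule, and a malformed source address falls through to a deny rather than an exception, which is the behaviour a default-deny chokepoint should have on unexpected input.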