Re: William was raided for running a Tor exit node. Please help if you can.

2012-12-02 Thread Joakim Aronius
* Joel jaeggli (joe...@bogus.com) wrote:
> On 11/29/12 23:18 , Joakim Aronius wrote:
> 
> > I am all for being anonymous on the net but I seriously believe that
> > we still need to enforce the law when it comes to serious felonies
> > like child pr0n, organized crime etc, we can't give them a free pass
> > just by using Tor. I don't think it should be illegal to operate a Tor
> > exit node but what just happened could be a consequence of doing it.
> 
> The seriousness of crimes that can be committed using anonymization
> services should not be diminished. That said the motive I had for
> running a tor exit when I did was that speech, and in particular
> political organization (dare we call it sedition) are in fact very
> serious crimes in many places. E.g. they can result in indefinite
> imprisonment, torture, judicial or extra-legal execution and so forth, I
> don't consider that unserious..
> 
> The internet is potentially quite a useful tool for getting your message
> out so long as using it isn't holding a gun to your own head. While we
> sit here with the convenient idea of some legal arbitrage which allows
> me to do something which isn't illegal in my own domain to facilitate
> something that is quite illegal elsewhere, the fact of the matter is if
> you run a service like this you don't get to pick and choose.

I agree. I was about to set up a tor node a few years ago but never got around 
to it. I send cash to orgs working for human rights in countries with 
oppressive regimes. I am all for providing anonymized access to help free 
speech. Perhaps it's better with anon access to specific applications like 
twitter, fb etc and not general internet access. I suspect that the 'free 
speech' part of the total tor traffic volume is pretty small(?).

Cheers,
/Joakim 



Re: William was raided for running a Tor exit node. Please help if you can.

2012-11-30 Thread Joakim Aronius
* Will Hargrave (w...@harg.net) wrote:
> 
> On 29 Nov 2012, at 20:53, George Herbert  wrote:
> 
> > The assertion being made here, that it's somehow illegal (or immoral,
> > or scary) for there to be not-completely-traceable internet access in
> > the US, is absurd.
> 
> The real issue here is *not* the legality of the act of providing a Tor exit 
> node, or an open access point, or anything else. In sensible countries that 
> is perfectly legal. The problem here is the reality of undergoing a criminal 
> investigation. 

It could also be the case that they think the person running the Tor exit node 
is the actual perpetrator, i.e. it's needed to seize all HW to get the kiddie 
pr0n. Is it even possible for a network sniffer to distinguish between Tor exit 
traffic and his own traffic?

Hopefully he will get it all back but it will most likely cost both time and 
money to explain Tor to the Austrian judicial system.

> 
> Think carefully about the impact of having everything in your life which runs 
> an operating system taken away. Phones. Tablet. Laptop. Servers. All portable 
> drives, data. If you rely on that hardware for your income (and who 
> doesn't?) you're going to have to buy all of that again. And restore your 
> data, if you are able. 

Fully agree.

/J



Re: William was raided for running a Tor exit node. Please help if you can.

2012-11-29 Thread Joakim Aronius
* Patrick W. Gilmore (patr...@ianai.net) wrote:
> On Nov 29, 2012, at 12:58 , Barry Shein  wrote:
> > It would seem like they'd have to confiscate the equipment at every
> > Starbucks in their jurisdiction, which could be every one in the US
> > for example.
> 
> They didn't confiscate every Tor exit node in the US once they found 
> something nefarious emanating from one.
> 
Let's assume that some child pr0n dealer used this Tor exit node, is it not 
reasonable if the police want to see if there are logs that make it possible 
to catch the sleazebag? Should LE ignore crime if it originates from a network 
which operates a Tor exit node? 

I am all for being anonymous on the net but I seriously believe that we still 
need to enforce the law when it comes to serious felonies like child pr0n, 
organized crime etc, we can't give them a free pass just by using Tor. I don't 
think it should be illegal to operate a Tor exit node but what just happened 
could be a consequence of doing it.

Of course they might not know about Tor and believe that it is Mr Williams that 
is the bad guy. 

/J



Re: Network scan tool/appliance horror stories

2012-11-02 Thread Joakim Aronius
* Jones, Barry (bejo...@semprautilities.com) wrote:
> I can share with you several stories of personnel (both IT or vendors), who have 
> scanned Electric Utility environments with or without permission; and hence 
> caused multiple failures - including electro-mechanical systems and related 
> applications. Utilities typically utilize many industrial controllers - some 
> of which many IT personnel have no knowledge, and some are not robust enough 
> to weather the storm.
> 
> 1. Know your environment.
> 2. Know your tools.
> 3. Communicate.
> 

Second that. First agree on what rate they are allowed to scan your network, 
then let them come back with what they find before they point other tools at 
the found nodes. Then inform the owners of said nodes of what is going to 
happen.

In a previous life I found a publicly available SQL server on a network 
belonging to a medical institution that I was pen testing. I pointed Nessus at 
it and it just died... 

BR
/Joakim



Re: Another LTE network turns up as IPv4-only

2012-10-11 Thread Joakim Aronius
* Tore Anderson (tore.ander...@redpill-linpro.com) wrote:
> * Mikael Abrahamsson
> 
> >> In my experience, long-lived sessions are unreliable when you're on the
> >> move anyway. Go into an elevator? Sessions drop. Subway heads into a
> >> tunnel? Sessions drop.
> > 
> > I guess you and me have radically different experience of mobile phone
> > networks and how well they work.
> 
> Maybe. Welcome to Oslo. :-)

But then, if I remember correctly, Telenor chose to go all-in with one of the 
Chinese vendors.. I am really interested to see how that plays out.

/Joakim



Re: 4g hack

2011-08-11 Thread Joakim Aronius
* Christopher Morrow (morrowc.li...@gmail.com) wrote:
> On Thu, Aug 11, 2011 at 2:32 AM, Charles N Wyble
>  wrote:
> > http://seclists.org/fulldisclosure/2011/Aug/76
> >
> > Wondering what folks think about this? If this was true then we just
> > entered a whole new era of mass WAN exploitation.
> >
> 
> This isn't really all that new is it? haven't people been able to buy
> 3g/pcs/etc antennae and such off ebay for a while and intercept
> conversations/data/etc for a long time? GSM was 'hacked' (decrypted
> via some rainbow tables) several years ago as well.
> 
> If you ship it over the air and there isn't a reasonable encryption
> scheme in place, don't you expect it to be seen?

GSM and GPRS are vulnerable to MitM due to lack of two factor authentication 
etc. WCDMA (3G) and LTE (4G) should be safe as they have much better security. 
Not sure about 3GPP2 (CDMA) or WiMAX systems, perhaps early versions of CDMA have 
similar problems as GSM. But saying that '4G' is vulnerable is a pretty broad 
statement as it consists of at least LTE and WiMAX, and some US operators also 
refer to their WCDMA HSPA as 4G. There is also a difference between 'the 
standard has security flaws' and 'the operator has deployed an insecure 
network' as operators might run their network with security features turned off.

Anyway, the paranoid should turn off GSM and run WCDMA instead.

/Joakim 



Re: IPv6 day fun is beginning!

2011-06-07 Thread Joakim Aronius
* Jay Ashworth (j...@baylink.com) wrote:
> - Original Message -
> > From: "Matt Ryanczak" 
> 
> > Indeed. Verizon LTE is v6 enabled but the user-agent on my phone
> > denies me an IPv6 experience.
> 
> I thought I'd heard that LTE transport was *IPv6 only*...

LTE supports both IPv4 and IPv6 (of course) but some operators deploy IPv6 only 
(with NAT64). (e.g. T-mobile, although their '4G' network is actually 3G with 
the latest high speed features, +1 for innovative marketing department) 

/Joakim




Re: The state-level attack on the SSL CA security model

2011-03-25 Thread Joakim Aronius
* George Herbert (george.herb...@gmail.com) wrote:
> Back on original point - if the *actual effective* model of browser
> security is browsers with an internal revoked cert list - then there's
> a case to be made that a pre-announcement in private to the browser
> vendors, enough time for them to spin patches, and then widespread
> public discussion is the most responsible model approach.  The public
> knowing before their browser knows how to handle the bad cert isn't
> helpful, unless you can effectively tell people how to get their
> browser to actually go verify every cert.
>

No. In the case of a remote exploitable hole in the client OS I agree, then the 
user can do nothing and will benefit if there is a patch before the knowledge 
of the problem is spread. But in this case it is a security hole in the server 
side. IF users are informed they can avoid using the service and thus avoid the 
risk. (And if the risk is to be on the wrong end of a stick, at least I would 
appreciate a warning.)

So what about a general warning that secure communication with site X, Y and Z 
could be compromised? Maybe even a big warning on the sites themselves to give a 
warning before you login? (It could be removed by a 'man in the middle', but it 
would spread the word.)

I wonder why that didn't happen..

/J



Re: The state-level attack on the SSL CA security model

2011-03-24 Thread Joakim Aronius
* Dobbins, Roland (rdobb...@arbor.net) wrote:
> 
> On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:
> 
> > Announcing this high and loud even before fixes were available would not 
> > have exposed more users to threats, but less.
> 
> 
> An argument against doing this prior to fixes being available is that 
> miscreants who didn't know about this previously would be alerted to the 
> possibility of using one of these certs (assuming they could get their hands 
> on one) in conjunction with name resolution manipulation.

The fix here is to delete the compromised UID and revoke the certs, that's done 
immediately, then inform the public, no reason to wait after that. IF the 
speculations about a specific nation are true then there is a risk that people 
there run real (like physical) risks by using e.g. yahoo the last few days. 
They would have appreciated being informed.
> 
> Note that announcing this prior to fixes would've dramatically increased the 
> resale value of these certificates in the underground economy, making them 
> much more attractive/lucrative.
Why? Surely the value of stolen certs is higher if the public does not know that 
they exist.

/Joakim




Re: wikileaks dns (was Re: Blocking International DNS)

2010-12-03 Thread Joakim Aronius
* Jack Bates (jba...@brightok.net) wrote:
> Given "These attacks have, and future attacks would, threaten the
> stability of the EveryDNS.net infrastructure, which enables access
> to almost 500,000 other websites." I'd say they had DOS issues with
> their nameservers. They can't be expected to let their other domains
> go down in efforts to protect a single domain.

This is then important information that should be spelled out in their terms of 
service. 'If your domain generates too much traffic we will terminate your 
service'.. It might very well be reasonable for a free service to have these 
restrictions but as a customer it could be an important differentiator when 
choosing service provider.

..assuming that the DOS actually took place.. (tinfoil hat on..:)

/Joakim



> 
> I'm guessing they weathered the problem somewhat, as they actually
> gave 24h notice. However, excessive loads and constant monitoring
> and protective measures on a free service would definitely be
> something a company would want to stop.
> 
> 
> Jack



Re: Blocking International DNS

2010-11-25 Thread Joakim Aronius
* Suresh Ramasubramanian (ops.li...@gmail.com) wrote:
> This isn't new - there have been proposals elsewhere for a resolver
> based blacklist of child porn sites.
>

Swedish ISPs are required to enforce a DNS blacklist for child porn, perhaps 
also other European countries. The list is maintained by the police 
(rikskriminalen), they have also published statistics on how many evil access 
attempts to child porn that they have blocked, i.e. legitimating their 
existence. They do however fail to mention that browsers usually resolve all 
links on the webpage they load so it only takes a look at a page that links to 
an illegal site for the filter to score a hit... and pr0n pages tend to have a 
lot of links.. 

And once you get these things in place you never know where it will end...

Cheers,
/jkm




Re: end-user ipv6 deployment and concerns about privacy

2010-08-19 Thread Joakim Aronius
* Joel Jaeggli (joe...@bogus.com) wrote:
> 
> manual configuration of ip address name mappings seems like a rather low
> priority for the average home user...
> 
> I don't expect that will be a big activity in the future either, more
> devices means less manual intervention not more.
>

Ok, ok, so that argument sucked. I guess I'm still stuck in the IPv4 mindset 
and have not yet grasped the full blessing of IPv6, zeroconf etc. etc. 

Anyway, constantly changing prefixes for home users still seems like begging for 
trouble. (Could be a service though, as mentioned, but on the other hand I 
expect a fair number of anonymity services to arise so charging for it might be 
tough.)

Cheers,
/Joakim
 



Re: end-user ipv6 deployment and concerns about privacy

2010-08-19 Thread Joakim Aronius
* Hannes Frederic Sowa (han...@mailcolloid.de) wrote:
> 
> But most people just don't care. My proposal is to have some kind of
> sane defaults for them e.g. changing their prefix every week or in the
> case of a reconnect. This would mitigate some of the many privacy
> concerns in the internet a little bit. Of course all the already known
> problems would still exist. And still people have to care about the
> technology to reach a higher level of anonymity.

Ok. Let's assume that the ISP hands out new prefixes to the client's CPE each 
week. The CPE then advertises these prefixes on the client's home network. For 
clients accessing the internet this works fine (except perhaps a glitch during 
the switchover). 

But what about the internal communication in the customer premises? How do they 
connect to their NAS, media players, printers, TVs etc? Of course there is 
UPnP, DLNA and different other kinds of magic but I imagine that most home 
users actually configure IP addresses at some point. 

Constantly changing prefixes will add another layer of complexity, things will 
break, and customers will be upset. (and quite frankly I don't think that you 
would gain that much privacy anyway) 

just my $.02

/Joakim




Re: Comcast IPv6 Trials

2010-01-28 Thread Joakim Aronius
* Paul Stewart (pstew...@nexicomgroup.net) wrote:
> That really makes sense - on an incredibly smaller scale (and I mean MUCH 
> smaller scale), we operate cable modem in two small communities - currently 
> we use 3 IP addresses per subscriber.  One for the cable modem itself, one 
> for the subscriber (or more depending on their package), and one for voice 
> delivery (packetcable).  If we moved even two of three IP assignments to 
> native V6 we'd reclaim a lot of V4 space - I can only imagine someone their 
> size and what this means...
> 
> Paul

Excuse the newbie question: Why use public IP space for local CPE management 
and VoIP? Doesn't DOCSIS support traffic separation?

/J 



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-16 Thread Joakim Aronius
* Mark Newton (new...@internode.com.au) wrote:
> 
> On 15/12/2009, at 11:19 PM, Joakim Aronius wrote:
> 
> > So what you are saying is that ease of use and service availability is 
> > priority one. Then what exactly are the responsibilities of the ISP and CPE 
> > manufacturer when it comes to security? CPEs with WiFi usually come with 
> > the advice to change password etc. Is it ok to build an infrastructure 
> > relying on UPnP, write a disclaimer, and let the end user handle eventual 
> > problems? (I assume it is...)
> 
> Hasn't essentially every ISP on the planet been doing that for years, 
> only without the disclaimer?
> 
> It's not like we're talking about creating UPnP from whole cloth.  We're
> discussing a replacement of like-for-like, updating existing capabilities
> to support IPv6.

As was mentioned earlier the end-user is mostly clueless and 'just want things 
to work'(tm). They do not know/care enough to make wise decisions when it 
comes to security and they can't identify the absence of security features. 
Personally I only have rudimentary knowledge of UPnP and UPnP forum but there 
are real security issues with the protocol and no(?) effort to fix them, 
current security specs are from 2003. (and varying degree of implementation in 
products of the security features that actually are in the standard)

In the last years the security problems in e.g. Microsoft products have gotten 
a lot of press and even Joe Sixpack has a hunch that he ought to get an 
anti-virus program. With the increasingly complex home network environment we 
will likely see more advanced attacks including UPnP. Then we have a situation 
with embedded devices with more and more functionality which are hard to patch, 
that run insecure protocols and it will end up in a real mess. 

I basically agree with you, adding IPv6 would be a like-for-like replacement. 
But one difference is that there is an increased attack vector with a higher 
degree of connectivity (no NAT) and more complex and less mature IP 
implementations in devices. 

UPnP might still be the way to go as it is already there, 'it works' etc. 
But not working actively with the security issues in the standards is plain 
stupid. The standard and the functionality of the CPE is the responsibility of 
the CPE manufacturer. And I guess that the responsibility of the ISP is to 
provision its customers with as good and secure CPEs as the market provides 
(and if the s*** hits the fan, point at the CPE manufacturer). 

Regards,
/Joakim



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-15 Thread Joakim Aronius
* Steven Bellovin (s...@cs.columbia.edu) wrote:
> 
> On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
> > Owen DeLong wrote:
> > Stable outgoing connections for p2p apps, messaging, gaming platforms
> > and foo website with java script based rpc mechanisms have similar
> > properties. I don't sleep soundly at night because the $49 buffalo
> > router I bought off an endcap at frys uses iptables, I sleep soundly
> > because I don't care.
> > 
> Precisely.  And if you want to get picky, remember that "availability" is part
> of the standard definition of security.  A firewall that doesn't let me play
> Chocolate-Sucking Zombie Monsters is an attack on the availability of that
> game, albeit from the purest of motives.
> 
> No, I'm not saying that this is good.  I am saying that in the real world, it
> *will* happen.

So what you are saying is that ease of use and service availability is priority 
one. Then what exactly are the responsibilities of the ISP and CPE manufacturer 
when it comes to security? CPEs with WiFi usually come with the advice to 
change password etc. Is it ok to build an infrastructure relying on UPnP, write 
a disclaimer, and let the end user handle eventual problems? (I assume it is...)

/jkm



Re: Gig Throughput on IPSEC

2009-11-11 Thread Joakim Aronius
* Truman Boyes (tru...@suspicious.org) wrote:
>
> an SRX 3400/3600 you can scale up the performance of IPSEC VPN  
> throughput with additional SPCs. You should be able to scale to over  
> 6Gbps of IPSEC with enough SPCs.
>
> Truman

Yes, the SRX line of products is the most future-proof way to go. I had a 
meeting with Juniper technical sales a short while ago and they also stated 
that "performance figures of the SRX are more in line what you get in real 
deployments" (compared to the ISG and NS marketing material which have IPsec 
throughput figures which you will probably not see in the field, same as most 
vendors).
In the ISG and NS series you also need to be aware of capacity limitations in 
the cards and the backplane.

...and as no one else has commented on L2 security devices I assume that there 
are not many products for this (IEEE 802.1AE MAC Security). But on the other 
hand I suppose that there are mostly L3 people on this list and that the Metro 
Ethernet folks hang elsewhere.. (I would go for IPsec.)

Cheers,
/Joakim