Re: William was raided for running a Tor exit node. Please help if you can.
* Joel jaeggli (joe...@bogus.com) wrote: > On 11/29/12 23:18 , Joakim Aronius wrote: > > > I am all for being anonymous on the net but I seriously believe that > > we still need to enforce the law when it comes to serious felonies > > like child pr0n, organized crime etc, we can't give them a free pass > > just by using Tor. I dont think it should be illegal to operate a Tor > > exit node but what just happened could be a consequence of doing it. > > The seriousness of crimes that can be committed using anonymization > services should not be diminished. That said the motive I had for > running a tor exit when I did was that speech, and in particular > political organization (dare we call it sedition) are in fact very > serious crimes in many places. R.g. they can result in indefinite > imprisonment, torture, judicial or extra-legal execution and so forth, I > don't consider that unserious.. > > The internet is potentially quite a useful tool for getting your message > out so long as using it isn't holding a gun to your own head. While we > site here with the convenient idea of some legal arbitrage which allows > me to do something which isn't illegal in my own domain to facilitate > something that is quite illegal elsewhere, the fact of the matter is if > you run a service like this you don't get to pick and choose. I agree. I was about to set up a tor node a few years ago but never got around to it. I send cash to orgs working for human rights in countries with oppressive regimes. I am all for providing anonymized access to help free speech. Perhaps its better with anon access to specific applications like twitter, fb etc and not general internet access. I suspect that the 'free speech' part of the total tor traffic volume is pretty small(?). Cheers, /Joakim
Re: William was raided for running a Tor exit node. Please help if you can.
* Will Hargrave (w...@harg.net) wrote: > > On 29 Nov 2012, at 20:53, George Herbert wrote: > > > The assertion being made here, that it's somehow illegal (or immoral, > > or scary) for there to be not-completely-traceable internet access in > > the US, is absurd. > > The real issue here is *not* the legality of the act of providing a Tor exit > node, or an open access point, or anything else. In sensible countries that > is perfectly legal. The problem here is the reality of undergoing a criminal > investigation. It could also be the case that they think the person running the Tor exit node is the actual perpetrator, i.e. its needed to seize all HW to get the kiddie pr0n. Is it even possible for a network sniffer to distinguish between Tor exit traffic and his own traffic? Hopefully he will get it all back but it will most liklely cost both time and money to explain Tor to the Austrian judical system. > > Think carefully about the impact of having everything in your life which runs > an operating system taken away. Phones. Tablet. Laptop. Servers. All portable > drives, data. If you rely on that hardware for your income (and who > doesn't?) you're going to have to buy all of that again. And restore your > data, if you are able. Fully agree. /J
Re: William was raided for running a Tor exit node. Please help if you can.
* Patrick W. Gilmore (patr...@ianai.net) wrote: > On Nov 29, 2012, at 12:58 , Barry Shein wrote: > > It would seem like they'd have to confiscate the equipment at every > > Starbucks in their jurisdiction, which could be every one in the US > > for example. > > They didn't confiscate every Tor exit node in the US once they found > something nefarious emanating from one. > Lets assume that some child pr0n dealer used this Tor exit node, is it not reasonable if the police wants to see if there are logs that make it possible to catch the sleazebag? Should LE ignore crime if it originates from a network which operates a Tor exit node? I am all for being anonymous on the net but I seriously believe that we still need to enforce the law when it comes to serious felonies like child pr0n, organized crime etc, we can't give them a free pass just by using Tor. I dont think it should be illegal to operate a Tor exit node but what just happened could be a consequence of doing it. Of course they might not know abot Tor and believes that it is Mr Williams that is the bad guy. /J
Re: Network scan tool/appliance horror stories
* Jones, Barry (bejo...@semprautilities.com) wrote: > I can share with you several stories personnel (both IT or vendors), who have > scanned Electric Utility environments with or without permission; and hence > caused multiple failures - including electro-mechanical systems and related > applications. Utilities typically utilize many industrial controllers - some > of which many IT personnel have no knowledge, and some are not robust enough > to weather the storm. > > 1. Know your environment. > 2. Know your tools. > 3. Communicate. > Second that. First agree on what rate they are allowed to scan your network, then let them come back with what they find before they point other tools at the found nodes. Then inform the owners of said nodes of what is going to happen. In a previous life I found an publicly available SQL server on a network belonging to a medical institution that I was pen testing. I pointed Nessus at it and it just died... BR /Joakim
Re: Another LTE network turns up as IPv4-only
* Tore Anderson (tore.ander...@redpill-linpro.com) wrote: > * Mikael Abrahamsson > > >> In my experience, long-lived sessions are unreliable when you're on the > >> move anyway. Go into an elevator? Sessions drop. Subway heads into a > >> tunnel? Sessions drop. > > > > I guess you and me have radically different experience of mobile phone > > networks and how well they work. > > Maybe. Welcome to Oslo. :-) But then, if I remember correctly, Telenor choose to go all-in with one of the Chinese vendors.. I am really interested to see how that plays out. /Joakim
Re: 4g hack
* Christopher Morrow (morrowc.li...@gmail.com) wrote: > On Thu, Aug 11, 2011 at 2:32 AM, Charles N Wyble > wrote: > > http://seclists.org/fulldisclosure/2011/Aug/76 > > > > Wondering what folks think about this? If this was true then we just > > entered a whole new era of mass WAN exploitation. > > > > This isn't really all that new is it? haven't people been able to buy > 3g/pcs/etc antennae and such off ebay for a while and intercept > conversations/data/etc for a long time? GSM was 'hacked' (decrypted > via some rainbow tables) several years ago as well. > > If you ship it over the air and there isn't a reasonable encryption > scheme in place, don't you expect it to be seen? GSM and GPRS are vulnerable to MitM due to lack of two factor authentication etc. WCDMA (3G) and LTE (4G) should be safe as they have much better security. Not sure about 3GPP2 (CDMA) or WiMAX systems, perhaps early version of CDMA has similar problems as GSM. But saying that '4G' is vulnerable is a pretty broad statement as it consists of at least LTE and WiMAX, and some US operators also refer to their WCDMA HSPA as 4G. There is also a difference between 'the standard has security flaws' and 'the operator has deployed an insecure network' as operators might run their network with security features turned off. Anyway, the paranoid should turn of GSM and run WCDMA instead. /Joakim
Re: IPv6 day fun is beginning!
* Jay Ashworth (j...@baylink.com) wrote: > - Original Message - > > From: "Matt Ryanczak" > > > Indeed. Verizon LTE is v6 enabled but the user-agent on my phone > > denies me an IPv6 experience. > > I thought I'd heard that LTE transport was *IPv6 only*... LTE supports both IPv4 and IPv6 (of course) but some operators deploy IPv6 only (with NAT64). (e.g. T-mobile, although their '4G' network is actually 3G with the latest high speed features, +1 for innovative marketing department) /Joakim
Re: The state-level attack on the SSL CA security model
* George Herbert (george.herb...@gmail.com) wrote: > Back on original point - if the *actual effective* model of browser > security is browsers with an internal revoked cert list - then there's > a case to be made that a pre-announcement in private to the browser > vendors, enough time for them to spin patches, and then widespread > public discussion is the most responsible model approach. The public > knowing before their browser knows how to handle the bad cert isn't > helpful, unless you can effectively tell people how to get their > browser to actually go verify every cert. > No. In the case of a remote exploitable hole in the client OS I agree, then the user can do nothing and will benefit if there is a patch before the knowledge of the problem is spread. But in this case it is a security hole in the server side. IF users are informed they can avoid using the service and thus avoid the risk. (And if the risk is to be on the wrong end of a stick, at least I would appreciate a warning.) So what about a general warning that secure communication with site X, Y and Z could be compromised? Maybe even a big warning on the sites themself to give a warning before you login? (It could be removed by a 'man in the middle', but it would spread the word.) I wonder why that didn't happen.. /J
Re: The state-level attack on the SSL CA security model
* Dobbins, Roland (rdobb...@arbor.net) wrote: > > On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote: > > > Announcing this high and loud even before fixes were available would not > > have exposed more users to threats, but less. > > > An argument against doing this prior to fixes being available is that > miscreants who didn't know about this previously would be alerted to the > possibility of using one of these certs (assuming they could get their hands > on one) in conjunction with name resolution manipulation. The fix here is to delete the compromised UID and revoke the certs, thats done immediately, then inform the public, no reason to wait after that. IF the speculations about a specific nation is true then there is a risk that people there run real (like physical) risks by using e.g. yahoo the last few days. They would have appreciated being informed. > > Note that announcing this prior to fixes would've dramatically increased the > resale value of these certificates in the underground economy, making them > much more attractive/lucrative. Why? Surely the value of stolen certs are higher if the public do not know that they exist. /Joakim
Re: wikileaks dns (was Re: Blocking International DNS)
* Jack Bates (jba...@brightok.net) wrote: > Given "These attacks have, and future attacks would, threaten the > stability of the EveryDNS.net infrastructure, which enables access > to almost 500,000 other websites." I'd say they had DOS issues with > their nameservers. They can't be expected to let their other domains > go down in efforts to protect a single domain. This is then important information that should be spelled out in their terms of service. 'If your domain generate to much traffic we will terminate your service'.. It might very well be reasonable for a free service to have these restrictions but as a customer it could be an important differentiator when choosing service provider. ..assuming that the DOS actually took place.. (tinfoil hat on..:) /Joakim > > I'm guessing they weathered the problem somewhat, as they actually > gave 24h notice. However, excessive loads and constant monitoring > and protective measures on a free service would definitely be > something a company would want to stop. > > > Jack
Re: Blocking International DNS
* Suresh Ramasubramanian (ops.li...@gmail.com) wrote: > This isnt new - there have been proposals elsewhere for a resolver > based blacklist of child porn sites. > Swedish ISPs are required to enforce a DNS blacklist for childporn, perhaps also other European countries. The list is maintained by the police (rikskriminalen), they have also published statistics on how many evil access attempts to child porn that they have blocked, i.e. legitimating their existence. They do however fail to mention that browsers usually resolve all links on the webpage it loads so it only takes a look at a page that links to an illegal site for the filter to score a hit... and pr0n pages tend to have a lot of links.. And once you get these things in place you never know where it will end... Cheers, /jkm
Re: end-user ipv6 deployment and concerns about privacy
* Joel Jaeggli (joe...@bogus.com) wrote: > > manual configuration of ip address name mappings seems like a rather low > priority for the average home user... > > I don't expect that will be a big activity in the future either, more > devices means less manual intervention not more. > Ok, ok, so that argument sucked. I guess I'm still stuck in the IPv4 mindset and have not yet grasped the full blessing of IPv6, zeroconf etc. etc. Anyway, constantly changing prefixes for home users still seem like begging for trouble. (Could be a service though, as mentioned, but on the other hand I expect a fair number of anonymity services to arise so charging for it might be tough.) Cheers, /Joakim
Re: end-user ipv6 deployment and concerns about privacy
* Hannes Frederic Sowa (han...@mailcolloid.de) wrote: > > But most people just don't care. My proposal is to have some kind of > sane defaults for them e.g. changing their prefix every week or in the > case of a reconnect. This would mitigate some of the many privacy > concerns in the internet a little bit. Of course all the already known > problems would still exist. And still people have to care about the > technology to reach a higher level of anonymity. Ok. Lets assume that the ISP hands out new prefixes to the clients CPE each week. The CPE then advertises these prefixes on the clients home network. For clients accessing the internet this works fine (except perhaps a glitch during the switchover). But what about the internal communication in the customer premises? How do they connect to their NAS, media players, printers, TVs etc? Of course there is UPnP, DLNA and different other kinds of magic but I imagine that most home users actually configure IP addresses at some point. Constantly changing prefixes will ad another layer of complexity, things will break, and customers will be upset. (and quite frankly I don't think that you would gain that much privacy anyway) just my $.02 /Joakim
Re: Comcast IPv6 Trials
* Paul Stewart (pstew...@nexicomgroup.net) wrote: > That really makes sense - on an incredibly smaller scale (and I mean MUCH > smaller scale), we operate cable modem in two small communities - currently > we use 3 IP addresses per subscriber. One for the cable modem itself, one > for the subscriber (or more depending on their package), and one for voice > delivery (packetcable). If we moved even two of three IP assignments to > native V6 we'd reclaim a lot of V4 space - I can only imagine someone their > size and what this means... > > Paul Excuse the newbie question: Why use public IP space for local CPE management and VoIP? Doesn't DOCSIS support traffic separation? /J
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
* Mark Newton (new...@internode.com.au) wrote: > > On 15/12/2009, at 11:19 PM, Joakim Aronius wrote: > > > So what you are saying is that ease of use and service availability is > > priority one. Then what exactly are the responsibilities of the ISP and CPE > > manufacturer when it comes to security? CPEs with WiFi usually comes with > > the advice to change password etc. Is it ok to build an infrastructure > > relying on UPnP, write a disclaimer, and let the end user handle eventual > > problems? (I assume it is...) > > Hasn't essentially every ISP on the planet been doing that for years, > only without the disclaimer? > > It's not like we're talking about creating UPnP from whole cloth. We're > discussing a replacement of like-for-like, updating existing capabilities > to support IPv6. As was mentioned earlier the end-user is mostly clueless and 'just want things to work'(tm). They do not know/care enough to make wise decissions when it comes to security and they cant identify the absence of security features. Personally I only have rudimentary knowledge of UPnP and UPnP forum but there are real security issues with the protocol and no(?) effort to fix them, current security specs are from 2003. (and varying degree of implementation in products of the security features that actually are in the standard) In the last years the security problems in e.g. Microsoft products have gotten a lot of press and even Joe Sixpack has a hunch that he ought to get an anti-virus program. With the increasingly complex home network environment we will likely see more advanced attacks including UPnP. Then we have a situation with embedded devices with more and more functionality which are hard to patch, that run insecure protocols and it will end up in a real mess. I basically agree with you, adding IPv6 would be a like-for-like replacement. But one difference is that there is an increased attack vector with a higher degree of connectivity (no NAT) and more complex and less mature IP implementations in devices. UPnP might still be the the way to go as it is already there, 'it works' etc. But not working actively with the security issues in the standards is plain stupid. The standard and the functionality of the CPE is the responsibility of the CPE manufacturer. An I guess that the responsibility of the ISP is to provision its customers with as good and secure CPEs that the market provide (and if the s*** hits the fan, point at the CPE manufacturer). Regards, /Joakim
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
* Steven Bellovin (s...@cs.columbia.edu) wrote: > > On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote: > > Owen DeLong wrote: > > Stable outgoing connections for p2p apps, messaging, gaming platforms > > and foo website with java script based rpc mechanisms have similar > > properties. I don't sleep soundly at night becasuse the $49 buffalo > > router I bought off an endcap at frys uses iptables, I sleep soundly > > because I don't care. > > > Precisely. And if you want to get picky, remember that "availability" is part > of the standard definition of security. A firewall that doesn't let me play > Chocolate-Sucking Zombie Monsters is an attack on the availability of that > gmae, albeit from the purest of motives. > > No, I'm not saying that this is good. I am saying that in the real world, it > *will* happen. So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually comes with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...) /jkm
Re: Gig Throughput on IPSEC
* Truman Boyes (tru...@suspicious.org) wrote: > > an SRX 3400/3600 you can scale up the performance of IPSEC VPN > throughput with additional SPCs. You should be able to scale to over > 6Gbps of IPSEC with enough SPCs. > > Truman Yes, the SRX line of products is the most future-proof way to go. I had a meeting with Juniper technical sales a short while ago and they also stated that "performace figures of the SRX is more in line what you get in real deployments" (compared to the ISG and NS marketing material which have IPsec throughput figures which you probably not will see in the field, same as most vendors). In the ISG and NS series you also need to be aware on capacity limitations in the cards and the backplane. ...and as no one else has commented on L2 security devices I assume that there is not many products for this (IEEE 802.1AE MAC Security). But on the other hand I suppose that there is mostly L3 people on this list and that the Metro Ethernet folks hangs elsewhere.. (I would go for IPsec.) Cheers, /Joakim