Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.

responses inline

On 6/8/06, Eliah Kagan <degeneracypressure@xxxxxxxxx> wrote:

On 6/8/06, John Sprocket wrote:
> but like all tools it's a double-edged sword and is easy to abuse.
> saying "do not bother. you're fighting against privacy, find a better
> way" is not solving the problem but obviously avoiding it in the
> first place. again the original problem is of identifying a tor user.
> a user choosing to use a known community supported utility
> to keep their anonymity (or invalidates their ip). it was stated
> that you could lex the cached-directory for a blacklist of ips.

The problem, in the first place, is that people are hacking the
websites of others. Saying, "let's block tor so that it will be
slightly harder for some hackers to be quite so anonymous while
eroding the privacy of thousands of legitimate users" is called
**avoiding the problem**. When you do that instead of securing your
servers, you're going to get hacked.

you're suggesting there's something wrong with securing your servers,
AND categorizing tor users? would doing both not be considered the same

if you have no choice but to use closed-source or vuln-ridden software
there is nothing you can do besides not use it. if you have a client that
requires some proprietary software then that satisfies the "no chice".
you can also restrict what a user can do to the machine, but if the
functionality of the application requires certain privileges and an attacker
earns those privileges. then they have the potential to act in the context
of the application.

let's say we're referring to a web application because that's what tor
is commonly associated with. a vuln is discovered where you can insert a
record of your choice, then said attacker has the ability to modify flow of
the application. remember, you don't control the application, and the
has a requirement of certain resources. how would you secure it from being
modified by itself? even if it's only just messing with records that belong
to it?
take note that this is without having access to the code itself.
offtopic, but it's a scenario where you can't quite secure the application
from itself.

so what is wrong with directing tor users? i prevent you from using
a tool to keep your privacy when there's no reason you need to be
visiting the host anonymously in the first place?
i'm suggesting that an anonymous user in my scenario would be considered
an illegitimate user. no reason a user should require their privacy to use a
service that i provide.

so redirecting them to a page saying that says "anonymous users
> not allowed" or denying a user from running ssh over tor makes
> sense to me because it's my equipment after all, and i'd want to know
> using tor and who isn't.

You could require that I give you my social security number and run a
credit check on me to view your site, too. You could give me a page
saying that I was not allowed to access the site if I didn't agree to
that. But that is very far from saying that it would make sense for
you to do so. It wouldn't. It is legal for you to act destructively to
people at large wishing their privacy to be respected, and to your own
users specifically, but that doesn't mean that it is rational or
morally right for you to do so.

again, redirecting a tor user to a 403 requires you to sit and think up of
a workaround. perhaps you aren't able to come up with one or you don't
want to take the time/effort. this means i've effectively deterred you from
using tor to get to the website. now if you care about the website more
than your privacy, you'd not use tor. if you cared about privacy more,
you'd not visit the site. you've been deterred from visiting the site
anonymously. which means it worked. how many people will spend more
time in order to visit the site?

suggesting that an admin shouldn't bother, hackers will work
> around it is retarded. of course they'll work around it, but
> essentially you're raising the bar so someone will have to make
> more effort. you can't really secure everything against everybody
> (and still keep your usability. the teeter-totter of security), but you
> can make it enough of a pain in the ass to deter them from messing with

And that is why only leet hackers are able to download movies and
music on the Internet. Because thousands of technical professionals
have joined forces to raise the bar and ensure that only people who
really know what they're doing can do that, and how could thousands of
technical professionals fail to succeed against millions of noobs?

If what you are saying were really true, that would only add to my
argument about how you're handicapping legitimate users while doing
nothing against hackers.

my statement is to consider a tor user illegitimate. again, no reason
someone should really need to keep their anonymity when visiting a
site that i host. someone with access to a proxy or a botnet of spybots
will then have the ability to visit their website and keep their "privacy".
but most who don't will just use tor.

how many botnet kids know more than just deploying a kit? how many
people who specialize in webappsec know more than tor? how many
people who specialize in vuln-dev people know how to administer exchange?
i'm not suggesting they don't exist, i'm just saying they're a lot more

generally people when they're begining their research they tend to generally
stick in their field. this means people who spent their time researching
webvulns, on newb sites don't have access to a botnet. people who
specialize in operating system vuln-dev don't know anything about
web application security. people who specialize in botnets don't usually
anything about vulndev.

do you blacklist open proxies on your mailserver?

essentially you're saying "use something besides tor to
> keep your privacy for your abuse/dos."

This is an incredibly weak argument. "You can hack me, and you can
still remain anonymous, and you can still remain anonymous in much the
same way, just as long as your vary your method slightly." It's also
not even true. tor itself is likely to adapt to blocking methods. Then
you have to have all the technical expertise necessary to...update to
the next version.

again, making it requires more work on the part of the client to work to
their anonymity a service that i provide. and if tor adapts to blocking
where identifying them becomes impossible, wouldn't that be a good thing? ;)
software becoming better to overcome problems?

It's funny how you mention using something else besides tor to remain
anonymous while engaging in malicious activity, but don't bother to
mention that blocking tor **blocks tor** and hurts legitimate users
(who are less likely to know what they're doing and consequently will
be hurt more).

i don't see anything wrong
> with that besides the misinterpretation being "i hate privacy. i'm
> fighting the war against privacy." which is not the case.

Actually, you're right. That is a misinterpretation. I don't think
anybody has said that, but it would be a misinterpretation if somebody
did. Given that you started your email by talking about how you use
tor to maintain your own privacy, and then talked about how it makes
good sense for site admins to block tor, a more accurate
interpretation would be, "I hate the privacy of others. I'm fighting
the war against the privacy of others."

nobody has said that, but you speak as if that's the case.
i guess you've never heard of being the devil's advocate to
a privacy zealot. :-D


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

.sargoniv _______________________________________________
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -