[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] IBM says Block Tor



Hi Paul,

Yes, my example was a simplification of the issue here. The point was that in some corporate environments (not all of them), the usage of Tor may be unwanted unless permission is explicitly given to the employee. Of course at a lot of companies this is not true and IBM's advice should be taken with a barrel of salt.

Tom




> On 27 Aug 2015, at 14:57, Paul Syverson <paul.syverson@xxxxxxxxxxxx> wrote:
> 
>> On Thu, Aug 27, 2015 at 10:08:26AM +0200, Tom van der Woerdt wrote:
>> In some corporate environments this would be a reasonable thing to
>> do. And the article that started this thread is about corporate
>> networks.
>> 
>> If you work in a call center with a company computer, you have
>> absolutely no reason to use Tor.
> 
> This is an overly narrow view of "use Tor". In any corporate
> environment, including customer support settings, it could be
> important to protect searches of public information (including perhaps
> especially competitor information) from competitors and possible
> network observers. Maybe _you_ would have no reason to use Tor there,
> but your company would have a reason for you to use Tor.
> 
>> If you did use Tor, it would most likely be a red flag that you or
>> the computer have been compromised and need investigation. Keep in
>> mind that while at work, your boss decides what you are and aren't
>> allowed to do with your time.
> 
> In an inadequately configured environment, perhaps.  But corporate
> investigators and law enforcement officers use Tor all the time to
> investigate crime online and could have to do so unofficially if no
> adequate sanctioned solution were available.  Even in an inflexible
> setting that tension is unnecessary, however. We specifically designed
> for multiple usage scenarios including one where your use is subject
> to local monitoring but still is protected once leaving the local
> network.  The case here is described under Proxy-and-OR-at-Firewall
> Access in "Onion Routing Access Configurations".
> http://www.onion-router.net/Publications.html#DISCEX-2000
> 
> aloha,
> Paul
> 
> 
>> 
>> For the same reason, routing all employee traffic through a proxy
>> and filtering sites that host games also seems reasonable.
>> 
>> Tom
>> 
>> 
>> 
>> 
>>> On 27 Aug 2015, at 08:47, Virgil Griffith <i@xxxxxxxxx> wrote:
>>> 
>>> "In general, networks should be configured to deny access to websites such
>>> as www.torproject.org"
>>> 
>>> Blocking Tor exit nodes is one thing, but this is just bizarre. They could
>>> make a claim that privacy from your boss is something they wish to prevent,
>>> but I saw no such claim.
>>> 
>>>> On Thu, 27 Aug 2015 at 14:19 CJ <tor@xxxxxxxx> wrote:
>>>> 
>>>> 
>>>> 
>>>>> On 08/27/2015 12:51 AM, grarpamp wrote:
>>>> http://public.dhe.ibm.com/common/ssi/ecm/wg/en/wgl03086usen/WGL03086USEN.PDF
>>>>> 
>>>>> IBM Advises Businesses To Block Tor
>>>>> 
>>>>> With Tor-based attacks on the rise, IBM says it's time to stop Tor in
>>>>> the enterprise.
>>>>> 
>>>>> New data from IBM's X-Force research team shows steady increase in SQL
>>>>> injection and distributed denial-of-service attacks as well as
>>>>> vulnerability reconnaissance activity via the Tor anonymizing service.
>>>> 
>>>> Well, that's why my exit nodes was, until recently, opened only to
>>>> HTTP/HTTPS… Now I've pushed a more opened policy but got abuse mails
>>>> from my hosting service the next hours… until I locked down SSH port.
>>>> 
>>>> People using Tor for "bad things" just don't realize how they fuck up
>>>> the whole thing. Not even mentioning "weird contents", just the script
>>>> kiddies running metasploit/other through Tor.
>>>> 
>>>> Hopefully I'll be able to keep my exit up with the current configuration…
>>>> --
>>>> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe or change other settings go to
>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>> -- 
>>> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe or change other settings go to
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>> -- 
>> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> -- 
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk