[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Automatic vulnerability scanning of Tor Network?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
From: "Fabio Pietrosanti (naif)" <lists@xxxxxxxxxxxxxxx>
Date: Tue, 20 Dec 2011 19:35:50 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 20 Dec 2011 13:36:58 -0500
In-reply-to: <CAD8GWstvNas1A8oqPUmruHGFSHvPkGaER+3WdjHa910ZZoqC-w@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4EF04331.20708@xxxxxxxxxxxxxxx> <CAD8GWstvNas1A8oqPUmruHGFSHvPkGaER+3WdjHa910ZZoqC-w@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.24) Gecko/20111103 Thunderbird/3.1.16

On 12/20/11 7:05 PM, Lee wrote:
>> It would be interesting to analyze it to understand "what's running" on
>> Tor Exit and Tor Relays, eventually make up some kind of network
>> monitoring systems like it's done for Enterprise Security Monitoring
>> Systems.
> 
> The difference being that enterprise security monitoring systems are
> monitoring *enterprise* systems.  Tor exits and relays do not belong
> to you; you have no right (certainly the ability, but NOT the right)
> to run pen tests on those machines.

The law, in Europe, typical prohibit to break into other systems but
doesn't prohibit in any case to scan an existing system.

The scanning can be considered illegal if the "intention" you had was to
break into the system.

For example the EFF SSL Scan, or Internet Worm scanner doesn't target to
"break into your system" and so are scan that can be done.

The same, what's the problem in receiving a scan on your machine?

Please, get an public IP address, don't announce it, don't do anything.
Now please have a look, without even being a Tor Server, how many mass
scan your receive.

So please, don't bother with that justification, a scan like that would
probably just be one scan of 10000 you receive every week.

You should be happy to have a free security audit, without any illegal
intention, with free reports sent in your email! :-)

> Absolutely brilliant.  Someone donates to your cause and, if they
> don't come up to your standards, you do your best to ensure they get
> pwned instead of just dropping them from the donor list.

If you want to participate to the Tor Network you must responsible, that
means also keeping your system secure.

If all people running Tor Server doesn't care about the Security of
their systems, then it's worthless to run a Tor Server.

Do bitcon mining and donate results to EFF, but don't run Tor Server.

However yes, everything it's open and must be open.

If an automated scanner run by a Tor friendly person find a
vulnerability of your system, you should be VERY HAPPY because the
vulnerability will not exploited by a Tor unfriendly person.

Security trough obscurity doesn't scale, so what' the problem?

-naif
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Lee
- Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Nick Mathewson
- Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Robin Kipp
- Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Steven J. Murdoch

References:
- [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Fabio Pietrosanti (naif)
- Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
  - From: Lee

Prev by Author: [tor-talk] Automatic vulnerability scanning of Tor Network?
Next by Author: Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
Previous by thread: Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
Next by thread: Re: [tor-talk] Automatic vulnerability scanning of Tor Network?
Index(es):
- Author
- Thread