[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Hacker and Tor (thank you)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Hacker and Tor (thank you)
From: Ben Tasker <ben@xxxxxxxxxxxxxxx>
Date: Sun, 4 Dec 2016 13:41:38 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 04 Dec 2016 08:42:13 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bentasker.co.uk; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=fKCftyclZM7x6pNVgf8wHi7LYPdxlLJV5x5B/QOoXGQ=; b=QqHNydR8f7lCPA/+uTrcuraGpiI5DHj6nABdZ2QfI/iwm8ZWpNGxAkaL89RfQV9LRH 2W/tJZTU0/TjKh9sYVm0W3jSOCTzXvU3pdQH2FJUDIVbCDESQevMSdkhLoXxxoFsoSMK wF8ccW+u8D0dKhsGVthNQlD2Mh9iuibcmW510=
In-reply-to: <1480766450.730007.807107425.06BD9F90@webmail.messagingengine.com>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <1480766450.730007.807107425.06BD9F90@webmail.messagingengine.com>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On Sat, Dec 3, 2016 at 12:00 PM, <techlist@xxxxxxxxxxx> wrote:

> OK; I am sure the Islamic terrorist asking about how to hack websites
> will appreciate your help.

There's no more evidence that the OP is an Islamic terrorist than that he's
perhaps someone on the receiving end trying to identify someone who keeps
compromising his server. It's quite likely that neither's actually true.

And, even if it were true, on balance I think it's probably better for the
world if Islamic Terrorists did suddenly shift their focus from bombing to
hacking the kind of server you'd normally find running CPanel.

But, I agree, the way the question was phrased is somewhat questionable.

> Next step is solving his problem about how to
> build a bomb.
>
>
Yes, let's keep basic chemistry from kids in case they grow up to be
nut-jobs. Building a bomb is not difficult (though doing it without
accidentally triggering it is somewhat harder), and restricting information
that might lead one to learn how to do so means far more than taking down
"howto's", the entire chemistry curriculum needs to change, and there are a
number of household products we'll need to take off the shelves.

The point I'm trying to make, is restricting basic information "just in
case" doesn't work.

Every time some identifies a vulnerability and releases a PoC they're
providing arms that can be used against users that haven't updated yet. On
the other hand, without that PoC other similar projects can't look for
similar vulnerabilities in their own codebase without looking at the
commits that fixed the issue (which is exactly what the bad guys will do).
So the information's still available, we've just made it harder for the
issue to be fixed elsewhere.

Had someone piped up and said "actually, yesterday I found a way to have
CPanel de-anonymise you" the result would have been that someone looked to
see what weakness in the browser allowed it, and users (genuine or
otherwise) would all have been better off.

So yeah, don't directly give help for things you don't agree with, but
trying to outright shut down discussion is counter-productive. Especially
when the steps needed to maintain anonymity can be applied to a wide number
of legit use-cases.

> If >>  >You have a fake usr agent and are running Tor You can do like a
> online browser leakage test.

It's worth noting, purely because I haven't seen it elsewhere. Using an
online browser leakage test is only indicative. If someone's privately
discovered a new way to achieve leakage, the leakage tests aren't going to
show it (at least until they become aware of the technique).

> I would not(and this is my opinion use hidemyass).
>
>
Seconded. HMA are a UK registered company, and with the IPA having just
received royal assent there's a good chance HMA are going to be forced to
log connections (and possibly worse). In principle, that's only an issue if
you come to the attention of law enforcement. In practice, there's a good
chance that the Government is going to apply it's usual skills to the IT
challenge and wind up leaking ICRs all over the place.

-- 
Ben Tasker
https://www.bentasker.co.uk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Hacker and Tor (thank you)
  - From: techlist

Prev by Author: Re: [tor-talk] privacy of hidden services
Next by Author: Re: [tor-talk] [off-topic] linux firewall
Previous by thread: Re: [tor-talk] Hacker and Tor (thank you)
Next by thread: Re: [tor-talk] Will Quantum computing be the end of Tor and all Privacy?
Index(es):
- Author
- Thread