
Re: Rogue exit nodes - checking?



I don't think you are right.

There are two extremes when checking if two files are the same:

* Both files are exact byte copies - we are happy, because everything is clear
* Both files are absolutely different - we are also happy, because we
know that something is bad

But a scanner which considers just these two extremes will throw many
false positives, because the world isn't ideal. Just download two copies
of some page a few minutes apart and you will see. Different
banner? Different language (because you changed IP)? New information
here? All of these you have to consider, and you have to report only
the important things.

Because it is more a heuristic than an exact measurement, an attacker can
adapt his code to be less harmful and stay below the notification threshold of
the scanner.

There are two ways to fight attackers:
a) Open-source the scanner and beat them by spending months on scanner improvements.
b) Leave the scanner closed and piss them off (my way)

I think your irony isn't justified. Trust me, I didn't spend almost a year
of my life on bullshit.

John: I know SoaT quite well; I originally considered improving it. But
my attitude is quite different. SoaT checks everything other than
content (as you wrote: SSL, policy etc.) and throws many false
positives once the content differs a bit. I'm interested just in content.

Marek

On Sun, Jun 20, 2010 at 11:05 PM, Anders Andersson <pipatron@xxxxxxxxx> wrote:
>> Unfortunately I
>> cannot publish source codes because attackers can adapt own techniques
>> (though it would be very difficult).
>
> Yummy. Security through obscurity. Let's hope the bad guys don't
> find out. Or do they already know?
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
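The two extremes Marek describes (byte-identical vs. completely different) and the fuzzy middle are easy to see in code. The following is an added example written for this archive page; it is not Marek's scanner, not SoaT, and not Tor project code. It assumes four constructed sample pages (a reference fetch, a benign re-fetch with a different banner, language and visitor IP, a copy with one injected script, and an unrelated captive-portal page) and an arbitrary similarity threshold of 0.9. It reduces each page to its tag skeleton plus the sources of active content, so that banner text and localised strings do not count, and it reports any new script/iframe source regardless of the score, since a single injected tag barely moves a structural similarity ratio.

```python
import difflib
from html.parser import HTMLParser

# Tags whose external source matters most when checking for injected content.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class Skeleton(HTMLParser):
    """Reduce a page to its tag sequence plus the sources of active content.

    Visible text (banners, localised strings, the visitor's IP) is dropped on
    purpose: it changes between fetches even when nothing is wrong.
    """

    def __init__(self):
        super().__init__()
        self.tokens = []      # tag names in document order
        self.sources = set()  # script/iframe/embed/object sources

    def handle_starttag(self, tag, attrs):
        self.tokens.append(tag)
        attr = ACTIVE_TAGS.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.sources.add(value)


def skeleton(html):
    parser = Skeleton()
    parser.feed(html)
    parser.close()
    return parser.tokens, parser.sources


def compare(reference, candidate, threshold=0.9):
    """Classify a candidate fetch of a URL against a reference fetch.

    Returns (verdict, similarity, new_sources) with verdict one of
    'identical', 'benign_drift' or 'suspicious'. The threshold is an
    assumed tuning value, not a measured one.
    """
    if reference == candidate:
        return "identical", 1.0, set()
    ref_tokens, ref_sources = skeleton(reference)
    cand_tokens, cand_sources = skeleton(candidate)
    similarity = difflib.SequenceMatcher(None, ref_tokens, cand_tokens).ratio()
    new_sources = cand_sources - ref_sources
    # A new active-content source is reported regardless of the score; the
    # score alone only catches gross structural changes such as a portal page.
    if new_sources or similarity < threshold:
        return "suspicious", similarity, new_sources
    return "benign_drift", similarity, new_sources


# Constructed sample pages (not real fetches).
REFERENCE = """<html><head><title>Example Site</title></head>
<body><div class="banner">Summer sale, 20% off!</div>
<p>Hello, visitor from 203.0.113.5</p>
<script src="/static/app.js"></script></body></html>"""

# Same structure, different banner, language and visitor IP: should not alarm.
BENIGN = """<html><head><title>Beispielseite</title></head>
<body><div class="banner">Winterschlussverkauf!</div>
<p>Hallo, Besucher von 198.51.100.7</p>
<script src="/static/app.js"></script></body></html>"""

# Identical to the reference except for one injected script tag.
TAMPERED = """<html><head><title>Example Site</title></head>
<body><div class="banner">Summer sale, 20% off!</div>
<p>Hello, visitor from 203.0.113.5</p>
<script src="/static/app.js"></script>
<script src="http://injected.example/x.js"></script></body></html>"""

# An unrelated page served in place of the site (e.g. a captive portal).
PORTAL = """<html><body><h1>Login required</h1>
<form><input name="user"><input name="pass"></form></body></html>"""


if __name__ == "__main__":
    for name, page in [("benign", BENIGN), ("tampered", TAMPERED), ("portal", PORTAL)]:
        verdict, score, new = compare(REFERENCE, page)
        print(f"{name:9s} {verdict:13s} similarity={score:.3f} new_sources={sorted(new)}")
```

Running it shows the point of the thread: the benign re-fetch scores 1.0 on structure, the injected script leaves the ratio at about 0.93, above the threshold, and is caught only by the explicit new-source rule, while the portal page scores far below the threshold. Any tampering that stays inside the rules the scanner encodes will pass, which is exactly why the rules are a heuristic rather than a measurement.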