Lee <ler762@xxxxxxxxx> wrote on 20.12.2011:
> Which is why I stopped running a relay - waaaay too many people poking
> at my machine. In retrospect I was probably just incredibly naive,
> but when I put up a tor relay I was expecting to just relay tor
> traffic. I did not sign up to be the target of any wannabe pen
> tester.

For me it is quite clear that by setting up a tor relay I highly expose the server and make it a target for scanning and more. Therefore I am personally happy with my servers being scanned by tor friendly people. I don't regard this as an attack but as a helpful service to the community of tor relay operators.

>
> > IE (automatically):
> > - Having a periodic portscan + application fingerprinting
> > - Passing the result to a nessus vulnerability analyzer
> > - Sending the results to the contact info
> > - Repeating the tests every 2 week, sending again the result to the
> > contact info
> > - If a "high" vulnerability it's not fixed automatically within 1
> > months, publish it to the internet
>
> Absolutely brilliant. Someone donates to your cause and, if they
> don't come up to your standards, you do your best to ensure they get
> pwned instead of just dropping them from the donor list.

I would not go so far as to publish vulnerabilities of a tor server on the internet, but the server could be considered as vulnerable. As a result the tor authority server could withdraw guard/exit flags or isolate the vulnerable server so that it no longer gets traffic. I think it is legitimate to make sure that the tor network is not endangered by vulnerable servers.

Regards,
Klaus
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk