[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Blocking child pornography exits

     On Sat, 21 Jul 2007 06:42:04 -0700 Ben Wilhelm <zorba-tor@xxxxxxxxxxxxx>

>Scott Bennett wrote:
> >      Not AFAIK.  It blocks exits for whatever ports you tell it to 
>block exits
> > for.  The sample torrc that comes with the package has several 
>example lines
> > that you can uncomment or that you can simply use as examples for 
>syntax when
> > writing your own ExitPolicy statements.  One of those may be an 
> > reject *:25", but it starts out, IIRC, having only an "ExitPolicy 
>reject *:*"
> > statement uncommented for those who want to dabble in running a 
> > server.
>For quite a few versions, Tor has come with a significant number of 
>ports blocked, including standard ports for email, exploits, and p2p 
>filesharing. I don't know if this is still the case, but if not, it's 
>changed recently.
>The relevant code, which seems to still be active, starts at line 542 in 
>policies.c, and I'll copy the exit policy itself and relevant comment in:
>#define DEFAULT_EXIT_POLICY                                         \
>   "reject *:25,reject *:119,reject *:135-139,reject *:445,"         \
>   "reject *:465,reject *:563,reject *:587,"                         \
>   "reject *:1214,reject *:4661-4666,"                               \
>   "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
>/** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
>  * cfg doesn't end in an absolute accept or reject, add the default exit
>  * policy afterwards. If <b>rejectprivate</b> is true, prepend
>  * "reject private:*" to the policy. Return -1 if we can't parse cfg,
>  * else return 0.
>  */
>So chances are that if you haven't explicitly added an absolute accept 
>or reject to the end of your cfg, you're blocking a large number of 
>ports that the tor developers have decided they don't want on their network.

     Okay, I wasn't aware of that.  How many servers do you think might have
no uncommented ExitPolicy statements?  As I pointed out before, the sample
torrc has "ExitPolicy reject *:*" uncommented, plus a few examples that are
commented.  People who make no changes to the exit policy section of the
sample torrc will run their servers as middleman servers.  So the question is,
how many servers are running as exit servers with the hard-coded default
exit policy in effect?
>Last I heard, the tor developers did this solely to keep the network 
>usable, and not for moral reasons. But I may be wrong on that. 

     Looks reasonable.

>Nevertheless, trying to block something as nebulous and illdefined as 
>"child pornography" is obviously a far, far different thing than simply 
>blocking a pile of ports frequently used for p2p traffic. Tor doesn't 
>even try to recognize common p2p packets, so hey.
     Of course.  tor's raison d'etre is certainly not to encourage snooping
at the content of transmissions.
     It's worth pointing out that PGP and GPG could be used, as well, to
further the interests of child pornographers, yet that is not a reason to
call for code to be added to those programs to look for child pornography
in the files they process.

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *