On Sat, Jun 03, 2006 at 12:23:15AM -0400, y0himba wrote:
> Item of interest?

I'm not sure this is something we need to be terribly concerned about; the original poster seems to be overreacting to something with a bad blocking tool. We already ship a better tool to find the exits that allow connections to you, so I'm not sure what harm this bit of C could do.

> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Jason Areff
> Sent: Saturday, June 03, 2006 12:22 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Tool Release - Tor Blocker
>
> It has come to our attention that the majority of tor users are not actually
> from china but are rather malicious hackers that (ab)use it to keep their
> anonymity.

That's news to me. We've got around 200,000 active users by our estimate; if Mr. Areff is correct, that's over 100,000 malicious hackers. If that were the case, I think we'd see far more abuse reports. I'd be interested to see how he reached his conclusion about our user demographics, and whether he thinks we ought to be soliciting funds from organized crime rather than the DoD and the EFF (our past funders).

(It's understandable why some sysadmins make this mistake, of course. When Tor is used as intended, sysadmins tend not to notice: it's just another IP. When jerks use Tor to irritate others, Tor leaps to their attention.)

> We have released a tool to stop users from utilizing this tool to
> protect their identity from prosecution by a designated systems
> administrator. Otherwise this puts the administrator in responsibility for
> any malicious actions caused by said user. Forensics is left with a tor exit
> node.
>
> Recently our servers were hacked by a tor user and we were unable to
> prosecute due to not being able to trace the source as the user was using
> this malicious piece of software to keep his/her anonymity.

Malicious? Okay.

Rhetoric aside, we fully support everybody's right to block our software from using your service. In fact, we've even released a tool to help people do this. Our FAQ, our docs, and personal correspondence with us would have each been sufficient to find the "exitlist.py" script in the Tor source tree; it uses Tor to keep track of exit nodes. Unlike the Apache module Mr. Areff posted, it keeps an up-to-date list of exit nodes, so that as new Tor exits arrive, you learn about them automatically. That way you don't need to hardwire a list of inevitably-out-of-date IP addresses, as the posted module does.

> To mitigate most tor attackers we've written an apache module designed to
> give tor users a 403 error when visiting a specific website. We suggest all
> administrators whom do not wish a malicious tor user to visit and possibly
> deface their website to enable the usage of this module. This may not get
> all attackers, but hopefully it raises the security bar just a little bit
> more to safeguard ourselves from hackers.

This is a good interim solution for many people. If your security model is such that anybody with a non-blocked IP can deface your website at will, you might want to block anonymizing networks until/unless you decide to change your security model.

> Thanks.
>
> Jason Areff
> CISSP, A+, MCSE, Security+

yrs,
--
Nick Mathewson
certified for something, I'm sure of it.
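The contrast drawn in the message above, between a hardwired address list and one that is refreshed as exits come and go, can be shown with a short added example. It is not part of the original e-mail and is neither exitlist.py nor the posted Apache module. The one-address-per-line feed format, the names `ExitBlocklist`, `parse_exit_list` and `normalize`, and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import time

def parse_exit_list(text):
    """Parse one address per line; skip blanks, '#' comments and bad lines."""
    exits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one malformed line must not discard the rest
    return exits

def normalize(addr):
    """Map ::ffff:a.b.c.d to the IPv4 address it carries before lookup."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

class ExitBlocklist:
    """Blocklist that reloads from fetch() once it is older than max_age."""
    def __init__(self, fetch, max_age=1800, clock=time.monotonic):
        self.fetch, self.max_age, self.clock = fetch, max_age, clock
        self.exits, self.loaded_at = set(), None

    def refresh_if_stale(self):
        now = self.clock()
        if self.loaded_at is not None and now - self.loaded_at < self.max_age:
            return
        try:
            fresh = parse_exit_list(self.fetch())
        except OSError:
            return  # feed unavailable: keep the last good list, retry later
        if fresh:   # an empty result is treated as a failed fetch
            self.exits, self.loaded_at = fresh, now

    def status_for(self, client_addr):
        """HTTP status an access check would return for this client."""
        self.refresh_if_stale()
        return 403 if normalize(client_addr) in self.exits else 200

# Constructed sample data: a compiled-in list and two snapshots of a feed.
HARDWIRED = parse_exit_list("192.0.2.10\n198.51.100.7\n")
FEED_V1 = "192.0.2.10\n198.51.100.7\n"
FEED_V2 = "192.0.2.10\n203.0.113.99  # exit that appeared later\nnot-an-ip\n"
```

Once the feed moves from `FEED_V1` to `FEED_V2` and the list ages out, `203.0.113.99` is refused and `198.51.100.7` is allowed again, while `HARDWIRED` still reflects the old snapshot.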