
Re: 25 tbreg relays in directory



Scott, when I did a "reply" on your email, it (tried to) send it to your
personal email account rather than to the list.

------

Scott Bennett wrote:
> 
>      On Mon, 29 Jun 2009 05:14:25 -0600 Jim McClanahan <jimmymac@xxxxxxxxxx>
> wrote:
> >Scott Bennett wrote:
> >
> >>      Ouch.  This provides another example in support of having a way
> >> for the directory authorities to render insecure versions ...
> >> and only usable as clients to connect to the tor project's web site to
> >> download a current version of tor.
> >
> >This kind of thinking baffles me.  It seems diametrically opposed to the
> >notion of free software.  I could understand if the outdated client was
> 
>      How so?  It's still free of charge, freely available, and freely
> modifiable and redistributable.  (GPL3-licensed software doesn't
> qualify, IMO.)

I did not mean it was not technically free software.  The license
takes care of that.  My meaning is that the goal is to restrict people
rather than to grant freedom.  It is an issue of perspective rather than
license technicalities.  I probably could have phrased it better.

(I happen to like, to the extent I understand it, GPLv3.  But I don't
see how it is relevant to this discussion and I don't know why it was
injected into it.)

> 
> >endangering the Tor network (which was discussed in the portion of the
> >comment I skipped over with the ellipsis).  And I would have no problem
> 
>      Insecure relays endanger the network

That is why I inserted the ellipsis and made the parenthetical comment
about it.  I am not arguing against neutralizing insecure relays.  The
danger to the network is perfect justification IMO.

> Insecure clients installed
> virally onto systems without notice to the users endanger those users.

It's not like the clients ended up there on their own w/o the consent of
the user or owner.  Trying to enforce a policy on people when those
people are not harming others reeks (IMO) of unsavory things like police
states and nanny states.  I am opposed.  It is personal perspective, not
technical argument.  Obviously, it is technically possible to do what
you describe.  And because of the free license, it is technically
possible and legally permissible for people to undo those changes on
their copies of the software.  It is also possible for the software to
lie to the network about what it is.  But as I stated, this attitude of
trying to coerce other people baffles me.  I am not saying nobody does
it.  The world is full of tyrants.

Just to flesh out my view a little more, I would have no problem with a
configuration option that says "allow the tor network to nearly disable
this client at <somebody's> discretion."  As long as it could be
disabled.  But I really wonder why Tor developers would be interested in
spending the time to implement such a thing.

> 
> >with a friendly advisory as long as it wasn't incessant nagware that
> >couldn't be disabled.  But I don't understand the desire to dictate to
> 
>      I don't think the current log messages are so influential as all that.
> Just take a look at the current consensus. :-(
> 
> >people or some nanny viewpoint of trying to save people from
> >themselves.  (Before somebody makes an argument of keeping the Internet
> >free of compromised machines, I rather imagine the number of machines
> >compromised because of Tor software would be lost in the statistical
> 
>      Again, when the software is installed by stealth onto the machines
> of unsuspecting users, then the probability on each user's machine becomes
> 100%.  In other words, the number of machines w.r.t. the user is 1 out of 1,
> a ratio that cannot be considered "lost in the noise" for that user.

By stealth???  If that is really so, I guess you could try to make the
same argument about *any* free software that somebody decided to turn
into malware.  But I am still unconvinced the people who installed
didn't know they were installing something.

> >noise of all the other ways machines get compromised.  And I don't think
> >the unsavory purpose these "tbreg" instances are put to is a relevant
> >factor.)
> >
>      How so?  I note that you deleted all the relevant context in your reply.

I did not reproduce Pei Hanru's email in its entirety because I did not
see it as necessary.  Or particularly relevant for this discussion.  As
I stated, "I don't think the unsavory purpose these 'tbreg' instances
are put to is a relevant factor."  The unsavory purpose I referred to
and perhaps what you call "relevant context" is the fact that Tor was
part of software sold to (for the purpose of) (quoting Pei Hanru)
"automatically registers large numbers of TaoBao accounts." It is my
opinion (yes, once again, *opinion*) that the fact that an unscrupulous
person (or group of people) used the free software in question in a
manner that *might* be analogous to certain freeware (*not* free
software) actually being a trojan, i.e. malware that arguably was
installed "by stealth," is not justification for taking a tyrannical
attitude toward the users of said free software, in this case, Tor.

If there is "relevant context" that is eluding me, please inform me
about it.

BTW, if the person/group/company which sold the software Pei Hanru
referred to violated the license Tor is released under, I have no
problems with people seeking legal redress.  It is just what I view as a
tyrannical attitude toward users that I find abhorrent.

Lest I again be accused of not providing relevant context, here is what
I take to be the (arguably) relevant (for the discussion of disabling
software against a user's wish) part of Pei Hanru's email.  Please
inform me if I am still missing the context to which you refer:

On Sun, 28 Jun 2009 12:09:25 UTC, Pei Hanru wrote:

> The short answer is, someone is making use of Tor to do nasty things,
> and all "tbreg"s aren't aware they are running Tor relays.
>
> The long answer.
>
> "tbreg" stands for "TaoBao REGistrar".  TaoBao is an eBay-like website
> in China. Some sellers want to quickly increase their reputations
> (so-called refresh) in order to attract more buyers. The first thing
> for them is to register multiple accounts. However, TaoBao is rigorous
> on this; a single IP is only allowed to register one or two accounts.
> So, someone realized this need and began to sell software which
> automatically registers large numbers of TaoBao accounts. Tor, together
> with Privoxy, is used as an HTTP proxy to bypass the IP restriction. For
> some reason I don't understand, this software runs Tor as a relay.

BTW, I have already thanked Pei Hanru in a different email for tracking
this down.  Nothing I have said in this email should in any way be
construed as critical of Pei Hanru.  I appreciate the effort in tracking
this down and posting the results to the mailing list.