
Re: 25 tbreg relays in directory



     On Mon, 29 Jun 2009 07:13:42 -0600 Jim McClanahan <jimmymac@xxxxxxxxxx>
wrote:
>Scott, when I did a "reply" on your email, it (tried to) send it to your
>personal email account rather than the list.

     You probably were replying to the message sent directly to you, so that
is quite likely. :-)
>
>------
>
>Scott Bennett wrote:
>> 
>>      On Mon, 29 Jun 2009 05:14:25 -0600 Jim McClanahan <jimmymac@xxxxxxxxxx>
>> wrote:
>> >Scott Bennett wrote:
>> >
>> >>      Ouch.  This provides another example in support of having a way
>> >> for the directory authorities to render insecure versions ...
>> >> and only usable as clients to connect to the tor project's web site to
>> >> download a current version of tor.
>> >
>> >This kind of thinking baffles me.  It seems diametrically opposed to the
>> >notion of free software.  I could understand if the outdated client was
>> 
>>      How so?  It's still free of charge, freely available, and freely
>> modifiable and redistributable.  (GPL3-licensed software doesn't
>> qualify, IMO.)
>
>I did not mean it was not technically free software.  The license
>takes care of that.  My meaning is that the goal is to restrict people
>rather than to grant freedom.  It is an issue of perspective rather than
>license technicalities.  I probably could have phrased it better.

     Oh, okay.  Thanks for clarifying.
     The intent of my suggestions has been to restrict abuse harmful either
to an uninformed and unsuspecting user or to the tor network overall, not to
restrict "people".
>
>(I happen to like, to the extent I understand it, GPLv3.  But I don't
>see how it is relevant to this discussion and I don't know why it was
>injected into it.)
>
     That was just a side comment.  The viral license is, as I understand it,
the primary motivating reason for the recent decision by the FreeBSD project
to write its own gcc-compatible C compiler in order to keep GPL3 contamination
from getting the upper hand over FreeBSD.  Replacement of other GNU tools in
FreeBSD has been underway for some time already.  The BSD license does not
suffer from the pernicious interference of GPL3, and the FreeBSD project would
like to keep it *Free*BSD.
     There is a history to this way of thinking.  Remember that all of the
modern *BSDs are descended from 4.4BSD-lite, which was released in response
to all the difficulties caused by the AT&T UNIX license that had culminated
in a lawsuit against the University of California Board of Regents (or
Trustees--I don't now recall what they were called at the time).  The AT&T
license problems are also the reason Linus Torvalds decided so long ago that
he'd dump UNIX and write his own.  Likewise for MINIX.  I don't know what
Torvalds will do this time around w.r.t. GPL3, nor what the other *BSD projects
will do.
>> 
>> >endangering the Tor network (which was discussed in the portion of the
>> >comment I skipped over with the ellipsis).  And I would have no problem
>> 
>>      Insecure relays endanger the network
>
>That is why I inserted the ellipsis and made the parenthetical comment
>about it.  I am not arguing against neutralizing insecure relays.  The
>danger to the network is perfect justification IMO.

     Note that the version of tor that Pei Hanru reported here had been part
of the tbreg distribution is *not* secure.
>
>> Insecure clients installed
>> virally onto systems without notice to the users endanger those users.
>
>It's not like the clients ended up there on their own w/o the consent of
>the user or owner.  Trying to enforce a policy on people when those

     Pei Hanru suggested otherwise.

>people are not harming others reeks (IMO) of unsavory things like police
>states and nanny states.  I am opposed.  It is personal perspective, not

     I would argue that those unsuspecting, involuntary tor operators were
indeed harmed and further that they were placed at significant risk of far
greater harms at the hands of that State.

>technical argument.  Obviously, it is technically possible to do what
>you describe.  And because of the free license, it is technically
>possible and legally permissible for people to undo those changes on
>their copies of the software.  It is also possible for the software to
>lie to the network about what it is.  But as I stated, this attitude of
>trying to coerce other people baffles me.  I am not saying nobody does
>it.  The world is full of tyrants.

     Clearly, the above comments are inapplicable to this situation and
to what I was suggesting as a way to deal with similar situations in the
future.  No one suggested that anyone be prevented from deliberately
installing and, at their option, configuring tor to suit their taste.
What was suggested was a way to disable bad software to prevent it from
harming the unsuspecting.  tor is still open source software.  If you
have a bad version, but really do want to run a bad version, you are free
to change it to make it think it is valid even when it isn't.  Of course,
if a large enough fraction of tor users were to do that, tor would fall
into disuse because it would no longer be trusted.
>
>Just to flesh out my view a little more, I would have no problem with a
>configuration option that says "allow the tor network to nearly disable
>this client at <somebody's> discretion."  As long as it could be

     Oh, stop it.  That's ridiculous.  All the person would have to do
would be to upgrade to a valid version.  It does not restrict the user.
It just minimizes the damage that can be caused by software known/suspected
to have something wrong with it.

>disabled.  But I really wonder why Tor developers would be interested in
>spending the time to implement such a thing.
>
     Perhaps because they actually give a damn about the fruits of their
labor.
>> 
>> >with a friendly advisory as long as it wasn't incessant nagware that
>> >couldn't be disabled.  But I don't understand the desire to dictate to
>> 
>>      I don't think the current log messages are so influential as all that.
>> Just take a look at the current consensus. :-(
>> 
>> >people or some nanny viewpoint of trying to save people from
>> >themselves.  (Before somebody makes an argument of keeping the Internet
>> >free of compromised machines, I rather imagine the number of machines
>> >compromised because of Tor software would be lost in the statistical
>> 
>>      Again, when the software is installed by stealth onto the machines
>> of unsuspecting users, then the probability on each user's machine becomes
>> 100%.  In other words, the number of machines w.r.t. the user is 1 out of 1,
>> a ratio that cannot be considered "lost in the noise" for that user.
>
>By stealth???  If that is really so, I guess you could try to make the
>same argument about *any* free software that somebody decided to turn
>into malware.  But I am still unconvinced the people who installed
>didn't know they were installing something.

     Please go back and reread Pei Hanru's summary of what she found out about
the tbreg installations.  If you disagree with what she wrote, please present
the evidence that supports your disagreement.  If you've found something that
Pei Hanru missed that changes your understanding, then the rest of us might
benefit from seeing what you've found.
>
>> >noise of all the other ways machines get compromised.  And I don't think
>> >the unsavory purpose these "tbreg" instances are put to is a relevant
>> >factor.)
>> >
>>      How so?  I note that you deleted all the relevant context in your reply.
>
>I did not reproduce Pei Hanru's email in its entirety because I did not
>see it as necessary.  Or particularly relevant for this discussion.  As
>I stated, "I don't think the unsavory purpose these 'tbreg' instances
>are put to is a relevant factor."  The unsavory purpose I referred to
>and perhaps what you call "relevant context" is the fact that Tor was
>part of software sold to (for the purpose of) (quoting Pei Hanru)
>"automatically register large number of TaoBao accounts." It is my
>opinion (yes, once again, *opinion*) that the fact that an unscrupulous
>person (or group of people) used the free software in question in a
>manner that *might* be analogous to certain freeware (*not* free
>software) actually being a trojan, i.e. malware that arguably was
>installed "by stealth," is not justification for taking a tyrannical
>attitude toward the users of said free software, in this case, Tor.

     BTW, has anyone (not just Jim) tried downloading from the links in
Pei Hanru's summary and then tried running that software?  I don't have
a spare machine to try it on, nor do I have access to anyone here who
can read Chinese and translate for me any information displayed by its
installer or otherwise included in the package(s).
>
>If there is "relevant context" that is eluding me, please inform me
>about it.
>
>BTW, if the person/group/company which sold the software Pei Hanru
>referred to violated the license Tor is released under, I have no
>problems with people seeking legal redress.  It is just what I view as a
>tyrannical attitude toward users that I find abhorrent.
>
>Lest I again be accused of not providing relevant context, here is what
>I take to be the (arguably) relevant (for the discussion of disabling
>software against a user's wish) part of Pei Hanru's email.  Please
>inform me if I am still missing the context to which you refer:
>
>On Sun, 28 Jun 2009 12:09:25 UTC, Pei Hanru wrote:
>
>> The short answer is, someone is making use of Tor to do nasty things,
>> and all "tbreg"s aren't aware they are running Tor relays.
>>
>> The long answer.
>>
>> "tbreg" stands for "TaoBao REGistrar".  TaoBao is an eBay-like website
>> in China. Some sellers want to quickly increase their reputations
>> (so-called refresh) in order to attract more buyers. The first thing
>> for them is to register multiple accounts. However, TaoBao is rigorous
>> on this, a single IP is only allowed to register one or two accounts.
>> So, someone realized this need and began to sell software which
>> automatically register large number of TaoBao accounts. Tor, together
>> with Privoxy, is used as an HTTP proxy to bypass the IP restriction. For
>> some reasons I don't understand, this software will run Tor as a relay.
>
>BTW, I have already thanked Pei Hanru in a different email for tracking
>this down.  Nothing I have said in this email should in any way be
>construed as critical of Pei Hanru.  I appreciate the effort in tracking
>this down and posting the results to the mailing list.
>
     Understood.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
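Added example, written for this archive page and not code from any of the thread's participants or from the Tor project: the thread's subject is relays named "tbreg" appearing in the directory, and Scott points at the current consensus as evidence that log warnings alone do not move operators off old versions. The script below parses an excerpt of a v3 network-status consensus, lists relays whose advertised version is not in the authorities' recommended `server-versions` list, and counts relays per nickname. The `server-versions`, `r`, `s` and `v` lines follow the real consensus format, but the relay entries, identity strings, addresses and version numbers in the sample are constructed for illustration.

```python
"""Scan a Tor v3 consensus excerpt for relays running versions the
directory authorities do not recommend, and count relays per nickname.

Added example for the or-talk thread above; the consensus text below is
constructed, not a real consensus document.
"""
from collections import Counter

# Constructed consensus excerpt.  A real consensus has many more header
# lines and thousands of relay entries; only the line types used here
# ("server-versions", "r", "s", "v") matter for this check.  Versions,
# identity strings and addresses are made up.
SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
client-versions 0.2.0.34,0.2.0.35,0.2.1.15-rc,0.2.1.16-rc
server-versions 0.2.0.34,0.2.0.35,0.2.1.15-rc,0.2.1.16-rc
r tbreg AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2009-06-28 01:00:00 192.0.2.10 9001 0
s Running Valid
v Tor 0.2.0.32
r tbreg CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2009-06-28 01:05:00 192.0.2.11 9001 0
s Running Valid
v Tor 0.2.0.32
r goodrelay EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2009-06-28 02:00:00 198.51.100.5 443 80
s Fast Guard Running Stable Valid
v Tor 0.2.0.35
r oldrelay GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2009-06-28 03:00:00 203.0.113.7 9001 9030
s Running Valid
v Tor 0.2.0.30
"""


def parse_consensus(text):
    """Return (recommended_server_versions, relays).

    relays is a list of dicts with nickname, address, flags and version;
    version is None when the consensus carries no "v" line for the relay.
    """
    recommended = set()
    relays = []
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        keyword = parts[0]
        if keyword == "server-versions" and len(parts) > 1:
            recommended = set(parts[1].split(","))
        elif keyword == "r":
            # r nickname identity digest date time IP ORPort DirPort
            if len(parts) < 9:
                raise ValueError("malformed r line: %r" % line)
            current = {"nickname": parts[1], "address": parts[6],
                       "flags": set(), "version": None}
            relays.append(current)
        elif keyword == "s" and current is not None:
            current["flags"] = set(parts[1:])
        elif keyword == "v" and current is not None:
            # "v Tor 0.2.0.32" -> "0.2.0.32"; keep anything else verbatim
            if len(parts) >= 3 and parts[1] == "Tor":
                current["version"] = parts[2]
            else:
                current["version"] = " ".join(parts[1:])
    return recommended, relays


def find_unrecommended(text):
    """Relays advertising a version outside the recommended server list."""
    recommended, relays = parse_consensus(text)
    return [r for r in relays
            if r["version"] is not None and r["version"] not in recommended]


def count_by_nickname(text):
    """How many relays share each nickname (e.g. the "tbreg" cluster)."""
    _, relays = parse_consensus(text)
    return Counter(r["nickname"] for r in relays)


def report(text):
    """Human-readable summary lines for an operator or list reader."""
    lines = []
    for nickname, n in sorted(count_by_nickname(text).items()):
        if n > 1:
            lines.append("%d relays share nickname %r" % (n, nickname))
    for r in find_unrecommended(text):
        lines.append("%s (%s) runs unrecommended Tor %s"
                     % (r["nickname"], r["address"], r["version"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONSENSUS):
        print(line)
```

Run it against a saved copy of a consensus instead of the constructed sample to see how many relays sit outside the recommended list; the same parse is what a directory authority would need before it could treat a version as unusable for relaying, which is the mechanism the thread argues about.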