On Wed, Mar 07, 2007 at 02:50:34PM +0100, Alexander W. Janssen wrote:
> OK, we heard a lot of technical details, I'll cover the non-tech part of it.
>
> On 3/7/07, Fergie <fergdawg@xxxxxxxxxxx> wrote:
> > Comments?
>
> Yes, it's stupid.

Well, it sounds like a pretty thorough implementation of a well-known attack. If the goal was getting press coverage, it's successful. If the goal was "let's embed a scripting language in everything!" then it's also a success there. If the goal was getting talks at hacker cons, then I bet it will work fine. These are all laudable goals, and I sympathize with them all as far as they go.

But if the goal were actually to send criminals to jail, then I rather suspect that the fellow would've had a talk with law enforcement, or a lawyer, beforehand.

Similarly, I hope that in his interview, the author of this attack mentioned that the attack depends on bad configuration choices on the part of the user, and that the interviewer just didn't think that would be interesting. It would be a bit misleading to say "I have an attack on this system" when you only have an attack against users using the system wrong.

> First, the legal issues. What he does is overtaking a TOR-user's
> machine by malicious code. He's accusing people of being childporn
> consumers based on the fact that *some* childporn keyword was found -
> we all know how good that works! (just have a look at the available
> internet filtering-software out there).

Right. I don't see what keyword set you could possibly use to reliably distinguish between real criminals, people reading Nabokov, people reading reports _about_ the real criminals, and fangirls reading harry/ron slashfic online.

[...]

> Secondly: It's harming the TOR-project in two ways:
> * TOR will lose valuable reputation and the rest of the world will
> denounce us for bigotry.
> * If the anti-child-porn patch will be applied the next lobby-group
> will demand a backdoor. Why not the PETA? They could ask for all
> customers who bought furry clothes online. It's for the animals! Why
> not the RIAA or MPAA? It's for the better good and the artists!

Right. This _is_ a general-purpose attack tool; there's no reason it can't be just as useful for identifying the IPs of misconfigured Tor users looking for information on democracy in China, or for the nearest VD clinic, or for information on how to run for office, or whatever. Snoops everywhere should be pleased.

peace,
-- 
Nick Mathewson