[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: TOR on Academic networks (problem)

Specifically, we're arguing to various administrative and technical
committees that the whole damn network shouldn't be trusted by
services that we subscribe to... and instead, the proxy service that
berkeleyites use to connect to library services off campus should be
used on campus too (so that a much smaller segment of our network is
"trusted").

We actually already have this as well .. a proxy that allows internal users to breeze through, and external ones to authenticate. Why the journals think it fit to trust a /16 or greater is beyond me.

Problem is .. I don't think they'll buy the argument "you need to change your way of doing things so I can offer an anonymous proxy and not cause you problems". They'll just say "why run the proxy at all?".

For the short-term, I wrote a script that wgets the library's list of subscriptions, and munges that to get the unique domain links, and puts those into /etc/hosts with bogus addresses that are denied by the exit policy (eg: 127.0.0.2 some.domain). Yes, I realize this doesn't prevent access by IP, but if I can keep out 95% of the miscreants, that's fine by me.

I hate to break things on purpose, but I do have to dance around a bit to keep this going.

My biggest mistake perhaps was actually giving the library folks an honest answer when they asked .. had I just said "oh .. I'll look into that" and fixed it, they'd have happily gone away. Instead, I sent them the boiler-plate response about TOR and they started asking questions.

Lesson learned : don't call TOR an "anonymous proxy". It's a "privacy router designed to help the Chinese".

/mike.