[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Securing a Relay - chroot
On 05/27/2011 11:22 AM, CACook@xxxxxxxxxxxxxxx wrote:
On Friday 27 May, 2011 08:10:47 tagnaq wrote:
You do not mention the threats you worry about and assets you care
about (thread model + security requirements).
Yes that's because I don't know what threats there may be.
I am a
user, I don't have an MS in Computer Science.
Heh, I've known those who do who couldn't get as far as you have already.
For example I don't
understand, "maps subnets and/or ports to inside. Separating traffic
into VLANs. In general having a lot more control of the hardware
Wikipedia has a great article on VLANs.
What good is this if users can't secure their own machine
Why set up a relay if my own machine could be
You are asking entirely valid questions that the entire data security
industry also struggles with every day on a deep level. I don't have a
real satisfying answer for you.
You already understand the key point though: separation. Decide which
systems you trust and for what purpose in what contexts you trust them.
Place systems in different trust zones accordingly. Implement barriers
between the zones and be very selective about what is allowed to pass.
No wonder you have a hard time recruiting relays, much
less exit points. I guess the coyness here is for some good reason,
but it's not doing the cause any good. Looks like I have to give up
on a relay.
Computers and networks are inherently good at copying and leaking
information, they do it without even trying. Providing an open service
while perfectly blocking the flow of selective information is actually
extremely difficult to do on shared hardware.
There is always a cost to security, usually complexity, performance,
administration, and money. I find this stuff fascinating and spend all
my learning about it. But when I set up a relay the other day, I chose
to address most of these problems with money: I paid a few dollars a
month for a remote virtual host environment having no trust
relationships with any of my other systems.
tor-talk mailing list