
Re: "Practical onion hacking: finding the real address of Tor clients"



On Tue, 2006-10-31 at 09:49, Fabian Keil wrote:
> George Shaffer <George.Shaffer@xxxxxxxxxxx> wrote:
>  
> > To go to
> > a malicious site you need to encounter a site whose security has been
> > compromised, be tricked into going to a site, be the victim of poisoned
> > DNS, receive an email with a macro based Outlook virus that uses IE
> > functionality, or deliberately browse fringe web sites.
> 
> Or you can use Tor and give every Tor exit node operator the chance
> to render every "trusted site" that doesn't use encryption into
> a source of malware.

If your only point is I forgot to list this, I'm guilty. Other than
that, this seems to be an argument against using Tor.

I was making the point that many web surfers who use poor security with
their browsers don't actually encounter malicious software. I agree with
your restated then they "shouldn't act surprised if they run into
problems." I wish all sites would allow SSL to all pages. Sometimes I
switch http:// to https:// on non forms pages but few major sites 
accept SSL across all their pages; Amazon seems to.

> > > On Thu, 2006-10-26 at 15:05, Fabian Keil wrote:
> > > If the target IP address is unused, the scanner gets an error
> > > message sent from the router located one hop before the target.
> > > If the scanner doesn't get this error message, it's safe to
> > > assume that the target system is running.
> > 
> > . . . Perhaps someone could provide a URL that
> > describes this.
> 
> http://www.ietf.org/rfc/rfc792.txt

Thank you. 

Regarding systrace:

> > Looking at man, it does appear that it would be useful for
> > controlling "developmental" software on a very secure OpenBSD system.
> 
> It's useful to control software in general.

"In general" I agree but there are costs as well as benefits to all
security measures. Rational people can reach a wide range of conclusions
regarding how much to invest and where. I suspect you might be rather
uneasy with controlling software, as in preventing customers from using
Skype, as the Narus tools linked to below can.

> There are several valid reasons not to run a Tor server at all,
> I just don't think that "local security" or "ISP terms of service"
> are among them.

We will obviously continue to disagree about these. I recently came
across http://www.narus.com/products/index.html which describes a line
of products that allow large ISPs and broadband carriers to monitor
everything that flows across their network. Virtually every protocol can
be identified, and everything from any IP can be assembled into a stream
and its contents examined. That barely begins to describe what the
Narus tools can do. If you care about privacy, this is really creepy.

Partly this is to allow carriers to conform to the wiretap laws that are
being applied in the US and other countries, but Narus makes clear the
carriers can use these tools for their own purposes. While resources
should prevent an ISP or carrier from monitoring all their customers all
the time, tools like this will allow them to focus on protocols banned
by terms of service and identify the customers using the banned
protocol. In the case of a cable provider, there is only one in any
specific area. If you lose your access, then you have to hope DSL is
available, and you will normally pay more for comparable download
speeds. Personally I want to be careful about my ISP's terms of service.

George Shaffer