[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Towards a Tor Node Best Best Practices Document

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Towards a Tor Node Best Best Practices Document
From: Kasimir Gabert <kasimir.g@xxxxxxxxx>
Date: Tue, 1 May 2012 14:25:33 -0600
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 01 May 2012 16:25:52 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=poiEF1sOOtHaLW3u41ayqM2P3dkTzNmufQfsqkNUBjU=; b=T0BCynBv2dLxEiX6twighLtVTSPukn2S4sXnRkhfFLoLpMpe0qyDVmQ0JBxCLTlY9H Wm879biqZRkl1arvraCJqD+uUjApb6vQb76aLqNH1t/caPwHPSx1Uzr5xkpCf5OOuOzA kDGF6k8xwnVsHojjaDAWQ3u0CwfUSsfkneyDVxJu6viimsZB3+oWaM5Wip0DYvXZ2fcg q0WGc1F09d2A6qdMK7G4/ykBGVfYcUihKq/0wW2XLyx4RCEZfJ3a1+OE3/vr+oaCy0pj 7tOodDGSQ7VAhm4Q19O5H2ZXkmWZpJBjU1eZxrTiaSQLl9GRsHrj5+1l+/Olw+nRDYda blZQ==
In-reply-to: <20120429195916.GA5363@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for support and questions about running Tor relays \(exit, non-exit, bridge\)." <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <20120412210849.GA20233@xxxxxxxxxxxxxx> <20120414231047.1f538901@xxxxxxxxxxxxx> <20120416164008.GB2878@xxxxxxxxxxxxxx> <20120429180639.501bee58@xxxxxxxxxxxxx> <20120429195916.GA5363@xxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx

On Sun, Apr 29, 2012 at 1:59 PM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
>
[snipped]
>
> After reading a few mailinglist archives about kernel.modules_disabled,
> it looks like there is a contingent of kernel developers who are arguing
> for "layered security" over "perfect security", and they are working to
> enumerate and close holes that elevate root directly to ring0. Even if
> the LKML people occasionally refuse to take their patches for old
> unixbeard dogmatic reasons, it looks like they are still being picked up
> by RHEL/CentOS and Ubuntu.
>
> But, this reminds me that I might need to add a "Auditing
> Recommendations" section to the APT.  Technically, the truly paranoid
> should also keep pristine copies of their initrd, kernel, modules, and
> init itself, and veryify/replace them in the event of sketchy activity.
> But the question of how to actually verify/replace these files while
> using an untrusted kernel is another matter..  A few ways come to mind,
> but if we specify just One True Way, obviously custom rootkits could
> still be written to cloak against it...

What do you feel about promoting grsec?

>
[snipped]
>
>
> --
> Mike Perry
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>

Thanks,
Kasimir


--
Kasimir Gabert
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Prev by Author: Re: [tor-relays] [tor-dev] Can we stop sanitizing nicknames in bridge descriptors?
Next by Author: Re: [tor-relays] Configuring a Tor relay to *not* accept torrent traffic
Next by thread: [tor-relays] sustained bandwidth drop through noisetor
Index(es):
- Author
- Thread