<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On 15. May 2017, at 01:42, Mirimir &lt;<a href="mailto:mirimir@riseup.net" class="">mirimir@riseup.net</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">On 05/14/2017 11:56 AM, niftybunny wrote:</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">The last time I checked .onion domains don’t need exits. Every Tor<br class="">node can be a chain of the path to the .onion domain. 
So it is<br class="">completely pointless to block all the exits and second: Exits are<br class="">the end of the chain to the “normal” internet, if you don’t want<br class="">outgoing Tor traffic from your internal network you fucking block<br class="">guards and entry/middle nodes not exits<br class=""></blockquote><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Ummm, that's basically what I said. It was stupid for the writer to say</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">"exits". 
But you know that blacklists include all Tor relays.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote><div><br class=""></div><div>Okay, they will overkill/overblock all nodes but they are out of luck with bridges. So it is pointless but they will feel better? Wow, much secure, so block, such ASL, wow!</div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">…. 
btw, good luck with blocking all guards ….<br class=""></blockquote><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Guards are public, bro. But not all bridges, of course.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote><div><br class=""></div>You are right, my bad.</div><div><br class=""><blockquote type="cite" class=""><div class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">niftybunny<br class=""><a href="mailto:abuse@to-surf-and-protect.net" class="">abuse@to-surf-and-protect.net</a><br class=""><br class="">Where ignorance is bliss, 'Tis folly to be 
wise.<br class="">Thomas Gray<span class="Apple-converted-space"> </span><br class=""><br class="">PS: >In accordance with known best practices, any organization<br class="">who has SMB publicly accessible via the internet (ports<br class="">139, 445) should immediately block inbound traffic.<br class=""><br class="">WTF?!??!?!??!?!? WHY WOULD YOU EVEN ALLOW SMB TRAFFIC FROM<br class="">UNTRUSTED INTERNET SOURCES INTO YOUR NETWORK????? WHYYYY?????<br class=""></blockquote><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">Because you're a dumbass motherfucker ;)</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""></div></blockquote><div><br class=""></div>Firewall default is to block all traffic. You have to allow this traffic. 
Without using a VPN this is a special case of stupid …</div><div><br class=""><blockquote type="cite" class=""><div class=""><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class=""><blockquote type="cite" class="">On 15. May 2017, at 00:08, Mirimir &lt;<a href="mailto:mirimir@riseup.net" class="">mirimir@riseup.net</a>&gt; wrote:<br class=""><br class="">On 05/14/2017 08:54 AM, niftybunny wrote:<br class=""><blockquote type="cite" class=""><blockquote type="cite" class="">Known TOR exit nodes are listed within the Security Intelligence<br class="">feed of ASA Firepower devices. Enabling this to be blacklisted<br class="">will prevent outbound communications to TOR networks.<br class=""></blockquote>Wait, what?<br class=""></blockquote><br class="">| WanaCrypt0r will then download a TOR client from<br class="">| <a href="https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip" class="">https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip</a><br class="">| and extract it into the TaskData folder.  
This TOR client is used to<br class="">| communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion,<br class="">| 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion,<br class="">| 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.<br class=""><br class=""><a href="https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/" class="">https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/</a><br class=""><br class="">Sad but true.<br class=""><br class="">But what they want to block are guards and directory servers. But their<br class="">list will probably include all relays, so whatever.<br class=""><br class="">Longer term, it's pointless, because malware authors can just hard code<br class="">bridges. Even custom unlisted bridges.<br class=""><br class=""><blockquote type="cite" class="">niftybunny<br class="">abuse@to-surf-and-protect.net<br class=""><br class="">Where ignorance is bliss, 'Tis folly to be wise.<br class=""><br class="">Thomas Gray<span class="Apple-converted-space"> </span><br class=""><br class=""><blockquote type="cite" class="">On 14. May 2017, at 21:45, Jon Gardner &lt;toradmin@brazoslink.net&gt; wrote:<br class=""><br class="">From the SNORT folks...<br class=""><br class="">http://blog.talosintelligence.com/2017/05/wannacry.html?m=1<br class=""><br class="">".... Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks."<br class=""><br class="">&lt;&gt;&lt;<br class="">Jon L. 
Gardner<br class="">Mobile: +1 979-574-1189<br class="">Email/Skype/Jabber: jon@brazoslink.net<br class="">AIM/iChat/MSN: jlg@mac.com<br class="">_______________________________________________<br class="">tor-relays mailing list<br class="">tor-relays@lists.torproject.org<br class="">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays<br class=""></blockquote></blockquote></blockquote></blockquote></div></blockquote></div><br class=""></body></html>