I agree, maybe this open letter is better aimed at the security vendors that include Dan's (non-exit) Tor relay list on a blocklist by default, or without warning about the potential impact on other legitimate services (universities, libraries, shared hosting providers, hobbyist email, etc.)
Security vendors are not the only users of such lists. There are many more entities and people that use them without any intermediaries. Negotiating with every single one of them is not only whack-a-moling, but also inefficient compared to addressing the issue at the source.
The issue could be approached in other ways too, but I don’t find them satisfying. It would require things like changing the license, which is an idea I can’t stand behind. It would also demand more effort from Dan, which is unacceptable given he’s offering that free of charge, and likely lead to employing practices I despise.
Once the malware runs, it will phone home over Tor to the .onion; from a network perspective this will look like a TCP connection to an entry node. I can see many reasons to maintain a list of known entry nodes to prevent unauthorized applications or users from connecting out of a network. Those lists should not be enabled for blocking by default.
That’s a good point, but there are things to note.
Tor entry nodes are publicly known. An organization that believes it needs such protection may obtain the list directly from the Tor Project. This requires additional effort, yes. But it should require effort. It’s not big, compared to how much it takes to make such a decision in a responsible manner. And it protects against blindly using blocklists without thinking.
This is the same reasoning that was driving the Polish internet operator (TP) to blanket block servers suspected of running IRC. Not merely connections to IRC, which is questionable on its own, but servers: so one couldn’t e.g. access the websites of many FOSS projects. In my college I had to sign additional papers to be able to access some Wikipedia articles. URLs could contain a particular word also found on porn sites, so the college saw this as a risk of students committing the crime of exposing other students to inappropriate content. We see mandated backdoors in encryption, which use the same logic: encryption helps with committing crimes. Finally, something probably closest to any Tor user’s heart: a requirement to be fully tracked everywhere or otherwise be treated as a second class citizen. Yes, that is also commonly rationalized as protection against attacks. So it’s worth asking whether this is acceptable reasoning.
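The distinction the thread turns on (outbound connections to entry nodes versus inbound connections from relays that never originate traffic) can be made from the relay flags in the Tor network-status format. The following is an added example, not code from the thread or from Dan's list service; the relay entries are constructed sample data using documentation IP ranges, and the `r`/`s` line layout follows the consensus format the Tor Project publishes.

```python
"""Classify Tor relays by direction of traffic they can be involved in.

Added example. SAMPLE_STATUS is constructed data in Tor network-status
"r"/"s" line layout (identity and digest fields are placeholders).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

SAMPLE_STATUS = """\
r guardonly AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
r exitrelay CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 198.51.100.20 443 0
s Exit Fast Guard Running Stable Valid
r middle EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 00:00:00 203.0.113.30 9001 0
s Fast Running Valid
"""


@dataclass
class Relay:
    nickname: str
    address: str
    flags: FrozenSet[str]


def parse_status(text: str) -> List[Relay]:
    """Pair each 'r' line (relay identity, IP in field 6) with the 's' flag line after it."""
    relays: List[Relay] = []
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 7:
            current = (parts[1], parts[6])
        elif parts[0] == "s" and current is not None:
            relays.append(Relay(current[0], current[1], frozenset(parts[1:])))
            current = None
    return relays


def policy_lists(relays: List[Relay]) -> Dict[str, List[str]]:
    """Split the list by what each relay can actually do from a network's point of view.

    Inbound connections to your services can only come from Exit relays.
    A client's first hop (bridges aside) is a Guard relay, so an outbound
    egress policy only needs Guard addresses. Anything without the Exit
    flag never originates Tor traffic toward you, so putting the whole
    list on an inbound blocklist blocks those hosts for nothing.
    """
    return {
        "inbound_block": [r.address for r in relays if "Exit" in r.flags],
        "outbound_block": [r.address for r in relays if "Guard" in r.flags],
        "never_originate": [r.address for r in relays if "Exit" not in r.flags],
    }
```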