FW: [Full-disclosure] Tool Release - Tor Blocker

Nick Mathewson nickm at freehaven.net
Sat Jun 3 07:22:04 UTC 2006


On Sat, Jun 03, 2006 at 12:23:15AM -0400, y0himba wrote:
>  Item of interest?

I'm not sure this is something we need to be terribly concerned about;
the original poster seems to be overreacting to something with a bad
blocking tool.  We already ship a better tool to find the exits that
allow connections to you, so I'm not sure what harm this bit of C
could do.

> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Jason Areff
> Sent: Saturday, June 03, 2006 12:22 AM
> To: full-disclosure at lists.grok.org.uk
> Subject: [Full-disclosure] Tool Release - Tor Blocker
> 
> It has come to our attention that the majority of tor users are not actually
> from china but are rather malicious hackers that (ab)use it to keep their
> anonymity.

That's news to me.  We've got around 200,000 active users by our
estimate; if Mr. Areff is correct, that's over 100,000 malicious
hackers.  If that were the case, I think we'd see far more abuse
reports.  I'd be interested to see how he reached his conclusion about
our user demographics, and whether he thinks we ought to be soliciting
funds from organized crime rather than the DoD and the EFF (our past
funders).  (It's understandable why some sysadmins make this mistake,
of course.  When Tor is used as intended, sysadmins tend not to
notice: it's just another IP.  When jerks use Tor to irritate others,
Tor leaps to their attention.)

>    We have released a tool to stop users from utilizing this tool to
> protect their identity from prosecution by a designated systems
> administrator. Otherwise this puts the administrator in responsibility for
> any malicious actions caused by said user. Forensics is left with a tor exit
> node.
>
> Recently our servers were hacked by a tor user and we were unable to
> prosecute due to not being able to trace the source as the user was using
> this malicious piece of software to keep his/her anonymity.

Malicious?  Okay.

Rhetoric aside, we fully support everybody's right to block our
software from using your service. In fact, we've even released a tool
to help people do this.  Our FAQ, our docs, and personal
correspondence with us would have each been sufficient to find the
"exitlist.py" script in the Tor source tree; it uses Tor to keep track
of exit nodes.  Unlike the Apache module Mr. Areff posted, it keeps an
up-to-date list of exit nodes, so that as new Tor exits arrive, you
learn about them automatically.  That way you don't need to hardwire a
list of inevitably-out-of-date IP addresses, as the posted module
does.

> To mitigate most tor attackers we've written an apache module designed to
> give tor users a 403 error when visiting a specific website.  We suggest all
> administrators whom do not wish a malicious tor user to visit and possibly
> deface their website to enable the usage of this module. This may not get
> all attackers, but hopefully it raises the security bar just a little bit
> more to safeguard ourselves from hackers.

This is a good interim solution for many people.  If your security
model is such that anybody with a non-blocked IP can deface your
website at will, you might want to block anonymizing networks
until/unless you decide to change your security model.

> Thanks.
> 
> Jason Areff
> CISSP, A+, MCSE, Security+

yrs,
-- 
Nick Mathewson
certified for something, I'm sure of it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 654 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20060603/7334216f/attachment.pgp>


More information about the tor-talk mailing list