FW: [Full-disclosure] Tool Release - Tor Blocker

Ringo Kamens 2600denver at gmail.com
Sun Jun 4 01:55:38 UTC 2006

Instead of blocking tor IPs (people will just use other proxies) why not
make your site secure to begin with? Put up an IDS?

On 6/3/06, Nick Mathewson <nickm at freehaven.net> wrote:
> On Sat, Jun 03, 2006 at 12:23:15AM -0400, y0himba wrote:
> >  Item of interest?
> I'm not sure this is something we need to be terribly concerned about;
> the original poster seems to be overreacting to something with a bad
> blocking tool.  We already ship a better tool to find the exits that
> allow connections to you, so I'm not sure what harm this bit of C
> could do.
> > -----Original Message-----
> > From: full-disclosure-bounces at lists.grok.org.uk
> > [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Jason Areff
> > Sent: Saturday, June 03, 2006 12:22 AM
> > To: full-disclosure at lists.grok.org.uk
> > Subject: [Full-disclosure] Tool Release - Tor Blocker
> >
> > It has come to our attention that the majority of tor users are not actually
> > from China but are rather malicious hackers that (ab)use it to keep their
> > anonymity.
> That's news to me.  We've got around 200,000 active users by our
> estimate; if Mr. Areff is correct, that's over 100,000 malicious
> hackers.  If that were the case, I think we'd see far more abuse
> reports.  I'd be interested to see how he reached his conclusion about
> our user demographics, and whether he thinks we ought to be soliciting
> funds from organized crime rather than the DoD and the EFF (our past
> funders).  (It's understandable why some sysadmins make this mistake,
> of course.  When Tor is used as intended, sysadmins tend not to
> notice: it's just another IP.  When jerks use Tor to irritate others,
> Tor leaps to their attention.)
> >    We have released a tool to stop users from utilizing this tool to
> > protect their identity from prosecution by a designated systems
> > administrator. Otherwise this puts the administrator in responsibility for
> > any malicious actions caused by said user. Forensics is left with a tor exit
> > node.
> >
> > Recently our servers were hacked by a tor user and we were unable to
> > prosecute due to not being able to trace the source as the user was using
> > this malicious piece of software to keep his/her anonymity.
> Malicious?  Okay.
> Rhetoric aside, we fully support everybody's right to block our
> software from using your service. In fact, we've even released a tool
> to help people do this.  Our FAQ, our docs, and personal
> correspondence with us would have each been sufficient to find the
> "exitlist.py" script in the Tor source tree; it uses Tor to keep track
> of exit nodes.  Unlike the Apache module Mr. Areff posted, it keeps an
> up-to-date list of exit nodes, so that as new Tor exits arrive, you
> learn about them automatically.  That way you don't need to hardwire a
> list of inevitably-out-of-date IP addresses, as the posted module
> does.
> > To mitigate most tor attackers we've written an apache module designed to
> > give tor users a 403 error when visiting a specific website.  We suggest all
> > administrators who do not wish a malicious tor user to visit and possibly
> > deface their website to enable the usage of this module. This may not get
> > all attackers, but hopefully it raises the security bar just a little bit
> > more to safeguard ourselves from hackers.
> This is a good interim solution for many people.  If your security
> model is such that anybody with a non-blocked IP can deface your
> website at will, you might want to block anonymizing networks
> until/unless you decide to change your security model.
> > Thanks.
> >
> > Jason Areff
> > CISSP, A+, MCSE, Security+
> yrs,
> --
> Nick Mathewson
> certified for something, I'm sure of it.
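
Added example, not part of the thread and not the exitlist.py script from the Tor source tree: it illustrates the approach described in the reply above, working out which exits allow connections to you from each relay's exit policy instead of hardwiring an IP list. The descriptor text is a constructed, simplified sample; the function names and the accept-on-no-match default are assumptions of this example.

```python
import ipaddress

# Constructed sample: "router <nick> <address> ..." followed by that relay's exit policy.
SAMPLE_DESCRIPTORS = """\
router relayA 192.0.2.10 9001 0 9030
reject 198.51.100.0/24:*
accept *:80
reject *:*
router relayB 192.0.2.20 9001 0 0
reject *:*
router relayC 192.0.2.30 443 0 80
accept 198.51.100.7:22
reject *:22
accept *:80
accept *:1024-65535
reject *:*
router relayD 192.0.2.40 9001 0 0
reject 198.51.100.0/255.255.255.0:80
accept *:*
"""

def parse_descriptors(text):
    """Return {relay_address: [(action, addr_pattern, lo_port, hi_port), ...]}."""
    relays, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "router":
            current = relays.setdefault(fields[2], [])
        elif fields[0] in ("accept", "reject") and current is not None:
            addr, _, ports = fields[1].rpartition(":")
            lo, _, hi = ("1-65535" if ports == "*" else ports).partition("-")
            current.append((fields[0], addr, int(lo), int(hi or lo)))
    return relays

def exit_allows(policy, dest_ip, dest_port):
    """Evaluate one exit policy against a destination; the first matching rule decides."""
    ip = ipaddress.ip_address(dest_ip)
    for action, addr, lo, hi in policy:
        addr_ok = addr == "*" or ip in ipaddress.ip_network(addr, strict=False)
        if addr_ok and lo <= dest_port <= hi:
            return action == "accept"
    return True  # assumption: no rule matched counts as accept, the safe side for a blocklist

def exits_reaching(text, dest_ip, dest_port):
    """Sorted relay addresses whose policy permits connections to dest_ip:dest_port."""
    return sorted(addr for addr, policy in parse_descriptors(text).items()
                  if exit_allows(policy, dest_ip, dest_port))
```

Regenerating the list from current directory data on a schedule is what keeps it from going stale the way a compiled-in address list does.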