TOR on Academic networks (problem)

Michael Holstein michael.holstein at csuohio.edu
Tue May 16 20:32:00 UTC 2006


> Specifically, we're arguing to various administrative and technical
> committees that the whole damn network shouldn't be trusted by
> services that we subscribe to... and instead, the proxy service that
> berkeleyites use to connect to library services off campus should be
> used on campus too (so that a much smaller segment of our network is
> "trusted").

We actually already have this as well .. a proxy that allows internal 
users to breeze through, and external ones to authenticate. Why the 
journals think it fit to trust a /16 or greater is beyond me.

Problem is .. I don't think they'll buy the argument "you need to change 
your way of doing things so I can offer an anonymous proxy and not cause 
you problems". They'll just say "why run the proxy at all?".

For the short-term, I wrote a script that wgets the library's list of 
subscriptions, and munges that to get the unique domain links, and puts 
those into /etc/hosts with bogus addresses that are denied by the exit 
policy (e.g.: 127.0.0.2 some.domain). Yes, I realize this doesn't prevent 
access by IP, but if I can keep out 95% of the miscreants, that's fine 
by me.

I hate to break things on purpose, but I do have to dance around a bit 
to keep this going.

My biggest mistake perhaps was actually giving the library folks an 
honest answer when they asked .. had I just said "oh .. I'll look into 
that" and fixed it, they'd have happily gone away. Instead, I sent them 
the boiler-plate response about TOR and they started asking questions.

Lesson learned: don't call TOR an "anonymous proxy". It's a "privacy 
router designed to help the Chinese".

/mike.
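
An added example, not part of the original message and not the author's script: one way the short-term measure described above could be written in shell, pulling the unique hostnames out of a subscription list and writing them as a replaceable block of hosts entries. The sample page, the marker comments and the function names are assumptions; 127.0.0.2 is the bogus address given in the post.

```shell
#!/bin/sh
BOGUS_ADDR="127.0.0.2"  # address used in the post; the exit policy must reject it

# Constructed sample of a subscription list page (assumption, not real data).
sample_page() {
cat <<'EOF'
<li><a href="http://journals.example.org/toc">Journal A</a></li>
<li><a href="HTTPS://Journals.Example.org:443/issue/2">Journal A, issue 2</a></li>
<li><a href='http://user@db.example.com/search?q=1'>Database B</a></li>
<li><a href="http://192.0.2.10/fulltext">IP-only link</a></li>
<li><a href="/local/help.html">Relative link</a></li>
<li><a href="mailto:library@example.edu">Contact</a></li>
EOF
}

# HTML on stdin -> unique, lower-cased hostnames of absolute http(s) links.
# Scheme, path, userinfo and port are stripped; IP literals are dropped because
# a hosts entry cannot block them; anything not shaped like a hostname is dropped.
extract_hosts() {
  grep -Eio "href=[\"']?https?://[^\"' >]+" |
    sed -e 's|^[^:]*://||' -e 's|[/?#].*$||' -e 's|^.*@||' -e 's|:[0-9]*$||' |
    tr 'A-Z' 'a-z' |
    grep -Ev '^[0-9.]+$' |
    grep -E '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$' |
    sort -u
}

# HTML on stdin -> marked block of hosts entries pointing at the bogus address.
hosts_block() {
  echo "# BEGIN journal-block (generated)"
  extract_hosts | while read -r h; do printf '%s\t%s\n' "$BOGUS_ADDR" "$h"; done
  echo "# END journal-block"
}

# Replace any earlier generated block in hosts file $1 with the block on stdin,
# so re-running after the subscription list changes does not pile up entries.
update_hosts() {
  tmp=$(mktemp) || return 1
  sed '/^# BEGIN journal-block/,/^# END journal-block/d' "$1" > "$tmp"
  cat >> "$tmp"
  cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo against a scratch file rather than the real /etc/hosts.
demo=$(mktemp); printf '127.0.0.1\tlocalhost\n' > "$demo"
sample_page | hosts_block | update_hosts "$demo"
cat "$demo"; rm -f "$demo"
```

For real use, pipe the fetched list (for instance the output of wget -qO- on the library's page) into hosts_block in place of sample_page, and pass /etc/hosts to update_hosts once the generated block has been reviewed.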


