TOR on Academic networks (problem)
michael.holstein at csuohio.edu
Tue May 16 20:32:00 UTC 2006
> Specifically, we're arguing to various administrative and technical
> committees that the whole damn network shouldn't be trusted by
> services that we subscribe to... and instead, the proxy service that
> berkeleyites use to connect to library services off campus should be
> used on campus too (so that a much smaller segment of our network is
We actually already have this as well .. a proxy that allows internal
users to breeze through, and external ones to authenticate. Why the
journals think it fit to trust a /16 or greater is beyond me.
Problem is .. I don't think they'll buy the argument "you need to change
your way of doing things so I can offer an anonymous proxy and not cause
you problems". They'll just say "why run the proxy at all?".
For the short-term, I wrote a script that wgets the library's list of
subscriptions, and munges that to get the unique domain links, and puts
those into /etc/hosts with bogus addresses that are denied by the exit
policy (eg: 127.0.0.2 some.domain). Yes, I realize this doesn't prevent
access by IP, but if I can keep out 95% of the miscreants, that's fine
I hate to break things on purpose, but I do have to dance around a bit
to keep this going.
My biggest mistake perhaps was actually giving the library folks an
honest answer when they asked .. had I just said "oh .. I'll look into
that" and fixed it, they'd have happily gone away. Instead, I sent them
the boiler-plate response about TOR and they started asking questions.
Lesson learned : don't call TOR an "anonymous proxy". It's a "privacy
router designed to help the Chinese".
More information about the tor-talk