"Practical onion hacking: finding the real address of Tor clients"

Fabian Keil freebsd-listen at fabiankeil.de
Tue Oct 31 14:49:32 UTC 2006


George Shaffer <George.Shaffer at comcast.net> wrote:

> On Thu, 2006-10-26 at 15:05, Fabian Keil wrote:
> > George Shaffer <George.Shaffer at comcast.net> wrote:
> > > On Mon, 2006-10-23 at 08:22, Fabian Keil wrote:
> > > > George Shaffer <George.Shaffer at comcast.net> wrote:
> > > > 
> > > > > . . . many web surfers, even
> > > > > knowledgeable ones, like the "rich" experience and are willing to
> > > > > sacrifice security and privacy for it.
> > > > 
> > > > And they constantly get what they deserve. . .
> > > 
> > > If a member of your family is sick with a contagious disease, and you
> > > tend to them, do you "deserve" to get the disease? It might be
> > > smarter to stay away and call a doctor, but perhaps you get infected
> > > before you knew a doctor was needed, or while waiting for the
> > > doctor, or can't afford a doctor.
> > 
> > I fail to see the similarities between willingly sacrificing
> > security and privacy for '"rich" experience' and caring about
> > ones family.
> 
> It may have been a poor analogy (I was thinking of computer viruses
> which suggested disease) but my objection is to the use of the word
> "deserve."

Lets replace it with "shouldn't act surprised if they run into
problems" then.
 
> What is so often forgotten about malicious web attacks is that nearly
> all web operators have a large investment in their sites and malicious
> software hurts them as much or more as victim client computers. To go to
> a malicious site you need to encounter a site whose security has been
> compromised, be tricked into going to a site, be the victim of poisoned
> DNS, receive an email with a macro based Outlook virus that uses IE
> functionality, or deliberately browse fringe web sites.

Or you can use Tor and give every Tor exit node operator the chance
to render every "trusted site" that doesn't use encryption into
a source of malware.

> > > > Anyone interested whether or not your IP address is currently in
> > > > use only needs to do a port scan. 
> > > 
> > > Are you sure? By "stealth" I mean . . .
> > 
> > If the target IP address is unused, the scanner gets an error
> > message send from the router located one hop before the target.
> > If the scanner doesn't get this error message, it's safe to
> > assume that the target system is running.
> 
> By unused to you mean unassigned or will simply turned off result in
> such a message? I don't have enough computers to test this and know of
> no legal way to do so. I guess I have to take your word, though I've
> never heard this before. Perhaps someone could provide a URL that
> describes this.

http://www.ietf.org/rfc/rfc792.txt
 
> > > > And if you can't trust your firewall
> > > > enough to work in cases where someone knows that your IP address is
> > > > in use, you should get a firewall that actually works anyway.
> > > 
> > > One might conclude, if one assumed these couple smart alec remarks
> > > represented your entire knowledge of firewalls, that you don't seem
> > > to know that once you open a port in a firewall to a server, e.g.,
> > > Tor and port 80, that the firewall cannot protect that server.
> > 
> > The packet filter can still protect all other ports and
> > increase the chances that the packets arriving at the Tor
> > running server are valid. The Tor server's host system can make sure
> > that a compromised Tor server doesn't cause too much damage.
> > As a OpenBSD user you will be aware of systrace,
> > other systems have similar tools.
> 
> While I'm generally familiar with most of your points, and the one about
> a firewall only allowing valid packets is a good one, in the context of
> this discussion, your final sentence grates. Perhaps this comes from the
> way German translates to English, but it would be much easier to read
> "If you are not familiar with, then you should look up systrace" rather
> than saying "you will be aware of." If I ever knew it I've completely
> forgotten it. Looking at man, it does appear that it would be useful for
> controlling "developmental" software on a very secure OpenBSD system.

It's useful to control software in general.

> Fabian, please make this the last time you suggest that I run a Tor
> server whether locally or hosted. This is the third time you've
> suggested that I run a server and the third time I said I'm not going
> to.

I thought we were discussing the (dis)advantaged of running
a Tor server in general. I don't intend to convince you personally
to run a Tor server, especially not if you don't even use the Tor
client regularly.

There are several valid reason not to run a Tor server at all,
I just don't think that "local security" or "ISP terms of service"
are among them.

Fabian
-- 
http://www.fabiankeil.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20061031/bbae9d63/attachment.pgp>


More information about the tor-talk mailing list