Rogue exit nodes - checking?

slush slush at
Sun Jun 20 21:58:45 UTC 2010

I dont think you are right.

There are two extremes when checking if two files are the same:

* Both files are exact byte copies - we are happy, because everything is clear
* Both files are absolutely different - we are also happy, because we
know that something is bad

But scanner which consider just these two extremes will throw many
false positives, because world isn't ideal. Just download two copies
of some page few minutes in sequence and you will see. Different
banner? Different language (because you changed IP)? New information
here? Everything these you have to consider and have to report only
important things.

Because it is more heuristic than exact measurement, attacker can
adapt his code to be less harmful and skip notification threshold of

There are two ways how to fight attackers:
a) Opensource scanner and beat them by spending months on scanner improvements.
b) Leave scanner closed and piss them up (my way)

I think your irony isn't outright. Trust me I didn't spend almost year
of my life on bullshit.

John: I know SoaT quite well, I originally consider to improve it. But
my attitude is quite different. SoaT checks everything else than
content (as you wrote: SSL, policy etc) - and throws many false
positives once content differs a bit. I'm interested just in content.


On Sun, Jun 20, 2010 at 11:05 PM, Anders Andersson <pipatron at> wrote:
> Unfortunately I
>> cannot publish source codes because attackers can adapt own techniques
>> (though it would be very difficult).
> Yummy. Security through obscurity. Let's hope the bad guys doesn't
> find out. Or do they already know?..
To unsubscribe, send an e-mail to majordomo at with
unsubscribe or-talk    in the body.

More information about the tor-talk mailing list