[tor-talk] Automatic vulnerability scanning of Tor Network?
ler762 at gmail.com
Tue Dec 20 22:09:06 UTC 2011
On 12/20/11, Fabio Pietrosanti (naif) <lists at infosecurity.ch> wrote:
> On 12/20/11 7:05 PM, Lee wrote:
>>> It would be interesting to analyze it to understand "what's running" on
>>> Tor Exits and Tor Relays, and eventually make up some kind of network
>>> monitoring system like it's done for Enterprise Security Monitoring.
>> The difference being that enterprise security monitoring systems are
>> monitoring *enterprise* systems. Tor exits and relays do not belong
>> to you; you have no right (certainly the ability, but NOT the right)
>> to run pen tests on those machines.
> The law, in Europe, typically prohibits breaking into other systems but
> doesn't in any case prohibit scanning an existing system.
> The scanning can be considered illegal if the "intention" you had was to
> break into the system.
> For example, the EFF SSL Scan or an Internet worm scanner doesn't aim to
> "break into your system", and so those are scans that can be done.
I tried to stay away from "legal" and "illegal" mainly because there
is no universal agreement on what is/isn't "legal". Arguing
legalities with people in who-knows-what part of the world seems like
it would be just a waste of time.
> The same, what's the problem in receiving a scan on your machine?
You haven't cleared it with me.
I don't know you, I haven't given you permission to do anything with
my machine other than relay Tor traffic. It seems to me that my only
reasonable option is to consider a scan as a precursor to an attack.
> Please, get a public IP address, don't announce it, don't do anything.
> Now please have a look, without even being a Tor Server, at how many mass
> scans you receive.
I have. Please consider the idea that just because "everybody else is
doing it" doesn't make it right.
> So please, don't bother with that justification; a scan like that would
> probably just be one scan of the 10000 you receive every week.
> You should be happy to have a free security audit, without any illegal
> intention, with free reports sent to your email! :-)
I *should* be happy?!! There is so much wrong with that attitude ..
with your telling me how I *should* feel about you taking unwelcome
actions against my property being right up at the top of the list.
>> Absolutely brilliant. Someone donates to your cause and, if they
>> don't come up to your standards, you do your best to ensure they get
>> pwned instead of just dropping them from the donor list.
> If you want to participate in the Tor Network you must be responsible, which
> also means keeping your system secure.
Super. So in addition to deciding how I *should* feel, now _you_ get
to decide my system's security posture? Not in this lifetime. And I
suspect the tor network would lose a lot of servers if they're
required to allow your "free security audit, without any illegal
> If all people running Tor Servers don't care about the Security of
> their systems, then it's worthless to run a Tor Server.
Go re-read my msg. Scanning my relay got you blacklisted. That
hardly seems like the attitude of someone that doesn't care about the
Security of their systems.
> Do bitcoin mining and donate the results to EFF, but don't run a Tor Server.
You probably wouldn't like the suggestion I have for you...
> However yes, everything is open and must be open.
No it isn't.
We seem to have a fundamental disagreement. If I provide a service to
anyone on the Internet, that does not imply I've given permission for
anyone to do anything to that server.
Agreed, there isn't much that I can do to stop anyone from attempting
anything - which is why I took my relay down. People like you decide
that public resources are their own personal play-toys and do whatever
they feel like with, or to, them.
> If an automated scanner run by a Tor friendly person finds a
> vulnerability in your system, you should be VERY HAPPY because the
> vulnerability will not be exploited by a Tor unfriendly person.
What part of the concept "your behavior is indistinguishable from a
Tor unfriendly person" are you having trouble grasping?
> Security through obscurity doesn't scale, so what's the problem?
The problem is that I don't know you, I don't know your intentions,
and I haven't given you permission to do a security audit, free or
otherwise, on my machine. You need to GET PERMISSION FIRST or you're
behaving exactly like the "Tor unfriendly person" you mentioned.