[tor-talk] Automatic vulnerability scanning of Tor Network?

Lee ler762 at gmail.com
Tue Dec 20 22:09:06 UTC 2011 

On 12/20/11, Fabio Pietrosanti (naif) <lists at infosecurity.ch> wrote:
> On 12/20/11 7:05 PM, Lee wrote:
>>> It would be interesting to analyze it to understand "what's running" on
>>> Tor Exit and Tor Relays, eventually make up some kind of network
>>> monitoring systems like it's done for Enterprise Security Monitoring
>>> Systems.
>>
>> The difference being that enterprise security monitoring systems are
>> monitoring *enterprise* systems.  Tor exits and relays do not belong
>> to you; you have no right (certainly the ability, but NOT the right)
>> to run pen tests on those machines.
>
> The law, in Europe, typical prohibit to break into other systems but
> doesn't prohibit in any case to scan an existing system.
>
> The scanning can be considered illegal if the "intention" you had was to
> break into the system.
>
> For example the EFF SSL Scan, or Internet Worm scanner doesn't target to
> "break into your system" and so are scan that can be done.

I tried to stay away from "legal" and "illegal" mainly because there
is no universal agreement on what is/isn't "legal".  Arguing
legalities with people in who-knows-what part of the world seems like
it would be just a waste of time

> The same, what's the problem in receiving a scan on your machine?

You haven't cleared it with me.

I don't know you, I haven't given you permission to do anything with
my machine other than relay Tor traffic.  It seems to me that my only
reasonable option is to consider a scan as a precursor to an attack.

> Please, get an public IP address, don't announce it, don't do anything.
> Now please have a look, without even being a Tor Server, how many mass
> scan your receive.

I have.  Please consider the idea that just because "everybody else is
doing it" doesn't make it right.

> So please, don't bother with that justification, a scan like that would
> probably just be one scan of 10000 you receive every week.
>
> You should be happy to have a free security audit, without any illegal
> intention, with free reports sent in your email! :-)

I *should* be happy?!!  There is so much wrong with that attitude ..
with your telling me how I *should* feel about you taking unwelcome
actions against my property being right up at the top of the list.


>> Absolutely brilliant.  Someone donates to your cause and, if they
>> don't come up to your standards, you do your best to ensure they get
>> pwned instead of just dropping them from the donor list.
>
> If you want to participate to the Tor Network you must responsible, that
> means also keeping your system secure.

Super.  So in addition to deciding how I *should* feel, now _you_ get
to decide my system's security posture?  Not in this lifetime.  And I
suspect the tor network would lose a lot of servers if they're
required to allow your "free security audit, without any illegal
intention".

> If all people running Tor Server doesn't care about the Security of
> their systems, then it's worthless to run a Tor Server.

Go re-read my msg.  Scanning my relay got you blacklisted.  That
hardly seems like the attitude of someone that doesn't care about the
Security of their systems


> Do bitcon mining and donate results to EFF, but don't run Tor Server.

You probably wouldn't like the suggestion I have for you...

> However yes, everything it's open and must be open.

No it isn't.

We seem to have a fundamental disagreement.  If I provide a service to
anyone on the Internet, that does not imply I've given permission for
anyone to to do anything to that server.

Agreed, there isn't much that I can do to stop anyone from attempting
anything - which is why I took my relay down.  People like you decide
that public resources are their own personal play-toys and do whatever
they feel like with, or to, them.

> If an automated scanner run by a Tor friendly person find a
> vulnerability of your system, you should be VERY HAPPY because the
> vulnerability will not exploited by a Tor unfriendly person.

What part of the concept "your behavior is indistinguishable from a
Tor unfriendly person" are you having trouble grasping?

> Security trough obscurity doesn't scale, so what' the problem?

The problem is that I don't know you, I don't know your intentions,
and I haven't given you permission to do a security audit, free or
otherwise, on my machine.  You need to GET PERMISSION FIRST or you're
behaving exactly like those "Tor unfriendly person" you mentioned.

Lee

More information about the tor-talk mailing list