[tor-talk] Automatic vulnerability scanning of Tor Network?

Lee ler762 at gmail.com
Tue Dec 20 22:09:06 UTC 2011

On 12/20/11, Fabio Pietrosanti (naif) <lists at infosecurity.ch> wrote:
> On 12/20/11 7:05 PM, Lee wrote:
>>> It would be interesting to analyze it to understand "what's running" on
>>> Tor Exit and Tor Relays, eventually make up some kind of network
>>> monitoring systems like it's done for Enterprise Security Monitoring
>>> Systems.
>> The difference being that enterprise security monitoring systems are
>> monitoring *enterprise* systems.  Tor exits and relays do not belong
>> to you; you have no right (certainly the ability, but NOT the right)
>> to run pen tests on those machines.
> The law, in Europe, typically prohibits breaking into other systems but
> doesn't prohibit in any case scanning an existing system.
> The scanning can be considered illegal if the "intention" you had was to
> break into the system.
> For example the EFF SSL Scan, or Internet Worm scanner, doesn't aim to
> "break into your system" and so is a scan that can be done.

I tried to stay away from "legal" and "illegal" mainly because there
is no universal agreement on what is/isn't "legal".  Arguing
legalities with people in who-knows-what part of the world seems like
it would be just a waste of time.

> The same, what's the problem in receiving a scan on your machine?

You haven't cleared it with me.

I don't know you, I haven't given you permission to do anything with
my machine other than relay Tor traffic.  It seems to me that my only
reasonable option is to consider a scan as a precursor to an attack.

> Please, get a public IP address, don't announce it, don't do anything.
> Now please have a look, without even being a Tor Server, how many mass
> scans you receive.

I have.  Please consider the idea that just because "everybody else is
doing it" doesn't make it right.

> So please, don't bother with that justification, a scan like that would
> probably just be one scan of 10000 you receive every week.
> You should be happy to have a free security audit, without any illegal
> intention, with free reports sent in your email! :-)

I *should* be happy?!!  There is so much wrong with that attitude ..
with your telling me how I *should* feel about you taking unwelcome
actions against my property being right up at the top of the list.

>> Absolutely brilliant.  Someone donates to your cause and, if they
>> don't come up to your standards, you do your best to ensure they get
>> pwned instead of just dropping them from the donor list.
> If you want to participate in the Tor Network you must be responsible, that
> means also keeping your system secure.

Super.  So in addition to deciding how I *should* feel, now _you_ get
to decide my system's security posture?  Not in this lifetime.  And I
suspect the tor network would lose a lot of servers if they're
required to allow your "free security audit, without any illegal

> If all people running a Tor Server don't care about the Security of
> their systems, then it's worthless to run a Tor Server.

Go re-read my msg.  Scanning my relay got you blacklisted.  That
hardly seems like the attitude of someone that doesn't care about the
Security of their systems.

> Do bitcoin mining and donate results to EFF, but don't run a Tor Server.

You probably wouldn't like the suggestion I have for you...

> However yes, everything is open and must be open.

No it isn't.

We seem to have a fundamental disagreement.  If I provide a service to
anyone on the Internet, that does not imply I've given permission for
anyone to do anything to that server.

Agreed, there isn't much that I can do to stop anyone from attempting
anything - which is why I took my relay down.  People like you decide
that public resources are their own personal play-toys and do whatever
they feel like with, or to, them.

> If an automated scanner run by a Tor friendly person finds a
> vulnerability in your system, you should be VERY HAPPY because the
> vulnerability will not be exploited by a Tor unfriendly person.

What part of the concept "your behavior is indistinguishable from a
Tor unfriendly person" are you having trouble grasping?

> Security through obscurity doesn't scale, so what's the problem?

The problem is that I don't know you, I don't know your intentions,
and I haven't given you permission to do a security audit, free or
otherwise, on my machine.  You need to GET PERMISSION FIRST or you're
behaving exactly like those "Tor unfriendly person" you mentioned.
