[tor-talk] Automatic vulnerability scanning of Tor Network?

Lee ler762 at gmail.com
Tue Dec 20 22:56:14 UTC 2011

On 12/20/11, Fabio Pietrosanti (naif) <lists at infosecurity.ch> wrote:
> On 12/20/11 8:06 PM, Nick Mathewson wrote:
>> On Tue, Dec 20, 2011 at 1:35 PM, Fabio Pietrosanti (naif)
>> <lists at infosecurity.ch> wrote:
>>>> Absolutely brilliant.  Someone donates to your cause and, if they
>>>> don't come up to your standards, you do your best to ensure they get
>>>> pwned instead of just dropping them from the donor list.
>>> If you want to participate to the Tor Network you must responsible, that
>>> means also keeping your system secure.
>> When I read Lee's above paragraph, I worry Lee might have gotten the
>> idea that Fabio is speaking for Tor in some official capacity.  So:
>> Please be aware that Fabio is speaking for himself, and does not speak
>> on behalf of the Tor Project.
>> For my own part, I am perfectly fine with the idea of working *with*
>> server operators to help them secure their systems, and with making
>> sure that only secure systems are on the network.  But efforts in this
>> area need to work with the foreknowledge and consent of node
>> operators, and not alienate our volunteer community.  Also, the
>> appropriate response to horribly insecure servers on the network would
>> be to inform the operators and de-list the servers if they didn't get
>> fixed--not to publicly post them but leave them on the network.  That
>> would be the worst of all worlds.
> Well it sounds reasonable not to publish the results.
> At the same time having a Metasploit auto-pown module that try to
> exploit the machine to trigger automatic-update would also be a cool
> idea! (i'm joking :P).
> I mean, it doesn't sounds to me a so strong "tabu'" to portscan all the
> Tor servers.

Not all that many years ago I worked with a most excellent Security
Officer.  He was at my cube one day and noticed that someone had left
their PC unlocked and logged into the email system.  I suggested that
he send an mildly embarrassing email from their account & he said "No,
that wouldn't be right."

Up to that point I hadn't thought of pranks as unethical behavior or
an abuse of trust..  but I realized that he was right.

I guess that's my answer to "but everyone else is doing it."  It's not
your server, you do not have permission to scan their machine.  The
people that deserve respect will get permission first.  The people
that don't, won't.


More information about the tor-talk mailing list