Roger Dingledine arma at
Thu Jan 13 02:01:34 UTC 2011

On Thu, Jan 13, 2011 at 01:17:33AM +0100, Mitar wrote:
> On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry <mikeperry at> wrote:
> > and to suggest
> > solutions for their security problems that involve improving their
> > computer security for the Internet at large (open wifi, open proxies,
> > botnets),
> I am not sure what you mean by that? That there should not be open
> WiFi because it improves security? Or that because there are open
> WiFis, open proxies, botnets you have to secure your systems anyway?

I assume he meant the latter -- there are many ways that people can
reach your website and have their IP address not really linked to the
human making the connection.

This is related to the "if you remove Tor from the world, you're not
really reducing the ability of bad guys to be anonymous on the Internet"
idea. See also my first entry at

> But how do you secure them against abusive behavior (blackmailing,
> posting abusive content...)?

By making your decisions based on the application-level content rather
than the routing of the packets. If you have a forum, and it has jerks,
then you need to learn about accounts and authentication. If it stays
bad, you need to learn about reputation, or moderation, or various other
techniques people have developed over the years to deal with abuse.

> There is probably a reasonable argument that identification would help
> with security here. No?

It depends where your jerks are coming from. If your jerks are all obeying
every law and showing up from their static non-natted IP address, then
yes, routing address is definitely related to identity. But if your
jerks have ever noticed this doesn't work so well for them, they may
start using other approaches and suddenly you're back needing to learn
about application-level mechanisms (or you're back being angry at the
Internet for not giving you identification by IP address; if blocking
by IP address is the only abuse prevention mechanism you've got, you're
going to spend a lot of your life angry).

For more on this topic, I'd point you to a short article a few years
ago by Goodell and Syverson called "The Right Place at the Right Time:
Examining the Use of Network Location in Authentication and Abuse
Prevention" -- but in going to hunt for it I can't find it available
online anymore. Proprietary publishers suck I guess. :(
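
The contrast drawn in this message between deciding on routing address and deciding on application-level identity, as an added example that is not part of the original post: a replay of constructed forum posts under a strike policy keyed once by source IP and once by account. The sample posts, the two-strike threshold and the function name are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample posts: (source_ip, account, abusive).
# 198.51.100.7 stands in for a shared address (NAT, open proxy, open wifi).
POSTS = [
    ("198.51.100.7", "troll42", True),
    ("198.51.100.7", "troll42", True),
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "bob", False),
    ("203.0.113.9", "troll42", True),   # same account, different address
    ("203.0.113.9", "carol", False),
    ("192.0.2.55", "dave", False),
]

def replay(posts, key, threshold=2):
    """Replay posts under a strike policy keyed on 'ip' or 'account'.

    A post is rejected once its key has `threshold` moderator-flagged posts.
    Returns (accounts whose legitimate posts were rejected,
             number of abusive posts that were accepted).
    """
    if key not in ("ip", "account"):
        raise ValueError("key must be 'ip' or 'account'")
    strikes = defaultdict(int)
    legit_rejected, abusive_accepted = [], 0
    for ip, account, abusive in posts:
        k = ip if key == "ip" else account
        if strikes[k] >= threshold:
            if not abusive:
                legit_rejected.append(account)  # collateral damage
            continue
        if abusive:
            strikes[k] += 1
            abusive_accepted += 1
    return legit_rejected, abusive_accepted

if __name__ == "__main__":
    for key in ("ip", "account"):
        collateral, missed = replay(POSTS, key)
        print(f"{key:8} legit rejected={collateral} abusive accepted={missed}")
```

Keying on the account only holds up when creating a new account costs more than switching addresses, which is the job of the authentication, reputation and moderation mechanisms the message refers to.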


