[tor-talk] Hacker and Tor (thank you)
ben at bentasker.co.uk
Sun Dec 4 13:41:38 UTC 2016
On Sat, Dec 3, 2016 at 12:00 PM, <techlist at 123mail.org> wrote:
> OK; I am sure the Islamic terrorist asking about how to hack websites
> will appreciate your help.
There's no more evidence that the OP is an Islamic terrorist than that he's
perhaps someone on the receiving end trying to identify someone who keeps
compromising his server. It's quite likely that neither's actually true.
And, even if it were true, on balance I think it's probably better for the
world if Islamic Terrorists did suddenly shift their focus from bombing to
hacking the kind of server you'd normally find running CPanel.
But, I agree, the way the question was phrased is somewhat questionable.
> Next step is solving his problem about how to
> build a bomb.
Yes, let's keep basic chemistry from kids in case they grow up to be
nut-jobs. Building a bomb is not difficult (though doing it without
accidentally triggering it is somewhat harder), and restricting information
that might lead one to learn how to do so means far more than taking down
"howto's", the entire chemistry curriculum needs to change, and there are a
number of household products we'll need to take off the shelves.
The point I'm trying to make, is restricting basic information "just in
case" doesn't work.
Every time someone identifies a vulnerability and releases a PoC they're
providing arms that can be used against users that haven't updated yet. On
the other hand, without that PoC other similar projects can't look for
similar vulnerabilities in their own codebase without looking at the
commits that fixed the issue (which is exactly what the bad guys will do).
So the information's still available, we've just made it harder for the
issue to be fixed elsewhere.
Had someone piped up and said "actually, yesterday I found a way to have
CPanel de-anonymise you" the result would have been that someone looked to
see what weakness in the browser allowed it, and users (genuine or
otherwise) would all have been better off.
So yeah, don't directly give help for things you don't agree with, but
trying to outright shut down discussion is counter-productive. Especially
when the steps needed to maintain anonymity can be applied to a wide number
of legit use-cases.
> If >> >You have a fake user agent and are running Tor You can do like an
> online browser leakage test.
It's worth noting, purely because I haven't seen it elsewhere. Using an
online browser leakage test is only indicative. If someone's privately
discovered a new way to achieve leakage, the leakage tests aren't going to
show it (at least until they become aware of the technique).
> I would not (and this is my opinion) use hidemyass.
Seconded. HMA are a UK registered company, and with the IPA having just
received royal assent there's a good chance HMA are going to be forced to
log connections (and possibly worse). In principle, that's only an issue if
you come to the attention of law enforcement. In practice, there's a good
chance that the Government is going to apply its usual skills to the IT
challenge and wind up leaking ICRs all over the place.