On Tue, 2006-10-31 at 09:49, Fabian Keil wrote:
> George Shaffer <[EMAIL PROTECTED]> wrote:
>
> > To go to
> > a malicious site you need to encounter a site whose security has been
> > compromised, be tricked into going to a site, be the victim of poisoned
> > DNS, receive an email with a macro based Outlook virus that uses IE
> > functionality, or deliberately browse fringe web sites.
>
> Or you can use Tor and give every Tor exit node operator the chance
> to render every "trusted site" that doesn't use encryption into
> a source of malware.

If your only point is I forgot to list this, I'm guilty. Other than that, this seems to be an argument against using Tor. I was making the point that many web surfers who use poor security with their browsers don't actually encounter malicious software. I agree with your restated then they "shouldn't act surprised if they run into problems."

I wish all sites would allow SSL to all pages. Sometimes I switch http:// to https:// on non forms pages but few major sites accept SSL across all their pages; Amazon seems to.

> > > On Thu, 2006-10-26 at 15:05, Fabian Keil wrote:
> > > If the target IP address is unused, the scanner gets an error
> > > message sent from the router located one hop before the target.
> > > If the scanner doesn't get this error message, it's safe to
> > > assume that the target system is running.
> >
> > . . . Perhaps someone could provide a URL that
> > describes this.
>
> http://www.ietf.org/rfc/rfc792.txt

Thank you.

Regarding systrace:

> > Looking at man, it does appear that it would be useful for
> > controlling "developmental" software on a very secure OpenBSD system.
>
> It's useful to control software in general.

"In general" I agree but there are costs as well as benefits to all security measures. Rational people can reach a wide range of conclusions regarding how much to invest and where. I suspect you might be rather uneasy with controlling software, as in preventing customers from using Skype, as the Narus tools linked to below can.

> There are several valid reasons not to run a Tor server at all,
> I just don't think that "local security" or "ISP terms of service"
> are among them.

We will obviously continue to disagree about these.

I recently came across http://www.narus.com/products/index.html which describes a line of products that allow large ISPs and broadband carriers to monitor everything that flows across their network. Virtually every protocol can be identified, and everything from any IP can be assembled into a stream and its contents examined. That barely begins to describe what the Narus tools can do. If you care about privacy, this is really creepy.

Partly this is to allow carriers to conform to the wiretap laws that are being applied in the US and other countries, but Narus makes clear the carriers can use these tools for their own purposes. While resources should prevent an ISP or carrier from monitoring all their customers all the time, tools like this will allow them to focus on protocols banned by terms of service and identify the customers using the banned protocol.

In the case of a cable provider, there is only one in any specific area. If you lose your access, then you have to hope DSL is available, and you will normally pay more for comparable download speeds. Personally I want to be careful about my ISP's terms of service.

George Shaffer

