On Thu, Jan 13, 2011 at 01:17:33AM +0100, Mitar wrote:
> On Wed, Jan 12, 2011 at 6:26 AM, Mike Perry <mikepe...@fscked.org> wrote:
> > and to suggest
> > solutions for their security problems that involve improving their
> > computer security for the Internet at large (open wifi, open proxies,
> > botnets),
>
> I am not sure what you mean by that? That there should not be open
> WiFi because it improves security? Or that because there are open
> WiFis, open proxies, botnets you have to secure your systems anyway?

I assume he meant the latter -- there are many ways that people can reach your website and have their IP address not really linked to the human making the connection. This is related to the "if you remove Tor from the world, you're not really reducing the ability of bad guys to be anonymous on the Internet" idea. See also my first entry at
https://www.torproject.org/docs/faq-abuse

> But how do you secure them against abusive behavior (blackmailing,
> posting abusive content...)?

By making your decisions based on the application-level content rather than the routing of the packets. If you have a forum, and it has jerks, then you need to learn about accounts and authentication. If it stays bad, you need to learn about reputation, or moderation, or various other techniques people have developed over the years to deal with abuse.

> There is probably a reasonable argument that identification would help
> with security here. No?

It depends where your jerks are coming from. If your jerks are all obeying every law and showing up from their static non-natted IP address, then yes, routing address is definitely related to identity. But if your jerks have ever noticed this doesn't work so well for them, they may start using other approaches and suddenly you're back needing to learn about application-level mechanisms (or you're back being angry at the Internet for not giving you identification by IP address; if blocking by IP address is the only abuse prevention mechanism you've got, you're going to spend a lot of your life angry).

For more on this topic, I'd point you to a short article a few years ago by Goodell and Syverson called "The Right Place at the Right Time: Examining the Use of Network Location in Authentication and Abuse Prevention" -- but in going to hunt for it I can't find it available online anymore. Proprietary publishers suck I guess.
:(

--Roger