On 12/20/11 7:05 PM, Lee wrote:
>> It would be interesting to analyze it to understand "what's running" on
>> Tor Exit and Tor Relays, eventually make up some kind of network
>> monitoring systems like it's done for Enterprise Security Monitoring
>> Systems.
>
> The difference being that enterprise security monitoring systems are
> monitoring *enterprise* systems. Tor exits and relays do not belong
> to you; you have no right (certainly the ability, but NOT the right)
> to run pen tests on those machines.

The law in Europe typically prohibits breaking into other systems, but doesn't prohibit, in any case, scanning an existing system. The scanning can be considered illegal if the "intention" you had was to break into the system.

For example, the EFF SSL Scan or the Internet Worm scanner don't aim to "break into your system", and so are scans that can be done.

Likewise, what's the problem in receiving a scan on your machine? Please, get a public IP address, don't announce it, don't do anything. Now please have a look, without even being a Tor Server, at how many mass scans you receive.

So please, don't bother with that justification; a scan like that would probably just be one scan of the 10000 you receive every week.

You should be happy to have a free security audit, without any illegal intention, with free reports sent to your email! :-)

> Absolutely brilliant. Someone donates to your cause and, if they
> don't come up to your standards, you do your best to ensure they get
> pwned instead of just dropping them from the donor list.

If you want to participate in the Tor Network you must be responsible; that also means keeping your system secure.

If all the people running Tor Servers don't care about the security of their systems, then it's worthless to run a Tor Server. Do bitcoin mining and donate the results to EFF, but don't run a Tor Server.

However yes, everything is open and must be open.

If an automated scanner run by a Tor-friendly person finds a vulnerability in your system, you should be VERY HAPPY because the vulnerability will not be exploited by a Tor-unfriendly person.

Security through obscurity doesn't scale, so what's the problem?

-naif
_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk