On 12/20/11, Fabio Pietrosanti (naif) <li...@infosecurity.ch> wrote:
> On 12/20/11 7:05 PM, Lee wrote:
>>> It would be interesting to analyze it to understand "what's running" on
>>> Tor Exit and Tor Relays, eventually make up some kind of network
>>> monitoring systems like it's done for Enterprise Security Monitoring
>>> Systems.
>>
>> The difference being that enterprise security monitoring systems are
>> monitoring *enterprise* systems. Tor exits and relays do not belong
>> to you; you have no right (certainly the ability, but NOT the right)
>> to run pen tests on those machines.
>
> The law, in Europe, typically prohibits breaking into other systems but
> doesn't prohibit in any case scanning an existing system.
>
> The scanning can be considered illegal if the "intention" you had was to
> break into the system.
>
> For example the EFF SSL Scan, or Internet Worm scanner, doesn't target to
> "break into your system" and so are scans that can be done.

I tried to stay away from "legal" and "illegal" mainly because there is
no universal agreement on what is/isn't "legal". Arguing legalities with
people in who-knows-what part of the world seems like it would be just a
waste of time.

> The same, what's the problem in receiving a scan on your machine?

You haven't cleared it with me. I don't know you, I haven't given you
permission to do anything with my machine other than relay Tor traffic.
It seems to me that my only reasonable option is to consider a scan as a
precursor to an attack.

> Please, get a public IP address, don't announce it, don't do anything.
> Now please have a look, without even being a Tor Server, how many mass
> scans you receive.

I have. Please consider the idea that just because "everybody else is
doing it" doesn't make it right.

> So please, don't bother with that justification, a scan like that would
> probably just be one scan of 10000 you receive every week.
>
> You should be happy to have a free security audit, without any illegal
> intention, with free reports sent in your email! :-)

I *should* be happy?!! There is so much wrong with that attitude .. with
your telling me how I *should* feel about you taking unwelcome actions
against my property being right up at the top of the list.

>> Absolutely brilliant. Someone donates to your cause and, if they
>> don't come up to your standards, you do your best to ensure they get
>> pwned instead of just dropping them from the donor list.
>
> If you want to participate in the Tor Network you must be responsible, that
> means also keeping your system secure.

Super. So in addition to deciding how I *should* feel, now _you_ get to
decide my system's security posture? Not in this lifetime. And I suspect
the tor network would lose a lot of servers if they're required to allow
your "free security audit, without any illegal intention".

> If all people running a Tor Server don't care about the Security of
> their systems, then it's worthless to run a Tor Server.

Go re-read my msg. Scanning my relay got you blacklisted. That hardly
seems like the attitude of someone that doesn't care about the Security
of their systems.

> Do bitcoin mining and donate results to EFF, but don't run a Tor Server.

You probably wouldn't like the suggestion I have for you...

> However yes, everything is open and must be open.

No it isn't. We seem to have a fundamental disagreement. If I provide a
service to anyone on the Internet, that does not imply I've given
permission for anyone to do anything to that server. Agreed, there isn't
much that I can do to stop anyone from attempting anything - which is why
I took my relay down. People like you decide that public resources are
their own personal play-toys and do whatever they feel like with, or to,
them.

> If an automated scanner run by a Tor friendly person finds a
> vulnerability in your system, you should be VERY HAPPY because the
> vulnerability will not be exploited by a Tor unfriendly person.

What part of the concept "your behavior is indistinguishable from a Tor
unfriendly person" are you having trouble grasping?

> Security through obscurity doesn't scale, so what's the problem?

The problem is that I don't know you, I don't know your intentions, and I
haven't given you permission to do a security audit, free or otherwise,
on my machine. You need to GET PERMISSION FIRST or you're behaving
exactly like those "Tor unfriendly persons" you mentioned.

Lee

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk