On 12/20/11 8:06 PM, Nick Mathewson wrote:
> On Tue, Dec 20, 2011 at 1:35 PM, Fabio Pietrosanti (naif)
> <[email protected]> wrote:
>
>>> Absolutely brilliant. Someone donates to your cause and, if they
>>> don't come up to your standards, you do your best to ensure they get
>>> pwned instead of just dropping them from the donor list.
>>
>> If you want to participate in the Tor Network you must be responsible, that
>> means also keeping your system secure.
>
> When I read Lee's above paragraph, I worry Lee might have gotten the
> idea that Fabio is speaking for Tor in some official capacity. So:
> Please be aware that Fabio is speaking for himself, and does not speak
> on behalf of the Tor Project.
>
> For my own part, I am perfectly fine with the idea of working *with*
> server operators to help them secure their systems, and with making
> sure that only secure systems are on the network. But efforts in this
> area need to work with the foreknowledge and consent of node
> operators, and not alienate our volunteer community. Also, the
> appropriate response to horribly insecure servers on the network would
> be to inform the operators and de-list the servers if they didn't get
> fixed--not to publicly post them but leave them on the network. That
> would be the worst of all worlds.

Well, it sounds reasonable not to publish the results. At the same time, having a Metasploit auto-pown module that tries to exploit the machine to trigger automatic-update would also be a cool idea! (I'm joking :P).

I mean, it doesn't sound to me like such a strong "taboo" to portscan all the Tor servers.

I agree that it's a problem when a portscan goes out from your Tor exit node and you get a server takedown from the ISP (it happened to me!).

But I don't see a big problem in receiving a portscan / app fingerprinting / vulnerability scanning on my node (as long as it doesn't effectively impact the performance of my node), if this could be helpful in letting eventually insecure nodes get notice about their vulnerabilities.

It would also be nice, for example, to create a sort of "Best Practice" for the firewall ports that a Tor exit node can have open with respect to the world (other than Tor-related ports).

For example, in the nmap output of the portscan of all Tor exits, there are hosts on the internet with Unix RPC services, Microsoft SMB, SQL Server, MySQL, etc.

If you were to set up and manage a network (of routers), would you want to run SQL Servers or NFS on your routers?

Probably you would like to have your routers very well hardened, doing their routing job and eventually a few other facilities that cannot impact the main functionality, security and stability.

Also, I understand that a lot of people would run Tor on the server they have, doing "multi-purpose" activities, and that's good.

But I also understand that if we would analytically see the different risk contexts and the likelihood of a compromise of a Tor router, we would agree that servers with a lot of internet-exposed services are more at risk.

It would be very cool if all Tor routers would portscan each other and, depending on the number of non-Tor-related ports open, would provide a "security rating".

The security rating could also be measured depending on the version of Tor used, whether it's up-to-date and there are no "security bugs" in the running version.

That way there would be some objective evaluation, following compliance with a "Best Practice", of which is a Secure Tor Router and which one is not.

A user may decide to use as entry and exit nodes only Tor routers that have a high "security rating" level.

However, those are just a set of sparse ideas from writing while thinking.

-naif
