Thus spake Scott Bennett (bennett@cs.niu.edu):
On Sat, 02 Apr 2011 Jacob Appelbaum jacob@appelbaum.net > wrote:
On Thu, 10 Mar 2011 10:27:50 -0800 Chris Palmer chris@eff.org wrote:
The Observatory work was not done through Tor.
Good.I think we need a scan of the SSLiverse through Tor.
Use != abuse. If I run sendmail with it configured to accept mail from outside, thatdoes not mean I agree to receive massmail, malware, or other bad stuff via TCP port 25. Because various idiots with access to the Internet insist upon attempting to abuse my ability to receive mail does not militate against my defending my system from such malicious activity in any way I see fit.
You are right. It does not. You are entitled and in fact expected to defend your system from scans and abuse.
Censor yourself, not others.
Further, an activity that can be used by one party to cause terminationof another, innocent party's Internet connection is an intolerable assault upon the latter party's paid access to the Internet for all purposes, not just to offer additional capacity to the tor network, and upon a private agreement between the latter party and his/her ISP. Defense against such offenses is completely appropriate and in order.
It is not an arbitrary party whose Internet connection risks termination. It is a party that signed up to protect Internet freedom and resist censorship. People who want to bring censorship to Tor are not welcome on the network. The reason is simply because censorship does not work.
The activity in question also is not easily distinguishable from thatof a lot of actual malware that scans for open ports to find a way in.
This justifies Internet censorship? Or censorship at Tor Exits?
Or are we just trying to ethically define "abuse" and "anything that looks like malware" is the best we've come up with so far? That's a pretty poor standard.
Google seems to have this data from crawling the web and simply caching it as a matter of crawling everything - they get the data from lots of sources such as other urls, toolbars, etc. Google recently published the Google Certificate Catalog: http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-s...
So is Google's method the only ethical way to collect this certificate data? Or is there no method for collecting this data without users manually submitting each certificate they encounter by hand?
AFAIK, Google does not use the tor network for its web (or other)crawling activities. For Google's purposes, the tor network would be unusably slow. AFAIK, Google does not use any method that uses someone else's computer(s) to make its connections to a destination.
What does using the Tor network have to do with the ethics of crawling the web/Internet? What makes it not OK to crawl the Internet anonymously, but makes it acceptable to seek that same information so long as you are not anonymous? Or are we being Kantian here, and saying that if everyone crawled the Internet, we'd be doomed. So therefore, only Google can crawl the Internet? That doesn't work either.
Again, people sign up to be Tor relays to take a stand against Internet censorship and surveillance. It is thus expected that they allow all traffic to pass unmolested and unmonitored, or work to implement a way to do their programmatic ExitPolicy filtering in a way that does not impede client activity.
Exits are not so scarce that we need to flex our morals on this point.
An EFF employee, OTOH, has confessed to doing so on this list. The latter, then, is burning CPU time, as well as network connection throughput capacity, on not just one system, but on routelen + 1 systems for each scanned system times the number of ports scanned on that system.
Nobody confessed to doing anything over Tor. Chris and Jake simply defended the idea of crawling the net over Tor. At no point did anybody state that the scan did happen over Tor. In fact, several people said the opposite.
Perhaps if your mail client supported threading this would be more apparent to you? Actually, it's right there in the very first text you quoted, though. So perhaps something else is amiss. Is the pager in UNIX 'mail' still the original 'more' or something? Or are you still using 'ed' to type your mails? :)
Another point, though irrelevant due to the ethical considerations that we've been discussing so far, is that there is no particular reason to use tor rather than some other proxy to look at the Internet from different locations. Anonymity is not necessary to achieve that end.
It is very useful to be able to scan the Internet from multiple, stable vantage points with anonymity.
So long as the resources of any one site are not unreasonably consumed, and so long as the scanner is not substantially occupying Tor exit bandwidth, I really don't see what is so ethically complicated about this.
By occupying this topic with our attention, we are allowing ISPs who seek to impose restrictions on Tor traffic in one form or another to have their way and dictate what is acceptable on our network. Such ISPs do not deserve any Tor-related revenue.
It is that simple. We can worry about compromising our principles for precious few kilobits when all else has failed.