On Sat, 02 Apr 2011 20:08:16 -0700 Jacob Appelbaum jacob@appelbaum.net wrote:
On 03/29/2011 02:10 AM, Scott Bennett wrote:
On Thu, 10 Mar 2011 10:27:50 -0800 Chris Palmer <chris@eff.org> wrote:
On 03/10/2011 09:10 AM, mick wrote:
Using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable."
Which says to me that you are using Tor to do this research.
No, it says to you that using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable.
So which is it?
The Observatory work was not done through Tor.
Good.
I think we need a scan of the SSLiverse through Tor.
However, using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable, so I vociferously defend the idea of doing so.
Ah. "The ends justify the means." How enlightened. :-(
I don't think Chris is making "The ends justify the means" as his ethical model. Tor relays with exit policies that allow exiting to *:443
Whether he is or is not using that as his "ethical model", that is indeed the form (see above) of his reasoning for defending the activity in spite of the harmful effects it has upon the tor network.
intend to allow exiting to *:443. You have to go to quite a bit of effort to become a relay, so I'll trust that this counts as consent for exiting the Tor network on port 443. I hope we don't disagree about this?
Use != abuse. If I run sendmail with it configured to accept mail from outside, that does not mean I agree to receive massmail, malware, or other bad stuff via TCP port 25. Because various idiots with access to the Internet insist upon attempting to abuse my ability to receive mail does not militate against my defending my system from such malicious activity in any way I see fit. Do you suppose, for example, that the operators of the root name servers would hesitate for a minute to filter out packets from any address that were obviously attempting a DoS attack upon their root servers? And would they be wrong to do so? Consider that, in doing so, they would not only be defending their own services, but also the proper functioning of the entire Internet. The same reasoning applies to operators of exit nodes wishing to defend the continued existence of their nodes and thereby defend also the proper functioning of the tor network.
Now, if your ethical issue surrounds the fact that they then connect to a computer without asking permission, I'd make the argument that this is reasonable. Even if I was mistaken in your desire to have me connect to your system, I believe your placement of a computer system on the public internet requires handling a little bit of expectation setting.
What do I mean? I mean to say - if you configure PF to block me, I'm still burning some amount of CPU time on your machine. Is that an unethical action on my part? To ask your computer a question and for your computer to reply (with say, a RST) is a normal part of the networking protocols. The internet is inherently chatty and some amount of that chatter is the cost of connecting to the public internet. Obviously 1,000,000 connections at once isn't polite but is polite really zero connections? Is one connection really so impolite or unethical?
Your analogy is not valid. The activity in question can and does result in termination of services to exit nodes by their ISPs.
Now - if we assume that it's reasonable to send a single SYN and then complete the handshake when the policy allows, what is the next boundary? I'd argue that common HTTPS ports probably run HTTPS software - to better understand that software, you'll need to negotiate some or all of that protocol. Is sending a TLS ClientHello a reasonable and ethical next step? I'd say so. It also seems to make sense that when the server replies, you might log the ServerHello. You might even log all of the data that the server intended you to have. Is that impolite or unethical? Is there something wrong with what has been done by this point in the protocol? I don't think so.
As noted above, the activity under consideration results in the general depletion of exit nodes from the tor network. Therefore it must be thought of as an attack upon the tor network itself. Further, an activity that can be used by one party to cause termination of another, innocent party's Internet connection is an intolerable assault upon the latter party's paid access to the Internet for all purposes, not just to offer additional capacity to the tor network, and upon a private agreement between the latter party and his/her ISP. Defense against such offenses is completely appropriate and in order. The activity in question also is not easily distinguishable from that of a lot of actual malware that scans for open ports to find a way in. Using an efficient packet filter (e.g., pf) is a way to provide a defense at minimal cost. Consider it similar to keeping one's household appropriately armed against intruders. Yes, security costs a bit, but TANSTAAFL, and like insurance, it's cheaper than not being prepared when an attack comes. In the case of using a packet filter to prevent responses to miscreants on a permanent basis, it has the additional benefit of proactively defending all other present or future services offered, while denying said miscreants any information. This is even more the case when the filter is combined with something like FreeBSD's black hole option for incoming packets for closed ports because the sender doesn't get a response even in the first attempt. That means that the delay in adding the sender's IP address to the filter does not allow the sender to receive any information at all in response, even once, except in the case that the sender happens to connect to a port that actually *is* open before the sender's address gets added to the table.
Now the client will reasonably tear down the connection as described in the relevant protocols. Is that wrong? I don't think so - the protocols specifically indicate how systems should signal their intentions. You're free to tell me to stop connecting and I'm free to connect - that's how these things generally work.
Let's apply that argument to telephones. There is a procedure for making a telephone call that has several steps: dialing, waiting for the switching system to establish a circuit, ringing the phone at the other end (a connection attempt), possibly several times, then either getting an answer or giving up on the connection attempt with no answer or because the response was a busy signal or notification that the number is no longer assigned. If the call is answered, then information may be transmitted in both directions, and eventually the connection is closed (hung up). So there is a protocol for making a phone call. The existence of the protocol can hardly be a justification for abuse. Is it okay to dial phone numbers, either at random or according to some desired pattern, just to find out whether a human answers, a modem answers, or there is no answer, only to disconnect immediately upon an answer or after an error indication or else upon a configured timeout?
Now - as it happens, the EFF SSL observatory client does not actually implement the entire set of SSL/TLS protocols - just as some software does not implement TLS 1.1 or 1.2 - is it somehow wrong to run a client that isn't completely implemented for all specs that it might encounter? That seems doubtful.
Again, pf's "synproxy" is an appropriate, preconfigured response of the target. It's kind of a simple version of a honeypot.
Google seems to have this data from crawling the web and simply caching it as a matter of crawling everything - they get the data from lots of sources such as other urls, toolbars, etc. Google recently published the Google Certificate Catalog: http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-s...
So is Google's method the only ethical way to collect this certificate data? Or is there no method for collecting this data without users manually submitting each certificate they encounter by hand?
Even if we pretend that the EFF or the Google methods weren't to be used - do you think that the EFF model is actually burning more CPU time on each system?
AFAIK, Google does not use the tor network for its web (or other) crawling activities. For Google's purposes, the tor network would be unusably slow. AFAIK, Google does not use any method that uses someone else's computer(s) to make its connections to a destination. An EFF employee, OTOH, has confessed to doing so on this list. The latter, then, is burning CPU time, as well as network connection throughput capacity, on not just one system, but on routelen + 1 systems for each scanned system times the number of ports scanned on that system.
Do you accept that there is some amount of CPU time you're going to have to burn when you connect to the internet as a server? If so, what's the limit or the edge of reasonable CPU time that a single client may cause for a public server?
Are you asking about reasonable time for service requests from legitimate clients? Or, instead, about reasonable time for ignoring "excommunicated" miscreants?
In any case, the idea of using Tor for perspective routing is not particularly new - Geoffrey Goodell's work on the topic is well over half a decade old at this point. It makes a lot of sense to use Tor as a perspective-routing system of sorts and there's nothing wrong with that at all.
The problem has now been identified and publicized. If EFF can find some non-damaging alternative method to gather the information it desires, then more power to it. In the meantime, it should cease any and all activities that can damage the tor network or that can adversely affect innocent parties elsewhere. Ethics do matter.
Another point, though irrelevant due to the ethical considerations that we've been discussing so far, is that there is no particular reason to use tor rather than some other proxy to look at the Internet from different locations. Anonymity is not necessary to achieve that end.
BTW, I was offended to read a day or two ago that you had been subjected to still more harassment by the federal crime syndicate when returning to the U.S. from points south recently. You certainly have my sympathy over such injustices. The best hope at present is, I think, that the empire will soon bring on its own collapse under the weight of its theft of wealth by inflation when the largest buyers of T-bonds stop buying them. Keep your chin up and your eyes on that day. :-)
Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu
"A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790
Thus spake Scott Bennett (bennett@cs.niu.edu):
On Sat, 02 Apr 2011 Jacob Appelbaum jacob@appelbaum.net wrote:
On Thu, 10 Mar 2011 10:27:50 -0800 Chris Palmer chris@eff.org wrote:
The Observatory work was not done through Tor.
Good.
I think we need a scan of the SSLiverse through Tor.
Use != abuse. If I run sendmail with it configured to accept mail from outside, that does not mean I agree to receive massmail, malware, or other bad stuff via TCP port 25. Because various idiots with access to the Internet insist upon attempting to abuse my ability to receive mail does not militate against my defending my system from such malicious activity in any way I see fit.
You are right. It does not. You are entitled and in fact expected to defend your system from scans and abuse.
Censor yourself, not others.
Further, an activity that can be used by one party to cause termination of another, innocent party's Internet connection is an intolerable assault upon the latter party's paid access to the Internet for all purposes, not just to offer additional capacity to the tor network, and upon a private agreement between the latter party and his/her ISP. Defense against such offenses is completely appropriate and in order.
It is not an arbitrary party whose Internet connection risks termination. It is a party that signed up to protect Internet freedom and resist censorship. People who want to bring censorship to Tor are not welcome on the network. The reason is simply because censorship does not work.
The activity in question also is not easily distinguishable from that of a lot of actual malware that scans for open ports to find a way in.
This justifies Internet censorship? Or censorship at Tor Exits?
Or are we just trying to ethically define "abuse" and "anything that looks like malware" is the best we've come up with so far? That's a pretty poor standard.
Google seems to have this data from crawling the web and simply caching it as a matter of crawling everything - they get the data from lots of sources such as other urls, toolbars, etc. Google recently published the Google Certificate Catalog: http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-s...
So is Google's method the only ethical way to collect this certificate data? Or is there no method for collecting this data without users manually submitting each certificate they encounter by hand?
AFAIK, Google does not use the tor network for its web (or other) crawling activities. For Google's purposes, the tor network would be unusably slow. AFAIK, Google does not use any method that uses someone else's computer(s) to make its connections to a destination.
What does using the Tor network have to do with the ethics of crawling the web/Internet? What makes it not OK to crawl the Internet anonymously, but makes it acceptable to seek that same information so long as you are not anonymous? Or are we being Kantian here, and saying that if everyone crawled the Internet, we'd be doomed. So therefore, only Google can crawl the Internet? That doesn't work either.
Again, people sign up to be Tor relays to take a stand against Internet censorship and surveillance. It is thus expected that they allow all traffic to pass unmolested and unmonitored, or work to implement a way to do their programmatic ExitPolicy filtering in a way that does not impede client activity.
Exits are not so scarce that we need to flex our morals on this point.
An EFF employee, OTOH, has confessed to doing so on this list. The latter, then, is burning CPU time, as well as network connection throughput capacity, on not just one system, but on routelen + 1 systems for each scanned system times the number of ports scanned on that system.
Nobody confessed to doing anything over Tor. Chris and Jake simply defended the idea of crawling the net over Tor. At no point did anybody state that the scan did happen over Tor. In fact, several people said the opposite.
Perhaps if your mail client supported threading this would be more apparent to you? Actually, it's right there in the very first text you quoted, though. So perhaps something else is amiss. Is the pager in UNIX 'mail' still the original 'more' or something? Or are you still using 'ed' to type your mails? :)
Another point, though irrelevant due to the ethical considerations that we've been discussing so far, is that there is no particular reason to use tor rather than some other proxy to look at the Internet from different locations. Anonymity is not necessary to achieve that end.
It is very useful to be able to scan the Internet from multiple, stable vantage points with anonymity.
So long as the resources of any one site are not unreasonably consumed, and so long as the scanner is not substantially occupying Tor exit bandwidth, I really don't see what is so ethically complicated about this.
By occupying this topic with our attention, we are allowing ISPs who seek to impose restrictions on Tor traffic in one form or another to have their way and dictate what is acceptable on our network. Such ISPs do not deserve any Tor-related revenue.
It is that simple. We can worry about compromising our principles for precious few kilobits when all else has failed.
On Friday 15 April 2011 07:12:53 Mike Perry wrote:
What does using the Tor network have to do with the ethics of crawling the web/Internet? What makes it not OK to crawl the Internet anonymously, but makes it acceptable to seek that same information so long as you are not anonymous? Or are we being Kantian here, and saying that if everyone crawled the Internet, we'd be doomed. So therefore, only Google can crawl the Internet? That doesn't work either.
Google and various others crawl the Internet to make a searchable index of information. Mallory crawls the Internet to look for open formmail scripts, misconfigured FTP servers, and the like. What Mallory is looking for is likely to be found on a computer that doesn't have a lot of pointers to it, so he searches IP address space for open ports. Most of his inquiries result in "no such host" or "port closed". Google follows links, so it doesn't make many inquiries to closed ports.
cmeclax
tor-relays@lists.torproject.org