Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tor - The Yin or the Yang?

Posted by Zonk on from the watch-the-shadows dept.

An anonymous reader writes "Whitedust is running a interesting article on Tor, The Onion Router project sponsored by the EFF. Tor aims to offer anonymous internet use. Once sponsored by the Naval Research Lab with support from DARPA, it is now managed by The Free Haven Project. Although Tor claims to improve safety and security, the article goes into detail on how Tor can be used as a anonymous attack platform."

14 of 139 comments (clear)

  1. anon attack platform? yup! by Lumpy · · Score: 5, Insightful

    It's already being used this way. Friends still in IRC have been fighting Tor attacks by crapflooders that require 15-20 bans to get rid of the jerk. and the IP's line up with Tor proxies.

    It's not hard to modify the client to do nasties for you. hell it can be used to attack any web forum easily without modification.

    unfortunately the kiddies discovered it useful for attacking already.

    --
    Do not look at laser with remaining good eye.
    1. Re:anon attack platform? yup! by dgatwood · · Score: 4, Insightful
      This just tells us what we already knew--online forums and chat mechanisms and other similar technologies should always be designed to require registration.

      IRC is a relic from the ancient design museum, a reminder that once, when the internet was young, everyone who could run a server on the 'net could be trusted. SMTP is the same way, along with a number of other fossilized protocols. These protocols, if they are to continue to be useful in the new age of IP spoofing, dynamic IPs, and wormhole routing, need to be redesigned with a modicum of security built into them.

      Most people aren't willing to create an account with their real email address to post crapfloods. The few who do can be easily banned by email address.

      I know, I know, I'm posting on the world's biggest counterexample for my opinion. Such is life.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Re:Cultural Idiots by Anonymous Coward · · Score: 1, Insightful

    Ying referes to an aspect of the male anatomy... So is this slip up a foreshadowing that Tor will eventually get the shaft?

  3. Of course it can be abused by Brad+Mace · · Score: 5, Insightful

    For a society to be free, it MUST be possible for people to do things that are against the law. That's just how it works. If people do something illegal then you can punish them, but only an extremely facist government could hope to prevent crimes before they occur.

  4. RBL tor nodes? by blueskies · · Score: 4, Insightful

    If it becomes a large enough of a problem, i can see people firewalling based apon a list of tor nodes.

  5. Fantastic! by Anonymous Coward · · Score: 3, Insightful

    Let's all demonize useful technology before it gets out of the gate! Next year we can all mourn the loss of Sourceforge when it's 'determined' to be a repository for terrorist software development. Oh god, won't somebody help me off of this slippery slope?!

    1. Re:Fantastic! by Jeff+DeMaagd · · Score: 3, Insightful

      Oh god, won't somebody help me off of this slippery slope?!

      Just as well. Slippery slope is a logical fallacy anyway.

  6. Give people anonymity and... by RUFFyamahaRYDER · · Score: 2, Insightful

    Give people anonymity and of course they are going to do bad things with it. The net is as anonymous as it needs to be. I see this only causing more trouble and headaches...

  7. Re:Cultural Idiots by loopback_127001 · · Score: 2, Insightful

    It would be a very important difference, if you were right.

    Yin and Yang are opposites. They are two separate concepts that, together, balance one another out. If one or the other is too out of balance, you see problems, according to the theory.

    But the fact that yin or yang energy can be out of balance would indicate they are, in fact, two different things. Look at Chinese medicine, some substances are considered to have a strong 'yin' value, others to be primarily 'yang'.

    In short, you're getting it right that the two opposing forces are both necessary to create a 'whole', but you're getting it wrong to say that something can't be yin or yang. Although I suppose if your point is really that there is no such thing as a pure-yin or pure-yang object in the universe, that is technically true. but damn, that's even more pedantic than I thought you were being. =)

    Of course, this is all needless wanking around an article that thinks 'yin or yang?' is a clever way of saying 'good or bad?' And, as has already been pointed out, can't spell 'yin' right in the first fucking place.

  8. the need by Amouth · · Score: 0, Insightful

    tell me exactly what is the point of this tech if not the be bad with it.. any good thing doesn't require you to hide behind anything. personaly i think people should be fully accountable for what they do.. allowing them to remove that they will just move to doing bad things. i know it can be used for good but so can just doing it normaly.. i under stand the reason behind it - it is neet, but it is only going to be abused.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  9. My thoughts on Tor. by Captain+Scurvy · · Score: 2, Insightful
    Tor is a good idea, and maybe even a step in the right direction, but it is by no means a "solution" for true Net anonymity and/or privacy. In fact, it is a better tool for attack anonymity than it is for privacy.

    Call me paranoid, but I don't trust anyone other than the intended recipient to decrypt any sensitive data. The way I understand the program to work (correct me if I'm wrong) is that a "trusted" server on the end decrypts your packets and acts as the "proxy" between the tor network and the Internet. What if those trusted servers is compromised? Being so centralized, they make a good way to glean a lot of personal info.

    Now, if you don't care about your data privacy, and just care about a hard to trace connection (i.e., for an attack, but there are plenty of other legitimate reasons), then Tor is pretty cool. However, since there are presently so few servers, and a lot of people DO seem to use Tor to crapflood IRC/forums/etc, it seems like more and more people are just banning the Tor IP addresses.

    1. Re:My thoughts on Tor. by ahsect8 · · Score: 2, Insightful

      You're misunderstanding the protocol. The purpose is to anonymize connections versus content.

      An example scenario: a US intelligence agent may need to contact an agency server from within a foriegn country. Anyone sniffing packets would notice that a user is connecting to a server at www.someagency.mil, even if the content itself was encrypted. Tor anonymizes the connection, as the agent now connects to one of any number of Tor nodes. Tor uses encryption to protect route and address information, not content. It should be used in conjunction with another strong encryption protocol (SSL etc.).

    2. Re:My thoughts on Tor. by Anonymous Coward · · Score: 1, Insightful

      The way I understand the program to work (correct me if I'm wrong) is that a "trusted" server on the end decrypts your packets and acts as the "proxy" between the tor network and the Internet.

      1) You don't have to use any particular node or nodes as "trusted". There is no centralization in architecture, only in default configuration.
      2) The trusted node can be the intended recipient.
      3) You should be using encryption anyway if you care about protecting your data.

  10. WHICH real email address? by mph_az · · Score: 2, Insightful

    One of my 8 yahoo ones, or one of my 10 gmail accounts, or my 4 hotmail accounts or the mailinator account I'm about to make up for the next online form I come across that requires a 'valid email address'?

    Or do you mean the 'real' email address that belongs to one of the more obscure web-based email services?

    Real authentication is impractical in large numbers; this is why it has never been implemented. It barely worked when you sent a photo copy of your drivers' license in to your local BBS; but now, in the age of instant graticication and an international scale (how *can* you tell that ID from istanbul is fake or not?) it's flat out of the question.

    To repeat the point; when it comes to the internet, real authentication is impossible.