
It's a lot easier to have the consistent policy "we block Tor exit nodes" than "we block Tor exit nodes, except on this site".

Then they have to make that decision about every site. And re-evaluate that decision every so often.



Of course. If you aren't competent enough to make good decisions, you have to make easy ones.


I'm not really talking to you. I'm talking to some other HN reader who thinks this is an actual debate between two reasonable sides.

Every time a security practitioner has to make a new decision, that opens up the possibility of making a mistake. Therefore, it is good practice to limit the number of decisions that you have to make.

That's why the standard policy for firewalls is default deny, and you have to make an affirmative decision to let packets in.

That's why we make cost-benefit decisions about blocking policy.

Does it cost NASDAQ to block Tor exit nodes from reading their blog? Not materially. Anyone that desperate to read that material anonymously can ask the Internet Archive for it, or get some other proxy to pull it for them. None of their actual or potential clientele will feel the need to use Tor.

Does it benefit NASDAQ to have a general policy of blocking Tor exit nodes? Yes, it definitely does. If you want to probe a site's security, Tor and rented botnets are the sources of choice.

I don't know whether NASDAQ's security people are competent or not in general, but in this specific example, they made a good choice.


You're right, there aren't two reasonable sides here. There are people who want things to actually work, and security fetishists.


I'm not the guy you were talking to, but let me make one thing absolutely clear. You can't read that blog post on Tor because nobody is interested in making things "actually work" for you, because you (and the other people who won't or can't not use Tor for five minutes) don't matter to them. It's not a security fetish, it's just sensible prioritisation. They'll get around to you after every other bug is ironed out, their desk is clean, they've been on their weekly 10k run, and they've flossed like they've been intending to for a decade now. They. Don't. Care.


> They. Don't. Care.

Uh... that's worse than a security fetish.


You obviously have not been following the news lately.

Insurance companies are putting incredible pressure on businesses to lock down their IT HARDER, not less hard.

Seriously, look for Tor to get blocked in lots more places.

"security fetishists" are going to be making good money for a while yet.


Yes, they're causing more and more damage.


The Tor users / hackers / ransomware folks? For sure - we agree there. Because claim handling costs are way up, there is going to be building emphasis on following things like this DHS alert on how to protect your network.

We're rolling out Tor blocking on our sites where we didn't use to need that. I think more automated options will come as well (think Cloudflare), which will help folks with this and maybe jam Tor users into reCAPTCHA loops or similar? Not sure what the right solution is to filter out the Tor users - a hard block, or try to detect and reCAPTCHA, etc.
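The "hard block vs. detect and challenge" choice above, and the earlier point that every per-site exception is another decision to maintain, can be made concrete in a small policy function. This is an added illustration, not code from anyone in the thread; the exit-node addresses, the site names and the `SITE_OVERRIDES` table are constructed placeholders, and a real deployment would refresh the exit list from the Tor Project's published list on a schedule.

```python
import ipaddress
from typing import Literal

Decision = Literal["allow", "block", "challenge"]

# Constructed sample exit-node list (documentation ranges, not real Tor exits).
SAMPLE_EXIT_LIST = """
# constructed sample, not real Tor exit addresses
198.51.100.7
198.51.100.23
2001:db8:ff::1
not-an-address
""".strip()


def parse_exit_list(text: str) -> frozenset:
    """Parse one address per line into ipaddress objects, so that textual
    variants of the same IPv6 address (e.g. zero-padded groups) compare equal."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip a malformed entry rather than rejecting the whole list
    return frozenset(nodes)


EXIT_NODES = parse_exit_list(SAMPLE_EXIT_LIST)

# One site-wide default, plus an overrides table that should stay short:
# each entry is a decision someone has to justify and periodically re-check.
DEFAULT_ACTION: Decision = "block"
SITE_OVERRIDES: dict[str, Decision] = {"blog.example": "challenge"}  # hypothetical host


def decide(client_ip: str, host: str) -> Decision:
    """Return the action for a request from client_ip to host."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "block"  # unparsable source address: fail closed
    if addr not in EXIT_NODES:
        return "allow"
    return SITE_OVERRIDES.get(host, DEFAULT_ACTION)
```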


Stop twisting my words.



