The Privileged Cry: Boo, Hoo, Hoo Over Release of OnionScan Data

It hasn’t taken long for the privileged to cry “boo, hoo, hoo,” over Justin Seitz’s releasing the results of using OnionScan on over 8,000 Dark Web sites. You can find Justin’s dump here.

Joseph Cox writes in: Hacker Mass-Scans Dark Web Sites for Vulnerabilities, Dumps Results:

…Sarah Jamie Lewis, the creator of OnionScan, warns that publishing the full dataset like this may lead to some Tor hidden services being unmasked. In her own reports, Lewis has not pointed to specific sites or released the detailed results publicly, and instead only provided summaries of what she found.

“If more people begin publishing these results then I imagine there are a whole range of deanonymization vectors that come from monitoring page changes over time. Part of the reason I destroy OnionScan results once I’m done with them is because people deserve a chance to fix the issue and move on—especially when it comes to deanonymization vectors,” Lewis told Motherboard in an email, and added that she has, when legally able to, contacted some sites to help them fix issues quietly.

Sarah Jamie Lewis and others who seek to keep vulnerability data secret are making two assumptions:

  1. They should have exclusive access to data.
  2. Widespread access to data diminishes their power and privilege.

I agree only with #2 and it is the reason I support public and widespread distribution of data, all data.

Widespread access to data means it is your choices and abilities that determine its uses and not privilege of access.

BTW, Justin has the better of the exchange:

Seitz, meanwhile, thinks his script could be a useful tool to many people. “Too often we set the bar so high for the general practitioner (think journalists, detectives, data geeks) to do some of this larger scale data work that people just can’t get into it in a reasonable way. I wanted to give people a starting point,” he said.

“I am a technologist, so it’s the technology and resulting data that interest me, not the moral pros and cons of data dumping, anonymity, etc. I leave that to others, and it is a grey area that as an offensive security guy I am no stranger to,” he continued.

The question is: Do you want privileged access to data for Sarah Jamie Lewis and a few others or do you think everyone should have equal access to data?

I know my answer.

What’s yours?

Comments are closed.