[arma@mit.edu: Re: Wikipedia & Tor]
----- Forwarded message from Roger Dingledine <arma@mit.edu> -----
[yes, I know I'm preaching to the choir]
----- Forwarded message from Roger Dingledine <arma@mit.edu> -----
A potential for cooperation is the proposal below for authenticated access to Wikipedia through Tor. I will not speak to any particular design here, but if Wikipedia has a notion of clients trusted to post to Wikipedia, it should be possible to work with them to have an authentication server that controls access to Wikipedia through Tor.
As I understand it, Jimmy is hoping that we will develop and maintain this notion. We would run both "halves" of the Tor network, and when they complain about a user, we would cut that user out of the authenticated side.
A non-good idea, as it goes against what Tor is all about. The problem to be overcome here really has nothing to do with Tor, as such.
Wikipedia already needs this sort of thing because of AOL IPs -- they have similar characteristics to Tor, in that a single IP produces lots of behavior, some good some bad.
So Wikipedia understands that the transport layer isn't to blame, yet they persist in asking for changes in the Tor transport to address the problem of malicious users? *groan*
(One might argue that it's hard for Wikipedia to change their perception and learn about any good Tor uses, firstly because good users will blend in and nobody will notice, and secondly because they've prevented them all from editing so there are no data points either way.)
That's not the perception they need to change. They need to realize that if an avenue for action without responsibility exists, someone will use it. Wikis get defaced all the time *without* AOL or Tor, because the philosophy allows anyone to edit. It is that philosophy that is in error, not the transport layers used by the vandals. Wiki, as someone mentioned to me in a private mail, is the SMTP of web publishing; it doesn't scale well in the presence of large concentrations of assholes.
In summary, I'm not too unhappy with the status quo for now. Tor needs way more basic development / usability work still. In the absence of actual volunteers-who-code on the side of Tor _or_ Wikipedia to resolve the problem, I'm going to focus on continuing to make Tor better, so down the road maybe we'll be able to see better answers.
Roger gets it. The Wikipedians don't. -- Roy M. Silvernail is roy@rant-central.com, and you're not "It's just this little chromium switch, here." - TFT SpamAssassin->procmail->/dev/null->bliss http://www.rant-central.com
Sorry...I don't understand...why would psuedonymity services be provided within Tor? An external reputation/psuedonymity server would of course "reduce" a Tor users' anonymity to mere psuedonymity, but I don't see how it would do anything more, and who cares? If Wikipedia (or anyone) doesn't want to interact with the truly anonymous (as opposed to psuedonymous), then ah well. Solution: Wait and do nothing until someone (commericially) provides such services. Am I punchdrunk or stating the obvious? -TD
From: Eugen Leitl <eugen@leitl.org> To: cypherpunks@jfet.org Subject: [arma@mit.edu: Re: Wikipedia & Tor] Date: Tue, 27 Sep 2005 21:57:50 +0200
----- Forwarded message from Roger Dingledine <arma@mit.edu> -----
From: Roger Dingledine <arma@mit.edu> Date: Tue, 27 Sep 2005 15:54:38 -0400 To: or-talk@freehaven.net Subject: Re: Wikipedia & Tor User-Agent: Mutt/1.5.9i Reply-To: or-talk@freehaven.net
On Tue, Sep 27, 2005 at 11:18:31AM -0400, Paul Syverson wrote:
On Tue, Sep 27, 2005 at 10:27:58AM -0400, Matt Thorne wrote:
everyone is so worried about it, but has any one ever been successfully been able to use tor to effectively spam anyone?
To be fair, this answer is yes. People have used Tor to deface Wikipedia pages, along with Slashdot pages, certain IRC networks, and so on. I think that counts as spam at least in a broad sense.
A potential for cooperation is the proposal below for authenticated access to Wikipedia through Tor. I will not speak to any particular design here, but if Wikipedia has a notion of clients trusted to post to Wikipedia, it should be possible to work with them to have an authentication server that controls access to Wikipedia through Tor.
As I understand it, Jimmy is hoping that we will develop and maintain this notion. We would run both "halves" of the Tor network, and when they complain about a user, we would cut that user out of the authenticated side.
Jimmy and I talked about Tor-and-Wikipedia many months ago, and the conclusion was that they (mediawiki) would be willing to try a variety of technological solutions to see if they work (i.e. cut down on vandalism and aren't too much of a burden to run). My favorite is to simply have certain address classes where the block expires after 15 minutes or so. Brandon Wiley proposed a similar idea but where the block timeout is exponentially longer for repeated abuse, so services that are frequently blocked will stay blocked longer. This is great. But somebody needs to actually code it.
Wikipedia already needs this sort of thing because of AOL IPs -- they have similar characteristics to Tor, in that a single IP produces lots of behavior, some good some bad. The two differences as I understand them are that AOL will cancel user accounts if you complain loudly enough (but there's constant tension here because in plenty of cases AOL decides not to cancel the account, so Wikipedia has to deal some other way like temporarily blocking the IP), and that it's not clear enough to the Wikipedia operators that there *are* good Tor users.
(One might argue that it's hard for Wikipedia to change their perception and learn about any good Tor uses, firstly because good users will blend in and nobody will notice, and secondly because they've prevented them all from editing so there are no data points either way.)
So I've been content to wait and watch things progress. Perhaps we will find a volunteer who wants to help hack the mediawiki codebase to be more authentication-friendly (or have more powerful blocking config options). Perhaps we'll find a volunteer to help build the blind-signature pseudonymous authenticated identity management infrastructure that Nick refers to. Perhaps the Wikimedia operators will increasingly get a sense that Tor has something to offer besides vandalism. (I presume this thread re-surfaced because Tor users and operators are periodically telling Wikipedia that they don't like being blocked.) Maybe we will come to the point eventually that it makes sense to do something different than blocking the Tor IP addresses from editing Wikipedia. (Which, we should all remember compared the Gentoo forum situation, is a great step above blocking them from both reading and writing.)
It could be that we never reach that point. Certain services on the Internet (like some IRC networks) that are really prone to abuse are probably doing the right thing by blocking all Tor users (and all AOL users, and all open proxies, and ...). And we want to keep Tor easy to block, or we're really going to start getting the other communities angry at us.
In summary, I'm not too unhappy with the status quo for now. Tor needs way more basic development / usability work still. In the absence of actual volunteers-who-code on the side of Tor _or_ Wikipedia to resolve the problem, I'm going to focus on continuing to make Tor better, so down the road maybe we'll be able to see better answers.
--Roger
----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Tyler Durden wrote:
Sorry...I don't understand...why would psuedonymity services be provided within Tor?
I find the concept of having both pseudonymous and anonymous traffic through TOR quite interesting. In some cases, you really do wish to just separate yourself from your meatspace identity but you may want the reputation of a bitspace identity; in other cases, you want to completely separate yourself from any identity. There are audited anonymizers that provide a form of pseudonymity, in that, they know who you are and can regulate your behavior accordingly. These are generally in the commercial space. Building a TOR nymspace would be much more interesting and distributed. TOR itself does not necessarily have to deal with this. There could be services flowing through TOR that provide this. However, TOR nodes implementing pseudonymous traffic for their own network seems more natural and easier to do. Entry/exit nodes, some nodes, all nodes, or whatever subset makes the most sense could then authenticate pseudonymous traffic and determine capabilities based on things like reputation. But, that was not a why. Anonymity has the property of removing responsibility from the actor for their actions, which is not always a good thing. I am sure TOR exit nodes are hit with the responsibility for those actors, which can lead to the end of exit nodes. At a minimum, pseudonymity can provide a degree of responsibility through reputation. Exit nodes could support either pseudo or anon, or both, depending on beliefs, risks, etc. Also, users could select anon or pseudo as needed. I like choice. Anyway, that is a why and an interesting topic, but TOR has other things to focus on. -Andrew
At 8:37 PM -0400 9/27/05, lists wrote:
Building a TOR nymspace would be much more interesting and distributed.
Since the first time I met Dingledine, he was talking pseudonymity, bigtime. I was curious when he went to play with onion routers, but maybe I'm not so surprised anymore... Cheers, RAH -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
At 05:37 PM 9/27/2005, lists wrote:
Tyler Durden wrote:
Sorry...I don't understand...why would psuedonymity services be provided within Tor?
I find the concept of having both pseudonymous and anonymous traffic through TOR quite interesting. In some cases, you really do wish to just .... TOR itself does not necessarily have to deal with this. There could be services flowing through TOR that provide this. However, TOR nodes implementing pseudonymous traffic for their own network seems more natural and easier to do.
One way to build a psuedo-pseudonymous mechanism to hang off of Tor that would be easy for the Wikipedians to deal with would be to have a server that lets you connect to it using Tor, log in using some authentication protocol or other, then have it generate different outgoing addresses based on your ID. So user #37 gets to initiate connections from 10.0.0.37, user #258 gets to initiate connections from 10.0.1.2, etc. The reason to use Tor mechanisms is to make connection potentially easier by reducing the number of mechanisms a client needs; the reason to use different IP addresses is for Wikipedia's convenience. It's mainly useful in environments where you can use private address space, so if you're running it on a Tor-friendly location as opposed to Wikipedia's rack space, you might want to tunnel it across the Internet through something other mechanism such as GRE/L2TP/IPSEC/etc.
Quoting Bill Stewart <bill.stewart@pobox.com>:
One way to build a psuedo-pseudonymous mechanism to hang off of Tor that would be easy for the Wikipedians to deal with would be to have a server that lets you connect to it using Tor, log in using some authentication protocol or other, then have it generate different outgoing addresses based on your ID. So user #37 gets to initiate connections from 10.0.0.37, user #258 gets to initiate connections from 10.0.1.2, etc.
The problem I see with this is that it continues to train Wikipedia to use IP addresses as credentials. That's a Bad Thing IMHO. -- Roy M. Silvernail is roy@rant-central.com, and you're not "It's just this little chromium switch, here." - TFT SpamAssassin->procmail->/dev/null->bliss http://www.rant-central.com
One way to build a psuedo-pseudonymous mechanism to hang off of Tor that would be easy for the Wikipedians to deal with would be to have a server that lets you connect to it using Tor, log in using some authentication protocol or other, then have it generate different outgoing addresses based on your ID. So user #37 gets to initiate connections from 10.0.0.37, user #258 gets to initiate connections from 10.0.1.2, etc.
Isn't the IPv4 address space potentially too small in the intermediate run for this approach? Sounds like you'd need IPv6... -TD
On 29 Sep 2005 09:57:54 -0400, Tyler Durden wrote:
One way to build a psuedo-pseudonymous mechanism to hang off of Tor that would be easy for the Wikipedians to deal with would be to have a server that lets you connect to it using Tor, log in using some authentication protocol or other, then have it generate different outgoing addresses based on your ID. So user #37 gets to initiate connections from 10.0.0.37, user #258 gets to initiate connections from 10.0.1.2, etc.
Isn't the IPv4 address space potentially too small in the intermediate run for this approach? Sounds like you'd need IPv6...
-TD
Walking away from TOR and Wikipedia implementations... Already, IPs have reputations associated with them and serve as pseudonyms. Blacklists are one example of this reputation being used or abused. In some distant future, with the switch to IPv6, there exists the potential for so many entities to have IPs that IPs will function as identities on a much broader scale. This will facilitate a great deal of reputation and trust being established on the basis of IPs with other measures, similar to the early days of the net but with a less open mentality. And, off on a tangent... (Since this was still in my shorter term memory after the NYC BSD Con a few weeks ago...) The general point of DKIM (http://mipassoc.org/dkim/index.html) is to have a sender domain mail server sign messages, and then a receiver domain mail server can query the public key for the sender domain and verify the signature. DKIM suggested that public keys be stored in DNS records for domains. While this storage could be per domain, it could also be per sub-domain, per end entities of a domain, etc. Given the driver to combat spam, you never know, something like this could happen in the next few years. Issues of the capabilities of the current DNS and DNS security infrastructure aside, we then have a universal public key distribution mechanism. So, IPs can be tied to domains, domains can be tied to public keys, sub-domains, or end entities, sub-domains can be tied to public keys or end entities, end entities can be tied to public keys, and so on and so forth. Reputations can be built, and there are lots of ways of establishing trust for keys as needed, be it simple PKI, web of trust, etc. It all seems more fluid than anything we have now. A lot could then happen for end users transparently, much like when they swipe a credit card. DKIM is just one example of that. -Andrew
participants (6)
-
Bill Stewart -
Eugen Leitl -
lists -
R.A. Hettinga -
Roy M. Silvernail -
Tyler Durden