RE: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]

2005-09-30 Thread Tyler Durden
No, this is important. If this isn't Cypherpunks material these days then 
nothing is.


As for the Wikipedia folks, I can't imagine having a more intelligent batch 
of people disagree. Theirs is a very practical matter: Reducing the 
hassles, particularly when said hassles in general deteriorate the 
content/bullshit ratio they see.


On the other hand, they seem to clearly get the value of Tor, and have 
practically extended an invitation for a solution that will truly make 
things better while not significantly increasing their hassles.


That the Wikipedia reaction to TorSpam is perhaps regrettable is obvious, 
but given their goals (not particularly Cypherpunkly) it really does make 
sense: No one's paid at Wikipedia and no one's going to do all the work of 
cleaning up the slung feces. In other words, they're clipping off one of the 
side-lobes but increasing the remaining signal-to-noise. Just brute force 
logic. Sorry.


But the door is open for solutions and they do seem to understand the 
issues. Not bad, and the long-term solution may be very interesting...


-TD






From: Eugen Leitl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]

Date: Thu, 29 Sep 2005 14:02:32 +0200

Sorry for the flood, but this is winding down already.
What I didn't like about this discussion is that all
concerned parties seem to have been shouting into
space past each other, just trying to make a noise
instead of understanding and solving the problem.

- Forwarded message from Steven J. Murdoch [EMAIL PROTECTED] -

From: Steven J. Murdoch [EMAIL PROTECTED]
Date: Thu, 29 Sep 2005 00:27:51 +0100
To: [EMAIL PROTECTED]
Cc: Jimmy Wales [EMAIL PROTECTED]
Subject: Re: Hello directly from Jimbo at Wikipedia
User-Agent: Mutt/1.4.1i
Reply-To: [EMAIL PROTECTED]

On Tue, Sep 27, 2005 at 05:48:59PM -0400, Jimmy Wales wrote:
> All I'm saying is that Tor could segregate users easily enough into two
> clouds: We sorta trust these ones, more or less, a little bit, but no
> guarantees -- We don't trust these ones, we don't know them.

This would be very difficult to do using the existing Tor design as it
doesn't know anything about users or sessions. It lives at the TCP
layer and all it does is shift packets from one IP address to another,
giving some privacy to both ends. Adding higher layer functionality to
Tor increases the chance that it will do neither job well, so here is
a proposal which I think does what you want, but avoids this problem.

The goal is to increase the cost for a Tor user to commit abuse on
Wikipedia. It doesn't need to be foolproof, but just enough to make
them go elsewhere. Wikipedia could require Tor users to log in before
making edits, and ban accounts if they do something bad. However the
cost of creating new accounts is not very high. The goal of this
proposal is to impose a cost on creating accounts which can be used
through Tor. Non-Tor access works as normal and the cost can be small,
just enough to reduce the incentive of abuse.

Suppose Wikipedia allowed Tor users to only read articles and create
accounts, but not able to change anything. The Tor user then goes to a
different website, call it the puzzle server. Here the Tor user does
some work, perhaps does a hashcash computation[1] or solves a
CAPTCHA[2], then enters the solution along with their new Wikipedia
username. The puzzle server (which may be run by Wikipedia or Tor
volunteers), records the fact that someone has solved a puzzle along
with the username entered. The puzzle server doesn't need the
Wikipedia password as there is no reason for someone to do work for
another person's account.

Now when that Tor user logs into their Wikipedia account to edit
something, the Wikipedia server asks the puzzle server whether this
account has ever solved a puzzle. If it has, the user can make the
edit, if not then the user is told to go to the puzzle server first.
This check can be very simple - just an HTTP request to the
puzzle server specifying the Wikipedia username, which returns yes
vs no, or 200 vs 403. For performance reasons this can be
cached locally. There is no cryptography here, and I don't think it is
needed, but it can be added without much difficulty.

If the Tor user starts committing abuse, his account is cancelled. The
puzzle server doesn't need to be told about this, as Wikipedia will
not let that user make any edits. The reason this approach avoids the
usual problems with proof-of-work schemes[3] is that good Tor users
only have to solve the puzzle once, just after they create the
account. Bad Tor users will need to solve another puzzle every time
they are caught and have their account cancelled.

So my question to Jimbo is: what type of puzzle do you think would be
enough to reduce abuse through Tor to a manageable level? The
difficulty of the puzzle can be tuned over time but what would be
necessary for Wikipedia to try this out?

Hope this helps,
Steven Murdoch
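
The scheme in the message above, sketched as an added example that is not part of the original post and is not Tor or Wikipedia code. Assumptions: a SHA-256 hashcash-style puzzle, the username bound into the hashed string, single-use challenges, and an in-process call standing in for the HTTP check; all class and function names are hypothetical.

```python
import hashlib
import itertools
import secrets

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def work(username: str, challenge: str, nonce: int) -> int:
    # Assumption: the username is part of the hashed string, so work done
    # for one account cannot be credited to another.
    msg = f"{challenge}:{username}:{nonce}".encode()
    return leading_zero_bits(hashlib.sha256(msg).digest())

def solve(username: str, challenge: str, bits: int) -> int:
    """Client side: brute-force a nonce (about 2**bits hashes on average)."""
    return next(n for n in itertools.count() if work(username, challenge, n) >= bits)

class PuzzleServer:
    def __init__(self, bits: int = 16):       # difficulty can be tuned over time
        self.bits, self.issued, self.solved = bits, set(), set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(8)
        self.issued.add(challenge)
        return challenge

    def submit(self, username: str, challenge: str, nonce: int) -> bool:
        if challenge not in self.issued or work(username, challenge, nonce) < self.bits:
            return False
        self.issued.discard(challenge)        # single use: one solution, one account
        self.solved.add(username)
        return True

    def status(self, username: str) -> int:   # stands in for the HTTP 200 vs 403 check
        return 200 if username in self.solved else 403

class WikiFrontEnd:
    def __init__(self, puzzle: PuzzleServer):
        self.puzzle, self.cache, self.banned, self.lookups = puzzle, set(), set(), 0

    def may_edit_via_tor(self, username: str) -> bool:
        if username in self.banned:           # ban is local; puzzle server is never told
            return False
        if username in self.cache:            # "has solved" never reverts, so cache 200s
            return True
        self.lookups += 1
        if self.puzzle.status(username) == 200:
            self.cache.add(username)
            return True
        return False                          # 403 is not cached: the user may solve next
```

Only positive answers are cached because "has ever solved a puzzle" can only change from no to yes; caching a 403 would lock out a user who has just done the work.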

Re: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]

2005-09-30 Thread Tyler Durden

Oh...-that's- your point:


No, Wikipedia needs to realize that the IP address correlation they enjoy
outside of Tor is a happy accident, and that they should stop treating IP
addresses as user credentials.  If they want credentials, they need to
implement them.


Well, is it reasonable to expect a creature to evolve to an environment that 
doesn't exist yet?


On the other hand, I don't think the number of Tor IP addresses is anywhere 
near its hockeystick yet, and when it comes it will be changing far too fast 
for them to block.


So they will ultimately have to change their model, methinks.

-TD




Re: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]

2005-09-28 Thread Tyler Durden

Don't agree here...



From: Steve Furlong [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]

Date: Wed, 28 Sep 2005 09:41:34 -0400

On 9/28/05, Roy M. Silvernail [EMAIL PROTECTED] wrote:

A Wikiwhiner wrote

  I have valid although perhaps unpopular
  contributions to make, and not only is my freedom to express myself
  limited, the quality of the material on Wikipedia suffers due to the
  absence of my perspective.

Wow. Nice ego there.


If someone I knew wrote some detailed Wiki entries about Telecom DCC control 
channel protocol throughputs and attacks, he could objectively state that 
there would be very few people in the world up to the task. He might also 
want to maintain anonymity.


Shutting down this source of wiki entries means that the general flow of 
Wikipedia content has been altered slightly, but I would argue 
significantly.


I see no material issue with an individual claiming that the absence of his 
posts to Wiki is significant, even if this is in fact untrue for his 
particular case. The ego is not material to the essential point.


-TD




Re: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]

2005-09-28 Thread Steve Furlong
On 9/28/05, Roy M. Silvernail [EMAIL PROTECTED] wrote:

A Wikiwhiner wrote

> > I have valid although perhaps unpopular
> > contributions to make, and not only is my freedom to express myself
> > limited, the quality of the material on Wikipedia suffers due to the
> > absence of my perspective.

Wow. Nice ego there.


> > The status quo is not acceptable and we
> > should work to find a solution.
>
> Leaving aside the qualitative discussion, let's remember that the freedom to
> express oneself does not imply the obligation for any other party to listen.

Nor the obligation for any other party to provide you with a soapbox.
Operate your own wiki if you don't like their decisions.


> Tor is transport layer.  Authentication for a specific service (such as
> Wikipedia) is the responsibility of that service and belongs in the session
> layer.

What Roy said. This Wikiwhiner might want to read up on the OSI model.
Conveniently, there's a Wikipedia article on it:
http://en.wikipedia.org/wiki/OSI_model


> An authenticated network and an anonymizing network are mutually exclusive.

True enough, but to make it clear, an anonymizing network is not
exclusive with an authenticated application. (Not necessarily so,
anyway. I haven't checked into TOR, but there's no good reason an HTML
hidden field couldn't provide session continuity for an anonymous web
surfer.)


--
There are no bad teachers, only defective children.



Re: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]

2005-09-28 Thread Roy M. Silvernail
> - Forwarded message from cypherpunk [EMAIL PROTECTED] -
>
> From: cypherpunk [EMAIL PROTECTED]
>
> Subject: Re: Hello directly from Jimbo at Wikipedia
>
> As an occasional Tor and Wikipedia user, let me add a couple of points.
>
> First, in case it is not obvious, the problem with the present system
> is that Tor users can no longer edit on Wikipedia. I have done so in
> the past, in what I like to think is a constructive manner, but cannot
> do so since this summer. I have valid although perhaps unpopular
> contributions to make, and not only is my freedom to express myself
> limited, the quality of the material on Wikipedia suffers due to the
> absence of my perspective. The status quo is not acceptable and we
> should work to find a solution.

Leaving aside the qualitative discussion, let's remember that the freedom to
express oneself does not imply the obligation for any other party to listen.

> Looking at the proposals for authentication servers and such, I see a
> major issue which is not being addressed. That is, how does the web
> server distinguish authenticated Tor users from unauthenticated ones?
> If this is via a complicated protocol, there is no point as the
> servers won't use it.

The problem at hand does not require authenticated Tor users.  It requires
authenticated Wikipedia users.

> This does not necessarily mean building complex authentication
> protocols into the Tor network, and having two classes of traffic
> flowing around. It could be that this authenticated Tor is a separate
> network. It only lets users in who are authenticated, and owns a
> specific set of IP addresses which servers can whitelist. The regular
> Tor exit nodes can be blacklisted as they are now.

Tor is transport layer.  Authentication for a specific service (such as
Wikipedia) is the responsibility of that service and belongs in the session
layer.

An authenticated network and an anonymizing network are mutually exclusive.

> What does Wikipedia need? What is the minimum level of service they
> require? Presumably, it is similar to what they can get via ISPs, who
> also map many users to a fixed set of IP addresses. Wikipedia can
> complain to the ISP, and it will get back in some form to that user.

No, Wikipedia needs to realize that the IP address correlation they enjoy
outside of Tor is a happy accident, and that they should stop treating IP
addresses as user credentials.  If they want credentials, they need to
implement them.
-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
It's just this little chromium switch, here. - TFT
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com